]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blob
? search:


8103ef8a30334fc65e315adaf165631f1ba9671f
[thirdparty/hostap.git] / src / ap / wpa_auth.c
1 /*
2 * IEEE 802.11 RSN / WPA Authenticator
3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/state_machine.h"
14 #include "utils/bitfield.h"
15 #include "common/ieee802_11_defs.h"
16 #include "common/ocv.h"
17 #include "crypto/aes.h"
18 #include "crypto/aes_wrap.h"
19 #include "crypto/aes_siv.h"
20 #include "crypto/crypto.h"
21 #include "crypto/sha1.h"
22 #include "crypto/sha256.h"
23 #include "crypto/sha384.h"
24 #include "crypto/random.h"
25 #include "eapol_auth/eapol_auth_sm.h"
26 #include "drivers/driver.h"
27 #include "ap_config.h"
28 #include "ieee802_11.h"
29 #include "wpa_auth.h"
30 #include "pmksa_cache_auth.h"
31 #include "wpa_auth_i.h"
32 #include "wpa_auth_ie.h"
33
34 #define STATE_MACHINE_DATA struct wpa_state_machine
35 #define STATE_MACHINE_DEBUG_PREFIX "WPA"
36 #define STATE_MACHINE_ADDR sm->addr
37
38
39 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
40 static int wpa_sm_step(struct wpa_state_machine *sm);
41 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
42 u8 *data, size_t data_len);
43 #ifdef CONFIG_FILS
44 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
45 u8 *buf, size_t buf_len, u16 *_key_data_len);
46 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
47 const struct wpabuf *hlp);
48 #endif /* CONFIG_FILS */
49 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
50 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
51 struct wpa_group *group);
52 static void wpa_request_new_ptk(struct wpa_state_machine *sm);
53 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
54 struct wpa_group *group);
55 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
56 struct wpa_group *group);
57 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
58 const u8 *pmk, unsigned int pmk_len,
59 struct wpa_ptk *ptk);
60 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
61 struct wpa_group *group);
62 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
63 struct wpa_group *group);
64 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
65 struct wpa_group *group);
66 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
67
68 static const u32 eapol_key_timeout_first = 100; /* ms */
69 static const u32 eapol_key_timeout_subseq = 1000; /* ms */
70 static const u32 eapol_key_timeout_first_group = 500; /* ms */
71 static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
72
73 /* TODO: make these configurable */
74 static const int dot11RSNAConfigPMKLifetime = 43200;
75 static const int dot11RSNAConfigPMKReauthThreshold = 70;
76 static const int dot11RSNAConfigSATimeout = 60;
77
78
79 static inline int wpa_auth_mic_failure_report(
80 struct wpa_authenticator *wpa_auth, const u8 *addr)
81 {
82 if (wpa_auth->cb->mic_failure_report)
83 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
84 return 0;
85 }
86
87
88 static inline void wpa_auth_psk_failure_report(
89 struct wpa_authenticator *wpa_auth, const u8 *addr)
90 {
91 if (wpa_auth->cb->psk_failure_report)
92 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
93 }
94
95
96 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
97 const u8 *addr, wpa_eapol_variable var,
98 int value)
99 {
100 if (wpa_auth->cb->set_eapol)
101 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
102 }
103
104
105 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
106 const u8 *addr, wpa_eapol_variable var)
107 {
108 if (wpa_auth->cb->get_eapol == NULL)
109 return -1;
110 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
111 }
112
113
114 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
115 const u8 *addr,
116 const u8 *p2p_dev_addr,
117 const u8 *prev_psk, size_t *psk_len,
118 int *vlan_id)
119 {
120 if (wpa_auth->cb->get_psk == NULL)
121 return NULL;
122 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
123 prev_psk, psk_len, vlan_id);
124 }
125
126
127 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
128 const u8 *addr, u8 *msk, size_t *len)
129 {
130 if (wpa_auth->cb->get_msk == NULL)
131 return -1;
132 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
133 }
134
135
136 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
137 int vlan_id,
138 enum wpa_alg alg, const u8 *addr, int idx,
139 u8 *key, size_t key_len)
140 {
141 if (wpa_auth->cb->set_key == NULL)
142 return -1;
143 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
144 key, key_len);
145 }
146
147
148 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
149 const u8 *addr, int idx, u8 *seq)
150 {
151 int res;
152
153 if (wpa_auth->cb->get_seqnum == NULL)
154 return -1;
155 res = wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
156 #ifdef CONFIG_TESTING_OPTIONS
157 if (!addr && idx < 4 && wpa_auth->conf.gtk_rsc_override_set) {
158 wpa_printf(MSG_DEBUG,
159 "TESTING: Override GTK RSC %016llx --> %016llx",
160 (long long unsigned) WPA_GET_LE64(seq),
161 (long long unsigned)
162 WPA_GET_LE64(wpa_auth->conf.gtk_rsc_override));
163 os_memcpy(seq, wpa_auth->conf.gtk_rsc_override,
164 WPA_KEY_RSC_LEN);
165 }
166 if (!addr && idx >= 4 && idx <= 5 &&
167 wpa_auth->conf.igtk_rsc_override_set) {
168 wpa_printf(MSG_DEBUG,
169 "TESTING: Override IGTK RSC %016llx --> %016llx",
170 (long long unsigned) WPA_GET_LE64(seq),
171 (long long unsigned)
172 WPA_GET_LE64(wpa_auth->conf.igtk_rsc_override));
173 os_memcpy(seq, wpa_auth->conf.igtk_rsc_override,
174 WPA_KEY_RSC_LEN);
175 }
176 #endif /* CONFIG_TESTING_OPTIONS */
177 return res;
178 }
179
180
181 static inline int
182 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
183 const u8 *data, size_t data_len, int encrypt)
184 {
185 if (wpa_auth->cb->send_eapol == NULL)
186 return -1;
187 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
188 encrypt);
189 }
190
191
192 #ifdef CONFIG_MESH
193 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
194 const u8 *addr)
195 {
196 if (wpa_auth->cb->start_ampe == NULL)
197 return -1;
198 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
199 }
200 #endif /* CONFIG_MESH */
201
202
203 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
204 int (*cb)(struct wpa_state_machine *sm, void *ctx),
205 void *cb_ctx)
206 {
207 if (wpa_auth->cb->for_each_sta == NULL)
208 return 0;
209 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
210 }
211
212
213 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
214 int (*cb)(struct wpa_authenticator *a, void *ctx),
215 void *cb_ctx)
216 {
217 if (wpa_auth->cb->for_each_auth == NULL)
218 return 0;
219 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
220 }
221
222
223 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
224 logger_level level, const char *txt)
225 {
226 if (wpa_auth->cb->logger == NULL)
227 return;
228 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
229 }
230
231
232 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
233 logger_level level, const char *fmt, ...)
234 {
235 char *format;
236 int maxlen;
237 va_list ap;
238
239 if (wpa_auth->cb->logger == NULL)
240 return;
241
242 maxlen = os_strlen(fmt) + 100;
243 format = os_malloc(maxlen);
244 if (!format)
245 return;
246
247 va_start(ap, fmt);
248 vsnprintf(format, maxlen, fmt, ap);
249 va_end(ap);
250
251 wpa_auth_logger(wpa_auth, addr, level, format);
252
253 os_free(format);
254 }
255
256
257 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
258 const u8 *addr, u16 reason)
259 {
260 if (wpa_auth->cb->disconnect == NULL)
261 return;
262 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)",
263 MAC2STR(addr), reason);
264 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason);
265 }
266
267
268 #ifdef CONFIG_OCV
269 static int wpa_channel_info(struct wpa_authenticator *wpa_auth,
270 struct wpa_channel_info *ci)
271 {
272 if (!wpa_auth->cb->channel_info)
273 return -1;
274 return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci);
275 }
276 #endif /* CONFIG_OCV */
277
278
279 static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth,
280 const u8 *addr, int vlan_id)
281 {
282 if (!wpa_auth->cb->update_vlan)
283 return -1;
284 return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id);
285 }
286
287
288 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
289 {
290 struct wpa_authenticator *wpa_auth = eloop_ctx;
291
292 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
293 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
294 "initialization.");
295 } else {
296 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
297 wpa_hexdump_key(MSG_DEBUG, "GMK",
298 wpa_auth->group->GMK, WPA_GMK_LEN);
299 }
300
301 if (wpa_auth->conf.wpa_gmk_rekey) {
302 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
303 wpa_rekey_gmk, wpa_auth, NULL);
304 }
305 }
306
307
308 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
309 {
310 struct wpa_authenticator *wpa_auth = eloop_ctx;
311 struct wpa_group *group, *next;
312
313 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
314 group = wpa_auth->group;
315 while (group) {
316 wpa_group_get(wpa_auth, group);
317
318 group->GTKReKey = TRUE;
319 do {
320 group->changed = FALSE;
321 wpa_group_sm_step(wpa_auth, group);
322 } while (group->changed);
323
324 next = group->next;
325 wpa_group_put(wpa_auth, group);
326 group = next;
327 }
328
329 if (wpa_auth->conf.wpa_group_rekey) {
330 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
331 0, wpa_rekey_gtk, wpa_auth, NULL);
332 }
333 }
334
335
336 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
337 {
338 struct wpa_authenticator *wpa_auth = eloop_ctx;
339 struct wpa_state_machine *sm = timeout_ctx;
340
341 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
342 wpa_request_new_ptk(sm);
343 wpa_sm_step(sm);
344 }
345
346
347 void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine *sm)
348 {
349 if (sm && sm->wpa_auth->conf.wpa_ptk_rekey) {
350 wpa_printf(MSG_DEBUG, "WPA: Start PTK rekeying timer for "
351 MACSTR " (%d seconds)", MAC2STR(sm->addr),
352 sm->wpa_auth->conf.wpa_ptk_rekey);
353 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
354 eloop_register_timeout(sm->wpa_auth->conf.wpa_ptk_rekey, 0,
355 wpa_rekey_ptk, sm->wpa_auth, sm);
356 }
357 }
358
359
360 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
361 {
362 if (sm->pmksa == ctx)
363 sm->pmksa = NULL;
364 return 0;
365 }
366
367
368 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
369 void *ctx)
370 {
371 struct wpa_authenticator *wpa_auth = ctx;
372 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
373 }
374
375
376 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
377 struct wpa_group *group)
378 {
379 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
380 u8 rkey[32];
381 unsigned long ptr;
382
383 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
384 return -1;
385 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
386
387 /*
388 * Counter = PRF-256(Random number, "Init Counter",
389 * Local MAC Address || Time)
390 */
391 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
392 wpa_get_ntp_timestamp(buf + ETH_ALEN);
393 ptr = (unsigned long) group;
394 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
395 #ifdef TEST_FUZZ
396 os_memset(buf + ETH_ALEN, 0xab, 8);
397 os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr));
398 #endif /* TEST_FUZZ */
399 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
400 return -1;
401
402 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
403 group->Counter, WPA_NONCE_LEN) < 0)
404 return -1;
405 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
406 group->Counter, WPA_NONCE_LEN);
407
408 return 0;
409 }
410
411
412 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
413 int vlan_id, int delay_init)
414 {
415 struct wpa_group *group;
416
417 group = os_zalloc(sizeof(struct wpa_group));
418 if (group == NULL)
419 return NULL;
420
421 group->GTKAuthenticator = TRUE;
422 group->vlan_id = vlan_id;
423 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
424
425 if (random_pool_ready() != 1) {
426 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
427 "for secure operations - update keys later when "
428 "the first station connects");
429 }
430
431 /*
432 * Set initial GMK/Counter value here. The actual values that will be
433 * used in negotiations will be set once the first station tries to
434 * connect. This allows more time for collecting additional randomness
435 * on embedded devices.
436 */
437 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
438 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
439 "initialization.");
440 os_free(group);
441 return NULL;
442 }
443
444 group->GInit = TRUE;
445 if (delay_init) {
446 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
447 "until Beacon frames have been configured");
448 /* Initialization is completed in wpa_init_keys(). */
449 } else {
450 wpa_group_sm_step(wpa_auth, group);
451 group->GInit = FALSE;
452 wpa_group_sm_step(wpa_auth, group);
453 }
454
455 return group;
456 }
457
458
459 /**
460 * wpa_init - Initialize WPA authenticator
461 * @addr: Authenticator address
462 * @conf: Configuration for WPA authenticator
463 * @cb: Callback functions for WPA authenticator
464 * Returns: Pointer to WPA authenticator data or %NULL on failure
465 */
466 struct wpa_authenticator * wpa_init(const u8 *addr,
467 struct wpa_auth_config *conf,
468 const struct wpa_auth_callbacks *cb,
469 void *cb_ctx)
470 {
471 struct wpa_authenticator *wpa_auth;
472
473 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
474 if (wpa_auth == NULL)
475 return NULL;
476 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
477 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
478 wpa_auth->cb = cb;
479 wpa_auth->cb_ctx = cb_ctx;
480
481 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
482 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
483 os_free(wpa_auth);
484 return NULL;
485 }
486
487 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
488 if (wpa_auth->group == NULL) {
489 os_free(wpa_auth->wpa_ie);
490 os_free(wpa_auth);
491 return NULL;
492 }
493
494 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
495 wpa_auth);
496 if (wpa_auth->pmksa == NULL) {
497 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
498 os_free(wpa_auth->group);
499 os_free(wpa_auth->wpa_ie);
500 os_free(wpa_auth);
501 return NULL;
502 }
503
504 #ifdef CONFIG_IEEE80211R_AP
505 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
506 if (wpa_auth->ft_pmk_cache == NULL) {
507 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
508 os_free(wpa_auth->group);
509 os_free(wpa_auth->wpa_ie);
510 pmksa_cache_auth_deinit(wpa_auth->pmksa);
511 os_free(wpa_auth);
512 return NULL;
513 }
514 #endif /* CONFIG_IEEE80211R_AP */
515
516 if (wpa_auth->conf.wpa_gmk_rekey) {
517 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
518 wpa_rekey_gmk, wpa_auth, NULL);
519 }
520
521 if (wpa_auth->conf.wpa_group_rekey) {
522 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
523 wpa_rekey_gtk, wpa_auth, NULL);
524 }
525
526 #ifdef CONFIG_P2P
527 if (WPA_GET_BE32(conf->ip_addr_start)) {
528 int count = WPA_GET_BE32(conf->ip_addr_end) -
529 WPA_GET_BE32(conf->ip_addr_start) + 1;
530 if (count > 1000)
531 count = 1000;
532 if (count > 0)
533 wpa_auth->ip_pool = bitfield_alloc(count);
534 }
535 #endif /* CONFIG_P2P */
536
537 return wpa_auth;
538 }
539
540
541 int wpa_init_keys(struct wpa_authenticator *wpa_auth)
542 {
543 struct wpa_group *group = wpa_auth->group;
544
545 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
546 "keys");
547 wpa_group_sm_step(wpa_auth, group);
548 group->GInit = FALSE;
549 wpa_group_sm_step(wpa_auth, group);
550 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
551 return -1;
552 return 0;
553 }
554
555
556 /**
557 * wpa_deinit - Deinitialize WPA authenticator
558 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
559 */
560 void wpa_deinit(struct wpa_authenticator *wpa_auth)
561 {
562 struct wpa_group *group, *prev;
563
564 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
565 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
566
567 pmksa_cache_auth_deinit(wpa_auth->pmksa);
568
569 #ifdef CONFIG_IEEE80211R_AP
570 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
571 wpa_auth->ft_pmk_cache = NULL;
572 wpa_ft_deinit(wpa_auth);
573 #endif /* CONFIG_IEEE80211R_AP */
574
575 #ifdef CONFIG_P2P
576 bitfield_free(wpa_auth->ip_pool);
577 #endif /* CONFIG_P2P */
578
579
580 os_free(wpa_auth->wpa_ie);
581
582 group = wpa_auth->group;
583 while (group) {
584 prev = group;
585 group = group->next;
586 os_free(prev);
587 }
588
589 os_free(wpa_auth);
590 }
591
592
593 /**
594 * wpa_reconfig - Update WPA authenticator configuration
595 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
596 * @conf: Configuration for WPA authenticator
597 */
598 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
599 struct wpa_auth_config *conf)
600 {
601 struct wpa_group *group;
602 if (wpa_auth == NULL)
603 return 0;
604
605 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
606 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
607 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
608 return -1;
609 }
610
611 /*
612 * Reinitialize GTK to make sure it is suitable for the new
613 * configuration.
614 */
615 group = wpa_auth->group;
616 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
617 group->GInit = TRUE;
618 wpa_group_sm_step(wpa_auth, group);
619 group->GInit = FALSE;
620 wpa_group_sm_step(wpa_auth, group);
621
622 return 0;
623 }
624
625
626 struct wpa_state_machine *
627 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
628 const u8 *p2p_dev_addr)
629 {
630 struct wpa_state_machine *sm;
631
632 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
633 return NULL;
634
635 sm = os_zalloc(sizeof(struct wpa_state_machine));
636 if (sm == NULL)
637 return NULL;
638 os_memcpy(sm->addr, addr, ETH_ALEN);
639 if (p2p_dev_addr)
640 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
641
642 sm->wpa_auth = wpa_auth;
643 sm->group = wpa_auth->group;
644 wpa_group_get(sm->wpa_auth, sm->group);
645
646 return sm;
647 }
648
649
650 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
651 struct wpa_state_machine *sm)
652 {
653 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
654 return -1;
655
656 #ifdef CONFIG_IEEE80211R_AP
657 if (sm->ft_completed) {
658 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
659 "FT authentication already completed - do not "
660 "start 4-way handshake");
661 /* Go to PTKINITDONE state to allow GTK rekeying */
662 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
663 sm->Pair = TRUE;
664 return 0;
665 }
666 #endif /* CONFIG_IEEE80211R_AP */
667
668 #ifdef CONFIG_FILS
669 if (sm->fils_completed) {
670 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
671 "FILS authentication already completed - do not start 4-way handshake");
672 /* Go to PTKINITDONE state to allow GTK rekeying */
673 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
674 sm->Pair = TRUE;
675 return 0;
676 }
677 #endif /* CONFIG_FILS */
678
679 if (sm->started) {
680 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
681 sm->ReAuthenticationRequest = TRUE;
682 return wpa_sm_step(sm);
683 }
684
685 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
686 "start authentication");
687 sm->started = 1;
688
689 sm->Init = TRUE;
690 if (wpa_sm_step(sm) == 1)
691 return 1; /* should not really happen */
692 sm->Init = FALSE;
693 sm->AuthenticationRequest = TRUE;
694 return wpa_sm_step(sm);
695 }
696
697
698 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
699 {
700 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
701 * reassociates back to the same AP while the previous entry for the
702 * STA has not yet been removed. */
703 if (sm == NULL)
704 return;
705
706 sm->wpa_key_mgmt = 0;
707 }
708
709
710 static void wpa_free_sta_sm(struct wpa_state_machine *sm)
711 {
712 #ifdef CONFIG_P2P
713 if (WPA_GET_BE32(sm->ip_addr)) {
714 u32 start;
715 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
716 "address %u.%u.%u.%u from " MACSTR,
717 sm->ip_addr[0], sm->ip_addr[1],
718 sm->ip_addr[2], sm->ip_addr[3],
719 MAC2STR(sm->addr));
720 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
721 bitfield_clear(sm->wpa_auth->ip_pool,
722 WPA_GET_BE32(sm->ip_addr) - start);
723 }
724 #endif /* CONFIG_P2P */
725 if (sm->GUpdateStationKeys) {
726 sm->group->GKeyDoneStations--;
727 sm->GUpdateStationKeys = FALSE;
728 }
729 #ifdef CONFIG_IEEE80211R_AP
730 os_free(sm->assoc_resp_ftie);
731 wpabuf_free(sm->ft_pending_req_ies);
732 #endif /* CONFIG_IEEE80211R_AP */
733 os_free(sm->last_rx_eapol_key);
734 os_free(sm->wpa_ie);
735 os_free(sm->rsnxe);
736 wpa_group_put(sm->wpa_auth, sm->group);
737 #ifdef CONFIG_DPP2
738 wpabuf_clear_free(sm->dpp_z);
739 #endif /* CONFIG_DPP2 */
740 bin_clear_free(sm, sizeof(*sm));
741 }
742
743
744 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
745 {
746 if (sm == NULL)
747 return;
748
749 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
750 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
751 "strict rekeying - force GTK rekey since STA "
752 "is leaving");
753 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk,
754 sm->wpa_auth, NULL) == -1)
755 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
756 NULL);
757 }
758
759 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
760 sm->pending_1_of_4_timeout = 0;
761 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
762 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
763 #ifdef CONFIG_IEEE80211R_AP
764 wpa_ft_sta_deinit(sm);
765 #endif /* CONFIG_IEEE80211R_AP */
766 if (sm->in_step_loop) {
767 /* Must not free state machine while wpa_sm_step() is running.
768 * Freeing will be completed in the end of wpa_sm_step(). */
769 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
770 "machine deinit for " MACSTR, MAC2STR(sm->addr));
771 sm->pending_deinit = 1;
772 } else
773 wpa_free_sta_sm(sm);
774 }
775
776
777 static void wpa_request_new_ptk(struct wpa_state_machine *sm)
778 {
779 if (sm == NULL)
780 return;
781
782 sm->PTKRequest = TRUE;
783 sm->PTK_valid = 0;
784 }
785
786
787 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
788 const u8 *replay_counter)
789 {
790 int i;
791 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
792 if (!ctr[i].valid)
793 break;
794 if (os_memcmp(replay_counter, ctr[i].counter,
795 WPA_REPLAY_COUNTER_LEN) == 0)
796 return 1;
797 }
798 return 0;
799 }
800
801
802 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
803 const u8 *replay_counter)
804 {
805 int i;
806 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
807 if (ctr[i].valid &&
808 (replay_counter == NULL ||
809 os_memcmp(replay_counter, ctr[i].counter,
810 WPA_REPLAY_COUNTER_LEN) == 0))
811 ctr[i].valid = FALSE;
812 }
813 }
814
815
816 #ifdef CONFIG_IEEE80211R_AP
817 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
818 struct wpa_state_machine *sm,
819 struct wpa_eapol_ie_parse *kde)
820 {
821 struct wpa_ie_data ie;
822 struct rsn_mdie *mdie;
823
824 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
825 ie.num_pmkid != 1 || ie.pmkid == NULL) {
826 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
827 "FT 4-way handshake message 2/4");
828 return -1;
829 }
830
831 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
832 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
833 sm->sup_pmk_r1_name, PMKID_LEN);
834
835 if (!kde->mdie || !kde->ftie) {
836 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
837 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
838 return -1;
839 }
840
841 mdie = (struct rsn_mdie *) (kde->mdie + 2);
842 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
843 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
844 MOBILITY_DOMAIN_ID_LEN) != 0) {
845 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
846 return -1;
847 }
848
849 if (sm->assoc_resp_ftie &&
850 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
851 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
852 2 + sm->assoc_resp_ftie[1]) != 0)) {
853 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
854 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
855 kde->ftie, kde->ftie_len);
856 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
857 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
858 return -1;
859 }
860
861 return 0;
862 }
863 #endif /* CONFIG_IEEE80211R_AP */
864
865
866 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
867 struct wpa_state_machine *sm, int group)
868 {
869 /* Supplicant reported a Michael MIC error */
870 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
871 "received EAPOL-Key Error Request "
872 "(STA detected Michael MIC failure (group=%d))",
873 group);
874
875 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
876 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
877 "ignore Michael MIC failure report since "
878 "group cipher is not TKIP");
879 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
880 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
881 "ignore Michael MIC failure report since "
882 "pairwise cipher is not TKIP");
883 } else {
884 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
885 return 1; /* STA entry was removed */
886 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
887 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
888 }
889
890 /*
891 * Error report is not a request for a new key handshake, but since
892 * Authenticator may do it, let's change the keys now anyway.
893 */
894 wpa_request_new_ptk(sm);
895 return 0;
896 }
897
898
899 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
900 size_t data_len)
901 {
902 struct wpa_ptk PTK;
903 int ok = 0;
904 const u8 *pmk = NULL;
905 size_t pmk_len;
906 int vlan_id = 0;
907
908 os_memset(&PTK, 0, sizeof(PTK));
909 for (;;) {
910 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
911 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
912 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
913 sm->p2p_dev_addr, pmk, &pmk_len,
914 &vlan_id);
915 if (pmk == NULL)
916 break;
917 #ifdef CONFIG_IEEE80211R_AP
918 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
919 os_memcpy(sm->xxkey, pmk, pmk_len);
920 sm->xxkey_len = pmk_len;
921 }
922 #endif /* CONFIG_IEEE80211R_AP */
923 } else {
924 pmk = sm->PMK;
925 pmk_len = sm->pmk_len;
926 }
927
928 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0)
929 break;
930
931 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
932 data, data_len) == 0) {
933 if (sm->PMK != pmk) {
934 os_memcpy(sm->PMK, pmk, pmk_len);
935 sm->pmk_len = pmk_len;
936 }
937 ok = 1;
938 break;
939 }
940
941 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
942 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
943 break;
944 }
945
946 if (!ok) {
947 wpa_printf(MSG_DEBUG,
948 "WPA: Earlier SNonce did not result in matching MIC");
949 return -1;
950 }
951
952 wpa_printf(MSG_DEBUG,
953 "WPA: Earlier SNonce resulted in matching MIC");
954 sm->alt_snonce_valid = 0;
955
956 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
957 wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0)
958 return -1;
959
960 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
961 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
962 forced_memzero(&PTK, sizeof(PTK));
963 sm->PTK_valid = TRUE;
964
965 return 0;
966 }
967
968
969 void wpa_receive(struct wpa_authenticator *wpa_auth,
970 struct wpa_state_machine *sm,
971 u8 *data, size_t data_len)
972 {
973 struct ieee802_1x_hdr *hdr;
974 struct wpa_eapol_key *key;
975 u16 key_info, key_data_length;
976 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg;
977 char *msgtxt;
978 struct wpa_eapol_ie_parse kde;
979 const u8 *key_data;
980 size_t keyhdrlen, mic_len;
981 u8 *mic;
982
983 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
984 return;
985 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
986
987 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
988 keyhdrlen = sizeof(*key) + mic_len + 2;
989
990 if (data_len < sizeof(*hdr) + keyhdrlen) {
991 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
992 return;
993 }
994
995 hdr = (struct ieee802_1x_hdr *) data;
996 key = (struct wpa_eapol_key *) (hdr + 1);
997 mic = (u8 *) (key + 1);
998 key_info = WPA_GET_BE16(key->key_info);
999 key_data = mic + mic_len + 2;
1000 key_data_length = WPA_GET_BE16(mic + mic_len);
1001 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
1002 " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
1003 MAC2STR(sm->addr), key_info, key->type,
1004 (unsigned int) mic_len, key_data_length);
1005 wpa_hexdump(MSG_MSGDUMP,
1006 "WPA: EAPOL-Key header (ending before Key MIC)",
1007 key, sizeof(*key));
1008 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
1009 mic, mic_len);
1010 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
1011 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
1012 "key_data overflow (%d > %lu)",
1013 key_data_length,
1014 (unsigned long) (data_len - sizeof(*hdr) -
1015 keyhdrlen));
1016 return;
1017 }
1018
1019 if (sm->wpa == WPA_VERSION_WPA2) {
1020 if (key->type == EAPOL_KEY_TYPE_WPA) {
1021 /*
1022 * Some deployed station implementations seem to send
1023 * msg 4/4 with incorrect type value in WPA2 mode.
1024 */
1025 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
1026 "with unexpected WPA type in RSN mode");
1027 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
1028 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
1029 "unexpected type %d in RSN mode",
1030 key->type);
1031 return;
1032 }
1033 } else {
1034 if (key->type != EAPOL_KEY_TYPE_WPA) {
1035 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
1036 "unexpected type %d in WPA mode",
1037 key->type);
1038 return;
1039 }
1040 }
1041
1042 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
1043 WPA_NONCE_LEN);
1044 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
1045 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1046
1047 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
1048 * are set */
1049
1050 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
1051 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message");
1052 return;
1053 }
1054
1055 if (key_info & WPA_KEY_INFO_REQUEST) {
1056 msg = REQUEST;
1057 msgtxt = "Request";
1058 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
1059 msg = GROUP_2;
1060 msgtxt = "2/2 Group";
1061 } else if (key_data_length == 0 ||
1062 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1063 key_data_length == AES_BLOCK_SIZE)) {
1064 msg = PAIRWISE_4;
1065 msgtxt = "4/4 Pairwise";
1066 } else {
1067 msg = PAIRWISE_2;
1068 msgtxt = "2/4 Pairwise";
1069 }
1070
1071 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1072 msg == GROUP_2) {
1073 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
1074 if (sm->pairwise == WPA_CIPHER_CCMP ||
1075 sm->pairwise == WPA_CIPHER_GCMP) {
1076 if (wpa_use_cmac(sm->wpa_key_mgmt) &&
1077 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1078 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1079 wpa_auth_logger(wpa_auth, sm->addr,
1080 LOGGER_WARNING,
1081 "advertised support for "
1082 "AES-128-CMAC, but did not "
1083 "use it");
1084 return;
1085 }
1086
1087 if (!wpa_use_cmac(sm->wpa_key_mgmt) &&
1088 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1089 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1090 wpa_auth_logger(wpa_auth, sm->addr,
1091 LOGGER_WARNING,
1092 "did not use HMAC-SHA1-AES "
1093 "with CCMP/GCMP");
1094 return;
1095 }
1096 }
1097
1098 if (wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1099 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1100 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1101 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1102 return;
1103 }
1104 }
1105
1106 if (key_info & WPA_KEY_INFO_REQUEST) {
1107 if (sm->req_replay_counter_used &&
1108 os_memcmp(key->replay_counter, sm->req_replay_counter,
1109 WPA_REPLAY_COUNTER_LEN) <= 0) {
1110 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1111 "received EAPOL-Key request with "
1112 "replayed counter");
1113 return;
1114 }
1115 }
1116
1117 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
1118 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
1119 int i;
1120
1121 if (msg == PAIRWISE_2 &&
1122 wpa_replay_counter_valid(sm->prev_key_replay,
1123 key->replay_counter) &&
1124 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1125 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1126 {
1127 /*
1128 * Some supplicant implementations (e.g., Windows XP
1129 * WZC) update SNonce for each EAPOL-Key 2/4. This
1130 * breaks the workaround on accepting any of the
1131 * pending requests, so allow the SNonce to be updated
1132 * even if we have already sent out EAPOL-Key 3/4.
1133 */
1134 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1135 "Process SNonce update from STA "
1136 "based on retransmitted EAPOL-Key "
1137 "1/4");
1138 sm->update_snonce = 1;
1139 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1140 sm->alt_snonce_valid = TRUE;
1141 os_memcpy(sm->alt_replay_counter,
1142 sm->key_replay[0].counter,
1143 WPA_REPLAY_COUNTER_LEN);
1144 goto continue_processing;
1145 }
1146
1147 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1148 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1149 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1150 WPA_REPLAY_COUNTER_LEN) == 0) {
1151 /*
1152 * Supplicant may still be using the old SNonce since
1153 * there was two EAPOL-Key 2/4 messages and they had
1154 * different SNonce values.
1155 */
1156 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1157 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
1158 goto continue_processing;
1159 }
1160
1161 if (msg == PAIRWISE_2 &&
1162 wpa_replay_counter_valid(sm->prev_key_replay,
1163 key->replay_counter) &&
1164 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1165 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1166 "ignore retransmitted EAPOL-Key %s - "
1167 "SNonce did not change", msgtxt);
1168 } else {
1169 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1170 "received EAPOL-Key %s with "
1171 "unexpected replay counter", msgtxt);
1172 }
1173 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1174 if (!sm->key_replay[i].valid)
1175 break;
1176 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1177 sm->key_replay[i].counter,
1178 WPA_REPLAY_COUNTER_LEN);
1179 }
1180 wpa_hexdump(MSG_DEBUG, "received replay counter",
1181 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1182 return;
1183 }
1184
1185 continue_processing:
1186 #ifdef CONFIG_FILS
1187 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1188 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1189 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1190 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1191 return;
1192 }
1193 #endif /* CONFIG_FILS */
1194
1195 switch (msg) {
1196 case PAIRWISE_2:
1197 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
1198 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1199 (!sm->update_snonce ||
1200 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
1201 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1202 "received EAPOL-Key msg 2/4 in "
1203 "invalid state (%d) - dropped",
1204 sm->wpa_ptk_state);
1205 return;
1206 }
1207 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
1208 if (sm->group->reject_4way_hs_for_entropy) {
1209 /*
1210 * The system did not have enough entropy to generate
1211 * strong random numbers. Reject the first 4-way
1212 * handshake(s) and collect some entropy based on the
1213 * information from it. Once enough entropy is
1214 * available, the next atempt will trigger GMK/Key
1215 * Counter update and the station will be allowed to
1216 * continue.
1217 */
1218 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1219 "collect more entropy for random number "
1220 "generation");
1221 random_mark_pool_ready();
1222 wpa_sta_disconnect(wpa_auth, sm->addr,
1223 WLAN_REASON_PREV_AUTH_NOT_VALID);
1224 return;
1225 }
1226 break;
1227 case PAIRWISE_4:
1228 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1229 !sm->PTK_valid) {
1230 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1231 "received EAPOL-Key msg 4/4 in "
1232 "invalid state (%d) - dropped",
1233 sm->wpa_ptk_state);
1234 return;
1235 }
1236 break;
1237 case GROUP_2:
1238 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1239 || !sm->PTK_valid) {
1240 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1241 "received EAPOL-Key msg 2/2 in "
1242 "invalid state (%d) - dropped",
1243 sm->wpa_ptk_group_state);
1244 return;
1245 }
1246 break;
1247 case REQUEST:
1248 break;
1249 }
1250
1251 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1252 "received EAPOL-Key frame (%s)", msgtxt);
1253
1254 if (key_info & WPA_KEY_INFO_ACK) {
1255 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1256 "received invalid EAPOL-Key: Key Ack set");
1257 return;
1258 }
1259
1260 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1261 !(key_info & WPA_KEY_INFO_MIC)) {
1262 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1263 "received invalid EAPOL-Key: Key MIC not set");
1264 return;
1265 }
1266
1267 #ifdef CONFIG_FILS
1268 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1269 (key_info & WPA_KEY_INFO_MIC)) {
1270 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1271 "received invalid EAPOL-Key: Key MIC set");
1272 return;
1273 }
1274 #endif /* CONFIG_FILS */
1275
1276 sm->MICVerified = FALSE;
1277 if (sm->PTK_valid && !sm->update_snonce) {
1278 if (mic_len &&
1279 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK,
1280 data, data_len) &&
1281 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1282 wpa_try_alt_snonce(sm, data, data_len))) {
1283 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1284 "received EAPOL-Key with invalid MIC");
1285 #ifdef TEST_FUZZ
1286 wpa_printf(MSG_INFO,
1287 "TEST: Ignore Key MIC failure for fuzz testing");
1288 goto continue_fuzz;
1289 #endif /* TEST_FUZZ */
1290 return;
1291 }
1292 #ifdef CONFIG_FILS
1293 if (!mic_len &&
1294 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1295 &key_data_length) < 0) {
1296 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1297 "received EAPOL-Key with invalid MIC");
1298 #ifdef TEST_FUZZ
1299 wpa_printf(MSG_INFO,
1300 "TEST: Ignore Key MIC failure for fuzz testing");
1301 goto continue_fuzz;
1302 #endif /* TEST_FUZZ */
1303 return;
1304 }
1305 #endif /* CONFIG_FILS */
1306 #ifdef TEST_FUZZ
1307 continue_fuzz:
1308 #endif /* TEST_FUZZ */
1309 sm->MICVerified = TRUE;
1310 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1311 sm->pending_1_of_4_timeout = 0;
1312 }
1313
1314 if (key_info & WPA_KEY_INFO_REQUEST) {
1315 if (sm->MICVerified) {
1316 sm->req_replay_counter_used = 1;
1317 os_memcpy(sm->req_replay_counter, key->replay_counter,
1318 WPA_REPLAY_COUNTER_LEN);
1319 } else {
1320 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1321 "received EAPOL-Key request with "
1322 "invalid MIC");
1323 return;
1324 }
1325
1326 /*
1327 * TODO: should decrypt key data field if encryption was used;
1328 * even though MAC address KDE is not normally encrypted,
1329 * supplicant is allowed to encrypt it.
1330 */
1331 if (key_info & WPA_KEY_INFO_ERROR) {
1332 if (wpa_receive_error_report(
1333 wpa_auth, sm,
1334 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1335 return; /* STA entry was removed */
1336 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1337 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1338 "received EAPOL-Key Request for new "
1339 "4-Way Handshake");
1340 wpa_request_new_ptk(sm);
1341 } else if (key_data_length > 0 &&
1342 wpa_parse_kde_ies(key_data, key_data_length,
1343 &kde) == 0 &&
1344 kde.mac_addr) {
1345 } else {
1346 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1347 "received EAPOL-Key Request for GTK "
1348 "rekeying");
1349 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1350 wpa_rekey_gtk(wpa_auth, NULL);
1351 }
1352 } else {
1353 /* Do not allow the same key replay counter to be reused. */
1354 wpa_replay_counter_mark_invalid(sm->key_replay,
1355 key->replay_counter);
1356
1357 if (msg == PAIRWISE_2) {
1358 /*
1359 * Maintain a copy of the pending EAPOL-Key frames in
1360 * case the EAPOL-Key frame was retransmitted. This is
1361 * needed to allow EAPOL-Key msg 2/4 reply to another
1362 * pending msg 1/4 to update the SNonce to work around
1363 * unexpected supplicant behavior.
1364 */
1365 os_memcpy(sm->prev_key_replay, sm->key_replay,
1366 sizeof(sm->key_replay));
1367 } else {
1368 os_memset(sm->prev_key_replay, 0,
1369 sizeof(sm->prev_key_replay));
1370 }
1371
1372 /*
1373 * Make sure old valid counters are not accepted anymore and
1374 * do not get copied again.
1375 */
1376 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1377 }
1378
1379 os_free(sm->last_rx_eapol_key);
1380 sm->last_rx_eapol_key = os_memdup(data, data_len);
1381 if (sm->last_rx_eapol_key == NULL)
1382 return;
1383 sm->last_rx_eapol_key_len = data_len;
1384
1385 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1386 sm->EAPOLKeyReceived = TRUE;
1387 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1388 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1389 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1390 wpa_sm_step(sm);
1391 }
1392
1393
1394 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1395 const u8 *gnonce, u8 *gtk, size_t gtk_len)
1396 {
1397 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN];
1398 u8 *pos;
1399 int ret = 0;
1400
1401 /* GTK = PRF-X(GMK, "Group key expansion",
1402 * AA || GNonce || Time || random data)
1403 * The example described in the IEEE 802.11 standard uses only AA and
1404 * GNonce as inputs here. Add some more entropy since this derivation
1405 * is done only at the Authenticator and as such, does not need to be
1406 * exactly same.
1407 */
1408 os_memset(data, 0, sizeof(data));
1409 os_memcpy(data, addr, ETH_ALEN);
1410 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1411 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1412 wpa_get_ntp_timestamp(pos);
1413 #ifdef TEST_FUZZ
1414 os_memset(pos, 0xef, 8);
1415 #endif /* TEST_FUZZ */
1416 pos += 8;
1417 if (random_get_bytes(pos, gtk_len) < 0)
1418 ret = -1;
1419
1420 #ifdef CONFIG_SHA384
1421 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1422 gtk, gtk_len) < 0)
1423 ret = -1;
1424 #else /* CONFIG_SHA384 */
1425 #ifdef CONFIG_SHA256
1426 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1427 gtk, gtk_len) < 0)
1428 ret = -1;
1429 #else /* CONFIG_SHA256 */
1430 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1431 gtk, gtk_len) < 0)
1432 ret = -1;
1433 #endif /* CONFIG_SHA256 */
1434 #endif /* CONFIG_SHA384 */
1435
1436 forced_memzero(data, sizeof(data));
1437
1438 return ret;
1439 }
1440
1441
1442 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1443 {
1444 struct wpa_authenticator *wpa_auth = eloop_ctx;
1445 struct wpa_state_machine *sm = timeout_ctx;
1446
1447 sm->pending_1_of_4_timeout = 0;
1448 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1449 sm->TimeoutEvt = TRUE;
1450 wpa_sm_step(sm);
1451 }
1452
1453
1454 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1455 struct wpa_state_machine *sm, int key_info,
1456 const u8 *key_rsc, const u8 *nonce,
1457 const u8 *kde, size_t kde_len,
1458 int keyidx, int encr, int force_version)
1459 {
1460 struct ieee802_1x_hdr *hdr;
1461 struct wpa_eapol_key *key;
1462 size_t len, mic_len, keyhdrlen;
1463 int alg;
1464 int key_data_len, pad_len = 0;
1465 u8 *buf, *pos;
1466 int version, pairwise;
1467 int i;
1468 u8 *key_mic, *key_data;
1469
1470 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
1471 keyhdrlen = sizeof(*key) + mic_len + 2;
1472
1473 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
1474
1475 if (force_version)
1476 version = force_version;
1477 else if (wpa_use_akm_defined(sm->wpa_key_mgmt))
1478 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
1479 else if (wpa_use_cmac(sm->wpa_key_mgmt))
1480 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1481 else if (sm->pairwise != WPA_CIPHER_TKIP)
1482 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1483 else
1484 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1485
1486 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1487
1488 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1489 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1490 "encr=%d)",
1491 version,
1492 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1493 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1494 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1495 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1496 pairwise, (unsigned long) kde_len, keyidx, encr);
1497
1498 key_data_len = kde_len;
1499
1500 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1501 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
1502 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1503 pad_len = key_data_len % 8;
1504 if (pad_len)
1505 pad_len = 8 - pad_len;
1506 key_data_len += pad_len + 8;
1507 }
1508
1509 len += key_data_len;
1510 if (!mic_len && encr)
1511 len += AES_BLOCK_SIZE;
1512
1513 hdr = os_zalloc(len);
1514 if (hdr == NULL)
1515 return;
1516 hdr->version = wpa_auth->conf.eapol_version;
1517 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1518 hdr->length = host_to_be16(len - sizeof(*hdr));
1519 key = (struct wpa_eapol_key *) (hdr + 1);
1520 key_mic = (u8 *) (key + 1);
1521 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
1522
1523 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1524 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1525 key_info |= version;
1526 if (encr && sm->wpa == WPA_VERSION_WPA2)
1527 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1528 if (sm->wpa != WPA_VERSION_WPA2)
1529 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1530 WPA_PUT_BE16(key->key_info, key_info);
1531
1532 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
1533 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise)
1534 WPA_PUT_BE16(key->key_length, 0);
1535 else
1536 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
1537
1538 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1539 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1540 os_memcpy(sm->key_replay[i].counter,
1541 sm->key_replay[i - 1].counter,
1542 WPA_REPLAY_COUNTER_LEN);
1543 }
1544 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1545 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
1546 WPA_REPLAY_COUNTER_LEN);
1547 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1548 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1549 sm->key_replay[0].valid = TRUE;
1550
1551 if (nonce)
1552 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1553
1554 if (key_rsc)
1555 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1556
1557 if (kde && !encr) {
1558 os_memcpy(key_data, kde, kde_len);
1559 WPA_PUT_BE16(key_mic + mic_len, kde_len);
1560 #ifdef CONFIG_FILS
1561 } else if (!mic_len && kde) {
1562 const u8 *aad[1];
1563 size_t aad_len[1];
1564
1565 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1566 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1567 kde, kde_len);
1568
1569 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1570 sm->PTK.kek, sm->PTK.kek_len);
1571 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1572 * to Key Data (exclusive). */
1573 aad[0] = (u8 *) hdr;
1574 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1575 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1576 1, aad, aad_len, key_mic + 2) < 0) {
1577 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1578 return;
1579 }
1580
1581 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1582 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1583 #endif /* CONFIG_FILS */
1584 } else if (encr && kde) {
1585 buf = os_zalloc(key_data_len);
1586 if (buf == NULL) {
1587 os_free(hdr);
1588 return;
1589 }
1590 pos = buf;
1591 os_memcpy(pos, kde, kde_len);
1592 pos += kde_len;
1593
1594 if (pad_len)
1595 *pos++ = 0xdd;
1596
1597 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1598 buf, key_data_len);
1599 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1600 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
1601 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1602 wpa_printf(MSG_DEBUG,
1603 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)",
1604 (unsigned int) sm->PTK.kek_len);
1605 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
1606 (key_data_len - 8) / 8, buf, key_data)) {
1607 os_free(hdr);
1608 os_free(buf);
1609 return;
1610 }
1611 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
1612 #ifndef CONFIG_NO_RC4
1613 } else if (sm->PTK.kek_len == 16) {
1614 u8 ek[32];
1615
1616 wpa_printf(MSG_DEBUG,
1617 "WPA: Encrypt Key Data using RC4");
1618 os_memcpy(key->key_iv,
1619 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1620 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1621 os_memcpy(ek, key->key_iv, 16);
1622 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
1623 os_memcpy(key_data, buf, key_data_len);
1624 rc4_skip(ek, 32, 256, key_data, key_data_len);
1625 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
1626 #endif /* CONFIG_NO_RC4 */
1627 } else {
1628 os_free(hdr);
1629 os_free(buf);
1630 return;
1631 }
1632 os_free(buf);
1633 }
1634
1635 if (key_info & WPA_KEY_INFO_MIC) {
1636 if (!sm->PTK_valid || !mic_len) {
1637 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1638 "PTK not valid when sending EAPOL-Key "
1639 "frame");
1640 os_free(hdr);
1641 return;
1642 }
1643
1644 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1645 sm->wpa_key_mgmt, version,
1646 (u8 *) hdr, len, key_mic) < 0) {
1647 os_free(hdr);
1648 return;
1649 }
1650 #ifdef CONFIG_TESTING_OPTIONS
1651 if (!pairwise &&
1652 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
1653 drand48() <
1654 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1655 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1656 "Corrupting group EAPOL-Key Key MIC");
1657 key_mic[0]++;
1658 }
1659 #endif /* CONFIG_TESTING_OPTIONS */
1660 }
1661
1662 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1663 1);
1664 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1665 sm->pairwise_set);
1666 os_free(hdr);
1667 }
1668
1669
1670 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1671 struct wpa_state_machine *sm, int key_info,
1672 const u8 *key_rsc, const u8 *nonce,
1673 const u8 *kde, size_t kde_len,
1674 int keyidx, int encr)
1675 {
1676 int timeout_ms;
1677 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1678 u32 ctr;
1679
1680 if (sm == NULL)
1681 return;
1682
1683 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1684 keyidx, encr, 0);
1685
1686 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
1687 if (ctr == 1 && wpa_auth->conf.tx_status)
1688 timeout_ms = pairwise ? eapol_key_timeout_first :
1689 eapol_key_timeout_first_group;
1690 else
1691 timeout_ms = eapol_key_timeout_subseq;
1692 if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
1693 (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
1694 timeout_ms = eapol_key_timeout_no_retrans;
1695 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1696 sm->pending_1_of_4_timeout = 1;
1697 #ifdef TEST_FUZZ
1698 timeout_ms = 1;
1699 #endif /* TEST_FUZZ */
1700 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
1701 "counter %u)", timeout_ms, ctr);
1702 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1703 wpa_send_eapol_timeout, wpa_auth, sm);
1704 }
1705
1706
1707 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
1708 u8 *data, size_t data_len)
1709 {
1710 struct ieee802_1x_hdr *hdr;
1711 struct wpa_eapol_key *key;
1712 u16 key_info;
1713 int ret = 0;
1714 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
1715 size_t mic_len = wpa_mic_len(akmp, pmk_len);
1716
1717 if (data_len < sizeof(*hdr) + sizeof(*key))
1718 return -1;
1719
1720 hdr = (struct ieee802_1x_hdr *) data;
1721 key = (struct wpa_eapol_key *) (hdr + 1);
1722 mic_pos = (u8 *) (key + 1);
1723 key_info = WPA_GET_BE16(key->key_info);
1724 os_memcpy(mic, mic_pos, mic_len);
1725 os_memset(mic_pos, 0, mic_len);
1726 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1727 key_info & WPA_KEY_INFO_TYPE_MASK,
1728 data, data_len, mic_pos) ||
1729 os_memcmp_const(mic, mic_pos, mic_len) != 0)
1730 ret = -1;
1731 os_memcpy(mic_pos, mic, mic_len);
1732 return ret;
1733 }
1734
1735
1736 void wpa_remove_ptk(struct wpa_state_machine *sm)
1737 {
1738 sm->PTK_valid = FALSE;
1739 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1740 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1741 0))
1742 wpa_printf(MSG_DEBUG,
1743 "RSN: PTK removal from the driver failed");
1744 sm->pairwise_set = FALSE;
1745 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
1746 }
1747
1748
1749 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
1750 {
1751 int remove_ptk = 1;
1752
1753 if (sm == NULL)
1754 return -1;
1755
1756 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1757 "event %d notification", event);
1758
1759 switch (event) {
1760 case WPA_AUTH:
1761 #ifdef CONFIG_MESH
1762 /* PTKs are derived through AMPE */
1763 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1764 /* not mesh */
1765 break;
1766 }
1767 return 0;
1768 #endif /* CONFIG_MESH */
1769 case WPA_ASSOC:
1770 break;
1771 case WPA_DEAUTH:
1772 case WPA_DISASSOC:
1773 sm->DeauthenticationRequest = TRUE;
1774 #ifdef CONFIG_IEEE80211R_AP
1775 os_memset(sm->PMK, 0, sizeof(sm->PMK));
1776 sm->pmk_len = 0;
1777 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
1778 sm->xxkey_len = 0;
1779 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
1780 sm->pmk_r1_len = 0;
1781 #endif /* CONFIG_IEEE80211R_AP */
1782 break;
1783 case WPA_REAUTH:
1784 case WPA_REAUTH_EAPOL:
1785 if (!sm->started) {
1786 /*
1787 * When using WPS, we may end up here if the STA
1788 * manages to re-associate without the previous STA
1789 * entry getting removed. Consequently, we need to make
1790 * sure that the WPA state machines gets initialized
1791 * properly at this point.
1792 */
1793 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1794 "started - initialize now");
1795 sm->started = 1;
1796 sm->Init = TRUE;
1797 if (wpa_sm_step(sm) == 1)
1798 return 1; /* should not really happen */
1799 sm->Init = FALSE;
1800 sm->AuthenticationRequest = TRUE;
1801 break;
1802 }
1803 if (sm->GUpdateStationKeys) {
1804 /*
1805 * Reauthentication cancels the pending group key
1806 * update for this STA.
1807 */
1808 sm->group->GKeyDoneStations--;
1809 sm->GUpdateStationKeys = FALSE;
1810 sm->PtkGroupInit = TRUE;
1811 }
1812 sm->ReAuthenticationRequest = TRUE;
1813 break;
1814 case WPA_ASSOC_FT:
1815 #ifdef CONFIG_IEEE80211R_AP
1816 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1817 "after association");
1818 wpa_ft_install_ptk(sm);
1819
1820 /* Using FT protocol, not WPA auth state machine */
1821 sm->ft_completed = 1;
1822 wpa_auth_set_ptk_rekey_timer(sm);
1823 return 0;
1824 #else /* CONFIG_IEEE80211R_AP */
1825 break;
1826 #endif /* CONFIG_IEEE80211R_AP */
1827 case WPA_ASSOC_FILS:
1828 #ifdef CONFIG_FILS
1829 wpa_printf(MSG_DEBUG,
1830 "FILS: TK configuration after association");
1831 fils_set_tk(sm);
1832 sm->fils_completed = 1;
1833 return 0;
1834 #else /* CONFIG_FILS */
1835 break;
1836 #endif /* CONFIG_FILS */
1837 case WPA_DRV_STA_REMOVED:
1838 sm->tk_already_set = FALSE;
1839 return 0;
1840 }
1841
1842 #ifdef CONFIG_IEEE80211R_AP
1843 sm->ft_completed = 0;
1844 #endif /* CONFIG_IEEE80211R_AP */
1845
1846 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1847 remove_ptk = 0;
1848 #ifdef CONFIG_FILS
1849 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1850 (event == WPA_AUTH || event == WPA_ASSOC))
1851 remove_ptk = 0;
1852 #endif /* CONFIG_FILS */
1853
1854 if (remove_ptk) {
1855 sm->PTK_valid = FALSE;
1856 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1857
1858 if (event != WPA_REAUTH_EAPOL)
1859 wpa_remove_ptk(sm);
1860 }
1861
1862 if (sm->in_step_loop) {
1863 /*
1864 * wpa_sm_step() is already running - avoid recursive call to
1865 * it by making the existing loop process the new update.
1866 */
1867 sm->changed = TRUE;
1868 return 0;
1869 }
1870 return wpa_sm_step(sm);
1871 }
1872
1873
1874 SM_STATE(WPA_PTK, INITIALIZE)
1875 {
1876 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1877 if (sm->Init) {
1878 /* Init flag is not cleared here, so avoid busy
1879 * loop by claiming nothing changed. */
1880 sm->changed = FALSE;
1881 }
1882
1883 sm->keycount = 0;
1884 if (sm->GUpdateStationKeys)
1885 sm->group->GKeyDoneStations--;
1886 sm->GUpdateStationKeys = FALSE;
1887 if (sm->wpa == WPA_VERSION_WPA)
1888 sm->PInitAKeys = FALSE;
1889 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1890 * Local AA > Remote AA)) */) {
1891 sm->Pair = TRUE;
1892 }
1893 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1894 wpa_remove_ptk(sm);
1895 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1896 sm->TimeoutCtr = 0;
1897 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
1898 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
1899 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
1900 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1901 WPA_EAPOL_authorized, 0);
1902 }
1903 }
1904
1905
1906 SM_STATE(WPA_PTK, DISCONNECT)
1907 {
1908 u16 reason = sm->disconnect_reason;
1909
1910 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1911 sm->Disconnect = FALSE;
1912 sm->disconnect_reason = 0;
1913 if (!reason)
1914 reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
1915 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason);
1916 }
1917
1918
1919 SM_STATE(WPA_PTK, DISCONNECTED)
1920 {
1921 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1922 sm->DeauthenticationRequest = FALSE;
1923 }
1924
1925
1926 SM_STATE(WPA_PTK, AUTHENTICATION)
1927 {
1928 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1929 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1930 sm->PTK_valid = FALSE;
1931 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1932 1);
1933 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1934 sm->AuthenticationRequest = FALSE;
1935 }
1936
1937
1938 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1939 struct wpa_group *group)
1940 {
1941 if (group->first_sta_seen)
1942 return;
1943 /*
1944 * System has run bit further than at the time hostapd was started
1945 * potentially very early during boot up. This provides better chances
1946 * of collecting more randomness on embedded systems. Re-initialize the
1947 * GMK and Counter here to improve their strength if there was not
1948 * enough entropy available immediately after system startup.
1949 */
1950 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1951 "station");
1952 if (random_pool_ready() != 1) {
1953 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1954 "to proceed - reject first 4-way handshake");
1955 group->reject_4way_hs_for_entropy = TRUE;
1956 } else {
1957 group->first_sta_seen = TRUE;
1958 group->reject_4way_hs_for_entropy = FALSE;
1959 }
1960
1961 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1962 wpa_gtk_update(wpa_auth, group) < 0 ||
1963 wpa_group_config_group_keys(wpa_auth, group) < 0) {
1964 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1965 group->first_sta_seen = FALSE;
1966 group->reject_4way_hs_for_entropy = TRUE;
1967 }
1968 }
1969
1970
1971 SM_STATE(WPA_PTK, AUTHENTICATION2)
1972 {
1973 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1974
1975 wpa_group_ensure_init(sm->wpa_auth, sm->group);
1976 sm->ReAuthenticationRequest = FALSE;
1977
1978 /*
1979 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1980 * ambiguous. The Authenticator state machine uses a counter that is
1981 * incremented by one for each 4-way handshake. However, the security
1982 * analysis of 4-way handshake points out that unpredictable nonces
1983 * help in preventing precomputation attacks. Instead of the state
1984 * machine definition, use an unpredictable nonce value here to provide
1985 * stronger protection against potential precomputation attacks.
1986 */
1987 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1988 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1989 "ANonce.");
1990 sm->Disconnect = TRUE;
1991 return;
1992 }
1993 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1994 WPA_NONCE_LEN);
1995 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1996 * logical place than INITIALIZE since AUTHENTICATION2 can be
1997 * re-entered on ReAuthenticationRequest without going through
1998 * INITIALIZE. */
1999 sm->TimeoutCtr = 0;
2000 }
2001
2002
2003 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
2004 {
2005 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
2006 wpa_printf(MSG_ERROR,
2007 "WPA: Failed to get random data for ANonce");
2008 sm->Disconnect = TRUE;
2009 return -1;
2010 }
2011 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
2012 WPA_NONCE_LEN);
2013 sm->TimeoutCtr = 0;
2014 return 0;
2015 }
2016
2017
2018 SM_STATE(WPA_PTK, INITPMK)
2019 {
2020 u8 msk[2 * PMK_LEN];
2021 size_t len = 2 * PMK_LEN;
2022
2023 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
2024 #ifdef CONFIG_IEEE80211R_AP
2025 sm->xxkey_len = 0;
2026 #endif /* CONFIG_IEEE80211R_AP */
2027 if (sm->pmksa) {
2028 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
2029 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2030 sm->pmk_len = sm->pmksa->pmk_len;
2031 #ifdef CONFIG_DPP
2032 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
2033 wpa_printf(MSG_DEBUG,
2034 "DPP: No PMKSA cache entry for STA - reject connection");
2035 sm->Disconnect = TRUE;
2036 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID;
2037 return;
2038 #endif /* CONFIG_DPP */
2039 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
2040 unsigned int pmk_len;
2041
2042 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
2043 pmk_len = PMK_LEN_SUITE_B_192;
2044 else
2045 pmk_len = PMK_LEN;
2046 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
2047 "(MSK len=%lu PMK len=%u)", (unsigned long) len,
2048 pmk_len);
2049 if (len < pmk_len) {
2050 wpa_printf(MSG_DEBUG,
2051 "WPA: MSK not long enough (%u) to create PMK (%u)",
2052 (unsigned int) len, (unsigned int) pmk_len);
2053 sm->Disconnect = TRUE;
2054 return;
2055 }
2056 os_memcpy(sm->PMK, msk, pmk_len);
2057 sm->pmk_len = pmk_len;
2058 #ifdef CONFIG_IEEE80211R_AP
2059 if (len >= 2 * PMK_LEN) {
2060 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
2061 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN);
2062 sm->xxkey_len = SHA384_MAC_LEN;
2063 } else {
2064 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
2065 sm->xxkey_len = PMK_LEN;
2066 }
2067 }
2068 #endif /* CONFIG_IEEE80211R_AP */
2069 } else {
2070 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
2071 sm->wpa_auth->cb->get_msk);
2072 sm->Disconnect = TRUE;
2073 return;
2074 }
2075 forced_memzero(msk, sizeof(msk));
2076
2077 sm->req_replay_counter_used = 0;
2078 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
2079 * will break reauthentication since EAPOL state machines may not be
2080 * get into AUTHENTICATING state that clears keyRun before WPA state
2081 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
2082 * state and takes PMK from the previously used AAA Key. This will
2083 * eventually fail in 4-Way Handshake because Supplicant uses PMK
2084 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
2085 * be good workaround for this issue. */
2086 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
2087 }
2088
2089
2090 SM_STATE(WPA_PTK, INITPSK)
2091 {
2092 const u8 *psk;
2093 size_t psk_len;
2094
2095 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
2096 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL,
2097 &psk_len, NULL);
2098 if (psk) {
2099 os_memcpy(sm->PMK, psk, psk_len);
2100 sm->pmk_len = psk_len;
2101 #ifdef CONFIG_IEEE80211R_AP
2102 os_memcpy(sm->xxkey, psk, PMK_LEN);
2103 sm->xxkey_len = PMK_LEN;
2104 #endif /* CONFIG_IEEE80211R_AP */
2105 }
2106 #ifdef CONFIG_SAE
2107 if (wpa_auth_uses_sae(sm) && sm->pmksa) {
2108 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache");
2109 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2110 sm->pmk_len = sm->pmksa->pmk_len;
2111 #ifdef CONFIG_IEEE80211R_AP
2112 os_memcpy(sm->xxkey, sm->pmksa->pmk, sm->pmksa->pmk_len);
2113 sm->xxkey_len = sm->pmksa->pmk_len;
2114 #endif /* CONFIG_IEEE80211R_AP */
2115 }
2116 #endif /* CONFIG_SAE */
2117 sm->req_replay_counter_used = 0;
2118 }
2119
2120
2121 SM_STATE(WPA_PTK, PTKSTART)
2122 {
2123 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
2124 size_t pmkid_len = 0;
2125
2126 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2127 sm->PTKRequest = FALSE;
2128 sm->TimeoutEvt = FALSE;
2129 sm->alt_snonce_valid = FALSE;
2130
2131 sm->TimeoutCtr++;
2132 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
2133 /* No point in sending the EAPOL-Key - we will disconnect
2134 * immediately following this. */
2135 return;
2136 }
2137
2138 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2139 "sending 1/4 msg of 4-Way Handshake");
2140 /*
2141 * For infrastructure BSS cases, it is better for the AP not to include
2142 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate
2143 * offline search for the passphrase/PSK without having to be able to
2144 * capture a 4-way handshake from a STA that has access to the network.
2145 *
2146 * For IBSS cases, addition of PMKID KDE could be considered even with
2147 * WPA2-PSK cases that use multiple PSKs, but only if there is a single
2148 * possible PSK for this STA. However, this should not be done unless
2149 * there is support for using that information on the supplicant side.
2150 * The concern about exposing PMKID unnecessarily in infrastructure BSS
2151 * cases would also apply here, but at least in the IBSS case, this
2152 * would cover a potential real use case.
2153 */
2154 if (sm->wpa == WPA_VERSION_WPA2 &&
2155 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) ||
2156 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) ||
2157 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) &&
2158 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
2159 pmkid = buf;
2160 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2161 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2162 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2163 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
2164 if (sm->pmksa) {
2165 wpa_hexdump(MSG_DEBUG,
2166 "RSN: Message 1/4 PMKID from PMKSA entry",
2167 sm->pmksa->pmkid, PMKID_LEN);
2168 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2169 sm->pmksa->pmkid, PMKID_LEN);
2170 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2171 /* No KCK available to derive PMKID */
2172 wpa_printf(MSG_DEBUG,
2173 "RSN: No KCK available to derive PMKID for message 1/4");
2174 pmkid = NULL;
2175 #ifdef CONFIG_FILS
2176 } else if (wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2177 if (sm->pmkid_set) {
2178 wpa_hexdump(MSG_DEBUG,
2179 "RSN: Message 1/4 PMKID from FILS/ERP",
2180 sm->pmkid, PMKID_LEN);
2181 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2182 sm->pmkid, PMKID_LEN);
2183 } else {
2184 /* No PMKID available */
2185 wpa_printf(MSG_DEBUG,
2186 "RSN: No FILS/ERP PMKID available for message 1/4");
2187 pmkid = NULL;
2188 }
2189 #endif /* CONFIG_FILS */
2190 #ifdef CONFIG_IEEE80211R_AP
2191 } else if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) &&
2192 sm->ft_completed) {
2193 wpa_printf(MSG_DEBUG,
2194 "FT: No PMKID in message 1/4 when using FT protocol");
2195 pmkid = NULL;
2196 #endif /* CONFIG_IEEE80211R_AP */
2197 #ifdef CONFIG_SAE
2198 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
2199 if (sm->pmkid_set) {
2200 wpa_hexdump(MSG_DEBUG,
2201 "RSN: Message 1/4 PMKID from SAE",
2202 sm->pmkid, PMKID_LEN);
2203 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2204 sm->pmkid, PMKID_LEN);
2205 } else {
2206 /* No PMKID available */
2207 wpa_printf(MSG_DEBUG,
2208 "RSN: No SAE PMKID available for message 1/4");
2209 pmkid = NULL;
2210 }
2211 #endif /* CONFIG_SAE */
2212 } else {
2213 /*
2214 * Calculate PMKID since no PMKSA cache entry was
2215 * available with pre-calculated PMKID.
2216 */
2217 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
2218 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
2219 sm->wpa_key_mgmt);
2220 wpa_hexdump(MSG_DEBUG,
2221 "RSN: Message 1/4 PMKID derived from PMK",
2222 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN);
2223 }
2224 }
2225 if (!pmkid)
2226 pmkid_len = 0;
2227 wpa_send_eapol(sm->wpa_auth, sm,
2228 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2229 sm->ANonce, pmkid, pmkid_len, 0, 0);
2230 }
2231
2232
2233 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
2234 const u8 *pmk, unsigned int pmk_len,
2235 struct wpa_ptk *ptk)
2236 {
2237 const u8 *z = NULL;
2238 size_t z_len = 0;
2239
2240 #ifdef CONFIG_IEEE80211R_AP
2241 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2242 if (sm->ft_completed) {
2243 u8 ptk_name[WPA_PMK_NAME_LEN];
2244
2245 return wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->pmk_r1_len,
2246 sm->SNonce, sm->ANonce,
2247 sm->addr, sm->wpa_auth->addr,
2248 sm->pmk_r1_name,
2249 ptk, ptk_name,
2250 sm->wpa_key_mgmt,
2251 sm->pairwise);
2252 }
2253 return wpa_auth_derive_ptk_ft(sm, ptk);
2254 }
2255 #endif /* CONFIG_IEEE80211R_AP */
2256
2257 #ifdef CONFIG_DPP2
2258 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
2259 z = wpabuf_head(sm->dpp_z);
2260 z_len = wpabuf_len(sm->dpp_z);
2261 }
2262 #endif /* CONFIG_DPP2 */
2263
2264 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
2265 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
2266 ptk, sm->wpa_key_mgmt, sm->pairwise, z, z_len);
2267 }
2268
2269
2270 #ifdef CONFIG_FILS
2271
2272 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
2273 size_t pmk_len, const u8 *snonce, const u8 *anonce,
2274 const u8 *dhss, size_t dhss_len,
2275 struct wpabuf *g_sta, struct wpabuf *g_ap)
2276 {
2277 u8 ick[FILS_ICK_MAX_LEN];
2278 size_t ick_len;
2279 int res;
2280 u8 fils_ft[FILS_FT_MAX_LEN];
2281 size_t fils_ft_len = 0;
2282
2283 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
2284 snonce, anonce, dhss, dhss_len,
2285 &sm->PTK, ick, &ick_len,
2286 sm->wpa_key_mgmt, sm->pairwise,
2287 fils_ft, &fils_ft_len);
2288 if (res < 0)
2289 return res;
2290 sm->PTK_valid = TRUE;
2291 sm->tk_already_set = FALSE;
2292
2293 #ifdef CONFIG_IEEE80211R_AP
2294 if (fils_ft_len) {
2295 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2296 struct wpa_auth_config *conf = &wpa_auth->conf;
2297 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
2298 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
2299 size_t pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
2300
2301 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
2302 conf->ssid, conf->ssid_len,
2303 conf->mobility_domain,
2304 conf->r0_key_holder,
2305 conf->r0_key_holder_len,
2306 sm->addr, pmk_r0, pmk_r0_name,
2307 use_sha384) < 0)
2308 return -1;
2309
2310 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0",
2311 pmk_r0, pmk_r0_len);
2312 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name",
2313 pmk_r0_name, WPA_PMK_NAME_LEN);
2314 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name);
2315 forced_memzero(fils_ft, sizeof(fils_ft));
2316
2317 res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder,
2318 sm->addr, sm->pmk_r1_name,
2319 use_sha384);
2320 forced_memzero(pmk_r0, PMK_LEN_MAX);
2321 if (res < 0)
2322 return -1;
2323 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name,
2324 WPA_PMK_NAME_LEN);
2325 sm->pmk_r1_name_valid = 1;
2326 }
2327 #endif /* CONFIG_IEEE80211R_AP */
2328
2329 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2330 sm->addr, sm->wpa_auth->addr,
2331 g_sta ? wpabuf_head(g_sta) : NULL,
2332 g_sta ? wpabuf_len(g_sta) : 0,
2333 g_ap ? wpabuf_head(g_ap) : NULL,
2334 g_ap ? wpabuf_len(g_ap) : 0,
2335 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2336 sm->fils_key_auth_ap,
2337 &sm->fils_key_auth_len);
2338 forced_memzero(ick, sizeof(ick));
2339
2340 /* Store nonces for (Re)Association Request/Response frame processing */
2341 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2342 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2343
2344 return res;
2345 }
2346
2347
2348 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
2349 u8 *buf, size_t buf_len, u16 *_key_data_len)
2350 {
2351 struct ieee802_1x_hdr *hdr;
2352 struct wpa_eapol_key *key;
2353 u8 *pos;
2354 u16 key_data_len;
2355 u8 *tmp;
2356 const u8 *aad[1];
2357 size_t aad_len[1];
2358
2359 hdr = (struct ieee802_1x_hdr *) buf;
2360 key = (struct wpa_eapol_key *) (hdr + 1);
2361 pos = (u8 *) (key + 1);
2362 key_data_len = WPA_GET_BE16(pos);
2363 if (key_data_len < AES_BLOCK_SIZE ||
2364 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2365 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2366 "No room for AES-SIV data in the frame");
2367 return -1;
2368 }
2369 pos += 2; /* Pointing at the Encrypted Key Data field */
2370
2371 tmp = os_malloc(key_data_len);
2372 if (!tmp)
2373 return -1;
2374
2375 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2376 * to Key Data (exclusive). */
2377 aad[0] = buf;
2378 aad_len[0] = pos - buf;
2379 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2380 1, aad, aad_len, tmp) < 0) {
2381 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2382 "Invalid AES-SIV data in the frame");
2383 bin_clear_free(tmp, key_data_len);
2384 return -1;
2385 }
2386
2387 /* AEAD decryption and validation completed successfully */
2388 key_data_len -= AES_BLOCK_SIZE;
2389 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2390 tmp, key_data_len);
2391
2392 /* Replace Key Data field with the decrypted version */
2393 os_memcpy(pos, tmp, key_data_len);
2394 pos -= 2; /* Key Data Length field */
2395 WPA_PUT_BE16(pos, key_data_len);
2396 bin_clear_free(tmp, key_data_len);
2397 if (_key_data_len)
2398 *_key_data_len = key_data_len;
2399 return 0;
2400 }
2401
2402
2403 const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
2404 const u8 *ies, size_t ies_len,
2405 const u8 *fils_session)
2406 {
2407 const u8 *ie, *end;
2408 const u8 *session = NULL;
2409
2410 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2411 wpa_printf(MSG_DEBUG,
2412 "FILS: Not a FILS AKM - reject association");
2413 return NULL;
2414 }
2415
2416 /* Verify Session element */
2417 ie = ies;
2418 end = ((const u8 *) ie) + ies_len;
2419 while (ie + 1 < end) {
2420 if (ie + 2 + ie[1] > end)
2421 break;
2422 if (ie[0] == WLAN_EID_EXTENSION &&
2423 ie[1] >= 1 + FILS_SESSION_LEN &&
2424 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2425 session = ie;
2426 break;
2427 }
2428 ie += 2 + ie[1];
2429 }
2430
2431 if (!session) {
2432 wpa_printf(MSG_DEBUG,
2433 "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
2434 __func__);
2435 return NULL;
2436 }
2437
2438 if (!fils_session) {
2439 wpa_printf(MSG_DEBUG,
2440 "FILS: %s: Could not find FILS Session element in STA entry - reject",
2441 __func__);
2442 return NULL;
2443 }
2444
2445 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2446 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2447 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2448 fils_session, FILS_SESSION_LEN);
2449 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2450 session + 3, FILS_SESSION_LEN);
2451 return NULL;
2452 }
2453 return session;
2454 }
2455
2456
2457 int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
2458 size_t ies_len)
2459 {
2460 struct ieee802_11_elems elems;
2461
2462 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2463 wpa_printf(MSG_DEBUG,
2464 "FILS: Failed to parse decrypted elements");
2465 return -1;
2466 }
2467
2468 if (!elems.fils_session) {
2469 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
2470 return -1;
2471 }
2472
2473 if (!elems.fils_key_confirm) {
2474 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2475 return -1;
2476 }
2477
2478 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2479 wpa_printf(MSG_DEBUG,
2480 "FILS: Unexpected Key-Auth length %d (expected %d)",
2481 elems.fils_key_confirm_len,
2482 (int) sm->fils_key_auth_len);
2483 return -1;
2484 }
2485
2486 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2487 sm->fils_key_auth_len) != 0) {
2488 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2489 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2490 elems.fils_key_confirm, elems.fils_key_confirm_len);
2491 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2492 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2493 return -1;
2494 }
2495
2496 return 0;
2497 }
2498
2499
2500 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2501 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2502 u8 *pos, size_t left)
2503 {
2504 u16 fc, stype;
2505 const u8 *end, *ie_start, *ie, *session, *crypt;
2506 const u8 *aad[5];
2507 size_t aad_len[5];
2508
2509 if (!sm || !sm->PTK_valid) {
2510 wpa_printf(MSG_DEBUG,
2511 "FILS: No KEK to decrypt Assocication Request frame");
2512 return -1;
2513 }
2514
2515 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2516 wpa_printf(MSG_DEBUG,
2517 "FILS: Not a FILS AKM - reject association");
2518 return -1;
2519 }
2520
2521 end = ((const u8 *) mgmt) + frame_len;
2522 fc = le_to_host16(mgmt->frame_control);
2523 stype = WLAN_FC_GET_STYPE(fc);
2524 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2525 ie_start = mgmt->u.reassoc_req.variable;
2526 else
2527 ie_start = mgmt->u.assoc_req.variable;
2528 ie = ie_start;
2529
2530 /*
2531 * Find FILS Session element which is the last unencrypted element in
2532 * the frame.
2533 */
2534 session = wpa_fils_validate_fils_session(sm, ie, end - ie,
2535 fils_session);
2536 if (!session) {
2537 wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
2538 return -1;
2539 }
2540
2541 crypt = session + 2 + session[1];
2542
2543 if (end - crypt < AES_BLOCK_SIZE) {
2544 wpa_printf(MSG_DEBUG,
2545 "FILS: Too short frame to include AES-SIV data");
2546 return -1;
2547 }
2548
2549 /* AES-SIV AAD vectors */
2550
2551 /* The STA's MAC address */
2552 aad[0] = mgmt->sa;
2553 aad_len[0] = ETH_ALEN;
2554 /* The AP's BSSID */
2555 aad[1] = mgmt->da;
2556 aad_len[1] = ETH_ALEN;
2557 /* The STA's nonce */
2558 aad[2] = sm->SNonce;
2559 aad_len[2] = FILS_NONCE_LEN;
2560 /* The AP's nonce */
2561 aad[3] = sm->ANonce;
2562 aad_len[3] = FILS_NONCE_LEN;
2563 /*
2564 * The (Re)Association Request frame from the Capability Information
2565 * field to the FILS Session element (both inclusive).
2566 */
2567 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
2568 aad_len[4] = crypt - aad[4];
2569
2570 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
2571 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
2572 wpa_printf(MSG_DEBUG,
2573 "FILS: Invalid AES-SIV data in the frame");
2574 return -1;
2575 }
2576 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2577 pos, left - AES_BLOCK_SIZE);
2578
2579 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
2580 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
2581 return -1;
2582 }
2583
2584 return left - AES_BLOCK_SIZE;
2585 }
2586
2587
2588 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
2589 size_t current_len, size_t max_len,
2590 const struct wpabuf *hlp)
2591 {
2592 u8 *end = buf + max_len;
2593 u8 *pos = buf + current_len;
2594 struct ieee80211_mgmt *mgmt;
2595 struct wpabuf *plain;
2596 const u8 *aad[5];
2597 size_t aad_len[5];
2598
2599 if (!sm || !sm->PTK_valid)
2600 return -1;
2601
2602 wpa_hexdump(MSG_DEBUG,
2603 "FILS: Association Response frame before FILS processing",
2604 buf, current_len);
2605
2606 mgmt = (struct ieee80211_mgmt *) buf;
2607
2608 /* AES-SIV AAD vectors */
2609
2610 /* The AP's BSSID */
2611 aad[0] = mgmt->sa;
2612 aad_len[0] = ETH_ALEN;
2613 /* The STA's MAC address */
2614 aad[1] = mgmt->da;
2615 aad_len[1] = ETH_ALEN;
2616 /* The AP's nonce */
2617 aad[2] = sm->ANonce;
2618 aad_len[2] = FILS_NONCE_LEN;
2619 /* The STA's nonce */
2620 aad[3] = sm->SNonce;
2621 aad_len[3] = FILS_NONCE_LEN;
2622 /*
2623 * The (Re)Association Response frame from the Capability Information
2624 * field (the same offset in both Association and Reassociation
2625 * Response frames) to the FILS Session element (both inclusive).
2626 */
2627 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2628 aad_len[4] = pos - aad[4];
2629
2630 /* The following elements will be encrypted with AES-SIV */
2631 plain = fils_prepare_plainbuf(sm, hlp);
2632 if (!plain) {
2633 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2634 return -1;
2635 }
2636
2637 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2638 wpa_printf(MSG_DEBUG,
2639 "FILS: Not enough room for FILS elements");
2640 wpabuf_clear_free(plain);
2641 return -1;
2642 }
2643
2644 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2645 plain);
2646
2647 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2648 wpabuf_head(plain), wpabuf_len(plain),
2649 5, aad, aad_len, pos) < 0) {
2650 wpabuf_clear_free(plain);
2651 return -1;
2652 }
2653
2654 wpa_hexdump(MSG_DEBUG,
2655 "FILS: Encrypted Association Response elements",
2656 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2657 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2658 wpabuf_clear_free(plain);
2659
2660 sm->fils_completed = 1;
2661
2662 return current_len;
2663 }
2664
2665
2666 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
2667 const struct wpabuf *hlp)
2668 {
2669 struct wpabuf *plain;
2670 u8 *len, *tmp, *tmp2;
2671 u8 hdr[2];
2672 u8 *gtk, dummy_gtk[32];
2673 size_t gtk_len;
2674 struct wpa_group *gsm;
2675
2676 plain = wpabuf_alloc(1000);
2677 if (!plain)
2678 return NULL;
2679
2680 /* TODO: FILS Public Key */
2681
2682 /* FILS Key Confirmation */
2683 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2684 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2685 /* Element ID Extension */
2686 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2687 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2688
2689 /* FILS HLP Container */
2690 if (hlp)
2691 wpabuf_put_buf(plain, hlp);
2692
2693 /* TODO: FILS IP Address Assignment */
2694
2695 /* Key Delivery */
2696 gsm = sm->group;
2697 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2698 len = wpabuf_put(plain, 1);
2699 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2700 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2701 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2702 /* GTK KDE */
2703 gtk = gsm->GTK[gsm->GN - 1];
2704 gtk_len = gsm->GTK_len;
2705 if (sm->wpa_auth->conf.disable_gtk ||
2706 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
2707 /*
2708 * Provide unique random GTK to each STA to prevent use
2709 * of GTK in the BSS.
2710 */
2711 if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
2712 wpabuf_clear_free(plain);
2713 return NULL;
2714 }
2715 gtk = dummy_gtk;
2716 }
2717 hdr[0] = gsm->GN & 0x03;
2718 hdr[1] = 0;
2719 tmp = wpabuf_put(plain, 0);
2720 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2721 gtk, gtk_len);
2722 wpabuf_put(plain, tmp2 - tmp);
2723
2724 /* IGTK KDE */
2725 tmp = wpabuf_put(plain, 0);
2726 tmp2 = ieee80211w_kde_add(sm, tmp);
2727 wpabuf_put(plain, tmp2 - tmp);
2728
2729 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
2730
2731 #ifdef CONFIG_OCV
2732 if (wpa_auth_uses_ocv(sm)) {
2733 struct wpa_channel_info ci;
2734 u8 *pos;
2735
2736 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
2737 wpa_printf(MSG_WARNING,
2738 "FILS: Failed to get channel info for OCI element");
2739 wpabuf_clear_free(plain);
2740 return NULL;
2741 }
2742
2743 pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN);
2744 if (ocv_insert_extended_oci(&ci, pos) < 0) {
2745 wpabuf_clear_free(plain);
2746 return NULL;
2747 }
2748 }
2749 #endif /* CONFIG_OCV */
2750
2751 return plain;
2752 }
2753
2754
2755 int fils_set_tk(struct wpa_state_machine *sm)
2756 {
2757 enum wpa_alg alg;
2758 int klen;
2759
2760 if (!sm || !sm->PTK_valid) {
2761 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK");
2762 return -1;
2763 }
2764 if (sm->tk_already_set) {
2765 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver");
2766 return -1;
2767 }
2768
2769 alg = wpa_cipher_to_alg(sm->pairwise);
2770 klen = wpa_cipher_key_len(sm->pairwise);
2771
2772 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
2773 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2774 sm->PTK.tk, klen)) {
2775 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
2776 return -1;
2777 }
2778 sm->tk_already_set = TRUE;
2779
2780 return 0;
2781 }
2782
2783
2784 u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
2785 const u8 *fils_session, struct wpabuf *hlp)
2786 {
2787 struct wpabuf *plain;
2788 u8 *pos = buf;
2789
2790 /* FILS Session */
2791 *pos++ = WLAN_EID_EXTENSION; /* Element ID */
2792 *pos++ = 1 + FILS_SESSION_LEN; /* Length */
2793 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
2794 os_memcpy(pos, fils_session, FILS_SESSION_LEN);
2795 pos += FILS_SESSION_LEN;
2796
2797 plain = fils_prepare_plainbuf(sm, hlp);
2798 if (!plain) {
2799 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2800 return NULL;
2801 }
2802
2803 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
2804 pos += wpabuf_len(plain);
2805
2806 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__,
2807 (unsigned int) wpabuf_len(plain));
2808 wpabuf_clear_free(plain);
2809 sm->fils_completed = 1;
2810 return pos;
2811 }
2812
2813 #endif /* CONFIG_FILS */
2814
2815
2816 #ifdef CONFIG_OCV
2817 int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth,
2818 int ap_seg1_idx, int *bandwidth, int *seg1_idx)
2819 {
2820 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2821
2822 if (!wpa_auth->cb->get_sta_tx_params)
2823 return -1;
2824 return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr,
2825 ap_max_chanwidth, ap_seg1_idx,
2826 bandwidth, seg1_idx);
2827 }
2828 #endif /* CONFIG_OCV */
2829
2830
2831 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2832 {
2833 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2834 struct wpa_ptk PTK;
2835 int ok = 0, psk_found = 0;
2836 const u8 *pmk = NULL;
2837 size_t pmk_len;
2838 int ft;
2839 const u8 *eapol_key_ie, *key_data, *mic;
2840 u16 key_data_length;
2841 size_t mic_len, eapol_key_ie_len;
2842 struct ieee802_1x_hdr *hdr;
2843 struct wpa_eapol_key *key;
2844 struct wpa_eapol_ie_parse kde;
2845 int vlan_id = 0;
2846
2847 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2848 sm->EAPOLKeyReceived = FALSE;
2849 sm->update_snonce = FALSE;
2850 os_memset(&PTK, 0, sizeof(PTK));
2851
2852 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
2853
2854 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2855 * WPA-PSK: iterate through possible PSKs and select the one matching
2856 * the packet */
2857 for (;;) {
2858 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
2859 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
2860 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
2861 sm->p2p_dev_addr, pmk, &pmk_len,
2862 &vlan_id);
2863 if (pmk == NULL)
2864 break;
2865 psk_found = 1;
2866 #ifdef CONFIG_IEEE80211R_AP
2867 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
2868 os_memcpy(sm->xxkey, pmk, pmk_len);
2869 sm->xxkey_len = pmk_len;
2870 }
2871 #endif /* CONFIG_IEEE80211R_AP */
2872 } else {
2873 pmk = sm->PMK;
2874 pmk_len = sm->pmk_len;
2875 }
2876
2877 if ((!pmk || !pmk_len) && sm->pmksa) {
2878 wpa_printf(MSG_DEBUG, "WPA: Use PMK from PMKSA cache");
2879 pmk = sm->pmksa->pmk;
2880 pmk_len = sm->pmksa->pmk_len;
2881 }
2882
2883 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0)
2884 break;
2885
2886 if (mic_len &&
2887 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
2888 sm->last_rx_eapol_key,
2889 sm->last_rx_eapol_key_len) == 0) {
2890 if (sm->PMK != pmk) {
2891 os_memcpy(sm->PMK, pmk, pmk_len);
2892 sm->pmk_len = pmk_len;
2893 }
2894 ok = 1;
2895 break;
2896 }
2897
2898 #ifdef CONFIG_FILS
2899 if (!mic_len &&
2900 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2901 sm->last_rx_eapol_key_len, NULL) == 0) {
2902 ok = 1;
2903 break;
2904 }
2905 #endif /* CONFIG_FILS */
2906
2907 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
2908 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
2909 break;
2910 }
2911
2912 if (!ok) {
2913 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2914 "invalid MIC in msg 2/4 of 4-Way Handshake");
2915 if (psk_found)
2916 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
2917 return;
2918 }
2919
2920 /*
2921 * Note: last_rx_eapol_key length fields have already been validated in
2922 * wpa_receive().
2923 */
2924 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2925 key = (struct wpa_eapol_key *) (hdr + 1);
2926 mic = (u8 *) (key + 1);
2927 key_data = mic + mic_len + 2;
2928 key_data_length = WPA_GET_BE16(mic + mic_len);
2929 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2930 sizeof(*key) - mic_len - 2)
2931 return;
2932
2933 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2934 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2935 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2936 return;
2937 }
2938 if (kde.rsn_ie) {
2939 eapol_key_ie = kde.rsn_ie;
2940 eapol_key_ie_len = kde.rsn_ie_len;
2941 } else if (kde.osen) {
2942 eapol_key_ie = kde.osen;
2943 eapol_key_ie_len = kde.osen_len;
2944 } else {
2945 eapol_key_ie = kde.wpa_ie;
2946 eapol_key_ie_len = kde.wpa_ie_len;
2947 }
2948 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2949 if (sm->wpa_ie == NULL ||
2950 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2951 eapol_key_ie, eapol_key_ie_len)) {
2952 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2953 "WPA IE from (Re)AssocReq did not match with msg 2/4");
2954 if (sm->wpa_ie) {
2955 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2956 sm->wpa_ie, sm->wpa_ie_len);
2957 }
2958 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2959 eapol_key_ie, eapol_key_ie_len);
2960 /* MLME-DEAUTHENTICATE.request */
2961 wpa_sta_disconnect(wpa_auth, sm->addr,
2962 WLAN_REASON_PREV_AUTH_NOT_VALID);
2963 return;
2964 }
2965 if ((!sm->rsnxe && kde.rsnxe) ||
2966 (sm->rsnxe && !kde.rsnxe) ||
2967 (sm->rsnxe && kde.rsnxe &&
2968 (sm->rsnxe_len != kde.rsnxe_len ||
2969 os_memcmp(sm->rsnxe, kde.rsnxe, sm->rsnxe_len) != 0))) {
2970 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2971 "RSNXE from (Re)AssocReq did not match the one in EAPOL-Key msg 2/4");
2972 wpa_hexdump(MSG_DEBUG, "RSNXE in AssocReq",
2973 sm->rsnxe, sm->rsnxe_len);
2974 wpa_hexdump(MSG_DEBUG, "RSNXE in EAPOL-Key msg 2/4",
2975 kde.rsnxe, kde.rsnxe_len);
2976 /* MLME-DEAUTHENTICATE.request */
2977 wpa_sta_disconnect(wpa_auth, sm->addr,
2978 WLAN_REASON_PREV_AUTH_NOT_VALID);
2979 return;
2980 }
2981 #ifdef CONFIG_OCV
2982 if (wpa_auth_uses_ocv(sm)) {
2983 struct wpa_channel_info ci;
2984 int tx_chanwidth;
2985 int tx_seg1_idx;
2986
2987 if (wpa_channel_info(wpa_auth, &ci) != 0) {
2988 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2989 "Failed to get channel info to validate received OCI in EAPOL-Key 2/4");
2990 return;
2991 }
2992
2993 if (get_sta_tx_parameters(sm,
2994 channel_width_to_int(ci.chanwidth),
2995 ci.seg1_idx, &tx_chanwidth,
2996 &tx_seg1_idx) < 0)
2997 return;
2998
2999 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
3000 tx_chanwidth, tx_seg1_idx) != 0) {
3001 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3002 ocv_errorstr);
3003 return;
3004 }
3005 }
3006 #endif /* CONFIG_OCV */
3007 #ifdef CONFIG_IEEE80211R_AP
3008 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
3009 wpa_sta_disconnect(wpa_auth, sm->addr,
3010 WLAN_REASON_PREV_AUTH_NOT_VALID);
3011 return;
3012 }
3013 #endif /* CONFIG_IEEE80211R_AP */
3014 #ifdef CONFIG_P2P
3015 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
3016 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
3017 int idx;
3018 wpa_printf(MSG_DEBUG,
3019 "P2P: IP address requested in EAPOL-Key exchange");
3020 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
3021 if (idx >= 0) {
3022 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
3023 bitfield_set(wpa_auth->ip_pool, idx);
3024 WPA_PUT_BE32(sm->ip_addr, start + idx);
3025 wpa_printf(MSG_DEBUG,
3026 "P2P: Assigned IP address %u.%u.%u.%u to "
3027 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
3028 sm->ip_addr[2], sm->ip_addr[3],
3029 MAC2STR(sm->addr));
3030 }
3031 }
3032 #endif /* CONFIG_P2P */
3033
3034 #ifdef CONFIG_IEEE80211R_AP
3035 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3036 /*
3037 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
3038 * with the value we derived.
3039 */
3040 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
3041 WPA_PMK_NAME_LEN) != 0) {
3042 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3043 "PMKR1Name mismatch in FT 4-way "
3044 "handshake");
3045 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
3046 "Supplicant",
3047 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
3048 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
3049 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
3050 return;
3051 }
3052 }
3053 #endif /* CONFIG_IEEE80211R_AP */
3054
3055 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
3056 wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) {
3057 wpa_sta_disconnect(wpa_auth, sm->addr,
3058 WLAN_REASON_PREV_AUTH_NOT_VALID);
3059 return;
3060 }
3061
3062 sm->pending_1_of_4_timeout = 0;
3063 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
3064
3065 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
3066 /* PSK may have changed from the previous choice, so update
3067 * state machine data based on whatever PSK was selected here.
3068 */
3069 os_memcpy(sm->PMK, pmk, PMK_LEN);
3070 sm->pmk_len = PMK_LEN;
3071 }
3072
3073 sm->MICVerified = TRUE;
3074
3075 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
3076 forced_memzero(&PTK, sizeof(PTK));
3077 sm->PTK_valid = TRUE;
3078 }
3079
3080
3081 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
3082 {
3083 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
3084 sm->TimeoutCtr = 0;
3085 }
3086
3087
3088 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
3089 {
3090 if (sm->mgmt_frame_prot) {
3091 size_t len;
3092 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
3093 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
3094 }
3095
3096 return 0;
3097 }
3098
3099
3100 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
3101 {
3102 struct wpa_igtk_kde igtk;
3103 struct wpa_group *gsm = sm->group;
3104 u8 rsc[WPA_KEY_RSC_LEN];
3105 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
3106
3107 if (!sm->mgmt_frame_prot)
3108 return pos;
3109
3110 igtk.keyid[0] = gsm->GN_igtk;
3111 igtk.keyid[1] = 0;
3112 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
3113 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
3114 os_memset(igtk.pn, 0, sizeof(igtk.pn));
3115 else
3116 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
3117 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
3118 if (sm->wpa_auth->conf.disable_gtk ||
3119 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3120 /*
3121 * Provide unique random IGTK to each STA to prevent use of
3122 * IGTK in the BSS.
3123 */
3124 if (random_get_bytes(igtk.igtk, len) < 0)
3125 return pos;
3126 }
3127 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
3128 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
3129 NULL, 0);
3130
3131 return pos;
3132 }
3133
3134
3135 static int ocv_oci_len(struct wpa_state_machine *sm)
3136 {
3137 #ifdef CONFIG_OCV
3138 if (wpa_auth_uses_ocv(sm))
3139 return OCV_OCI_KDE_LEN;
3140 #endif /* CONFIG_OCV */
3141 return 0;
3142 }
3143
3144 static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos)
3145 {
3146 #ifdef CONFIG_OCV
3147 struct wpa_channel_info ci;
3148
3149 if (!wpa_auth_uses_ocv(sm))
3150 return 0;
3151
3152 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
3153 wpa_printf(MSG_WARNING,
3154 "Failed to get channel info for OCI element");
3155 return -1;
3156 }
3157
3158 return ocv_insert_oci_kde(&ci, argpos);
3159 #else /* CONFIG_OCV */
3160 return 0;
3161 #endif /* CONFIG_OCV */
3162 }
3163
3164
3165 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
3166 {
3167 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde = NULL, *pos, dummy_gtk[32];
3168 size_t gtk_len, kde_len;
3169 struct wpa_group *gsm = sm->group;
3170 u8 *wpa_ie;
3171 int wpa_ie_len, secure, gtkidx, encr = 0;
3172 u8 *wpa_ie_buf = NULL;
3173
3174 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
3175 sm->TimeoutEvt = FALSE;
3176
3177 sm->TimeoutCtr++;
3178 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3179 sm->TimeoutCtr > 1) {
3180 /* Do not allow retransmission of EAPOL-Key msg 3/4 */
3181 return;
3182 }
3183 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
3184 /* No point in sending the EAPOL-Key - we will disconnect
3185 * immediately following this. */
3186 return;
3187 }
3188
3189 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
3190 GTK[GN], IGTK, [FTIE], [TIE * 2])
3191 */
3192 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3193 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3194 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
3195 wpa_ie = sm->wpa_auth->wpa_ie;
3196 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
3197 if (sm->wpa == WPA_VERSION_WPA &&
3198 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
3199 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
3200 /* WPA-only STA, remove RSN IE and possible MDIE */
3201 wpa_ie = wpa_ie + wpa_ie[1] + 2;
3202 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
3203 wpa_ie = wpa_ie + wpa_ie[1] + 2;
3204 wpa_ie_len = wpa_ie[1] + 2;
3205 }
3206 #ifdef CONFIG_TESTING_OPTIONS
3207 if (sm->wpa_auth->conf.rsnxe_override_eapol_len) {
3208 u8 *obuf = sm->wpa_auth->conf.rsnxe_override_eapol;
3209 size_t olen = sm->wpa_auth->conf.rsnxe_override_eapol_len;
3210 const u8 *rsnxe;
3211
3212 wpa_hexdump(MSG_DEBUG,
3213 "TESTING: wpa_ie before RSNXE EAPOL override",
3214 wpa_ie, wpa_ie_len);
3215 wpa_ie_buf = os_malloc(wpa_ie_len + olen);
3216 if (!wpa_ie_buf)
3217 return;
3218 os_memcpy(wpa_ie_buf, wpa_ie, wpa_ie_len);
3219 wpa_ie = wpa_ie_buf;
3220 rsnxe = get_ie(wpa_ie, wpa_ie_len, WLAN_EID_RSNX);
3221 if (rsnxe) {
3222 u8 rsnxe_len = 2 + rsnxe[1];
3223
3224 os_memmove((void *) rsnxe, rsnxe + rsnxe_len,
3225 wpa_ie_len - (rsnxe - wpa_ie) - rsnxe_len);
3226 wpa_ie_len -= rsnxe_len;
3227 }
3228 os_memcpy(wpa_ie + wpa_ie_len, obuf, olen);
3229 wpa_ie_len += olen;
3230 wpa_hexdump(MSG_DEBUG,
3231 "TESTING: wpa_ie after RSNXE EAPOL override",
3232 wpa_ie, wpa_ie_len);
3233 }
3234 #endif /* CONFIG_TESTING_OPTIONS */
3235 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3236 "sending 3/4 msg of 4-Way Handshake");
3237 if (sm->wpa == WPA_VERSION_WPA2) {
3238 /* WPA2 send GTK in the 4-way handshake */
3239 secure = 1;
3240 gtk = gsm->GTK[gsm->GN - 1];
3241 gtk_len = gsm->GTK_len;
3242 if (sm->wpa_auth->conf.disable_gtk ||
3243 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3244 /*
3245 * Provide unique random GTK to each STA to prevent use
3246 * of GTK in the BSS.
3247 */
3248 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
3249 goto done;
3250 gtk = dummy_gtk;
3251 }
3252 gtkidx = gsm->GN;
3253 _rsc = rsc;
3254 encr = 1;
3255 } else {
3256 /* WPA does not include GTK in msg 3/4 */
3257 secure = 0;
3258 gtk = NULL;
3259 gtk_len = 0;
3260 _rsc = NULL;
3261 if (sm->rx_eapol_key_secure) {
3262 /*
3263 * It looks like Windows 7 supplicant tries to use
3264 * Secure bit in msg 2/4 after having reported Michael
3265 * MIC failure and it then rejects the 4-way handshake
3266 * if msg 3/4 does not set Secure bit. Work around this
3267 * by setting the Secure bit here even in the case of
3268 * WPA if the supplicant used it first.
3269 */
3270 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3271 "STA used Secure bit in WPA msg 2/4 - "
3272 "set Secure for 3/4 as workaround");
3273 secure = 1;
3274 }
3275 }
3276
3277 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
3278 if (gtk)
3279 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
3280 #ifdef CONFIG_IEEE80211R_AP
3281 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3282 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
3283 kde_len += 300; /* FTIE + 2 * TIE */
3284 }
3285 #endif /* CONFIG_IEEE80211R_AP */
3286 #ifdef CONFIG_P2P
3287 if (WPA_GET_BE32(sm->ip_addr) > 0)
3288 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
3289 #endif /* CONFIG_P2P */
3290 kde = os_malloc(kde_len);
3291 if (kde == NULL)
3292 goto done;
3293
3294 pos = kde;
3295 os_memcpy(pos, wpa_ie, wpa_ie_len);
3296 pos += wpa_ie_len;
3297 #ifdef CONFIG_IEEE80211R_AP
3298 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3299 int res;
3300 size_t elen;
3301
3302 elen = pos - kde;
3303 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
3304 if (res < 0) {
3305 wpa_printf(MSG_ERROR, "FT: Failed to insert "
3306 "PMKR1Name into RSN IE in EAPOL-Key data");
3307 goto done;
3308 }
3309 pos -= wpa_ie_len;
3310 pos += elen;
3311 }
3312 #endif /* CONFIG_IEEE80211R_AP */
3313 if (gtk) {
3314 u8 hdr[2];
3315 hdr[0] = gtkidx & 0x03;
3316 hdr[1] = 0;
3317 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3318 gtk, gtk_len);
3319 }
3320 pos = ieee80211w_kde_add(sm, pos);
3321 if (ocv_oci_add(sm, &pos) < 0)
3322 goto done;
3323
3324 #ifdef CONFIG_IEEE80211R_AP
3325 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3326 int res;
3327 struct wpa_auth_config *conf;
3328
3329 conf = &sm->wpa_auth->conf;
3330 if (sm->assoc_resp_ftie &&
3331 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
3332 os_memcpy(pos, sm->assoc_resp_ftie,
3333 2 + sm->assoc_resp_ftie[1]);
3334 res = 2 + sm->assoc_resp_ftie[1];
3335 } else {
3336 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
3337
3338 res = wpa_write_ftie(conf, use_sha384,
3339 conf->r0_key_holder,
3340 conf->r0_key_holder_len,
3341 NULL, NULL, pos,
3342 kde + kde_len - pos,
3343 NULL, 0);
3344 }
3345 if (res < 0) {
3346 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
3347 "into EAPOL-Key Key Data");
3348 goto done;
3349 }
3350 pos += res;
3351
3352 /* TIE[ReassociationDeadline] (TU) */
3353 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3354 *pos++ = 5;
3355 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
3356 WPA_PUT_LE32(pos, conf->reassociation_deadline);
3357 pos += 4;
3358
3359 /* TIE[KeyLifetime] (seconds) */
3360 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3361 *pos++ = 5;
3362 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
3363 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
3364 pos += 4;
3365 }
3366 #endif /* CONFIG_IEEE80211R_AP */
3367 #ifdef CONFIG_P2P
3368 if (WPA_GET_BE32(sm->ip_addr) > 0) {
3369 u8 addr[3 * 4];
3370 os_memcpy(addr, sm->ip_addr, 4);
3371 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
3372 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
3373 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
3374 addr, sizeof(addr), NULL, 0);
3375 }
3376 #endif /* CONFIG_P2P */
3377
3378 wpa_send_eapol(sm->wpa_auth, sm,
3379 (secure ? WPA_KEY_INFO_SECURE : 0) |
3380 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3381 WPA_KEY_INFO_MIC : 0) |
3382 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
3383 WPA_KEY_INFO_KEY_TYPE,
3384 _rsc, sm->ANonce, kde, pos - kde, 0, encr);
3385 done:
3386 os_free(kde);
3387 os_free(wpa_ie_buf);
3388 }
3389
3390
3391 SM_STATE(WPA_PTK, PTKINITDONE)
3392 {
3393 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
3394 sm->EAPOLKeyReceived = FALSE;
3395 if (sm->Pair) {
3396 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
3397 int klen = wpa_cipher_key_len(sm->pairwise);
3398 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
3399 sm->PTK.tk, klen)) {
3400 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3401 WLAN_REASON_PREV_AUTH_NOT_VALID);
3402 return;
3403 }
3404 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
3405 sm->pairwise_set = TRUE;
3406
3407 wpa_auth_set_ptk_rekey_timer(sm);
3408
3409 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3410 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
3411 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
3412 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3413 WPA_EAPOL_authorized, 1);
3414 }
3415 }
3416
3417 if (0 /* IBSS == TRUE */) {
3418 sm->keycount++;
3419 if (sm->keycount == 2) {
3420 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3421 WPA_EAPOL_portValid, 1);
3422 }
3423 } else {
3424 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
3425 1);
3426 }
3427 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
3428 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
3429 if (sm->wpa == WPA_VERSION_WPA)
3430 sm->PInitAKeys = TRUE;
3431 else
3432 sm->has_GTK = TRUE;
3433 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3434 "pairwise key handshake completed (%s)",
3435 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3436
3437 #ifdef CONFIG_IEEE80211R_AP
3438 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
3439 #endif /* CONFIG_IEEE80211R_AP */
3440 }
3441
3442
3443 SM_STEP(WPA_PTK)
3444 {
3445 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3446
3447 if (sm->Init)
3448 SM_ENTER(WPA_PTK, INITIALIZE);
3449 else if (sm->Disconnect
3450 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
3451 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
3452 "WPA_PTK: sm->Disconnect");
3453 SM_ENTER(WPA_PTK, DISCONNECT);
3454 }
3455 else if (sm->DeauthenticationRequest)
3456 SM_ENTER(WPA_PTK, DISCONNECTED);
3457 else if (sm->AuthenticationRequest)
3458 SM_ENTER(WPA_PTK, AUTHENTICATION);
3459 else if (sm->ReAuthenticationRequest)
3460 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3461 else if (sm->PTKRequest) {
3462 if (wpa_auth_sm_ptk_update(sm) < 0)
3463 SM_ENTER(WPA_PTK, DISCONNECTED);
3464 else
3465 SM_ENTER(WPA_PTK, PTKSTART);
3466 } else switch (sm->wpa_ptk_state) {
3467 case WPA_PTK_INITIALIZE:
3468 break;
3469 case WPA_PTK_DISCONNECT:
3470 SM_ENTER(WPA_PTK, DISCONNECTED);
3471 break;
3472 case WPA_PTK_DISCONNECTED:
3473 SM_ENTER(WPA_PTK, INITIALIZE);
3474 break;
3475 case WPA_PTK_AUTHENTICATION:
3476 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3477 break;
3478 case WPA_PTK_AUTHENTICATION2:
3479 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
3480 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
3481 WPA_EAPOL_keyRun) > 0)
3482 SM_ENTER(WPA_PTK, INITPMK);
3483 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3484 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
3485 /* FIX: && 802.1X::keyRun */)
3486 SM_ENTER(WPA_PTK, INITPSK);
3487 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
3488 SM_ENTER(WPA_PTK, INITPMK);
3489 break;
3490 case WPA_PTK_INITPMK:
3491 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
3492 WPA_EAPOL_keyAvailable) > 0) {
3493 SM_ENTER(WPA_PTK, PTKSTART);
3494 #ifdef CONFIG_DPP
3495 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) {
3496 SM_ENTER(WPA_PTK, PTKSTART);
3497 #endif /* CONFIG_DPP */
3498 } else {
3499 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3500 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3501 "INITPMK - keyAvailable = false");
3502 SM_ENTER(WPA_PTK, DISCONNECT);
3503 }
3504 break;
3505 case WPA_PTK_INITPSK:
3506 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
3507 NULL, NULL, NULL)) {
3508 SM_ENTER(WPA_PTK, PTKSTART);
3509 #ifdef CONFIG_SAE
3510 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) {
3511 SM_ENTER(WPA_PTK, PTKSTART);
3512 #endif /* CONFIG_SAE */
3513 } else {
3514 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3515 "no PSK configured for the STA");
3516 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3517 SM_ENTER(WPA_PTK, DISCONNECT);
3518 }
3519 break;
3520 case WPA_PTK_PTKSTART:
3521 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3522 sm->EAPOLKeyPairwise)
3523 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3524 else if (sm->TimeoutCtr >
3525 sm->wpa_auth->conf.wpa_pairwise_update_count) {
3526 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3527 wpa_auth_vlogger(
3528 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3529 "PTKSTART: Retry limit %u reached",
3530 sm->wpa_auth->conf.wpa_pairwise_update_count);
3531 SM_ENTER(WPA_PTK, DISCONNECT);
3532 } else if (sm->TimeoutEvt)
3533 SM_ENTER(WPA_PTK, PTKSTART);
3534 break;
3535 case WPA_PTK_PTKCALCNEGOTIATING:
3536 if (sm->MICVerified)
3537 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
3538 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3539 sm->EAPOLKeyPairwise)
3540 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3541 else if (sm->TimeoutEvt)
3542 SM_ENTER(WPA_PTK, PTKSTART);
3543 break;
3544 case WPA_PTK_PTKCALCNEGOTIATING2:
3545 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3546 break;
3547 case WPA_PTK_PTKINITNEGOTIATING:
3548 if (sm->update_snonce)
3549 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3550 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3551 sm->EAPOLKeyPairwise && sm->MICVerified)
3552 SM_ENTER(WPA_PTK, PTKINITDONE);
3553 else if (sm->TimeoutCtr >
3554 sm->wpa_auth->conf.wpa_pairwise_update_count ||
3555 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3556 sm->TimeoutCtr > 1)) {
3557 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3558 wpa_auth_vlogger(
3559 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3560 "PTKINITNEGOTIATING: Retry limit %u reached",
3561 sm->wpa_auth->conf.wpa_pairwise_update_count);
3562 SM_ENTER(WPA_PTK, DISCONNECT);
3563 } else if (sm->TimeoutEvt)
3564 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3565 break;
3566 case WPA_PTK_PTKINITDONE:
3567 break;
3568 }
3569 }
3570
3571
3572 SM_STATE(WPA_PTK_GROUP, IDLE)
3573 {
3574 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
3575 if (sm->Init) {
3576 /* Init flag is not cleared here, so avoid busy
3577 * loop by claiming nothing changed. */
3578 sm->changed = FALSE;
3579 }
3580 sm->GTimeoutCtr = 0;
3581 }
3582
3583
3584 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3585 {
3586 u8 rsc[WPA_KEY_RSC_LEN];
3587 struct wpa_group *gsm = sm->group;
3588 const u8 *kde;
3589 u8 *kde_buf = NULL, *pos, hdr[2];
3590 size_t kde_len;
3591 u8 *gtk, dummy_gtk[32];
3592
3593 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
3594
3595 sm->GTimeoutCtr++;
3596 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3597 sm->GTimeoutCtr > 1) {
3598 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */
3599 return;
3600 }
3601 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
3602 /* No point in sending the EAPOL-Key - we will disconnect
3603 * immediately following this. */
3604 return;
3605 }
3606
3607 if (sm->wpa == WPA_VERSION_WPA)
3608 sm->PInitAKeys = FALSE;
3609 sm->TimeoutEvt = FALSE;
3610 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3611 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3612 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3613 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3614 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3615 "sending 1/2 msg of Group Key Handshake");
3616
3617 gtk = gsm->GTK[gsm->GN - 1];
3618 if (sm->wpa_auth->conf.disable_gtk ||
3619 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3620 /*
3621 * Provide unique random GTK to each STA to prevent use
3622 * of GTK in the BSS.
3623 */
3624 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
3625 return;
3626 gtk = dummy_gtk;
3627 }
3628 if (sm->wpa == WPA_VERSION_WPA2) {
3629 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
3630 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
3631 kde_buf = os_malloc(kde_len);
3632 if (kde_buf == NULL)
3633 return;
3634
3635 kde = pos = kde_buf;
3636 hdr[0] = gsm->GN & 0x03;
3637 hdr[1] = 0;
3638 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3639 gtk, gsm->GTK_len);
3640 pos = ieee80211w_kde_add(sm, pos);
3641 if (ocv_oci_add(sm, &pos) < 0) {
3642 os_free(kde_buf);
3643 return;
3644 }
3645 kde_len = pos - kde;
3646 } else {
3647 kde = gtk;
3648 kde_len = gsm->GTK_len;
3649 }
3650
3651 wpa_send_eapol(sm->wpa_auth, sm,
3652 WPA_KEY_INFO_SECURE |
3653 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3654 WPA_KEY_INFO_MIC : 0) |
3655 WPA_KEY_INFO_ACK |
3656 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
3657 rsc, NULL, kde, kde_len, gsm->GN, 1);
3658
3659 os_free(kde_buf);
3660 }
3661
3662
3663 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3664 {
3665 #ifdef CONFIG_OCV
3666 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3667 const u8 *key_data, *mic;
3668 struct ieee802_1x_hdr *hdr;
3669 struct wpa_eapol_key *key;
3670 struct wpa_eapol_ie_parse kde;
3671 size_t mic_len;
3672 u16 key_data_length;
3673 #endif /* CONFIG_OCV */
3674
3675 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3676 sm->EAPOLKeyReceived = FALSE;
3677
3678 #ifdef CONFIG_OCV
3679 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3680
3681 /*
3682 * Note: last_rx_eapol_key length fields have already been validated in
3683 * wpa_receive().
3684 */
3685 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
3686 key = (struct wpa_eapol_key *) (hdr + 1);
3687 mic = (u8 *) (key + 1);
3688 key_data = mic + mic_len + 2;
3689 key_data_length = WPA_GET_BE16(mic + mic_len);
3690 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
3691 sizeof(*key) - mic_len - 2)
3692 return;
3693
3694 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
3695 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
3696 "received EAPOL-Key group msg 2/2 with invalid Key Data contents");
3697 return;
3698 }
3699
3700 if (wpa_auth_uses_ocv(sm)) {
3701 struct wpa_channel_info ci;
3702 int tx_chanwidth;
3703 int tx_seg1_idx;
3704
3705 if (wpa_channel_info(wpa_auth, &ci) != 0) {
3706 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3707 "Failed to get channel info to validate received OCI in EAPOL-Key group 1/2");
3708 return;
3709 }
3710
3711 if (get_sta_tx_parameters(sm,
3712 channel_width_to_int(ci.chanwidth),
3713 ci.seg1_idx, &tx_chanwidth,
3714 &tx_seg1_idx) < 0)
3715 return;
3716
3717 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
3718 tx_chanwidth, tx_seg1_idx) != 0) {
3719 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3720 ocv_errorstr);
3721 return;
3722 }
3723 }
3724 #endif /* CONFIG_OCV */
3725
3726 if (sm->GUpdateStationKeys)
3727 sm->group->GKeyDoneStations--;
3728 sm->GUpdateStationKeys = FALSE;
3729 sm->GTimeoutCtr = 0;
3730 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
3731 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3732 "group key handshake completed (%s)",
3733 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3734 sm->has_GTK = TRUE;
3735 }
3736
3737
3738 SM_STATE(WPA_PTK_GROUP, KEYERROR)
3739 {
3740 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
3741 if (sm->GUpdateStationKeys)
3742 sm->group->GKeyDoneStations--;
3743 sm->GUpdateStationKeys = FALSE;
3744 sm->Disconnect = TRUE;
3745 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3746 "group key handshake failed (%s) after %u tries",
3747 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
3748 sm->wpa_auth->conf.wpa_group_update_count);
3749 }
3750
3751
3752 SM_STEP(WPA_PTK_GROUP)
3753 {
3754 if (sm->Init || sm->PtkGroupInit) {
3755 SM_ENTER(WPA_PTK_GROUP, IDLE);
3756 sm->PtkGroupInit = FALSE;
3757 } else switch (sm->wpa_ptk_group_state) {
3758 case WPA_PTK_GROUP_IDLE:
3759 if (sm->GUpdateStationKeys ||
3760 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
3761 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3762 break;
3763 case WPA_PTK_GROUP_REKEYNEGOTIATING:
3764 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3765 !sm->EAPOLKeyPairwise && sm->MICVerified)
3766 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
3767 else if (sm->GTimeoutCtr >
3768 sm->wpa_auth->conf.wpa_group_update_count ||
3769 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3770 sm->GTimeoutCtr > 1))
3771 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
3772 else if (sm->TimeoutEvt)
3773 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3774 break;
3775 case WPA_PTK_GROUP_KEYERROR:
3776 SM_ENTER(WPA_PTK_GROUP, IDLE);
3777 break;
3778 case WPA_PTK_GROUP_REKEYESTABLISHED:
3779 SM_ENTER(WPA_PTK_GROUP, IDLE);
3780 break;
3781 }
3782 }
3783
3784
3785 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
3786 struct wpa_group *group)
3787 {
3788 int ret = 0;
3789
3790 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3791 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3792 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
3793 wpa_auth->addr, group->GNonce,
3794 group->GTK[group->GN - 1], group->GTK_len) < 0)
3795 ret = -1;
3796 wpa_hexdump_key(MSG_DEBUG, "GTK",
3797 group->GTK[group->GN - 1], group->GTK_len);
3798
3799 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3800 size_t len;
3801 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3802 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3803 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3804 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
3805 wpa_auth->addr, group->GNonce,
3806 group->IGTK[group->GN_igtk - 4], len) < 0)
3807 ret = -1;
3808 wpa_hexdump_key(MSG_DEBUG, "IGTK",
3809 group->IGTK[group->GN_igtk - 4], len);
3810 }
3811
3812 return ret;
3813 }
3814
3815
3816 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
3817 struct wpa_group *group)
3818 {
3819 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3820 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
3821 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
3822 group->wpa_group_state = WPA_GROUP_GTK_INIT;
3823
3824 /* GTK[0..N] = 0 */
3825 os_memset(group->GTK, 0, sizeof(group->GTK));
3826 group->GN = 1;
3827 group->GM = 2;
3828 group->GN_igtk = 4;
3829 group->GM_igtk = 5;
3830 /* GTK[GN] = CalcGTK() */
3831 wpa_gtk_update(wpa_auth, group);
3832 }
3833
3834
3835 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
3836 {
3837 if (ctx != NULL && ctx != sm->group)
3838 return 0;
3839
3840 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
3841 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3842 "Not in PTKINITDONE; skip Group Key update");
3843 sm->GUpdateStationKeys = FALSE;
3844 return 0;
3845 }
3846 if (sm->GUpdateStationKeys) {
3847 /*
3848 * This should not really happen, so add a debug log entry.
3849 * Since we clear the GKeyDoneStations before the loop, the
3850 * station needs to be counted here anyway.
3851 */
3852 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3853 "GUpdateStationKeys was already set when "
3854 "marking station for GTK rekeying");
3855 }
3856
3857 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
3858 if (sm->is_wnmsleep)
3859 return 0;
3860
3861 sm->group->GKeyDoneStations++;
3862 sm->GUpdateStationKeys = TRUE;
3863
3864 wpa_sm_step(sm);
3865 return 0;
3866 }
3867
3868
3869 #ifdef CONFIG_WNM_AP
3870 /* update GTK when exiting WNM-Sleep Mode */
3871 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
3872 {
3873 if (sm == NULL || sm->is_wnmsleep)
3874 return;
3875
3876 wpa_group_update_sta(sm, NULL);
3877 }
3878
3879
3880 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
3881 {
3882 if (sm)
3883 sm->is_wnmsleep = !!flag;
3884 }
3885
3886
3887 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3888 {
3889 struct wpa_group *gsm = sm->group;
3890 u8 *start = pos;
3891
3892 /*
3893 * GTK subelement:
3894 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
3895 * Key[5..32]
3896 */
3897 *pos++ = WNM_SLEEP_SUBELEM_GTK;
3898 *pos++ = 11 + gsm->GTK_len;
3899 /* Key ID in B0-B1 of Key Info */
3900 WPA_PUT_LE16(pos, gsm->GN & 0x03);
3901 pos += 2;
3902 *pos++ = gsm->GTK_len;
3903 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
3904 return 0;
3905 pos += 8;
3906 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3907 pos += gsm->GTK_len;
3908
3909 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
3910 gsm->GN);
3911 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
3912 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3913
3914 return pos - start;
3915 }
3916
3917
3918 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3919 {
3920 struct wpa_group *gsm = sm->group;
3921 u8 *start = pos;
3922 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
3923
3924 /*
3925 * IGTK subelement:
3926 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
3927 */
3928 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
3929 *pos++ = 2 + 6 + len;
3930 WPA_PUT_LE16(pos, gsm->GN_igtk);
3931 pos += 2;
3932 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
3933 return 0;
3934 pos += 6;
3935
3936 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
3937 pos += len;
3938
3939 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
3940 gsm->GN_igtk);
3941 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
3942 gsm->IGTK[gsm->GN_igtk - 4], len);
3943
3944 return pos - start;
3945 }
3946
3947 #endif /* CONFIG_WNM_AP */
3948
3949
3950 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
3951 struct wpa_group *group)
3952 {
3953 int tmp;
3954
3955 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3956 "SETKEYS (VLAN-ID %d)", group->vlan_id);
3957 group->changed = TRUE;
3958 group->wpa_group_state = WPA_GROUP_SETKEYS;
3959 group->GTKReKey = FALSE;
3960 tmp = group->GM;
3961 group->GM = group->GN;
3962 group->GN = tmp;
3963 tmp = group->GM_igtk;
3964 group->GM_igtk = group->GN_igtk;
3965 group->GN_igtk = tmp;
3966 /* "GKeyDoneStations = GNoStations" is done in more robust way by
3967 * counting the STAs that are marked with GUpdateStationKeys instead of
3968 * including all STAs that could be in not-yet-completed state. */
3969 wpa_gtk_update(wpa_auth, group);
3970
3971 if (group->GKeyDoneStations) {
3972 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3973 "GKeyDoneStations=%d when starting new GTK rekey",
3974 group->GKeyDoneStations);
3975 group->GKeyDoneStations = 0;
3976 }
3977 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
3978 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3979 group->GKeyDoneStations);
3980 }
3981
3982
3983 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3984 struct wpa_group *group)
3985 {
3986 int ret = 0;
3987
3988 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
3989 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
3990 broadcast_ether_addr, group->GN,
3991 group->GTK[group->GN - 1], group->GTK_len) < 0)
3992 ret = -1;
3993
3994 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3995 enum wpa_alg alg;
3996 size_t len;
3997
3998 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3999 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
4000
4001 if (ret == 0 &&
4002 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
4003 broadcast_ether_addr, group->GN_igtk,
4004 group->IGTK[group->GN_igtk - 4], len) < 0)
4005 ret = -1;
4006 }
4007
4008 return ret;
4009 }
4010
4011
4012 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
4013 {
4014 if (sm->group == ctx) {
4015 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
4016 " for discconnection due to fatal failure",
4017 MAC2STR(sm->addr));
4018 sm->Disconnect = TRUE;
4019 }
4020
4021 return 0;
4022 }
4023
4024
4025 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
4026 struct wpa_group *group)
4027 {
4028 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
4029 group->changed = TRUE;
4030 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
4031 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
4032 }
4033
4034
4035 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
4036 struct wpa_group *group)
4037 {
4038 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
4039 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
4040 group->changed = TRUE;
4041 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
4042
4043 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
4044 wpa_group_fatal_failure(wpa_auth, group);
4045 return -1;
4046 }
4047
4048 return 0;
4049 }
4050
4051
4052 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
4053 struct wpa_group *group)
4054 {
4055 if (group->GInit) {
4056 wpa_group_gtk_init(wpa_auth, group);
4057 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
4058 /* Do not allow group operations */
4059 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
4060 group->GTKAuthenticator) {
4061 wpa_group_setkeysdone(wpa_auth, group);
4062 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
4063 group->GTKReKey) {
4064 wpa_group_setkeys(wpa_auth, group);
4065 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
4066 if (group->GKeyDoneStations == 0)
4067 wpa_group_setkeysdone(wpa_auth, group);
4068 else if (group->GTKReKey)
4069 wpa_group_setkeys(wpa_auth, group);
4070 }
4071 }
4072
4073
4074 static int wpa_sm_step(struct wpa_state_machine *sm)
4075 {
4076 if (sm == NULL)
4077 return 0;
4078
4079 if (sm->in_step_loop) {
4080 /* This should not happen, but if it does, make sure we do not
4081 * end up freeing the state machine too early by exiting the
4082 * recursive call. */
4083 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
4084 return 0;
4085 }
4086
4087 sm->in_step_loop = 1;
4088 do {
4089 if (sm->pending_deinit)
4090 break;
4091
4092 sm->changed = FALSE;
4093 sm->wpa_auth->group->changed = FALSE;
4094
4095 SM_STEP_RUN(WPA_PTK);
4096 if (sm->pending_deinit)
4097 break;
4098 SM_STEP_RUN(WPA_PTK_GROUP);
4099 if (sm->pending_deinit)
4100 break;
4101 wpa_group_sm_step(sm->wpa_auth, sm->group);
4102 } while (sm->changed || sm->wpa_auth->group->changed);
4103 sm->in_step_loop = 0;
4104
4105 if (sm->pending_deinit) {
4106 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
4107 "machine deinit for " MACSTR, MAC2STR(sm->addr));
4108 wpa_free_sta_sm(sm);
4109 return 1;
4110 }
4111 return 0;
4112 }
4113
4114
4115 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
4116 {
4117 struct wpa_state_machine *sm = eloop_ctx;
4118 wpa_sm_step(sm);
4119 }
4120
4121
4122 void wpa_auth_sm_notify(struct wpa_state_machine *sm)
4123 {
4124 if (sm == NULL)
4125 return;
4126 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
4127 }
4128
4129
4130 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
4131 {
4132 int tmp, i;
4133 struct wpa_group *group;
4134
4135 if (wpa_auth == NULL)
4136 return;
4137
4138 group = wpa_auth->group;
4139
4140 for (i = 0; i < 2; i++) {
4141 tmp = group->GM;
4142 group->GM = group->GN;
4143 group->GN = tmp;
4144 tmp = group->GM_igtk;
4145 group->GM_igtk = group->GN_igtk;
4146 group->GN_igtk = tmp;
4147 wpa_gtk_update(wpa_auth, group);
4148 wpa_group_config_group_keys(wpa_auth, group);
4149 }
4150 }
4151
4152
4153 static const char * wpa_bool_txt(int val)
4154 {
4155 return val ? "TRUE" : "FALSE";
4156 }
4157
4158
4159 #define RSN_SUITE "%02x-%02x-%02x-%d"
4160 #define RSN_SUITE_ARG(s) \
4161 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
4162
4163 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
4164 {
4165 int len = 0, ret;
4166 char pmkid_txt[PMKID_LEN * 2 + 1];
4167 #ifdef CONFIG_RSN_PREAUTH
4168 const int preauth = 1;
4169 #else /* CONFIG_RSN_PREAUTH */
4170 const int preauth = 0;
4171 #endif /* CONFIG_RSN_PREAUTH */
4172
4173 if (wpa_auth == NULL)
4174 return len;
4175
4176 ret = os_snprintf(buf + len, buflen - len,
4177 "dot11RSNAOptionImplemented=TRUE\n"
4178 "dot11RSNAPreauthenticationImplemented=%s\n"
4179 "dot11RSNAEnabled=%s\n"
4180 "dot11RSNAPreauthenticationEnabled=%s\n",
4181 wpa_bool_txt(preauth),
4182 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
4183 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
4184 if (os_snprintf_error(buflen - len, ret))
4185 return len;
4186 len += ret;
4187
4188 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
4189 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
4190
4191 ret = os_snprintf(
4192 buf + len, buflen - len,
4193 "dot11RSNAConfigVersion=%u\n"
4194 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
4195 /* FIX: dot11RSNAConfigGroupCipher */
4196 /* FIX: dot11RSNAConfigGroupRekeyMethod */
4197 /* FIX: dot11RSNAConfigGroupRekeyTime */
4198 /* FIX: dot11RSNAConfigGroupRekeyPackets */
4199 "dot11RSNAConfigGroupRekeyStrict=%u\n"
4200 "dot11RSNAConfigGroupUpdateCount=%u\n"
4201 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
4202 "dot11RSNAConfigGroupCipherSize=%u\n"
4203 "dot11RSNAConfigPMKLifetime=%u\n"
4204 "dot11RSNAConfigPMKReauthThreshold=%u\n"
4205 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
4206 "dot11RSNAConfigSATimeout=%u\n"
4207 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
4208 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
4209 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
4210 "dot11RSNAPMKIDUsed=%s\n"
4211 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
4212 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
4213 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
4214 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
4215 "dot11RSNA4WayHandshakeFailures=%u\n"
4216 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
4217 RSN_VERSION,
4218 !!wpa_auth->conf.wpa_strict_rekey,
4219 wpa_auth->conf.wpa_group_update_count,
4220 wpa_auth->conf.wpa_pairwise_update_count,
4221 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
4222 dot11RSNAConfigPMKLifetime,
4223 dot11RSNAConfigPMKReauthThreshold,
4224 dot11RSNAConfigSATimeout,
4225 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
4226 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
4227 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
4228 pmkid_txt,
4229 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
4230 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
4231 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
4232 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
4233 wpa_auth->dot11RSNA4WayHandshakeFailures);
4234 if (os_snprintf_error(buflen - len, ret))
4235 return len;
4236 len += ret;
4237
4238 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
4239 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
4240
4241 /* Private MIB */
4242 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
4243 wpa_auth->group->wpa_group_state);
4244 if (os_snprintf_error(buflen - len, ret))
4245 return len;
4246 len += ret;
4247
4248 return len;
4249 }
4250
4251
4252 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
4253 {
4254 int len = 0, ret;
4255 u32 pairwise = 0;
4256
4257 if (sm == NULL)
4258 return 0;
4259
4260 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
4261
4262 /* dot11RSNAStatsEntry */
4263
4264 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
4265 WPA_PROTO_RSN : WPA_PROTO_WPA,
4266 sm->pairwise);
4267 if (pairwise == 0)
4268 return 0;
4269
4270 ret = os_snprintf(
4271 buf + len, buflen - len,
4272 /* TODO: dot11RSNAStatsIndex */
4273 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
4274 "dot11RSNAStatsVersion=1\n"
4275 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
4276 /* TODO: dot11RSNAStatsTKIPICVErrors */
4277 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
4278 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
4279 /* TODO: dot11RSNAStatsCCMPReplays */
4280 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
4281 /* TODO: dot11RSNAStatsTKIPReplays */,
4282 MAC2STR(sm->addr),
4283 RSN_SUITE_ARG(pairwise),
4284 sm->dot11RSNAStatsTKIPLocalMICFailures,
4285 sm->dot11RSNAStatsTKIPRemoteMICFailures);
4286 if (os_snprintf_error(buflen - len, ret))
4287 return len;
4288 len += ret;
4289
4290 /* Private MIB */
4291 ret = os_snprintf(buf + len, buflen - len,
4292 "wpa=%d\n"
4293 "AKMSuiteSelector=" RSN_SUITE "\n"
4294 "hostapdWPAPTKState=%d\n"
4295 "hostapdWPAPTKGroupState=%d\n",
4296 sm->wpa,
4297 RSN_SUITE_ARG(wpa_akm_to_suite(sm->wpa_key_mgmt)),
4298 sm->wpa_ptk_state,
4299 sm->wpa_ptk_group_state);
4300 if (os_snprintf_error(buflen - len, ret))
4301 return len;
4302 len += ret;
4303
4304 return len;
4305 }
4306
4307
4308 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
4309 {
4310 if (wpa_auth)
4311 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
4312 }
4313
4314
4315 int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
4316 {
4317 return sm && sm->pairwise_set;
4318 }
4319
4320
4321 int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
4322 {
4323 return sm->pairwise;
4324 }
4325
4326
4327 const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len)
4328 {
4329 if (!sm)
4330 return NULL;
4331 *len = sm->pmk_len;
4332 return sm->PMK;
4333 }
4334
4335
4336 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
4337 {
4338 if (sm == NULL)
4339 return -1;
4340 return sm->wpa_key_mgmt;
4341 }
4342
4343
4344 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
4345 {
4346 if (sm == NULL)
4347 return 0;
4348 return sm->wpa;
4349 }
4350
4351
4352 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
4353 {
4354 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
4355 return 0;
4356 return sm->tk_already_set;
4357 }
4358
4359
4360 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm)
4361 {
4362 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt))
4363 return 0;
4364 return sm->tk_already_set;
4365 }
4366
4367
4368 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
4369 struct rsn_pmksa_cache_entry *entry)
4370 {
4371 if (sm == NULL || sm->pmksa != entry)
4372 return -1;
4373 sm->pmksa = NULL;
4374 return 0;
4375 }
4376
4377
4378 struct rsn_pmksa_cache_entry *
4379 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
4380 {
4381 return sm ? sm->pmksa : NULL;
4382 }
4383
4384
4385 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
4386 {
4387 if (sm)
4388 sm->dot11RSNAStatsTKIPLocalMICFailures++;
4389 }
4390
4391
4392 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
4393 {
4394 if (wpa_auth == NULL)
4395 return NULL;
4396 *len = wpa_auth->wpa_ie_len;
4397 return wpa_auth->wpa_ie;
4398 }
4399
4400
4401 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
4402 unsigned int pmk_len,
4403 int session_timeout, struct eapol_state_machine *eapol)
4404 {
4405 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
4406 sm->wpa_auth->conf.disable_pmksa_caching)
4407 return -1;
4408
4409 #ifdef CONFIG_IEEE80211R_AP
4410 if (pmk_len >= 2 * PMK_LEN && wpa_key_mgmt_ft(sm->wpa_key_mgmt) &&
4411 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
4412 !wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
4413 /* Cache MPMK/XXKey instead of initial part from MSK */
4414 pmk = pmk + PMK_LEN;
4415 pmk_len = PMK_LEN;
4416 } else
4417 #endif /* CONFIG_IEEE80211R_AP */
4418 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
4419 if (pmk_len > PMK_LEN_SUITE_B_192)
4420 pmk_len = PMK_LEN_SUITE_B_192;
4421 } else if (pmk_len > PMK_LEN) {
4422 pmk_len = PMK_LEN;
4423 }
4424
4425 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK", pmk, pmk_len);
4426 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
4427 sm->PTK.kck, sm->PTK.kck_len,
4428 sm->wpa_auth->addr, sm->addr, session_timeout,
4429 eapol, sm->wpa_key_mgmt))
4430 return 0;
4431
4432 return -1;
4433 }
4434
4435
4436 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
4437 const u8 *pmk, size_t len, const u8 *sta_addr,
4438 int session_timeout,
4439 struct eapol_state_machine *eapol)
4440 {
4441 if (wpa_auth == NULL)
4442 return -1;
4443
4444 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from preauth", pmk, len);
4445 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
4446 NULL, 0,
4447 wpa_auth->addr,
4448 sta_addr, session_timeout, eapol,
4449 WPA_KEY_MGMT_IEEE8021X))
4450 return 0;
4451
4452 return -1;
4453 }
4454
4455
4456 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
4457 const u8 *pmk, const u8 *pmkid)
4458 {
4459 if (wpa_auth->conf.disable_pmksa_caching)
4460 return -1;
4461
4462 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE", pmk, PMK_LEN);
4463 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
4464 NULL, 0,
4465 wpa_auth->addr, addr, 0, NULL,
4466 WPA_KEY_MGMT_SAE))
4467 return 0;
4468
4469 return -1;
4470 }
4471
4472
4473 void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid)
4474 {
4475 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
4476 sm->pmkid_set = 1;
4477 }
4478
4479
4480 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
4481 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
4482 int session_timeout, int akmp)
4483 {
4484 if (wpa_auth->conf.disable_pmksa_caching)
4485 return -1;
4486
4487 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (2)", pmk, PMK_LEN);
4488 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
4489 NULL, 0, wpa_auth->addr, addr, session_timeout,
4490 NULL, akmp))
4491 return 0;
4492
4493 return -1;
4494 }
4495
4496
4497 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
4498 const u8 *sta_addr)
4499 {
4500 struct rsn_pmksa_cache_entry *pmksa;
4501
4502 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
4503 return;
4504 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
4505 if (pmksa) {
4506 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
4507 MACSTR " based on request", MAC2STR(sta_addr));
4508 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
4509 }
4510 }
4511
4512
4513 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
4514 size_t len)
4515 {
4516 if (!wpa_auth || !wpa_auth->pmksa)
4517 return 0;
4518 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
4519 }
4520
4521
4522 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
4523 {
4524 if (wpa_auth && wpa_auth->pmksa)
4525 pmksa_cache_auth_flush(wpa_auth->pmksa);
4526 }
4527
4528
4529 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL
4530 #ifdef CONFIG_MESH
4531
4532 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
4533 char *buf, size_t len)
4534 {
4535 if (!wpa_auth || !wpa_auth->pmksa)
4536 return 0;
4537
4538 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
4539 }
4540
4541
4542 struct rsn_pmksa_cache_entry *
4543 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
4544 const u8 *pmkid, int expiration)
4545 {
4546 struct rsn_pmksa_cache_entry *entry;
4547 struct os_reltime now;
4548
4549 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa,
4550 spa, 0, NULL, WPA_KEY_MGMT_SAE);
4551 if (!entry)
4552 return NULL;
4553
4554 os_get_reltime(&now);
4555 entry->expiration = now.sec + expiration;
4556 return entry;
4557 }
4558
4559
4560 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
4561 struct rsn_pmksa_cache_entry *entry)
4562 {
4563 int ret;
4564
4565 if (!wpa_auth || !wpa_auth->pmksa)
4566 return -1;
4567
4568 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
4569 if (ret < 0)
4570 wpa_printf(MSG_DEBUG,
4571 "RSN: Failed to store external PMKSA cache for "
4572 MACSTR, MAC2STR(entry->spa));
4573
4574 return ret;
4575 }
4576
4577 #endif /* CONFIG_MESH */
4578 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
4579
4580
4581 struct rsn_pmksa_cache_entry *
4582 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
4583 const u8 *pmkid)
4584 {
4585 if (!wpa_auth || !wpa_auth->pmksa)
4586 return NULL;
4587 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
4588 }
4589
4590
4591 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
4592 struct wpa_state_machine *sm,
4593 struct wpa_authenticator *wpa_auth,
4594 u8 *pmkid, u8 *pmk)
4595 {
4596 if (!sm)
4597 return;
4598
4599 sm->pmksa = pmksa;
4600 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
4601 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
4602 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
4603 }
4604
4605
4606 /*
4607 * Remove and free the group from wpa_authenticator. This is triggered by a
4608 * callback to make sure nobody is currently iterating the group list while it
4609 * gets modified.
4610 */
4611 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
4612 struct wpa_group *group)
4613 {
4614 struct wpa_group *prev = wpa_auth->group;
4615
4616 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
4617 group->vlan_id);
4618
4619 while (prev) {
4620 if (prev->next == group) {
4621 /* This never frees the special first group as needed */
4622 prev->next = group->next;
4623 os_free(group);
4624 break;
4625 }
4626 prev = prev->next;
4627 }
4628
4629 }
4630
4631
4632 /* Increase the reference counter for group */
4633 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
4634 struct wpa_group *group)
4635 {
4636 /* Skip the special first group */
4637 if (wpa_auth->group == group)
4638 return;
4639
4640 group->references++;
4641 }
4642
4643
4644 /* Decrease the reference counter and maybe free the group */
4645 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
4646 struct wpa_group *group)
4647 {
4648 /* Skip the special first group */
4649 if (wpa_auth->group == group)
4650 return;
4651
4652 group->references--;
4653 if (group->references)
4654 return;
4655 wpa_group_free(wpa_auth, group);
4656 }
4657
4658
4659 /*
4660 * Add a group that has its references counter set to zero. Caller needs to
4661 * call wpa_group_get() on the return value to mark the entry in use.
4662 */
4663 static struct wpa_group *
4664 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4665 {
4666 struct wpa_group *group;
4667
4668 if (wpa_auth == NULL || wpa_auth->group == NULL)
4669 return NULL;
4670
4671 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
4672 vlan_id);
4673 group = wpa_group_init(wpa_auth, vlan_id, 0);
4674 if (group == NULL)
4675 return NULL;
4676
4677 group->next = wpa_auth->group->next;
4678 wpa_auth->group->next = group;
4679
4680 return group;
4681 }
4682
4683
4684 /*
4685 * Enforce that the group state machine for the VLAN is running, increase
4686 * reference counter as interface is up. References might have been increased
4687 * even if a negative value is returned.
4688 * Returns: -1 on error (group missing, group already failed); otherwise, 0
4689 */
4690 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4691 {
4692 struct wpa_group *group;
4693
4694 if (wpa_auth == NULL)
4695 return 0;
4696
4697 group = wpa_auth->group;
4698 while (group) {
4699 if (group->vlan_id == vlan_id)
4700 break;
4701 group = group->next;
4702 }
4703
4704 if (group == NULL) {
4705 group = wpa_auth_add_group(wpa_auth, vlan_id);
4706 if (group == NULL)
4707 return -1;
4708 }
4709
4710 wpa_printf(MSG_DEBUG,
4711 "WPA: Ensure group state machine running for VLAN ID %d",
4712 vlan_id);
4713
4714 wpa_group_get(wpa_auth, group);
4715 group->num_setup_iface++;
4716
4717 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4718 return -1;
4719
4720 return 0;
4721 }
4722
4723
4724 /*
4725 * Decrease reference counter, expected to be zero afterwards.
4726 * returns: -1 on error (group not found, group in fail state)
4727 * -2 if wpa_group is still referenced
4728 * 0 else
4729 */
4730 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4731 {
4732 struct wpa_group *group;
4733 int ret = 0;
4734
4735 if (wpa_auth == NULL)
4736 return 0;
4737
4738 group = wpa_auth->group;
4739 while (group) {
4740 if (group->vlan_id == vlan_id)
4741 break;
4742 group = group->next;
4743 }
4744
4745 if (group == NULL)
4746 return -1;
4747
4748 wpa_printf(MSG_DEBUG,
4749 "WPA: Try stopping group state machine for VLAN ID %d",
4750 vlan_id);
4751
4752 if (group->num_setup_iface <= 0) {
4753 wpa_printf(MSG_ERROR,
4754 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
4755 vlan_id);
4756 return -1;
4757 }
4758 group->num_setup_iface--;
4759
4760 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4761 ret = -1;
4762
4763 if (group->references > 1) {
4764 wpa_printf(MSG_DEBUG,
4765 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
4766 vlan_id);
4767 ret = -2;
4768 }
4769
4770 wpa_group_put(wpa_auth, group);
4771
4772 return ret;
4773 }
4774
4775
4776 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
4777 {
4778 struct wpa_group *group;
4779
4780 if (sm == NULL || sm->wpa_auth == NULL)
4781 return 0;
4782
4783 group = sm->wpa_auth->group;
4784 while (group) {
4785 if (group->vlan_id == vlan_id)
4786 break;
4787 group = group->next;
4788 }
4789
4790 if (group == NULL) {
4791 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
4792 if (group == NULL)
4793 return -1;
4794 }
4795
4796 if (sm->group == group)
4797 return 0;
4798
4799 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4800 return -1;
4801
4802 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
4803 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
4804
4805 wpa_group_get(sm->wpa_auth, group);
4806 wpa_group_put(sm->wpa_auth, sm->group);
4807 sm->group = group;
4808
4809 return 0;
4810 }
4811
4812
4813 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
4814 struct wpa_state_machine *sm, int ack)
4815 {
4816 if (wpa_auth == NULL || sm == NULL)
4817 return;
4818 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
4819 " ack=%d", MAC2STR(sm->addr), ack);
4820 if (sm->pending_1_of_4_timeout && ack) {
4821 /*
4822 * Some deployed supplicant implementations update their SNonce
4823 * for each EAPOL-Key 2/4 message even within the same 4-way
4824 * handshake and then fail to use the first SNonce when
4825 * deriving the PTK. This results in unsuccessful 4-way
4826 * handshake whenever the relatively short initial timeout is
4827 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
4828 * around this by increasing the timeout now that we know that
4829 * the station has received the frame.
4830 */
4831 int timeout_ms = eapol_key_timeout_subseq;
4832 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
4833 "timeout by %u ms because of acknowledged frame",
4834 timeout_ms);
4835 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
4836 eloop_register_timeout(timeout_ms / 1000,
4837 (timeout_ms % 1000) * 1000,
4838 wpa_send_eapol_timeout, wpa_auth, sm);
4839 }
4840
4841 #ifdef CONFIG_TESTING_OPTIONS
4842 if (sm->eapol_status_cb) {
4843 sm->eapol_status_cb(sm->eapol_status_cb_ctx1,
4844 sm->eapol_status_cb_ctx2);
4845 sm->eapol_status_cb = NULL;
4846 }
4847 #endif /* CONFIG_TESTING_OPTIONS */
4848 }
4849
4850
4851 int wpa_auth_uses_sae(struct wpa_state_machine *sm)
4852 {
4853 if (sm == NULL)
4854 return 0;
4855 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
4856 }
4857
4858
4859 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
4860 {
4861 if (sm == NULL)
4862 return 0;
4863 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
4864 }
4865
4866
4867 #ifdef CONFIG_P2P
4868 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
4869 {
4870 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
4871 return -1;
4872 os_memcpy(addr, sm->ip_addr, 4);
4873 return 0;
4874 }
4875 #endif /* CONFIG_P2P */
4876
4877
4878 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
4879 struct radius_das_attrs *attr)
4880 {
4881 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
4882 }
4883
4884
4885 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
4886 {
4887 struct wpa_group *group;
4888
4889 if (!wpa_auth)
4890 return;
4891 for (group = wpa_auth->group; group; group = group->next)
4892 wpa_group_config_group_keys(wpa_auth, group);
4893 }
4894
4895
4896 #ifdef CONFIG_FILS
4897
4898 struct wpa_auth_fils_iter_data {
4899 struct wpa_authenticator *auth;
4900 const u8 *cache_id;
4901 struct rsn_pmksa_cache_entry *pmksa;
4902 const u8 *spa;
4903 const u8 *pmkid;
4904 };
4905
4906
4907 static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
4908 {
4909 struct wpa_auth_fils_iter_data *data = ctx;
4910
4911 if (a == data->auth || !a->conf.fils_cache_id_set ||
4912 os_memcmp(a->conf.fils_cache_id, data->cache_id,
4913 FILS_CACHE_ID_LEN) != 0)
4914 return 0;
4915 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
4916 return data->pmksa != NULL;
4917 }
4918
4919
4920 struct rsn_pmksa_cache_entry *
4921 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
4922 const u8 *sta_addr, const u8 *pmkid)
4923 {
4924 struct wpa_auth_fils_iter_data idata;
4925
4926 if (!wpa_auth->conf.fils_cache_id_set)
4927 return NULL;
4928 idata.auth = wpa_auth;
4929 idata.cache_id = wpa_auth->conf.fils_cache_id;
4930 idata.pmksa = NULL;
4931 idata.spa = sta_addr;
4932 idata.pmkid = pmkid;
4933 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
4934 return idata.pmksa;
4935 }
4936
4937
4938 #ifdef CONFIG_IEEE80211R_AP
4939 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, int use_sha384,
4940 u8 *buf, size_t len)
4941 {
4942 struct wpa_auth_config *conf = &wpa_auth->conf;
4943
4944 return wpa_write_ftie(conf, use_sha384, conf->r0_key_holder,
4945 conf->r0_key_holder_len,
4946 NULL, NULL, buf, len, NULL, 0);
4947 }
4948 #endif /* CONFIG_IEEE80211R_AP */
4949
4950
4951 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
4952 u8 *fils_anonce, u8 *fils_snonce,
4953 u8 *fils_kek, size_t *fils_kek_len)
4954 {
4955 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
4956 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
4957 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
4958 *fils_kek_len = sm->PTK.kek_len;
4959 }
4960
4961
4962 void wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine *sm, const u8 *pmk,
4963 size_t pmk_len, const u8 *pmkid)
4964 {
4965 os_memcpy(sm->PMK, pmk, pmk_len);
4966 sm->pmk_len = pmk_len;
4967 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
4968 sm->pmkid_set = 1;
4969 }
4970
4971 #endif /* CONFIG_FILS */
4972
4973
4974 void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg)
4975 {
4976 if (sm)
4977 sm->auth_alg = auth_alg;
4978 }
4979
4980
4981 #ifdef CONFIG_DPP2
4982 void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z)
4983 {
4984 if (sm) {
4985 wpabuf_clear_free(sm->dpp_z);
4986 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
4987 }
4988 }
4989 #endif /* CONFIG_DPP2 */
4990
4991
4992 #ifdef CONFIG_TESTING_OPTIONS
4993
4994 int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce,
4995 void (*cb)(void *ctx1, void *ctx2),
4996 void *ctx1, void *ctx2)
4997 {
4998 const u8 *anonce = sm->ANonce;
4999 u8 anonce_buf[WPA_NONCE_LEN];
5000
5001 if (change_anonce) {
5002 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN))
5003 return -1;
5004 anonce = anonce_buf;
5005 }
5006
5007 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
5008 "sending 1/4 msg of 4-Way Handshake (TESTING)");
5009 wpa_send_eapol(sm->wpa_auth, sm,
5010 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
5011 anonce, NULL, 0, 0, 0);
5012 return 0;
5013 }
5014
5015
5016 int wpa_auth_resend_m3(struct wpa_state_machine *sm,
5017 void (*cb)(void *ctx1, void *ctx2),
5018 void *ctx1, void *ctx2)
5019 {
5020 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos;
5021 u8 *opos;
5022 size_t gtk_len, kde_len;
5023 struct wpa_group *gsm = sm->group;
5024 u8 *wpa_ie;
5025 int wpa_ie_len, secure, gtkidx, encr = 0;
5026
5027 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
5028 GTK[GN], IGTK, [FTIE], [TIE * 2])
5029 */
5030
5031 /* Use 0 RSC */
5032 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
5033 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
5034 wpa_ie = sm->wpa_auth->wpa_ie;
5035 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
5036 if (sm->wpa == WPA_VERSION_WPA &&
5037 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
5038 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
5039 /* WPA-only STA, remove RSN IE and possible MDIE */
5040 wpa_ie = wpa_ie + wpa_ie[1] + 2;
5041 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
5042 wpa_ie = wpa_ie + wpa_ie[1] + 2;
5043 wpa_ie_len = wpa_ie[1] + 2;
5044 }
5045 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
5046 "sending 3/4 msg of 4-Way Handshake (TESTING)");
5047 if (sm->wpa == WPA_VERSION_WPA2) {
5048 /* WPA2 send GTK in the 4-way handshake */
5049 secure = 1;
5050 gtk = gsm->GTK[gsm->GN - 1];
5051 gtk_len = gsm->GTK_len;
5052 gtkidx = gsm->GN;
5053 _rsc = rsc;
5054 encr = 1;
5055 } else {
5056 /* WPA does not include GTK in msg 3/4 */
5057 secure = 0;
5058 gtk = NULL;
5059 gtk_len = 0;
5060 _rsc = NULL;
5061 if (sm->rx_eapol_key_secure) {
5062 /*
5063 * It looks like Windows 7 supplicant tries to use
5064 * Secure bit in msg 2/4 after having reported Michael
5065 * MIC failure and it then rejects the 4-way handshake
5066 * if msg 3/4 does not set Secure bit. Work around this
5067 * by setting the Secure bit here even in the case of
5068 * WPA if the supplicant used it first.
5069 */
5070 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
5071 "STA used Secure bit in WPA msg 2/4 - "
5072 "set Secure for 3/4 as workaround");
5073 secure = 1;
5074 }
5075 }
5076
5077 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
5078 if (gtk)
5079 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
5080 #ifdef CONFIG_IEEE80211R_AP
5081 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5082 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
5083 kde_len += 300; /* FTIE + 2 * TIE */
5084 }
5085 #endif /* CONFIG_IEEE80211R_AP */
5086 kde = os_malloc(kde_len);
5087 if (kde == NULL)
5088 return -1;
5089
5090 pos = kde;
5091 os_memcpy(pos, wpa_ie, wpa_ie_len);
5092 pos += wpa_ie_len;
5093 #ifdef CONFIG_IEEE80211R_AP
5094 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5095 int res;
5096 size_t elen;
5097
5098 elen = pos - kde;
5099 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
5100 if (res < 0) {
5101 wpa_printf(MSG_ERROR, "FT: Failed to insert "
5102 "PMKR1Name into RSN IE in EAPOL-Key data");
5103 os_free(kde);
5104 return -1;
5105 }
5106 pos -= wpa_ie_len;
5107 pos += elen;
5108 }
5109 #endif /* CONFIG_IEEE80211R_AP */
5110 if (gtk) {
5111 u8 hdr[2];
5112 hdr[0] = gtkidx & 0x03;
5113 hdr[1] = 0;
5114 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5115 gtk, gtk_len);
5116 }
5117 opos = pos;
5118 pos = ieee80211w_kde_add(sm, pos);
5119 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
5120 /* skip KDE header and keyid */
5121 opos += 2 + RSN_SELECTOR_LEN + 2;
5122 os_memset(opos, 0, 6); /* clear PN */
5123 }
5124 if (ocv_oci_add(sm, &pos) < 0) {
5125 os_free(kde);
5126 return -1;
5127 }
5128
5129 #ifdef CONFIG_IEEE80211R_AP
5130 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5131 int res;
5132 struct wpa_auth_config *conf;
5133
5134 conf = &sm->wpa_auth->conf;
5135 if (sm->assoc_resp_ftie &&
5136 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
5137 os_memcpy(pos, sm->assoc_resp_ftie,
5138 2 + sm->assoc_resp_ftie[1]);
5139 res = 2 + sm->assoc_resp_ftie[1];
5140 } else {
5141 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
5142
5143 res = wpa_write_ftie(conf, use_sha384,
5144 conf->r0_key_holder,
5145 conf->r0_key_holder_len,
5146 NULL, NULL, pos,
5147 kde + kde_len - pos,
5148 NULL, 0);
5149 }
5150 if (res < 0) {
5151 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
5152 "into EAPOL-Key Key Data");
5153 os_free(kde);
5154 return -1;
5155 }
5156 pos += res;
5157
5158 /* TIE[ReassociationDeadline] (TU) */
5159 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
5160 *pos++ = 5;
5161 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
5162 WPA_PUT_LE32(pos, conf->reassociation_deadline);
5163 pos += 4;
5164
5165 /* TIE[KeyLifetime] (seconds) */
5166 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
5167 *pos++ = 5;
5168 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
5169 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
5170 pos += 4;
5171 }
5172 #endif /* CONFIG_IEEE80211R_AP */
5173
5174 wpa_send_eapol(sm->wpa_auth, sm,
5175 (secure ? WPA_KEY_INFO_SECURE : 0) |
5176 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5177 WPA_KEY_INFO_MIC : 0) |
5178 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
5179 WPA_KEY_INFO_KEY_TYPE,
5180 _rsc, sm->ANonce, kde, pos - kde, 0, encr);
5181 os_free(kde);
5182 return 0;
5183 }
5184
5185
5186 int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
5187 void (*cb)(void *ctx1, void *ctx2),
5188 void *ctx1, void *ctx2)
5189 {
5190 u8 rsc[WPA_KEY_RSC_LEN];
5191 struct wpa_group *gsm = sm->group;
5192 const u8 *kde;
5193 u8 *kde_buf = NULL, *pos, hdr[2];
5194 u8 *opos;
5195 size_t kde_len;
5196 u8 *gtk;
5197
5198 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
5199 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
5200 /* Use 0 RSC */
5201 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
5202 "sending 1/2 msg of Group Key Handshake (TESTING)");
5203
5204 gtk = gsm->GTK[gsm->GN - 1];
5205 if (sm->wpa == WPA_VERSION_WPA2) {
5206 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
5207 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
5208 kde_buf = os_malloc(kde_len);
5209 if (kde_buf == NULL)
5210 return -1;
5211
5212 kde = pos = kde_buf;
5213 hdr[0] = gsm->GN & 0x03;
5214 hdr[1] = 0;
5215 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5216 gtk, gsm->GTK_len);
5217 opos = pos;
5218 pos = ieee80211w_kde_add(sm, pos);
5219 if (pos - opos >=
5220 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
5221 /* skip KDE header and keyid */
5222 opos += 2 + RSN_SELECTOR_LEN + 2;
5223 os_memset(opos, 0, 6); /* clear PN */
5224 }
5225 if (ocv_oci_add(sm, &pos) < 0) {
5226 os_free(kde_buf);
5227 return -1;
5228 }
5229 kde_len = pos - kde;
5230 } else {
5231 kde = gtk;
5232 kde_len = gsm->GTK_len;
5233 }
5234
5235 sm->eapol_status_cb = cb;
5236 sm->eapol_status_cb_ctx1 = ctx1;
5237 sm->eapol_status_cb_ctx2 = ctx2;
5238
5239 wpa_send_eapol(sm->wpa_auth, sm,
5240 WPA_KEY_INFO_SECURE |
5241 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5242 WPA_KEY_INFO_MIC : 0) |
5243 WPA_KEY_INFO_ACK |
5244 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
5245 rsc, NULL, kde, kde_len, gsm->GN, 1);
5246
5247 os_free(kde_buf);
5248 return 0;
5249 }
5250
5251
5252 int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth)
5253 {
5254 if (!wpa_auth)
5255 return -1;
5256 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
5257 return eloop_register_timeout(0, 0, wpa_rekey_gtk, wpa_auth, NULL);
5258 }
5259
5260 #endif /* CONFIG_TESTING_OPTIONS */
Unnamed repository; edit this file 'description' to name the repository.