2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
4 * Copyright(c) 2015 Intel Deutschland GmbH
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "crypto/sha256.h"
19 #include "crypto/sha384.h"
20 #include "crypto/sha512.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/ieee802_11_common.h"
23 #include "eap_common/eap_defs.h"
24 #include "eapol_supp/eapol_supp_sm.h"
28 #include "pmksa_cache.h"
33 static const u8 null_rsc
[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
37 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
38 * @sm: Pointer to WPA state machine data from wpa_sm_init()
39 * @ptk: PTK for Key Confirmation/Encryption Key
40 * @ver: Version field from Key Info
41 * @dest: Destination address for the frame
42 * @proto: Ethertype (usually ETH_P_EAPOL)
43 * @msg: EAPOL-Key message
44 * @msg_len: Length of message
45 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
46 * Returns: >= 0 on success, < 0 on failure
48 int wpa_eapol_key_send(struct wpa_sm
*sm
, struct wpa_ptk
*ptk
,
49 int ver
, const u8
*dest
, u16 proto
,
50 u8
*msg
, size_t msg_len
, u8
*key_mic
)
53 size_t mic_len
= wpa_mic_len(sm
->key_mgmt
, sm
->pmk_len
);
55 wpa_printf(MSG_DEBUG
, "WPA: Send EAPOL-Key frame to " MACSTR
56 " ver=%d mic_len=%d key_mgmt=0x%x",
57 MAC2STR(dest
), ver
, (int) mic_len
, sm
->key_mgmt
);
58 if (is_zero_ether_addr(dest
) && is_zero_ether_addr(sm
->bssid
)) {
60 * Association event was not yet received; try to fetch
61 * BSSID from the driver.
63 if (wpa_sm_get_bssid(sm
, sm
->bssid
) < 0) {
64 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
65 "WPA: Failed to read BSSID for "
66 "EAPOL-Key destination address");
69 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
70 "WPA: Use BSSID (" MACSTR
71 ") as the destination for EAPOL-Key",
77 if (key_mic
&& (!ptk
|| !ptk
->kck_len
))
81 wpa_eapol_key_mic(ptk
->kck
, ptk
->kck_len
, sm
->key_mgmt
, ver
,
82 msg
, msg_len
, key_mic
)) {
83 wpa_msg(sm
->ctx
->msg_ctx
, MSG_ERROR
,
84 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
89 wpa_hexdump_key(MSG_DEBUG
, "WPA: KCK",
90 ptk
->kck
, ptk
->kck_len
);
91 wpa_hexdump(MSG_DEBUG
, "WPA: Derived Key MIC",
95 /* AEAD cipher - Key MIC field not used */
96 struct ieee802_1x_hdr
*s_hdr
, *hdr
;
97 struct wpa_eapol_key
*s_key
, *key
;
98 u8
*buf
, *s_key_data
, *key_data
;
99 size_t buf_len
= msg_len
+ AES_BLOCK_SIZE
;
105 if (!ptk
|| !ptk
->kek_len
)
108 key_data_len
= msg_len
- sizeof(struct ieee802_1x_hdr
) -
109 sizeof(struct wpa_eapol_key
) - 2;
111 buf
= os_malloc(buf_len
);
115 os_memcpy(buf
, msg
, msg_len
);
116 hdr
= (struct ieee802_1x_hdr
*) buf
;
117 key
= (struct wpa_eapol_key
*) (hdr
+ 1);
118 key_data
= ((u8
*) (key
+ 1)) + 2;
120 /* Update EAPOL header to include AES-SIV overhead */
121 eapol_len
= be_to_host16(hdr
->length
);
122 eapol_len
+= AES_BLOCK_SIZE
;
123 hdr
->length
= host_to_be16(eapol_len
);
125 /* Update Key Data Length field to include AES-SIV overhead */
126 WPA_PUT_BE16((u8
*) (key
+ 1), AES_BLOCK_SIZE
+ key_data_len
);
128 s_hdr
= (struct ieee802_1x_hdr
*) msg
;
129 s_key
= (struct wpa_eapol_key
*) (s_hdr
+ 1);
130 s_key_data
= ((u8
*) (s_key
+ 1)) + 2;
132 wpa_hexdump_key(MSG_DEBUG
, "WPA: Plaintext Key Data",
133 s_key_data
, key_data_len
);
135 wpa_hexdump_key(MSG_DEBUG
, "WPA: KEK", ptk
->kek
, ptk
->kek_len
);
136 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
137 * to Key Data (exclusive). */
139 aad_len
[0] = key_data
- buf
;
140 if (aes_siv_encrypt(ptk
->kek
, ptk
->kek_len
,
141 s_key_data
, key_data_len
,
142 1, aad
, aad_len
, key_data
) < 0) {
147 wpa_hexdump(MSG_DEBUG
, "WPA: Encrypted Key Data from SIV",
148 key_data
, AES_BLOCK_SIZE
+ key_data_len
);
153 #else /* CONFIG_FILS */
155 #endif /* CONFIG_FILS */
158 wpa_hexdump(MSG_MSGDUMP
, "WPA: TX EAPOL-Key", msg
, msg_len
);
159 ret
= wpa_sm_ether_send(sm
, dest
, proto
, msg
, msg_len
);
160 eapol_sm_notify_tx_eapol_key(sm
->eapol
);
168 * wpa_sm_key_request - Send EAPOL-Key Request
169 * @sm: Pointer to WPA state machine data from wpa_sm_init()
170 * @error: Indicate whether this is an Michael MIC error report
171 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
173 * Send an EAPOL-Key Request to the current authenticator. This function is
174 * used to request rekeying and it is usually called when a local Michael MIC
175 * failure is detected.
177 void wpa_sm_key_request(struct wpa_sm
*sm
, int error
, int pairwise
)
179 size_t mic_len
, hdrlen
, rlen
;
180 struct wpa_eapol_key
*reply
;
182 u8 bssid
[ETH_ALEN
], *rbuf
, *key_mic
, *mic
;
184 if (wpa_use_akm_defined(sm
->key_mgmt
))
185 ver
= WPA_KEY_INFO_TYPE_AKM_DEFINED
;
186 else if (wpa_key_mgmt_ft(sm
->key_mgmt
) ||
187 wpa_key_mgmt_sha256(sm
->key_mgmt
))
188 ver
= WPA_KEY_INFO_TYPE_AES_128_CMAC
;
189 else if (sm
->pairwise_cipher
!= WPA_CIPHER_TKIP
)
190 ver
= WPA_KEY_INFO_TYPE_HMAC_SHA1_AES
;
192 ver
= WPA_KEY_INFO_TYPE_HMAC_MD5_RC4
;
194 if (wpa_sm_get_bssid(sm
, bssid
) < 0) {
195 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
196 "Failed to read BSSID for EAPOL-Key request");
200 mic_len
= wpa_mic_len(sm
->key_mgmt
, sm
->pmk_len
);
201 hdrlen
= sizeof(*reply
) + mic_len
+ 2;
202 rbuf
= wpa_sm_alloc_eapol(sm
, IEEE802_1X_TYPE_EAPOL_KEY
, NULL
,
203 hdrlen
, &rlen
, (void *) &reply
);
207 reply
->type
= (sm
->proto
== WPA_PROTO_RSN
||
208 sm
->proto
== WPA_PROTO_OSEN
) ?
209 EAPOL_KEY_TYPE_RSN
: EAPOL_KEY_TYPE_WPA
;
210 key_info
= WPA_KEY_INFO_REQUEST
| ver
;
212 key_info
|= WPA_KEY_INFO_SECURE
;
213 if (sm
->ptk_set
&& mic_len
)
214 key_info
|= WPA_KEY_INFO_MIC
;
216 key_info
|= WPA_KEY_INFO_ERROR
;
218 key_info
|= WPA_KEY_INFO_KEY_TYPE
;
219 WPA_PUT_BE16(reply
->key_info
, key_info
);
220 WPA_PUT_BE16(reply
->key_length
, 0);
221 os_memcpy(reply
->replay_counter
, sm
->request_counter
,
222 WPA_REPLAY_COUNTER_LEN
);
223 inc_byte_array(sm
->request_counter
, WPA_REPLAY_COUNTER_LEN
);
225 mic
= (u8
*) (reply
+ 1);
226 WPA_PUT_BE16(mic
+ mic_len
, 0);
227 if (!(key_info
& WPA_KEY_INFO_MIC
))
232 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
233 "WPA: Sending EAPOL-Key Request (error=%d "
234 "pairwise=%d ptk_set=%d len=%lu)",
235 error
, pairwise
, sm
->ptk_set
, (unsigned long) rlen
);
236 wpa_eapol_key_send(sm
, &sm
->ptk
, ver
, bssid
, ETH_P_EAPOL
, rbuf
, rlen
,
241 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm
*sm
)
243 #ifdef CONFIG_IEEE80211R
244 if (sm
->key_mgmt
== WPA_KEY_MGMT_FT_IEEE8021X
) {
245 if (wpa_sm_key_mgmt_set_pmk(sm
, sm
->xxkey
, sm
->xxkey_len
))
246 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
247 "RSN: Cannot set low order 256 bits of MSK for key management offload");
249 #endif /* CONFIG_IEEE80211R */
250 if (wpa_sm_key_mgmt_set_pmk(sm
, sm
->pmk
, sm
->pmk_len
))
251 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
252 "RSN: Cannot set PMK for key management offload");
253 #ifdef CONFIG_IEEE80211R
255 #endif /* CONFIG_IEEE80211R */
259 static int wpa_supplicant_get_pmk(struct wpa_sm
*sm
,
260 const unsigned char *src_addr
,
263 int abort_cached
= 0;
265 if (pmkid
&& !sm
->cur_pmksa
) {
266 /* When using drivers that generate RSN IE, wpa_supplicant may
267 * not have enough time to get the association information
268 * event before receiving this 1/4 message, so try to find a
269 * matching PMKSA cache entry here. */
270 sm
->cur_pmksa
= pmksa_cache_get(sm
->pmksa
, src_addr
, pmkid
,
273 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
274 "RSN: found matching PMKID from PMKSA cache");
276 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
277 "RSN: no matching PMKID found");
282 if (pmkid
&& sm
->cur_pmksa
&&
283 os_memcmp_const(pmkid
, sm
->cur_pmksa
->pmkid
, PMKID_LEN
) == 0) {
284 wpa_hexdump(MSG_DEBUG
, "RSN: matched PMKID", pmkid
, PMKID_LEN
);
285 wpa_sm_set_pmk_from_pmksa(sm
);
286 wpa_hexdump_key(MSG_DEBUG
, "RSN: PMK from PMKSA cache",
287 sm
->pmk
, sm
->pmk_len
);
288 eapol_sm_notify_cached(sm
->eapol
);
289 #ifdef CONFIG_IEEE80211R
292 if (sm
->key_mgmt
== WPA_KEY_MGMT_FT_SAE
&&
293 sm
->pmk_len
== PMK_LEN
) {
294 /* Need to allow FT key derivation to proceed with
295 * PMK from SAE being used as the XXKey in cases where
296 * the PMKID in msg 1/4 matches the PMKSA entry that was
297 * just added based on SAE authentication for the
298 * initial mobility domain association. */
299 os_memcpy(sm
->xxkey
, sm
->pmk
, sm
->pmk_len
);
300 sm
->xxkey_len
= sm
->pmk_len
;
302 #endif /* CONFIG_SAE */
303 #endif /* CONFIG_IEEE80211R */
304 } else if (wpa_key_mgmt_wpa_ieee8021x(sm
->key_mgmt
) && sm
->eapol
) {
307 if (wpa_key_mgmt_sha384(sm
->key_mgmt
))
308 pmk_len
= PMK_LEN_SUITE_B_192
;
311 res
= eapol_sm_get_key(sm
->eapol
, sm
->pmk
, pmk_len
);
313 if (pmk_len
== PMK_LEN
) {
315 * EAP-LEAP is an exception from other EAP
316 * methods: it uses only 16-byte PMK.
318 res
= eapol_sm_get_key(sm
->eapol
, sm
->pmk
, 16);
322 #ifdef CONFIG_IEEE80211R
324 if (eapol_sm_get_key(sm
->eapol
, buf
, 2 * PMK_LEN
) == 0)
326 if (wpa_key_mgmt_sha384(sm
->key_mgmt
)) {
327 os_memcpy(sm
->xxkey
, buf
,
329 sm
->xxkey_len
= SHA384_MAC_LEN
;
331 os_memcpy(sm
->xxkey
, buf
+ PMK_LEN
,
333 sm
->xxkey_len
= PMK_LEN
;
335 os_memset(buf
, 0, sizeof(buf
));
337 #endif /* CONFIG_IEEE80211R */
340 struct rsn_pmksa_cache_entry
*sa
= NULL
;
341 const u8
*fils_cache_id
= NULL
;
344 if (sm
->fils_cache_id_set
)
345 fils_cache_id
= sm
->fils_cache_id
;
346 #endif /* CONFIG_FILS */
348 wpa_hexdump_key(MSG_DEBUG
, "WPA: PMK from EAPOL state "
349 "machines", sm
->pmk
, pmk_len
);
350 sm
->pmk_len
= pmk_len
;
351 wpa_supplicant_key_mgmt_set_pmk(sm
);
352 if (sm
->proto
== WPA_PROTO_RSN
&&
353 !wpa_key_mgmt_suite_b(sm
->key_mgmt
) &&
354 !wpa_key_mgmt_ft(sm
->key_mgmt
)) {
355 sa
= pmksa_cache_add(sm
->pmksa
,
356 sm
->pmk
, pmk_len
, NULL
,
358 src_addr
, sm
->own_addr
,
363 if (!sm
->cur_pmksa
&& pmkid
&&
364 pmksa_cache_get(sm
->pmksa
, src_addr
, pmkid
, NULL
,
366 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
367 "RSN: the new PMK matches with the "
370 } else if (sa
&& !sm
->cur_pmksa
&& pmkid
) {
372 * It looks like the authentication server
373 * derived mismatching MSK. This should not
374 * really happen, but bugs happen.. There is not
375 * much we can do here without knowing what
376 * exactly caused the server to misbehave.
378 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
379 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
386 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
387 "WPA: Failed to get master session key from "
388 "EAPOL state machines - key handshake "
391 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
392 "RSN: Cancelled PMKSA caching "
394 sm
->cur_pmksa
= NULL
;
396 } else if (!abort_cached
) {
402 if (abort_cached
&& wpa_key_mgmt_wpa_ieee8021x(sm
->key_mgmt
) &&
403 !wpa_key_mgmt_suite_b(sm
->key_mgmt
) &&
404 !wpa_key_mgmt_ft(sm
->key_mgmt
) && sm
->key_mgmt
!= WPA_KEY_MGMT_OSEN
)
406 /* Send EAPOL-Start to trigger full EAP authentication. */
410 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
411 "RSN: no PMKSA entry found - trigger "
412 "full EAP authentication");
413 buf
= wpa_sm_alloc_eapol(sm
, IEEE802_1X_TYPE_EAPOL_START
,
414 NULL
, 0, &buflen
, NULL
);
416 wpa_sm_ether_send(sm
, sm
->bssid
, ETH_P_EAPOL
,
430 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
431 * @sm: Pointer to WPA state machine data from wpa_sm_init()
432 * @dst: Destination address for the frame
433 * @key: Pointer to the EAPOL-Key frame header
434 * @ver: Version bits from EAPOL-Key Key Info
435 * @nonce: Nonce value for the EAPOL-Key frame
436 * @wpa_ie: WPA/RSN IE
437 * @wpa_ie_len: Length of the WPA/RSN IE
438 * @ptk: PTK to use for keyed hash and encryption
439 * Returns: >= 0 on success, < 0 on failure
441 int wpa_supplicant_send_2_of_4(struct wpa_sm
*sm
, const unsigned char *dst
,
442 const struct wpa_eapol_key
*key
,
443 int ver
, const u8
*nonce
,
444 const u8
*wpa_ie
, size_t wpa_ie_len
,
447 size_t mic_len
, hdrlen
, rlen
;
448 struct wpa_eapol_key
*reply
;
450 u8
*rsn_ie_buf
= NULL
;
453 if (wpa_ie
== NULL
) {
454 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
, "WPA: No wpa_ie set - "
455 "cannot generate msg 2/4");
459 #ifdef CONFIG_IEEE80211R
460 if (wpa_key_mgmt_ft(sm
->key_mgmt
)) {
464 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
465 * FTIE from (Re)Association Response.
467 rsn_ie_buf
= os_malloc(wpa_ie_len
+ 2 + 2 + PMKID_LEN
+
468 sm
->assoc_resp_ies_len
);
469 if (rsn_ie_buf
== NULL
)
471 os_memcpy(rsn_ie_buf
, wpa_ie
, wpa_ie_len
);
472 res
= wpa_insert_pmkid(rsn_ie_buf
, &wpa_ie_len
,
479 if (sm
->assoc_resp_ies
) {
480 os_memcpy(rsn_ie_buf
+ wpa_ie_len
, sm
->assoc_resp_ies
,
481 sm
->assoc_resp_ies_len
);
482 wpa_ie_len
+= sm
->assoc_resp_ies_len
;
487 #endif /* CONFIG_IEEE80211R */
489 wpa_hexdump(MSG_DEBUG
, "WPA: WPA IE for msg 2/4", wpa_ie
, wpa_ie_len
);
491 mic_len
= wpa_mic_len(sm
->key_mgmt
, sm
->pmk_len
);
492 hdrlen
= sizeof(*reply
) + mic_len
+ 2;
493 rbuf
= wpa_sm_alloc_eapol(sm
, IEEE802_1X_TYPE_EAPOL_KEY
,
494 NULL
, hdrlen
+ wpa_ie_len
,
495 &rlen
, (void *) &reply
);
501 reply
->type
= (sm
->proto
== WPA_PROTO_RSN
||
502 sm
->proto
== WPA_PROTO_OSEN
) ?
503 EAPOL_KEY_TYPE_RSN
: EAPOL_KEY_TYPE_WPA
;
504 key_info
= ver
| WPA_KEY_INFO_KEY_TYPE
;
506 key_info
|= WPA_KEY_INFO_MIC
;
508 key_info
|= WPA_KEY_INFO_ENCR_KEY_DATA
;
509 WPA_PUT_BE16(reply
->key_info
, key_info
);
510 if (sm
->proto
== WPA_PROTO_RSN
|| sm
->proto
== WPA_PROTO_OSEN
)
511 WPA_PUT_BE16(reply
->key_length
, 0);
513 os_memcpy(reply
->key_length
, key
->key_length
, 2);
514 os_memcpy(reply
->replay_counter
, key
->replay_counter
,
515 WPA_REPLAY_COUNTER_LEN
);
516 wpa_hexdump(MSG_DEBUG
, "WPA: Replay Counter", reply
->replay_counter
,
517 WPA_REPLAY_COUNTER_LEN
);
519 key_mic
= (u8
*) (reply
+ 1);
520 WPA_PUT_BE16(key_mic
+ mic_len
, wpa_ie_len
); /* Key Data Length */
521 os_memcpy(key_mic
+ mic_len
+ 2, wpa_ie
, wpa_ie_len
); /* Key Data */
524 os_memcpy(reply
->key_nonce
, nonce
, WPA_NONCE_LEN
);
526 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: Sending EAPOL-Key 2/4");
527 return wpa_eapol_key_send(sm
, ptk
, ver
, dst
, ETH_P_EAPOL
, rbuf
, rlen
,
532 static int wpa_derive_ptk(struct wpa_sm
*sm
, const unsigned char *src_addr
,
533 const struct wpa_eapol_key
*key
, struct wpa_ptk
*ptk
)
535 #ifdef CONFIG_IEEE80211R
536 if (wpa_key_mgmt_ft(sm
->key_mgmt
))
537 return wpa_derive_ptk_ft(sm
, src_addr
, key
, ptk
);
538 #endif /* CONFIG_IEEE80211R */
540 return wpa_pmk_to_ptk(sm
->pmk
, sm
->pmk_len
, "Pairwise key expansion",
541 sm
->own_addr
, sm
->bssid
, sm
->snonce
,
542 key
->key_nonce
, ptk
, sm
->key_mgmt
,
543 sm
->pairwise_cipher
);
547 static void wpa_supplicant_process_1_of_4(struct wpa_sm
*sm
,
548 const unsigned char *src_addr
,
549 const struct wpa_eapol_key
*key
,
550 u16 ver
, const u8
*key_data
,
553 struct wpa_eapol_ie_parse ie
;
556 u8
*kde
, *kde_buf
= NULL
;
559 if (wpa_sm_get_network_ctx(sm
) == NULL
) {
560 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
, "WPA: No SSID info "
561 "found (msg 1 of 4)");
565 wpa_sm_set_state(sm
, WPA_4WAY_HANDSHAKE
);
566 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: RX message 1 of 4-Way "
567 "Handshake from " MACSTR
" (ver=%d)", MAC2STR(src_addr
), ver
);
569 os_memset(&ie
, 0, sizeof(ie
));
571 if (sm
->proto
== WPA_PROTO_RSN
|| sm
->proto
== WPA_PROTO_OSEN
) {
572 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
573 wpa_hexdump(MSG_DEBUG
, "RSN: msg 1/4 key data",
574 key_data
, key_data_len
);
575 if (wpa_supplicant_parse_ies(key_data
, key_data_len
, &ie
) < 0)
578 wpa_hexdump(MSG_DEBUG
, "RSN: PMKID from "
579 "Authenticator", ie
.pmkid
, PMKID_LEN
);
583 res
= wpa_supplicant_get_pmk(sm
, src_addr
, ie
.pmkid
);
585 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "RSN: Do not reply to "
586 "msg 1/4 - requesting full EAP authentication");
592 if (sm
->renew_snonce
) {
593 if (random_get_bytes(sm
->snonce
, WPA_NONCE_LEN
)) {
594 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
595 "WPA: Failed to get random data for SNonce");
598 sm
->renew_snonce
= 0;
599 wpa_hexdump(MSG_DEBUG
, "WPA: Renewed SNonce",
600 sm
->snonce
, WPA_NONCE_LEN
);
603 /* Calculate PTK which will be stored as a temporary PTK until it has
604 * been verified when processing message 3/4. */
606 if (wpa_derive_ptk(sm
, src_addr
, key
, ptk
) < 0)
608 if (sm
->pairwise_cipher
== WPA_CIPHER_TKIP
) {
610 /* Supplicant: swap tx/rx Mic keys */
611 os_memcpy(buf
, &ptk
->tk
[16], 8);
612 os_memcpy(&ptk
->tk
[16], &ptk
->tk
[24], 8);
613 os_memcpy(&ptk
->tk
[24], buf
, 8);
614 os_memset(buf
, 0, sizeof(buf
));
618 kde
= sm
->assoc_wpa_ie
;
619 kde_len
= sm
->assoc_wpa_ie_len
;
623 kde_buf
= os_malloc(kde_len
+ 2 + RSN_SELECTOR_LEN
+ 1);
626 wpa_printf(MSG_DEBUG
, "P2P: Add IP Address Request KDE "
627 "into EAPOL-Key 2/4");
628 os_memcpy(kde_buf
, kde
, kde_len
);
631 *pos
++ = WLAN_EID_VENDOR_SPECIFIC
;
632 *pos
++ = RSN_SELECTOR_LEN
+ 1;
633 RSN_SELECTOR_PUT(pos
, WFA_KEY_DATA_IP_ADDR_REQ
);
634 pos
+= RSN_SELECTOR_LEN
;
639 #endif /* CONFIG_P2P */
641 if (wpa_supplicant_send_2_of_4(sm
, sm
->bssid
, key
, ver
, sm
->snonce
,
642 kde
, kde_len
, ptk
) < 0)
646 os_memcpy(sm
->anonce
, key
->key_nonce
, WPA_NONCE_LEN
);
651 wpa_sm_deauthenticate(sm
, WLAN_REASON_UNSPECIFIED
);
655 static void wpa_sm_start_preauth(void *eloop_ctx
, void *timeout_ctx
)
657 struct wpa_sm
*sm
= eloop_ctx
;
658 rsn_preauth_candidate_process(sm
);
662 static void wpa_supplicant_key_neg_complete(struct wpa_sm
*sm
,
663 const u8
*addr
, int secure
)
665 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
666 "WPA: Key negotiation completed with "
667 MACSTR
" [PTK=%s GTK=%s]", MAC2STR(addr
),
668 wpa_cipher_txt(sm
->pairwise_cipher
),
669 wpa_cipher_txt(sm
->group_cipher
));
670 wpa_sm_cancel_auth_timeout(sm
);
671 wpa_sm_set_state(sm
, WPA_COMPLETED
);
674 wpa_sm_mlme_setprotection(
675 sm
, addr
, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX
,
676 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE
);
677 eapol_sm_notify_portValid(sm
->eapol
, TRUE
);
678 if (wpa_key_mgmt_wpa_psk(sm
->key_mgmt
) ||
679 sm
->key_mgmt
== WPA_KEY_MGMT_DPP
||
680 sm
->key_mgmt
== WPA_KEY_MGMT_OWE
)
681 eapol_sm_notify_eap_success(sm
->eapol
, TRUE
);
683 * Start preauthentication after a short wait to avoid a
684 * possible race condition between the data receive and key
685 * configuration after the 4-Way Handshake. This increases the
686 * likelihood of the first preauth EAPOL-Start frame getting to
689 eloop_register_timeout(1, 0, wpa_sm_start_preauth
, sm
, NULL
);
692 if (sm
->cur_pmksa
&& sm
->cur_pmksa
->opportunistic
) {
693 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
694 "RSN: Authenticator accepted "
695 "opportunistic PMKSA entry - marking it valid");
696 sm
->cur_pmksa
->opportunistic
= 0;
699 #ifdef CONFIG_IEEE80211R
700 if (wpa_key_mgmt_ft(sm
->key_mgmt
)) {
701 /* Prepare for the next transition */
702 wpa_ft_prepare_auth_request(sm
, NULL
);
704 #endif /* CONFIG_IEEE80211R */
708 static void wpa_sm_rekey_ptk(void *eloop_ctx
, void *timeout_ctx
)
710 struct wpa_sm
*sm
= eloop_ctx
;
711 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: Request PTK rekeying");
712 wpa_sm_key_request(sm
, 0, 1);
716 static int wpa_supplicant_install_ptk(struct wpa_sm
*sm
,
717 const struct wpa_eapol_key
*key
)
723 if (sm
->ptk
.installed
) {
724 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
725 "WPA: Do not re-install same PTK to the driver");
729 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
730 "WPA: Installing PTK to the driver");
732 if (sm
->pairwise_cipher
== WPA_CIPHER_NONE
) {
733 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: Pairwise Cipher "
734 "Suite: NONE - do not use pairwise keys");
738 if (!wpa_cipher_valid_pairwise(sm
->pairwise_cipher
)) {
739 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
740 "WPA: Unsupported pairwise cipher %d",
741 sm
->pairwise_cipher
);
745 alg
= wpa_cipher_to_alg(sm
->pairwise_cipher
);
746 keylen
= wpa_cipher_key_len(sm
->pairwise_cipher
);
747 if (keylen
<= 0 || (unsigned int) keylen
!= sm
->ptk
.tk_len
) {
748 wpa_printf(MSG_DEBUG
, "WPA: TK length mismatch: %d != %lu",
749 keylen
, (long unsigned int) sm
->ptk
.tk_len
);
752 rsclen
= wpa_cipher_rsc_len(sm
->pairwise_cipher
);
754 if (sm
->proto
== WPA_PROTO_RSN
|| sm
->proto
== WPA_PROTO_OSEN
) {
757 key_rsc
= key
->key_rsc
;
758 wpa_hexdump(MSG_DEBUG
, "WPA: RSC", key_rsc
, rsclen
);
761 if (wpa_sm_set_key(sm
, alg
, sm
->bssid
, 0, 1, key_rsc
, rsclen
,
762 sm
->ptk
.tk
, keylen
) < 0) {
763 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
764 "WPA: Failed to set PTK to the "
765 "driver (alg=%d keylen=%d bssid=" MACSTR
")",
766 alg
, keylen
, MAC2STR(sm
->bssid
));
770 /* TK is not needed anymore in supplicant */
771 os_memset(sm
->ptk
.tk
, 0, WPA_TK_MAX_LEN
);
773 sm
->ptk
.installed
= 1;
775 if (sm
->wpa_ptk_rekey
) {
776 eloop_cancel_timeout(wpa_sm_rekey_ptk
, sm
, NULL
);
777 eloop_register_timeout(sm
->wpa_ptk_rekey
, 0, wpa_sm_rekey_ptk
,
785 static int wpa_supplicant_check_group_cipher(struct wpa_sm
*sm
,
787 int keylen
, int maxkeylen
,
793 *alg
= wpa_cipher_to_alg(group_cipher
);
794 if (*alg
== WPA_ALG_NONE
) {
795 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
796 "WPA: Unsupported Group Cipher %d",
800 *key_rsc_len
= wpa_cipher_rsc_len(group_cipher
);
802 klen
= wpa_cipher_key_len(group_cipher
);
803 if (keylen
!= klen
|| maxkeylen
< klen
) {
804 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
805 "WPA: Unsupported %s Group Cipher key length %d (%d)",
806 wpa_cipher_txt(group_cipher
), keylen
, maxkeylen
);
813 struct wpa_gtk_data
{
815 int tx
, key_rsc_len
, keyidx
;
821 static int wpa_supplicant_install_gtk(struct wpa_sm
*sm
,
822 const struct wpa_gtk_data
*gd
,
823 const u8
*key_rsc
, int wnm_sleep
)
825 const u8
*_gtk
= gd
->gtk
;
828 /* Detect possible key reinstallation */
829 if ((sm
->gtk
.gtk_len
== (size_t) gd
->gtk_len
&&
830 os_memcmp(sm
->gtk
.gtk
, gd
->gtk
, sm
->gtk
.gtk_len
) == 0) ||
831 (sm
->gtk_wnm_sleep
.gtk_len
== (size_t) gd
->gtk_len
&&
832 os_memcmp(sm
->gtk_wnm_sleep
.gtk
, gd
->gtk
,
833 sm
->gtk_wnm_sleep
.gtk_len
) == 0)) {
834 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
835 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
836 gd
->keyidx
, gd
->tx
, gd
->gtk_len
);
840 wpa_hexdump_key(MSG_DEBUG
, "WPA: Group Key", gd
->gtk
, gd
->gtk_len
);
841 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
842 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
843 gd
->keyidx
, gd
->tx
, gd
->gtk_len
);
844 wpa_hexdump(MSG_DEBUG
, "WPA: RSC", key_rsc
, gd
->key_rsc_len
);
845 if (sm
->group_cipher
== WPA_CIPHER_TKIP
) {
846 /* Swap Tx/Rx keys for Michael MIC */
847 os_memcpy(gtk_buf
, gd
->gtk
, 16);
848 os_memcpy(gtk_buf
+ 16, gd
->gtk
+ 24, 8);
849 os_memcpy(gtk_buf
+ 24, gd
->gtk
+ 16, 8);
852 if (sm
->pairwise_cipher
== WPA_CIPHER_NONE
) {
853 if (wpa_sm_set_key(sm
, gd
->alg
, NULL
,
854 gd
->keyidx
, 1, key_rsc
, gd
->key_rsc_len
,
855 _gtk
, gd
->gtk_len
) < 0) {
856 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
857 "WPA: Failed to set GTK to the driver "
859 os_memset(gtk_buf
, 0, sizeof(gtk_buf
));
862 } else if (wpa_sm_set_key(sm
, gd
->alg
, broadcast_ether_addr
,
863 gd
->keyidx
, gd
->tx
, key_rsc
, gd
->key_rsc_len
,
864 _gtk
, gd
->gtk_len
) < 0) {
865 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
866 "WPA: Failed to set GTK to "
867 "the driver (alg=%d keylen=%d keyidx=%d)",
868 gd
->alg
, gd
->gtk_len
, gd
->keyidx
);
869 os_memset(gtk_buf
, 0, sizeof(gtk_buf
));
872 os_memset(gtk_buf
, 0, sizeof(gtk_buf
));
875 sm
->gtk_wnm_sleep
.gtk_len
= gd
->gtk_len
;
876 os_memcpy(sm
->gtk_wnm_sleep
.gtk
, gd
->gtk
,
877 sm
->gtk_wnm_sleep
.gtk_len
);
879 sm
->gtk
.gtk_len
= gd
->gtk_len
;
880 os_memcpy(sm
->gtk
.gtk
, gd
->gtk
, sm
->gtk
.gtk_len
);
887 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm
*sm
,
890 if (tx
&& sm
->pairwise_cipher
!= WPA_CIPHER_NONE
) {
891 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
892 * seemed to set this bit (incorrectly, since Tx is only when
893 * doing Group Key only APs) and without this workaround, the
894 * data connection does not work because wpa_supplicant
895 * configured non-zero keyidx to be used for unicast. */
896 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
897 "WPA: Tx bit set for GTK, but pairwise "
898 "keys are used - ignore Tx bit");
905 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm
*sm
,
910 if (!sm
->wpa_rsc_relaxation
)
913 rsclen
= wpa_cipher_rsc_len(sm
->group_cipher
);
916 * Try to detect RSC (endian) corruption issue where the AP sends
917 * the RSC bytes in EAPOL-Key message in the wrong order, both if
918 * it's actually a 6-byte field (as it should be) and if it treats
919 * it as an 8-byte field.
920 * An AP model known to have this bug is the Sapido RB-1632.
922 if (rsclen
== 6 && ((rsc
[5] && !rsc
[0]) || rsc
[6] || rsc
[7])) {
923 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
924 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
925 rsc
[0], rsc
[1], rsc
[2], rsc
[3],
926 rsc
[4], rsc
[5], rsc
[6], rsc
[7]);
935 static int wpa_supplicant_pairwise_gtk(struct wpa_sm
*sm
,
936 const struct wpa_eapol_key
*key
,
937 const u8
*gtk
, size_t gtk_len
,
940 struct wpa_gtk_data gd
;
944 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
946 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
947 * Reserved [bits 0-7]
951 os_memset(&gd
, 0, sizeof(gd
));
952 wpa_hexdump_key(MSG_DEBUG
, "RSN: received GTK in pairwise handshake",
955 if (gtk_len
< 2 || gtk_len
- 2 > sizeof(gd
.gtk
))
958 gd
.keyidx
= gtk
[0] & 0x3;
959 gd
.tx
= wpa_supplicant_gtk_tx_bit_workaround(sm
,
960 !!(gtk
[0] & BIT(2)));
964 os_memcpy(gd
.gtk
, gtk
, gtk_len
);
965 gd
.gtk_len
= gtk_len
;
967 key_rsc
= key
->key_rsc
;
968 if (wpa_supplicant_rsc_relaxation(sm
, key
->key_rsc
))
971 if (sm
->group_cipher
!= WPA_CIPHER_GTK_NOT_USED
&&
972 (wpa_supplicant_check_group_cipher(sm
, sm
->group_cipher
,
974 &gd
.key_rsc_len
, &gd
.alg
) ||
975 wpa_supplicant_install_gtk(sm
, &gd
, key_rsc
, 0))) {
976 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
977 "RSN: Failed to install GTK");
978 os_memset(&gd
, 0, sizeof(gd
));
981 os_memset(&gd
, 0, sizeof(gd
));
983 wpa_supplicant_key_neg_complete(sm
, sm
->bssid
,
984 key_info
& WPA_KEY_INFO_SECURE
);
989 #ifdef CONFIG_IEEE80211W
990 static int wpa_supplicant_install_igtk(struct wpa_sm
*sm
,
991 const struct wpa_igtk_kde
*igtk
,
994 size_t len
= wpa_cipher_key_len(sm
->mgmt_group_cipher
);
995 u16 keyidx
= WPA_GET_LE16(igtk
->keyid
);
997 /* Detect possible key reinstallation */
998 if ((sm
->igtk
.igtk_len
== len
&&
999 os_memcmp(sm
->igtk
.igtk
, igtk
->igtk
, sm
->igtk
.igtk_len
) == 0) ||
1000 (sm
->igtk_wnm_sleep
.igtk_len
== len
&&
1001 os_memcmp(sm
->igtk_wnm_sleep
.igtk
, igtk
->igtk
,
1002 sm
->igtk_wnm_sleep
.igtk_len
) == 0)) {
1003 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1004 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1009 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1010 "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
1011 keyidx
, MAC2STR(igtk
->pn
));
1012 wpa_hexdump_key(MSG_DEBUG
, "WPA: IGTK", igtk
->igtk
, len
);
1013 if (keyidx
> 4095) {
1014 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1015 "WPA: Invalid IGTK KeyID %d", keyidx
);
1018 if (wpa_sm_set_key(sm
, wpa_cipher_to_alg(sm
->mgmt_group_cipher
),
1019 broadcast_ether_addr
,
1020 keyidx
, 0, igtk
->pn
, sizeof(igtk
->pn
),
1021 igtk
->igtk
, len
) < 0) {
1022 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1023 "WPA: Failed to configure IGTK to the driver");
1028 sm
->igtk_wnm_sleep
.igtk_len
= len
;
1029 os_memcpy(sm
->igtk_wnm_sleep
.igtk
, igtk
->igtk
,
1030 sm
->igtk_wnm_sleep
.igtk_len
);
1032 sm
->igtk
.igtk_len
= len
;
1033 os_memcpy(sm
->igtk
.igtk
, igtk
->igtk
, sm
->igtk
.igtk_len
);
1038 #endif /* CONFIG_IEEE80211W */
1041 static int ieee80211w_set_keys(struct wpa_sm
*sm
,
1042 struct wpa_eapol_ie_parse
*ie
)
1044 #ifdef CONFIG_IEEE80211W
1045 if (!wpa_cipher_valid_mgmt_group(sm
->mgmt_group_cipher
))
1050 const struct wpa_igtk_kde
*igtk
;
1052 len
= wpa_cipher_key_len(sm
->mgmt_group_cipher
);
1053 if (ie
->igtk_len
!= WPA_IGTK_KDE_PREFIX_LEN
+ len
)
1056 igtk
= (const struct wpa_igtk_kde
*) ie
->igtk
;
1057 if (wpa_supplicant_install_igtk(sm
, igtk
, 0) < 0)
1062 #else /* CONFIG_IEEE80211W */
1064 #endif /* CONFIG_IEEE80211W */
1068 static void wpa_report_ie_mismatch(struct wpa_sm
*sm
,
1069 const char *reason
, const u8
*src_addr
,
1070 const u8
*wpa_ie
, size_t wpa_ie_len
,
1071 const u8
*rsn_ie
, size_t rsn_ie_len
)
1073 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
, "WPA: %s (src=" MACSTR
")",
1074 reason
, MAC2STR(src_addr
));
1076 if (sm
->ap_wpa_ie
) {
1077 wpa_hexdump(MSG_INFO
, "WPA: WPA IE in Beacon/ProbeResp",
1078 sm
->ap_wpa_ie
, sm
->ap_wpa_ie_len
);
1081 if (!sm
->ap_wpa_ie
) {
1082 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1083 "WPA: No WPA IE in Beacon/ProbeResp");
1085 wpa_hexdump(MSG_INFO
, "WPA: WPA IE in 3/4 msg",
1086 wpa_ie
, wpa_ie_len
);
1089 if (sm
->ap_rsn_ie
) {
1090 wpa_hexdump(MSG_INFO
, "WPA: RSN IE in Beacon/ProbeResp",
1091 sm
->ap_rsn_ie
, sm
->ap_rsn_ie_len
);
1094 if (!sm
->ap_rsn_ie
) {
1095 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1096 "WPA: No RSN IE in Beacon/ProbeResp");
1098 wpa_hexdump(MSG_INFO
, "WPA: RSN IE in 3/4 msg",
1099 rsn_ie
, rsn_ie_len
);
1102 wpa_sm_deauthenticate(sm
, WLAN_REASON_IE_IN_4WAY_DIFFERS
);
1106 #ifdef CONFIG_IEEE80211R
1108 static int ft_validate_mdie(struct wpa_sm
*sm
,
1109 const unsigned char *src_addr
,
1110 struct wpa_eapol_ie_parse
*ie
,
1111 const u8
*assoc_resp_mdie
)
1113 struct rsn_mdie
*mdie
;
1115 mdie
= (struct rsn_mdie
*) (ie
->mdie
+ 2);
1116 if (ie
->mdie
== NULL
|| ie
->mdie_len
< 2 + sizeof(*mdie
) ||
1117 os_memcmp(mdie
->mobility_domain
, sm
->mobility_domain
,
1118 MOBILITY_DOMAIN_ID_LEN
) != 0) {
1119 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "FT: MDIE in msg 3/4 did "
1120 "not match with the current mobility domain");
1124 if (assoc_resp_mdie
&&
1125 (assoc_resp_mdie
[1] != ie
->mdie
[1] ||
1126 os_memcmp(assoc_resp_mdie
, ie
->mdie
, 2 + ie
->mdie
[1]) != 0)) {
1127 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "FT: MDIE mismatch");
1128 wpa_hexdump(MSG_DEBUG
, "FT: MDIE in EAPOL-Key msg 3/4",
1129 ie
->mdie
, 2 + ie
->mdie
[1]);
1130 wpa_hexdump(MSG_DEBUG
, "FT: MDIE in (Re)Association Response",
1131 assoc_resp_mdie
, 2 + assoc_resp_mdie
[1]);
1139 static int ft_validate_ftie(struct wpa_sm
*sm
,
1140 const unsigned char *src_addr
,
1141 struct wpa_eapol_ie_parse
*ie
,
1142 const u8
*assoc_resp_ftie
)
1144 if (ie
->ftie
== NULL
) {
1145 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1146 "FT: No FTIE in EAPOL-Key msg 3/4");
1150 if (assoc_resp_ftie
== NULL
)
1153 if (assoc_resp_ftie
[1] != ie
->ftie
[1] ||
1154 os_memcmp(assoc_resp_ftie
, ie
->ftie
, 2 + ie
->ftie
[1]) != 0) {
1155 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "FT: FTIE mismatch");
1156 wpa_hexdump(MSG_DEBUG
, "FT: FTIE in EAPOL-Key msg 3/4",
1157 ie
->ftie
, 2 + ie
->ftie
[1]);
1158 wpa_hexdump(MSG_DEBUG
, "FT: FTIE in (Re)Association Response",
1159 assoc_resp_ftie
, 2 + assoc_resp_ftie
[1]);
1167 static int ft_validate_rsnie(struct wpa_sm
*sm
,
1168 const unsigned char *src_addr
,
1169 struct wpa_eapol_ie_parse
*ie
)
1171 struct wpa_ie_data rsn
;
1177 * Verify that PMKR1Name from EAPOL-Key message 3/4
1178 * matches with the value we derived.
1180 if (wpa_parse_wpa_ie_rsn(ie
->rsn_ie
, ie
->rsn_ie_len
, &rsn
) < 0 ||
1181 rsn
.num_pmkid
!= 1 || rsn
.pmkid
== NULL
) {
1182 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "FT: No PMKR1Name in "
1183 "FT 4-way handshake message 3/4");
1187 if (os_memcmp_const(rsn
.pmkid
, sm
->pmk_r1_name
, WPA_PMK_NAME_LEN
) != 0)
1189 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1190 "FT: PMKR1Name mismatch in "
1191 "FT 4-way handshake message 3/4");
1192 wpa_hexdump(MSG_DEBUG
, "FT: PMKR1Name from Authenticator",
1193 rsn
.pmkid
, WPA_PMK_NAME_LEN
);
1194 wpa_hexdump(MSG_DEBUG
, "FT: Derived PMKR1Name",
1195 sm
->pmk_r1_name
, WPA_PMK_NAME_LEN
);
1203 static int wpa_supplicant_validate_ie_ft(struct wpa_sm
*sm
,
1204 const unsigned char *src_addr
,
1205 struct wpa_eapol_ie_parse
*ie
)
1207 const u8
*pos
, *end
, *mdie
= NULL
, *ftie
= NULL
;
1209 if (sm
->assoc_resp_ies
) {
1210 pos
= sm
->assoc_resp_ies
;
1211 end
= pos
+ sm
->assoc_resp_ies_len
;
1212 while (end
- pos
> 2) {
1213 if (2 + pos
[1] > end
- pos
)
1216 case WLAN_EID_MOBILITY_DOMAIN
:
1219 case WLAN_EID_FAST_BSS_TRANSITION
:
1227 if (ft_validate_mdie(sm
, src_addr
, ie
, mdie
) < 0 ||
1228 ft_validate_ftie(sm
, src_addr
, ie
, ftie
) < 0 ||
1229 ft_validate_rsnie(sm
, src_addr
, ie
) < 0)
1235 #endif /* CONFIG_IEEE80211R */
1238 static int wpa_supplicant_validate_ie(struct wpa_sm
*sm
,
1239 const unsigned char *src_addr
,
1240 struct wpa_eapol_ie_parse
*ie
)
1242 if (sm
->ap_wpa_ie
== NULL
&& sm
->ap_rsn_ie
== NULL
) {
1243 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1244 "WPA: No WPA/RSN IE for this AP known. "
1245 "Trying to get from scan results");
1246 if (wpa_sm_get_beacon_ie(sm
) < 0) {
1247 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1248 "WPA: Could not find AP from "
1249 "the scan results");
1251 wpa_msg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1252 "WPA: Found the current AP from "
1253 "updated scan results");
1257 if (ie
->wpa_ie
== NULL
&& ie
->rsn_ie
== NULL
&&
1258 (sm
->ap_wpa_ie
|| sm
->ap_rsn_ie
)) {
1259 wpa_report_ie_mismatch(sm
, "IE in 3/4 msg does not match "
1260 "with IE in Beacon/ProbeResp (no IE?)",
1261 src_addr
, ie
->wpa_ie
, ie
->wpa_ie_len
,
1262 ie
->rsn_ie
, ie
->rsn_ie_len
);
1266 if ((ie
->wpa_ie
&& sm
->ap_wpa_ie
&&
1267 (ie
->wpa_ie_len
!= sm
->ap_wpa_ie_len
||
1268 os_memcmp(ie
->wpa_ie
, sm
->ap_wpa_ie
, ie
->wpa_ie_len
) != 0)) ||
1269 (ie
->rsn_ie
&& sm
->ap_rsn_ie
&&
1270 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm
->key_mgmt
),
1271 sm
->ap_rsn_ie
, sm
->ap_rsn_ie_len
,
1272 ie
->rsn_ie
, ie
->rsn_ie_len
))) {
1273 wpa_report_ie_mismatch(sm
, "IE in 3/4 msg does not match "
1274 "with IE in Beacon/ProbeResp",
1275 src_addr
, ie
->wpa_ie
, ie
->wpa_ie_len
,
1276 ie
->rsn_ie
, ie
->rsn_ie_len
);
1280 if (sm
->proto
== WPA_PROTO_WPA
&&
1281 ie
->rsn_ie
&& sm
->ap_rsn_ie
== NULL
&& sm
->rsn_enabled
) {
1282 wpa_report_ie_mismatch(sm
, "Possible downgrade attack "
1283 "detected - RSN was enabled and RSN IE "
1284 "was in msg 3/4, but not in "
1286 src_addr
, ie
->wpa_ie
, ie
->wpa_ie_len
,
1287 ie
->rsn_ie
, ie
->rsn_ie_len
);
1291 #ifdef CONFIG_IEEE80211R
1292 if (wpa_key_mgmt_ft(sm
->key_mgmt
) &&
1293 wpa_supplicant_validate_ie_ft(sm
, src_addr
, ie
) < 0)
1295 #endif /* CONFIG_IEEE80211R */
1302 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
1303 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1304 * @dst: Destination address for the frame
1305 * @key: Pointer to the EAPOL-Key frame header
1306 * @ver: Version bits from EAPOL-Key Key Info
1307 * @key_info: Key Info
1308 * @ptk: PTK to use for keyed hash and encryption
1309 * Returns: >= 0 on success, < 0 on failure
1311 int wpa_supplicant_send_4_of_4(struct wpa_sm
*sm
, const unsigned char *dst
,
1312 const struct wpa_eapol_key
*key
,
1313 u16 ver
, u16 key_info
,
1314 struct wpa_ptk
*ptk
)
1316 size_t mic_len
, hdrlen
, rlen
;
1317 struct wpa_eapol_key
*reply
;
1320 mic_len
= wpa_mic_len(sm
->key_mgmt
, sm
->pmk_len
);
1321 hdrlen
= sizeof(*reply
) + mic_len
+ 2;
1322 rbuf
= wpa_sm_alloc_eapol(sm
, IEEE802_1X_TYPE_EAPOL_KEY
, NULL
,
1323 hdrlen
, &rlen
, (void *) &reply
);
1327 reply
->type
= (sm
->proto
== WPA_PROTO_RSN
||
1328 sm
->proto
== WPA_PROTO_OSEN
) ?
1329 EAPOL_KEY_TYPE_RSN
: EAPOL_KEY_TYPE_WPA
;
1330 key_info
&= WPA_KEY_INFO_SECURE
;
1331 key_info
|= ver
| WPA_KEY_INFO_KEY_TYPE
;
1333 key_info
|= WPA_KEY_INFO_MIC
;
1335 key_info
|= WPA_KEY_INFO_ENCR_KEY_DATA
;
1336 WPA_PUT_BE16(reply
->key_info
, key_info
);
1337 if (sm
->proto
== WPA_PROTO_RSN
|| sm
->proto
== WPA_PROTO_OSEN
)
1338 WPA_PUT_BE16(reply
->key_length
, 0);
1340 os_memcpy(reply
->key_length
, key
->key_length
, 2);
1341 os_memcpy(reply
->replay_counter
, key
->replay_counter
,
1342 WPA_REPLAY_COUNTER_LEN
);
1344 key_mic
= (u8
*) (reply
+ 1);
1345 WPA_PUT_BE16(key_mic
+ mic_len
, 0);
1347 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: Sending EAPOL-Key 4/4");
1348 return wpa_eapol_key_send(sm
, ptk
, ver
, dst
, ETH_P_EAPOL
, rbuf
, rlen
,
1353 static void wpa_supplicant_process_3_of_4(struct wpa_sm
*sm
,
1354 const struct wpa_eapol_key
*key
,
1355 u16 ver
, const u8
*key_data
,
1356 size_t key_data_len
)
1358 u16 key_info
, keylen
;
1359 struct wpa_eapol_ie_parse ie
;
1361 wpa_sm_set_state(sm
, WPA_4WAY_HANDSHAKE
);
1362 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: RX message 3 of 4-Way "
1363 "Handshake from " MACSTR
" (ver=%d)", MAC2STR(sm
->bssid
), ver
);
1365 key_info
= WPA_GET_BE16(key
->key_info
);
1367 wpa_hexdump(MSG_DEBUG
, "WPA: IE KeyData", key_data
, key_data_len
);
1368 if (wpa_supplicant_parse_ies(key_data
, key_data_len
, &ie
) < 0)
1370 if (ie
.gtk
&& !(key_info
& WPA_KEY_INFO_ENCR_KEY_DATA
)) {
1371 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1372 "WPA: GTK IE in unencrypted key data");
1375 #ifdef CONFIG_IEEE80211W
1376 if (ie
.igtk
&& !(key_info
& WPA_KEY_INFO_ENCR_KEY_DATA
)) {
1377 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1378 "WPA: IGTK KDE in unencrypted key data");
1383 wpa_cipher_valid_mgmt_group(sm
->mgmt_group_cipher
) &&
1384 ie
.igtk_len
!= WPA_IGTK_KDE_PREFIX_LEN
+
1385 (unsigned int) wpa_cipher_key_len(sm
->mgmt_group_cipher
)) {
1386 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1387 "WPA: Invalid IGTK KDE length %lu",
1388 (unsigned long) ie
.igtk_len
);
1391 #endif /* CONFIG_IEEE80211W */
1393 if (wpa_supplicant_validate_ie(sm
, sm
->bssid
, &ie
) < 0)
1396 if (os_memcmp(sm
->anonce
, key
->key_nonce
, WPA_NONCE_LEN
) != 0) {
1397 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1398 "WPA: ANonce from message 1 of 4-Way Handshake "
1399 "differs from 3 of 4-Way Handshake - drop packet (src="
1400 MACSTR
")", MAC2STR(sm
->bssid
));
1404 keylen
= WPA_GET_BE16(key
->key_length
);
1405 if (keylen
!= wpa_cipher_key_len(sm
->pairwise_cipher
)) {
1406 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1407 "WPA: Invalid %s key length %d (src=" MACSTR
1408 ")", wpa_cipher_txt(sm
->pairwise_cipher
), keylen
,
1409 MAC2STR(sm
->bssid
));
1414 if (ie
.ip_addr_alloc
) {
1415 os_memcpy(sm
->p2p_ip_addr
, ie
.ip_addr_alloc
, 3 * 4);
1416 wpa_hexdump(MSG_DEBUG
, "P2P: IP address info",
1417 sm
->p2p_ip_addr
, sizeof(sm
->p2p_ip_addr
));
1419 #endif /* CONFIG_P2P */
1421 if (wpa_supplicant_send_4_of_4(sm
, sm
->bssid
, key
, ver
, key_info
,
1426 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
1427 * for the next 4-Way Handshake. If msg 3 is received again, the old
1428 * SNonce will still be used to avoid changing PTK. */
1429 sm
->renew_snonce
= 1;
1431 if (key_info
& WPA_KEY_INFO_INSTALL
) {
1432 if (wpa_supplicant_install_ptk(sm
, key
))
1436 if (key_info
& WPA_KEY_INFO_SECURE
) {
1437 wpa_sm_mlme_setprotection(
1438 sm
, sm
->bssid
, MLME_SETPROTECTION_PROTECT_TYPE_RX
,
1439 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE
);
1440 eapol_sm_notify_portValid(sm
->eapol
, TRUE
);
1442 wpa_sm_set_state(sm
, WPA_GROUP_HANDSHAKE
);
1444 if (sm
->group_cipher
== WPA_CIPHER_GTK_NOT_USED
) {
1445 wpa_supplicant_key_neg_complete(sm
, sm
->bssid
,
1446 key_info
& WPA_KEY_INFO_SECURE
);
1447 } else if (ie
.gtk
&&
1448 wpa_supplicant_pairwise_gtk(sm
, key
,
1449 ie
.gtk
, ie
.gtk_len
, key_info
) < 0) {
1450 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1451 "RSN: Failed to configure GTK");
1455 if (ieee80211w_set_keys(sm
, &ie
) < 0) {
1456 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1457 "RSN: Failed to configure IGTK");
1462 wpa_sm_set_rekey_offload(sm
);
1464 if (sm
->proto
== WPA_PROTO_RSN
&& wpa_key_mgmt_suite_b(sm
->key_mgmt
)) {
1465 struct rsn_pmksa_cache_entry
*sa
;
1467 sa
= pmksa_cache_add(sm
->pmksa
, sm
->pmk
, sm
->pmk_len
, NULL
,
1468 sm
->ptk
.kck
, sm
->ptk
.kck_len
,
1469 sm
->bssid
, sm
->own_addr
,
1470 sm
->network_ctx
, sm
->key_mgmt
, NULL
);
1475 sm
->msg_3_of_4_ok
= 1;
1479 wpa_sm_deauthenticate(sm
, WLAN_REASON_UNSPECIFIED
);
1483 static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm
*sm
,
1487 struct wpa_gtk_data
*gd
)
1490 struct wpa_eapol_ie_parse ie
;
1492 wpa_hexdump_key(MSG_DEBUG
, "RSN: msg 1/2 key data",
1493 keydata
, keydatalen
);
1494 if (wpa_supplicant_parse_ies(keydata
, keydatalen
, &ie
) < 0)
1496 if (ie
.gtk
&& !(key_info
& WPA_KEY_INFO_ENCR_KEY_DATA
)) {
1497 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1498 "WPA: GTK IE in unencrypted key data");
1501 if (ie
.gtk
== NULL
) {
1502 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1503 "WPA: No GTK IE in Group Key msg 1/2");
1506 maxkeylen
= gd
->gtk_len
= ie
.gtk_len
- 2;
1508 if (wpa_supplicant_check_group_cipher(sm
, sm
->group_cipher
,
1509 gd
->gtk_len
, maxkeylen
,
1510 &gd
->key_rsc_len
, &gd
->alg
))
1513 wpa_hexdump_key(MSG_DEBUG
, "RSN: received GTK in group key handshake",
1514 ie
.gtk
, ie
.gtk_len
);
1515 gd
->keyidx
= ie
.gtk
[0] & 0x3;
1516 gd
->tx
= wpa_supplicant_gtk_tx_bit_workaround(sm
,
1517 !!(ie
.gtk
[0] & BIT(2)));
1518 if (ie
.gtk_len
- 2 > sizeof(gd
->gtk
)) {
1519 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1520 "RSN: Too long GTK in GTK IE (len=%lu)",
1521 (unsigned long) ie
.gtk_len
- 2);
1524 os_memcpy(gd
->gtk
, ie
.gtk
+ 2, ie
.gtk_len
- 2);
1526 if (ieee80211w_set_keys(sm
, &ie
) < 0)
1527 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1528 "RSN: Failed to configure IGTK");
1534 static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm
*sm
,
1535 const struct wpa_eapol_key
*key
,
1537 size_t key_data_len
, u16 key_info
,
1538 u16 ver
, struct wpa_gtk_data
*gd
)
1543 gtk_len
= WPA_GET_BE16(key
->key_length
);
1544 maxkeylen
= key_data_len
;
1545 if (ver
== WPA_KEY_INFO_TYPE_HMAC_SHA1_AES
) {
1546 if (maxkeylen
< 8) {
1547 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1548 "WPA: Too short maxkeylen (%lu)",
1549 (unsigned long) maxkeylen
);
1555 if (gtk_len
> maxkeylen
||
1556 wpa_supplicant_check_group_cipher(sm
, sm
->group_cipher
,
1558 &gd
->key_rsc_len
, &gd
->alg
))
1561 gd
->gtk_len
= gtk_len
;
1562 gd
->keyidx
= (key_info
& WPA_KEY_INFO_KEY_INDEX_MASK
) >>
1563 WPA_KEY_INFO_KEY_INDEX_SHIFT
;
1564 if (ver
== WPA_KEY_INFO_TYPE_HMAC_MD5_RC4
&& sm
->ptk
.kek_len
== 16) {
1565 #ifdef CONFIG_NO_RC4
1566 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1567 "WPA: RC4 not supported in the build");
1569 #else /* CONFIG_NO_RC4 */
1571 if (key_data_len
> sizeof(gd
->gtk
)) {
1572 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1573 "WPA: RC4 key data too long (%lu)",
1574 (unsigned long) key_data_len
);
1577 os_memcpy(ek
, key
->key_iv
, 16);
1578 os_memcpy(ek
+ 16, sm
->ptk
.kek
, sm
->ptk
.kek_len
);
1579 os_memcpy(gd
->gtk
, key_data
, key_data_len
);
1580 if (rc4_skip(ek
, 32, 256, gd
->gtk
, key_data_len
)) {
1581 os_memset(ek
, 0, sizeof(ek
));
1582 wpa_msg(sm
->ctx
->msg_ctx
, MSG_ERROR
,
1586 os_memset(ek
, 0, sizeof(ek
));
1587 #endif /* CONFIG_NO_RC4 */
1588 } else if (ver
== WPA_KEY_INFO_TYPE_HMAC_SHA1_AES
) {
1589 if (maxkeylen
% 8) {
1590 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1591 "WPA: Unsupported AES-WRAP len %lu",
1592 (unsigned long) maxkeylen
);
1595 if (maxkeylen
> sizeof(gd
->gtk
)) {
1596 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1597 "WPA: AES-WRAP key data "
1598 "too long (keydatalen=%lu maxkeylen=%lu)",
1599 (unsigned long) key_data_len
,
1600 (unsigned long) maxkeylen
);
1603 if (aes_unwrap(sm
->ptk
.kek
, sm
->ptk
.kek_len
, maxkeylen
/ 8,
1604 key_data
, gd
->gtk
)) {
1605 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1606 "WPA: AES unwrap failed - could not decrypt "
1611 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1612 "WPA: Unsupported key_info type %d", ver
);
1615 gd
->tx
= wpa_supplicant_gtk_tx_bit_workaround(
1616 sm
, !!(key_info
& WPA_KEY_INFO_TXRX
));
1621 static int wpa_supplicant_send_2_of_2(struct wpa_sm
*sm
,
1622 const struct wpa_eapol_key
*key
,
1623 int ver
, u16 key_info
)
1625 size_t mic_len
, hdrlen
, rlen
;
1626 struct wpa_eapol_key
*reply
;
1629 mic_len
= wpa_mic_len(sm
->key_mgmt
, sm
->pmk_len
);
1630 hdrlen
= sizeof(*reply
) + mic_len
+ 2;
1631 rbuf
= wpa_sm_alloc_eapol(sm
, IEEE802_1X_TYPE_EAPOL_KEY
, NULL
,
1632 hdrlen
, &rlen
, (void *) &reply
);
1636 reply
->type
= (sm
->proto
== WPA_PROTO_RSN
||
1637 sm
->proto
== WPA_PROTO_OSEN
) ?
1638 EAPOL_KEY_TYPE_RSN
: EAPOL_KEY_TYPE_WPA
;
1639 key_info
&= WPA_KEY_INFO_KEY_INDEX_MASK
;
1640 key_info
|= ver
| WPA_KEY_INFO_SECURE
;
1642 key_info
|= WPA_KEY_INFO_MIC
;
1644 key_info
|= WPA_KEY_INFO_ENCR_KEY_DATA
;
1645 WPA_PUT_BE16(reply
->key_info
, key_info
);
1646 if (sm
->proto
== WPA_PROTO_RSN
|| sm
->proto
== WPA_PROTO_OSEN
)
1647 WPA_PUT_BE16(reply
->key_length
, 0);
1649 os_memcpy(reply
->key_length
, key
->key_length
, 2);
1650 os_memcpy(reply
->replay_counter
, key
->replay_counter
,
1651 WPA_REPLAY_COUNTER_LEN
);
1653 key_mic
= (u8
*) (reply
+ 1);
1654 WPA_PUT_BE16(key_mic
+ mic_len
, 0);
1656 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: Sending EAPOL-Key 2/2");
1657 return wpa_eapol_key_send(sm
, &sm
->ptk
, ver
, sm
->bssid
, ETH_P_EAPOL
,
1658 rbuf
, rlen
, key_mic
);
1662 static void wpa_supplicant_process_1_of_2(struct wpa_sm
*sm
,
1663 const unsigned char *src_addr
,
1664 const struct wpa_eapol_key
*key
,
1666 size_t key_data_len
, u16 ver
)
1670 struct wpa_gtk_data gd
;
1673 if (!sm
->msg_3_of_4_ok
&& !wpa_fils_is_completed(sm
)) {
1674 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1675 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
1679 os_memset(&gd
, 0, sizeof(gd
));
1681 rekey
= wpa_sm_get_state(sm
) == WPA_COMPLETED
;
1682 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: RX message 1 of Group Key "
1683 "Handshake from " MACSTR
" (ver=%d)", MAC2STR(src_addr
), ver
);
1685 key_info
= WPA_GET_BE16(key
->key_info
);
1687 if (sm
->proto
== WPA_PROTO_RSN
|| sm
->proto
== WPA_PROTO_OSEN
) {
1688 ret
= wpa_supplicant_process_1_of_2_rsn(sm
, key_data
,
1689 key_data_len
, key_info
,
1692 ret
= wpa_supplicant_process_1_of_2_wpa(sm
, key
, key_data
,
1694 key_info
, ver
, &gd
);
1697 wpa_sm_set_state(sm
, WPA_GROUP_HANDSHAKE
);
1702 key_rsc
= key
->key_rsc
;
1703 if (wpa_supplicant_rsc_relaxation(sm
, key
->key_rsc
))
1706 if (wpa_supplicant_install_gtk(sm
, &gd
, key_rsc
, 0) ||
1707 wpa_supplicant_send_2_of_2(sm
, key
, ver
, key_info
) < 0)
1709 os_memset(&gd
, 0, sizeof(gd
));
1712 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
, "WPA: Group rekeying "
1713 "completed with " MACSTR
" [GTK=%s]",
1714 MAC2STR(sm
->bssid
), wpa_cipher_txt(sm
->group_cipher
));
1715 wpa_sm_cancel_auth_timeout(sm
);
1716 wpa_sm_set_state(sm
, WPA_COMPLETED
);
1718 wpa_supplicant_key_neg_complete(sm
, sm
->bssid
,
1720 WPA_KEY_INFO_SECURE
);
1723 wpa_sm_set_rekey_offload(sm
);
1728 os_memset(&gd
, 0, sizeof(gd
));
1729 wpa_sm_deauthenticate(sm
, WLAN_REASON_UNSPECIFIED
);
1733 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm
*sm
,
1734 struct wpa_eapol_key
*key
,
1736 const u8
*buf
, size_t len
)
1738 u8 mic
[WPA_EAPOL_KEY_MIC_MAX_LEN
];
1740 size_t mic_len
= wpa_mic_len(sm
->key_mgmt
, sm
->pmk_len
);
1742 os_memcpy(mic
, key
+ 1, mic_len
);
1744 os_memset(key
+ 1, 0, mic_len
);
1745 if (wpa_eapol_key_mic(sm
->tptk
.kck
, sm
->tptk
.kck_len
,
1747 ver
, buf
, len
, (u8
*) (key
+ 1)) < 0 ||
1748 os_memcmp_const(mic
, key
+ 1, mic_len
) != 0) {
1749 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1750 "WPA: Invalid EAPOL-Key MIC "
1751 "when using TPTK - ignoring TPTK");
1756 os_memcpy(&sm
->ptk
, &sm
->tptk
, sizeof(sm
->ptk
));
1757 os_memset(&sm
->tptk
, 0, sizeof(sm
->tptk
));
1759 * This assures the same TPTK in sm->tptk can never be
1760 * copied twice to sm->ptk as the new PTK. In
1761 * combination with the installed flag in the wpa_ptk
1762 * struct, this assures the same PTK is only installed
1765 sm
->renew_snonce
= 1;
1769 if (!ok
&& sm
->ptk_set
) {
1770 os_memset(key
+ 1, 0, mic_len
);
1771 if (wpa_eapol_key_mic(sm
->ptk
.kck
, sm
->ptk
.kck_len
,
1773 ver
, buf
, len
, (u8
*) (key
+ 1)) < 0 ||
1774 os_memcmp_const(mic
, key
+ 1, mic_len
) != 0) {
1775 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1776 "WPA: Invalid EAPOL-Key MIC - "
1784 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1785 "WPA: Could not verify EAPOL-Key MIC - "
1790 os_memcpy(sm
->rx_replay_counter
, key
->replay_counter
,
1791 WPA_REPLAY_COUNTER_LEN
);
1792 sm
->rx_replay_counter_set
= 1;
1797 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
1798 static int wpa_supplicant_decrypt_key_data(struct wpa_sm
*sm
,
1799 struct wpa_eapol_key
*key
,
1800 size_t mic_len
, u16 ver
,
1801 u8
*key_data
, size_t *key_data_len
)
1803 wpa_hexdump(MSG_DEBUG
, "RSN: encrypted key data",
1804 key_data
, *key_data_len
);
1806 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1807 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
1812 /* Decrypt key data here so that this operation does not need
1813 * to be implemented separately for each message type. */
1814 if (ver
== WPA_KEY_INFO_TYPE_HMAC_MD5_RC4
&& sm
->ptk
.kek_len
== 16) {
1815 #ifdef CONFIG_NO_RC4
1816 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1817 "WPA: RC4 not supported in the build");
1819 #else /* CONFIG_NO_RC4 */
1822 wpa_printf(MSG_DEBUG
, "WPA: Decrypt Key Data using RC4");
1823 os_memcpy(ek
, key
->key_iv
, 16);
1824 os_memcpy(ek
+ 16, sm
->ptk
.kek
, sm
->ptk
.kek_len
);
1825 if (rc4_skip(ek
, 32, 256, key_data
, *key_data_len
)) {
1826 os_memset(ek
, 0, sizeof(ek
));
1827 wpa_msg(sm
->ctx
->msg_ctx
, MSG_ERROR
,
1831 os_memset(ek
, 0, sizeof(ek
));
1832 #endif /* CONFIG_NO_RC4 */
1833 } else if (ver
== WPA_KEY_INFO_TYPE_HMAC_SHA1_AES
||
1834 ver
== WPA_KEY_INFO_TYPE_AES_128_CMAC
||
1835 wpa_use_aes_key_wrap(sm
->key_mgmt
)) {
1838 wpa_printf(MSG_DEBUG
,
1839 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
1840 (unsigned int) sm
->ptk
.kek_len
);
1841 if (*key_data_len
< 8 || *key_data_len
% 8) {
1842 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1843 "WPA: Unsupported AES-WRAP len %u",
1844 (unsigned int) *key_data_len
);
1847 *key_data_len
-= 8; /* AES-WRAP adds 8 bytes */
1848 buf
= os_malloc(*key_data_len
);
1850 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1851 "WPA: No memory for AES-UNWRAP buffer");
1854 if (aes_unwrap(sm
->ptk
.kek
, sm
->ptk
.kek_len
, *key_data_len
/ 8,
1856 bin_clear_free(buf
, *key_data_len
);
1857 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1858 "WPA: AES unwrap failed - "
1859 "could not decrypt EAPOL-Key key data");
1862 os_memcpy(key_data
, buf
, *key_data_len
);
1863 bin_clear_free(buf
, *key_data_len
);
1864 WPA_PUT_BE16(((u8
*) (key
+ 1)) + mic_len
, *key_data_len
);
1866 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1867 "WPA: Unsupported key_info type %d", ver
);
1870 wpa_hexdump_key(MSG_DEBUG
, "WPA: decrypted EAPOL-Key key data",
1871 key_data
, *key_data_len
);
1877 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
1878 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1880 void wpa_sm_aborted_cached(struct wpa_sm
*sm
)
1882 if (sm
&& sm
->cur_pmksa
) {
1883 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1884 "RSN: Cancelling PMKSA caching attempt");
1885 sm
->cur_pmksa
= NULL
;
1890 static void wpa_eapol_key_dump(struct wpa_sm
*sm
,
1891 const struct wpa_eapol_key
*key
,
1892 unsigned int key_data_len
,
1893 const u8
*mic
, unsigned int mic_len
)
1895 #ifndef CONFIG_NO_STDOUT_DEBUG
1896 u16 key_info
= WPA_GET_BE16(key
->key_info
);
1898 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, " EAPOL-Key type=%d", key
->type
);
1899 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1900 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
1901 key_info
, key_info
& WPA_KEY_INFO_TYPE_MASK
,
1902 (key_info
& WPA_KEY_INFO_KEY_INDEX_MASK
) >>
1903 WPA_KEY_INFO_KEY_INDEX_SHIFT
,
1904 (key_info
& (BIT(13) | BIT(14) | BIT(15))) >> 13,
1905 key_info
& WPA_KEY_INFO_KEY_TYPE
? "Pairwise" : "Group",
1906 key_info
& WPA_KEY_INFO_INSTALL
? " Install" : "",
1907 key_info
& WPA_KEY_INFO_ACK
? " Ack" : "",
1908 key_info
& WPA_KEY_INFO_MIC
? " MIC" : "",
1909 key_info
& WPA_KEY_INFO_SECURE
? " Secure" : "",
1910 key_info
& WPA_KEY_INFO_ERROR
? " Error" : "",
1911 key_info
& WPA_KEY_INFO_REQUEST
? " Request" : "",
1912 key_info
& WPA_KEY_INFO_ENCR_KEY_DATA
? " Encr" : "");
1913 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1914 " key_length=%u key_data_length=%u",
1915 WPA_GET_BE16(key
->key_length
), key_data_len
);
1916 wpa_hexdump(MSG_DEBUG
, " replay_counter",
1917 key
->replay_counter
, WPA_REPLAY_COUNTER_LEN
);
1918 wpa_hexdump(MSG_DEBUG
, " key_nonce", key
->key_nonce
, WPA_NONCE_LEN
);
1919 wpa_hexdump(MSG_DEBUG
, " key_iv", key
->key_iv
, 16);
1920 wpa_hexdump(MSG_DEBUG
, " key_rsc", key
->key_rsc
, 8);
1921 wpa_hexdump(MSG_DEBUG
, " key_id (reserved)", key
->key_id
, 8);
1922 wpa_hexdump(MSG_DEBUG
, " key_mic", mic
, mic_len
);
1923 #endif /* CONFIG_NO_STDOUT_DEBUG */
1928 static int wpa_supp_aead_decrypt(struct wpa_sm
*sm
, u8
*buf
, size_t buf_len
,
1929 size_t *key_data_len
)
1931 struct wpa_ptk
*ptk
;
1932 struct ieee802_1x_hdr
*hdr
;
1933 struct wpa_eapol_key
*key
;
1938 if (*key_data_len
< AES_BLOCK_SIZE
) {
1939 wpa_printf(MSG_INFO
, "No room for AES-SIV data in the frame");
1945 else if (sm
->ptk_set
)
1950 hdr
= (struct ieee802_1x_hdr
*) buf
;
1951 key
= (struct wpa_eapol_key
*) (hdr
+ 1);
1952 pos
= (u8
*) (key
+ 1);
1953 pos
+= 2; /* Pointing at the Encrypted Key Data field */
1955 tmp
= os_malloc(*key_data_len
);
1959 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1960 * to Key Data (exclusive). */
1962 aad_len
[0] = pos
- buf
;
1963 if (aes_siv_decrypt(ptk
->kek
, ptk
->kek_len
, pos
, *key_data_len
,
1964 1, aad
, aad_len
, tmp
) < 0) {
1965 wpa_printf(MSG_INFO
, "Invalid AES-SIV data in the frame");
1966 bin_clear_free(tmp
, *key_data_len
);
1970 /* AEAD decryption and validation completed successfully */
1971 (*key_data_len
) -= AES_BLOCK_SIZE
;
1972 wpa_hexdump_key(MSG_DEBUG
, "WPA: Decrypted Key Data",
1973 tmp
, *key_data_len
);
1975 /* Replace Key Data field with the decrypted version */
1976 os_memcpy(pos
, tmp
, *key_data_len
);
1977 pos
-= 2; /* Key Data Length field */
1978 WPA_PUT_BE16(pos
, *key_data_len
);
1979 bin_clear_free(tmp
, *key_data_len
);
1984 os_memcpy(&sm
->ptk
, &sm
->tptk
, sizeof(sm
->ptk
));
1985 os_memset(&sm
->tptk
, 0, sizeof(sm
->tptk
));
1988 os_memcpy(sm
->rx_replay_counter
, key
->replay_counter
,
1989 WPA_REPLAY_COUNTER_LEN
);
1990 sm
->rx_replay_counter_set
= 1;
1994 #endif /* CONFIG_FILS */
1998 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
1999 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2000 * @src_addr: Source MAC address of the EAPOL packet
2001 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
2002 * @len: Length of the EAPOL frame
2003 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
2005 * This function is called for each received EAPOL frame. Other than EAPOL-Key
2006 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
2007 * only processing WPA and WPA2 EAPOL-Key frames.
2009 * The received EAPOL-Key packets are validated and valid packets are replied
2010 * to. In addition, key material (PTK, GTK) is configured at the end of a
2011 * successful key handshake.
2013 int wpa_sm_rx_eapol(struct wpa_sm
*sm
, const u8
*src_addr
,
2014 const u8
*buf
, size_t len
)
2016 size_t plen
, data_len
, key_data_len
;
2017 const struct ieee802_1x_hdr
*hdr
;
2018 struct wpa_eapol_key
*key
;
2023 size_t mic_len
, keyhdrlen
;
2025 #ifdef CONFIG_IEEE80211R
2026 sm
->ft_completed
= 0;
2027 #endif /* CONFIG_IEEE80211R */
2029 mic_len
= wpa_mic_len(sm
->key_mgmt
, sm
->pmk_len
);
2030 keyhdrlen
= sizeof(*key
) + mic_len
+ 2;
2032 if (len
< sizeof(*hdr
) + keyhdrlen
) {
2033 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2034 "WPA: EAPOL frame too short to be a WPA "
2035 "EAPOL-Key (len %lu, expecting at least %lu)",
2036 (unsigned long) len
,
2037 (unsigned long) sizeof(*hdr
) + keyhdrlen
);
2041 hdr
= (const struct ieee802_1x_hdr
*) buf
;
2042 plen
= be_to_host16(hdr
->length
);
2043 data_len
= plen
+ sizeof(*hdr
);
2044 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2045 "IEEE 802.1X RX: version=%d type=%d length=%lu",
2046 hdr
->version
, hdr
->type
, (unsigned long) plen
);
2048 if (hdr
->version
< EAPOL_VERSION
) {
2049 /* TODO: backwards compatibility */
2051 if (hdr
->type
!= IEEE802_1X_TYPE_EAPOL_KEY
) {
2052 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2053 "WPA: EAPOL frame (type %u) discarded, "
2054 "not a Key frame", hdr
->type
);
2058 wpa_hexdump(MSG_MSGDUMP
, "WPA: RX EAPOL-Key", buf
, len
);
2059 if (plen
> len
- sizeof(*hdr
) || plen
< keyhdrlen
) {
2060 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2061 "WPA: EAPOL frame payload size %lu "
2062 "invalid (frame size %lu)",
2063 (unsigned long) plen
, (unsigned long) len
);
2067 if (data_len
< len
) {
2068 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2069 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
2070 (unsigned long) len
- data_len
);
2074 * Make a copy of the frame since we need to modify the buffer during
2075 * MAC validation and Key Data decryption.
2077 tmp
= os_memdup(buf
, data_len
);
2080 key
= (struct wpa_eapol_key
*) (tmp
+ sizeof(struct ieee802_1x_hdr
));
2081 mic
= (u8
*) (key
+ 1);
2082 key_data
= mic
+ mic_len
+ 2;
2084 if (key
->type
!= EAPOL_KEY_TYPE_WPA
&& key
->type
!= EAPOL_KEY_TYPE_RSN
)
2086 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2087 "WPA: EAPOL-Key type (%d) unknown, discarded",
2093 key_data_len
= WPA_GET_BE16(mic
+ mic_len
);
2094 wpa_eapol_key_dump(sm
, key
, key_data_len
, mic
, mic_len
);
2096 if (key_data_len
> plen
- keyhdrlen
) {
2097 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
, "WPA: Invalid EAPOL-Key "
2098 "frame - key_data overflow (%u > %u)",
2099 (unsigned int) key_data_len
,
2100 (unsigned int) (plen
- keyhdrlen
));
2104 eapol_sm_notify_lower_layer_success(sm
->eapol
, 0);
2105 key_info
= WPA_GET_BE16(key
->key_info
);
2106 ver
= key_info
& WPA_KEY_INFO_TYPE_MASK
;
2107 if (ver
!= WPA_KEY_INFO_TYPE_HMAC_MD5_RC4
&&
2108 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
2109 ver
!= WPA_KEY_INFO_TYPE_AES_128_CMAC
&&
2110 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
2111 ver
!= WPA_KEY_INFO_TYPE_HMAC_SHA1_AES
&&
2112 !wpa_use_akm_defined(sm
->key_mgmt
)) {
2113 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2114 "WPA: Unsupported EAPOL-Key descriptor version %d",
2119 if (wpa_use_akm_defined(sm
->key_mgmt
) &&
2120 ver
!= WPA_KEY_INFO_TYPE_AKM_DEFINED
) {
2121 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2122 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
2127 #ifdef CONFIG_IEEE80211R
2128 if (wpa_key_mgmt_ft(sm
->key_mgmt
)) {
2129 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
2130 if (ver
!= WPA_KEY_INFO_TYPE_AES_128_CMAC
&&
2131 !wpa_use_akm_defined(sm
->key_mgmt
)) {
2132 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2133 "FT: AP did not use AES-128-CMAC");
2137 #endif /* CONFIG_IEEE80211R */
2138 #ifdef CONFIG_IEEE80211W
2139 if (wpa_key_mgmt_sha256(sm
->key_mgmt
)) {
2140 if (ver
!= WPA_KEY_INFO_TYPE_AES_128_CMAC
&&
2141 !wpa_use_akm_defined(sm
->key_mgmt
)) {
2142 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2143 "WPA: AP did not use the "
2144 "negotiated AES-128-CMAC");
2148 #endif /* CONFIG_IEEE80211W */
2149 if (sm
->pairwise_cipher
== WPA_CIPHER_CCMP
&&
2150 !wpa_use_akm_defined(sm
->key_mgmt
) &&
2151 ver
!= WPA_KEY_INFO_TYPE_HMAC_SHA1_AES
) {
2152 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2153 "WPA: CCMP is used, but EAPOL-Key "
2154 "descriptor version (%d) is not 2", ver
);
2155 if (sm
->group_cipher
!= WPA_CIPHER_CCMP
&&
2156 !(key_info
& WPA_KEY_INFO_KEY_TYPE
)) {
2157 /* Earlier versions of IEEE 802.11i did not explicitly
2158 * require version 2 descriptor for all EAPOL-Key
2159 * packets, so allow group keys to use version 1 if
2160 * CCMP is not used for them. */
2161 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2162 "WPA: Backwards compatibility: allow invalid "
2163 "version for non-CCMP group keys");
2164 } else if (ver
== WPA_KEY_INFO_TYPE_AES_128_CMAC
) {
2165 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2166 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
2169 } else if (sm
->pairwise_cipher
== WPA_CIPHER_GCMP
&&
2170 !wpa_use_akm_defined(sm
->key_mgmt
) &&
2171 ver
!= WPA_KEY_INFO_TYPE_HMAC_SHA1_AES
) {
2172 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2173 "WPA: GCMP is used, but EAPOL-Key "
2174 "descriptor version (%d) is not 2", ver
);
2178 if (sm
->rx_replay_counter_set
&&
2179 os_memcmp(key
->replay_counter
, sm
->rx_replay_counter
,
2180 WPA_REPLAY_COUNTER_LEN
) <= 0) {
2181 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
2182 "WPA: EAPOL-Key Replay Counter did not increase - "
2187 if (key_info
& WPA_KEY_INFO_SMK_MESSAGE
) {
2188 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2189 "WPA: Unsupported SMK bit in key_info");
2193 if (!(key_info
& WPA_KEY_INFO_ACK
)) {
2194 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2195 "WPA: No Ack bit in key_info");
2199 if (key_info
& WPA_KEY_INFO_REQUEST
) {
2200 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2201 "WPA: EAPOL-Key with Request bit - dropped");
2205 if ((key_info
& WPA_KEY_INFO_MIC
) &&
2206 wpa_supplicant_verify_eapol_key_mic(sm
, key
, ver
, tmp
, data_len
))
2210 if (!mic_len
&& (key_info
& WPA_KEY_INFO_ENCR_KEY_DATA
)) {
2211 if (wpa_supp_aead_decrypt(sm
, tmp
, data_len
, &key_data_len
))
2214 #endif /* CONFIG_FILS */
2216 if ((sm
->proto
== WPA_PROTO_RSN
|| sm
->proto
== WPA_PROTO_OSEN
) &&
2217 (key_info
& WPA_KEY_INFO_ENCR_KEY_DATA
) && mic_len
) {
2218 if (wpa_supplicant_decrypt_key_data(sm
, key
, mic_len
,
2224 if (key_info
& WPA_KEY_INFO_KEY_TYPE
) {
2225 if (key_info
& WPA_KEY_INFO_KEY_INDEX_MASK
) {
2226 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
2227 "WPA: Ignored EAPOL-Key (Pairwise) with "
2228 "non-zero key index");
2231 if (key_info
& (WPA_KEY_INFO_MIC
|
2232 WPA_KEY_INFO_ENCR_KEY_DATA
)) {
2233 /* 3/4 4-Way Handshake */
2234 wpa_supplicant_process_3_of_4(sm
, key
, ver
, key_data
,
2237 /* 1/4 4-Way Handshake */
2238 wpa_supplicant_process_1_of_4(sm
, src_addr
, key
,
2243 if ((mic_len
&& (key_info
& WPA_KEY_INFO_MIC
)) ||
2244 (!mic_len
&& (key_info
& WPA_KEY_INFO_ENCR_KEY_DATA
))) {
2245 /* 1/2 Group Key Handshake */
2246 wpa_supplicant_process_1_of_2(sm
, src_addr
, key
,
2247 key_data
, key_data_len
,
2250 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
2251 "WPA: EAPOL-Key (Group) without Mic/Encr bit - "
2259 bin_clear_free(tmp
, data_len
);
2264 #ifdef CONFIG_CTRL_IFACE
2265 static u32
wpa_key_mgmt_suite(struct wpa_sm
*sm
)
2267 switch (sm
->key_mgmt
) {
2268 case WPA_KEY_MGMT_IEEE8021X
:
2269 return ((sm
->proto
== WPA_PROTO_RSN
||
2270 sm
->proto
== WPA_PROTO_OSEN
) ?
2271 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X
:
2272 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X
);
2273 case WPA_KEY_MGMT_PSK
:
2274 return (sm
->proto
== WPA_PROTO_RSN
?
2275 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X
:
2276 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X
);
2277 #ifdef CONFIG_IEEE80211R
2278 case WPA_KEY_MGMT_FT_IEEE8021X
:
2279 return RSN_AUTH_KEY_MGMT_FT_802_1X
;
2280 case WPA_KEY_MGMT_FT_PSK
:
2281 return RSN_AUTH_KEY_MGMT_FT_PSK
;
2282 #endif /* CONFIG_IEEE80211R */
2283 #ifdef CONFIG_IEEE80211W
2284 case WPA_KEY_MGMT_IEEE8021X_SHA256
:
2285 return RSN_AUTH_KEY_MGMT_802_1X_SHA256
;
2286 case WPA_KEY_MGMT_PSK_SHA256
:
2287 return RSN_AUTH_KEY_MGMT_PSK_SHA256
;
2288 #endif /* CONFIG_IEEE80211W */
2289 case WPA_KEY_MGMT_CCKM
:
2290 return (sm
->proto
== WPA_PROTO_RSN
?
2291 RSN_AUTH_KEY_MGMT_CCKM
:
2292 WPA_AUTH_KEY_MGMT_CCKM
);
2293 case WPA_KEY_MGMT_WPA_NONE
:
2294 return WPA_AUTH_KEY_MGMT_NONE
;
2295 case WPA_KEY_MGMT_IEEE8021X_SUITE_B
:
2296 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B
;
2297 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192
:
2298 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192
;
2305 #define RSN_SUITE "%02x-%02x-%02x-%d"
2306 #define RSN_SUITE_ARG(s) \
2307 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2310 * wpa_sm_get_mib - Dump text list of MIB entries
2311 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2312 * @buf: Buffer for the list
2313 * @buflen: Length of the buffer
2314 * Returns: Number of bytes written to buffer
2316 * This function is used fetch dot11 MIB variables.
2318 int wpa_sm_get_mib(struct wpa_sm
*sm
, char *buf
, size_t buflen
)
2320 char pmkid_txt
[PMKID_LEN
* 2 + 1];
2324 if (sm
->cur_pmksa
) {
2325 wpa_snprintf_hex(pmkid_txt
, sizeof(pmkid_txt
),
2326 sm
->cur_pmksa
->pmkid
, PMKID_LEN
);
2328 pmkid_txt
[0] = '\0';
2330 if ((wpa_key_mgmt_wpa_psk(sm
->key_mgmt
) ||
2331 wpa_key_mgmt_wpa_ieee8021x(sm
->key_mgmt
)) &&
2332 sm
->proto
== WPA_PROTO_RSN
)
2337 ret
= os_snprintf(buf
, buflen
,
2338 "dot11RSNAOptionImplemented=TRUE\n"
2339 "dot11RSNAPreauthenticationImplemented=TRUE\n"
2340 "dot11RSNAEnabled=%s\n"
2341 "dot11RSNAPreauthenticationEnabled=%s\n"
2342 "dot11RSNAConfigVersion=%d\n"
2343 "dot11RSNAConfigPairwiseKeysSupported=5\n"
2344 "dot11RSNAConfigGroupCipherSize=%d\n"
2345 "dot11RSNAConfigPMKLifetime=%d\n"
2346 "dot11RSNAConfigPMKReauthThreshold=%d\n"
2347 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
2348 "dot11RSNAConfigSATimeout=%d\n",
2349 rsna
? "TRUE" : "FALSE",
2350 rsna
? "TRUE" : "FALSE",
2352 wpa_cipher_key_len(sm
->group_cipher
) * 8,
2353 sm
->dot11RSNAConfigPMKLifetime
,
2354 sm
->dot11RSNAConfigPMKReauthThreshold
,
2355 sm
->dot11RSNAConfigSATimeout
);
2356 if (os_snprintf_error(buflen
, ret
))
2361 buf
+ len
, buflen
- len
,
2362 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE
"\n"
2363 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE
"\n"
2364 "dot11RSNAGroupCipherSelected=" RSN_SUITE
"\n"
2365 "dot11RSNAPMKIDUsed=%s\n"
2366 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE
"\n"
2367 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE
"\n"
2368 "dot11RSNAGroupCipherRequested=" RSN_SUITE
"\n"
2369 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
2370 "dot11RSNA4WayHandshakeFailures=%u\n",
2371 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm
)),
2372 RSN_SUITE_ARG(wpa_cipher_to_suite(sm
->proto
,
2373 sm
->pairwise_cipher
)),
2374 RSN_SUITE_ARG(wpa_cipher_to_suite(sm
->proto
,
2377 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm
)),
2378 RSN_SUITE_ARG(wpa_cipher_to_suite(sm
->proto
,
2379 sm
->pairwise_cipher
)),
2380 RSN_SUITE_ARG(wpa_cipher_to_suite(sm
->proto
,
2382 sm
->dot11RSNA4WayHandshakeFailures
);
2383 if (!os_snprintf_error(buflen
- len
, ret
))
2388 #endif /* CONFIG_CTRL_IFACE */
2391 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry
*entry
,
2392 void *ctx
, enum pmksa_free_reason reason
)
2394 struct wpa_sm
*sm
= ctx
;
2397 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "RSN: PMKSA cache entry free_cb: "
2398 MACSTR
" reason=%d", MAC2STR(entry
->aa
), reason
);
2400 if (sm
->cur_pmksa
== entry
) {
2401 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2402 "RSN: %s current PMKSA entry",
2403 reason
== PMKSA_REPLACE
? "replaced" : "removed");
2404 pmksa_cache_clear_current(sm
);
2407 * If an entry is simply being replaced, there's no need to
2408 * deauthenticate because it will be immediately re-added.
2409 * This happens when EAP authentication is completed again
2410 * (reauth or failed PMKSA caching attempt).
2412 if (reason
!= PMKSA_REPLACE
)
2416 if (reason
== PMKSA_EXPIRE
&&
2417 (sm
->pmk_len
== entry
->pmk_len
&&
2418 os_memcmp(sm
->pmk
, entry
->pmk
, sm
->pmk_len
) == 0)) {
2419 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2420 "RSN: deauthenticating due to expired PMK");
2421 pmksa_cache_clear_current(sm
);
2427 os_memset(sm
->pmk
, 0, sizeof(sm
->pmk
));
2428 wpa_sm_deauthenticate(sm
, WLAN_REASON_UNSPECIFIED
);
2434 * wpa_sm_init - Initialize WPA state machine
2435 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
2436 * Returns: Pointer to the allocated WPA state machine data
2438 * This function is used to allocate a new WPA state machine and the returned
2439 * value is passed to all WPA state machine calls.
2441 struct wpa_sm
* wpa_sm_init(struct wpa_sm_ctx
*ctx
)
2445 sm
= os_zalloc(sizeof(*sm
));
2448 dl_list_init(&sm
->pmksa_candidates
);
2449 sm
->renew_snonce
= 1;
2452 sm
->dot11RSNAConfigPMKLifetime
= 43200;
2453 sm
->dot11RSNAConfigPMKReauthThreshold
= 70;
2454 sm
->dot11RSNAConfigSATimeout
= 60;
2456 sm
->pmksa
= pmksa_cache_init(wpa_sm_pmksa_free_cb
, sm
, sm
);
2457 if (sm
->pmksa
== NULL
) {
2458 wpa_msg(sm
->ctx
->msg_ctx
, MSG_ERROR
,
2459 "RSN: PMKSA cache initialization failed");
2469 * wpa_sm_deinit - Deinitialize WPA state machine
2470 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2472 void wpa_sm_deinit(struct wpa_sm
*sm
)
2476 pmksa_cache_deinit(sm
->pmksa
);
2477 eloop_cancel_timeout(wpa_sm_start_preauth
, sm
, NULL
);
2478 eloop_cancel_timeout(wpa_sm_rekey_ptk
, sm
, NULL
);
2479 os_free(sm
->assoc_wpa_ie
);
2480 os_free(sm
->ap_wpa_ie
);
2481 os_free(sm
->ap_rsn_ie
);
2484 #ifdef CONFIG_IEEE80211R
2485 os_free(sm
->assoc_resp_ies
);
2486 #endif /* CONFIG_IEEE80211R */
2487 #ifdef CONFIG_TESTING_OPTIONS
2488 wpabuf_free(sm
->test_assoc_ie
);
2489 #endif /* CONFIG_TESTING_OPTIONS */
2490 #ifdef CONFIG_FILS_SK_PFS
2491 crypto_ecdh_deinit(sm
->fils_ecdh
);
2492 #endif /* CONFIG_FILS_SK_PFS */
2494 wpabuf_free(sm
->fils_ft_ies
);
2495 #endif /* CONFIG_FILS */
2497 crypto_ecdh_deinit(sm
->owe_ecdh
);
2498 #endif /* CONFIG_OWE */
2504 * wpa_sm_notify_assoc - Notify WPA state machine about association
2505 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2506 * @bssid: The BSSID of the new association
2508 * This function is called to let WPA state machine know that the connection
2511 void wpa_sm_notify_assoc(struct wpa_sm
*sm
, const u8
*bssid
)
2518 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2519 "WPA: Association event - clear replay counter");
2520 os_memcpy(sm
->bssid
, bssid
, ETH_ALEN
);
2521 os_memset(sm
->rx_replay_counter
, 0, WPA_REPLAY_COUNTER_LEN
);
2522 sm
->rx_replay_counter_set
= 0;
2523 sm
->renew_snonce
= 1;
2524 if (os_memcmp(sm
->preauth_bssid
, bssid
, ETH_ALEN
) == 0)
2525 rsn_preauth_deinit(sm
);
2527 #ifdef CONFIG_IEEE80211R
2528 if (wpa_ft_is_completed(sm
)) {
2530 * Clear portValid to kick EAPOL state machine to re-enter
2531 * AUTHENTICATED state to get the EAPOL port Authorized.
2533 eapol_sm_notify_portValid(sm
->eapol
, FALSE
);
2534 wpa_supplicant_key_neg_complete(sm
, sm
->bssid
, 1);
2536 /* Prepare for the next transition */
2537 wpa_ft_prepare_auth_request(sm
, NULL
);
2541 #endif /* CONFIG_IEEE80211R */
2543 if (sm
->fils_completed
) {
2545 * Clear portValid to kick EAPOL state machine to re-enter
2546 * AUTHENTICATED state to get the EAPOL port Authorized.
2548 wpa_supplicant_key_neg_complete(sm
, sm
->bssid
, 1);
2551 #endif /* CONFIG_FILS */
2555 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
2556 * this is not part of a Fast BSS Transition.
2558 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: Clear old PTK");
2560 os_memset(&sm
->ptk
, 0, sizeof(sm
->ptk
));
2562 os_memset(&sm
->tptk
, 0, sizeof(sm
->tptk
));
2563 os_memset(&sm
->gtk
, 0, sizeof(sm
->gtk
));
2564 os_memset(&sm
->gtk_wnm_sleep
, 0, sizeof(sm
->gtk_wnm_sleep
));
2565 #ifdef CONFIG_IEEE80211W
2566 os_memset(&sm
->igtk
, 0, sizeof(sm
->igtk
));
2567 os_memset(&sm
->igtk_wnm_sleep
, 0, sizeof(sm
->igtk_wnm_sleep
));
2568 #endif /* CONFIG_IEEE80211W */
2573 #endif /* CONFIG_TDLS */
2576 os_memset(sm
->p2p_ip_addr
, 0, sizeof(sm
->p2p_ip_addr
));
2577 #endif /* CONFIG_P2P */
2582 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
2583 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2585 * This function is called to let WPA state machine know that the connection
2586 * was lost. This will abort any existing pre-authentication session.
2588 void wpa_sm_notify_disassoc(struct wpa_sm
*sm
)
2590 eloop_cancel_timeout(wpa_sm_start_preauth
, sm
, NULL
);
2591 eloop_cancel_timeout(wpa_sm_rekey_ptk
, sm
, NULL
);
2592 rsn_preauth_deinit(sm
);
2593 pmksa_cache_clear_current(sm
);
2594 if (wpa_sm_get_state(sm
) == WPA_4WAY_HANDSHAKE
)
2595 sm
->dot11RSNA4WayHandshakeFailures
++;
2597 wpa_tdls_disassoc(sm
);
2598 #endif /* CONFIG_TDLS */
2600 sm
->fils_completed
= 0;
2601 #endif /* CONFIG_FILS */
2602 #ifdef CONFIG_IEEE80211R
2603 sm
->ft_reassoc_completed
= 0;
2604 #endif /* CONFIG_IEEE80211R */
2606 /* Keys are not needed in the WPA state machine anymore */
2609 sm
->msg_3_of_4_ok
= 0;
2610 os_memset(sm
->bssid
, 0, ETH_ALEN
);
2615 * wpa_sm_set_pmk - Set PMK
2616 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2618 * @pmk_len: The length of the new PMK in bytes
2619 * @pmkid: Calculated PMKID
2620 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
2622 * Configure the PMK for WPA state machine.
2624 void wpa_sm_set_pmk(struct wpa_sm
*sm
, const u8
*pmk
, size_t pmk_len
,
2625 const u8
*pmkid
, const u8
*bssid
)
2630 wpa_hexdump_key(MSG_DEBUG
, "WPA: Set PMK based on external data",
2632 sm
->pmk_len
= pmk_len
;
2633 os_memcpy(sm
->pmk
, pmk
, pmk_len
);
2635 #ifdef CONFIG_IEEE80211R
2636 /* Set XXKey to be PSK for FT key derivation */
2637 sm
->xxkey_len
= pmk_len
;
2638 os_memcpy(sm
->xxkey
, pmk
, pmk_len
);
2639 #endif /* CONFIG_IEEE80211R */
2642 pmksa_cache_add(sm
->pmksa
, pmk
, pmk_len
, pmkid
, NULL
, 0,
2643 bssid
, sm
->own_addr
,
2644 sm
->network_ctx
, sm
->key_mgmt
, NULL
);
2650 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
2651 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2653 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
2656 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm
*sm
)
2661 if (sm
->cur_pmksa
) {
2662 wpa_hexdump_key(MSG_DEBUG
,
2663 "WPA: Set PMK based on current PMKSA",
2664 sm
->cur_pmksa
->pmk
, sm
->cur_pmksa
->pmk_len
);
2665 sm
->pmk_len
= sm
->cur_pmksa
->pmk_len
;
2666 os_memcpy(sm
->pmk
, sm
->cur_pmksa
->pmk
, sm
->pmk_len
);
2668 wpa_printf(MSG_DEBUG
, "WPA: No current PMKSA - clear PMK");
2670 os_memset(sm
->pmk
, 0, PMK_LEN_MAX
);
2676 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
2677 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2678 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
2680 void wpa_sm_set_fast_reauth(struct wpa_sm
*sm
, int fast_reauth
)
2683 sm
->fast_reauth
= fast_reauth
;
2688 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
2689 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2690 * @scard_ctx: Context pointer for smartcard related callback functions
2692 void wpa_sm_set_scard_ctx(struct wpa_sm
*sm
, void *scard_ctx
)
2696 sm
->scard_ctx
= scard_ctx
;
2697 if (sm
->preauth_eapol
)
2698 eapol_sm_register_scard_ctx(sm
->preauth_eapol
, scard_ctx
);
2703 * wpa_sm_set_config - Notification of current configration change
2704 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2705 * @config: Pointer to current network configuration
2707 * Notify WPA state machine that configuration has changed. config will be
2708 * stored as a backpointer to network configuration. This can be %NULL to clear
2709 * the stored pointed.
2711 void wpa_sm_set_config(struct wpa_sm
*sm
, struct rsn_supp_config
*config
)
2717 sm
->network_ctx
= config
->network_ctx
;
2718 sm
->allowed_pairwise_cipher
= config
->allowed_pairwise_cipher
;
2719 sm
->proactive_key_caching
= config
->proactive_key_caching
;
2720 sm
->eap_workaround
= config
->eap_workaround
;
2721 sm
->eap_conf_ctx
= config
->eap_conf_ctx
;
2723 os_memcpy(sm
->ssid
, config
->ssid
, config
->ssid_len
);
2724 sm
->ssid_len
= config
->ssid_len
;
2727 sm
->wpa_ptk_rekey
= config
->wpa_ptk_rekey
;
2728 sm
->p2p
= config
->p2p
;
2729 sm
->wpa_rsc_relaxation
= config
->wpa_rsc_relaxation
;
2731 if (config
->fils_cache_id
) {
2732 sm
->fils_cache_id_set
= 1;
2733 os_memcpy(sm
->fils_cache_id
, config
->fils_cache_id
,
2736 sm
->fils_cache_id_set
= 0;
2738 #endif /* CONFIG_FILS */
2740 sm
->network_ctx
= NULL
;
2741 sm
->allowed_pairwise_cipher
= 0;
2742 sm
->proactive_key_caching
= 0;
2743 sm
->eap_workaround
= 0;
2744 sm
->eap_conf_ctx
= NULL
;
2746 sm
->wpa_ptk_rekey
= 0;
2748 sm
->wpa_rsc_relaxation
= 0;
2754 * wpa_sm_set_own_addr - Set own MAC address
2755 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2756 * @addr: Own MAC address
2758 void wpa_sm_set_own_addr(struct wpa_sm
*sm
, const u8
*addr
)
2761 os_memcpy(sm
->own_addr
, addr
, ETH_ALEN
);
2766 * wpa_sm_set_ifname - Set network interface name
2767 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2768 * @ifname: Interface name
2769 * @bridge_ifname: Optional bridge interface name (for pre-auth)
2771 void wpa_sm_set_ifname(struct wpa_sm
*sm
, const char *ifname
,
2772 const char *bridge_ifname
)
2775 sm
->ifname
= ifname
;
2776 sm
->bridge_ifname
= bridge_ifname
;
2782 * wpa_sm_set_eapol - Set EAPOL state machine pointer
2783 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2784 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
2786 void wpa_sm_set_eapol(struct wpa_sm
*sm
, struct eapol_sm
*eapol
)
2794 * wpa_sm_set_param - Set WPA state machine parameters
2795 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2796 * @param: Parameter field
2797 * @value: Parameter value
2798 * Returns: 0 on success, -1 on failure
2800 int wpa_sm_set_param(struct wpa_sm
*sm
, enum wpa_sm_conf_params param
,
2809 case RSNA_PMK_LIFETIME
:
2811 sm
->dot11RSNAConfigPMKLifetime
= value
;
2815 case RSNA_PMK_REAUTH_THRESHOLD
:
2816 if (value
> 0 && value
<= 100)
2817 sm
->dot11RSNAConfigPMKReauthThreshold
= value
;
2821 case RSNA_SA_TIMEOUT
:
2823 sm
->dot11RSNAConfigSATimeout
= value
;
2827 case WPA_PARAM_PROTO
:
2830 case WPA_PARAM_PAIRWISE
:
2831 sm
->pairwise_cipher
= value
;
2833 case WPA_PARAM_GROUP
:
2834 sm
->group_cipher
= value
;
2836 case WPA_PARAM_KEY_MGMT
:
2837 sm
->key_mgmt
= value
;
2839 #ifdef CONFIG_IEEE80211W
2840 case WPA_PARAM_MGMT_GROUP
:
2841 sm
->mgmt_group_cipher
= value
;
2843 #endif /* CONFIG_IEEE80211W */
2844 case WPA_PARAM_RSN_ENABLED
:
2845 sm
->rsn_enabled
= value
;
2859 * wpa_sm_get_status - Get WPA state machine
2860 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2861 * @buf: Buffer for status information
2862 * @buflen: Maximum buffer length
2863 * @verbose: Whether to include verbose status information
2864 * Returns: Number of bytes written to buf.
2866 * Query WPA state machine for status information. This function fills in
2867 * a text area with current status information. If the buffer (buf) is not
2868 * large enough, status information will be truncated to fit the buffer.
2870 int wpa_sm_get_status(struct wpa_sm
*sm
, char *buf
, size_t buflen
,
2873 char *pos
= buf
, *end
= buf
+ buflen
;
2876 ret
= os_snprintf(pos
, end
- pos
,
2877 "pairwise_cipher=%s\n"
2880 wpa_cipher_txt(sm
->pairwise_cipher
),
2881 wpa_cipher_txt(sm
->group_cipher
),
2882 wpa_key_mgmt_txt(sm
->key_mgmt
, sm
->proto
));
2883 if (os_snprintf_error(end
- pos
, ret
))
2887 if (sm
->mfp
!= NO_MGMT_FRAME_PROTECTION
&& sm
->ap_rsn_ie
) {
2888 struct wpa_ie_data rsn
;
2889 if (wpa_parse_wpa_ie_rsn(sm
->ap_rsn_ie
, sm
->ap_rsn_ie_len
, &rsn
)
2891 rsn
.capabilities
& (WPA_CAPABILITY_MFPR
|
2892 WPA_CAPABILITY_MFPC
)) {
2893 ret
= os_snprintf(pos
, end
- pos
, "pmf=%d\n"
2894 "mgmt_group_cipher=%s\n",
2896 WPA_CAPABILITY_MFPR
) ? 2 : 1,
2898 sm
->mgmt_group_cipher
));
2899 if (os_snprintf_error(end
- pos
, ret
))
2909 int wpa_sm_pmf_enabled(struct wpa_sm
*sm
)
2911 struct wpa_ie_data rsn
;
2913 if (sm
->mfp
== NO_MGMT_FRAME_PROTECTION
|| !sm
->ap_rsn_ie
)
2916 if (wpa_parse_wpa_ie_rsn(sm
->ap_rsn_ie
, sm
->ap_rsn_ie_len
, &rsn
) >= 0 &&
2917 rsn
.capabilities
& (WPA_CAPABILITY_MFPR
| WPA_CAPABILITY_MFPC
))
2925 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
2926 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2927 * @wpa_ie: Pointer to buffer for WPA/RSN IE
2928 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
2929 * Returns: 0 on success, -1 on failure
2931 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm
*sm
, u8
*wpa_ie
,
2939 #ifdef CONFIG_TESTING_OPTIONS
2940 if (sm
->test_assoc_ie
) {
2941 wpa_printf(MSG_DEBUG
,
2942 "TESTING: Replace association WPA/RSN IE");
2943 if (*wpa_ie_len
< wpabuf_len(sm
->test_assoc_ie
))
2945 os_memcpy(wpa_ie
, wpabuf_head(sm
->test_assoc_ie
),
2946 wpabuf_len(sm
->test_assoc_ie
));
2947 res
= wpabuf_len(sm
->test_assoc_ie
);
2949 #endif /* CONFIG_TESTING_OPTIONS */
2950 res
= wpa_gen_wpa_ie(sm
, wpa_ie
, *wpa_ie_len
);
2955 wpa_hexdump(MSG_DEBUG
, "WPA: Set own WPA IE default",
2956 wpa_ie
, *wpa_ie_len
);
2958 if (sm
->assoc_wpa_ie
== NULL
) {
2960 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
2961 * the correct version of the IE even if PMKSA caching is
2962 * aborted (which would remove PMKID from IE generation).
2964 sm
->assoc_wpa_ie
= os_memdup(wpa_ie
, *wpa_ie_len
);
2965 if (sm
->assoc_wpa_ie
== NULL
)
2968 sm
->assoc_wpa_ie_len
= *wpa_ie_len
;
2970 wpa_hexdump(MSG_DEBUG
,
2971 "WPA: Leave previously set WPA IE default",
2972 sm
->assoc_wpa_ie
, sm
->assoc_wpa_ie_len
);
2980 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
2981 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2982 * @ie: Pointer to IE data (starting from id)
2984 * Returns: 0 on success, -1 on failure
2986 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
2987 * Request frame. The IE will be used to override the default value generated
2988 * with wpa_sm_set_assoc_wpa_ie_default().
2990 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm
*sm
, const u8
*ie
, size_t len
)
2995 os_free(sm
->assoc_wpa_ie
);
2996 if (ie
== NULL
|| len
== 0) {
2997 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2998 "WPA: clearing own WPA/RSN IE");
2999 sm
->assoc_wpa_ie
= NULL
;
3000 sm
->assoc_wpa_ie_len
= 0;
3002 wpa_hexdump(MSG_DEBUG
, "WPA: set own WPA/RSN IE", ie
, len
);
3003 sm
->assoc_wpa_ie
= os_memdup(ie
, len
);
3004 if (sm
->assoc_wpa_ie
== NULL
)
3007 sm
->assoc_wpa_ie_len
= len
;
3015 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
3016 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3017 * @ie: Pointer to IE data (starting from id)
3019 * Returns: 0 on success, -1 on failure
3021 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
3024 int wpa_sm_set_ap_wpa_ie(struct wpa_sm
*sm
, const u8
*ie
, size_t len
)
3029 os_free(sm
->ap_wpa_ie
);
3030 if (ie
== NULL
|| len
== 0) {
3031 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
3032 "WPA: clearing AP WPA IE");
3033 sm
->ap_wpa_ie
= NULL
;
3034 sm
->ap_wpa_ie_len
= 0;
3036 wpa_hexdump(MSG_DEBUG
, "WPA: set AP WPA IE", ie
, len
);
3037 sm
->ap_wpa_ie
= os_memdup(ie
, len
);
3038 if (sm
->ap_wpa_ie
== NULL
)
3041 sm
->ap_wpa_ie_len
= len
;
3049 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
3050 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3051 * @ie: Pointer to IE data (starting from id)
3053 * Returns: 0 on success, -1 on failure
3055 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
3058 int wpa_sm_set_ap_rsn_ie(struct wpa_sm
*sm
, const u8
*ie
, size_t len
)
3063 os_free(sm
->ap_rsn_ie
);
3064 if (ie
== NULL
|| len
== 0) {
3065 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
3066 "WPA: clearing AP RSN IE");
3067 sm
->ap_rsn_ie
= NULL
;
3068 sm
->ap_rsn_ie_len
= 0;
3070 wpa_hexdump(MSG_DEBUG
, "WPA: set AP RSN IE", ie
, len
);
3071 sm
->ap_rsn_ie
= os_memdup(ie
, len
);
3072 if (sm
->ap_rsn_ie
== NULL
)
3075 sm
->ap_rsn_ie_len
= len
;
3083 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
3084 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3085 * @data: Pointer to data area for parsing results
3086 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
3088 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
3089 * parsed data into data.
3091 int wpa_sm_parse_own_wpa_ie(struct wpa_sm
*sm
, struct wpa_ie_data
*data
)
3096 if (sm
->assoc_wpa_ie
== NULL
) {
3097 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
3098 "WPA: No WPA/RSN IE available from association info");
3101 if (wpa_parse_wpa_ie(sm
->assoc_wpa_ie
, sm
->assoc_wpa_ie_len
, data
))
3107 int wpa_sm_pmksa_cache_list(struct wpa_sm
*sm
, char *buf
, size_t len
)
3109 return pmksa_cache_list(sm
->pmksa
, buf
, len
);
3113 struct rsn_pmksa_cache_entry
* wpa_sm_pmksa_cache_head(struct wpa_sm
*sm
)
3115 return pmksa_cache_head(sm
->pmksa
);
3119 struct rsn_pmksa_cache_entry
*
3120 wpa_sm_pmksa_cache_add_entry(struct wpa_sm
*sm
,
3121 struct rsn_pmksa_cache_entry
* entry
)
3123 return pmksa_cache_add_entry(sm
->pmksa
, entry
);
3127 void wpa_sm_pmksa_cache_add(struct wpa_sm
*sm
, const u8
*pmk
, size_t pmk_len
,
3128 const u8
*pmkid
, const u8
*bssid
,
3129 const u8
*fils_cache_id
)
3131 sm
->cur_pmksa
= pmksa_cache_add(sm
->pmksa
, pmk
, pmk_len
, pmkid
, NULL
, 0,
3132 bssid
, sm
->own_addr
, sm
->network_ctx
,
3133 sm
->key_mgmt
, fils_cache_id
);
3137 int wpa_sm_pmksa_exists(struct wpa_sm
*sm
, const u8
*bssid
,
3138 const void *network_ctx
)
3140 return pmksa_cache_get(sm
->pmksa
, bssid
, NULL
, network_ctx
, 0) != NULL
;
3144 void wpa_sm_drop_sa(struct wpa_sm
*sm
)
3146 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: Clear old PMK and PTK");
3150 os_memset(sm
->pmk
, 0, sizeof(sm
->pmk
));
3151 os_memset(&sm
->ptk
, 0, sizeof(sm
->ptk
));
3152 os_memset(&sm
->tptk
, 0, sizeof(sm
->tptk
));
3153 os_memset(&sm
->gtk
, 0, sizeof(sm
->gtk
));
3154 os_memset(&sm
->gtk_wnm_sleep
, 0, sizeof(sm
->gtk_wnm_sleep
));
3155 #ifdef CONFIG_IEEE80211W
3156 os_memset(&sm
->igtk
, 0, sizeof(sm
->igtk
));
3157 os_memset(&sm
->igtk_wnm_sleep
, 0, sizeof(sm
->igtk_wnm_sleep
));
3158 #endif /* CONFIG_IEEE80211W */
3159 #ifdef CONFIG_IEEE80211R
3160 os_memset(sm
->xxkey
, 0, sizeof(sm
->xxkey
));
3162 os_memset(sm
->pmk_r0
, 0, sizeof(sm
->pmk_r0
));
3164 os_memset(sm
->pmk_r1
, 0, sizeof(sm
->pmk_r1
));
3166 #endif /* CONFIG_IEEE80211R */
3170 int wpa_sm_has_ptk(struct wpa_sm
*sm
)
3178 void wpa_sm_update_replay_ctr(struct wpa_sm
*sm
, const u8
*replay_ctr
)
3180 os_memcpy(sm
->rx_replay_counter
, replay_ctr
, WPA_REPLAY_COUNTER_LEN
);
3184 void wpa_sm_pmksa_cache_flush(struct wpa_sm
*sm
, void *network_ctx
)
3186 pmksa_cache_flush(sm
->pmksa
, network_ctx
, NULL
, 0);
3191 int wpa_wnmsleep_install_key(struct wpa_sm
*sm
, u8 subelem_id
, u8
*buf
)
3194 u8 keylen
; /* plaintext key len */
3197 if (subelem_id
== WNM_SLEEP_SUBELEM_GTK
) {
3198 struct wpa_gtk_data gd
;
3200 os_memset(&gd
, 0, sizeof(gd
));
3201 keylen
= wpa_cipher_key_len(sm
->group_cipher
);
3202 gd
.key_rsc_len
= wpa_cipher_rsc_len(sm
->group_cipher
);
3203 gd
.alg
= wpa_cipher_to_alg(sm
->group_cipher
);
3204 if (gd
.alg
== WPA_ALG_NONE
) {
3205 wpa_printf(MSG_DEBUG
, "Unsupported group cipher suite");
3210 keyinfo
= WPA_GET_LE16(buf
+ 2);
3211 gd
.gtk_len
= keylen
;
3212 if (gd
.gtk_len
!= buf
[4]) {
3213 wpa_printf(MSG_DEBUG
, "GTK len mismatch len %d vs %d",
3214 gd
.gtk_len
, buf
[4]);
3217 gd
.keyidx
= keyinfo
& 0x03; /* B0 - B1 */
3218 gd
.tx
= wpa_supplicant_gtk_tx_bit_workaround(
3219 sm
, !!(keyinfo
& WPA_KEY_INFO_TXRX
));
3221 os_memcpy(gd
.gtk
, buf
+ 13, gd
.gtk_len
);
3223 wpa_hexdump_key(MSG_DEBUG
, "Install GTK (WNM SLEEP)",
3224 gd
.gtk
, gd
.gtk_len
);
3225 if (wpa_supplicant_install_gtk(sm
, &gd
, key_rsc
, 1)) {
3226 os_memset(&gd
, 0, sizeof(gd
));
3227 wpa_printf(MSG_DEBUG
, "Failed to install the GTK in "
3231 os_memset(&gd
, 0, sizeof(gd
));
3232 #ifdef CONFIG_IEEE80211W
3233 } else if (subelem_id
== WNM_SLEEP_SUBELEM_IGTK
) {
3234 const struct wpa_igtk_kde
*igtk
;
3236 igtk
= (const struct wpa_igtk_kde
*) (buf
+ 2);
3237 if (wpa_supplicant_install_igtk(sm
, igtk
, 1) < 0)
3239 #endif /* CONFIG_IEEE80211W */
3241 wpa_printf(MSG_DEBUG
, "Unknown element id");
3247 #endif /* CONFIG_WNM */
3252 int wpa_sm_get_p2p_ip_addr(struct wpa_sm
*sm
, u8
*buf
)
3254 if (sm
== NULL
|| WPA_GET_BE32(sm
->p2p_ip_addr
) == 0)
3256 os_memcpy(buf
, sm
->p2p_ip_addr
, 3 * 4);
3260 #endif /* CONFIG_P2P */
3263 void wpa_sm_set_rx_replay_ctr(struct wpa_sm
*sm
, const u8
*rx_replay_counter
)
3265 if (rx_replay_counter
== NULL
)
3268 os_memcpy(sm
->rx_replay_counter
, rx_replay_counter
,
3269 WPA_REPLAY_COUNTER_LEN
);
3270 sm
->rx_replay_counter_set
= 1;
3271 wpa_printf(MSG_DEBUG
, "Updated key replay counter");
3275 void wpa_sm_set_ptk_kck_kek(struct wpa_sm
*sm
,
3276 const u8
*ptk_kck
, size_t ptk_kck_len
,
3277 const u8
*ptk_kek
, size_t ptk_kek_len
)
3279 if (ptk_kck
&& ptk_kck_len
<= WPA_KCK_MAX_LEN
) {
3280 os_memcpy(sm
->ptk
.kck
, ptk_kck
, ptk_kck_len
);
3281 sm
->ptk
.kck_len
= ptk_kck_len
;
3282 wpa_printf(MSG_DEBUG
, "Updated PTK KCK");
3284 if (ptk_kek
&& ptk_kek_len
<= WPA_KEK_MAX_LEN
) {
3285 os_memcpy(sm
->ptk
.kek
, ptk_kek
, ptk_kek_len
);
3286 sm
->ptk
.kek_len
= ptk_kek_len
;
3287 wpa_printf(MSG_DEBUG
, "Updated PTK KEK");
3293 #ifdef CONFIG_TESTING_OPTIONS
3295 void wpa_sm_set_test_assoc_ie(struct wpa_sm
*sm
, struct wpabuf
*buf
)
3297 wpabuf_free(sm
->test_assoc_ie
);
3298 sm
->test_assoc_ie
= buf
;
3302 const u8
* wpa_sm_get_anonce(struct wpa_sm
*sm
)
3307 #endif /* CONFIG_TESTING_OPTIONS */
3310 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm
*sm
)
3312 return sm
->key_mgmt
;
3318 struct wpabuf
* fils_build_auth(struct wpa_sm
*sm
, int dh_group
, const u8
*md
)
3320 struct wpabuf
*buf
= NULL
;
3321 struct wpabuf
*erp_msg
;
3322 struct wpabuf
*pub
= NULL
;
3324 erp_msg
= eapol_sm_build_erp_reauth_start(sm
->eapol
);
3325 if (!erp_msg
&& !sm
->cur_pmksa
) {
3326 wpa_printf(MSG_DEBUG
,
3327 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
3331 wpa_printf(MSG_DEBUG
, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
3332 erp_msg
!= NULL
, sm
->cur_pmksa
!= NULL
);
3334 sm
->fils_completed
= 0;
3336 if (!sm
->assoc_wpa_ie
) {
3337 wpa_printf(MSG_INFO
, "FILS: No own RSN IE set for FILS");
3341 if (random_get_bytes(sm
->fils_nonce
, FILS_NONCE_LEN
) < 0 ||
3342 random_get_bytes(sm
->fils_session
, FILS_SESSION_LEN
) < 0)
3345 wpa_hexdump(MSG_DEBUG
, "FILS: Generated FILS Nonce",
3346 sm
->fils_nonce
, FILS_NONCE_LEN
);
3347 wpa_hexdump(MSG_DEBUG
, "FILS: Generated FILS Session",
3348 sm
->fils_session
, FILS_SESSION_LEN
);
3350 #ifdef CONFIG_FILS_SK_PFS
3351 sm
->fils_dh_group
= dh_group
;
3353 crypto_ecdh_deinit(sm
->fils_ecdh
);
3354 sm
->fils_ecdh
= crypto_ecdh_init(dh_group
);
3355 if (!sm
->fils_ecdh
) {
3356 wpa_printf(MSG_INFO
,
3357 "FILS: Could not initialize ECDH with group %d",
3361 pub
= crypto_ecdh_get_pubkey(sm
->fils_ecdh
, 1);
3364 wpa_hexdump_buf(MSG_DEBUG
, "FILS: Element (DH public key)",
3366 sm
->fils_dh_elem_len
= wpabuf_len(pub
);
3368 #endif /* CONFIG_FILS_SK_PFS */
3370 buf
= wpabuf_alloc(1000 + sm
->assoc_wpa_ie_len
+
3371 (pub
? wpabuf_len(pub
) : 0));
3375 /* Fields following the Authentication algorithm number field */
3377 /* Authentication Transaction seq# */
3378 wpabuf_put_le16(buf
, 1);
3381 wpabuf_put_le16(buf
, WLAN_STATUS_SUCCESS
);
3384 #ifdef CONFIG_FILS_SK_PFS
3386 /* Finite Cyclic Group */
3387 wpabuf_put_le16(buf
, dh_group
);
3389 wpabuf_put_buf(buf
, pub
);
3391 #endif /* CONFIG_FILS_SK_PFS */
3394 wpa_hexdump(MSG_DEBUG
, "FILS: RSNE in FILS Authentication frame",
3395 sm
->assoc_wpa_ie
, sm
->assoc_wpa_ie_len
);
3396 wpabuf_put_data(buf
, sm
->assoc_wpa_ie
, sm
->assoc_wpa_ie_len
);
3399 /* MDE when using FILS for FT initial association */
3400 struct rsn_mdie
*mdie
;
3402 wpabuf_put_u8(buf
, WLAN_EID_MOBILITY_DOMAIN
);
3403 wpabuf_put_u8(buf
, sizeof(*mdie
));
3404 mdie
= wpabuf_put(buf
, sizeof(*mdie
));
3405 os_memcpy(mdie
->mobility_domain
, md
, MOBILITY_DOMAIN_ID_LEN
);
3410 wpabuf_put_u8(buf
, WLAN_EID_EXTENSION
); /* Element ID */
3411 wpabuf_put_u8(buf
, 1 + FILS_NONCE_LEN
); /* Length */
3412 /* Element ID Extension */
3413 wpabuf_put_u8(buf
, WLAN_EID_EXT_FILS_NONCE
);
3414 wpabuf_put_data(buf
, sm
->fils_nonce
, FILS_NONCE_LEN
);
3417 wpabuf_put_u8(buf
, WLAN_EID_EXTENSION
); /* Element ID */
3418 wpabuf_put_u8(buf
, 1 + FILS_SESSION_LEN
); /* Length */
3419 /* Element ID Extension */
3420 wpabuf_put_u8(buf
, WLAN_EID_EXT_FILS_SESSION
);
3421 wpabuf_put_data(buf
, sm
->fils_session
, FILS_SESSION_LEN
);
3423 /* FILS Wrapped Data */
3424 sm
->fils_erp_pmkid_set
= 0;
3426 wpabuf_put_u8(buf
, WLAN_EID_EXTENSION
); /* Element ID */
3427 wpabuf_put_u8(buf
, 1 + wpabuf_len(erp_msg
)); /* Length */
3428 /* Element ID Extension */
3429 wpabuf_put_u8(buf
, WLAN_EID_EXT_FILS_WRAPPED_DATA
);
3430 wpabuf_put_buf(buf
, erp_msg
);
3431 /* Calculate pending PMKID here so that we do not need to
3432 * maintain a copy of the EAP-Initiate/Reauth message. */
3433 if (fils_pmkid_erp(sm
->key_mgmt
, wpabuf_head(erp_msg
),
3434 wpabuf_len(erp_msg
),
3435 sm
->fils_erp_pmkid
) == 0)
3436 sm
->fils_erp_pmkid_set
= 1;
3439 wpa_hexdump_buf(MSG_DEBUG
, "RSN: FILS fields for Authentication frame",
3443 wpabuf_free(erp_msg
);
3449 int fils_process_auth(struct wpa_sm
*sm
, const u8
*bssid
, const u8
*data
,
3452 const u8
*pos
, *end
;
3453 struct ieee802_11_elems elems
;
3454 struct wpa_ie_data rsn
;
3455 int pmkid_match
= 0;
3456 u8 ick
[FILS_ICK_MAX_LEN
];
3459 struct wpabuf
*dh_ss
= NULL
;
3460 const u8
*g_sta
= NULL
;
3461 size_t g_sta_len
= 0;
3462 const u8
*g_ap
= NULL
;
3463 size_t g_ap_len
= 0;
3464 struct wpabuf
*pub
= NULL
;
3466 os_memcpy(sm
->bssid
, bssid
, ETH_ALEN
);
3468 wpa_hexdump(MSG_DEBUG
, "FILS: Authentication frame fields",
3474 #ifdef CONFIG_FILS_SK_PFS
3475 if (sm
->fils_dh_group
) {
3478 /* Using FILS PFS */
3480 /* Finite Cyclic Group */
3481 if (end
- pos
< 2) {
3482 wpa_printf(MSG_DEBUG
,
3483 "FILS: No room for Finite Cyclic Group");
3486 group
= WPA_GET_LE16(pos
);
3488 if (group
!= sm
->fils_dh_group
) {
3489 wpa_printf(MSG_DEBUG
,
3490 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
3491 group
, sm
->fils_dh_group
);
3496 if ((size_t) (end
- pos
) < sm
->fils_dh_elem_len
) {
3497 wpa_printf(MSG_DEBUG
, "FILS: No room for Element");
3501 if (!sm
->fils_ecdh
) {
3502 wpa_printf(MSG_DEBUG
, "FILS: No ECDH state available");
3505 dh_ss
= crypto_ecdh_set_peerkey(sm
->fils_ecdh
, 1, pos
,
3506 sm
->fils_dh_elem_len
);
3508 wpa_printf(MSG_DEBUG
, "FILS: ECDH operation failed");
3511 wpa_hexdump_buf_key(MSG_DEBUG
, "FILS: DH_SS", dh_ss
);
3513 g_ap_len
= sm
->fils_dh_elem_len
;
3514 pos
+= sm
->fils_dh_elem_len
;
3516 #endif /* CONFIG_FILS_SK_PFS */
3518 wpa_hexdump(MSG_DEBUG
, "FILS: Remaining IEs", pos
, end
- pos
);
3519 if (ieee802_11_parse_elems(pos
, end
- pos
, &elems
, 1) == ParseFailed
) {
3520 wpa_printf(MSG_DEBUG
, "FILS: Could not parse elements");
3525 wpa_hexdump(MSG_DEBUG
, "FILS: RSN element", elems
.rsn_ie
,
3527 if (!elems
.rsn_ie
||
3528 wpa_parse_wpa_ie_rsn(elems
.rsn_ie
- 2, elems
.rsn_ie_len
+ 2,
3530 wpa_printf(MSG_DEBUG
, "FILS: No RSN element");
3534 if (!elems
.fils_nonce
) {
3535 wpa_printf(MSG_DEBUG
, "FILS: No FILS Nonce field");
3538 os_memcpy(sm
->fils_anonce
, elems
.fils_nonce
, FILS_NONCE_LEN
);
3539 wpa_hexdump(MSG_DEBUG
, "FILS: ANonce", sm
->fils_anonce
, FILS_NONCE_LEN
);
3541 #ifdef CONFIG_IEEE80211R
3542 if (wpa_key_mgmt_ft(sm
->key_mgmt
)) {
3543 struct wpa_ft_ies parse
;
3545 if (!elems
.mdie
|| !elems
.ftie
) {
3546 wpa_printf(MSG_DEBUG
, "FILS+FT: No MDE or FTE");
3550 if (wpa_ft_parse_ies(pos
, end
- pos
, &parse
) < 0) {
3551 wpa_printf(MSG_DEBUG
, "FILS+FT: Failed to parse IEs");
3555 if (!parse
.r0kh_id
) {
3556 wpa_printf(MSG_DEBUG
,
3557 "FILS+FT: No R0KH-ID subelem in FTE");
3560 os_memcpy(sm
->r0kh_id
, parse
.r0kh_id
, parse
.r0kh_id_len
);
3561 sm
->r0kh_id_len
= parse
.r0kh_id_len
;
3562 wpa_hexdump_ascii(MSG_DEBUG
, "FILS+FT: R0KH-ID",
3563 sm
->r0kh_id
, sm
->r0kh_id_len
);
3565 if (!parse
.r1kh_id
) {
3566 wpa_printf(MSG_DEBUG
,
3567 "FILS+FT: No R1KH-ID subelem in FTE");
3570 os_memcpy(sm
->r1kh_id
, parse
.r1kh_id
, FT_R1KH_ID_LEN
);
3571 wpa_hexdump(MSG_DEBUG
, "FILS+FT: R1KH-ID",
3572 sm
->r1kh_id
, FT_R1KH_ID_LEN
);
3574 /* TODO: Check MDE and FTE payload */
3576 wpabuf_free(sm
->fils_ft_ies
);
3577 sm
->fils_ft_ies
= wpabuf_alloc(2 + elems
.mdie_len
+
3578 2 + elems
.ftie_len
);
3579 if (!sm
->fils_ft_ies
)
3581 wpabuf_put_data(sm
->fils_ft_ies
, elems
.mdie
- 2,
3582 2 + elems
.mdie_len
);
3583 wpabuf_put_data(sm
->fils_ft_ies
, elems
.ftie
- 2,
3584 2 + elems
.ftie_len
);
3586 wpabuf_free(sm
->fils_ft_ies
);
3587 sm
->fils_ft_ies
= NULL
;
3589 #endif /* CONFIG_IEEE80211R */
3592 if (rsn
.pmkid
&& rsn
.num_pmkid
> 0) {
3593 wpa_hexdump(MSG_DEBUG
, "FILS: PMKID List",
3594 rsn
.pmkid
, rsn
.num_pmkid
* PMKID_LEN
);
3596 if (rsn
.num_pmkid
!= 1) {
3597 wpa_printf(MSG_DEBUG
, "FILS: Invalid PMKID selection");
3600 wpa_hexdump(MSG_DEBUG
, "FILS: PMKID", rsn
.pmkid
, PMKID_LEN
);
3601 if (os_memcmp(sm
->cur_pmksa
->pmkid
, rsn
.pmkid
, PMKID_LEN
) != 0)
3603 wpa_printf(MSG_DEBUG
, "FILS: PMKID mismatch");
3604 wpa_hexdump(MSG_DEBUG
, "FILS: Expected PMKID",
3605 sm
->cur_pmksa
->pmkid
, PMKID_LEN
);
3608 wpa_printf(MSG_DEBUG
,
3609 "FILS: Matching PMKID - continue using PMKSA caching");
3612 if (!pmkid_match
&& sm
->cur_pmksa
) {
3613 wpa_printf(MSG_DEBUG
,
3614 "FILS: No PMKID match - cannot use cached PMKSA entry");
3615 sm
->cur_pmksa
= NULL
;
3619 if (!elems
.fils_session
) {
3620 wpa_printf(MSG_DEBUG
, "FILS: No FILS Session element");
3623 wpa_hexdump(MSG_DEBUG
, "FILS: FILS Session", elems
.fils_session
,
3625 if (os_memcmp(sm
->fils_session
, elems
.fils_session
, FILS_SESSION_LEN
)
3627 wpa_printf(MSG_DEBUG
, "FILS: Session mismatch");
3628 wpa_hexdump(MSG_DEBUG
, "FILS: Expected FILS Session",
3629 sm
->fils_session
, FILS_SESSION_LEN
);
3633 /* FILS Wrapped Data */
3634 if (!sm
->cur_pmksa
&& elems
.fils_wrapped_data
) {
3635 u8 rmsk
[ERP_MAX_KEY_LEN
];
3638 wpa_hexdump(MSG_DEBUG
, "FILS: Wrapped Data",
3639 elems
.fils_wrapped_data
,
3640 elems
.fils_wrapped_data_len
);
3641 eapol_sm_process_erp_finish(sm
->eapol
, elems
.fils_wrapped_data
,
3642 elems
.fils_wrapped_data_len
);
3643 if (eapol_sm_failed(sm
->eapol
))
3646 rmsk_len
= ERP_MAX_KEY_LEN
;
3647 res
= eapol_sm_get_key(sm
->eapol
, rmsk
, rmsk_len
);
3648 if (res
== PMK_LEN
) {
3650 res
= eapol_sm_get_key(sm
->eapol
, rmsk
, rmsk_len
);
3655 res
= fils_rmsk_to_pmk(sm
->key_mgmt
, rmsk
, rmsk_len
,
3656 sm
->fils_nonce
, sm
->fils_anonce
,
3657 dh_ss
? wpabuf_head(dh_ss
) : NULL
,
3658 dh_ss
? wpabuf_len(dh_ss
) : 0,
3659 sm
->pmk
, &sm
->pmk_len
);
3660 os_memset(rmsk
, 0, sizeof(rmsk
));
3662 /* Don't use DHss in PTK derivation if PMKSA caching is not
3664 wpabuf_clear_free(dh_ss
);
3670 if (!sm
->fils_erp_pmkid_set
) {
3671 wpa_printf(MSG_DEBUG
, "FILS: PMKID not available");
3674 wpa_hexdump(MSG_DEBUG
, "FILS: PMKID", sm
->fils_erp_pmkid
,
3676 wpa_printf(MSG_DEBUG
, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
3677 sm
->cur_pmksa
= pmksa_cache_add(sm
->pmksa
, sm
->pmk
, sm
->pmk_len
,
3678 sm
->fils_erp_pmkid
, NULL
, 0,
3679 sm
->bssid
, sm
->own_addr
,
3680 sm
->network_ctx
, sm
->key_mgmt
,
3684 if (!sm
->cur_pmksa
) {
3685 wpa_printf(MSG_DEBUG
,
3686 "FILS: No remaining options to continue FILS authentication");
3690 if (fils_pmk_to_ptk(sm
->pmk
, sm
->pmk_len
, sm
->own_addr
, sm
->bssid
,
3691 sm
->fils_nonce
, sm
->fils_anonce
,
3692 dh_ss
? wpabuf_head(dh_ss
) : NULL
,
3693 dh_ss
? wpabuf_len(dh_ss
) : 0,
3694 &sm
->ptk
, ick
, &ick_len
,
3695 sm
->key_mgmt
, sm
->pairwise_cipher
,
3696 sm
->fils_ft
, &sm
->fils_ft_len
) < 0) {
3697 wpa_printf(MSG_DEBUG
, "FILS: Failed to derive PTK");
3701 wpabuf_clear_free(dh_ss
);
3706 os_memset(&sm
->tptk
, 0, sizeof(sm
->tptk
));
3708 #ifdef CONFIG_FILS_SK_PFS
3709 if (sm
->fils_dh_group
) {
3710 if (!sm
->fils_ecdh
) {
3711 wpa_printf(MSG_INFO
, "FILS: ECDH not initialized");
3714 pub
= crypto_ecdh_get_pubkey(sm
->fils_ecdh
, 1);
3717 wpa_hexdump_buf(MSG_DEBUG
, "FILS: gSTA", pub
);
3718 g_sta
= wpabuf_head(pub
);
3719 g_sta_len
= wpabuf_len(pub
);
3721 wpa_printf(MSG_INFO
, "FILS: gAP not available");
3724 wpa_hexdump(MSG_DEBUG
, "FILS: gAP", g_ap
, g_ap_len
);
3726 #endif /* CONFIG_FILS_SK_PFS */
3728 res
= fils_key_auth_sk(ick
, ick_len
, sm
->fils_nonce
,
3729 sm
->fils_anonce
, sm
->own_addr
, sm
->bssid
,
3730 g_sta
, g_sta_len
, g_ap
, g_ap_len
,
3731 sm
->key_mgmt
, sm
->fils_key_auth_sta
,
3732 sm
->fils_key_auth_ap
,
3733 &sm
->fils_key_auth_len
);
3735 os_memset(ick
, 0, sizeof(ick
));
3739 wpabuf_clear_free(dh_ss
);
3744 #ifdef CONFIG_IEEE80211R
3745 static int fils_ft_build_assoc_req_rsne(struct wpa_sm
*sm
, struct wpabuf
*buf
)
3747 struct rsn_ie_hdr
*rsnie
;
3751 /* RSNIE[PMKR0Name/PMKR1Name] */
3752 rsnie
= wpabuf_put(buf
, sizeof(*rsnie
));
3753 rsnie
->elem_id
= WLAN_EID_RSN
;
3754 WPA_PUT_LE16(rsnie
->version
, RSN_VERSION
);
3756 /* Group Suite Selector */
3757 if (!wpa_cipher_valid_group(sm
->group_cipher
)) {
3758 wpa_printf(MSG_WARNING
, "FT: Invalid group cipher (%d)",
3762 pos
= wpabuf_put(buf
, RSN_SELECTOR_LEN
);
3763 RSN_SELECTOR_PUT(pos
, wpa_cipher_to_suite(WPA_PROTO_RSN
,
3766 /* Pairwise Suite Count */
3767 wpabuf_put_le16(buf
, 1);
3769 /* Pairwise Suite List */
3770 if (!wpa_cipher_valid_pairwise(sm
->pairwise_cipher
)) {
3771 wpa_printf(MSG_WARNING
, "FT: Invalid pairwise cipher (%d)",
3772 sm
->pairwise_cipher
);
3775 pos
= wpabuf_put(buf
, RSN_SELECTOR_LEN
);
3776 RSN_SELECTOR_PUT(pos
, wpa_cipher_to_suite(WPA_PROTO_RSN
,
3777 sm
->pairwise_cipher
));
3779 /* Authenticated Key Management Suite Count */
3780 wpabuf_put_le16(buf
, 1);
3782 /* Authenticated Key Management Suite List */
3783 pos
= wpabuf_put(buf
, RSN_SELECTOR_LEN
);
3784 if (sm
->key_mgmt
== WPA_KEY_MGMT_FT_FILS_SHA256
)
3785 RSN_SELECTOR_PUT(pos
, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256
);
3786 else if (sm
->key_mgmt
== WPA_KEY_MGMT_FT_FILS_SHA384
)
3787 RSN_SELECTOR_PUT(pos
, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384
);
3789 wpa_printf(MSG_WARNING
,
3790 "FILS+FT: Invalid key management type (%d)",
3795 /* RSN Capabilities */
3797 #ifdef CONFIG_IEEE80211W
3798 if (sm
->mgmt_group_cipher
== WPA_CIPHER_AES_128_CMAC
)
3799 capab
|= WPA_CAPABILITY_MFPC
;
3800 #endif /* CONFIG_IEEE80211W */
3801 wpabuf_put_le16(buf
, capab
);
3804 wpabuf_put_le16(buf
, 1);
3806 /* PMKID List [PMKR1Name] */
3807 wpa_hexdump_key(MSG_DEBUG
, "FILS+FT: XXKey (FILS-FT)",
3808 sm
->fils_ft
, sm
->fils_ft_len
);
3809 wpa_hexdump_ascii(MSG_DEBUG
, "FILS+FT: SSID", sm
->ssid
, sm
->ssid_len
);
3810 wpa_hexdump(MSG_DEBUG
, "FILS+FT: MDID",
3811 sm
->mobility_domain
, MOBILITY_DOMAIN_ID_LEN
);
3812 wpa_hexdump_ascii(MSG_DEBUG
, "FILS+FT: R0KH-ID",
3813 sm
->r0kh_id
, sm
->r0kh_id_len
);
3814 if (wpa_derive_pmk_r0(sm
->fils_ft
, sm
->fils_ft_len
, sm
->ssid
,
3815 sm
->ssid_len
, sm
->mobility_domain
,
3816 sm
->r0kh_id
, sm
->r0kh_id_len
, sm
->own_addr
,
3817 sm
->pmk_r0
, sm
->pmk_r0_name
) < 0) {
3818 wpa_printf(MSG_WARNING
, "FILS+FT: Could not derive PMK-R0");
3821 wpa_hexdump_key(MSG_DEBUG
, "FILS+FT: PMK-R0", sm
->pmk_r0
, PMK_LEN
);
3822 wpa_hexdump(MSG_DEBUG
, "FILS+FT: PMKR0Name",
3823 sm
->pmk_r0_name
, WPA_PMK_NAME_LEN
);
3824 wpa_printf(MSG_DEBUG
, "FILS+FT: R1KH-ID: " MACSTR
,
3825 MAC2STR(sm
->r1kh_id
));
3826 pos
= wpabuf_put(buf
, WPA_PMK_NAME_LEN
);
3827 if (wpa_derive_pmk_r1_name(sm
->pmk_r0_name
, sm
->r1kh_id
, sm
->own_addr
,
3829 wpa_printf(MSG_WARNING
, "FILS+FT: Could not derive PMKR1Name");
3832 wpa_hexdump(MSG_DEBUG
, "FILS+FT: PMKR1Name", pos
, WPA_PMK_NAME_LEN
);
3834 #ifdef CONFIG_IEEE80211W
3835 if (sm
->mgmt_group_cipher
== WPA_CIPHER_AES_128_CMAC
) {
3836 /* Management Group Cipher Suite */
3837 pos
= wpabuf_put(buf
, RSN_SELECTOR_LEN
);
3838 RSN_SELECTOR_PUT(pos
, RSN_CIPHER_SUITE_AES_128_CMAC
);
3840 #endif /* CONFIG_IEEE80211W */
3842 rsnie
->len
= ((u8
*) wpabuf_put(buf
, 0) - (u8
*) rsnie
) - 2;
3845 #endif /* CONFIG_IEEE80211R */
3848 struct wpabuf
* fils_build_assoc_req(struct wpa_sm
*sm
, const u8
**kek
,
3849 size_t *kek_len
, const u8
**snonce
,
3851 const struct wpabuf
**hlp
,
3852 unsigned int num_hlp
)
3859 #ifdef CONFIG_IEEE80211R
3860 if (sm
->fils_ft_ies
)
3861 len
+= wpabuf_len(sm
->fils_ft_ies
);
3862 if (wpa_key_mgmt_ft(sm
->key_mgmt
))
3864 #endif /* CONFIG_IEEE80211R */
3865 for (i
= 0; hlp
&& i
< num_hlp
; i
++)
3866 len
+= 10 + wpabuf_len(hlp
[i
]);
3867 buf
= wpabuf_alloc(len
);
3871 #ifdef CONFIG_IEEE80211R
3872 if (wpa_key_mgmt_ft(sm
->key_mgmt
) && sm
->fils_ft_ies
) {
3873 /* MDE and FTE when using FILS+FT */
3874 wpabuf_put_buf(buf
, sm
->fils_ft_ies
);
3875 /* RSNE with PMKR1Name in PMKID field */
3876 if (fils_ft_build_assoc_req_rsne(sm
, buf
) < 0) {
3881 #endif /* CONFIG_IEEE80211R */
3884 wpabuf_put_u8(buf
, WLAN_EID_EXTENSION
); /* Element ID */
3885 wpabuf_put_u8(buf
, 1 + FILS_SESSION_LEN
); /* Length */
3886 /* Element ID Extension */
3887 wpabuf_put_u8(buf
, WLAN_EID_EXT_FILS_SESSION
);
3888 wpabuf_put_data(buf
, sm
->fils_session
, FILS_SESSION_LEN
);
3890 /* Everything after FILS Session element gets encrypted in the driver
3891 * with KEK. The buffer returned from here is the plaintext version. */
3893 /* TODO: FILS Public Key */
3895 /* FILS Key Confirm */
3896 wpabuf_put_u8(buf
, WLAN_EID_EXTENSION
); /* Element ID */
3897 wpabuf_put_u8(buf
, 1 + sm
->fils_key_auth_len
); /* Length */
3898 /* Element ID Extension */
3899 wpabuf_put_u8(buf
, WLAN_EID_EXT_FILS_KEY_CONFIRM
);
3900 wpabuf_put_data(buf
, sm
->fils_key_auth_sta
, sm
->fils_key_auth_len
);
3902 /* FILS HLP Container */
3903 for (i
= 0; hlp
&& i
< num_hlp
; i
++) {
3904 const u8
*pos
= wpabuf_head(hlp
[i
]);
3905 size_t left
= wpabuf_len(hlp
[i
]);
3907 wpabuf_put_u8(buf
, WLAN_EID_EXTENSION
); /* Element ID */
3912 wpabuf_put_u8(buf
, len
); /* Length */
3913 /* Element ID Extension */
3914 wpabuf_put_u8(buf
, WLAN_EID_EXT_FILS_HLP_CONTAINER
);
3915 /* Destination MAC Address, Source MAC Address, HLP Packet.
3916 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
3917 * header when LPD is used). */
3918 wpabuf_put_data(buf
, pos
, len
- 1);
3922 wpabuf_put_u8(buf
, WLAN_EID_FRAGMENT
);
3923 len
= left
> 255 ? 255 : left
;
3924 wpabuf_put_u8(buf
, len
);
3925 wpabuf_put_data(buf
, pos
, len
);
3931 /* TODO: FILS IP Address Assignment */
3933 wpa_hexdump_buf(MSG_DEBUG
, "FILS: Association Request plaintext", buf
);
3936 *kek_len
= sm
->ptk
.kek_len
;
3937 wpa_hexdump_key(MSG_DEBUG
, "FILS: KEK for AEAD", *kek
, *kek_len
);
3938 *snonce
= sm
->fils_nonce
;
3939 wpa_hexdump(MSG_DEBUG
, "FILS: SNonce for AEAD AAD",
3940 *snonce
, FILS_NONCE_LEN
);
3941 *anonce
= sm
->fils_anonce
;
3942 wpa_hexdump(MSG_DEBUG
, "FILS: ANonce for AEAD AAD",
3943 *anonce
, FILS_NONCE_LEN
);
3949 static void fils_process_hlp_resp(struct wpa_sm
*sm
, const u8
*resp
, size_t len
)
3951 const u8
*pos
, *end
;
3953 wpa_hexdump(MSG_MSGDUMP
, "FILS: HLP response", resp
, len
);
3954 if (len
< 2 * ETH_ALEN
)
3956 pos
= resp
+ 2 * ETH_ALEN
;
3958 if (end
- pos
>= 6 &&
3959 os_memcmp(pos
, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
3960 pos
+= 6; /* Remove SNAP/LLC header */
3961 wpa_sm_fils_hlp_rx(sm
, resp
, resp
+ ETH_ALEN
, pos
, end
- pos
);
3965 static void fils_process_hlp_container(struct wpa_sm
*sm
, const u8
*pos
,
3968 const u8
*end
= pos
+ len
;
3971 /* Check if there are any FILS HLP Container elements */
3972 while (end
- pos
>= 2) {
3973 if (2 + pos
[1] > end
- pos
)
3975 if (pos
[0] == WLAN_EID_EXTENSION
&&
3976 pos
[1] >= 1 + 2 * ETH_ALEN
&&
3977 pos
[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER
)
3982 return; /* No FILS HLP Container elements */
3984 tmp
= os_malloc(end
- pos
);
3988 while (end
- pos
>= 2) {
3989 if (2 + pos
[1] > end
- pos
||
3990 pos
[0] != WLAN_EID_EXTENSION
||
3991 pos
[1] < 1 + 2 * ETH_ALEN
||
3992 pos
[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER
)
3995 os_memcpy(tmp_pos
, pos
+ 3, pos
[1] - 1);
3996 tmp_pos
+= pos
[1] - 1;
3999 /* Add possible fragments */
4000 while (end
- pos
>= 2 && pos
[0] == WLAN_EID_FRAGMENT
&&
4001 2 + pos
[1] <= end
- pos
) {
4002 os_memcpy(tmp_pos
, pos
+ 2, pos
[1]);
4007 fils_process_hlp_resp(sm
, tmp
, tmp_pos
- tmp
);
4014 int fils_process_assoc_resp(struct wpa_sm
*sm
, const u8
*resp
, size_t len
)
4016 const struct ieee80211_mgmt
*mgmt
;
4017 const u8
*end
, *ie_start
;
4018 struct ieee802_11_elems elems
;
4021 struct wpa_gtk_data gd
;
4023 struct wpa_eapol_ie_parse kde
;
4025 if (!sm
|| !sm
->ptk_set
) {
4026 wpa_printf(MSG_DEBUG
, "FILS: No KEK available");
4030 if (!wpa_key_mgmt_fils(sm
->key_mgmt
)) {
4031 wpa_printf(MSG_DEBUG
, "FILS: Not a FILS AKM");
4035 if (sm
->fils_completed
) {
4036 wpa_printf(MSG_DEBUG
,
4037 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
4041 wpa_hexdump(MSG_DEBUG
, "FILS: (Re)Association Response frame",
4044 mgmt
= (const struct ieee80211_mgmt
*) resp
;
4045 if (len
< IEEE80211_HDRLEN
+ sizeof(mgmt
->u
.assoc_resp
))
4049 /* Same offset for Association Response and Reassociation Response */
4050 ie_start
= mgmt
->u
.assoc_resp
.variable
;
4052 if (ieee802_11_parse_elems(ie_start
, end
- ie_start
, &elems
, 1) ==
4054 wpa_printf(MSG_DEBUG
,
4055 "FILS: Failed to parse decrypted elements");
4059 if (!elems
.fils_session
) {
4060 wpa_printf(MSG_DEBUG
, "FILS: No FILS Session element");
4063 if (os_memcmp(elems
.fils_session
, sm
->fils_session
,
4064 FILS_SESSION_LEN
) != 0) {
4065 wpa_printf(MSG_DEBUG
, "FILS: FILS Session mismatch");
4066 wpa_hexdump(MSG_DEBUG
, "FILS: Received FILS Session",
4067 elems
.fils_session
, FILS_SESSION_LEN
);
4068 wpa_hexdump(MSG_DEBUG
, "FILS: Expected FILS Session",
4069 sm
->fils_session
, FILS_SESSION_LEN
);
4072 /* TODO: FILS Public Key */
4074 if (!elems
.fils_key_confirm
) {
4075 wpa_printf(MSG_DEBUG
, "FILS: No FILS Key Confirm element");
4078 if (elems
.fils_key_confirm_len
!= sm
->fils_key_auth_len
) {
4079 wpa_printf(MSG_DEBUG
,
4080 "FILS: Unexpected Key-Auth length %d (expected %d)",
4081 elems
.fils_key_confirm_len
,
4082 (int) sm
->fils_key_auth_len
);
4085 if (os_memcmp(elems
.fils_key_confirm
, sm
->fils_key_auth_ap
,
4086 sm
->fils_key_auth_len
) != 0) {
4087 wpa_printf(MSG_DEBUG
, "FILS: Key-Auth mismatch");
4088 wpa_hexdump(MSG_DEBUG
, "FILS: Received Key-Auth",
4089 elems
.fils_key_confirm
,
4090 elems
.fils_key_confirm_len
);
4091 wpa_hexdump(MSG_DEBUG
, "FILS: Expected Key-Auth",
4092 sm
->fils_key_auth_ap
, sm
->fils_key_auth_len
);
4097 if (!elems
.key_delivery
) {
4098 wpa_printf(MSG_DEBUG
, "FILS: No Key Delivery element");
4102 /* Parse GTK and set the key to the driver */
4103 os_memset(&gd
, 0, sizeof(gd
));
4104 if (wpa_supplicant_parse_ies(elems
.key_delivery
+ WPA_KEY_RSC_LEN
,
4105 elems
.key_delivery_len
- WPA_KEY_RSC_LEN
,
4107 wpa_printf(MSG_DEBUG
, "FILS: Failed to parse KDEs");
4111 wpa_printf(MSG_DEBUG
, "FILS: No GTK KDE");
4114 maxkeylen
= gd
.gtk_len
= kde
.gtk_len
- 2;
4115 if (wpa_supplicant_check_group_cipher(sm
, sm
->group_cipher
,
4116 gd
.gtk_len
, maxkeylen
,
4117 &gd
.key_rsc_len
, &gd
.alg
))
4120 wpa_hexdump_key(MSG_DEBUG
, "FILS: Received GTK", kde
.gtk
, kde
.gtk_len
);
4121 gd
.keyidx
= kde
.gtk
[0] & 0x3;
4122 gd
.tx
= wpa_supplicant_gtk_tx_bit_workaround(sm
,
4123 !!(kde
.gtk
[0] & BIT(2)));
4124 if (kde
.gtk_len
- 2 > sizeof(gd
.gtk
)) {
4125 wpa_printf(MSG_DEBUG
, "FILS: Too long GTK in GTK KDE (len=%lu)",
4126 (unsigned long) kde
.gtk_len
- 2);
4129 os_memcpy(gd
.gtk
, kde
.gtk
+ 2, kde
.gtk_len
- 2);
4131 wpa_printf(MSG_DEBUG
, "FILS: Set GTK to driver");
4132 if (wpa_supplicant_install_gtk(sm
, &gd
, elems
.key_delivery
, 0) < 0) {
4133 wpa_printf(MSG_DEBUG
, "FILS: Failed to set GTK");
4137 if (ieee80211w_set_keys(sm
, &kde
) < 0) {
4138 wpa_printf(MSG_DEBUG
, "FILS: Failed to set IGTK");
4142 alg
= wpa_cipher_to_alg(sm
->pairwise_cipher
);
4143 keylen
= wpa_cipher_key_len(sm
->pairwise_cipher
);
4144 if (keylen
<= 0 || (unsigned int) keylen
!= sm
->ptk
.tk_len
) {
4145 wpa_printf(MSG_DEBUG
, "FILS: TK length mismatch: %u != %lu",
4146 keylen
, (long unsigned int) sm
->ptk
.tk_len
);
4149 rsclen
= wpa_cipher_rsc_len(sm
->pairwise_cipher
);
4150 wpa_hexdump_key(MSG_DEBUG
, "FILS: Set TK to driver",
4151 sm
->ptk
.tk
, keylen
);
4152 if (wpa_sm_set_key(sm
, alg
, sm
->bssid
, 0, 1, null_rsc
, rsclen
,
4153 sm
->ptk
.tk
, keylen
) < 0) {
4154 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
4155 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
4157 alg
, keylen
, MAC2STR(sm
->bssid
));
4161 /* TODO: TK could be cleared after auth frame exchange now that driver
4162 * takes care of association frame encryption/decryption. */
4163 /* TK is not needed anymore in supplicant */
4164 os_memset(sm
->ptk
.tk
, 0, WPA_TK_MAX_LEN
);
4166 sm
->ptk
.installed
= 1;
4168 /* FILS HLP Container */
4169 fils_process_hlp_container(sm
, ie_start
, end
- ie_start
);
4171 /* TODO: FILS IP Address Assignment */
4173 wpa_printf(MSG_DEBUG
, "FILS: Auth+Assoc completed successfully");
4174 sm
->fils_completed
= 1;
4182 void wpa_sm_set_reset_fils_completed(struct wpa_sm
*sm
, int set
)
4185 sm
->fils_completed
= !!set
;
4188 #endif /* CONFIG_FILS */
4191 int wpa_fils_is_completed(struct wpa_sm
*sm
)
4194 return sm
&& sm
->fils_completed
;
4195 #else /* CONFIG_FILS */
4197 #endif /* CONFIG_FILS */
4203 struct wpabuf
* owe_build_assoc_req(struct wpa_sm
*sm
, u16 group
)
4205 struct wpabuf
*ie
= NULL
, *pub
= NULL
;
4210 else if (group
== 20)
4212 else if (group
== 21)
4217 crypto_ecdh_deinit(sm
->owe_ecdh
);
4218 sm
->owe_ecdh
= crypto_ecdh_init(group
);
4221 sm
->owe_group
= group
;
4222 pub
= crypto_ecdh_get_pubkey(sm
->owe_ecdh
, 0);
4223 pub
= wpabuf_zeropad(pub
, prime_len
);
4227 ie
= wpabuf_alloc(5 + wpabuf_len(pub
));
4230 wpabuf_put_u8(ie
, WLAN_EID_EXTENSION
);
4231 wpabuf_put_u8(ie
, 1 + 2 + wpabuf_len(pub
));
4232 wpabuf_put_u8(ie
, WLAN_EID_EXT_OWE_DH_PARAM
);
4233 wpabuf_put_le16(ie
, group
);
4234 wpabuf_put_buf(ie
, pub
);
4236 wpa_hexdump_buf(MSG_DEBUG
, "OWE: Diffie-Hellman Parameter element",
4242 crypto_ecdh_deinit(sm
->owe_ecdh
);
4243 sm
->owe_ecdh
= NULL
;
4248 int owe_process_assoc_resp(struct wpa_sm
*sm
, const u8
*bssid
,
4249 const u8
*resp_ies
, size_t resp_ies_len
)
4251 struct ieee802_11_elems elems
;
4253 struct wpabuf
*secret
, *pub
, *hkey
;
4255 u8 prk
[SHA512_MAC_LEN
], pmkid
[SHA512_MAC_LEN
];
4256 const char *info
= "OWE Key Generation";
4259 size_t hash_len
, prime_len
;
4260 struct wpa_ie_data data
;
4263 ieee802_11_parse_elems(resp_ies
, resp_ies_len
, &elems
, 1) ==
4265 wpa_printf(MSG_INFO
,
4266 "OWE: Could not parse Association Response frame elements");
4270 if (sm
->cur_pmksa
&& elems
.rsn_ie
&&
4271 wpa_parse_wpa_ie_rsn(elems
.rsn_ie
- 2, 2 + elems
.rsn_ie_len
,
4273 data
.num_pmkid
== 1 && data
.pmkid
&&
4274 os_memcmp(sm
->cur_pmksa
->pmkid
, data
.pmkid
, PMKID_LEN
) == 0) {
4275 wpa_printf(MSG_DEBUG
, "OWE: Use PMKSA caching");
4276 wpa_sm_set_pmk_from_pmksa(sm
);
4280 if (!elems
.owe_dh
) {
4281 wpa_printf(MSG_INFO
,
4282 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
4286 group
= WPA_GET_LE16(elems
.owe_dh
);
4287 if (group
!= sm
->owe_group
) {
4288 wpa_printf(MSG_INFO
,
4289 "OWE: Unexpected Diffie-Hellman group in response: %u",
4294 if (!sm
->owe_ecdh
) {
4295 wpa_printf(MSG_INFO
, "OWE: No ECDH state available");
4301 else if (group
== 20)
4303 else if (group
== 21)
4308 secret
= crypto_ecdh_set_peerkey(sm
->owe_ecdh
, 0,
4310 elems
.owe_dh_len
- 2);
4311 secret
= wpabuf_zeropad(secret
, prime_len
);
4313 wpa_printf(MSG_DEBUG
, "OWE: Invalid peer DH public key");
4316 wpa_hexdump_buf_key(MSG_DEBUG
, "OWE: DH shared secret", secret
);
4318 /* prk = HKDF-extract(C | A | group, z) */
4320 pub
= crypto_ecdh_get_pubkey(sm
->owe_ecdh
, 0);
4322 wpabuf_clear_free(secret
);
4326 /* PMKID = Truncate-128(Hash(C | A)) */
4327 addr
[0] = wpabuf_head(pub
);
4328 len
[0] = wpabuf_len(pub
);
4329 addr
[1] = elems
.owe_dh
+ 2;
4330 len
[1] = elems
.owe_dh_len
- 2;
4332 res
= sha256_vector(2, addr
, len
, pmkid
);
4333 hash_len
= SHA256_MAC_LEN
;
4334 } else if (group
== 20) {
4335 res
= sha384_vector(2, addr
, len
, pmkid
);
4336 hash_len
= SHA384_MAC_LEN
;
4337 } else if (group
== 21) {
4338 res
= sha512_vector(2, addr
, len
, pmkid
);
4339 hash_len
= SHA512_MAC_LEN
;
4344 pub
= wpabuf_zeropad(pub
, prime_len
);
4345 if (res
< 0 || !pub
) {
4347 wpabuf_clear_free(secret
);
4351 hkey
= wpabuf_alloc(wpabuf_len(pub
) + elems
.owe_dh_len
- 2 + 2);
4354 wpabuf_clear_free(secret
);
4358 wpabuf_put_buf(hkey
, pub
); /* C */
4360 wpabuf_put_data(hkey
, elems
.owe_dh
+ 2, elems
.owe_dh_len
- 2); /* A */
4361 wpabuf_put_le16(hkey
, sm
->owe_group
); /* group */
4363 res
= hmac_sha256(wpabuf_head(hkey
), wpabuf_len(hkey
),
4364 wpabuf_head(secret
), wpabuf_len(secret
), prk
);
4365 else if (group
== 20)
4366 res
= hmac_sha384(wpabuf_head(hkey
), wpabuf_len(hkey
),
4367 wpabuf_head(secret
), wpabuf_len(secret
), prk
);
4368 else if (group
== 21)
4369 res
= hmac_sha512(wpabuf_head(hkey
), wpabuf_len(hkey
),
4370 wpabuf_head(secret
), wpabuf_len(secret
), prk
);
4371 wpabuf_clear_free(hkey
);
4372 wpabuf_clear_free(secret
);
4376 wpa_hexdump_key(MSG_DEBUG
, "OWE: prk", prk
, hash_len
);
4378 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
4381 res
= hmac_sha256_kdf(prk
, hash_len
, NULL
, (const u8
*) info
,
4382 os_strlen(info
), sm
->pmk
, hash_len
);
4383 else if (group
== 20)
4384 res
= hmac_sha384_kdf(prk
, hash_len
, NULL
, (const u8
*) info
,
4385 os_strlen(info
), sm
->pmk
, hash_len
);
4386 else if (group
== 21)
4387 res
= hmac_sha512_kdf(prk
, hash_len
, NULL
, (const u8
*) info
,
4388 os_strlen(info
), sm
->pmk
, hash_len
);
4389 os_memset(prk
, 0, SHA512_MAC_LEN
);
4394 sm
->pmk_len
= hash_len
;
4396 wpa_hexdump_key(MSG_DEBUG
, "OWE: PMK", sm
->pmk
, sm
->pmk_len
);
4397 wpa_hexdump(MSG_DEBUG
, "OWE: PMKID", pmkid
, PMKID_LEN
);
4398 pmksa_cache_add(sm
->pmksa
, sm
->pmk
, sm
->pmk_len
, pmkid
, NULL
, 0,
4399 bssid
, sm
->own_addr
, sm
->network_ctx
, sm
->key_mgmt
,
4405 #endif /* CONFIG_OWE */
4408 void wpa_sm_set_fils_cache_id(struct wpa_sm
*sm
, const u8
*fils_cache_id
)
4411 if (sm
&& fils_cache_id
) {
4412 sm
->fils_cache_id_set
= 1;
4413 os_memcpy(sm
->fils_cache_id
, fils_cache_id
, FILS_CACHE_ID_LEN
);
4415 #endif /* CONFIG_FILS */