2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2017, Jouni Malinen <j@w1.fi>
4 * Copyright(c) 2015 Intel Deutschland GmbH
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "crypto/sha256.h"
19 #include "crypto/sha384.h"
20 #include "crypto/sha512.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/ieee802_11_common.h"
23 #include "eap_common/eap_defs.h"
24 #include "eapol_supp/eapol_supp_sm.h"
28 #include "pmksa_cache.h"
33 static const u8 null_rsc
[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
37 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
38 * @sm: Pointer to WPA state machine data from wpa_sm_init()
39 * @ptk: PTK for Key Confirmation/Encryption Key
40 * @ver: Version field from Key Info
41 * @dest: Destination address for the frame
42 * @proto: Ethertype (usually ETH_P_EAPOL)
43 * @msg: EAPOL-Key message
44 * @msg_len: Length of message
45 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
46 * Returns: >= 0 on success, < 0 on failure
48 int wpa_eapol_key_send(struct wpa_sm
*sm
, struct wpa_ptk
*ptk
,
49 int ver
, const u8
*dest
, u16 proto
,
50 u8
*msg
, size_t msg_len
, u8
*key_mic
)
53 size_t mic_len
= wpa_mic_len(sm
->key_mgmt
, sm
->pmk_len
);
55 wpa_printf(MSG_DEBUG
, "WPA: Send EAPOL-Key frame to " MACSTR
56 " ver=%d mic_len=%d key_mgmt=0x%x",
57 MAC2STR(dest
), ver
, (int) mic_len
, sm
->key_mgmt
);
58 if (is_zero_ether_addr(dest
) && is_zero_ether_addr(sm
->bssid
)) {
60 * Association event was not yet received; try to fetch
61 * BSSID from the driver.
63 if (wpa_sm_get_bssid(sm
, sm
->bssid
) < 0) {
64 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
65 "WPA: Failed to read BSSID for "
66 "EAPOL-Key destination address");
69 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
70 "WPA: Use BSSID (" MACSTR
71 ") as the destination for EAPOL-Key",
77 if (key_mic
&& (!ptk
|| !ptk
->kck_len
))
81 wpa_eapol_key_mic(ptk
->kck
, ptk
->kck_len
, sm
->key_mgmt
, ver
,
82 msg
, msg_len
, key_mic
)) {
83 wpa_msg(sm
->ctx
->msg_ctx
, MSG_ERROR
,
84 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
89 wpa_hexdump_key(MSG_DEBUG
, "WPA: KCK",
90 ptk
->kck
, ptk
->kck_len
);
91 wpa_hexdump(MSG_DEBUG
, "WPA: Derived Key MIC",
95 /* AEAD cipher - Key MIC field not used */
96 struct ieee802_1x_hdr
*s_hdr
, *hdr
;
97 struct wpa_eapol_key
*s_key
, *key
;
98 u8
*buf
, *s_key_data
, *key_data
;
99 size_t buf_len
= msg_len
+ AES_BLOCK_SIZE
;
105 if (!ptk
|| !ptk
->kek_len
)
108 key_data_len
= msg_len
- sizeof(struct ieee802_1x_hdr
) -
109 sizeof(struct wpa_eapol_key
) - 2;
111 buf
= os_malloc(buf_len
);
115 os_memcpy(buf
, msg
, msg_len
);
116 hdr
= (struct ieee802_1x_hdr
*) buf
;
117 key
= (struct wpa_eapol_key
*) (hdr
+ 1);
118 key_data
= ((u8
*) (key
+ 1)) + 2;
120 /* Update EAPOL header to include AES-SIV overhead */
121 eapol_len
= be_to_host16(hdr
->length
);
122 eapol_len
+= AES_BLOCK_SIZE
;
123 hdr
->length
= host_to_be16(eapol_len
);
125 /* Update Key Data Length field to include AES-SIV overhead */
126 WPA_PUT_BE16((u8
*) (key
+ 1), AES_BLOCK_SIZE
+ key_data_len
);
128 s_hdr
= (struct ieee802_1x_hdr
*) msg
;
129 s_key
= (struct wpa_eapol_key
*) (s_hdr
+ 1);
130 s_key_data
= ((u8
*) (s_key
+ 1)) + 2;
132 wpa_hexdump_key(MSG_DEBUG
, "WPA: Plaintext Key Data",
133 s_key_data
, key_data_len
);
135 wpa_hexdump_key(MSG_DEBUG
, "WPA: KEK", ptk
->kek
, ptk
->kek_len
);
136 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
137 * to Key Data (exclusive). */
139 aad_len
[0] = key_data
- buf
;
140 if (aes_siv_encrypt(ptk
->kek
, ptk
->kek_len
,
141 s_key_data
, key_data_len
,
142 1, aad
, aad_len
, key_data
) < 0) {
147 wpa_hexdump(MSG_DEBUG
, "WPA: Encrypted Key Data from SIV",
148 key_data
, AES_BLOCK_SIZE
+ key_data_len
);
153 #else /* CONFIG_FILS */
155 #endif /* CONFIG_FILS */
158 wpa_hexdump(MSG_MSGDUMP
, "WPA: TX EAPOL-Key", msg
, msg_len
);
159 ret
= wpa_sm_ether_send(sm
, dest
, proto
, msg
, msg_len
);
160 eapol_sm_notify_tx_eapol_key(sm
->eapol
);
168 * wpa_sm_key_request - Send EAPOL-Key Request
169 * @sm: Pointer to WPA state machine data from wpa_sm_init()
170 * @error: Indicate whether this is an Michael MIC error report
171 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
173 * Send an EAPOL-Key Request to the current authenticator. This function is
174 * used to request rekeying and it is usually called when a local Michael MIC
175 * failure is detected.
177 void wpa_sm_key_request(struct wpa_sm
*sm
, int error
, int pairwise
)
179 size_t mic_len
, hdrlen
, rlen
;
180 struct wpa_eapol_key
*reply
;
182 u8 bssid
[ETH_ALEN
], *rbuf
, *key_mic
, *mic
;
184 if (wpa_use_akm_defined(sm
->key_mgmt
))
185 ver
= WPA_KEY_INFO_TYPE_AKM_DEFINED
;
186 else if (wpa_key_mgmt_ft(sm
->key_mgmt
) ||
187 wpa_key_mgmt_sha256(sm
->key_mgmt
))
188 ver
= WPA_KEY_INFO_TYPE_AES_128_CMAC
;
189 else if (sm
->pairwise_cipher
!= WPA_CIPHER_TKIP
)
190 ver
= WPA_KEY_INFO_TYPE_HMAC_SHA1_AES
;
192 ver
= WPA_KEY_INFO_TYPE_HMAC_MD5_RC4
;
194 if (wpa_sm_get_bssid(sm
, bssid
) < 0) {
195 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
196 "Failed to read BSSID for EAPOL-Key request");
200 mic_len
= wpa_mic_len(sm
->key_mgmt
, sm
->pmk_len
);
201 hdrlen
= sizeof(*reply
) + mic_len
+ 2;
202 rbuf
= wpa_sm_alloc_eapol(sm
, IEEE802_1X_TYPE_EAPOL_KEY
, NULL
,
203 hdrlen
, &rlen
, (void *) &reply
);
207 reply
->type
= (sm
->proto
== WPA_PROTO_RSN
||
208 sm
->proto
== WPA_PROTO_OSEN
) ?
209 EAPOL_KEY_TYPE_RSN
: EAPOL_KEY_TYPE_WPA
;
210 key_info
= WPA_KEY_INFO_REQUEST
| ver
;
212 key_info
|= WPA_KEY_INFO_SECURE
;
213 if (sm
->ptk_set
&& mic_len
)
214 key_info
|= WPA_KEY_INFO_MIC
;
216 key_info
|= WPA_KEY_INFO_ERROR
;
218 key_info
|= WPA_KEY_INFO_KEY_TYPE
;
219 WPA_PUT_BE16(reply
->key_info
, key_info
);
220 WPA_PUT_BE16(reply
->key_length
, 0);
221 os_memcpy(reply
->replay_counter
, sm
->request_counter
,
222 WPA_REPLAY_COUNTER_LEN
);
223 inc_byte_array(sm
->request_counter
, WPA_REPLAY_COUNTER_LEN
);
225 mic
= (u8
*) (reply
+ 1);
226 WPA_PUT_BE16(mic
+ mic_len
, 0);
227 if (!(key_info
& WPA_KEY_INFO_MIC
))
232 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
233 "WPA: Sending EAPOL-Key Request (error=%d "
234 "pairwise=%d ptk_set=%d len=%lu)",
235 error
, pairwise
, sm
->ptk_set
, (unsigned long) rlen
);
236 wpa_eapol_key_send(sm
, &sm
->ptk
, ver
, bssid
, ETH_P_EAPOL
, rbuf
, rlen
,
241 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm
*sm
)
243 #ifdef CONFIG_IEEE80211R
244 if (sm
->key_mgmt
== WPA_KEY_MGMT_FT_IEEE8021X
) {
245 if (wpa_sm_key_mgmt_set_pmk(sm
, sm
->xxkey
, sm
->xxkey_len
))
246 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
247 "RSN: Cannot set low order 256 bits of MSK for key management offload");
249 #endif /* CONFIG_IEEE80211R */
250 if (wpa_sm_key_mgmt_set_pmk(sm
, sm
->pmk
, sm
->pmk_len
))
251 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
252 "RSN: Cannot set PMK for key management offload");
253 #ifdef CONFIG_IEEE80211R
255 #endif /* CONFIG_IEEE80211R */
259 static int wpa_supplicant_get_pmk(struct wpa_sm
*sm
,
260 const unsigned char *src_addr
,
263 int abort_cached
= 0;
265 if (pmkid
&& !sm
->cur_pmksa
) {
266 /* When using drivers that generate RSN IE, wpa_supplicant may
267 * not have enough time to get the association information
268 * event before receiving this 1/4 message, so try to find a
269 * matching PMKSA cache entry here. */
270 sm
->cur_pmksa
= pmksa_cache_get(sm
->pmksa
, src_addr
, pmkid
,
273 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
274 "RSN: found matching PMKID from PMKSA cache");
276 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
277 "RSN: no matching PMKID found");
282 if (pmkid
&& sm
->cur_pmksa
&&
283 os_memcmp_const(pmkid
, sm
->cur_pmksa
->pmkid
, PMKID_LEN
) == 0) {
284 wpa_hexdump(MSG_DEBUG
, "RSN: matched PMKID", pmkid
, PMKID_LEN
);
285 wpa_sm_set_pmk_from_pmksa(sm
);
286 wpa_hexdump_key(MSG_DEBUG
, "RSN: PMK from PMKSA cache",
287 sm
->pmk
, sm
->pmk_len
);
288 eapol_sm_notify_cached(sm
->eapol
);
289 #ifdef CONFIG_IEEE80211R
292 if (sm
->key_mgmt
== WPA_KEY_MGMT_FT_SAE
&&
293 sm
->pmk_len
== PMK_LEN
) {
294 /* Need to allow FT key derivation to proceed with
295 * PMK from SAE being used as the XXKey in cases where
296 * the PMKID in msg 1/4 matches the PMKSA entry that was
297 * just added based on SAE authentication for the
298 * initial mobility domain association. */
299 os_memcpy(sm
->xxkey
, sm
->pmk
, sm
->pmk_len
);
300 sm
->xxkey_len
= sm
->pmk_len
;
302 #endif /* CONFIG_SAE */
303 #endif /* CONFIG_IEEE80211R */
304 } else if (wpa_key_mgmt_wpa_ieee8021x(sm
->key_mgmt
) && sm
->eapol
) {
307 if (wpa_key_mgmt_sha384(sm
->key_mgmt
))
308 pmk_len
= PMK_LEN_SUITE_B_192
;
311 res
= eapol_sm_get_key(sm
->eapol
, sm
->pmk
, pmk_len
);
313 if (pmk_len
== PMK_LEN
) {
315 * EAP-LEAP is an exception from other EAP
316 * methods: it uses only 16-byte PMK.
318 res
= eapol_sm_get_key(sm
->eapol
, sm
->pmk
, 16);
322 #ifdef CONFIG_IEEE80211R
324 if (eapol_sm_get_key(sm
->eapol
, buf
, 2 * PMK_LEN
) == 0)
326 os_memcpy(sm
->xxkey
, buf
+ PMK_LEN
, PMK_LEN
);
327 sm
->xxkey_len
= PMK_LEN
;
328 os_memset(buf
, 0, sizeof(buf
));
330 #endif /* CONFIG_IEEE80211R */
333 struct rsn_pmksa_cache_entry
*sa
= NULL
;
334 const u8
*fils_cache_id
= NULL
;
337 if (sm
->fils_cache_id_set
)
338 fils_cache_id
= sm
->fils_cache_id
;
339 #endif /* CONFIG_FILS */
341 wpa_hexdump_key(MSG_DEBUG
, "WPA: PMK from EAPOL state "
342 "machines", sm
->pmk
, pmk_len
);
343 sm
->pmk_len
= pmk_len
;
344 wpa_supplicant_key_mgmt_set_pmk(sm
);
345 if (sm
->proto
== WPA_PROTO_RSN
&&
346 !wpa_key_mgmt_suite_b(sm
->key_mgmt
) &&
347 !wpa_key_mgmt_ft(sm
->key_mgmt
)) {
348 sa
= pmksa_cache_add(sm
->pmksa
,
349 sm
->pmk
, pmk_len
, NULL
,
351 src_addr
, sm
->own_addr
,
356 if (!sm
->cur_pmksa
&& pmkid
&&
357 pmksa_cache_get(sm
->pmksa
, src_addr
, pmkid
, NULL
))
359 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
360 "RSN: the new PMK matches with the "
363 } else if (sa
&& !sm
->cur_pmksa
&& pmkid
) {
365 * It looks like the authentication server
366 * derived mismatching MSK. This should not
367 * really happen, but bugs happen.. There is not
368 * much we can do here without knowing what
369 * exactly caused the server to misbehave.
371 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
372 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
379 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
380 "WPA: Failed to get master session key from "
381 "EAPOL state machines - key handshake "
384 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
385 "RSN: Cancelled PMKSA caching "
387 sm
->cur_pmksa
= NULL
;
389 } else if (!abort_cached
) {
395 if (abort_cached
&& wpa_key_mgmt_wpa_ieee8021x(sm
->key_mgmt
) &&
396 !wpa_key_mgmt_suite_b(sm
->key_mgmt
) &&
397 !wpa_key_mgmt_ft(sm
->key_mgmt
) && sm
->key_mgmt
!= WPA_KEY_MGMT_OSEN
)
399 /* Send EAPOL-Start to trigger full EAP authentication. */
403 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
404 "RSN: no PMKSA entry found - trigger "
405 "full EAP authentication");
406 buf
= wpa_sm_alloc_eapol(sm
, IEEE802_1X_TYPE_EAPOL_START
,
407 NULL
, 0, &buflen
, NULL
);
409 wpa_sm_ether_send(sm
, sm
->bssid
, ETH_P_EAPOL
,
423 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
424 * @sm: Pointer to WPA state machine data from wpa_sm_init()
425 * @dst: Destination address for the frame
426 * @key: Pointer to the EAPOL-Key frame header
427 * @ver: Version bits from EAPOL-Key Key Info
428 * @nonce: Nonce value for the EAPOL-Key frame
429 * @wpa_ie: WPA/RSN IE
430 * @wpa_ie_len: Length of the WPA/RSN IE
431 * @ptk: PTK to use for keyed hash and encryption
432 * Returns: >= 0 on success, < 0 on failure
434 int wpa_supplicant_send_2_of_4(struct wpa_sm
*sm
, const unsigned char *dst
,
435 const struct wpa_eapol_key
*key
,
436 int ver
, const u8
*nonce
,
437 const u8
*wpa_ie
, size_t wpa_ie_len
,
440 size_t mic_len
, hdrlen
, rlen
;
441 struct wpa_eapol_key
*reply
;
443 u8
*rsn_ie_buf
= NULL
;
446 if (wpa_ie
== NULL
) {
447 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
, "WPA: No wpa_ie set - "
448 "cannot generate msg 2/4");
452 #ifdef CONFIG_IEEE80211R
453 if (wpa_key_mgmt_ft(sm
->key_mgmt
)) {
457 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
458 * FTIE from (Re)Association Response.
460 rsn_ie_buf
= os_malloc(wpa_ie_len
+ 2 + 2 + PMKID_LEN
+
461 sm
->assoc_resp_ies_len
);
462 if (rsn_ie_buf
== NULL
)
464 os_memcpy(rsn_ie_buf
, wpa_ie
, wpa_ie_len
);
465 res
= wpa_insert_pmkid(rsn_ie_buf
, &wpa_ie_len
,
472 if (sm
->assoc_resp_ies
) {
473 os_memcpy(rsn_ie_buf
+ wpa_ie_len
, sm
->assoc_resp_ies
,
474 sm
->assoc_resp_ies_len
);
475 wpa_ie_len
+= sm
->assoc_resp_ies_len
;
480 #endif /* CONFIG_IEEE80211R */
482 wpa_hexdump(MSG_DEBUG
, "WPA: WPA IE for msg 2/4", wpa_ie
, wpa_ie_len
);
484 mic_len
= wpa_mic_len(sm
->key_mgmt
, sm
->pmk_len
);
485 hdrlen
= sizeof(*reply
) + mic_len
+ 2;
486 rbuf
= wpa_sm_alloc_eapol(sm
, IEEE802_1X_TYPE_EAPOL_KEY
,
487 NULL
, hdrlen
+ wpa_ie_len
,
488 &rlen
, (void *) &reply
);
494 reply
->type
= (sm
->proto
== WPA_PROTO_RSN
||
495 sm
->proto
== WPA_PROTO_OSEN
) ?
496 EAPOL_KEY_TYPE_RSN
: EAPOL_KEY_TYPE_WPA
;
497 key_info
= ver
| WPA_KEY_INFO_KEY_TYPE
;
499 key_info
|= WPA_KEY_INFO_MIC
;
501 key_info
|= WPA_KEY_INFO_ENCR_KEY_DATA
;
502 WPA_PUT_BE16(reply
->key_info
, key_info
);
503 if (sm
->proto
== WPA_PROTO_RSN
|| sm
->proto
== WPA_PROTO_OSEN
)
504 WPA_PUT_BE16(reply
->key_length
, 0);
506 os_memcpy(reply
->key_length
, key
->key_length
, 2);
507 os_memcpy(reply
->replay_counter
, key
->replay_counter
,
508 WPA_REPLAY_COUNTER_LEN
);
509 wpa_hexdump(MSG_DEBUG
, "WPA: Replay Counter", reply
->replay_counter
,
510 WPA_REPLAY_COUNTER_LEN
);
512 key_mic
= (u8
*) (reply
+ 1);
513 WPA_PUT_BE16(key_mic
+ mic_len
, wpa_ie_len
); /* Key Data Length */
514 os_memcpy(key_mic
+ mic_len
+ 2, wpa_ie
, wpa_ie_len
); /* Key Data */
517 os_memcpy(reply
->key_nonce
, nonce
, WPA_NONCE_LEN
);
519 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: Sending EAPOL-Key 2/4");
520 return wpa_eapol_key_send(sm
, ptk
, ver
, dst
, ETH_P_EAPOL
, rbuf
, rlen
,
525 static int wpa_derive_ptk(struct wpa_sm
*sm
, const unsigned char *src_addr
,
526 const struct wpa_eapol_key
*key
, struct wpa_ptk
*ptk
)
528 #ifdef CONFIG_IEEE80211R
529 if (wpa_key_mgmt_ft(sm
->key_mgmt
))
530 return wpa_derive_ptk_ft(sm
, src_addr
, key
, ptk
);
531 #endif /* CONFIG_IEEE80211R */
533 return wpa_pmk_to_ptk(sm
->pmk
, sm
->pmk_len
, "Pairwise key expansion",
534 sm
->own_addr
, sm
->bssid
, sm
->snonce
,
535 key
->key_nonce
, ptk
, sm
->key_mgmt
,
536 sm
->pairwise_cipher
);
540 static void wpa_supplicant_process_1_of_4(struct wpa_sm
*sm
,
541 const unsigned char *src_addr
,
542 const struct wpa_eapol_key
*key
,
543 u16 ver
, const u8
*key_data
,
546 struct wpa_eapol_ie_parse ie
;
549 u8
*kde
, *kde_buf
= NULL
;
552 if (wpa_sm_get_network_ctx(sm
) == NULL
) {
553 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
, "WPA: No SSID info "
554 "found (msg 1 of 4)");
558 wpa_sm_set_state(sm
, WPA_4WAY_HANDSHAKE
);
559 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: RX message 1 of 4-Way "
560 "Handshake from " MACSTR
" (ver=%d)", MAC2STR(src_addr
), ver
);
562 os_memset(&ie
, 0, sizeof(ie
));
564 if (sm
->proto
== WPA_PROTO_RSN
|| sm
->proto
== WPA_PROTO_OSEN
) {
565 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
566 wpa_hexdump(MSG_DEBUG
, "RSN: msg 1/4 key data",
567 key_data
, key_data_len
);
568 if (wpa_supplicant_parse_ies(key_data
, key_data_len
, &ie
) < 0)
571 wpa_hexdump(MSG_DEBUG
, "RSN: PMKID from "
572 "Authenticator", ie
.pmkid
, PMKID_LEN
);
576 res
= wpa_supplicant_get_pmk(sm
, src_addr
, ie
.pmkid
);
578 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "RSN: Do not reply to "
579 "msg 1/4 - requesting full EAP authentication");
585 if (sm
->renew_snonce
) {
586 if (random_get_bytes(sm
->snonce
, WPA_NONCE_LEN
)) {
587 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
588 "WPA: Failed to get random data for SNonce");
591 sm
->renew_snonce
= 0;
592 wpa_hexdump(MSG_DEBUG
, "WPA: Renewed SNonce",
593 sm
->snonce
, WPA_NONCE_LEN
);
596 /* Calculate PTK which will be stored as a temporary PTK until it has
597 * been verified when processing message 3/4. */
599 if (wpa_derive_ptk(sm
, src_addr
, key
, ptk
) < 0)
601 if (sm
->pairwise_cipher
== WPA_CIPHER_TKIP
) {
603 /* Supplicant: swap tx/rx Mic keys */
604 os_memcpy(buf
, &ptk
->tk
[16], 8);
605 os_memcpy(&ptk
->tk
[16], &ptk
->tk
[24], 8);
606 os_memcpy(&ptk
->tk
[24], buf
, 8);
607 os_memset(buf
, 0, sizeof(buf
));
611 kde
= sm
->assoc_wpa_ie
;
612 kde_len
= sm
->assoc_wpa_ie_len
;
616 kde_buf
= os_malloc(kde_len
+ 2 + RSN_SELECTOR_LEN
+ 1);
619 wpa_printf(MSG_DEBUG
, "P2P: Add IP Address Request KDE "
620 "into EAPOL-Key 2/4");
621 os_memcpy(kde_buf
, kde
, kde_len
);
624 *pos
++ = WLAN_EID_VENDOR_SPECIFIC
;
625 *pos
++ = RSN_SELECTOR_LEN
+ 1;
626 RSN_SELECTOR_PUT(pos
, WFA_KEY_DATA_IP_ADDR_REQ
);
627 pos
+= RSN_SELECTOR_LEN
;
632 #endif /* CONFIG_P2P */
634 if (wpa_supplicant_send_2_of_4(sm
, sm
->bssid
, key
, ver
, sm
->snonce
,
635 kde
, kde_len
, ptk
) < 0)
639 os_memcpy(sm
->anonce
, key
->key_nonce
, WPA_NONCE_LEN
);
644 wpa_sm_deauthenticate(sm
, WLAN_REASON_UNSPECIFIED
);
648 static void wpa_sm_start_preauth(void *eloop_ctx
, void *timeout_ctx
)
650 struct wpa_sm
*sm
= eloop_ctx
;
651 rsn_preauth_candidate_process(sm
);
655 static void wpa_supplicant_key_neg_complete(struct wpa_sm
*sm
,
656 const u8
*addr
, int secure
)
658 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
659 "WPA: Key negotiation completed with "
660 MACSTR
" [PTK=%s GTK=%s]", MAC2STR(addr
),
661 wpa_cipher_txt(sm
->pairwise_cipher
),
662 wpa_cipher_txt(sm
->group_cipher
));
663 wpa_sm_cancel_auth_timeout(sm
);
664 wpa_sm_set_state(sm
, WPA_COMPLETED
);
667 wpa_sm_mlme_setprotection(
668 sm
, addr
, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX
,
669 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE
);
670 eapol_sm_notify_portValid(sm
->eapol
, TRUE
);
671 if (wpa_key_mgmt_wpa_psk(sm
->key_mgmt
) ||
672 sm
->key_mgmt
== WPA_KEY_MGMT_DPP
||
673 sm
->key_mgmt
== WPA_KEY_MGMT_OWE
)
674 eapol_sm_notify_eap_success(sm
->eapol
, TRUE
);
676 * Start preauthentication after a short wait to avoid a
677 * possible race condition between the data receive and key
678 * configuration after the 4-Way Handshake. This increases the
679 * likelihood of the first preauth EAPOL-Start frame getting to
682 eloop_register_timeout(1, 0, wpa_sm_start_preauth
, sm
, NULL
);
685 if (sm
->cur_pmksa
&& sm
->cur_pmksa
->opportunistic
) {
686 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
687 "RSN: Authenticator accepted "
688 "opportunistic PMKSA entry - marking it valid");
689 sm
->cur_pmksa
->opportunistic
= 0;
692 #ifdef CONFIG_IEEE80211R
693 if (wpa_key_mgmt_ft(sm
->key_mgmt
)) {
694 /* Prepare for the next transition */
695 wpa_ft_prepare_auth_request(sm
, NULL
);
697 #endif /* CONFIG_IEEE80211R */
701 static void wpa_sm_rekey_ptk(void *eloop_ctx
, void *timeout_ctx
)
703 struct wpa_sm
*sm
= eloop_ctx
;
704 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: Request PTK rekeying");
705 wpa_sm_key_request(sm
, 0, 1);
709 static int wpa_supplicant_install_ptk(struct wpa_sm
*sm
,
710 const struct wpa_eapol_key
*key
)
716 if (sm
->ptk
.installed
) {
717 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
718 "WPA: Do not re-install same PTK to the driver");
722 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
723 "WPA: Installing PTK to the driver");
725 if (sm
->pairwise_cipher
== WPA_CIPHER_NONE
) {
726 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: Pairwise Cipher "
727 "Suite: NONE - do not use pairwise keys");
731 if (!wpa_cipher_valid_pairwise(sm
->pairwise_cipher
)) {
732 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
733 "WPA: Unsupported pairwise cipher %d",
734 sm
->pairwise_cipher
);
738 alg
= wpa_cipher_to_alg(sm
->pairwise_cipher
);
739 keylen
= wpa_cipher_key_len(sm
->pairwise_cipher
);
740 if (keylen
<= 0 || (unsigned int) keylen
!= sm
->ptk
.tk_len
) {
741 wpa_printf(MSG_DEBUG
, "WPA: TK length mismatch: %d != %lu",
742 keylen
, (long unsigned int) sm
->ptk
.tk_len
);
745 rsclen
= wpa_cipher_rsc_len(sm
->pairwise_cipher
);
747 if (sm
->proto
== WPA_PROTO_RSN
|| sm
->proto
== WPA_PROTO_OSEN
) {
750 key_rsc
= key
->key_rsc
;
751 wpa_hexdump(MSG_DEBUG
, "WPA: RSC", key_rsc
, rsclen
);
754 if (wpa_sm_set_key(sm
, alg
, sm
->bssid
, 0, 1, key_rsc
, rsclen
,
755 sm
->ptk
.tk
, keylen
) < 0) {
756 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
757 "WPA: Failed to set PTK to the "
758 "driver (alg=%d keylen=%d bssid=" MACSTR
")",
759 alg
, keylen
, MAC2STR(sm
->bssid
));
763 /* TK is not needed anymore in supplicant */
764 os_memset(sm
->ptk
.tk
, 0, WPA_TK_MAX_LEN
);
766 sm
->ptk
.installed
= 1;
768 if (sm
->wpa_ptk_rekey
) {
769 eloop_cancel_timeout(wpa_sm_rekey_ptk
, sm
, NULL
);
770 eloop_register_timeout(sm
->wpa_ptk_rekey
, 0, wpa_sm_rekey_ptk
,
778 static int wpa_supplicant_check_group_cipher(struct wpa_sm
*sm
,
780 int keylen
, int maxkeylen
,
786 *alg
= wpa_cipher_to_alg(group_cipher
);
787 if (*alg
== WPA_ALG_NONE
) {
788 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
789 "WPA: Unsupported Group Cipher %d",
793 *key_rsc_len
= wpa_cipher_rsc_len(group_cipher
);
795 klen
= wpa_cipher_key_len(group_cipher
);
796 if (keylen
!= klen
|| maxkeylen
< klen
) {
797 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
798 "WPA: Unsupported %s Group Cipher key length %d (%d)",
799 wpa_cipher_txt(group_cipher
), keylen
, maxkeylen
);
806 struct wpa_gtk_data
{
808 int tx
, key_rsc_len
, keyidx
;
814 static int wpa_supplicant_install_gtk(struct wpa_sm
*sm
,
815 const struct wpa_gtk_data
*gd
,
816 const u8
*key_rsc
, int wnm_sleep
)
818 const u8
*_gtk
= gd
->gtk
;
821 /* Detect possible key reinstallation */
822 if ((sm
->gtk
.gtk_len
== (size_t) gd
->gtk_len
&&
823 os_memcmp(sm
->gtk
.gtk
, gd
->gtk
, sm
->gtk
.gtk_len
) == 0) ||
824 (sm
->gtk_wnm_sleep
.gtk_len
== (size_t) gd
->gtk_len
&&
825 os_memcmp(sm
->gtk_wnm_sleep
.gtk
, gd
->gtk
,
826 sm
->gtk_wnm_sleep
.gtk_len
) == 0)) {
827 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
828 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
829 gd
->keyidx
, gd
->tx
, gd
->gtk_len
);
833 wpa_hexdump_key(MSG_DEBUG
, "WPA: Group Key", gd
->gtk
, gd
->gtk_len
);
834 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
835 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
836 gd
->keyidx
, gd
->tx
, gd
->gtk_len
);
837 wpa_hexdump(MSG_DEBUG
, "WPA: RSC", key_rsc
, gd
->key_rsc_len
);
838 if (sm
->group_cipher
== WPA_CIPHER_TKIP
) {
839 /* Swap Tx/Rx keys for Michael MIC */
840 os_memcpy(gtk_buf
, gd
->gtk
, 16);
841 os_memcpy(gtk_buf
+ 16, gd
->gtk
+ 24, 8);
842 os_memcpy(gtk_buf
+ 24, gd
->gtk
+ 16, 8);
845 if (sm
->pairwise_cipher
== WPA_CIPHER_NONE
) {
846 if (wpa_sm_set_key(sm
, gd
->alg
, NULL
,
847 gd
->keyidx
, 1, key_rsc
, gd
->key_rsc_len
,
848 _gtk
, gd
->gtk_len
) < 0) {
849 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
850 "WPA: Failed to set GTK to the driver "
852 os_memset(gtk_buf
, 0, sizeof(gtk_buf
));
855 } else if (wpa_sm_set_key(sm
, gd
->alg
, broadcast_ether_addr
,
856 gd
->keyidx
, gd
->tx
, key_rsc
, gd
->key_rsc_len
,
857 _gtk
, gd
->gtk_len
) < 0) {
858 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
859 "WPA: Failed to set GTK to "
860 "the driver (alg=%d keylen=%d keyidx=%d)",
861 gd
->alg
, gd
->gtk_len
, gd
->keyidx
);
862 os_memset(gtk_buf
, 0, sizeof(gtk_buf
));
865 os_memset(gtk_buf
, 0, sizeof(gtk_buf
));
868 sm
->gtk_wnm_sleep
.gtk_len
= gd
->gtk_len
;
869 os_memcpy(sm
->gtk_wnm_sleep
.gtk
, gd
->gtk
,
870 sm
->gtk_wnm_sleep
.gtk_len
);
872 sm
->gtk
.gtk_len
= gd
->gtk_len
;
873 os_memcpy(sm
->gtk
.gtk
, gd
->gtk
, sm
->gtk
.gtk_len
);
880 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm
*sm
,
883 if (tx
&& sm
->pairwise_cipher
!= WPA_CIPHER_NONE
) {
884 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
885 * seemed to set this bit (incorrectly, since Tx is only when
886 * doing Group Key only APs) and without this workaround, the
887 * data connection does not work because wpa_supplicant
888 * configured non-zero keyidx to be used for unicast. */
889 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
890 "WPA: Tx bit set for GTK, but pairwise "
891 "keys are used - ignore Tx bit");
898 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm
*sm
,
903 if (!sm
->wpa_rsc_relaxation
)
906 rsclen
= wpa_cipher_rsc_len(sm
->group_cipher
);
909 * Try to detect RSC (endian) corruption issue where the AP sends
910 * the RSC bytes in EAPOL-Key message in the wrong order, both if
911 * it's actually a 6-byte field (as it should be) and if it treats
912 * it as an 8-byte field.
913 * An AP model known to have this bug is the Sapido RB-1632.
915 if (rsclen
== 6 && ((rsc
[5] && !rsc
[0]) || rsc
[6] || rsc
[7])) {
916 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
917 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
918 rsc
[0], rsc
[1], rsc
[2], rsc
[3],
919 rsc
[4], rsc
[5], rsc
[6], rsc
[7]);
928 static int wpa_supplicant_pairwise_gtk(struct wpa_sm
*sm
,
929 const struct wpa_eapol_key
*key
,
930 const u8
*gtk
, size_t gtk_len
,
933 struct wpa_gtk_data gd
;
937 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
939 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
940 * Reserved [bits 0-7]
944 os_memset(&gd
, 0, sizeof(gd
));
945 wpa_hexdump_key(MSG_DEBUG
, "RSN: received GTK in pairwise handshake",
948 if (gtk_len
< 2 || gtk_len
- 2 > sizeof(gd
.gtk
))
951 gd
.keyidx
= gtk
[0] & 0x3;
952 gd
.tx
= wpa_supplicant_gtk_tx_bit_workaround(sm
,
953 !!(gtk
[0] & BIT(2)));
957 os_memcpy(gd
.gtk
, gtk
, gtk_len
);
958 gd
.gtk_len
= gtk_len
;
960 key_rsc
= key
->key_rsc
;
961 if (wpa_supplicant_rsc_relaxation(sm
, key
->key_rsc
))
964 if (sm
->group_cipher
!= WPA_CIPHER_GTK_NOT_USED
&&
965 (wpa_supplicant_check_group_cipher(sm
, sm
->group_cipher
,
967 &gd
.key_rsc_len
, &gd
.alg
) ||
968 wpa_supplicant_install_gtk(sm
, &gd
, key_rsc
, 0))) {
969 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
970 "RSN: Failed to install GTK");
971 os_memset(&gd
, 0, sizeof(gd
));
974 os_memset(&gd
, 0, sizeof(gd
));
976 wpa_supplicant_key_neg_complete(sm
, sm
->bssid
,
977 key_info
& WPA_KEY_INFO_SECURE
);
982 #ifdef CONFIG_IEEE80211W
983 static int wpa_supplicant_install_igtk(struct wpa_sm
*sm
,
984 const struct wpa_igtk_kde
*igtk
,
987 size_t len
= wpa_cipher_key_len(sm
->mgmt_group_cipher
);
988 u16 keyidx
= WPA_GET_LE16(igtk
->keyid
);
990 /* Detect possible key reinstallation */
991 if ((sm
->igtk
.igtk_len
== len
&&
992 os_memcmp(sm
->igtk
.igtk
, igtk
->igtk
, sm
->igtk
.igtk_len
) == 0) ||
993 (sm
->igtk_wnm_sleep
.igtk_len
== len
&&
994 os_memcmp(sm
->igtk_wnm_sleep
.igtk
, igtk
->igtk
,
995 sm
->igtk_wnm_sleep
.igtk_len
) == 0)) {
996 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
997 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1002 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1003 "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
1004 keyidx
, MAC2STR(igtk
->pn
));
1005 wpa_hexdump_key(MSG_DEBUG
, "WPA: IGTK", igtk
->igtk
, len
);
1006 if (keyidx
> 4095) {
1007 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1008 "WPA: Invalid IGTK KeyID %d", keyidx
);
1011 if (wpa_sm_set_key(sm
, wpa_cipher_to_alg(sm
->mgmt_group_cipher
),
1012 broadcast_ether_addr
,
1013 keyidx
, 0, igtk
->pn
, sizeof(igtk
->pn
),
1014 igtk
->igtk
, len
) < 0) {
1015 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1016 "WPA: Failed to configure IGTK to the driver");
1021 sm
->igtk_wnm_sleep
.igtk_len
= len
;
1022 os_memcpy(sm
->igtk_wnm_sleep
.igtk
, igtk
->igtk
,
1023 sm
->igtk_wnm_sleep
.igtk_len
);
1025 sm
->igtk
.igtk_len
= len
;
1026 os_memcpy(sm
->igtk
.igtk
, igtk
->igtk
, sm
->igtk
.igtk_len
);
1031 #endif /* CONFIG_IEEE80211W */
1034 static int ieee80211w_set_keys(struct wpa_sm
*sm
,
1035 struct wpa_eapol_ie_parse
*ie
)
1037 #ifdef CONFIG_IEEE80211W
1038 if (!wpa_cipher_valid_mgmt_group(sm
->mgmt_group_cipher
))
1043 const struct wpa_igtk_kde
*igtk
;
1045 len
= wpa_cipher_key_len(sm
->mgmt_group_cipher
);
1046 if (ie
->igtk_len
!= WPA_IGTK_KDE_PREFIX_LEN
+ len
)
1049 igtk
= (const struct wpa_igtk_kde
*) ie
->igtk
;
1050 if (wpa_supplicant_install_igtk(sm
, igtk
, 0) < 0)
1055 #else /* CONFIG_IEEE80211W */
1057 #endif /* CONFIG_IEEE80211W */
1061 static void wpa_report_ie_mismatch(struct wpa_sm
*sm
,
1062 const char *reason
, const u8
*src_addr
,
1063 const u8
*wpa_ie
, size_t wpa_ie_len
,
1064 const u8
*rsn_ie
, size_t rsn_ie_len
)
1066 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
, "WPA: %s (src=" MACSTR
")",
1067 reason
, MAC2STR(src_addr
));
1069 if (sm
->ap_wpa_ie
) {
1070 wpa_hexdump(MSG_INFO
, "WPA: WPA IE in Beacon/ProbeResp",
1071 sm
->ap_wpa_ie
, sm
->ap_wpa_ie_len
);
1074 if (!sm
->ap_wpa_ie
) {
1075 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1076 "WPA: No WPA IE in Beacon/ProbeResp");
1078 wpa_hexdump(MSG_INFO
, "WPA: WPA IE in 3/4 msg",
1079 wpa_ie
, wpa_ie_len
);
1082 if (sm
->ap_rsn_ie
) {
1083 wpa_hexdump(MSG_INFO
, "WPA: RSN IE in Beacon/ProbeResp",
1084 sm
->ap_rsn_ie
, sm
->ap_rsn_ie_len
);
1087 if (!sm
->ap_rsn_ie
) {
1088 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1089 "WPA: No RSN IE in Beacon/ProbeResp");
1091 wpa_hexdump(MSG_INFO
, "WPA: RSN IE in 3/4 msg",
1092 rsn_ie
, rsn_ie_len
);
1095 wpa_sm_deauthenticate(sm
, WLAN_REASON_IE_IN_4WAY_DIFFERS
);
1099 #ifdef CONFIG_IEEE80211R
1101 static int ft_validate_mdie(struct wpa_sm
*sm
,
1102 const unsigned char *src_addr
,
1103 struct wpa_eapol_ie_parse
*ie
,
1104 const u8
*assoc_resp_mdie
)
1106 struct rsn_mdie
*mdie
;
1108 mdie
= (struct rsn_mdie
*) (ie
->mdie
+ 2);
1109 if (ie
->mdie
== NULL
|| ie
->mdie_len
< 2 + sizeof(*mdie
) ||
1110 os_memcmp(mdie
->mobility_domain
, sm
->mobility_domain
,
1111 MOBILITY_DOMAIN_ID_LEN
) != 0) {
1112 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "FT: MDIE in msg 3/4 did "
1113 "not match with the current mobility domain");
1117 if (assoc_resp_mdie
&&
1118 (assoc_resp_mdie
[1] != ie
->mdie
[1] ||
1119 os_memcmp(assoc_resp_mdie
, ie
->mdie
, 2 + ie
->mdie
[1]) != 0)) {
1120 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "FT: MDIE mismatch");
1121 wpa_hexdump(MSG_DEBUG
, "FT: MDIE in EAPOL-Key msg 3/4",
1122 ie
->mdie
, 2 + ie
->mdie
[1]);
1123 wpa_hexdump(MSG_DEBUG
, "FT: MDIE in (Re)Association Response",
1124 assoc_resp_mdie
, 2 + assoc_resp_mdie
[1]);
1132 static int ft_validate_ftie(struct wpa_sm
*sm
,
1133 const unsigned char *src_addr
,
1134 struct wpa_eapol_ie_parse
*ie
,
1135 const u8
*assoc_resp_ftie
)
1137 if (ie
->ftie
== NULL
) {
1138 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1139 "FT: No FTIE in EAPOL-Key msg 3/4");
1143 if (assoc_resp_ftie
== NULL
)
1146 if (assoc_resp_ftie
[1] != ie
->ftie
[1] ||
1147 os_memcmp(assoc_resp_ftie
, ie
->ftie
, 2 + ie
->ftie
[1]) != 0) {
1148 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "FT: FTIE mismatch");
1149 wpa_hexdump(MSG_DEBUG
, "FT: FTIE in EAPOL-Key msg 3/4",
1150 ie
->ftie
, 2 + ie
->ftie
[1]);
1151 wpa_hexdump(MSG_DEBUG
, "FT: FTIE in (Re)Association Response",
1152 assoc_resp_ftie
, 2 + assoc_resp_ftie
[1]);
1160 static int ft_validate_rsnie(struct wpa_sm
*sm
,
1161 const unsigned char *src_addr
,
1162 struct wpa_eapol_ie_parse
*ie
)
1164 struct wpa_ie_data rsn
;
1170 * Verify that PMKR1Name from EAPOL-Key message 3/4
1171 * matches with the value we derived.
1173 if (wpa_parse_wpa_ie_rsn(ie
->rsn_ie
, ie
->rsn_ie_len
, &rsn
) < 0 ||
1174 rsn
.num_pmkid
!= 1 || rsn
.pmkid
== NULL
) {
1175 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "FT: No PMKR1Name in "
1176 "FT 4-way handshake message 3/4");
1180 if (os_memcmp_const(rsn
.pmkid
, sm
->pmk_r1_name
, WPA_PMK_NAME_LEN
) != 0)
1182 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1183 "FT: PMKR1Name mismatch in "
1184 "FT 4-way handshake message 3/4");
1185 wpa_hexdump(MSG_DEBUG
, "FT: PMKR1Name from Authenticator",
1186 rsn
.pmkid
, WPA_PMK_NAME_LEN
);
1187 wpa_hexdump(MSG_DEBUG
, "FT: Derived PMKR1Name",
1188 sm
->pmk_r1_name
, WPA_PMK_NAME_LEN
);
1196 static int wpa_supplicant_validate_ie_ft(struct wpa_sm
*sm
,
1197 const unsigned char *src_addr
,
1198 struct wpa_eapol_ie_parse
*ie
)
1200 const u8
*pos
, *end
, *mdie
= NULL
, *ftie
= NULL
;
1202 if (sm
->assoc_resp_ies
) {
1203 pos
= sm
->assoc_resp_ies
;
1204 end
= pos
+ sm
->assoc_resp_ies_len
;
1205 while (end
- pos
> 2) {
1206 if (2 + pos
[1] > end
- pos
)
1209 case WLAN_EID_MOBILITY_DOMAIN
:
1212 case WLAN_EID_FAST_BSS_TRANSITION
:
1220 if (ft_validate_mdie(sm
, src_addr
, ie
, mdie
) < 0 ||
1221 ft_validate_ftie(sm
, src_addr
, ie
, ftie
) < 0 ||
1222 ft_validate_rsnie(sm
, src_addr
, ie
) < 0)
1228 #endif /* CONFIG_IEEE80211R */
1231 static int wpa_supplicant_validate_ie(struct wpa_sm
*sm
,
1232 const unsigned char *src_addr
,
1233 struct wpa_eapol_ie_parse
*ie
)
1235 if (sm
->ap_wpa_ie
== NULL
&& sm
->ap_rsn_ie
== NULL
) {
1236 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1237 "WPA: No WPA/RSN IE for this AP known. "
1238 "Trying to get from scan results");
1239 if (wpa_sm_get_beacon_ie(sm
) < 0) {
1240 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1241 "WPA: Could not find AP from "
1242 "the scan results");
1244 wpa_msg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1245 "WPA: Found the current AP from "
1246 "updated scan results");
1250 if (ie
->wpa_ie
== NULL
&& ie
->rsn_ie
== NULL
&&
1251 (sm
->ap_wpa_ie
|| sm
->ap_rsn_ie
)) {
1252 wpa_report_ie_mismatch(sm
, "IE in 3/4 msg does not match "
1253 "with IE in Beacon/ProbeResp (no IE?)",
1254 src_addr
, ie
->wpa_ie
, ie
->wpa_ie_len
,
1255 ie
->rsn_ie
, ie
->rsn_ie_len
);
1259 if ((ie
->wpa_ie
&& sm
->ap_wpa_ie
&&
1260 (ie
->wpa_ie_len
!= sm
->ap_wpa_ie_len
||
1261 os_memcmp(ie
->wpa_ie
, sm
->ap_wpa_ie
, ie
->wpa_ie_len
) != 0)) ||
1262 (ie
->rsn_ie
&& sm
->ap_rsn_ie
&&
1263 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm
->key_mgmt
),
1264 sm
->ap_rsn_ie
, sm
->ap_rsn_ie_len
,
1265 ie
->rsn_ie
, ie
->rsn_ie_len
))) {
1266 wpa_report_ie_mismatch(sm
, "IE in 3/4 msg does not match "
1267 "with IE in Beacon/ProbeResp",
1268 src_addr
, ie
->wpa_ie
, ie
->wpa_ie_len
,
1269 ie
->rsn_ie
, ie
->rsn_ie_len
);
1273 if (sm
->proto
== WPA_PROTO_WPA
&&
1274 ie
->rsn_ie
&& sm
->ap_rsn_ie
== NULL
&& sm
->rsn_enabled
) {
1275 wpa_report_ie_mismatch(sm
, "Possible downgrade attack "
1276 "detected - RSN was enabled and RSN IE "
1277 "was in msg 3/4, but not in "
1279 src_addr
, ie
->wpa_ie
, ie
->wpa_ie_len
,
1280 ie
->rsn_ie
, ie
->rsn_ie_len
);
1284 #ifdef CONFIG_IEEE80211R
1285 if (wpa_key_mgmt_ft(sm
->key_mgmt
) &&
1286 wpa_supplicant_validate_ie_ft(sm
, src_addr
, ie
) < 0)
1288 #endif /* CONFIG_IEEE80211R */
1295 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
1296 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1297 * @dst: Destination address for the frame
1298 * @key: Pointer to the EAPOL-Key frame header
1299 * @ver: Version bits from EAPOL-Key Key Info
1300 * @key_info: Key Info
1301 * @ptk: PTK to use for keyed hash and encryption
1302 * Returns: >= 0 on success, < 0 on failure
1304 int wpa_supplicant_send_4_of_4(struct wpa_sm
*sm
, const unsigned char *dst
,
1305 const struct wpa_eapol_key
*key
,
1306 u16 ver
, u16 key_info
,
1307 struct wpa_ptk
*ptk
)
1309 size_t mic_len
, hdrlen
, rlen
;
1310 struct wpa_eapol_key
*reply
;
1313 mic_len
= wpa_mic_len(sm
->key_mgmt
, sm
->pmk_len
);
1314 hdrlen
= sizeof(*reply
) + mic_len
+ 2;
1315 rbuf
= wpa_sm_alloc_eapol(sm
, IEEE802_1X_TYPE_EAPOL_KEY
, NULL
,
1316 hdrlen
, &rlen
, (void *) &reply
);
1320 reply
->type
= (sm
->proto
== WPA_PROTO_RSN
||
1321 sm
->proto
== WPA_PROTO_OSEN
) ?
1322 EAPOL_KEY_TYPE_RSN
: EAPOL_KEY_TYPE_WPA
;
1323 key_info
&= WPA_KEY_INFO_SECURE
;
1324 key_info
|= ver
| WPA_KEY_INFO_KEY_TYPE
;
1326 key_info
|= WPA_KEY_INFO_MIC
;
1328 key_info
|= WPA_KEY_INFO_ENCR_KEY_DATA
;
1329 WPA_PUT_BE16(reply
->key_info
, key_info
);
1330 if (sm
->proto
== WPA_PROTO_RSN
|| sm
->proto
== WPA_PROTO_OSEN
)
1331 WPA_PUT_BE16(reply
->key_length
, 0);
1333 os_memcpy(reply
->key_length
, key
->key_length
, 2);
1334 os_memcpy(reply
->replay_counter
, key
->replay_counter
,
1335 WPA_REPLAY_COUNTER_LEN
);
1337 key_mic
= (u8
*) (reply
+ 1);
1338 WPA_PUT_BE16(key_mic
+ mic_len
, 0);
1340 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: Sending EAPOL-Key 4/4");
1341 return wpa_eapol_key_send(sm
, ptk
, ver
, dst
, ETH_P_EAPOL
, rbuf
, rlen
,
1346 static void wpa_supplicant_process_3_of_4(struct wpa_sm
*sm
,
1347 const struct wpa_eapol_key
*key
,
1348 u16 ver
, const u8
*key_data
,
1349 size_t key_data_len
)
1351 u16 key_info
, keylen
;
1352 struct wpa_eapol_ie_parse ie
;
1354 wpa_sm_set_state(sm
, WPA_4WAY_HANDSHAKE
);
1355 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: RX message 3 of 4-Way "
1356 "Handshake from " MACSTR
" (ver=%d)", MAC2STR(sm
->bssid
), ver
);
1358 key_info
= WPA_GET_BE16(key
->key_info
);
1360 wpa_hexdump(MSG_DEBUG
, "WPA: IE KeyData", key_data
, key_data_len
);
1361 if (wpa_supplicant_parse_ies(key_data
, key_data_len
, &ie
) < 0)
1363 if (ie
.gtk
&& !(key_info
& WPA_KEY_INFO_ENCR_KEY_DATA
)) {
1364 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1365 "WPA: GTK IE in unencrypted key data");
1368 #ifdef CONFIG_IEEE80211W
1369 if (ie
.igtk
&& !(key_info
& WPA_KEY_INFO_ENCR_KEY_DATA
)) {
1370 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1371 "WPA: IGTK KDE in unencrypted key data");
1376 wpa_cipher_valid_mgmt_group(sm
->mgmt_group_cipher
) &&
1377 ie
.igtk_len
!= WPA_IGTK_KDE_PREFIX_LEN
+
1378 (unsigned int) wpa_cipher_key_len(sm
->mgmt_group_cipher
)) {
1379 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1380 "WPA: Invalid IGTK KDE length %lu",
1381 (unsigned long) ie
.igtk_len
);
1384 #endif /* CONFIG_IEEE80211W */
1386 if (wpa_supplicant_validate_ie(sm
, sm
->bssid
, &ie
) < 0)
1389 if (os_memcmp(sm
->anonce
, key
->key_nonce
, WPA_NONCE_LEN
) != 0) {
1390 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1391 "WPA: ANonce from message 1 of 4-Way Handshake "
1392 "differs from 3 of 4-Way Handshake - drop packet (src="
1393 MACSTR
")", MAC2STR(sm
->bssid
));
1397 keylen
= WPA_GET_BE16(key
->key_length
);
1398 if (keylen
!= wpa_cipher_key_len(sm
->pairwise_cipher
)) {
1399 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1400 "WPA: Invalid %s key length %d (src=" MACSTR
1401 ")", wpa_cipher_txt(sm
->pairwise_cipher
), keylen
,
1402 MAC2STR(sm
->bssid
));
1407 if (ie
.ip_addr_alloc
) {
1408 os_memcpy(sm
->p2p_ip_addr
, ie
.ip_addr_alloc
, 3 * 4);
1409 wpa_hexdump(MSG_DEBUG
, "P2P: IP address info",
1410 sm
->p2p_ip_addr
, sizeof(sm
->p2p_ip_addr
));
1412 #endif /* CONFIG_P2P */
1414 if (wpa_supplicant_send_4_of_4(sm
, sm
->bssid
, key
, ver
, key_info
,
1419 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
1420 * for the next 4-Way Handshake. If msg 3 is received again, the old
1421 * SNonce will still be used to avoid changing PTK. */
1422 sm
->renew_snonce
= 1;
1424 if (key_info
& WPA_KEY_INFO_INSTALL
) {
1425 if (wpa_supplicant_install_ptk(sm
, key
))
1429 if (key_info
& WPA_KEY_INFO_SECURE
) {
1430 wpa_sm_mlme_setprotection(
1431 sm
, sm
->bssid
, MLME_SETPROTECTION_PROTECT_TYPE_RX
,
1432 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE
);
1433 eapol_sm_notify_portValid(sm
->eapol
, TRUE
);
1435 wpa_sm_set_state(sm
, WPA_GROUP_HANDSHAKE
);
1437 if (sm
->group_cipher
== WPA_CIPHER_GTK_NOT_USED
) {
1438 wpa_supplicant_key_neg_complete(sm
, sm
->bssid
,
1439 key_info
& WPA_KEY_INFO_SECURE
);
1440 } else if (ie
.gtk
&&
1441 wpa_supplicant_pairwise_gtk(sm
, key
,
1442 ie
.gtk
, ie
.gtk_len
, key_info
) < 0) {
1443 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1444 "RSN: Failed to configure GTK");
1448 if (ieee80211w_set_keys(sm
, &ie
) < 0) {
1449 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1450 "RSN: Failed to configure IGTK");
1455 wpa_sm_set_rekey_offload(sm
);
1457 if (sm
->proto
== WPA_PROTO_RSN
&& wpa_key_mgmt_suite_b(sm
->key_mgmt
)) {
1458 struct rsn_pmksa_cache_entry
*sa
;
1460 sa
= pmksa_cache_add(sm
->pmksa
, sm
->pmk
, sm
->pmk_len
, NULL
,
1461 sm
->ptk
.kck
, sm
->ptk
.kck_len
,
1462 sm
->bssid
, sm
->own_addr
,
1463 sm
->network_ctx
, sm
->key_mgmt
, NULL
);
1468 sm
->msg_3_of_4_ok
= 1;
1472 wpa_sm_deauthenticate(sm
, WLAN_REASON_UNSPECIFIED
);
1476 static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm
*sm
,
1480 struct wpa_gtk_data
*gd
)
1483 struct wpa_eapol_ie_parse ie
;
1485 wpa_hexdump_key(MSG_DEBUG
, "RSN: msg 1/2 key data",
1486 keydata
, keydatalen
);
1487 if (wpa_supplicant_parse_ies(keydata
, keydatalen
, &ie
) < 0)
1489 if (ie
.gtk
&& !(key_info
& WPA_KEY_INFO_ENCR_KEY_DATA
)) {
1490 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1491 "WPA: GTK IE in unencrypted key data");
1494 if (ie
.gtk
== NULL
) {
1495 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1496 "WPA: No GTK IE in Group Key msg 1/2");
1499 maxkeylen
= gd
->gtk_len
= ie
.gtk_len
- 2;
1501 if (wpa_supplicant_check_group_cipher(sm
, sm
->group_cipher
,
1502 gd
->gtk_len
, maxkeylen
,
1503 &gd
->key_rsc_len
, &gd
->alg
))
1506 wpa_hexdump_key(MSG_DEBUG
, "RSN: received GTK in group key handshake",
1507 ie
.gtk
, ie
.gtk_len
);
1508 gd
->keyidx
= ie
.gtk
[0] & 0x3;
1509 gd
->tx
= wpa_supplicant_gtk_tx_bit_workaround(sm
,
1510 !!(ie
.gtk
[0] & BIT(2)));
1511 if (ie
.gtk_len
- 2 > sizeof(gd
->gtk
)) {
1512 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1513 "RSN: Too long GTK in GTK IE (len=%lu)",
1514 (unsigned long) ie
.gtk_len
- 2);
1517 os_memcpy(gd
->gtk
, ie
.gtk
+ 2, ie
.gtk_len
- 2);
1519 if (ieee80211w_set_keys(sm
, &ie
) < 0)
1520 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1521 "RSN: Failed to configure IGTK");
1527 static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm
*sm
,
1528 const struct wpa_eapol_key
*key
,
1530 size_t key_data_len
, u16 key_info
,
1531 u16 ver
, struct wpa_gtk_data
*gd
)
1536 gtk_len
= WPA_GET_BE16(key
->key_length
);
1537 maxkeylen
= key_data_len
;
1538 if (ver
== WPA_KEY_INFO_TYPE_HMAC_SHA1_AES
) {
1539 if (maxkeylen
< 8) {
1540 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1541 "WPA: Too short maxkeylen (%lu)",
1542 (unsigned long) maxkeylen
);
1548 if (gtk_len
> maxkeylen
||
1549 wpa_supplicant_check_group_cipher(sm
, sm
->group_cipher
,
1551 &gd
->key_rsc_len
, &gd
->alg
))
1554 gd
->gtk_len
= gtk_len
;
1555 gd
->keyidx
= (key_info
& WPA_KEY_INFO_KEY_INDEX_MASK
) >>
1556 WPA_KEY_INFO_KEY_INDEX_SHIFT
;
1557 if (ver
== WPA_KEY_INFO_TYPE_HMAC_MD5_RC4
&& sm
->ptk
.kek_len
== 16) {
1558 #ifdef CONFIG_NO_RC4
1559 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1560 "WPA: RC4 not supported in the build");
1562 #else /* CONFIG_NO_RC4 */
1564 if (key_data_len
> sizeof(gd
->gtk
)) {
1565 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1566 "WPA: RC4 key data too long (%lu)",
1567 (unsigned long) key_data_len
);
1570 os_memcpy(ek
, key
->key_iv
, 16);
1571 os_memcpy(ek
+ 16, sm
->ptk
.kek
, sm
->ptk
.kek_len
);
1572 os_memcpy(gd
->gtk
, key_data
, key_data_len
);
1573 if (rc4_skip(ek
, 32, 256, gd
->gtk
, key_data_len
)) {
1574 os_memset(ek
, 0, sizeof(ek
));
1575 wpa_msg(sm
->ctx
->msg_ctx
, MSG_ERROR
,
1579 os_memset(ek
, 0, sizeof(ek
));
1580 #endif /* CONFIG_NO_RC4 */
1581 } else if (ver
== WPA_KEY_INFO_TYPE_HMAC_SHA1_AES
) {
1582 if (maxkeylen
% 8) {
1583 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1584 "WPA: Unsupported AES-WRAP len %lu",
1585 (unsigned long) maxkeylen
);
1588 if (maxkeylen
> sizeof(gd
->gtk
)) {
1589 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1590 "WPA: AES-WRAP key data "
1591 "too long (keydatalen=%lu maxkeylen=%lu)",
1592 (unsigned long) key_data_len
,
1593 (unsigned long) maxkeylen
);
1596 if (aes_unwrap(sm
->ptk
.kek
, sm
->ptk
.kek_len
, maxkeylen
/ 8,
1597 key_data
, gd
->gtk
)) {
1598 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1599 "WPA: AES unwrap failed - could not decrypt "
1604 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1605 "WPA: Unsupported key_info type %d", ver
);
1608 gd
->tx
= wpa_supplicant_gtk_tx_bit_workaround(
1609 sm
, !!(key_info
& WPA_KEY_INFO_TXRX
));
1614 static int wpa_supplicant_send_2_of_2(struct wpa_sm
*sm
,
1615 const struct wpa_eapol_key
*key
,
1616 int ver
, u16 key_info
)
1618 size_t mic_len
, hdrlen
, rlen
;
1619 struct wpa_eapol_key
*reply
;
1622 mic_len
= wpa_mic_len(sm
->key_mgmt
, sm
->pmk_len
);
1623 hdrlen
= sizeof(*reply
) + mic_len
+ 2;
1624 rbuf
= wpa_sm_alloc_eapol(sm
, IEEE802_1X_TYPE_EAPOL_KEY
, NULL
,
1625 hdrlen
, &rlen
, (void *) &reply
);
1629 reply
->type
= (sm
->proto
== WPA_PROTO_RSN
||
1630 sm
->proto
== WPA_PROTO_OSEN
) ?
1631 EAPOL_KEY_TYPE_RSN
: EAPOL_KEY_TYPE_WPA
;
1632 key_info
&= WPA_KEY_INFO_KEY_INDEX_MASK
;
1633 key_info
|= ver
| WPA_KEY_INFO_SECURE
;
1635 key_info
|= WPA_KEY_INFO_MIC
;
1637 key_info
|= WPA_KEY_INFO_ENCR_KEY_DATA
;
1638 WPA_PUT_BE16(reply
->key_info
, key_info
);
1639 if (sm
->proto
== WPA_PROTO_RSN
|| sm
->proto
== WPA_PROTO_OSEN
)
1640 WPA_PUT_BE16(reply
->key_length
, 0);
1642 os_memcpy(reply
->key_length
, key
->key_length
, 2);
1643 os_memcpy(reply
->replay_counter
, key
->replay_counter
,
1644 WPA_REPLAY_COUNTER_LEN
);
1646 key_mic
= (u8
*) (reply
+ 1);
1647 WPA_PUT_BE16(key_mic
+ mic_len
, 0);
1649 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: Sending EAPOL-Key 2/2");
1650 return wpa_eapol_key_send(sm
, &sm
->ptk
, ver
, sm
->bssid
, ETH_P_EAPOL
,
1651 rbuf
, rlen
, key_mic
);
1655 static void wpa_supplicant_process_1_of_2(struct wpa_sm
*sm
,
1656 const unsigned char *src_addr
,
1657 const struct wpa_eapol_key
*key
,
1659 size_t key_data_len
, u16 ver
)
1663 struct wpa_gtk_data gd
;
1666 if (!sm
->msg_3_of_4_ok
&& !wpa_fils_is_completed(sm
)) {
1667 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1668 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
1672 os_memset(&gd
, 0, sizeof(gd
));
1674 rekey
= wpa_sm_get_state(sm
) == WPA_COMPLETED
;
1675 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: RX message 1 of Group Key "
1676 "Handshake from " MACSTR
" (ver=%d)", MAC2STR(src_addr
), ver
);
1678 key_info
= WPA_GET_BE16(key
->key_info
);
1680 if (sm
->proto
== WPA_PROTO_RSN
|| sm
->proto
== WPA_PROTO_OSEN
) {
1681 ret
= wpa_supplicant_process_1_of_2_rsn(sm
, key_data
,
1682 key_data_len
, key_info
,
1685 ret
= wpa_supplicant_process_1_of_2_wpa(sm
, key
, key_data
,
1687 key_info
, ver
, &gd
);
1690 wpa_sm_set_state(sm
, WPA_GROUP_HANDSHAKE
);
1695 key_rsc
= key
->key_rsc
;
1696 if (wpa_supplicant_rsc_relaxation(sm
, key
->key_rsc
))
1699 if (wpa_supplicant_install_gtk(sm
, &gd
, key_rsc
, 0) ||
1700 wpa_supplicant_send_2_of_2(sm
, key
, ver
, key_info
) < 0)
1702 os_memset(&gd
, 0, sizeof(gd
));
1705 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
, "WPA: Group rekeying "
1706 "completed with " MACSTR
" [GTK=%s]",
1707 MAC2STR(sm
->bssid
), wpa_cipher_txt(sm
->group_cipher
));
1708 wpa_sm_cancel_auth_timeout(sm
);
1709 wpa_sm_set_state(sm
, WPA_COMPLETED
);
1711 wpa_supplicant_key_neg_complete(sm
, sm
->bssid
,
1713 WPA_KEY_INFO_SECURE
);
1716 wpa_sm_set_rekey_offload(sm
);
1721 os_memset(&gd
, 0, sizeof(gd
));
1722 wpa_sm_deauthenticate(sm
, WLAN_REASON_UNSPECIFIED
);
1726 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm
*sm
,
1727 struct wpa_eapol_key
*key
,
1729 const u8
*buf
, size_t len
)
1731 u8 mic
[WPA_EAPOL_KEY_MIC_MAX_LEN
];
1733 size_t mic_len
= wpa_mic_len(sm
->key_mgmt
, sm
->pmk_len
);
1735 os_memcpy(mic
, key
+ 1, mic_len
);
1737 os_memset(key
+ 1, 0, mic_len
);
1738 if (wpa_eapol_key_mic(sm
->tptk
.kck
, sm
->tptk
.kck_len
,
1740 ver
, buf
, len
, (u8
*) (key
+ 1)) < 0 ||
1741 os_memcmp_const(mic
, key
+ 1, mic_len
) != 0) {
1742 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1743 "WPA: Invalid EAPOL-Key MIC "
1744 "when using TPTK - ignoring TPTK");
1749 os_memcpy(&sm
->ptk
, &sm
->tptk
, sizeof(sm
->ptk
));
1750 os_memset(&sm
->tptk
, 0, sizeof(sm
->tptk
));
1752 * This assures the same TPTK in sm->tptk can never be
1753 * copied twice to sm->ptk as the new PTK. In
1754 * combination with the installed flag in the wpa_ptk
1755 * struct, this assures the same PTK is only installed
1758 sm
->renew_snonce
= 1;
1762 if (!ok
&& sm
->ptk_set
) {
1763 os_memset(key
+ 1, 0, mic_len
);
1764 if (wpa_eapol_key_mic(sm
->ptk
.kck
, sm
->ptk
.kck_len
,
1766 ver
, buf
, len
, (u8
*) (key
+ 1)) < 0 ||
1767 os_memcmp_const(mic
, key
+ 1, mic_len
) != 0) {
1768 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1769 "WPA: Invalid EAPOL-Key MIC - "
1777 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1778 "WPA: Could not verify EAPOL-Key MIC - "
1783 os_memcpy(sm
->rx_replay_counter
, key
->replay_counter
,
1784 WPA_REPLAY_COUNTER_LEN
);
1785 sm
->rx_replay_counter_set
= 1;
1790 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
1791 static int wpa_supplicant_decrypt_key_data(struct wpa_sm
*sm
,
1792 struct wpa_eapol_key
*key
,
1793 size_t mic_len
, u16 ver
,
1794 u8
*key_data
, size_t *key_data_len
)
1796 wpa_hexdump(MSG_DEBUG
, "RSN: encrypted key data",
1797 key_data
, *key_data_len
);
1799 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1800 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
1805 /* Decrypt key data here so that this operation does not need
1806 * to be implemented separately for each message type. */
1807 if (ver
== WPA_KEY_INFO_TYPE_HMAC_MD5_RC4
&& sm
->ptk
.kek_len
== 16) {
1808 #ifdef CONFIG_NO_RC4
1809 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1810 "WPA: RC4 not supported in the build");
1812 #else /* CONFIG_NO_RC4 */
1815 wpa_printf(MSG_DEBUG
, "WPA: Decrypt Key Data using RC4");
1816 os_memcpy(ek
, key
->key_iv
, 16);
1817 os_memcpy(ek
+ 16, sm
->ptk
.kek
, sm
->ptk
.kek_len
);
1818 if (rc4_skip(ek
, 32, 256, key_data
, *key_data_len
)) {
1819 os_memset(ek
, 0, sizeof(ek
));
1820 wpa_msg(sm
->ctx
->msg_ctx
, MSG_ERROR
,
1824 os_memset(ek
, 0, sizeof(ek
));
1825 #endif /* CONFIG_NO_RC4 */
1826 } else if (ver
== WPA_KEY_INFO_TYPE_HMAC_SHA1_AES
||
1827 ver
== WPA_KEY_INFO_TYPE_AES_128_CMAC
||
1828 wpa_use_aes_key_wrap(sm
->key_mgmt
)) {
1831 wpa_printf(MSG_DEBUG
,
1832 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
1833 (unsigned int) sm
->ptk
.kek_len
);
1834 if (*key_data_len
< 8 || *key_data_len
% 8) {
1835 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1836 "WPA: Unsupported AES-WRAP len %u",
1837 (unsigned int) *key_data_len
);
1840 *key_data_len
-= 8; /* AES-WRAP adds 8 bytes */
1841 buf
= os_malloc(*key_data_len
);
1843 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1844 "WPA: No memory for AES-UNWRAP buffer");
1847 if (aes_unwrap(sm
->ptk
.kek
, sm
->ptk
.kek_len
, *key_data_len
/ 8,
1849 bin_clear_free(buf
, *key_data_len
);
1850 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1851 "WPA: AES unwrap failed - "
1852 "could not decrypt EAPOL-Key key data");
1855 os_memcpy(key_data
, buf
, *key_data_len
);
1856 bin_clear_free(buf
, *key_data_len
);
1857 WPA_PUT_BE16(((u8
*) (key
+ 1)) + mic_len
, *key_data_len
);
1859 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1860 "WPA: Unsupported key_info type %d", ver
);
1863 wpa_hexdump_key(MSG_DEBUG
, "WPA: decrypted EAPOL-Key key data",
1864 key_data
, *key_data_len
);
1870 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
1871 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1873 void wpa_sm_aborted_cached(struct wpa_sm
*sm
)
1875 if (sm
&& sm
->cur_pmksa
) {
1876 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1877 "RSN: Cancelling PMKSA caching attempt");
1878 sm
->cur_pmksa
= NULL
;
1883 static void wpa_eapol_key_dump(struct wpa_sm
*sm
,
1884 const struct wpa_eapol_key
*key
,
1885 unsigned int key_data_len
,
1886 const u8
*mic
, unsigned int mic_len
)
1888 #ifndef CONFIG_NO_STDOUT_DEBUG
1889 u16 key_info
= WPA_GET_BE16(key
->key_info
);
1891 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, " EAPOL-Key type=%d", key
->type
);
1892 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1893 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
1894 key_info
, key_info
& WPA_KEY_INFO_TYPE_MASK
,
1895 (key_info
& WPA_KEY_INFO_KEY_INDEX_MASK
) >>
1896 WPA_KEY_INFO_KEY_INDEX_SHIFT
,
1897 (key_info
& (BIT(13) | BIT(14) | BIT(15))) >> 13,
1898 key_info
& WPA_KEY_INFO_KEY_TYPE
? "Pairwise" : "Group",
1899 key_info
& WPA_KEY_INFO_INSTALL
? " Install" : "",
1900 key_info
& WPA_KEY_INFO_ACK
? " Ack" : "",
1901 key_info
& WPA_KEY_INFO_MIC
? " MIC" : "",
1902 key_info
& WPA_KEY_INFO_SECURE
? " Secure" : "",
1903 key_info
& WPA_KEY_INFO_ERROR
? " Error" : "",
1904 key_info
& WPA_KEY_INFO_REQUEST
? " Request" : "",
1905 key_info
& WPA_KEY_INFO_ENCR_KEY_DATA
? " Encr" : "");
1906 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1907 " key_length=%u key_data_length=%u",
1908 WPA_GET_BE16(key
->key_length
), key_data_len
);
1909 wpa_hexdump(MSG_DEBUG
, " replay_counter",
1910 key
->replay_counter
, WPA_REPLAY_COUNTER_LEN
);
1911 wpa_hexdump(MSG_DEBUG
, " key_nonce", key
->key_nonce
, WPA_NONCE_LEN
);
1912 wpa_hexdump(MSG_DEBUG
, " key_iv", key
->key_iv
, 16);
1913 wpa_hexdump(MSG_DEBUG
, " key_rsc", key
->key_rsc
, 8);
1914 wpa_hexdump(MSG_DEBUG
, " key_id (reserved)", key
->key_id
, 8);
1915 wpa_hexdump(MSG_DEBUG
, " key_mic", mic
, mic_len
);
1916 #endif /* CONFIG_NO_STDOUT_DEBUG */
1921 static int wpa_supp_aead_decrypt(struct wpa_sm
*sm
, u8
*buf
, size_t buf_len
,
1922 size_t *key_data_len
)
1924 struct wpa_ptk
*ptk
;
1925 struct ieee802_1x_hdr
*hdr
;
1926 struct wpa_eapol_key
*key
;
1931 if (*key_data_len
< AES_BLOCK_SIZE
) {
1932 wpa_printf(MSG_INFO
, "No room for AES-SIV data in the frame");
1938 else if (sm
->ptk_set
)
1943 hdr
= (struct ieee802_1x_hdr
*) buf
;
1944 key
= (struct wpa_eapol_key
*) (hdr
+ 1);
1945 pos
= (u8
*) (key
+ 1);
1946 pos
+= 2; /* Pointing at the Encrypted Key Data field */
1948 tmp
= os_malloc(*key_data_len
);
1952 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1953 * to Key Data (exclusive). */
1955 aad_len
[0] = pos
- buf
;
1956 if (aes_siv_decrypt(ptk
->kek
, ptk
->kek_len
, pos
, *key_data_len
,
1957 1, aad
, aad_len
, tmp
) < 0) {
1958 wpa_printf(MSG_INFO
, "Invalid AES-SIV data in the frame");
1959 bin_clear_free(tmp
, *key_data_len
);
1963 /* AEAD decryption and validation completed successfully */
1964 (*key_data_len
) -= AES_BLOCK_SIZE
;
1965 wpa_hexdump_key(MSG_DEBUG
, "WPA: Decrypted Key Data",
1966 tmp
, *key_data_len
);
1968 /* Replace Key Data field with the decrypted version */
1969 os_memcpy(pos
, tmp
, *key_data_len
);
1970 pos
-= 2; /* Key Data Length field */
1971 WPA_PUT_BE16(pos
, *key_data_len
);
1972 bin_clear_free(tmp
, *key_data_len
);
1977 os_memcpy(&sm
->ptk
, &sm
->tptk
, sizeof(sm
->ptk
));
1978 os_memset(&sm
->tptk
, 0, sizeof(sm
->tptk
));
1981 os_memcpy(sm
->rx_replay_counter
, key
->replay_counter
,
1982 WPA_REPLAY_COUNTER_LEN
);
1983 sm
->rx_replay_counter_set
= 1;
1987 #endif /* CONFIG_FILS */
1991 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
1992 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1993 * @src_addr: Source MAC address of the EAPOL packet
1994 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
1995 * @len: Length of the EAPOL frame
1996 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
1998 * This function is called for each received EAPOL frame. Other than EAPOL-Key
1999 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
2000 * only processing WPA and WPA2 EAPOL-Key frames.
2002 * The received EAPOL-Key packets are validated and valid packets are replied
2003 * to. In addition, key material (PTK, GTK) is configured at the end of a
2004 * successful key handshake.
2006 int wpa_sm_rx_eapol(struct wpa_sm
*sm
, const u8
*src_addr
,
2007 const u8
*buf
, size_t len
)
2009 size_t plen
, data_len
, key_data_len
;
2010 const struct ieee802_1x_hdr
*hdr
;
2011 struct wpa_eapol_key
*key
;
2016 size_t mic_len
, keyhdrlen
;
2018 #ifdef CONFIG_IEEE80211R
2019 sm
->ft_completed
= 0;
2020 #endif /* CONFIG_IEEE80211R */
2022 mic_len
= wpa_mic_len(sm
->key_mgmt
, sm
->pmk_len
);
2023 keyhdrlen
= sizeof(*key
) + mic_len
+ 2;
2025 if (len
< sizeof(*hdr
) + keyhdrlen
) {
2026 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2027 "WPA: EAPOL frame too short to be a WPA "
2028 "EAPOL-Key (len %lu, expecting at least %lu)",
2029 (unsigned long) len
,
2030 (unsigned long) sizeof(*hdr
) + keyhdrlen
);
2034 hdr
= (const struct ieee802_1x_hdr
*) buf
;
2035 plen
= be_to_host16(hdr
->length
);
2036 data_len
= plen
+ sizeof(*hdr
);
2037 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2038 "IEEE 802.1X RX: version=%d type=%d length=%lu",
2039 hdr
->version
, hdr
->type
, (unsigned long) plen
);
2041 if (hdr
->version
< EAPOL_VERSION
) {
2042 /* TODO: backwards compatibility */
2044 if (hdr
->type
!= IEEE802_1X_TYPE_EAPOL_KEY
) {
2045 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2046 "WPA: EAPOL frame (type %u) discarded, "
2047 "not a Key frame", hdr
->type
);
2051 wpa_hexdump(MSG_MSGDUMP
, "WPA: RX EAPOL-Key", buf
, len
);
2052 if (plen
> len
- sizeof(*hdr
) || plen
< keyhdrlen
) {
2053 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2054 "WPA: EAPOL frame payload size %lu "
2055 "invalid (frame size %lu)",
2056 (unsigned long) plen
, (unsigned long) len
);
2060 if (data_len
< len
) {
2061 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2062 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
2063 (unsigned long) len
- data_len
);
2067 * Make a copy of the frame since we need to modify the buffer during
2068 * MAC validation and Key Data decryption.
2070 tmp
= os_memdup(buf
, data_len
);
2073 key
= (struct wpa_eapol_key
*) (tmp
+ sizeof(struct ieee802_1x_hdr
));
2074 mic
= (u8
*) (key
+ 1);
2075 key_data
= mic
+ mic_len
+ 2;
2077 if (key
->type
!= EAPOL_KEY_TYPE_WPA
&& key
->type
!= EAPOL_KEY_TYPE_RSN
)
2079 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2080 "WPA: EAPOL-Key type (%d) unknown, discarded",
2086 key_data_len
= WPA_GET_BE16(mic
+ mic_len
);
2087 wpa_eapol_key_dump(sm
, key
, key_data_len
, mic
, mic_len
);
2089 if (key_data_len
> plen
- keyhdrlen
) {
2090 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
, "WPA: Invalid EAPOL-Key "
2091 "frame - key_data overflow (%u > %u)",
2092 (unsigned int) key_data_len
,
2093 (unsigned int) (plen
- keyhdrlen
));
2097 eapol_sm_notify_lower_layer_success(sm
->eapol
, 0);
2098 key_info
= WPA_GET_BE16(key
->key_info
);
2099 ver
= key_info
& WPA_KEY_INFO_TYPE_MASK
;
2100 if (ver
!= WPA_KEY_INFO_TYPE_HMAC_MD5_RC4
&&
2101 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
2102 ver
!= WPA_KEY_INFO_TYPE_AES_128_CMAC
&&
2103 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
2104 ver
!= WPA_KEY_INFO_TYPE_HMAC_SHA1_AES
&&
2105 !wpa_use_akm_defined(sm
->key_mgmt
)) {
2106 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2107 "WPA: Unsupported EAPOL-Key descriptor version %d",
2112 if (wpa_use_akm_defined(sm
->key_mgmt
) &&
2113 ver
!= WPA_KEY_INFO_TYPE_AKM_DEFINED
) {
2114 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2115 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
2120 #ifdef CONFIG_IEEE80211R
2121 if (wpa_key_mgmt_ft(sm
->key_mgmt
)) {
2122 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
2123 if (ver
!= WPA_KEY_INFO_TYPE_AES_128_CMAC
&&
2124 !wpa_use_akm_defined(sm
->key_mgmt
)) {
2125 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2126 "FT: AP did not use AES-128-CMAC");
2130 #endif /* CONFIG_IEEE80211R */
2131 #ifdef CONFIG_IEEE80211W
2132 if (wpa_key_mgmt_sha256(sm
->key_mgmt
)) {
2133 if (ver
!= WPA_KEY_INFO_TYPE_AES_128_CMAC
&&
2134 !wpa_use_akm_defined(sm
->key_mgmt
)) {
2135 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2136 "WPA: AP did not use the "
2137 "negotiated AES-128-CMAC");
2141 #endif /* CONFIG_IEEE80211W */
2142 if (sm
->pairwise_cipher
== WPA_CIPHER_CCMP
&&
2143 !wpa_use_akm_defined(sm
->key_mgmt
) &&
2144 ver
!= WPA_KEY_INFO_TYPE_HMAC_SHA1_AES
) {
2145 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2146 "WPA: CCMP is used, but EAPOL-Key "
2147 "descriptor version (%d) is not 2", ver
);
2148 if (sm
->group_cipher
!= WPA_CIPHER_CCMP
&&
2149 !(key_info
& WPA_KEY_INFO_KEY_TYPE
)) {
2150 /* Earlier versions of IEEE 802.11i did not explicitly
2151 * require version 2 descriptor for all EAPOL-Key
2152 * packets, so allow group keys to use version 1 if
2153 * CCMP is not used for them. */
2154 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2155 "WPA: Backwards compatibility: allow invalid "
2156 "version for non-CCMP group keys");
2157 } else if (ver
== WPA_KEY_INFO_TYPE_AES_128_CMAC
) {
2158 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2159 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
2162 } else if (sm
->pairwise_cipher
== WPA_CIPHER_GCMP
&&
2163 !wpa_use_akm_defined(sm
->key_mgmt
) &&
2164 ver
!= WPA_KEY_INFO_TYPE_HMAC_SHA1_AES
) {
2165 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2166 "WPA: GCMP is used, but EAPOL-Key "
2167 "descriptor version (%d) is not 2", ver
);
2171 if (sm
->rx_replay_counter_set
&&
2172 os_memcmp(key
->replay_counter
, sm
->rx_replay_counter
,
2173 WPA_REPLAY_COUNTER_LEN
) <= 0) {
2174 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
2175 "WPA: EAPOL-Key Replay Counter did not increase - "
2180 if (key_info
& WPA_KEY_INFO_SMK_MESSAGE
) {
2181 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2182 "WPA: Unsupported SMK bit in key_info");
2186 if (!(key_info
& WPA_KEY_INFO_ACK
)) {
2187 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2188 "WPA: No Ack bit in key_info");
2192 if (key_info
& WPA_KEY_INFO_REQUEST
) {
2193 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
2194 "WPA: EAPOL-Key with Request bit - dropped");
2198 if ((key_info
& WPA_KEY_INFO_MIC
) &&
2199 wpa_supplicant_verify_eapol_key_mic(sm
, key
, ver
, tmp
, data_len
))
2203 if (!mic_len
&& (key_info
& WPA_KEY_INFO_ENCR_KEY_DATA
)) {
2204 if (wpa_supp_aead_decrypt(sm
, tmp
, data_len
, &key_data_len
))
2207 #endif /* CONFIG_FILS */
2209 if ((sm
->proto
== WPA_PROTO_RSN
|| sm
->proto
== WPA_PROTO_OSEN
) &&
2210 (key_info
& WPA_KEY_INFO_ENCR_KEY_DATA
) && mic_len
) {
2211 if (wpa_supplicant_decrypt_key_data(sm
, key
, mic_len
,
2217 if (key_info
& WPA_KEY_INFO_KEY_TYPE
) {
2218 if (key_info
& WPA_KEY_INFO_KEY_INDEX_MASK
) {
2219 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
2220 "WPA: Ignored EAPOL-Key (Pairwise) with "
2221 "non-zero key index");
2224 if (key_info
& (WPA_KEY_INFO_MIC
|
2225 WPA_KEY_INFO_ENCR_KEY_DATA
)) {
2226 /* 3/4 4-Way Handshake */
2227 wpa_supplicant_process_3_of_4(sm
, key
, ver
, key_data
,
2230 /* 1/4 4-Way Handshake */
2231 wpa_supplicant_process_1_of_4(sm
, src_addr
, key
,
2236 if ((mic_len
&& (key_info
& WPA_KEY_INFO_MIC
)) ||
2237 (!mic_len
&& (key_info
& WPA_KEY_INFO_ENCR_KEY_DATA
))) {
2238 /* 1/2 Group Key Handshake */
2239 wpa_supplicant_process_1_of_2(sm
, src_addr
, key
,
2240 key_data
, key_data_len
,
2243 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
2244 "WPA: EAPOL-Key (Group) without Mic/Encr bit - "
2252 bin_clear_free(tmp
, data_len
);
2257 #ifdef CONFIG_CTRL_IFACE
2258 static u32
wpa_key_mgmt_suite(struct wpa_sm
*sm
)
2260 switch (sm
->key_mgmt
) {
2261 case WPA_KEY_MGMT_IEEE8021X
:
2262 return ((sm
->proto
== WPA_PROTO_RSN
||
2263 sm
->proto
== WPA_PROTO_OSEN
) ?
2264 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X
:
2265 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X
);
2266 case WPA_KEY_MGMT_PSK
:
2267 return (sm
->proto
== WPA_PROTO_RSN
?
2268 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X
:
2269 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X
);
2270 #ifdef CONFIG_IEEE80211R
2271 case WPA_KEY_MGMT_FT_IEEE8021X
:
2272 return RSN_AUTH_KEY_MGMT_FT_802_1X
;
2273 case WPA_KEY_MGMT_FT_PSK
:
2274 return RSN_AUTH_KEY_MGMT_FT_PSK
;
2275 #endif /* CONFIG_IEEE80211R */
2276 #ifdef CONFIG_IEEE80211W
2277 case WPA_KEY_MGMT_IEEE8021X_SHA256
:
2278 return RSN_AUTH_KEY_MGMT_802_1X_SHA256
;
2279 case WPA_KEY_MGMT_PSK_SHA256
:
2280 return RSN_AUTH_KEY_MGMT_PSK_SHA256
;
2281 #endif /* CONFIG_IEEE80211W */
2282 case WPA_KEY_MGMT_CCKM
:
2283 return (sm
->proto
== WPA_PROTO_RSN
?
2284 RSN_AUTH_KEY_MGMT_CCKM
:
2285 WPA_AUTH_KEY_MGMT_CCKM
);
2286 case WPA_KEY_MGMT_WPA_NONE
:
2287 return WPA_AUTH_KEY_MGMT_NONE
;
2288 case WPA_KEY_MGMT_IEEE8021X_SUITE_B
:
2289 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B
;
2290 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192
:
2291 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192
;
2298 #define RSN_SUITE "%02x-%02x-%02x-%d"
2299 #define RSN_SUITE_ARG(s) \
2300 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2303 * wpa_sm_get_mib - Dump text list of MIB entries
2304 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2305 * @buf: Buffer for the list
2306 * @buflen: Length of the buffer
2307 * Returns: Number of bytes written to buffer
2309 * This function is used fetch dot11 MIB variables.
2311 int wpa_sm_get_mib(struct wpa_sm
*sm
, char *buf
, size_t buflen
)
2313 char pmkid_txt
[PMKID_LEN
* 2 + 1];
2317 if (sm
->cur_pmksa
) {
2318 wpa_snprintf_hex(pmkid_txt
, sizeof(pmkid_txt
),
2319 sm
->cur_pmksa
->pmkid
, PMKID_LEN
);
2321 pmkid_txt
[0] = '\0';
2323 if ((wpa_key_mgmt_wpa_psk(sm
->key_mgmt
) ||
2324 wpa_key_mgmt_wpa_ieee8021x(sm
->key_mgmt
)) &&
2325 sm
->proto
== WPA_PROTO_RSN
)
2330 ret
= os_snprintf(buf
, buflen
,
2331 "dot11RSNAOptionImplemented=TRUE\n"
2332 "dot11RSNAPreauthenticationImplemented=TRUE\n"
2333 "dot11RSNAEnabled=%s\n"
2334 "dot11RSNAPreauthenticationEnabled=%s\n"
2335 "dot11RSNAConfigVersion=%d\n"
2336 "dot11RSNAConfigPairwiseKeysSupported=5\n"
2337 "dot11RSNAConfigGroupCipherSize=%d\n"
2338 "dot11RSNAConfigPMKLifetime=%d\n"
2339 "dot11RSNAConfigPMKReauthThreshold=%d\n"
2340 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
2341 "dot11RSNAConfigSATimeout=%d\n",
2342 rsna
? "TRUE" : "FALSE",
2343 rsna
? "TRUE" : "FALSE",
2345 wpa_cipher_key_len(sm
->group_cipher
) * 8,
2346 sm
->dot11RSNAConfigPMKLifetime
,
2347 sm
->dot11RSNAConfigPMKReauthThreshold
,
2348 sm
->dot11RSNAConfigSATimeout
);
2349 if (os_snprintf_error(buflen
, ret
))
2354 buf
+ len
, buflen
- len
,
2355 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE
"\n"
2356 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE
"\n"
2357 "dot11RSNAGroupCipherSelected=" RSN_SUITE
"\n"
2358 "dot11RSNAPMKIDUsed=%s\n"
2359 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE
"\n"
2360 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE
"\n"
2361 "dot11RSNAGroupCipherRequested=" RSN_SUITE
"\n"
2362 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
2363 "dot11RSNA4WayHandshakeFailures=%u\n",
2364 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm
)),
2365 RSN_SUITE_ARG(wpa_cipher_to_suite(sm
->proto
,
2366 sm
->pairwise_cipher
)),
2367 RSN_SUITE_ARG(wpa_cipher_to_suite(sm
->proto
,
2370 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm
)),
2371 RSN_SUITE_ARG(wpa_cipher_to_suite(sm
->proto
,
2372 sm
->pairwise_cipher
)),
2373 RSN_SUITE_ARG(wpa_cipher_to_suite(sm
->proto
,
2375 sm
->dot11RSNA4WayHandshakeFailures
);
2376 if (!os_snprintf_error(buflen
- len
, ret
))
2381 #endif /* CONFIG_CTRL_IFACE */
2384 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry
*entry
,
2385 void *ctx
, enum pmksa_free_reason reason
)
2387 struct wpa_sm
*sm
= ctx
;
2390 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "RSN: PMKSA cache entry free_cb: "
2391 MACSTR
" reason=%d", MAC2STR(entry
->aa
), reason
);
2393 if (sm
->cur_pmksa
== entry
) {
2394 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2395 "RSN: %s current PMKSA entry",
2396 reason
== PMKSA_REPLACE
? "replaced" : "removed");
2397 pmksa_cache_clear_current(sm
);
2400 * If an entry is simply being replaced, there's no need to
2401 * deauthenticate because it will be immediately re-added.
2402 * This happens when EAP authentication is completed again
2403 * (reauth or failed PMKSA caching attempt).
2405 if (reason
!= PMKSA_REPLACE
)
2409 if (reason
== PMKSA_EXPIRE
&&
2410 (sm
->pmk_len
== entry
->pmk_len
&&
2411 os_memcmp(sm
->pmk
, entry
->pmk
, sm
->pmk_len
) == 0)) {
2412 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2413 "RSN: deauthenticating due to expired PMK");
2414 pmksa_cache_clear_current(sm
);
2419 os_memset(sm
->pmk
, 0, sizeof(sm
->pmk
));
2420 wpa_sm_deauthenticate(sm
, WLAN_REASON_UNSPECIFIED
);
2426 * wpa_sm_init - Initialize WPA state machine
2427 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
2428 * Returns: Pointer to the allocated WPA state machine data
2430 * This function is used to allocate a new WPA state machine and the returned
2431 * value is passed to all WPA state machine calls.
2433 struct wpa_sm
* wpa_sm_init(struct wpa_sm_ctx
*ctx
)
2437 sm
= os_zalloc(sizeof(*sm
));
2440 dl_list_init(&sm
->pmksa_candidates
);
2441 sm
->renew_snonce
= 1;
2444 sm
->dot11RSNAConfigPMKLifetime
= 43200;
2445 sm
->dot11RSNAConfigPMKReauthThreshold
= 70;
2446 sm
->dot11RSNAConfigSATimeout
= 60;
2448 sm
->pmksa
= pmksa_cache_init(wpa_sm_pmksa_free_cb
, sm
, sm
);
2449 if (sm
->pmksa
== NULL
) {
2450 wpa_msg(sm
->ctx
->msg_ctx
, MSG_ERROR
,
2451 "RSN: PMKSA cache initialization failed");
2461 * wpa_sm_deinit - Deinitialize WPA state machine
2462 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2464 void wpa_sm_deinit(struct wpa_sm
*sm
)
2468 pmksa_cache_deinit(sm
->pmksa
);
2469 eloop_cancel_timeout(wpa_sm_start_preauth
, sm
, NULL
);
2470 eloop_cancel_timeout(wpa_sm_rekey_ptk
, sm
, NULL
);
2471 os_free(sm
->assoc_wpa_ie
);
2472 os_free(sm
->ap_wpa_ie
);
2473 os_free(sm
->ap_rsn_ie
);
2476 #ifdef CONFIG_IEEE80211R
2477 os_free(sm
->assoc_resp_ies
);
2478 #endif /* CONFIG_IEEE80211R */
2479 #ifdef CONFIG_TESTING_OPTIONS
2480 wpabuf_free(sm
->test_assoc_ie
);
2481 #endif /* CONFIG_TESTING_OPTIONS */
2482 #ifdef CONFIG_FILS_SK_PFS
2483 crypto_ecdh_deinit(sm
->fils_ecdh
);
2484 #endif /* CONFIG_FILS_SK_PFS */
2486 wpabuf_free(sm
->fils_ft_ies
);
2487 #endif /* CONFIG_FILS */
2489 crypto_ecdh_deinit(sm
->owe_ecdh
);
2490 #endif /* CONFIG_OWE */
2496 * wpa_sm_notify_assoc - Notify WPA state machine about association
2497 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2498 * @bssid: The BSSID of the new association
2500 * This function is called to let WPA state machine know that the connection
2503 void wpa_sm_notify_assoc(struct wpa_sm
*sm
, const u8
*bssid
)
2510 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2511 "WPA: Association event - clear replay counter");
2512 os_memcpy(sm
->bssid
, bssid
, ETH_ALEN
);
2513 os_memset(sm
->rx_replay_counter
, 0, WPA_REPLAY_COUNTER_LEN
);
2514 sm
->rx_replay_counter_set
= 0;
2515 sm
->renew_snonce
= 1;
2516 if (os_memcmp(sm
->preauth_bssid
, bssid
, ETH_ALEN
) == 0)
2517 rsn_preauth_deinit(sm
);
2519 #ifdef CONFIG_IEEE80211R
2520 if (wpa_ft_is_completed(sm
)) {
2522 * Clear portValid to kick EAPOL state machine to re-enter
2523 * AUTHENTICATED state to get the EAPOL port Authorized.
2525 eapol_sm_notify_portValid(sm
->eapol
, FALSE
);
2526 wpa_supplicant_key_neg_complete(sm
, sm
->bssid
, 1);
2528 /* Prepare for the next transition */
2529 wpa_ft_prepare_auth_request(sm
, NULL
);
2533 #endif /* CONFIG_IEEE80211R */
2535 if (sm
->fils_completed
) {
2537 * Clear portValid to kick EAPOL state machine to re-enter
2538 * AUTHENTICATED state to get the EAPOL port Authorized.
2540 wpa_supplicant_key_neg_complete(sm
, sm
->bssid
, 1);
2543 #endif /* CONFIG_FILS */
2547 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
2548 * this is not part of a Fast BSS Transition.
2550 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: Clear old PTK");
2552 os_memset(&sm
->ptk
, 0, sizeof(sm
->ptk
));
2554 os_memset(&sm
->tptk
, 0, sizeof(sm
->tptk
));
2555 os_memset(&sm
->gtk
, 0, sizeof(sm
->gtk
));
2556 os_memset(&sm
->gtk_wnm_sleep
, 0, sizeof(sm
->gtk_wnm_sleep
));
2557 #ifdef CONFIG_IEEE80211W
2558 os_memset(&sm
->igtk
, 0, sizeof(sm
->igtk
));
2559 os_memset(&sm
->igtk_wnm_sleep
, 0, sizeof(sm
->igtk_wnm_sleep
));
2560 #endif /* CONFIG_IEEE80211W */
2565 #endif /* CONFIG_TDLS */
2568 os_memset(sm
->p2p_ip_addr
, 0, sizeof(sm
->p2p_ip_addr
));
2569 #endif /* CONFIG_P2P */
2574 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
2575 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2577 * This function is called to let WPA state machine know that the connection
2578 * was lost. This will abort any existing pre-authentication session.
2580 void wpa_sm_notify_disassoc(struct wpa_sm
*sm
)
2582 eloop_cancel_timeout(wpa_sm_start_preauth
, sm
, NULL
);
2583 eloop_cancel_timeout(wpa_sm_rekey_ptk
, sm
, NULL
);
2584 rsn_preauth_deinit(sm
);
2585 pmksa_cache_clear_current(sm
);
2586 if (wpa_sm_get_state(sm
) == WPA_4WAY_HANDSHAKE
)
2587 sm
->dot11RSNA4WayHandshakeFailures
++;
2589 wpa_tdls_disassoc(sm
);
2590 #endif /* CONFIG_TDLS */
2592 sm
->fils_completed
= 0;
2593 #endif /* CONFIG_FILS */
2594 #ifdef CONFIG_IEEE80211R
2595 sm
->ft_reassoc_completed
= 0;
2596 #endif /* CONFIG_IEEE80211R */
2598 /* Keys are not needed in the WPA state machine anymore */
2601 sm
->msg_3_of_4_ok
= 0;
2602 os_memset(sm
->bssid
, 0, ETH_ALEN
);
2607 * wpa_sm_set_pmk - Set PMK
2608 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2610 * @pmk_len: The length of the new PMK in bytes
2611 * @pmkid: Calculated PMKID
2612 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
2614 * Configure the PMK for WPA state machine.
2616 void wpa_sm_set_pmk(struct wpa_sm
*sm
, const u8
*pmk
, size_t pmk_len
,
2617 const u8
*pmkid
, const u8
*bssid
)
2622 wpa_hexdump_key(MSG_DEBUG
, "WPA: Set PMK based on external data",
2624 sm
->pmk_len
= pmk_len
;
2625 os_memcpy(sm
->pmk
, pmk
, pmk_len
);
2627 #ifdef CONFIG_IEEE80211R
2628 /* Set XXKey to be PSK for FT key derivation */
2629 sm
->xxkey_len
= pmk_len
;
2630 os_memcpy(sm
->xxkey
, pmk
, pmk_len
);
2631 #endif /* CONFIG_IEEE80211R */
2634 pmksa_cache_add(sm
->pmksa
, pmk
, pmk_len
, pmkid
, NULL
, 0,
2635 bssid
, sm
->own_addr
,
2636 sm
->network_ctx
, sm
->key_mgmt
, NULL
);
2642 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
2643 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2645 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
2648 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm
*sm
)
2653 if (sm
->cur_pmksa
) {
2654 wpa_hexdump_key(MSG_DEBUG
,
2655 "WPA: Set PMK based on current PMKSA",
2656 sm
->cur_pmksa
->pmk
, sm
->cur_pmksa
->pmk_len
);
2657 sm
->pmk_len
= sm
->cur_pmksa
->pmk_len
;
2658 os_memcpy(sm
->pmk
, sm
->cur_pmksa
->pmk
, sm
->pmk_len
);
2660 wpa_printf(MSG_DEBUG
, "WPA: No current PMKSA - clear PMK");
2662 os_memset(sm
->pmk
, 0, PMK_LEN_MAX
);
2668 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
2669 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2670 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
2672 void wpa_sm_set_fast_reauth(struct wpa_sm
*sm
, int fast_reauth
)
2675 sm
->fast_reauth
= fast_reauth
;
2680 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
2681 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2682 * @scard_ctx: Context pointer for smartcard related callback functions
2684 void wpa_sm_set_scard_ctx(struct wpa_sm
*sm
, void *scard_ctx
)
2688 sm
->scard_ctx
= scard_ctx
;
2689 if (sm
->preauth_eapol
)
2690 eapol_sm_register_scard_ctx(sm
->preauth_eapol
, scard_ctx
);
2695 * wpa_sm_set_config - Notification of current configration change
2696 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2697 * @config: Pointer to current network configuration
2699 * Notify WPA state machine that configuration has changed. config will be
2700 * stored as a backpointer to network configuration. This can be %NULL to clear
2701 * the stored pointed.
2703 void wpa_sm_set_config(struct wpa_sm
*sm
, struct rsn_supp_config
*config
)
2709 sm
->network_ctx
= config
->network_ctx
;
2710 sm
->allowed_pairwise_cipher
= config
->allowed_pairwise_cipher
;
2711 sm
->proactive_key_caching
= config
->proactive_key_caching
;
2712 sm
->eap_workaround
= config
->eap_workaround
;
2713 sm
->eap_conf_ctx
= config
->eap_conf_ctx
;
2715 os_memcpy(sm
->ssid
, config
->ssid
, config
->ssid_len
);
2716 sm
->ssid_len
= config
->ssid_len
;
2719 sm
->wpa_ptk_rekey
= config
->wpa_ptk_rekey
;
2720 sm
->p2p
= config
->p2p
;
2721 sm
->wpa_rsc_relaxation
= config
->wpa_rsc_relaxation
;
2723 if (config
->fils_cache_id
) {
2724 sm
->fils_cache_id_set
= 1;
2725 os_memcpy(sm
->fils_cache_id
, config
->fils_cache_id
,
2728 sm
->fils_cache_id_set
= 0;
2730 #endif /* CONFIG_FILS */
2732 sm
->network_ctx
= NULL
;
2733 sm
->allowed_pairwise_cipher
= 0;
2734 sm
->proactive_key_caching
= 0;
2735 sm
->eap_workaround
= 0;
2736 sm
->eap_conf_ctx
= NULL
;
2738 sm
->wpa_ptk_rekey
= 0;
2740 sm
->wpa_rsc_relaxation
= 0;
2746 * wpa_sm_set_own_addr - Set own MAC address
2747 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2748 * @addr: Own MAC address
2750 void wpa_sm_set_own_addr(struct wpa_sm
*sm
, const u8
*addr
)
2753 os_memcpy(sm
->own_addr
, addr
, ETH_ALEN
);
2758 * wpa_sm_set_ifname - Set network interface name
2759 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2760 * @ifname: Interface name
2761 * @bridge_ifname: Optional bridge interface name (for pre-auth)
2763 void wpa_sm_set_ifname(struct wpa_sm
*sm
, const char *ifname
,
2764 const char *bridge_ifname
)
2767 sm
->ifname
= ifname
;
2768 sm
->bridge_ifname
= bridge_ifname
;
2774 * wpa_sm_set_eapol - Set EAPOL state machine pointer
2775 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2776 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
2778 void wpa_sm_set_eapol(struct wpa_sm
*sm
, struct eapol_sm
*eapol
)
2786 * wpa_sm_set_param - Set WPA state machine parameters
2787 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2788 * @param: Parameter field
2789 * @value: Parameter value
2790 * Returns: 0 on success, -1 on failure
2792 int wpa_sm_set_param(struct wpa_sm
*sm
, enum wpa_sm_conf_params param
,
2801 case RSNA_PMK_LIFETIME
:
2803 sm
->dot11RSNAConfigPMKLifetime
= value
;
2807 case RSNA_PMK_REAUTH_THRESHOLD
:
2808 if (value
> 0 && value
<= 100)
2809 sm
->dot11RSNAConfigPMKReauthThreshold
= value
;
2813 case RSNA_SA_TIMEOUT
:
2815 sm
->dot11RSNAConfigSATimeout
= value
;
2819 case WPA_PARAM_PROTO
:
2822 case WPA_PARAM_PAIRWISE
:
2823 sm
->pairwise_cipher
= value
;
2825 case WPA_PARAM_GROUP
:
2826 sm
->group_cipher
= value
;
2828 case WPA_PARAM_KEY_MGMT
:
2829 sm
->key_mgmt
= value
;
2831 #ifdef CONFIG_IEEE80211W
2832 case WPA_PARAM_MGMT_GROUP
:
2833 sm
->mgmt_group_cipher
= value
;
2835 #endif /* CONFIG_IEEE80211W */
2836 case WPA_PARAM_RSN_ENABLED
:
2837 sm
->rsn_enabled
= value
;
2851 * wpa_sm_get_status - Get WPA state machine
2852 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2853 * @buf: Buffer for status information
2854 * @buflen: Maximum buffer length
2855 * @verbose: Whether to include verbose status information
2856 * Returns: Number of bytes written to buf.
2858 * Query WPA state machine for status information. This function fills in
2859 * a text area with current status information. If the buffer (buf) is not
2860 * large enough, status information will be truncated to fit the buffer.
2862 int wpa_sm_get_status(struct wpa_sm
*sm
, char *buf
, size_t buflen
,
2865 char *pos
= buf
, *end
= buf
+ buflen
;
2868 ret
= os_snprintf(pos
, end
- pos
,
2869 "pairwise_cipher=%s\n"
2872 wpa_cipher_txt(sm
->pairwise_cipher
),
2873 wpa_cipher_txt(sm
->group_cipher
),
2874 wpa_key_mgmt_txt(sm
->key_mgmt
, sm
->proto
));
2875 if (os_snprintf_error(end
- pos
, ret
))
2879 if (sm
->mfp
!= NO_MGMT_FRAME_PROTECTION
&& sm
->ap_rsn_ie
) {
2880 struct wpa_ie_data rsn
;
2881 if (wpa_parse_wpa_ie_rsn(sm
->ap_rsn_ie
, sm
->ap_rsn_ie_len
, &rsn
)
2883 rsn
.capabilities
& (WPA_CAPABILITY_MFPR
|
2884 WPA_CAPABILITY_MFPC
)) {
2885 ret
= os_snprintf(pos
, end
- pos
, "pmf=%d\n"
2886 "mgmt_group_cipher=%s\n",
2888 WPA_CAPABILITY_MFPR
) ? 2 : 1,
2890 sm
->mgmt_group_cipher
));
2891 if (os_snprintf_error(end
- pos
, ret
))
2901 int wpa_sm_pmf_enabled(struct wpa_sm
*sm
)
2903 struct wpa_ie_data rsn
;
2905 if (sm
->mfp
== NO_MGMT_FRAME_PROTECTION
|| !sm
->ap_rsn_ie
)
2908 if (wpa_parse_wpa_ie_rsn(sm
->ap_rsn_ie
, sm
->ap_rsn_ie_len
, &rsn
) >= 0 &&
2909 rsn
.capabilities
& (WPA_CAPABILITY_MFPR
| WPA_CAPABILITY_MFPC
))
2917 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
2918 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2919 * @wpa_ie: Pointer to buffer for WPA/RSN IE
2920 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
2921 * Returns: 0 on success, -1 on failure
2923 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm
*sm
, u8
*wpa_ie
,
2931 #ifdef CONFIG_TESTING_OPTIONS
2932 if (sm
->test_assoc_ie
) {
2933 wpa_printf(MSG_DEBUG
,
2934 "TESTING: Replace association WPA/RSN IE");
2935 if (*wpa_ie_len
< wpabuf_len(sm
->test_assoc_ie
))
2937 os_memcpy(wpa_ie
, wpabuf_head(sm
->test_assoc_ie
),
2938 wpabuf_len(sm
->test_assoc_ie
));
2939 res
= wpabuf_len(sm
->test_assoc_ie
);
2941 #endif /* CONFIG_TESTING_OPTIONS */
2942 res
= wpa_gen_wpa_ie(sm
, wpa_ie
, *wpa_ie_len
);
2947 wpa_hexdump(MSG_DEBUG
, "WPA: Set own WPA IE default",
2948 wpa_ie
, *wpa_ie_len
);
2950 if (sm
->assoc_wpa_ie
== NULL
) {
2952 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
2953 * the correct version of the IE even if PMKSA caching is
2954 * aborted (which would remove PMKID from IE generation).
2956 sm
->assoc_wpa_ie
= os_memdup(wpa_ie
, *wpa_ie_len
);
2957 if (sm
->assoc_wpa_ie
== NULL
)
2960 sm
->assoc_wpa_ie_len
= *wpa_ie_len
;
2962 wpa_hexdump(MSG_DEBUG
,
2963 "WPA: Leave previously set WPA IE default",
2964 sm
->assoc_wpa_ie
, sm
->assoc_wpa_ie_len
);
2972 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
2973 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2974 * @ie: Pointer to IE data (starting from id)
2976 * Returns: 0 on success, -1 on failure
2978 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
2979 * Request frame. The IE will be used to override the default value generated
2980 * with wpa_sm_set_assoc_wpa_ie_default().
2982 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm
*sm
, const u8
*ie
, size_t len
)
2987 os_free(sm
->assoc_wpa_ie
);
2988 if (ie
== NULL
|| len
== 0) {
2989 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
2990 "WPA: clearing own WPA/RSN IE");
2991 sm
->assoc_wpa_ie
= NULL
;
2992 sm
->assoc_wpa_ie_len
= 0;
2994 wpa_hexdump(MSG_DEBUG
, "WPA: set own WPA/RSN IE", ie
, len
);
2995 sm
->assoc_wpa_ie
= os_memdup(ie
, len
);
2996 if (sm
->assoc_wpa_ie
== NULL
)
2999 sm
->assoc_wpa_ie_len
= len
;
3007 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
3008 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3009 * @ie: Pointer to IE data (starting from id)
3011 * Returns: 0 on success, -1 on failure
3013 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
3016 int wpa_sm_set_ap_wpa_ie(struct wpa_sm
*sm
, const u8
*ie
, size_t len
)
3021 os_free(sm
->ap_wpa_ie
);
3022 if (ie
== NULL
|| len
== 0) {
3023 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
3024 "WPA: clearing AP WPA IE");
3025 sm
->ap_wpa_ie
= NULL
;
3026 sm
->ap_wpa_ie_len
= 0;
3028 wpa_hexdump(MSG_DEBUG
, "WPA: set AP WPA IE", ie
, len
);
3029 sm
->ap_wpa_ie
= os_memdup(ie
, len
);
3030 if (sm
->ap_wpa_ie
== NULL
)
3033 sm
->ap_wpa_ie_len
= len
;
3041 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
3042 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3043 * @ie: Pointer to IE data (starting from id)
3045 * Returns: 0 on success, -1 on failure
3047 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
3050 int wpa_sm_set_ap_rsn_ie(struct wpa_sm
*sm
, const u8
*ie
, size_t len
)
3055 os_free(sm
->ap_rsn_ie
);
3056 if (ie
== NULL
|| len
== 0) {
3057 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
3058 "WPA: clearing AP RSN IE");
3059 sm
->ap_rsn_ie
= NULL
;
3060 sm
->ap_rsn_ie_len
= 0;
3062 wpa_hexdump(MSG_DEBUG
, "WPA: set AP RSN IE", ie
, len
);
3063 sm
->ap_rsn_ie
= os_memdup(ie
, len
);
3064 if (sm
->ap_rsn_ie
== NULL
)
3067 sm
->ap_rsn_ie_len
= len
;
3075 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
3076 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3077 * @data: Pointer to data area for parsing results
3078 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
3080 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
3081 * parsed data into data.
3083 int wpa_sm_parse_own_wpa_ie(struct wpa_sm
*sm
, struct wpa_ie_data
*data
)
3088 if (sm
->assoc_wpa_ie
== NULL
) {
3089 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
3090 "WPA: No WPA/RSN IE available from association info");
3093 if (wpa_parse_wpa_ie(sm
->assoc_wpa_ie
, sm
->assoc_wpa_ie_len
, data
))
3099 int wpa_sm_pmksa_cache_list(struct wpa_sm
*sm
, char *buf
, size_t len
)
3101 return pmksa_cache_list(sm
->pmksa
, buf
, len
);
3105 struct rsn_pmksa_cache_entry
* wpa_sm_pmksa_cache_head(struct wpa_sm
*sm
)
3107 return pmksa_cache_head(sm
->pmksa
);
3111 struct rsn_pmksa_cache_entry
*
3112 wpa_sm_pmksa_cache_add_entry(struct wpa_sm
*sm
,
3113 struct rsn_pmksa_cache_entry
* entry
)
3115 return pmksa_cache_add_entry(sm
->pmksa
, entry
);
3119 void wpa_sm_pmksa_cache_add(struct wpa_sm
*sm
, const u8
*pmk
, size_t pmk_len
,
3120 const u8
*pmkid
, const u8
*bssid
,
3121 const u8
*fils_cache_id
)
3123 sm
->cur_pmksa
= pmksa_cache_add(sm
->pmksa
, pmk
, pmk_len
, pmkid
, NULL
, 0,
3124 bssid
, sm
->own_addr
, sm
->network_ctx
,
3125 sm
->key_mgmt
, fils_cache_id
);
3129 int wpa_sm_pmksa_exists(struct wpa_sm
*sm
, const u8
*bssid
,
3130 const void *network_ctx
)
3132 return pmksa_cache_get(sm
->pmksa
, bssid
, NULL
, network_ctx
) != NULL
;
3136 void wpa_sm_drop_sa(struct wpa_sm
*sm
)
3138 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
, "WPA: Clear old PMK and PTK");
3141 os_memset(sm
->pmk
, 0, sizeof(sm
->pmk
));
3142 os_memset(&sm
->ptk
, 0, sizeof(sm
->ptk
));
3143 os_memset(&sm
->tptk
, 0, sizeof(sm
->tptk
));
3144 os_memset(&sm
->gtk
, 0, sizeof(sm
->gtk
));
3145 os_memset(&sm
->gtk_wnm_sleep
, 0, sizeof(sm
->gtk_wnm_sleep
));
3146 #ifdef CONFIG_IEEE80211W
3147 os_memset(&sm
->igtk
, 0, sizeof(sm
->igtk
));
3148 os_memset(&sm
->igtk_wnm_sleep
, 0, sizeof(sm
->igtk_wnm_sleep
));
3149 #endif /* CONFIG_IEEE80211W */
3150 #ifdef CONFIG_IEEE80211R
3151 os_memset(sm
->xxkey
, 0, sizeof(sm
->xxkey
));
3152 os_memset(sm
->pmk_r0
, 0, sizeof(sm
->pmk_r0
));
3153 os_memset(sm
->pmk_r1
, 0, sizeof(sm
->pmk_r1
));
3154 #endif /* CONFIG_IEEE80211R */
3158 int wpa_sm_has_ptk(struct wpa_sm
*sm
)
3166 void wpa_sm_update_replay_ctr(struct wpa_sm
*sm
, const u8
*replay_ctr
)
3168 os_memcpy(sm
->rx_replay_counter
, replay_ctr
, WPA_REPLAY_COUNTER_LEN
);
3172 void wpa_sm_pmksa_cache_flush(struct wpa_sm
*sm
, void *network_ctx
)
3174 pmksa_cache_flush(sm
->pmksa
, network_ctx
, NULL
, 0);
3179 int wpa_wnmsleep_install_key(struct wpa_sm
*sm
, u8 subelem_id
, u8
*buf
)
3182 u8 keylen
; /* plaintext key len */
3185 if (subelem_id
== WNM_SLEEP_SUBELEM_GTK
) {
3186 struct wpa_gtk_data gd
;
3188 os_memset(&gd
, 0, sizeof(gd
));
3189 keylen
= wpa_cipher_key_len(sm
->group_cipher
);
3190 gd
.key_rsc_len
= wpa_cipher_rsc_len(sm
->group_cipher
);
3191 gd
.alg
= wpa_cipher_to_alg(sm
->group_cipher
);
3192 if (gd
.alg
== WPA_ALG_NONE
) {
3193 wpa_printf(MSG_DEBUG
, "Unsupported group cipher suite");
3198 keyinfo
= WPA_GET_LE16(buf
+ 2);
3199 gd
.gtk_len
= keylen
;
3200 if (gd
.gtk_len
!= buf
[4]) {
3201 wpa_printf(MSG_DEBUG
, "GTK len mismatch len %d vs %d",
3202 gd
.gtk_len
, buf
[4]);
3205 gd
.keyidx
= keyinfo
& 0x03; /* B0 - B1 */
3206 gd
.tx
= wpa_supplicant_gtk_tx_bit_workaround(
3207 sm
, !!(keyinfo
& WPA_KEY_INFO_TXRX
));
3209 os_memcpy(gd
.gtk
, buf
+ 13, gd
.gtk_len
);
3211 wpa_hexdump_key(MSG_DEBUG
, "Install GTK (WNM SLEEP)",
3212 gd
.gtk
, gd
.gtk_len
);
3213 if (wpa_supplicant_install_gtk(sm
, &gd
, key_rsc
, 1)) {
3214 os_memset(&gd
, 0, sizeof(gd
));
3215 wpa_printf(MSG_DEBUG
, "Failed to install the GTK in "
3219 os_memset(&gd
, 0, sizeof(gd
));
3220 #ifdef CONFIG_IEEE80211W
3221 } else if (subelem_id
== WNM_SLEEP_SUBELEM_IGTK
) {
3222 const struct wpa_igtk_kde
*igtk
;
3224 igtk
= (const struct wpa_igtk_kde
*) (buf
+ 2);
3225 if (wpa_supplicant_install_igtk(sm
, igtk
, 1) < 0)
3227 #endif /* CONFIG_IEEE80211W */
3229 wpa_printf(MSG_DEBUG
, "Unknown element id");
3235 #endif /* CONFIG_WNM */
3240 int wpa_sm_get_p2p_ip_addr(struct wpa_sm
*sm
, u8
*buf
)
3242 if (sm
== NULL
|| WPA_GET_BE32(sm
->p2p_ip_addr
) == 0)
3244 os_memcpy(buf
, sm
->p2p_ip_addr
, 3 * 4);
3248 #endif /* CONFIG_P2P */
3251 void wpa_sm_set_rx_replay_ctr(struct wpa_sm
*sm
, const u8
*rx_replay_counter
)
3253 if (rx_replay_counter
== NULL
)
3256 os_memcpy(sm
->rx_replay_counter
, rx_replay_counter
,
3257 WPA_REPLAY_COUNTER_LEN
);
3258 sm
->rx_replay_counter_set
= 1;
3259 wpa_printf(MSG_DEBUG
, "Updated key replay counter");
3263 void wpa_sm_set_ptk_kck_kek(struct wpa_sm
*sm
,
3264 const u8
*ptk_kck
, size_t ptk_kck_len
,
3265 const u8
*ptk_kek
, size_t ptk_kek_len
)
3267 if (ptk_kck
&& ptk_kck_len
<= WPA_KCK_MAX_LEN
) {
3268 os_memcpy(sm
->ptk
.kck
, ptk_kck
, ptk_kck_len
);
3269 sm
->ptk
.kck_len
= ptk_kck_len
;
3270 wpa_printf(MSG_DEBUG
, "Updated PTK KCK");
3272 if (ptk_kek
&& ptk_kek_len
<= WPA_KEK_MAX_LEN
) {
3273 os_memcpy(sm
->ptk
.kek
, ptk_kek
, ptk_kek_len
);
3274 sm
->ptk
.kek_len
= ptk_kek_len
;
3275 wpa_printf(MSG_DEBUG
, "Updated PTK KEK");
3281 #ifdef CONFIG_TESTING_OPTIONS
3283 void wpa_sm_set_test_assoc_ie(struct wpa_sm
*sm
, struct wpabuf
*buf
)
3285 wpabuf_free(sm
->test_assoc_ie
);
3286 sm
->test_assoc_ie
= buf
;
3290 const u8
* wpa_sm_get_anonce(struct wpa_sm
*sm
)
3295 #endif /* CONFIG_TESTING_OPTIONS */
3300 struct wpabuf
* fils_build_auth(struct wpa_sm
*sm
, int dh_group
, const u8
*md
)
3302 struct wpabuf
*buf
= NULL
;
3303 struct wpabuf
*erp_msg
;
3304 struct wpabuf
*pub
= NULL
;
3306 erp_msg
= eapol_sm_build_erp_reauth_start(sm
->eapol
);
3307 if (!erp_msg
&& !sm
->cur_pmksa
) {
3308 wpa_printf(MSG_DEBUG
,
3309 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
3313 wpa_printf(MSG_DEBUG
, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
3314 erp_msg
!= NULL
, sm
->cur_pmksa
!= NULL
);
3316 sm
->fils_completed
= 0;
3318 if (!sm
->assoc_wpa_ie
) {
3319 wpa_printf(MSG_INFO
, "FILS: No own RSN IE set for FILS");
3323 if (random_get_bytes(sm
->fils_nonce
, FILS_NONCE_LEN
) < 0 ||
3324 random_get_bytes(sm
->fils_session
, FILS_SESSION_LEN
) < 0)
3327 wpa_hexdump(MSG_DEBUG
, "FILS: Generated FILS Nonce",
3328 sm
->fils_nonce
, FILS_NONCE_LEN
);
3329 wpa_hexdump(MSG_DEBUG
, "FILS: Generated FILS Session",
3330 sm
->fils_session
, FILS_SESSION_LEN
);
3332 #ifdef CONFIG_FILS_SK_PFS
3333 sm
->fils_dh_group
= dh_group
;
3335 crypto_ecdh_deinit(sm
->fils_ecdh
);
3336 sm
->fils_ecdh
= crypto_ecdh_init(dh_group
);
3337 if (!sm
->fils_ecdh
) {
3338 wpa_printf(MSG_INFO
,
3339 "FILS: Could not initialize ECDH with group %d",
3343 pub
= crypto_ecdh_get_pubkey(sm
->fils_ecdh
, 1);
3346 wpa_hexdump_buf(MSG_DEBUG
, "FILS: Element (DH public key)",
3348 sm
->fils_dh_elem_len
= wpabuf_len(pub
);
3350 #endif /* CONFIG_FILS_SK_PFS */
3352 buf
= wpabuf_alloc(1000 + sm
->assoc_wpa_ie_len
+
3353 (pub
? wpabuf_len(pub
) : 0));
3357 /* Fields following the Authentication algorithm number field */
3359 /* Authentication Transaction seq# */
3360 wpabuf_put_le16(buf
, 1);
3363 wpabuf_put_le16(buf
, WLAN_STATUS_SUCCESS
);
3366 #ifdef CONFIG_FILS_SK_PFS
3368 /* Finite Cyclic Group */
3369 wpabuf_put_le16(buf
, dh_group
);
3371 wpabuf_put_buf(buf
, pub
);
3373 #endif /* CONFIG_FILS_SK_PFS */
3376 wpa_hexdump(MSG_DEBUG
, "FILS: RSNE in FILS Authentication frame",
3377 sm
->assoc_wpa_ie
, sm
->assoc_wpa_ie_len
);
3378 wpabuf_put_data(buf
, sm
->assoc_wpa_ie
, sm
->assoc_wpa_ie_len
);
3381 /* MDE when using FILS for FT initial association */
3382 struct rsn_mdie
*mdie
;
3384 wpabuf_put_u8(buf
, WLAN_EID_MOBILITY_DOMAIN
);
3385 wpabuf_put_u8(buf
, sizeof(*mdie
));
3386 mdie
= wpabuf_put(buf
, sizeof(*mdie
));
3387 os_memcpy(mdie
->mobility_domain
, md
, MOBILITY_DOMAIN_ID_LEN
);
3392 wpabuf_put_u8(buf
, WLAN_EID_EXTENSION
); /* Element ID */
3393 wpabuf_put_u8(buf
, 1 + FILS_NONCE_LEN
); /* Length */
3394 /* Element ID Extension */
3395 wpabuf_put_u8(buf
, WLAN_EID_EXT_FILS_NONCE
);
3396 wpabuf_put_data(buf
, sm
->fils_nonce
, FILS_NONCE_LEN
);
3399 wpabuf_put_u8(buf
, WLAN_EID_EXTENSION
); /* Element ID */
3400 wpabuf_put_u8(buf
, 1 + FILS_SESSION_LEN
); /* Length */
3401 /* Element ID Extension */
3402 wpabuf_put_u8(buf
, WLAN_EID_EXT_FILS_SESSION
);
3403 wpabuf_put_data(buf
, sm
->fils_session
, FILS_SESSION_LEN
);
3405 /* FILS Wrapped Data */
3406 sm
->fils_erp_pmkid_set
= 0;
3408 wpabuf_put_u8(buf
, WLAN_EID_EXTENSION
); /* Element ID */
3409 wpabuf_put_u8(buf
, 1 + wpabuf_len(erp_msg
)); /* Length */
3410 /* Element ID Extension */
3411 wpabuf_put_u8(buf
, WLAN_EID_EXT_FILS_WRAPPED_DATA
);
3412 wpabuf_put_buf(buf
, erp_msg
);
3413 /* Calculate pending PMKID here so that we do not need to
3414 * maintain a copy of the EAP-Initiate/Reauth message. */
3415 if (fils_pmkid_erp(sm
->key_mgmt
, wpabuf_head(erp_msg
),
3416 wpabuf_len(erp_msg
),
3417 sm
->fils_erp_pmkid
) == 0)
3418 sm
->fils_erp_pmkid_set
= 1;
3421 wpa_hexdump_buf(MSG_DEBUG
, "RSN: FILS fields for Authentication frame",
3425 wpabuf_free(erp_msg
);
3431 int fils_process_auth(struct wpa_sm
*sm
, const u8
*bssid
, const u8
*data
,
3434 const u8
*pos
, *end
;
3435 struct ieee802_11_elems elems
;
3436 struct wpa_ie_data rsn
;
3437 int pmkid_match
= 0;
3438 u8 ick
[FILS_ICK_MAX_LEN
];
3441 struct wpabuf
*dh_ss
= NULL
;
3442 const u8
*g_sta
= NULL
;
3443 size_t g_sta_len
= 0;
3444 const u8
*g_ap
= NULL
;
3445 size_t g_ap_len
= 0;
3446 struct wpabuf
*pub
= NULL
;
3448 os_memcpy(sm
->bssid
, bssid
, ETH_ALEN
);
3450 wpa_hexdump(MSG_DEBUG
, "FILS: Authentication frame fields",
3456 #ifdef CONFIG_FILS_SK_PFS
3457 if (sm
->fils_dh_group
) {
3460 /* Using FILS PFS */
3462 /* Finite Cyclic Group */
3463 if (end
- pos
< 2) {
3464 wpa_printf(MSG_DEBUG
,
3465 "FILS: No room for Finite Cyclic Group");
3468 group
= WPA_GET_LE16(pos
);
3470 if (group
!= sm
->fils_dh_group
) {
3471 wpa_printf(MSG_DEBUG
,
3472 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
3473 group
, sm
->fils_dh_group
);
3478 if ((size_t) (end
- pos
) < sm
->fils_dh_elem_len
) {
3479 wpa_printf(MSG_DEBUG
, "FILS: No room for Element");
3483 if (!sm
->fils_ecdh
) {
3484 wpa_printf(MSG_DEBUG
, "FILS: No ECDH state available");
3487 dh_ss
= crypto_ecdh_set_peerkey(sm
->fils_ecdh
, 1, pos
,
3488 sm
->fils_dh_elem_len
);
3490 wpa_printf(MSG_DEBUG
, "FILS: ECDH operation failed");
3493 wpa_hexdump_buf_key(MSG_DEBUG
, "FILS: DH_SS", dh_ss
);
3495 g_ap_len
= sm
->fils_dh_elem_len
;
3496 pos
+= sm
->fils_dh_elem_len
;
3498 #endif /* CONFIG_FILS_SK_PFS */
3500 wpa_hexdump(MSG_DEBUG
, "FILS: Remaining IEs", pos
, end
- pos
);
3501 if (ieee802_11_parse_elems(pos
, end
- pos
, &elems
, 1) == ParseFailed
) {
3502 wpa_printf(MSG_DEBUG
, "FILS: Could not parse elements");
3507 wpa_hexdump(MSG_DEBUG
, "FILS: RSN element", elems
.rsn_ie
,
3509 if (!elems
.rsn_ie
||
3510 wpa_parse_wpa_ie_rsn(elems
.rsn_ie
- 2, elems
.rsn_ie_len
+ 2,
3512 wpa_printf(MSG_DEBUG
, "FILS: No RSN element");
3516 if (!elems
.fils_nonce
) {
3517 wpa_printf(MSG_DEBUG
, "FILS: No FILS Nonce field");
3520 os_memcpy(sm
->fils_anonce
, elems
.fils_nonce
, FILS_NONCE_LEN
);
3521 wpa_hexdump(MSG_DEBUG
, "FILS: ANonce", sm
->fils_anonce
, FILS_NONCE_LEN
);
3523 #ifdef CONFIG_IEEE80211R
3524 if (wpa_key_mgmt_ft(sm
->key_mgmt
)) {
3525 struct wpa_ft_ies parse
;
3527 if (!elems
.mdie
|| !elems
.ftie
) {
3528 wpa_printf(MSG_DEBUG
, "FILS+FT: No MDE or FTE");
3532 if (wpa_ft_parse_ies(pos
, end
- pos
, &parse
) < 0) {
3533 wpa_printf(MSG_DEBUG
, "FILS+FT: Failed to parse IEs");
3537 if (!parse
.r0kh_id
) {
3538 wpa_printf(MSG_DEBUG
,
3539 "FILS+FT: No R0KH-ID subelem in FTE");
3542 os_memcpy(sm
->r0kh_id
, parse
.r0kh_id
, parse
.r0kh_id_len
);
3543 sm
->r0kh_id_len
= parse
.r0kh_id_len
;
3544 wpa_hexdump_ascii(MSG_DEBUG
, "FILS+FT: R0KH-ID",
3545 sm
->r0kh_id
, sm
->r0kh_id_len
);
3547 if (!parse
.r1kh_id
) {
3548 wpa_printf(MSG_DEBUG
,
3549 "FILS+FT: No R1KH-ID subelem in FTE");
3552 os_memcpy(sm
->r1kh_id
, parse
.r1kh_id
, FT_R1KH_ID_LEN
);
3553 wpa_hexdump(MSG_DEBUG
, "FILS+FT: R1KH-ID",
3554 sm
->r1kh_id
, FT_R1KH_ID_LEN
);
3556 /* TODO: Check MDE and FTE payload */
3558 wpabuf_free(sm
->fils_ft_ies
);
3559 sm
->fils_ft_ies
= wpabuf_alloc(2 + elems
.mdie_len
+
3560 2 + elems
.ftie_len
);
3561 if (!sm
->fils_ft_ies
)
3563 wpabuf_put_data(sm
->fils_ft_ies
, elems
.mdie
- 2,
3564 2 + elems
.mdie_len
);
3565 wpabuf_put_data(sm
->fils_ft_ies
, elems
.ftie
- 2,
3566 2 + elems
.ftie_len
);
3568 wpabuf_free(sm
->fils_ft_ies
);
3569 sm
->fils_ft_ies
= NULL
;
3571 #endif /* CONFIG_IEEE80211R */
3574 if (rsn
.pmkid
&& rsn
.num_pmkid
> 0) {
3575 wpa_hexdump(MSG_DEBUG
, "FILS: PMKID List",
3576 rsn
.pmkid
, rsn
.num_pmkid
* PMKID_LEN
);
3578 if (rsn
.num_pmkid
!= 1) {
3579 wpa_printf(MSG_DEBUG
, "FILS: Invalid PMKID selection");
3582 wpa_hexdump(MSG_DEBUG
, "FILS: PMKID", rsn
.pmkid
, PMKID_LEN
);
3583 if (os_memcmp(sm
->cur_pmksa
->pmkid
, rsn
.pmkid
, PMKID_LEN
) != 0)
3585 wpa_printf(MSG_DEBUG
, "FILS: PMKID mismatch");
3586 wpa_hexdump(MSG_DEBUG
, "FILS: Expected PMKID",
3587 sm
->cur_pmksa
->pmkid
, PMKID_LEN
);
3590 wpa_printf(MSG_DEBUG
,
3591 "FILS: Matching PMKID - continue using PMKSA caching");
3594 if (!pmkid_match
&& sm
->cur_pmksa
) {
3595 wpa_printf(MSG_DEBUG
,
3596 "FILS: No PMKID match - cannot use cached PMKSA entry");
3597 sm
->cur_pmksa
= NULL
;
3601 if (!elems
.fils_session
) {
3602 wpa_printf(MSG_DEBUG
, "FILS: No FILS Session element");
3605 wpa_hexdump(MSG_DEBUG
, "FILS: FILS Session", elems
.fils_session
,
3607 if (os_memcmp(sm
->fils_session
, elems
.fils_session
, FILS_SESSION_LEN
)
3609 wpa_printf(MSG_DEBUG
, "FILS: Session mismatch");
3610 wpa_hexdump(MSG_DEBUG
, "FILS: Expected FILS Session",
3611 sm
->fils_session
, FILS_SESSION_LEN
);
3615 /* FILS Wrapped Data */
3616 if (!sm
->cur_pmksa
&& elems
.fils_wrapped_data
) {
3617 u8 rmsk
[ERP_MAX_KEY_LEN
];
3620 wpa_hexdump(MSG_DEBUG
, "FILS: Wrapped Data",
3621 elems
.fils_wrapped_data
,
3622 elems
.fils_wrapped_data_len
);
3623 eapol_sm_process_erp_finish(sm
->eapol
, elems
.fils_wrapped_data
,
3624 elems
.fils_wrapped_data_len
);
3625 if (eapol_sm_failed(sm
->eapol
))
3628 rmsk_len
= ERP_MAX_KEY_LEN
;
3629 res
= eapol_sm_get_key(sm
->eapol
, rmsk
, rmsk_len
);
3630 if (res
== PMK_LEN
) {
3632 res
= eapol_sm_get_key(sm
->eapol
, rmsk
, rmsk_len
);
3637 res
= fils_rmsk_to_pmk(sm
->key_mgmt
, rmsk
, rmsk_len
,
3638 sm
->fils_nonce
, sm
->fils_anonce
,
3639 dh_ss
? wpabuf_head(dh_ss
) : NULL
,
3640 dh_ss
? wpabuf_len(dh_ss
) : 0,
3641 sm
->pmk
, &sm
->pmk_len
);
3642 os_memset(rmsk
, 0, sizeof(rmsk
));
3644 /* Don't use DHss in PTK derivation if PMKSA caching is not
3646 wpabuf_clear_free(dh_ss
);
3652 if (!sm
->fils_erp_pmkid_set
) {
3653 wpa_printf(MSG_DEBUG
, "FILS: PMKID not available");
3656 wpa_hexdump(MSG_DEBUG
, "FILS: PMKID", sm
->fils_erp_pmkid
,
3658 wpa_printf(MSG_DEBUG
, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
3659 sm
->cur_pmksa
= pmksa_cache_add(sm
->pmksa
, sm
->pmk
, sm
->pmk_len
,
3660 sm
->fils_erp_pmkid
, NULL
, 0,
3661 sm
->bssid
, sm
->own_addr
,
3662 sm
->network_ctx
, sm
->key_mgmt
,
3666 if (!sm
->cur_pmksa
) {
3667 wpa_printf(MSG_DEBUG
,
3668 "FILS: No remaining options to continue FILS authentication");
3672 if (fils_pmk_to_ptk(sm
->pmk
, sm
->pmk_len
, sm
->own_addr
, sm
->bssid
,
3673 sm
->fils_nonce
, sm
->fils_anonce
,
3674 dh_ss
? wpabuf_head(dh_ss
) : NULL
,
3675 dh_ss
? wpabuf_len(dh_ss
) : 0,
3676 &sm
->ptk
, ick
, &ick_len
,
3677 sm
->key_mgmt
, sm
->pairwise_cipher
,
3678 sm
->fils_ft
, &sm
->fils_ft_len
) < 0) {
3679 wpa_printf(MSG_DEBUG
, "FILS: Failed to derive PTK");
3683 wpabuf_clear_free(dh_ss
);
3688 os_memset(&sm
->tptk
, 0, sizeof(sm
->tptk
));
3690 #ifdef CONFIG_FILS_SK_PFS
3691 if (sm
->fils_dh_group
) {
3692 if (!sm
->fils_ecdh
) {
3693 wpa_printf(MSG_INFO
, "FILS: ECDH not initialized");
3696 pub
= crypto_ecdh_get_pubkey(sm
->fils_ecdh
, 1);
3699 wpa_hexdump_buf(MSG_DEBUG
, "FILS: gSTA", pub
);
3700 g_sta
= wpabuf_head(pub
);
3701 g_sta_len
= wpabuf_len(pub
);
3703 wpa_printf(MSG_INFO
, "FILS: gAP not available");
3706 wpa_hexdump(MSG_DEBUG
, "FILS: gAP", g_ap
, g_ap_len
);
3708 #endif /* CONFIG_FILS_SK_PFS */
3710 res
= fils_key_auth_sk(ick
, ick_len
, sm
->fils_nonce
,
3711 sm
->fils_anonce
, sm
->own_addr
, sm
->bssid
,
3712 g_sta
, g_sta_len
, g_ap
, g_ap_len
,
3713 sm
->key_mgmt
, sm
->fils_key_auth_sta
,
3714 sm
->fils_key_auth_ap
,
3715 &sm
->fils_key_auth_len
);
3717 os_memset(ick
, 0, sizeof(ick
));
3721 wpabuf_clear_free(dh_ss
);
3726 #ifdef CONFIG_IEEE80211R
3727 static int fils_ft_build_assoc_req_rsne(struct wpa_sm
*sm
, struct wpabuf
*buf
)
3729 struct rsn_ie_hdr
*rsnie
;
3733 /* RSNIE[PMKR0Name/PMKR1Name] */
3734 rsnie
= wpabuf_put(buf
, sizeof(*rsnie
));
3735 rsnie
->elem_id
= WLAN_EID_RSN
;
3736 WPA_PUT_LE16(rsnie
->version
, RSN_VERSION
);
3738 /* Group Suite Selector */
3739 if (!wpa_cipher_valid_group(sm
->group_cipher
)) {
3740 wpa_printf(MSG_WARNING
, "FT: Invalid group cipher (%d)",
3744 pos
= wpabuf_put(buf
, RSN_SELECTOR_LEN
);
3745 RSN_SELECTOR_PUT(pos
, wpa_cipher_to_suite(WPA_PROTO_RSN
,
3748 /* Pairwise Suite Count */
3749 wpabuf_put_le16(buf
, 1);
3751 /* Pairwise Suite List */
3752 if (!wpa_cipher_valid_pairwise(sm
->pairwise_cipher
)) {
3753 wpa_printf(MSG_WARNING
, "FT: Invalid pairwise cipher (%d)",
3754 sm
->pairwise_cipher
);
3757 pos
= wpabuf_put(buf
, RSN_SELECTOR_LEN
);
3758 RSN_SELECTOR_PUT(pos
, wpa_cipher_to_suite(WPA_PROTO_RSN
,
3759 sm
->pairwise_cipher
));
3761 /* Authenticated Key Management Suite Count */
3762 wpabuf_put_le16(buf
, 1);
3764 /* Authenticated Key Management Suite List */
3765 pos
= wpabuf_put(buf
, RSN_SELECTOR_LEN
);
3766 if (sm
->key_mgmt
== WPA_KEY_MGMT_FT_FILS_SHA256
)
3767 RSN_SELECTOR_PUT(pos
, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256
);
3768 else if (sm
->key_mgmt
== WPA_KEY_MGMT_FT_FILS_SHA384
)
3769 RSN_SELECTOR_PUT(pos
, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384
);
3771 wpa_printf(MSG_WARNING
,
3772 "FILS+FT: Invalid key management type (%d)",
3777 /* RSN Capabilities */
3779 #ifdef CONFIG_IEEE80211W
3780 if (sm
->mgmt_group_cipher
== WPA_CIPHER_AES_128_CMAC
)
3781 capab
|= WPA_CAPABILITY_MFPC
;
3782 #endif /* CONFIG_IEEE80211W */
3783 wpabuf_put_le16(buf
, capab
);
3786 wpabuf_put_le16(buf
, 1);
3788 /* PMKID List [PMKR1Name] */
3789 wpa_hexdump_key(MSG_DEBUG
, "FILS+FT: XXKey (FILS-FT)",
3790 sm
->fils_ft
, sm
->fils_ft_len
);
3791 wpa_hexdump_ascii(MSG_DEBUG
, "FILS+FT: SSID", sm
->ssid
, sm
->ssid_len
);
3792 wpa_hexdump(MSG_DEBUG
, "FILS+FT: MDID",
3793 sm
->mobility_domain
, MOBILITY_DOMAIN_ID_LEN
);
3794 wpa_hexdump_ascii(MSG_DEBUG
, "FILS+FT: R0KH-ID",
3795 sm
->r0kh_id
, sm
->r0kh_id_len
);
3796 if (wpa_derive_pmk_r0(sm
->fils_ft
, sm
->fils_ft_len
, sm
->ssid
,
3797 sm
->ssid_len
, sm
->mobility_domain
,
3798 sm
->r0kh_id
, sm
->r0kh_id_len
, sm
->own_addr
,
3799 sm
->pmk_r0
, sm
->pmk_r0_name
) < 0) {
3800 wpa_printf(MSG_WARNING
, "FILS+FT: Could not derive PMK-R0");
3803 wpa_hexdump_key(MSG_DEBUG
, "FILS+FT: PMK-R0", sm
->pmk_r0
, PMK_LEN
);
3804 wpa_hexdump(MSG_DEBUG
, "FILS+FT: PMKR0Name",
3805 sm
->pmk_r0_name
, WPA_PMK_NAME_LEN
);
3806 wpa_printf(MSG_DEBUG
, "FILS+FT: R1KH-ID: " MACSTR
,
3807 MAC2STR(sm
->r1kh_id
));
3808 pos
= wpabuf_put(buf
, WPA_PMK_NAME_LEN
);
3809 if (wpa_derive_pmk_r1_name(sm
->pmk_r0_name
, sm
->r1kh_id
, sm
->own_addr
,
3811 wpa_printf(MSG_WARNING
, "FILS+FT: Could not derive PMKR1Name");
3814 wpa_hexdump(MSG_DEBUG
, "FILS+FT: PMKR1Name", pos
, WPA_PMK_NAME_LEN
);
3816 #ifdef CONFIG_IEEE80211W
3817 if (sm
->mgmt_group_cipher
== WPA_CIPHER_AES_128_CMAC
) {
3818 /* Management Group Cipher Suite */
3819 pos
= wpabuf_put(buf
, RSN_SELECTOR_LEN
);
3820 RSN_SELECTOR_PUT(pos
, RSN_CIPHER_SUITE_AES_128_CMAC
);
3822 #endif /* CONFIG_IEEE80211W */
3824 rsnie
->len
= ((u8
*) wpabuf_put(buf
, 0) - (u8
*) rsnie
) - 2;
3827 #endif /* CONFIG_IEEE80211R */
3830 struct wpabuf
* fils_build_assoc_req(struct wpa_sm
*sm
, const u8
**kek
,
3831 size_t *kek_len
, const u8
**snonce
,
3833 const struct wpabuf
**hlp
,
3834 unsigned int num_hlp
)
3841 #ifdef CONFIG_IEEE80211R
3842 if (sm
->fils_ft_ies
)
3843 len
+= wpabuf_len(sm
->fils_ft_ies
);
3844 if (wpa_key_mgmt_ft(sm
->key_mgmt
))
3846 #endif /* CONFIG_IEEE80211R */
3847 for (i
= 0; hlp
&& i
< num_hlp
; i
++)
3848 len
+= 10 + wpabuf_len(hlp
[i
]);
3849 buf
= wpabuf_alloc(len
);
3853 #ifdef CONFIG_IEEE80211R
3854 if (wpa_key_mgmt_ft(sm
->key_mgmt
) && sm
->fils_ft_ies
) {
3855 /* MDE and FTE when using FILS+FT */
3856 wpabuf_put_buf(buf
, sm
->fils_ft_ies
);
3857 /* RSNE with PMKR1Name in PMKID field */
3858 if (fils_ft_build_assoc_req_rsne(sm
, buf
) < 0) {
3863 #endif /* CONFIG_IEEE80211R */
3866 wpabuf_put_u8(buf
, WLAN_EID_EXTENSION
); /* Element ID */
3867 wpabuf_put_u8(buf
, 1 + FILS_SESSION_LEN
); /* Length */
3868 /* Element ID Extension */
3869 wpabuf_put_u8(buf
, WLAN_EID_EXT_FILS_SESSION
);
3870 wpabuf_put_data(buf
, sm
->fils_session
, FILS_SESSION_LEN
);
3872 /* Everything after FILS Session element gets encrypted in the driver
3873 * with KEK. The buffer returned from here is the plaintext version. */
3875 /* TODO: FILS Public Key */
3877 /* FILS Key Confirm */
3878 wpabuf_put_u8(buf
, WLAN_EID_EXTENSION
); /* Element ID */
3879 wpabuf_put_u8(buf
, 1 + sm
->fils_key_auth_len
); /* Length */
3880 /* Element ID Extension */
3881 wpabuf_put_u8(buf
, WLAN_EID_EXT_FILS_KEY_CONFIRM
);
3882 wpabuf_put_data(buf
, sm
->fils_key_auth_sta
, sm
->fils_key_auth_len
);
3884 /* FILS HLP Container */
3885 for (i
= 0; hlp
&& i
< num_hlp
; i
++) {
3886 const u8
*pos
= wpabuf_head(hlp
[i
]);
3887 size_t left
= wpabuf_len(hlp
[i
]);
3889 wpabuf_put_u8(buf
, WLAN_EID_EXTENSION
); /* Element ID */
3894 wpabuf_put_u8(buf
, len
); /* Length */
3895 /* Element ID Extension */
3896 wpabuf_put_u8(buf
, WLAN_EID_EXT_FILS_HLP_CONTAINER
);
3897 /* Destination MAC Address, Source MAC Address, HLP Packet.
3898 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
3899 * header when LPD is used). */
3900 wpabuf_put_data(buf
, pos
, len
- 1);
3904 wpabuf_put_u8(buf
, WLAN_EID_FRAGMENT
);
3905 len
= left
> 255 ? 255 : left
;
3906 wpabuf_put_u8(buf
, len
);
3907 wpabuf_put_data(buf
, pos
, len
);
3913 /* TODO: FILS IP Address Assignment */
3915 wpa_hexdump_buf(MSG_DEBUG
, "FILS: Association Request plaintext", buf
);
3918 *kek_len
= sm
->ptk
.kek_len
;
3919 wpa_hexdump_key(MSG_DEBUG
, "FILS: KEK for AEAD", *kek
, *kek_len
);
3920 *snonce
= sm
->fils_nonce
;
3921 wpa_hexdump(MSG_DEBUG
, "FILS: SNonce for AEAD AAD",
3922 *snonce
, FILS_NONCE_LEN
);
3923 *anonce
= sm
->fils_anonce
;
3924 wpa_hexdump(MSG_DEBUG
, "FILS: ANonce for AEAD AAD",
3925 *anonce
, FILS_NONCE_LEN
);
3931 static void fils_process_hlp_resp(struct wpa_sm
*sm
, const u8
*resp
, size_t len
)
3933 const u8
*pos
, *end
;
3935 wpa_hexdump(MSG_MSGDUMP
, "FILS: HLP response", resp
, len
);
3936 if (len
< 2 * ETH_ALEN
)
3938 pos
= resp
+ 2 * ETH_ALEN
;
3940 if (end
- pos
>= 6 &&
3941 os_memcmp(pos
, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
3942 pos
+= 6; /* Remove SNAP/LLC header */
3943 wpa_sm_fils_hlp_rx(sm
, resp
, resp
+ ETH_ALEN
, pos
, end
- pos
);
3947 static void fils_process_hlp_container(struct wpa_sm
*sm
, const u8
*pos
,
3950 const u8
*end
= pos
+ len
;
3953 /* Check if there are any FILS HLP Container elements */
3954 while (end
- pos
>= 2) {
3955 if (2 + pos
[1] > end
- pos
)
3957 if (pos
[0] == WLAN_EID_EXTENSION
&&
3958 pos
[1] >= 1 + 2 * ETH_ALEN
&&
3959 pos
[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER
)
3964 return; /* No FILS HLP Container elements */
3966 tmp
= os_malloc(end
- pos
);
3970 while (end
- pos
>= 2) {
3971 if (2 + pos
[1] > end
- pos
||
3972 pos
[0] != WLAN_EID_EXTENSION
||
3973 pos
[1] < 1 + 2 * ETH_ALEN
||
3974 pos
[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER
)
3977 os_memcpy(tmp_pos
, pos
+ 3, pos
[1] - 1);
3978 tmp_pos
+= pos
[1] - 1;
3981 /* Add possible fragments */
3982 while (end
- pos
>= 2 && pos
[0] == WLAN_EID_FRAGMENT
&&
3983 2 + pos
[1] <= end
- pos
) {
3984 os_memcpy(tmp_pos
, pos
+ 2, pos
[1]);
3989 fils_process_hlp_resp(sm
, tmp
, tmp_pos
- tmp
);
3996 int fils_process_assoc_resp(struct wpa_sm
*sm
, const u8
*resp
, size_t len
)
3998 const struct ieee80211_mgmt
*mgmt
;
3999 const u8
*end
, *ie_start
;
4000 struct ieee802_11_elems elems
;
4003 struct wpa_gtk_data gd
;
4005 struct wpa_eapol_ie_parse kde
;
4007 if (!sm
|| !sm
->ptk_set
) {
4008 wpa_printf(MSG_DEBUG
, "FILS: No KEK available");
4012 if (!wpa_key_mgmt_fils(sm
->key_mgmt
)) {
4013 wpa_printf(MSG_DEBUG
, "FILS: Not a FILS AKM");
4017 if (sm
->fils_completed
) {
4018 wpa_printf(MSG_DEBUG
,
4019 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
4023 wpa_hexdump(MSG_DEBUG
, "FILS: (Re)Association Response frame",
4026 mgmt
= (const struct ieee80211_mgmt
*) resp
;
4027 if (len
< IEEE80211_HDRLEN
+ sizeof(mgmt
->u
.assoc_resp
))
4031 /* Same offset for Association Response and Reassociation Response */
4032 ie_start
= mgmt
->u
.assoc_resp
.variable
;
4034 if (ieee802_11_parse_elems(ie_start
, end
- ie_start
, &elems
, 1) ==
4036 wpa_printf(MSG_DEBUG
,
4037 "FILS: Failed to parse decrypted elements");
4041 if (!elems
.fils_session
) {
4042 wpa_printf(MSG_DEBUG
, "FILS: No FILS Session element");
4045 if (os_memcmp(elems
.fils_session
, sm
->fils_session
,
4046 FILS_SESSION_LEN
) != 0) {
4047 wpa_printf(MSG_DEBUG
, "FILS: FILS Session mismatch");
4048 wpa_hexdump(MSG_DEBUG
, "FILS: Received FILS Session",
4049 elems
.fils_session
, FILS_SESSION_LEN
);
4050 wpa_hexdump(MSG_DEBUG
, "FILS: Expected FILS Session",
4051 sm
->fils_session
, FILS_SESSION_LEN
);
4054 /* TODO: FILS Public Key */
4056 if (!elems
.fils_key_confirm
) {
4057 wpa_printf(MSG_DEBUG
, "FILS: No FILS Key Confirm element");
4060 if (elems
.fils_key_confirm_len
!= sm
->fils_key_auth_len
) {
4061 wpa_printf(MSG_DEBUG
,
4062 "FILS: Unexpected Key-Auth length %d (expected %d)",
4063 elems
.fils_key_confirm_len
,
4064 (int) sm
->fils_key_auth_len
);
4067 if (os_memcmp(elems
.fils_key_confirm
, sm
->fils_key_auth_ap
,
4068 sm
->fils_key_auth_len
) != 0) {
4069 wpa_printf(MSG_DEBUG
, "FILS: Key-Auth mismatch");
4070 wpa_hexdump(MSG_DEBUG
, "FILS: Received Key-Auth",
4071 elems
.fils_key_confirm
,
4072 elems
.fils_key_confirm_len
);
4073 wpa_hexdump(MSG_DEBUG
, "FILS: Expected Key-Auth",
4074 sm
->fils_key_auth_ap
, sm
->fils_key_auth_len
);
4079 if (!elems
.key_delivery
) {
4080 wpa_printf(MSG_DEBUG
, "FILS: No Key Delivery element");
4084 /* Parse GTK and set the key to the driver */
4085 os_memset(&gd
, 0, sizeof(gd
));
4086 if (wpa_supplicant_parse_ies(elems
.key_delivery
+ WPA_KEY_RSC_LEN
,
4087 elems
.key_delivery_len
- WPA_KEY_RSC_LEN
,
4089 wpa_printf(MSG_DEBUG
, "FILS: Failed to parse KDEs");
4093 wpa_printf(MSG_DEBUG
, "FILS: No GTK KDE");
4096 maxkeylen
= gd
.gtk_len
= kde
.gtk_len
- 2;
4097 if (wpa_supplicant_check_group_cipher(sm
, sm
->group_cipher
,
4098 gd
.gtk_len
, maxkeylen
,
4099 &gd
.key_rsc_len
, &gd
.alg
))
4102 wpa_hexdump_key(MSG_DEBUG
, "FILS: Received GTK", kde
.gtk
, kde
.gtk_len
);
4103 gd
.keyidx
= kde
.gtk
[0] & 0x3;
4104 gd
.tx
= wpa_supplicant_gtk_tx_bit_workaround(sm
,
4105 !!(kde
.gtk
[0] & BIT(2)));
4106 if (kde
.gtk_len
- 2 > sizeof(gd
.gtk
)) {
4107 wpa_printf(MSG_DEBUG
, "FILS: Too long GTK in GTK KDE (len=%lu)",
4108 (unsigned long) kde
.gtk_len
- 2);
4111 os_memcpy(gd
.gtk
, kde
.gtk
+ 2, kde
.gtk_len
- 2);
4113 wpa_printf(MSG_DEBUG
, "FILS: Set GTK to driver");
4114 if (wpa_supplicant_install_gtk(sm
, &gd
, elems
.key_delivery
, 0) < 0) {
4115 wpa_printf(MSG_DEBUG
, "FILS: Failed to set GTK");
4119 if (ieee80211w_set_keys(sm
, &kde
) < 0) {
4120 wpa_printf(MSG_DEBUG
, "FILS: Failed to set IGTK");
4124 alg
= wpa_cipher_to_alg(sm
->pairwise_cipher
);
4125 keylen
= wpa_cipher_key_len(sm
->pairwise_cipher
);
4126 if (keylen
<= 0 || (unsigned int) keylen
!= sm
->ptk
.tk_len
) {
4127 wpa_printf(MSG_DEBUG
, "FILS: TK length mismatch: %u != %lu",
4128 keylen
, (long unsigned int) sm
->ptk
.tk_len
);
4131 rsclen
= wpa_cipher_rsc_len(sm
->pairwise_cipher
);
4132 wpa_hexdump_key(MSG_DEBUG
, "FILS: Set TK to driver",
4133 sm
->ptk
.tk
, keylen
);
4134 if (wpa_sm_set_key(sm
, alg
, sm
->bssid
, 0, 1, null_rsc
, rsclen
,
4135 sm
->ptk
.tk
, keylen
) < 0) {
4136 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
4137 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
4139 alg
, keylen
, MAC2STR(sm
->bssid
));
4143 /* TODO: TK could be cleared after auth frame exchange now that driver
4144 * takes care of association frame encryption/decryption. */
4145 /* TK is not needed anymore in supplicant */
4146 os_memset(sm
->ptk
.tk
, 0, WPA_TK_MAX_LEN
);
4148 sm
->ptk
.installed
= 1;
4150 /* FILS HLP Container */
4151 fils_process_hlp_container(sm
, ie_start
, end
- ie_start
);
4153 /* TODO: FILS IP Address Assignment */
4155 wpa_printf(MSG_DEBUG
, "FILS: Auth+Assoc completed successfully");
4156 sm
->fils_completed
= 1;
4164 void wpa_sm_set_reset_fils_completed(struct wpa_sm
*sm
, int set
)
4167 sm
->fils_completed
= !!set
;
4170 #endif /* CONFIG_FILS */
4173 int wpa_fils_is_completed(struct wpa_sm
*sm
)
4176 return sm
&& sm
->fils_completed
;
4177 #else /* CONFIG_FILS */
4179 #endif /* CONFIG_FILS */
4185 struct wpabuf
* owe_build_assoc_req(struct wpa_sm
*sm
, u16 group
)
4187 struct wpabuf
*ie
= NULL
, *pub
= NULL
;
4192 else if (group
== 20)
4194 else if (group
== 21)
4199 crypto_ecdh_deinit(sm
->owe_ecdh
);
4200 sm
->owe_ecdh
= crypto_ecdh_init(group
);
4203 sm
->owe_group
= group
;
4204 pub
= crypto_ecdh_get_pubkey(sm
->owe_ecdh
, 0);
4205 pub
= wpabuf_zeropad(pub
, prime_len
);
4209 ie
= wpabuf_alloc(5 + wpabuf_len(pub
));
4212 wpabuf_put_u8(ie
, WLAN_EID_EXTENSION
);
4213 wpabuf_put_u8(ie
, 1 + 2 + wpabuf_len(pub
));
4214 wpabuf_put_u8(ie
, WLAN_EID_EXT_OWE_DH_PARAM
);
4215 wpabuf_put_le16(ie
, group
);
4216 wpabuf_put_buf(ie
, pub
);
4218 wpa_hexdump_buf(MSG_DEBUG
, "OWE: Diffie-Hellman Parameter element",
4224 crypto_ecdh_deinit(sm
->owe_ecdh
);
4225 sm
->owe_ecdh
= NULL
;
4230 int owe_process_assoc_resp(struct wpa_sm
*sm
, const u8
*bssid
,
4231 const u8
*resp_ies
, size_t resp_ies_len
)
4233 struct ieee802_11_elems elems
;
4235 struct wpabuf
*secret
, *pub
, *hkey
;
4237 u8 prk
[SHA512_MAC_LEN
], pmkid
[SHA512_MAC_LEN
];
4238 const char *info
= "OWE Key Generation";
4241 size_t hash_len
, prime_len
;
4242 struct wpa_ie_data data
;
4245 ieee802_11_parse_elems(resp_ies
, resp_ies_len
, &elems
, 1) ==
4247 wpa_printf(MSG_INFO
,
4248 "OWE: Could not parse Association Response frame elements");
4252 if (sm
->cur_pmksa
&& elems
.rsn_ie
&&
4253 wpa_parse_wpa_ie_rsn(elems
.rsn_ie
- 2, 2 + elems
.rsn_ie_len
,
4255 data
.num_pmkid
== 1 && data
.pmkid
&&
4256 os_memcmp(sm
->cur_pmksa
->pmkid
, data
.pmkid
, PMKID_LEN
) == 0) {
4257 wpa_printf(MSG_DEBUG
, "OWE: Use PMKSA caching");
4258 wpa_sm_set_pmk_from_pmksa(sm
);
4262 if (!elems
.owe_dh
) {
4263 wpa_printf(MSG_INFO
,
4264 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
4268 group
= WPA_GET_LE16(elems
.owe_dh
);
4269 if (group
!= sm
->owe_group
) {
4270 wpa_printf(MSG_INFO
,
4271 "OWE: Unexpected Diffie-Hellman group in response: %u",
4276 if (!sm
->owe_ecdh
) {
4277 wpa_printf(MSG_INFO
, "OWE: No ECDH state available");
4283 else if (group
== 20)
4285 else if (group
== 21)
4290 secret
= crypto_ecdh_set_peerkey(sm
->owe_ecdh
, 0,
4292 elems
.owe_dh_len
- 2);
4293 secret
= wpabuf_zeropad(secret
, prime_len
);
4295 wpa_printf(MSG_DEBUG
, "OWE: Invalid peer DH public key");
4298 wpa_hexdump_buf_key(MSG_DEBUG
, "OWE: DH shared secret", secret
);
4300 /* prk = HKDF-extract(C | A | group, z) */
4302 pub
= crypto_ecdh_get_pubkey(sm
->owe_ecdh
, 0);
4304 wpabuf_clear_free(secret
);
4308 /* PMKID = Truncate-128(Hash(C | A)) */
4309 addr
[0] = wpabuf_head(pub
);
4310 len
[0] = wpabuf_len(pub
);
4311 addr
[1] = elems
.owe_dh
+ 2;
4312 len
[1] = elems
.owe_dh_len
- 2;
4314 res
= sha256_vector(2, addr
, len
, pmkid
);
4315 hash_len
= SHA256_MAC_LEN
;
4316 } else if (group
== 20) {
4317 res
= sha384_vector(2, addr
, len
, pmkid
);
4318 hash_len
= SHA384_MAC_LEN
;
4319 } else if (group
== 21) {
4320 res
= sha512_vector(2, addr
, len
, pmkid
);
4321 hash_len
= SHA512_MAC_LEN
;
4326 pub
= wpabuf_zeropad(pub
, prime_len
);
4327 if (res
< 0 || !pub
) {
4329 wpabuf_clear_free(secret
);
4333 hkey
= wpabuf_alloc(wpabuf_len(pub
) + elems
.owe_dh_len
- 2 + 2);
4336 wpabuf_clear_free(secret
);
4340 wpabuf_put_buf(hkey
, pub
); /* C */
4342 wpabuf_put_data(hkey
, elems
.owe_dh
+ 2, elems
.owe_dh_len
- 2); /* A */
4343 wpabuf_put_le16(hkey
, sm
->owe_group
); /* group */
4345 res
= hmac_sha256(wpabuf_head(hkey
), wpabuf_len(hkey
),
4346 wpabuf_head(secret
), wpabuf_len(secret
), prk
);
4347 else if (group
== 20)
4348 res
= hmac_sha384(wpabuf_head(hkey
), wpabuf_len(hkey
),
4349 wpabuf_head(secret
), wpabuf_len(secret
), prk
);
4350 else if (group
== 21)
4351 res
= hmac_sha512(wpabuf_head(hkey
), wpabuf_len(hkey
),
4352 wpabuf_head(secret
), wpabuf_len(secret
), prk
);
4353 wpabuf_clear_free(hkey
);
4354 wpabuf_clear_free(secret
);
4358 wpa_hexdump_key(MSG_DEBUG
, "OWE: prk", prk
, hash_len
);
4360 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
4363 res
= hmac_sha256_kdf(prk
, hash_len
, NULL
, (const u8
*) info
,
4364 os_strlen(info
), sm
->pmk
, hash_len
);
4365 else if (group
== 20)
4366 res
= hmac_sha384_kdf(prk
, hash_len
, NULL
, (const u8
*) info
,
4367 os_strlen(info
), sm
->pmk
, hash_len
);
4368 else if (group
== 21)
4369 res
= hmac_sha512_kdf(prk
, hash_len
, NULL
, (const u8
*) info
,
4370 os_strlen(info
), sm
->pmk
, hash_len
);
4371 os_memset(prk
, 0, SHA512_MAC_LEN
);
4374 sm
->pmk_len
= hash_len
;
4376 wpa_hexdump_key(MSG_DEBUG
, "OWE: PMK", sm
->pmk
, sm
->pmk_len
);
4377 wpa_hexdump(MSG_DEBUG
, "OWE: PMKID", pmkid
, PMKID_LEN
);
4378 pmksa_cache_add(sm
->pmksa
, sm
->pmk
, sm
->pmk_len
, pmkid
, NULL
, 0,
4379 bssid
, sm
->own_addr
, sm
->network_ctx
, sm
->key_mgmt
,
4385 #endif /* CONFIG_OWE */
4388 void wpa_sm_set_fils_cache_id(struct wpa_sm
*sm
, const u8
*fils_cache_id
)
4391 if (sm
&& fils_cache_id
) {
4392 sm
->fils_cache_id_set
= 1;
4393 os_memcpy(sm
->fils_cache_id
, fils_cache_id
, FILS_CACHE_ID_LEN
);
4395 #endif /* CONFIG_FILS */