]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
FILS: Association Response processing (STA)
[thirdparty/hostap.git] / src / ap / wpa_auth.c
CommitLineData
6fc6879b 1/*
00338a4f 2 * IEEE 802.11 RSN / WPA Authenticator
98cd3d1c 3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
6fc6879b 4 *
0f3d578e
JM		 5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
6fc6879b
JM		 7 */
8
6226e38d 9#include "utils/includes.h"
6fc6879b 10
6226e38d
JM		 11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "utils/state_machine.h"
25ef8529 14#include "utils/bitfield.h"
81f4f619 15#include "common/ieee802_11_defs.h"
3b5b7aa8 16#include "crypto/aes.h"
03da66bd 17#include "crypto/aes_wrap.h"
3b5b7aa8 18#include "crypto/aes_siv.h"
03da66bd
JM		 19#include "crypto/crypto.h"
20#include "crypto/sha1.h"
21#include "crypto/sha256.h"
3642c431 22#include "crypto/random.h"
281c950b 23#include "eapol_auth/eapol_auth_sm.h"
6226e38d 24#include "ap_config.h"
6fc6879b 25#include "ieee802_11.h"
6226e38d
JM		 26#include "wpa_auth.h"
27#include "pmksa_cache_auth.h"
6fc6879b
JM		 28#include "wpa_auth_i.h"
29#include "wpa_auth_ie.h"
30
31#define STATE_MACHINE_DATA struct wpa_state_machine
32#define STATE_MACHINE_DEBUG_PREFIX "WPA"
33#define STATE_MACHINE_ADDR sm->addr
34
35
36static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
e4a6ea1d 37static int wpa_sm_step(struct wpa_state_machine *sm);
929a2ea5
JM		 38static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
39 size_t data_len);
75c8563e
JM		 40#ifdef CONFIG_FILS
41static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
42 u8 *buf, size_t buf_len, u16 *_key_data_len);
43#endif /* CONFIG_FILS */
6fc6879b
JM		 44static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
45static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
46 struct wpa_group *group);
581a8cde 47static void wpa_request_new_ptk(struct wpa_state_machine *sm);
e6965d4e
JM		 48static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
49 struct wpa_group *group);
1bdb7ab3
JM		 50static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
51 struct wpa_group *group);
f23c5b17 52static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 53 const u8 *pmk, unsigned int pmk_len,
54 struct wpa_ptk *ptk);
a0ad9e8c
MB		 55static void wpa_group_free(struct wpa_authenticator *wpa_auth,
56 struct wpa_group *group);
57static void wpa_group_get(struct wpa_authenticator *wpa_auth,
58 struct wpa_group *group);
59static void wpa_group_put(struct wpa_authenticator *wpa_auth,
60 struct wpa_group *group);
e73ffa09 61static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
6fc6879b 62
bae61562
JM		 63static const u32 dot11RSNAConfigGroupUpdateCount = 4;
64static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
65static const u32 eapol_key_timeout_first = 100; /* ms */
66static const u32 eapol_key_timeout_subseq = 1000; /* ms */
00338a4f 67static const u32 eapol_key_timeout_first_group = 500; /* ms */
6fc6879b
JM		 68
69/* TODO: make these configurable */
70static const int dot11RSNAConfigPMKLifetime = 43200;
71static const int dot11RSNAConfigPMKReauthThreshold = 70;
72static const int dot11RSNAConfigSATimeout = 60;
73
74
c772d054 75static inline int wpa_auth_mic_failure_report(
6fc6879b
JM		 76 struct wpa_authenticator *wpa_auth, const u8 *addr)
77{
78 if (wpa_auth->cb.mic_failure_report)
c772d054
JM		 79 return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr);
80 return 0;
6fc6879b
JM		 81}
82
83
2c502460
JM		 84static inline void wpa_auth_psk_failure_report(
85 struct wpa_authenticator *wpa_auth, const u8 *addr)
86{
87 if (wpa_auth->cb.psk_failure_report)
88 wpa_auth->cb.psk_failure_report(wpa_auth->cb.ctx, addr);
89}
90
91
6fc6879b
JM		 92static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
93 const u8 *addr, wpa_eapol_variable var,
94 int value)
95{
96 if (wpa_auth->cb.set_eapol)
97 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value);
98}
99
100
101static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
102 const u8 *addr, wpa_eapol_variable var)
103{
104 if (wpa_auth->cb.get_eapol == NULL)
105 return -1;
106 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var);
107}
108
109
110static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
759fd76b
JM		 111 const u8 *addr,
112 const u8 *p2p_dev_addr,
113 const u8 *prev_psk)
6fc6879b
JM		 114{
115 if (wpa_auth->cb.get_psk == NULL)
116 return NULL;
759fd76b
JM		 117 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr,
118 prev_psk);
6fc6879b
JM		 119}
120
121
122static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
123 const u8 *addr, u8 *msk, size_t *len)
124{
125 if (wpa_auth->cb.get_msk == NULL)
126 return -1;
127 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len);
128}
129
130
131static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
132 int vlan_id,
71934751 133 enum wpa_alg alg, const u8 *addr, int idx,
6fc6879b
JM		 134 u8 *key, size_t key_len)
135{
136 if (wpa_auth->cb.set_key == NULL)
137 return -1;
138 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx,
139 key, key_len);
140}
141
142
143static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
144 const u8 *addr, int idx, u8 *seq)
145{
146 if (wpa_auth->cb.get_seqnum == NULL)
147 return -1;
148 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq);
149}
150
151
6fc6879b
JM		 152static inline int
153wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
154 const u8 *data, size_t data_len, int encrypt)
155{
156 if (wpa_auth->cb.send_eapol == NULL)
157 return -1;
158 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len,
159 encrypt);
160}
161
162
c50d94f1
BC		 163#ifdef CONFIG_MESH
164static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
165 const u8 *addr)
166{
167 if (wpa_auth->cb.start_ampe == NULL)
168 return -1;
169 return wpa_auth->cb.start_ampe(wpa_auth->cb.ctx, addr);
170}
171#endif /* CONFIG_MESH */
172
173
6fc6879b
JM		 174int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
175 int (*cb)(struct wpa_state_machine *sm, void *ctx),
176 void *cb_ctx)
177{
178 if (wpa_auth->cb.for_each_sta == NULL)
179 return 0;
180 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx);
181}
182
183
bf98f7f3
JM		 184int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
185 int (*cb)(struct wpa_authenticator *a, void *ctx),
186 void *cb_ctx)
187{
188 if (wpa_auth->cb.for_each_auth == NULL)
189 return 0;
190 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx);
191}
192
193
6fc6879b
JM		 194void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
195 logger_level level, const char *txt)
196{
197 if (wpa_auth->cb.logger == NULL)
198 return;
199 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt);
200}
201
202
203void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
204 logger_level level, const char *fmt, ...)
205{
206 char *format;
207 int maxlen;
208 va_list ap;
209
210 if (wpa_auth->cb.logger == NULL)
211 return;
212
213 maxlen = os_strlen(fmt) + 100;
214 format = os_malloc(maxlen);
215 if (!format)
216 return;
217
218 va_start(ap, fmt);
219 vsnprintf(format, maxlen, fmt, ap);
220 va_end(ap);
221
222 wpa_auth_logger(wpa_auth, addr, level, format);
223
224 os_free(format);
225}
226
227
228static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
229 const u8 *addr)
230{
231 if (wpa_auth->cb.disconnect == NULL)
232 return;
afcc9ea1 233 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
6fc6879b
JM		 234 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr,
235 WLAN_REASON_PREV_AUTH_NOT_VALID);
236}
237
238
239static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
240{
56586197 241 int ret = 0;
6fc6879b 242#ifdef CONFIG_IEEE80211R
56586197
JM		 243 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
244 ret = 1;
6fc6879b 245#endif /* CONFIG_IEEE80211R */
56586197
JM		 246#ifdef CONFIG_IEEE80211W
247 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
248 ret = 1;
249#endif /* CONFIG_IEEE80211W */
a14896e8
JM		 250 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
251 ret = 1;
56586197 252 return ret;
6fc6879b
JM		 253}
254
255
256static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
257{
258 struct wpa_authenticator *wpa_auth = eloop_ctx;
259
3642c431 260 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
6fc6879b
JM		 261 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
262 "initialization.");
263 } else {
264 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
5cb9d5c3
JM		 265 wpa_hexdump_key(MSG_DEBUG, "GMK",
266 wpa_auth->group->GMK, WPA_GMK_LEN);
6fc6879b
JM		 267 }
268
269 if (wpa_auth->conf.wpa_gmk_rekey) {
270 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
271 wpa_rekey_gmk, wpa_auth, NULL);
272 }
273}
274
275
276static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
277{
278 struct wpa_authenticator *wpa_auth = eloop_ctx;
a0ad9e8c 279 struct wpa_group *group, *next;
6fc6879b
JM		 280
281 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
a0ad9e8c
MB		 282 group = wpa_auth->group;
283 while (group) {
284 wpa_group_get(wpa_auth, group);
285
6fc6879b
JM		 286 group->GTKReKey = TRUE;
287 do {
288 group->changed = FALSE;
289 wpa_group_sm_step(wpa_auth, group);
290 } while (group->changed);
a0ad9e8c
MB		 291
292 next = group->next;
293 wpa_group_put(wpa_auth, group);
294 group = next;
6fc6879b
JM		 295 }
296
297 if (wpa_auth->conf.wpa_group_rekey) {
298 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
299 0, wpa_rekey_gtk, wpa_auth, NULL);
300 }
301}
302
303
581a8cde
JM		 304static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
305{
306 struct wpa_authenticator *wpa_auth = eloop_ctx;
307 struct wpa_state_machine *sm = timeout_ctx;
308
309 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
310 wpa_request_new_ptk(sm);
311 wpa_sm_step(sm);
312}
313
314
6fc6879b
JM		 315static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
316{
317 if (sm->pmksa == ctx)
318 sm->pmksa = NULL;
319 return 0;
320}
321
322
323static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
324 void *ctx)
325{
326 struct wpa_authenticator *wpa_auth = ctx;
327 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
328}
329
330
1bdb7ab3
JM		 331static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
332 struct wpa_group *group)
333{
559cdabb 334 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
1bdb7ab3 335 u8 rkey[32];
559cdabb 336 unsigned long ptr;
1bdb7ab3 337
3642c431 338 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
1bdb7ab3
JM		 339 return -1;
340 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
341
342 /*
343 * Counter = PRF-256(Random number, "Init Counter",
344 * Local MAC Address || Time)
345 */
346 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
347 wpa_get_ntp_timestamp(buf + ETH_ALEN);
559cdabb
JM		 348 ptr = (unsigned long) group;
349 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
3642c431 350 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
1bdb7ab3
JM		 351 return -1;
352
353 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
354 group->Counter, WPA_NONCE_LEN) < 0)
355 return -1;
356 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
357 group->Counter, WPA_NONCE_LEN);
358
359 return 0;
360}
361
362
e6965d4e 363static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
bdffdc5d 364 int vlan_id, int delay_init)
e6965d4e
JM		 365{
366 struct wpa_group *group;
e6965d4e
JM		 367
368 group = os_zalloc(sizeof(struct wpa_group));
369 if (group == NULL)
370 return NULL;
371
372 group->GTKAuthenticator = TRUE;
373 group->vlan_id = vlan_id;
c3550295 374 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
6fc6879b 375
08704cd8
JM		 376 if (random_pool_ready() != 1) {
377 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
378 "for secure operations - update keys later when "
379 "the first station connects");
380 }
381
1bdb7ab3
JM		 382 /*
383 * Set initial GMK/Counter value here. The actual values that will be
384 * used in negotiations will be set once the first station tries to
385 * connect. This allows more time for collecting additional randomness
386 * on embedded devices.
6fc6879b 387 */
1bdb7ab3 388 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
6fc6879b
JM		 389 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
390 "initialization.");
391 os_free(group);
392 return NULL;
393 }
6fc6879b
JM		 394
395 group->GInit = TRUE;
bdffdc5d
JM		 396 if (delay_init) {
397 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
398 "until Beacon frames have been configured");
399 /* Initialization is completed in wpa_init_keys(). */
400 } else {
401 wpa_group_sm_step(wpa_auth, group);
402 group->GInit = FALSE;
403 wpa_group_sm_step(wpa_auth, group);
404 }
6fc6879b
JM		 405
406 return group;
407}
408
409
410/**
411 * wpa_init - Initialize WPA authenticator
412 * @addr: Authenticator address
413 * @conf: Configuration for WPA authenticator
a17df5fb 414 * @cb: Callback functions for WPA authenticator
6fc6879b
JM		 415 * Returns: Pointer to WPA authenticator data or %NULL on failure
416 */
417struct wpa_authenticator * wpa_init(const u8 *addr,
418 struct wpa_auth_config *conf,
419 struct wpa_auth_callbacks *cb)
420{
421 struct wpa_authenticator *wpa_auth;
422
423 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
424 if (wpa_auth == NULL)
425 return NULL;
426 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
427 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
428 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb));
429
430 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
431 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
432 os_free(wpa_auth);
433 return NULL;
434 }
435
bdffdc5d 436 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
6fc6879b
JM		 437 if (wpa_auth->group == NULL) {
438 os_free(wpa_auth->wpa_ie);
439 os_free(wpa_auth);
440 return NULL;
441 }
442
4bb081f1
JM		 443 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
444 wpa_auth);
6fc6879b
JM		 445 if (wpa_auth->pmksa == NULL) {
446 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
27d9701d 447 os_free(wpa_auth->group);
6fc6879b
JM		 448 os_free(wpa_auth->wpa_ie);
449 os_free(wpa_auth);
450 return NULL;
451 }
452
453#ifdef CONFIG_IEEE80211R
454 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
455 if (wpa_auth->ft_pmk_cache == NULL) {
456 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
27d9701d 457 os_free(wpa_auth->group);
6fc6879b 458 os_free(wpa_auth->wpa_ie);
4bb081f1 459 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b
JM		 460 os_free(wpa_auth);
461 return NULL;
462 }
463#endif /* CONFIG_IEEE80211R */
464
465 if (wpa_auth->conf.wpa_gmk_rekey) {
466 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
467 wpa_rekey_gmk, wpa_auth, NULL);
468 }
469
470 if (wpa_auth->conf.wpa_group_rekey) {
471 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
472 wpa_rekey_gtk, wpa_auth, NULL);
473 }
474
25ef8529
JM		 475#ifdef CONFIG_P2P
476 if (WPA_GET_BE32(conf->ip_addr_start)) {
477 int count = WPA_GET_BE32(conf->ip_addr_end) -
478 WPA_GET_BE32(conf->ip_addr_start) + 1;
479 if (count > 1000)
480 count = 1000;
481 if (count > 0)
482 wpa_auth->ip_pool = bitfield_alloc(count);
483 }
484#endif /* CONFIG_P2P */
485
6fc6879b
JM		 486 return wpa_auth;
487}
488
489
bdffdc5d
JM		 490int wpa_init_keys(struct wpa_authenticator *wpa_auth)
491{
492 struct wpa_group *group = wpa_auth->group;
493
494 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
495 "keys");
496 wpa_group_sm_step(wpa_auth, group);
497 group->GInit = FALSE;
498 wpa_group_sm_step(wpa_auth, group);
7d7f7be2
JM		 499 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
500 return -1;
bdffdc5d
JM		 501 return 0;
502}
503
504
6fc6879b
JM		 505/**
506 * wpa_deinit - Deinitialize WPA authenticator
507 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
508 */
509void wpa_deinit(struct wpa_authenticator *wpa_auth)
510{
511 struct wpa_group *group, *prev;
512
513 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
514 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
515
516#ifdef CONFIG_PEERKEY
517 while (wpa_auth->stsl_negotiations)
518 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations);
519#endif /* CONFIG_PEERKEY */
520
4bb081f1 521 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b
JM		 522
523#ifdef CONFIG_IEEE80211R
524 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
525 wpa_auth->ft_pmk_cache = NULL;
526#endif /* CONFIG_IEEE80211R */
527
25ef8529
JM		 528#ifdef CONFIG_P2P
529 bitfield_free(wpa_auth->ip_pool);
530#endif /* CONFIG_P2P */
531
532
6fc6879b
JM		 533 os_free(wpa_auth->wpa_ie);
534
535 group = wpa_auth->group;
536 while (group) {
537 prev = group;
538 group = group->next;
539 os_free(prev);
540 }
541
542 os_free(wpa_auth);
543}
544
545
546/**
547 * wpa_reconfig - Update WPA authenticator configuration
548 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
549 * @conf: Configuration for WPA authenticator
550 */
551int wpa_reconfig(struct wpa_authenticator *wpa_auth,
552 struct wpa_auth_config *conf)
553{
e6965d4e 554 struct wpa_group *group;
6fc6879b
JM		 555 if (wpa_auth == NULL)
556 return 0;
557
558 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
ad08c363
JM		 559 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
560 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
561 return -1;
562 }
563
e6965d4e
JM		 564 /*
565 * Reinitialize GTK to make sure it is suitable for the new
566 * configuration.
567 */
568 group = wpa_auth->group;
c3550295 569 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
e6965d4e
JM		 570 group->GInit = TRUE;
571 wpa_group_sm_step(wpa_auth, group);
572 group->GInit = FALSE;
573 wpa_group_sm_step(wpa_auth, group);
574
6fc6879b
JM		 575 return 0;
576}
577
578
579struct wpa_state_machine *
94ddef3e
JM		 580wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
581 const u8 *p2p_dev_addr)
6fc6879b
JM		 582{
583 struct wpa_state_machine *sm;
584
7d7f7be2
JM		 585 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
586 return NULL;
587
6fc6879b
JM		 588 sm = os_zalloc(sizeof(struct wpa_state_machine));
589 if (sm == NULL)
590 return NULL;
591 os_memcpy(sm->addr, addr, ETH_ALEN);
94ddef3e
JM		 592 if (p2p_dev_addr)
593 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
6fc6879b
JM		 594
595 sm->wpa_auth = wpa_auth;
596 sm->group = wpa_auth->group;
a0ad9e8c 597 wpa_group_get(sm->wpa_auth, sm->group);
6fc6879b
JM		 598
599 return sm;
600}
601
602
6f9b5d16
JM		 603int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
604 struct wpa_state_machine *sm)
6fc6879b
JM		 605{
606 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
6f9b5d16 607 return -1;
6fc6879b
JM		 608
609#ifdef CONFIG_IEEE80211R
610 if (sm->ft_completed) {
611 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
612 "FT authentication already completed - do not "
613 "start 4-way handshake");
3d4d2348
JM		 614 /* Go to PTKINITDONE state to allow GTK rekeying */
615 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
6f9b5d16 616 return 0;
6fc6879b
JM		 617 }
618#endif /* CONFIG_IEEE80211R */
619
620 if (sm->started) {
22a299ee 621 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
6fc6879b 622 sm->ReAuthenticationRequest = TRUE;
6f9b5d16 623 return wpa_sm_step(sm);
6fc6879b
JM		 624 }
625
626 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
627 "start authentication");
628 sm->started = 1;
629
630 sm->Init = TRUE;
e4a6ea1d 631 if (wpa_sm_step(sm) == 1)
6f9b5d16 632 return 1; /* should not really happen */
6fc6879b
JM		 633 sm->Init = FALSE;
634 sm->AuthenticationRequest = TRUE;
6f9b5d16 635 return wpa_sm_step(sm);
6fc6879b
JM		 636}
637
638
a8d05fca
JM		 639void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
640{
641 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
642 * reassociates back to the same AP while the previous entry for the
643 * STA has not yet been removed. */
644 if (sm == NULL)
645 return;
646
647 sm->wpa_key_mgmt = 0;
648}
649
650
6fc6879b
JM		 651static void wpa_free_sta_sm(struct wpa_state_machine *sm)
652{
25ef8529
JM		 653#ifdef CONFIG_P2P
654 if (WPA_GET_BE32(sm->ip_addr)) {
655 u32 start;
656 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
657 "address %u.%u.%u.%u from " MACSTR,
658 sm->ip_addr[0], sm->ip_addr[1],
659 sm->ip_addr[2], sm->ip_addr[3],
660 MAC2STR(sm->addr));
661 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
662 bitfield_clear(sm->wpa_auth->ip_pool,
663 WPA_GET_BE32(sm->ip_addr) - start);
664 }
665#endif /* CONFIG_P2P */
2ade8ef2
JM		 666 if (sm->GUpdateStationKeys) {
667 sm->group->GKeyDoneStations--;
668 sm->GUpdateStationKeys = FALSE;
669 }
0f857f43
JM		 670#ifdef CONFIG_IEEE80211R
671 os_free(sm->assoc_resp_ftie);
692ec305 672 wpabuf_free(sm->ft_pending_req_ies);
0f857f43 673#endif /* CONFIG_IEEE80211R */
6fc6879b
JM		 674 os_free(sm->last_rx_eapol_key);
675 os_free(sm->wpa_ie);
a0ad9e8c 676 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b
JM		 677 os_free(sm);
678}
679
680
681void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
682{
683 if (sm == NULL)
684 return;
685
686 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
687 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
688 "strict rekeying - force GTK rekey since STA "
689 "is leaving");
690 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
691 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
692 NULL);
693 }
694
695 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
e4bf4db9 696 sm->pending_1_of_4_timeout = 0;
6fc6879b 697 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
581a8cde 698 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 699 if (sm->in_step_loop) {
700 /* Must not free state machine while wpa_sm_step() is running.
701 * Freeing will be completed in the end of wpa_sm_step(). */
702 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
703 "machine deinit for " MACSTR, MAC2STR(sm->addr));
704 sm->pending_deinit = 1;
705 } else
706 wpa_free_sta_sm(sm);
707}
708
709
710static void wpa_request_new_ptk(struct wpa_state_machine *sm)
711{
712 if (sm == NULL)
713 return;
714
715 sm->PTKRequest = TRUE;
716 sm->PTK_valid = 0;
717}
718
719
68921e24 720static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
22a299ee
JM		 721 const u8 *replay_counter)
722{
723 int i;
724 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
68921e24 725 if (!ctr[i].valid)
22a299ee 726 break;
68921e24 727 if (os_memcmp(replay_counter, ctr[i].counter,
22a299ee
JM		 728 WPA_REPLAY_COUNTER_LEN) == 0)
729 return 1;
730 }
731 return 0;
732}
733
734
68921e24
JM		 735static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
736 const u8 *replay_counter)
737{
738 int i;
739 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
740 if (ctr[i].valid &&
741 (replay_counter == NULL ||
742 os_memcmp(replay_counter, ctr[i].counter,
743 WPA_REPLAY_COUNTER_LEN) == 0))
744 ctr[i].valid = FALSE;
745 }
746}
747
748
0f857f43
JM		 749#ifdef CONFIG_IEEE80211R
750static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
751 struct wpa_state_machine *sm,
752 struct wpa_eapol_ie_parse *kde)
753{
754 struct wpa_ie_data ie;
755 struct rsn_mdie *mdie;
756
757 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
758 ie.num_pmkid != 1 || ie.pmkid == NULL) {
759 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
760 "FT 4-way handshake message 2/4");
761 return -1;
762 }
763
764 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
765 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
766 sm->sup_pmk_r1_name, PMKID_LEN);
767
768 if (!kde->mdie || !kde->ftie) {
769 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
770 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
771 return -1;
772 }
773
774 mdie = (struct rsn_mdie *) (kde->mdie + 2);
775 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
776 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
777 MOBILITY_DOMAIN_ID_LEN) != 0) {
778 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
779 return -1;
780 }
781
782 if (sm->assoc_resp_ftie &&
783 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
784 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
785 2 + sm->assoc_resp_ftie[1]) != 0)) {
786 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
787 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
788 kde->ftie, kde->ftie_len);
789 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
790 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
791 return -1;
792 }
793
794 return 0;
795}
796#endif /* CONFIG_IEEE80211R */
797
798
c772d054
JM		 799static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
800 struct wpa_state_machine *sm, int group)
ec027805
JM		 801{
802 /* Supplicant reported a Michael MIC error */
803 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
804 "received EAPOL-Key Error Request "
805 "(STA detected Michael MIC failure (group=%d))",
806 group);
fbc72d32
JM		 807
808 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
809 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
810 "ignore Michael MIC failure report since "
811 "group cipher is not TKIP");
812 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
813 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
814 "ignore Michael MIC failure report since "
815 "pairwise cipher is not TKIP");
816 } else {
c772d054
JM		 817 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
818 return 1; /* STA entry was removed */
fbc72d32
JM		 819 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
820 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
821 }
ec027805
JM		 822
823 /*
824 * Error report is not a request for a new key handshake, but since
825 * Authenticator may do it, let's change the keys now anyway.
826 */
827 wpa_request_new_ptk(sm);
c772d054 828 return 0;
ec027805
JM		 829}
830
831
f23c5b17
JM		 832static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
833 size_t data_len)
834{
835 struct wpa_ptk PTK;
836 int ok = 0;
837 const u8 *pmk = NULL;
207976f0 838 unsigned int pmk_len;
f23c5b17 839
b729fd8d 840 os_memset(&PTK, 0, sizeof(PTK));
f23c5b17
JM		 841 for (;;) {
842 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
843 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
844 sm->p2p_dev_addr, pmk);
845 if (pmk == NULL)
846 break;
207976f0
JM		 847 pmk_len = PMK_LEN;
848 } else {
f23c5b17 849 pmk = sm->PMK;
207976f0
JM		 850 pmk_len = sm->pmk_len;
851 }
f23c5b17 852
207976f0 853 wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK);
f23c5b17
JM		 854
855 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, data, data_len)
856 == 0) {
857 ok = 1;
858 break;
859 }
860
861 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
862 break;
863 }
864
865 if (!ok) {
866 wpa_printf(MSG_DEBUG,
867 "WPA: Earlier SNonce did not result in matching MIC");
868 return -1;
869 }
870
871 wpa_printf(MSG_DEBUG,
872 "WPA: Earlier SNonce resulted in matching MIC");
873 sm->alt_snonce_valid = 0;
874 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
875 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
876 sm->PTK_valid = TRUE;
877
878 return 0;
879}
880
881
6fc6879b
JM		 882void wpa_receive(struct wpa_authenticator *wpa_auth,
883 struct wpa_state_machine *sm,
884 u8 *data, size_t data_len)
885{
886 struct ieee802_1x_hdr *hdr;
887 struct wpa_eapol_key *key;
888 u16 key_info, key_data_length;
889 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
890 SMK_M1, SMK_M3, SMK_ERROR } msg;
891 char *msgtxt;
892 struct wpa_eapol_ie_parse kde;
3b5b7aa8
JM		 893 const u8 *key_data;
894 size_t keyhdrlen, mic_len;
6d014ffc 895 u8 *mic;
6fc6879b
JM		 896
897 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
898 return;
dc5bad48 899 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
6fc6879b 900
5e3b5197 901 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
6d014ffc 902 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197 903
dc5bad48
JM		 904 if (data_len < sizeof(*hdr) + keyhdrlen) {
905 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
6fc6879b 906 return;
dc5bad48 907 }
6fc6879b
JM		 908
909 hdr = (struct ieee802_1x_hdr *) data;
910 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 911 mic = (u8 *) (key + 1);
6fc6879b 912 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 913 key_data = mic + mic_len + 2;
914 key_data_length = WPA_GET_BE16(mic + mic_len);
0d442aff 915 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
dc5bad48
JM		 916 " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
917 MAC2STR(sm->addr), key_info, key->type,
918 (unsigned int) mic_len, key_data_length);
919 wpa_hexdump(MSG_MSGDUMP,
920 "WPA: EAPOL-Key header (ending before Key MIC)",
921 key, sizeof(*key));
922 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
923 mic, mic_len);
5e3b5197 924 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
6fc6879b
JM		 925 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
926 "key_data overflow (%d > %lu)",
927 key_data_length,
928 (unsigned long) (data_len - sizeof(*hdr) -
5e3b5197 929 keyhdrlen));
6fc6879b
JM		 930 return;
931 }
932
f8e96eb6 933 if (sm->wpa == WPA_VERSION_WPA2) {
74590e71
JM		 934 if (key->type == EAPOL_KEY_TYPE_WPA) {
935 /*
936 * Some deployed station implementations seem to send
937 * msg 4/4 with incorrect type value in WPA2 mode.
938 */
939 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
940 "with unexpected WPA type in RSN mode");
941 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
f8e96eb6
JM		 942 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
943 "unexpected type %d in RSN mode",
944 key->type);
945 return;
946 }
947 } else {
948 if (key->type != EAPOL_KEY_TYPE_WPA) {
949 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
950 "unexpected type %d in WPA mode",
951 key->type);
952 return;
953 }
954 }
955
bc8318ac
JM		 956 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
957 WPA_NONCE_LEN);
958 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
959 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
960
6fc6879b
JM		 961 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
962 * are set */
963
964 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
965 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
966 if (key_info & WPA_KEY_INFO_ERROR) {
967 msg = SMK_ERROR;
968 msgtxt = "SMK Error";
969 } else {
970 msg = SMK_M1;
971 msgtxt = "SMK M1";
972 }
973 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
974 msg = SMK_M3;
975 msgtxt = "SMK M3";
976 } else if (key_info & WPA_KEY_INFO_REQUEST) {
977 msg = REQUEST;
978 msgtxt = "Request";
979 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
980 msg = GROUP_2;
981 msgtxt = "2/2 Group";
3b5b7aa8
JM		 982 } else if (key_data_length == 0 ||
983 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
984 key_data_length == AES_BLOCK_SIZE)) {
6fc6879b
JM		 985 msg = PAIRWISE_4;
986 msgtxt = "4/4 Pairwise";
987 } else {
988 msg = PAIRWISE_2;
989 msgtxt = "2/4 Pairwise";
990 }
991
992 /* TODO: key_info type validation for PeerKey */
993 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
994 msg == GROUP_2) {
995 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
eb7719ff
JM		 996 if (sm->pairwise == WPA_CIPHER_CCMP ||
997 sm->pairwise == WPA_CIPHER_GCMP) {
6fc6879b 998 if (wpa_use_aes_cmac(sm) &&
a14896e8 999 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
929a2ea5 1000 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
b9866483 1001 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1002 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1003 wpa_auth_logger(wpa_auth, sm->addr,
1004 LOGGER_WARNING,
1005 "advertised support for "
1006 "AES-128-CMAC, but did not "
1007 "use it");
1008 return;
1009 }
1010
1011 if (!wpa_use_aes_cmac(sm) &&
2449791b 1012 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1013 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1014 wpa_auth_logger(wpa_auth, sm->addr,
1015 LOGGER_WARNING,
1016 "did not use HMAC-SHA1-AES "
eb7719ff 1017 "with CCMP/GCMP");
6fc6879b
JM		 1018 return;
1019 }
1020 }
929a2ea5 1021
2449791b
JM		 1022 if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1023 wpa_key_mgmt_fils(sm->wpa_key_mgmt)) &&
929a2ea5
JM		 1024 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1025 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1026 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1027 return;
1028 }
6fc6879b
JM		 1029 }
1030
1031 if (key_info & WPA_KEY_INFO_REQUEST) {
1032 if (sm->req_replay_counter_used &&
1033 os_memcmp(key->replay_counter, sm->req_replay_counter,
1034 WPA_REPLAY_COUNTER_LEN) <= 0) {
1035 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1036 "received EAPOL-Key request with "
1037 "replayed counter");
1038 return;
1039 }
1040 }
1041
1042 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
68921e24 1043 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
22a299ee 1044 int i;
68921e24
JM		 1045
1046 if (msg == PAIRWISE_2 &&
1047 wpa_replay_counter_valid(sm->prev_key_replay,
1048 key->replay_counter) &&
1049 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1050 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1051 {
1052 /*
1053 * Some supplicant implementations (e.g., Windows XP
1054 * WZC) update SNonce for each EAPOL-Key 2/4. This
1055 * breaks the workaround on accepting any of the
1056 * pending requests, so allow the SNonce to be updated
1057 * even if we have already sent out EAPOL-Key 3/4.
1058 */
1059 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1060 "Process SNonce update from STA "
1061 "based on retransmitted EAPOL-Key "
1062 "1/4");
1063 sm->update_snonce = 1;
f23c5b17
JM		 1064 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1065 sm->alt_snonce_valid = TRUE;
1066 os_memcpy(sm->alt_replay_counter,
1067 sm->key_replay[0].counter,
1068 WPA_REPLAY_COUNTER_LEN);
1069 goto continue_processing;
1070 }
1071
1072 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1073 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1074 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1075 WPA_REPLAY_COUNTER_LEN) == 0) {
1076 /*
1077 * Supplicant may still be using the old SNonce since
1078 * there was two EAPOL-Key 2/4 messages and they had
1079 * different SNonce values.
1080 */
1081 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1082 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
68921e24
JM		 1083 goto continue_processing;
1084 }
1085
1086 if (msg == PAIRWISE_2 &&
1087 wpa_replay_counter_valid(sm->prev_key_replay,
1088 key->replay_counter) &&
1089 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1090 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1091 "ignore retransmitted EAPOL-Key %s - "
1092 "SNonce did not change", msgtxt);
1093 } else {
1094 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1095 "received EAPOL-Key %s with "
1096 "unexpected replay counter", msgtxt);
1097 }
22a299ee
JM		 1098 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1099 if (!sm->key_replay[i].valid)
1100 break;
1101 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1102 sm->key_replay[i].counter,
1103 WPA_REPLAY_COUNTER_LEN);
1104 }
6fc6879b
JM		 1105 wpa_hexdump(MSG_DEBUG, "received replay counter",
1106 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1107 return;
1108 }
1109
68921e24 1110continue_processing:
3b5b7aa8
JM		 1111#ifdef CONFIG_FILS
1112 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1113 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1114 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1115 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1116 return;
1117 }
1118#endif /* CONFIG_FILS */
1119
6fc6879b
JM		 1120 switch (msg) {
1121 case PAIRWISE_2:
1122 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
68921e24
JM		 1123 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1124 (!sm->update_snonce ||
1125 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
6fc6879b
JM		 1126 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1127 "received EAPOL-Key msg 2/4 in "
1128 "invalid state (%d) - dropped",
1129 sm->wpa_ptk_state);
1130 return;
1131 }
bbb921da 1132 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
08704cd8
JM		 1133 if (sm->group->reject_4way_hs_for_entropy) {
1134 /*
1135 * The system did not have enough entropy to generate
1136 * strong random numbers. Reject the first 4-way
1137 * handshake(s) and collect some entropy based on the
1138 * information from it. Once enough entropy is
1139 * available, the next atempt will trigger GMK/Key
1140 * Counter update and the station will be allowed to
1141 * continue.
1142 */
1143 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1144 "collect more entropy for random number "
1145 "generation");
08704cd8 1146 random_mark_pool_ready();
08704cd8
JM		 1147 wpa_sta_disconnect(wpa_auth, sm->addr);
1148 return;
1149 }
6fc6879b
JM		 1150 break;
1151 case PAIRWISE_4:
1152 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1153 !sm->PTK_valid) {
1154 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1155 "received EAPOL-Key msg 4/4 in "
1156 "invalid state (%d) - dropped",
1157 sm->wpa_ptk_state);
1158 return;
1159 }
1160 break;
1161 case GROUP_2:
1162 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1163 || !sm->PTK_valid) {
1164 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1165 "received EAPOL-Key msg 2/2 in "
1166 "invalid state (%d) - dropped",
1167 sm->wpa_ptk_group_state);
1168 return;
1169 }
1170 break;
1171#ifdef CONFIG_PEERKEY
1172 case SMK_M1:
1173 case SMK_M3:
1174 case SMK_ERROR:
1175 if (!wpa_auth->conf.peerkey) {
1176 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1177 "PeerKey use disabled - ignoring message");
1178 return;
1179 }
1180 if (!sm->PTK_valid) {
1181 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1182 "received EAPOL-Key msg SMK in "
1183 "invalid state - dropped");
1184 return;
1185 }
1186 break;
1187#else /* CONFIG_PEERKEY */
1188 case SMK_M1:
1189 case SMK_M3:
1190 case SMK_ERROR:
1191 return; /* STSL disabled - ignore SMK messages */
1192#endif /* CONFIG_PEERKEY */
1193 case REQUEST:
1194 break;
1195 }
1196
1197 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1198 "received EAPOL-Key frame (%s)", msgtxt);
1199
1200 if (key_info & WPA_KEY_INFO_ACK) {
1201 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1202 "received invalid EAPOL-Key: Key Ack set");
1203 return;
1204 }
1205
b9866483
JM		 1206 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1207 !(key_info & WPA_KEY_INFO_MIC)) {
6fc6879b
JM		 1208 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1209 "received invalid EAPOL-Key: Key MIC not set");
1210 return;
1211 }
1212
b9866483
JM		 1213#ifdef CONFIG_FILS
1214 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1215 (key_info & WPA_KEY_INFO_MIC)) {
1216 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1217 "received invalid EAPOL-Key: Key MIC set");
1218 return;
1219 }
1220#endif /* CONFIG_FILS */
1221
6fc6879b 1222 sm->MICVerified = FALSE;
68921e24 1223 if (sm->PTK_valid && !sm->update_snonce) {
3b5b7aa8
JM		 1224 if (mic_len &&
1225 wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data,
f23c5b17
JM		 1226 data_len) &&
1227 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1228 wpa_try_alt_snonce(sm, data, data_len))) {
6fc6879b
JM		 1229 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1230 "received EAPOL-Key with invalid MIC");
1231 return;
1232 }
75c8563e
JM		 1233#ifdef CONFIG_FILS
1234 if (!mic_len &&
1235 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1236 &key_data_length) < 0) {
1237 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1238 "received EAPOL-Key with invalid MIC");
1239 return;
1240 }
1241#endif /* CONFIG_FILS */
6fc6879b
JM		 1242 sm->MICVerified = TRUE;
1243 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
e4bf4db9 1244 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1245 }
1246
1247 if (key_info & WPA_KEY_INFO_REQUEST) {
1248 if (sm->MICVerified) {
1249 sm->req_replay_counter_used = 1;
1250 os_memcpy(sm->req_replay_counter, key->replay_counter,
1251 WPA_REPLAY_COUNTER_LEN);
1252 } else {
1253 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1254 "received EAPOL-Key request with "
1255 "invalid MIC");
1256 return;
1257 }
1258
1259 /*
1260 * TODO: should decrypt key data field if encryption was used;
1261 * even though MAC address KDE is not normally encrypted,
1262 * supplicant is allowed to encrypt it.
1263 */
1264 if (msg == SMK_ERROR) {
1265#ifdef CONFIG_PEERKEY
5e3b5197 1266 wpa_smk_error(wpa_auth, sm, key_data, key_data_length);
6fc6879b
JM		 1267#endif /* CONFIG_PEERKEY */
1268 return;
1269 } else if (key_info & WPA_KEY_INFO_ERROR) {
c772d054
JM		 1270 if (wpa_receive_error_report(
1271 wpa_auth, sm,
1272 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1273 return; /* STA entry was removed */
6fc6879b
JM		 1274 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1275 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1276 "received EAPOL-Key Request for new "
1277 "4-Way Handshake");
1278 wpa_request_new_ptk(sm);
1279#ifdef CONFIG_PEERKEY
1280 } else if (msg == SMK_M1) {
5e3b5197 1281 wpa_smk_m1(wpa_auth, sm, key, key_data,
5c6787a6 1282 key_data_length);
6fc6879b
JM		 1283#endif /* CONFIG_PEERKEY */
1284 } else if (key_data_length > 0 &&
5e3b5197
JM		 1285 wpa_parse_kde_ies(key_data, key_data_length,
1286 &kde) == 0 &&
6fc6879b
JM		 1287 kde.mac_addr) {
1288 } else {
1289 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1290 "received EAPOL-Key Request for GTK "
1291 "rekeying");
6fc6879b
JM		 1292 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1293 wpa_rekey_gtk(wpa_auth, NULL);
1294 }
1295 } else {
68921e24
JM		 1296 /* Do not allow the same key replay counter to be reused. */
1297 wpa_replay_counter_mark_invalid(sm->key_replay,
1298 key->replay_counter);
1299
1300 if (msg == PAIRWISE_2) {
1301 /*
1302 * Maintain a copy of the pending EAPOL-Key frames in
1303 * case the EAPOL-Key frame was retransmitted. This is
1304 * needed to allow EAPOL-Key msg 2/4 reply to another
1305 * pending msg 1/4 to update the SNonce to work around
1306 * unexpected supplicant behavior.
1307 */
1308 os_memcpy(sm->prev_key_replay, sm->key_replay,
1309 sizeof(sm->key_replay));
1310 } else {
1311 os_memset(sm->prev_key_replay, 0,
1312 sizeof(sm->prev_key_replay));
1313 }
1314
1315 /*
1316 * Make sure old valid counters are not accepted anymore and
1317 * do not get copied again.
1318 */
1319 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
6fc6879b
JM		 1320 }
1321
1322#ifdef CONFIG_PEERKEY
1323 if (msg == SMK_M3) {
5e3b5197 1324 wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length);
6fc6879b
JM		 1325 return;
1326 }
1327#endif /* CONFIG_PEERKEY */
1328
1329 os_free(sm->last_rx_eapol_key);
1330 sm->last_rx_eapol_key = os_malloc(data_len);
1331 if (sm->last_rx_eapol_key == NULL)
1332 return;
1333 os_memcpy(sm->last_rx_eapol_key, data, data_len);
1334 sm->last_rx_eapol_key_len = data_len;
1335
0d442aff 1336 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
6fc6879b
JM		 1337 sm->EAPOLKeyReceived = TRUE;
1338 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1339 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1340 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1341 wpa_sm_step(sm);
1342}
1343
1344
3c7302c2
JM		 1345static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1346 const u8 *gnonce, u8 *gtk, size_t gtk_len)
6fc6879b 1347{
5cb9d5c3
JM		 1348 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1349 u8 *pos;
3c7302c2 1350 int ret = 0;
6fc6879b 1351
5cb9d5c3
JM		 1352 /* GTK = PRF-X(GMK, "Group key expansion",
1353 * AA || GNonce || Time || random data)
1354 * The example described in the IEEE 802.11 standard uses only AA and
1355 * GNonce as inputs here. Add some more entropy since this derivation
1356 * is done only at the Authenticator and as such, does not need to be
1357 * exactly same.
1358 */
6fc6879b
JM		 1359 os_memcpy(data, addr, ETH_ALEN);
1360 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
5cb9d5c3
JM		 1361 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1362 wpa_get_ntp_timestamp(pos);
1363 pos += 8;
3642c431 1364 if (random_get_bytes(pos, 16) < 0)
3c7302c2 1365 ret = -1;
6fc6879b 1366
56586197 1367#ifdef CONFIG_IEEE80211W
5cb9d5c3 1368 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
56586197 1369#else /* CONFIG_IEEE80211W */
3c7302c2
JM		 1370 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1371 < 0)
1372 ret = -1;
56586197 1373#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 1374
1375 return ret;
6fc6879b
JM		 1376}
1377
1378
1379static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1380{
1381 struct wpa_authenticator *wpa_auth = eloop_ctx;
1382 struct wpa_state_machine *sm = timeout_ctx;
1383
e4bf4db9 1384 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1385 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1386 sm->TimeoutEvt = TRUE;
1387 wpa_sm_step(sm);
1388}
1389
1390
1391void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1392 struct wpa_state_machine *sm, int key_info,
1393 const u8 *key_rsc, const u8 *nonce,
1394 const u8 *kde, size_t kde_len,
1395 int keyidx, int encr, int force_version)
1396{
1397 struct ieee802_1x_hdr *hdr;
1398 struct wpa_eapol_key *key;
5e3b5197 1399 size_t len, mic_len, keyhdrlen;
6fc6879b
JM		 1400 int alg;
1401 int key_data_len, pad_len = 0;
1402 u8 *buf, *pos;
1403 int version, pairwise;
22a299ee 1404 int i;
6d014ffc 1405 u8 *key_mic, *key_data;
6fc6879b 1406
5e3b5197 1407 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
6d014ffc 1408 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197
JM		 1409
1410 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
6fc6879b
JM		 1411
1412 if (force_version)
1413 version = force_version;
929a2ea5 1414 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
36a50fd4
JM		 1415 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1416 wpa_key_mgmt_fils(sm->wpa_key_mgmt))
a14896e8 1417 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
6fc6879b
JM		 1418 else if (wpa_use_aes_cmac(sm))
1419 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
eb7719ff 1420 else if (sm->pairwise != WPA_CIPHER_TKIP)
6fc6879b
JM		 1421 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1422 else
1423 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1424
8543ed8a 1425 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
6fc6879b
JM		 1426
1427 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1428 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1429 "encr=%d)",
1430 version,
1431 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1432 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1433 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1434 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1435 pairwise, (unsigned long) kde_len, keyidx, encr);
1436
1437 key_data_len = kde_len;
1438
1439 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
a14896e8 1440 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
929a2ea5 1441 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
6fc6879b
JM		 1442 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1443 pad_len = key_data_len % 8;
1444 if (pad_len)
1445 pad_len = 8 - pad_len;
1446 key_data_len += pad_len + 8;
1447 }
1448
1449 len += key_data_len;
b729fd8d
JM		 1450 if (!mic_len && encr)
1451 len += AES_BLOCK_SIZE;
6fc6879b
JM		 1452
1453 hdr = os_zalloc(len);
1454 if (hdr == NULL)
1455 return;
1456 hdr->version = wpa_auth->conf.eapol_version;
1457 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1458 hdr->length = host_to_be16(len - sizeof(*hdr));
1459 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1460 key_mic = (u8 *) (key + 1);
5e3b5197 1461 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
6fc6879b
JM		 1462
1463 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1464 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1465 key_info |= version;
1466 if (encr && sm->wpa == WPA_VERSION_WPA2)
1467 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1468 if (sm->wpa != WPA_VERSION_WPA2)
1469 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1470 WPA_PUT_BE16(key->key_info, key_info);
1471
1472 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
c3550295 1473 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
6fc6879b
JM		 1474 if (key_info & WPA_KEY_INFO_SMK_MESSAGE)
1475 WPA_PUT_BE16(key->key_length, 0);
1476
1477 /* FIX: STSL: what to use as key_replay_counter? */
22a299ee
JM		 1478 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1479 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1480 os_memcpy(sm->key_replay[i].counter,
1481 sm->key_replay[i - 1].counter,
1482 WPA_REPLAY_COUNTER_LEN);
1483 }
1484 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1485 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
6fc6879b 1486 WPA_REPLAY_COUNTER_LEN);
db099951
JM		 1487 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1488 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
22a299ee 1489 sm->key_replay[0].valid = TRUE;
6fc6879b
JM		 1490
1491 if (nonce)
1492 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1493
1494 if (key_rsc)
1495 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1496
1497 if (kde && !encr) {
5e3b5197 1498 os_memcpy(key_data, kde, kde_len);
6d014ffc 1499 WPA_PUT_BE16(key_mic + mic_len, kde_len);
b729fd8d
JM		 1500#ifdef CONFIG_FILS
1501 } else if (!mic_len) {
1502 const u8 *aad[1];
1503 size_t aad_len[1];
1504
1505 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1506 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1507 kde, kde_len);
1508
1509 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1510 sm->PTK.kek, sm->PTK.kek_len);
1511 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1512 * to Key Data (exclusive). */
1513 aad[0] = (u8 *) hdr;
1514 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1515 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1516 1, aad, aad_len, key_mic + 2) < 0) {
1517 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1518 return;
1519 }
1520
1521 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1522 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1523#endif /* CONFIG_FILS */
6fc6879b
JM		 1524 } else if (encr && kde) {
1525 buf = os_zalloc(key_data_len);
1526 if (buf == NULL) {
1527 os_free(hdr);
1528 return;
1529 }
1530 pos = buf;
1531 os_memcpy(pos, kde, kde_len);
1532 pos += kde_len;
1533
1534 if (pad_len)
1535 *pos++ = 0xdd;
1536
1537 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1538 buf, key_data_len);
1539 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
a14896e8 1540 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
929a2ea5 1541 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
6fc6879b 1542 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
98cd3d1c 1543 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
5e3b5197 1544 (key_data_len - 8) / 8, buf, key_data)) {
6fc6879b
JM		 1545 os_free(hdr);
1546 os_free(buf);
1547 return;
1548 }
6d014ffc 1549 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1550#ifndef CONFIG_NO_RC4
98cd3d1c 1551 } else if (sm->PTK.kek_len == 16) {
6fc6879b
JM		 1552 u8 ek[32];
1553 os_memcpy(key->key_iv,
1554 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1555 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1556 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1557 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
5e3b5197
JM		 1558 os_memcpy(key_data, buf, key_data_len);
1559 rc4_skip(ek, 32, 256, key_data, key_data_len);
6d014ffc 1560 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1561#endif /* CONFIG_NO_RC4 */
98cd3d1c
JM		 1562 } else {
1563 os_free(hdr);
1564 os_free(buf);
1565 return;
6fc6879b
JM		 1566 }
1567 os_free(buf);
1568 }
1569
1570 if (key_info & WPA_KEY_INFO_MIC) {
b729fd8d 1571 if (!sm->PTK_valid || !mic_len) {
6fc6879b
JM		 1572 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1573 "PTK not valid when sending EAPOL-Key "
1574 "frame");
1575 os_free(hdr);
1576 return;
1577 }
5e3b5197 1578
98cd3d1c
JM		 1579 wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1580 sm->wpa_key_mgmt, version,
5e3b5197 1581 (u8 *) hdr, len, key_mic);
7af092a0
JB		 1582#ifdef CONFIG_TESTING_OPTIONS
1583 if (!pairwise &&
06df2aa6 1584 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
7af092a0
JB		 1585 drand48() <
1586 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1587 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1588 "Corrupting group EAPOL-Key Key MIC");
5e3b5197 1589 key_mic[0]++;
7af092a0
JB		 1590 }
1591#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 1592 }
1593
1594 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1595 1);
1596 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1597 sm->pairwise_set);
1598 os_free(hdr);
1599}
1600
1601
1602static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1603 struct wpa_state_machine *sm, int key_info,
1604 const u8 *key_rsc, const u8 *nonce,
1605 const u8 *kde, size_t kde_len,
1606 int keyidx, int encr)
1607{
1608 int timeout_ms;
1609 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
bae61562 1610 int ctr;
6fc6879b
JM		 1611
1612 if (sm == NULL)
1613 return;
1614
1615 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1616 keyidx, encr, 0);
1617
bae61562 1618 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
e4bf4db9 1619 if (ctr == 1 && wpa_auth->conf.tx_status)
00338a4f
JM		 1620 timeout_ms = pairwise ? eapol_key_timeout_first :
1621 eapol_key_timeout_first_group;
bae61562
JM		 1622 else
1623 timeout_ms = eapol_key_timeout_subseq;
e4bf4db9
JM		 1624 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1625 sm->pending_1_of_4_timeout = 1;
1626 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
1627 "counter %d)", timeout_ms, ctr);
6fc6879b
JM		 1628 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1629 wpa_send_eapol_timeout, wpa_auth, sm);
1630}
1631
1632
929a2ea5
JM		 1633static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
1634 size_t data_len)
6fc6879b
JM		 1635{
1636 struct ieee802_1x_hdr *hdr;
1637 struct wpa_eapol_key *key;
1638 u16 key_info;
1639 int ret = 0;
6d014ffc 1640 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
5e3b5197 1641 size_t mic_len = wpa_mic_len(akmp);
6fc6879b
JM		 1642
1643 if (data_len < sizeof(*hdr) + sizeof(*key))
1644 return -1;
1645
1646 hdr = (struct ieee802_1x_hdr *) data;
1647 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1648 mic_pos = (u8 *) (key + 1);
6fc6879b 1649 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 1650 os_memcpy(mic, mic_pos, mic_len);
1651 os_memset(mic_pos, 0, mic_len);
98cd3d1c
JM		 1652 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1653 key_info & WPA_KEY_INFO_TYPE_MASK,
6d014ffc
JM		 1654 data, data_len, mic_pos) ||
1655 os_memcmp_const(mic, mic_pos, mic_len) != 0)
6fc6879b 1656 ret = -1;
6d014ffc 1657 os_memcpy(mic_pos, mic, mic_len);
6fc6879b
JM		 1658 return ret;
1659}
1660
1661
1662void wpa_remove_ptk(struct wpa_state_machine *sm)
1663{
1664 sm->PTK_valid = FALSE;
1665 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
26083221 1666 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0);
6fc6879b 1667 sm->pairwise_set = FALSE;
581a8cde 1668 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 1669}
1670
1671
bb119228 1672int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
6fc6879b 1673{
5d22a1d5
JM		 1674 int remove_ptk = 1;
1675
6fc6879b 1676 if (sm == NULL)
6f9b5d16 1677 return -1;
6fc6879b
JM		 1678
1679 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1680 "event %d notification", event);
1681
1682 switch (event) {
1683 case WPA_AUTH:
c50d94f1
BC		 1684#ifdef CONFIG_MESH
1685 /* PTKs are derived through AMPE */
1686 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1687 /* not mesh */
1688 break;
1689 }
1690 return 0;
1691#endif /* CONFIG_MESH */
6fc6879b
JM		 1692 case WPA_ASSOC:
1693 break;
1694 case WPA_DEAUTH:
1695 case WPA_DISASSOC:
1696 sm->DeauthenticationRequest = TRUE;
1697 break;
1698 case WPA_REAUTH:
1699 case WPA_REAUTH_EAPOL:
3ab72b62
JM		 1700 if (!sm->started) {
1701 /*
1702 * When using WPS, we may end up here if the STA
1703 * manages to re-associate without the previous STA
1704 * entry getting removed. Consequently, we need to make
1705 * sure that the WPA state machines gets initialized
1706 * properly at this point.
1707 */
1708 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1709 "started - initialize now");
1710 sm->started = 1;
1711 sm->Init = TRUE;
1712 if (wpa_sm_step(sm) == 1)
1713 return 1; /* should not really happen */
1714 sm->Init = FALSE;
1715 sm->AuthenticationRequest = TRUE;
1716 break;
1717 }
9663596f
JM		 1718 if (sm->GUpdateStationKeys) {
1719 /*
1720 * Reauthentication cancels the pending group key
1721 * update for this STA.
1722 */
1723 sm->group->GKeyDoneStations--;
1724 sm->GUpdateStationKeys = FALSE;
1725 sm->PtkGroupInit = TRUE;
1726 }
6fc6879b
JM		 1727 sm->ReAuthenticationRequest = TRUE;
1728 break;
1729 case WPA_ASSOC_FT:
1730#ifdef CONFIG_IEEE80211R
81a658d7
JM		 1731 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1732 "after association");
1733 wpa_ft_install_ptk(sm);
1734
6fc6879b
JM		 1735 /* Using FT protocol, not WPA auth state machine */
1736 sm->ft_completed = 1;
6f9b5d16 1737 return 0;
6fc6879b
JM		 1738#else /* CONFIG_IEEE80211R */
1739 break;
1740#endif /* CONFIG_IEEE80211R */
1741 }
1742
1743#ifdef CONFIG_IEEE80211R
1744 sm->ft_completed = 0;
1745#endif /* CONFIG_IEEE80211R */
1746
5d22a1d5
JM		 1747#ifdef CONFIG_IEEE80211W
1748 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1749 remove_ptk = 0;
1750#endif /* CONFIG_IEEE80211W */
78815f3d
JM		 1751#ifdef CONFIG_FILS
1752 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && event == WPA_AUTH)
1753 remove_ptk = 0;
1754#endif /* CONFIG_FILS */
6fc6879b 1755
5d22a1d5
JM		 1756 if (remove_ptk) {
1757 sm->PTK_valid = FALSE;
1758 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1759
1760 if (event != WPA_REAUTH_EAPOL)
1761 wpa_remove_ptk(sm);
1762 }
6fc6879b 1763
43f49c37
JM		 1764 if (sm->in_step_loop) {
1765 /*
1766 * wpa_sm_step() is already running - avoid recursive call to
1767 * it by making the existing loop process the new update.
1768 */
1769 sm->changed = TRUE;
1770 return 0;
1771 }
6f9b5d16 1772 return wpa_sm_step(sm);
6fc6879b
JM		 1773}
1774
1775
6fc6879b
JM		 1776SM_STATE(WPA_PTK, INITIALIZE)
1777{
1778 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1779 if (sm->Init) {
1780 /* Init flag is not cleared here, so avoid busy
1781 * loop by claiming nothing changed. */
1782 sm->changed = FALSE;
1783 }
1784
1785 sm->keycount = 0;
1786 if (sm->GUpdateStationKeys)
1787 sm->group->GKeyDoneStations--;
1788 sm->GUpdateStationKeys = FALSE;
1789 if (sm->wpa == WPA_VERSION_WPA)
1790 sm->PInitAKeys = FALSE;
1791 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1792 * Local AA > Remote AA)) */) {
1793 sm->Pair = TRUE;
1794 }
1795 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1796 wpa_remove_ptk(sm);
1797 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1798 sm->TimeoutCtr = 0;
56586197 1799 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 1800 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1801 WPA_EAPOL_authorized, 0);
1802 }
1803}
1804
1805
1806SM_STATE(WPA_PTK, DISCONNECT)
1807{
1808 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1809 sm->Disconnect = FALSE;
1810 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1811}
1812
1813
1814SM_STATE(WPA_PTK, DISCONNECTED)
1815{
1816 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1817 sm->DeauthenticationRequest = FALSE;
1818}
1819
1820
1821SM_STATE(WPA_PTK, AUTHENTICATION)
1822{
1823 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1824 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1825 sm->PTK_valid = FALSE;
1826 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1827 1);
1828 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1829 sm->AuthenticationRequest = FALSE;
1830}
1831
1832
40d00d2b
NC		 1833static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1834 struct wpa_group *group)
1bdb7ab3 1835{
40d00d2b
NC		 1836 if (group->first_sta_seen)
1837 return;
1bdb7ab3
JM		 1838 /*
1839 * System has run bit further than at the time hostapd was started
1840 * potentially very early during boot up. This provides better chances
1841 * of collecting more randomness on embedded systems. Re-initialize the
1842 * GMK and Counter here to improve their strength if there was not
1843 * enough entropy available immediately after system startup.
1844 */
1845 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1846 "station");
08704cd8
JM		 1847 if (random_pool_ready() != 1) {
1848 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1849 "to proceed - reject first 4-way handshake");
1850 group->reject_4way_hs_for_entropy = TRUE;
40d00d2b
NC		 1851 } else {
1852 group->first_sta_seen = TRUE;
1853 group->reject_4way_hs_for_entropy = FALSE;
08704cd8 1854 }
40d00d2b 1855
aac1efec
JM		 1856 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1857 wpa_gtk_update(wpa_auth, group) < 0 ||
1858 wpa_group_config_group_keys(wpa_auth, group) < 0) {
1859 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1860 group->first_sta_seen = FALSE;
1861 group->reject_4way_hs_for_entropy = TRUE;
1862 }
1bdb7ab3
JM		 1863}
1864
1865
6fc6879b
JM		 1866SM_STATE(WPA_PTK, AUTHENTICATION2)
1867{
1868 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1bdb7ab3 1869
40d00d2b 1870 wpa_group_ensure_init(sm->wpa_auth, sm->group);
65a32cdb 1871 sm->ReAuthenticationRequest = FALSE;
1bdb7ab3 1872
3825a19b
JM		 1873 /*
1874 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1875 * ambiguous. The Authenticator state machine uses a counter that is
1876 * incremented by one for each 4-way handshake. However, the security
1877 * analysis of 4-way handshake points out that unpredictable nonces
1878 * help in preventing precomputation attacks. Instead of the state
1879 * machine definition, use an unpredictable nonce value here to provide
1880 * stronger protection against potential precomputation attacks.
1881 */
1882 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1883 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1884 "ANonce.");
65a32cdb 1885 sm->Disconnect = TRUE;
3825a19b
JM		 1886 return;
1887 }
bc8318ac
JM		 1888 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1889 WPA_NONCE_LEN);
6fc6879b
JM		 1890 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1891 * logical place than INITIALIZE since AUTHENTICATION2 can be
1892 * re-entered on ReAuthenticationRequest without going through
1893 * INITIALIZE. */
1894 sm->TimeoutCtr = 0;
1895}
1896
1897
1898SM_STATE(WPA_PTK, INITPMK)
1899{
1900 u8 msk[2 * PMK_LEN];
1901 size_t len = 2 * PMK_LEN;
1902
1903 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
1904#ifdef CONFIG_IEEE80211R
1905 sm->xxkey_len = 0;
1906#endif /* CONFIG_IEEE80211R */
1907 if (sm->pmksa) {
1908 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
207976f0
JM		 1909 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1910 sm->pmk_len = sm->pmksa->pmk_len;
6fc6879b 1911 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
207976f0
JM		 1912 unsigned int pmk_len;
1913
1914 if (sm->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
1915 pmk_len = PMK_LEN_SUITE_B_192;
1916 else
1917 pmk_len = PMK_LEN;
6fc6879b 1918 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
207976f0
JM		 1919 "(MSK len=%lu PMK len=%u)", (unsigned long) len,
1920 pmk_len);
1921 if (len < pmk_len) {
1922 wpa_printf(MSG_DEBUG,
1923 "WPA: MSK not long enough (%u) to create PMK (%u)",
1924 (unsigned int) len, (unsigned int) pmk_len);
1925 sm->Disconnect = TRUE;
1926 return;
1927 }
1928 os_memcpy(sm->PMK, msk, pmk_len);
1929 sm->pmk_len = pmk_len;
6fc6879b
JM		 1930#ifdef CONFIG_IEEE80211R
1931 if (len >= 2 * PMK_LEN) {
1932 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1933 sm->xxkey_len = PMK_LEN;
1934 }
1935#endif /* CONFIG_IEEE80211R */
1936 } else {
400de9b1
BG		 1937 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
1938 sm->wpa_auth->cb.get_msk);
1180dd66
JM		 1939 sm->Disconnect = TRUE;
1940 return;
6fc6879b 1941 }
40aaa64f 1942 os_memset(msk, 0, sizeof(msk));
6fc6879b
JM		 1943
1944 sm->req_replay_counter_used = 0;
1945 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
1946 * will break reauthentication since EAPOL state machines may not be
1947 * get into AUTHENTICATING state that clears keyRun before WPA state
1948 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
1949 * state and takes PMK from the previously used AAA Key. This will
1950 * eventually fail in 4-Way Handshake because Supplicant uses PMK
1951 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
1952 * be good workaround for this issue. */
1953 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
1954}
1955
1956
1957SM_STATE(WPA_PTK, INITPSK)
1958{
1959 const u8 *psk;
1960 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
759fd76b 1961 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL);
6fc6879b
JM		 1962 if (psk) {
1963 os_memcpy(sm->PMK, psk, PMK_LEN);
207976f0 1964 sm->pmk_len = PMK_LEN;
6fc6879b
JM		 1965#ifdef CONFIG_IEEE80211R
1966 os_memcpy(sm->xxkey, psk, PMK_LEN);
1967 sm->xxkey_len = PMK_LEN;
1968#endif /* CONFIG_IEEE80211R */
1969 }
1970 sm->req_replay_counter_used = 0;
1971}
1972
1973
1974SM_STATE(WPA_PTK, PTKSTART)
1975{
1976 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
1977 size_t pmkid_len = 0;
1978
1979 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
1980 sm->PTKRequest = FALSE;
1981 sm->TimeoutEvt = FALSE;
f23c5b17 1982 sm->alt_snonce_valid = FALSE;
bae61562
JM		 1983
1984 sm->TimeoutCtr++;
1985 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
1986 /* No point in sending the EAPOL-Key - we will disconnect
1987 * immediately following this. */
1988 return;
1989 }
1990
6fc6879b
JM		 1991 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1992 "sending 1/4 msg of 4-Way Handshake");
1993 /*
1994 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
1995 * one possible PSK for this STA.
1996 */
1997 if (sm->wpa == WPA_VERSION_WPA2 &&
a14896e8
JM		 1998 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
1999 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
6fc6879b
JM		 2000 pmkid = buf;
2001 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2002 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2003 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2004 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
929a2ea5 2005 if (sm->pmksa) {
6fc6879b
JM		 2006 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2007 sm->pmksa->pmkid, PMKID_LEN);
929a2ea5
JM		 2008 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2009 /* No KCK available to derive PMKID */
2010 pmkid = NULL;
2011 } else {
6fc6879b
JM		 2012 /*
2013 * Calculate PMKID since no PMKSA cache entry was
2014 * available with pre-calculated PMKID.
2015 */
207976f0 2016 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
56586197
JM		 2017 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
2018 wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
6fc6879b
JM		 2019 }
2020 }
2021 wpa_send_eapol(sm->wpa_auth, sm,
2022 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2023 sm->ANonce, pmkid, pmkid_len, 0, 0);
6fc6879b
JM		 2024}
2025
2026
f23c5b17 2027static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 2028 const u8 *pmk, unsigned int pmk_len,
2029 struct wpa_ptk *ptk)
6fc6879b
JM		 2030{
2031#ifdef CONFIG_IEEE80211R
56586197 2032 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
98cd3d1c 2033 return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
6fc6879b
JM		 2034#endif /* CONFIG_IEEE80211R */
2035
207976f0 2036 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
98cd3d1c
JM		 2037 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
2038 ptk, sm->wpa_key_mgmt, sm->pairwise);
6fc6879b
JM		 2039}
2040
2041
3b5b7aa8 2042#ifdef CONFIG_FILS
c4fd6d8a
JM		 2043
2044int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
2045 size_t pmk_len, const u8 *snonce, const u8 *anonce)
2046{
2047 u8 ick[FILS_ICK_MAX_LEN];
2048 size_t ick_len;
2049 int res;
2050
2051 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
2052 snonce, anonce, &sm->PTK, ick, &ick_len,
2053 sm->wpa_key_mgmt, sm->pairwise);
2054 if (res < 0)
2055 return res;
2056 sm->PTK_valid = TRUE;
2057
2058 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2059 sm->addr, sm->wpa_auth->addr,
2060 NULL, 0, NULL, 0, /* TODO: SK+PFS */
2061 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2062 sm->fils_key_auth_ap,
2063 &sm->fils_key_auth_len);
2064 os_memset(ick, 0, sizeof(ick));
78815f3d
JM		 2065
2066 /* Store nonces for (Re)Association Request/Response frame processing */
2067 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2068 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2069
c4fd6d8a
JM		 2070 return res;
2071}
2072
2073
3b5b7aa8 2074static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
75c8563e 2075 u8 *buf, size_t buf_len, u16 *_key_data_len)
3b5b7aa8
JM		 2076{
2077 struct ieee802_1x_hdr *hdr;
2078 struct wpa_eapol_key *key;
2079 u8 *pos;
2080 u16 key_data_len;
2081 u8 *tmp;
2082 const u8 *aad[1];
2083 size_t aad_len[1];
2084
75c8563e 2085 hdr = (struct ieee802_1x_hdr *) buf;
3b5b7aa8
JM		 2086 key = (struct wpa_eapol_key *) (hdr + 1);
2087 pos = (u8 *) (key + 1);
2088 key_data_len = WPA_GET_BE16(pos);
2089 if (key_data_len < AES_BLOCK_SIZE ||
2090 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2091 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2092 "No room for AES-SIV data in the frame");
2093 return -1;
2094 }
2095 pos += 2; /* Pointing at the Encrypted Key Data field */
2096
2097 tmp = os_malloc(key_data_len);
2098 if (!tmp)
2099 return -1;
2100
2101 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2102 * to Key Data (exclusive). */
75c8563e
JM		 2103 aad[0] = buf;
2104 aad_len[0] = pos - buf;
3b5b7aa8
JM		 2105 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2106 1, aad, aad_len, tmp) < 0) {
2107 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2108 "Invalid AES-SIV data in the frame");
2109 bin_clear_free(tmp, key_data_len);
2110 return -1;
2111 }
2112
2113 /* AEAD decryption and validation completed successfully */
2114 key_data_len -= AES_BLOCK_SIZE;
2115 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2116 tmp, key_data_len);
2117
2118 /* Replace Key Data field with the decrypted version */
2119 os_memcpy(pos, tmp, key_data_len);
2120 pos -= 2; /* Key Data Length field */
2121 WPA_PUT_BE16(pos, key_data_len);
2122 bin_clear_free(tmp, key_data_len);
2123 if (_key_data_len)
2124 *_key_data_len = key_data_len;
2125 return 0;
2126}
78815f3d
JM		 2127
2128
2129int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2130 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2131 u8 *pos, size_t left)
2132{
2133 u16 fc, stype;
2134 const u8 *end, *ie_start, *ie, *session, *crypt;
2135 struct ieee802_11_elems elems;
2136 const u8 *aad[5];
2137 size_t aad_len[5];
2138
2139 if (!sm || !sm->PTK_valid) {
2140 wpa_printf(MSG_DEBUG,
2141 "FILS: No KEK to decrypt Assocication Request frame");
2142 return -1;
2143 }
2144
2145 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2146 wpa_printf(MSG_DEBUG,
2147 "FILS: Not a FILS AKM - reject association");
2148 return -1;
2149 }
2150
2151 end = ((const u8 *) mgmt) + frame_len;
2152 fc = le_to_host16(mgmt->frame_control);
2153 stype = WLAN_FC_GET_STYPE(fc);
2154 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2155 ie_start = mgmt->u.reassoc_req.variable;
2156 else
2157 ie_start = mgmt->u.assoc_req.variable;
2158 ie = ie_start;
2159
2160 /*
2161 * Find FILS Session element which is the last unencrypted element in
2162 * the frame.
2163 */
2164 session = NULL;
2165 while (ie + 1 < end) {
2166 if (ie + 2 + ie[1] > end)
2167 break;
2168 if (ie[0] == WLAN_EID_EXTENSION &&
2169 ie[1] >= 1 + FILS_SESSION_LEN &&
2170 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2171 session = ie;
2172 break;
2173 }
2174 ie += 2 + ie[1];
2175 }
2176
2177 if (!session) {
2178 wpa_printf(MSG_DEBUG,
2179 "FILS: Could not find FILS Session element in Association Request frame - reject");
2180 return -1;
2181 }
2182 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2183 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2184 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2185 fils_session, FILS_SESSION_LEN);
2186 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2187 session + 3, FILS_SESSION_LEN);
2188 return -1;
2189 }
2190 crypt = session + 2 + session[1];
2191
2192 if (end - crypt < AES_BLOCK_SIZE) {
2193 wpa_printf(MSG_DEBUG,
2194 "FILS: Too short frame to include AES-SIV data");
2195 return -1;
2196 }
2197
2198 /* AES-SIV AAD vectors */
2199
2200 /* The STA's MAC address */
2201 aad[0] = mgmt->sa;
2202 aad_len[0] = ETH_ALEN;
2203 /* The AP's BSSID */
2204 aad[1] = mgmt->da;
2205 aad_len[1] = ETH_ALEN;
2206 /* The STA's nonce */
2207 aad[2] = sm->SNonce;
2208 aad_len[2] = FILS_NONCE_LEN;
2209 /* The AP's nonce */
2210 aad[3] = sm->ANonce;
2211 aad_len[3] = FILS_NONCE_LEN;
2212 /*
2213 * The (Re)Association Request frame from the Capability Information
2214 * field to the FILS Session element (both inclusive).
2215 */
2216 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
2217 aad_len[4] = crypt - aad[0];
2218
2219 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
2220 1, aad, aad_len, pos + (crypt - ie_start)) < 0) {
2221 wpa_printf(MSG_DEBUG,
2222 "FILS: Invalid AES-SIV data in the frame");
2223 return -1;
2224 }
2225 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2226 pos, left - AES_BLOCK_SIZE);
2227
2228 if (ieee802_11_parse_elems(pos, left - AES_BLOCK_SIZE, &elems, 1) ==
2229 ParseFailed) {
2230 wpa_printf(MSG_DEBUG,
2231 "FILS: Failed to parse decrypted elements");
2232 return -1;
2233 }
2234 if (!elems.fils_key_confirm) {
2235 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2236 return -1;
2237 }
2238 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2239 wpa_printf(MSG_DEBUG,
2240 "FILS: Unexpected Key-Auth length %d (expected %d)",
2241 elems.fils_key_confirm_len,
2242 (int) sm->fils_key_auth_len);
2243 return -1;
2244 }
2245 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2246 sm->fils_key_auth_len) != 0) {
2247 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2248 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2249 elems.fils_key_confirm,
2250 elems.fils_key_confirm_len);
2251 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2252 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2253 return -1;
2254 }
2255
2256 return left - AES_BLOCK_SIZE;
2257}
2258
e73ffa09
JM		 2259
2260int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
2261 size_t current_len, size_t max_len)
2262{
2263 u8 *end = buf + max_len;
2264 u8 *pos = buf + current_len;
2265 struct ieee80211_mgmt *mgmt;
2266 struct wpabuf *plain;
2267 u8 *len, *tmp, *tmp2;
2268 u8 hdr[2];
2269 u8 *gtk, dummy_gtk[32];
2270 size_t gtk_len;
2271 struct wpa_group *gsm;
2272 const u8 *aad[5];
2273 size_t aad_len[5];
2274
2275 if (!sm || !sm->PTK_valid)
2276 return -1;
2277
2278 wpa_hexdump(MSG_DEBUG,
2279 "FILS: Association Response frame before FILS processing",
2280 buf, current_len);
2281
2282 mgmt = (struct ieee80211_mgmt *) buf;
2283
2284 /* AES-SIV AAD vectors */
2285
2286 /* The AP's BSSID */
2287 aad[0] = mgmt->sa;
2288 aad_len[0] = ETH_ALEN;
2289 /* The STA's MAC address */
2290 aad[1] = mgmt->da;
2291 aad_len[1] = ETH_ALEN;
2292 /* The AP's nonce */
2293 aad[2] = sm->ANonce;
2294 aad_len[2] = FILS_NONCE_LEN;
2295 /* The STA's nonce */
2296 aad[3] = sm->SNonce;
2297 aad_len[3] = FILS_NONCE_LEN;
2298 /*
2299 * The (Re)Association Response frame from the Capability Information
2300 * field (the same offset in both Association and Reassociation
2301 * Response frames) to the FILS Session element (both inclusive).
2302 */
2303 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2304 aad_len[4] = pos - aad[4];
2305
2306 /* The following elements will be encrypted with AES-SIV */
2307
2308 plain = wpabuf_alloc(1000);
2309 if (!plain)
2310 return -1;
2311
2312 /* TODO: FILS Public Key */
2313
2314 /* FILS Key Confirmation */
2315 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2316 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2317 /* Element ID Extension */
2318 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2319 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2320
2321 /* TODO: FILS HLP Container */
2322
2323 /* TODO: FILS IP Address Assignment */
2324
2325 /* Key Delivery */
2326 gsm = sm->group;
2327 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2328 len = wpabuf_put(plain, 1);
2329 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2330 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2331 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2332 /* GTK KDE */
2333 gtk = gsm->GTK[gsm->GN - 1];
2334 gtk_len = gsm->GTK_len;
2335 if (sm->wpa_auth->conf.disable_gtk) {
2336 /*
2337 * Provide unique random GTK to each STA to prevent use
2338 * of GTK in the BSS.
2339 */
2340 if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
2341 wpabuf_free(plain);
2342 return -1;
2343 }
2344 gtk = dummy_gtk;
2345 }
2346 hdr[0] = gsm->GN & 0x03;
2347 hdr[1] = 0;
2348 tmp = wpabuf_put(plain, 0);
2349 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2350 gtk, gtk_len);
2351 wpabuf_put(plain, tmp2 - tmp);
2352
2353 /* IGTK KDE */
2354 tmp = wpabuf_put(plain, 0);
2355 tmp2 = ieee80211w_kde_add(sm, tmp);
2356 wpabuf_put(plain, tmp2 - tmp);
2357
2358 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
2359
2360 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2361 wpa_printf(MSG_DEBUG,
2362 "FILS: Not enough room for FILS elements");
2363 wpabuf_free(plain);
2364 return -1;
2365 }
2366
2367 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2368 plain);
2369
2370 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2371 wpabuf_head(plain), wpabuf_len(plain),
2372 5, aad, aad_len, pos) < 0) {
2373 wpabuf_free(plain);
2374 return -1;
2375 }
2376
2377 wpa_hexdump(MSG_DEBUG,
2378 "FILS: Encrypted Association Response elements",
2379 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2380 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2381 wpabuf_free(plain);
2382
2383 return current_len;
2384}
2385
3b5b7aa8
JM		 2386#endif /* CONFIG_FILS */
2387
2388
6fc6879b
JM		 2389SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2390{
3b5b7aa8 2391 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
6fc6879b 2392 struct wpa_ptk PTK;
2c502460 2393 int ok = 0, psk_found = 0;
6fc6879b 2394 const u8 *pmk = NULL;
207976f0 2395 unsigned int pmk_len;
3b5b7aa8
JM		 2396 int ft;
2397 const u8 *eapol_key_ie, *key_data, *mic;
2398 u16 key_data_length;
2399 size_t mic_len, eapol_key_ie_len;
2400 struct ieee802_1x_hdr *hdr;
2401 struct wpa_eapol_key *key;
2402 struct wpa_eapol_ie_parse kde;
6fc6879b
JM		 2403
2404 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2405 sm->EAPOLKeyReceived = FALSE;
68921e24 2406 sm->update_snonce = FALSE;
b729fd8d 2407 os_memset(&PTK, 0, sizeof(PTK));
6fc6879b 2408
3b5b7aa8
JM		 2409 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
2410
6fc6879b
JM		 2411 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2412 * WPA-PSK: iterate through possible PSKs and select the one matching
2413 * the packet */
2414 for (;;) {
56586197 2415 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
759fd76b
JM		 2416 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
2417 sm->p2p_dev_addr, pmk);
6fc6879b
JM		 2418 if (pmk == NULL)
2419 break;
2c502460 2420 psk_found = 1;
207976f0
JM		 2421 pmk_len = PMK_LEN;
2422 } else {
6fc6879b 2423 pmk = sm->PMK;
207976f0
JM		 2424 pmk_len = sm->pmk_len;
2425 }
6fc6879b 2426
207976f0 2427 wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK);
6fc6879b 2428
3b5b7aa8
JM		 2429 if (mic_len &&
2430 wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK,
929a2ea5 2431 sm->last_rx_eapol_key,
6fc6879b
JM		 2432 sm->last_rx_eapol_key_len) == 0) {
2433 ok = 1;
2434 break;
2435 }
2436
3b5b7aa8 2437#ifdef CONFIG_FILS
75c8563e
JM		 2438 if (!mic_len &&
2439 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2440 sm->last_rx_eapol_key_len, NULL) == 0) {
3b5b7aa8
JM		 2441 ok = 1;
2442 break;
2443 }
2444#endif /* CONFIG_FILS */
2445
56586197 2446 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
6fc6879b
JM		 2447 break;
2448 }
2449
2450 if (!ok) {
2451 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2452 "invalid MIC in msg 2/4 of 4-Way Handshake");
2c502460
JM		 2453 if (psk_found)
2454 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
6fc6879b
JM		 2455 return;
2456 }
2457
3b5b7aa8
JM		 2458 /*
2459 * Note: last_rx_eapol_key length fields have already been validated in
2460 * wpa_receive().
2461 */
2462 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2463 key = (struct wpa_eapol_key *) (hdr + 1);
2464 mic = (u8 *) (key + 1);
2465 key_data = mic + mic_len + 2;
2466 key_data_length = WPA_GET_BE16(mic + mic_len);
2467 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2468 sizeof(*key) - mic_len - 2)
2469 return;
2470
2471 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2472 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2473 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2474 return;
2475 }
2476 if (kde.rsn_ie) {
2477 eapol_key_ie = kde.rsn_ie;
2478 eapol_key_ie_len = kde.rsn_ie_len;
2479 } else if (kde.osen) {
2480 eapol_key_ie = kde.osen;
2481 eapol_key_ie_len = kde.osen_len;
2482 } else {
2483 eapol_key_ie = kde.wpa_ie;
2484 eapol_key_ie_len = kde.wpa_ie_len;
2485 }
2486 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2487 if (sm->wpa_ie == NULL ||
2488 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2489 eapol_key_ie, eapol_key_ie_len)) {
2490 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2491 "WPA IE from (Re)AssocReq did not match with msg 2/4");
2492 if (sm->wpa_ie) {
2493 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2494 sm->wpa_ie, sm->wpa_ie_len);
2495 }
2496 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2497 eapol_key_ie, eapol_key_ie_len);
2498 /* MLME-DEAUTHENTICATE.request */
2499 wpa_sta_disconnect(wpa_auth, sm->addr);
2500 return;
2501 }
2502#ifdef CONFIG_IEEE80211R
2503 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
2504 wpa_sta_disconnect(wpa_auth, sm->addr);
2505 return;
2506 }
2507#endif /* CONFIG_IEEE80211R */
2508#ifdef CONFIG_P2P
2509 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
2510 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
2511 int idx;
2512 wpa_printf(MSG_DEBUG,
2513 "P2P: IP address requested in EAPOL-Key exchange");
2514 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
2515 if (idx >= 0) {
2516 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
2517 bitfield_set(wpa_auth->ip_pool, idx);
2518 WPA_PUT_BE32(sm->ip_addr, start + idx);
2519 wpa_printf(MSG_DEBUG,
2520 "P2P: Assigned IP address %u.%u.%u.%u to "
2521 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
2522 sm->ip_addr[2], sm->ip_addr[3],
2523 MAC2STR(sm->addr));
2524 }
2525 }
2526#endif /* CONFIG_P2P */
2527
26e23750
JM		 2528#ifdef CONFIG_IEEE80211R
2529 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2530 /*
2531 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2532 * with the value we derived.
2533 */
870834a1
JM		 2534 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2535 WPA_PMK_NAME_LEN) != 0) {
26e23750
JM		 2536 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2537 "PMKR1Name mismatch in FT 4-way "
2538 "handshake");
2539 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2540 "Supplicant",
2541 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2542 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2543 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2544 return;
2545 }
2546 }
2547#endif /* CONFIG_IEEE80211R */
2548
e4bf4db9 2549 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 2550 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2551
56586197 2552 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 2553 /* PSK may have changed from the previous choice, so update
2554 * state machine data based on whatever PSK was selected here.
2555 */
2556 os_memcpy(sm->PMK, pmk, PMK_LEN);
207976f0 2557 sm->pmk_len = PMK_LEN;
6fc6879b
JM		 2558 }
2559
2560 sm->MICVerified = TRUE;
2561
2562 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
2563 sm->PTK_valid = TRUE;
2564}
2565
2566
2567SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
2568{
2569 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
2570 sm->TimeoutCtr = 0;
2571}
2572
2573
2574#ifdef CONFIG_IEEE80211W
2575
2576static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2577{
2578 if (sm->mgmt_frame_prot) {
8dd9f9cd
JM		 2579 size_t len;
2580 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2581 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
6fc6879b
JM		 2582 }
2583
2584 return 0;
2585}
2586
2587
2588static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2589{
2590 struct wpa_igtk_kde igtk;
2591 struct wpa_group *gsm = sm->group;
03610ad2 2592 u8 rsc[WPA_KEY_RSC_LEN];
8dd9f9cd 2593 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
6fc6879b
JM		 2594
2595 if (!sm->mgmt_frame_prot)
2596 return pos;
2597
2598 igtk.keyid[0] = gsm->GN_igtk;
2599 igtk.keyid[1] = 0;
7b1080da 2600 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
03610ad2 2601 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
6fc6879b 2602 os_memset(igtk.pn, 0, sizeof(igtk.pn));
03610ad2
JM		 2603 else
2604 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
8dd9f9cd 2605 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
83421850
JM		 2606 if (sm->wpa_auth->conf.disable_gtk) {
2607 /*
2608 * Provide unique random IGTK to each STA to prevent use of
2609 * IGTK in the BSS.
2610 */
8dd9f9cd 2611 if (random_get_bytes(igtk.igtk, len) < 0)
83421850
JM		 2612 return pos;
2613 }
6fc6879b 2614 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
8dd9f9cd
JM		 2615 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
2616 NULL, 0);
6fc6879b
JM		 2617
2618 return pos;
2619}
2620
2621#else /* CONFIG_IEEE80211W */
2622
2623static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2624{
2625 return 0;
2626}
2627
2628
2629static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2630{
2631 return pos;
2632}
2633
2634#endif /* CONFIG_IEEE80211W */
2635
2636
2637SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
2638{
83421850 2639 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
6fc6879b
JM		 2640 size_t gtk_len, kde_len;
2641 struct wpa_group *gsm = sm->group;
2642 u8 *wpa_ie;
2643 int wpa_ie_len, secure, keyidx, encr = 0;
2644
2645 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
2646 sm->TimeoutEvt = FALSE;
bae61562
JM		 2647
2648 sm->TimeoutCtr++;
2649 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
2650 /* No point in sending the EAPOL-Key - we will disconnect
2651 * immediately following this. */
2652 return;
2653 }
2654
86dfabb8
JM		 2655 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
2656 GTK[GN], IGTK, [FTIE], [TIE * 2])
6fc6879b
JM		 2657 */
2658 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2659 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
86dfabb8 2660 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
6fc6879b
JM		 2661 wpa_ie = sm->wpa_auth->wpa_ie;
2662 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
2663 if (sm->wpa == WPA_VERSION_WPA &&
2664 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
2665 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
774d4145 2666 /* WPA-only STA, remove RSN IE and possible MDIE */
6fc6879b 2667 wpa_ie = wpa_ie + wpa_ie[1] + 2;
774d4145
JM		 2668 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
2669 wpa_ie = wpa_ie + wpa_ie[1] + 2;
6fc6879b
JM		 2670 wpa_ie_len = wpa_ie[1] + 2;
2671 }
2672 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2673 "sending 3/4 msg of 4-Way Handshake");
2674 if (sm->wpa == WPA_VERSION_WPA2) {
2675 /* WPA2 send GTK in the 4-way handshake */
2676 secure = 1;
2677 gtk = gsm->GTK[gsm->GN - 1];
2678 gtk_len = gsm->GTK_len;
83421850
JM		 2679 if (sm->wpa_auth->conf.disable_gtk) {
2680 /*
2681 * Provide unique random GTK to each STA to prevent use
2682 * of GTK in the BSS.
2683 */
2684 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
2685 return;
2686 gtk = dummy_gtk;
2687 }
6fc6879b
JM		 2688 keyidx = gsm->GN;
2689 _rsc = rsc;
2690 encr = 1;
2691 } else {
2692 /* WPA does not include GTK in msg 3/4 */
2693 secure = 0;
2694 gtk = NULL;
2695 gtk_len = 0;
2696 keyidx = 0;
2697 _rsc = NULL;
0d442aff
JM		 2698 if (sm->rx_eapol_key_secure) {
2699 /*
2700 * It looks like Windows 7 supplicant tries to use
2701 * Secure bit in msg 2/4 after having reported Michael
2702 * MIC failure and it then rejects the 4-way handshake
2703 * if msg 3/4 does not set Secure bit. Work around this
2704 * by setting the Secure bit here even in the case of
2705 * WPA if the supplicant used it first.
2706 */
2707 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4740d5b9
JM		 2708 "STA used Secure bit in WPA msg 2/4 - "
2709 "set Secure for 3/4 as workaround");
0d442aff
JM		 2710 secure = 1;
2711 }
6fc6879b
JM		 2712 }
2713
2714 kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
2715 if (gtk)
2716 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
26e23750 2717#ifdef CONFIG_IEEE80211R
86dfabb8
JM		 2718 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2719 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
2720 kde_len += 300; /* FTIE + 2 * TIE */
2721 }
26e23750 2722#endif /* CONFIG_IEEE80211R */
25ef8529
JM		 2723#ifdef CONFIG_P2P
2724 if (WPA_GET_BE32(sm->ip_addr) > 0)
2725 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
2726#endif /* CONFIG_P2P */
6fc6879b
JM		 2727 kde = os_malloc(kde_len);
2728 if (kde == NULL)
2729 return;
2730
2731 pos = kde;
2732 os_memcpy(pos, wpa_ie, wpa_ie_len);
2733 pos += wpa_ie_len;
26e23750
JM		 2734#ifdef CONFIG_IEEE80211R
2735 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
59e78c24
JM		 2736 int res;
2737 size_t elen;
2738
2739 elen = pos - kde;
2740 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
26e23750
JM		 2741 if (res < 0) {
2742 wpa_printf(MSG_ERROR, "FT: Failed to insert "
2743 "PMKR1Name into RSN IE in EAPOL-Key data");
2744 os_free(kde);
2745 return;
2746 }
59e78c24
JM		 2747 pos -= wpa_ie_len;
2748 pos += elen;
26e23750
JM		 2749 }
2750#endif /* CONFIG_IEEE80211R */
6fc6879b
JM		 2751 if (gtk) {
2752 u8 hdr[2];
2753 hdr[0] = keyidx & 0x03;
2754 hdr[1] = 0;
2755 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2756 gtk, gtk_len);
2757 }
2758 pos = ieee80211w_kde_add(sm, pos);
2759
86dfabb8
JM		 2760#ifdef CONFIG_IEEE80211R
2761 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2762 int res;
2763 struct wpa_auth_config *conf;
2764
2765 conf = &sm->wpa_auth->conf;
9257610a
JM		 2766 if (sm->assoc_resp_ftie &&
2767 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
2768 os_memcpy(pos, sm->assoc_resp_ftie,
2769 2 + sm->assoc_resp_ftie[1]);
2770 res = 2 + sm->assoc_resp_ftie[1];
2771 } else {
2772 res = wpa_write_ftie(conf, conf->r0_key_holder,
2773 conf->r0_key_holder_len,
2774 NULL, NULL, pos,
2775 kde + kde_len - pos,
2776 NULL, 0);
2777 }
86dfabb8
JM		 2778 if (res < 0) {
2779 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2780 "into EAPOL-Key Key Data");
2781 os_free(kde);
2782 return;
2783 }
2784 pos += res;
2785
2786 /* TIE[ReassociationDeadline] (TU) */
2787 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2788 *pos++ = 5;
2789 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
2790 WPA_PUT_LE32(pos, conf->reassociation_deadline);
2791 pos += 4;
2792
2793 /* TIE[KeyLifetime] (seconds) */
2794 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2795 *pos++ = 5;
2796 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
2797 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
2798 pos += 4;
2799 }
2800#endif /* CONFIG_IEEE80211R */
25ef8529
JM		 2801#ifdef CONFIG_P2P
2802 if (WPA_GET_BE32(sm->ip_addr) > 0) {
2803 u8 addr[3 * 4];
2804 os_memcpy(addr, sm->ip_addr, 4);
2805 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
2806 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
2807 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
2808 addr, sizeof(addr), NULL, 0);
2809 }
2810#endif /* CONFIG_P2P */
86dfabb8 2811
6fc6879b 2812 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d
JM		 2813 (secure ? WPA_KEY_INFO_SECURE : 0) |
2814 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 2815 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
2816 WPA_KEY_INFO_KEY_TYPE,
2817 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
2818 os_free(kde);
6fc6879b
JM		 2819}
2820
2821
2822SM_STATE(WPA_PTK, PTKINITDONE)
2823{
2824 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
2825 sm->EAPOLKeyReceived = FALSE;
2826 if (sm->Pair) {
c3550295
JM		 2827 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
2828 int klen = wpa_cipher_key_len(sm->pairwise);
6fc6879b 2829 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
98cd3d1c 2830 sm->PTK.tk, klen)) {
6fc6879b
JM		 2831 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
2832 return;
2833 }
2834 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
2835 sm->pairwise_set = TRUE;
2836
581a8cde
JM		 2837 if (sm->wpa_auth->conf.wpa_ptk_rekey) {
2838 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2839 eloop_register_timeout(sm->wpa_auth->conf.
2840 wpa_ptk_rekey, 0, wpa_rekey_ptk,
2841 sm->wpa_auth, sm);
2842 }
2843
56586197 2844 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 2845 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2846 WPA_EAPOL_authorized, 1);
2847 }
2848 }
2849
2850 if (0 /* IBSS == TRUE */) {
2851 sm->keycount++;
2852 if (sm->keycount == 2) {
2853 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2854 WPA_EAPOL_portValid, 1);
2855 }
2856 } else {
2857 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
2858 1);
2859 }
2860 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
2861 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
2862 if (sm->wpa == WPA_VERSION_WPA)
2863 sm->PInitAKeys = TRUE;
2864 else
2865 sm->has_GTK = TRUE;
2866 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2867 "pairwise key handshake completed (%s)",
2868 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2869
2870#ifdef CONFIG_IEEE80211R
2871 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
2872#endif /* CONFIG_IEEE80211R */
2873}
2874
2875
2876SM_STEP(WPA_PTK)
2877{
2878 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2879
2880 if (sm->Init)
2881 SM_ENTER(WPA_PTK, INITIALIZE);
2882 else if (sm->Disconnect
1aae01fc
BG		 2883 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
2884 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
2885 "WPA_PTK: sm->Disconnect");
6fc6879b 2886 SM_ENTER(WPA_PTK, DISCONNECT);
1aae01fc 2887 }
6fc6879b
JM		 2888 else if (sm->DeauthenticationRequest)
2889 SM_ENTER(WPA_PTK, DISCONNECTED);
2890 else if (sm->AuthenticationRequest)
2891 SM_ENTER(WPA_PTK, AUTHENTICATION);
2892 else if (sm->ReAuthenticationRequest)
2893 SM_ENTER(WPA_PTK, AUTHENTICATION2);
2894 else if (sm->PTKRequest)
2895 SM_ENTER(WPA_PTK, PTKSTART);
2896 else switch (sm->wpa_ptk_state) {
2897 case WPA_PTK_INITIALIZE:
2898 break;
2899 case WPA_PTK_DISCONNECT:
2900 SM_ENTER(WPA_PTK, DISCONNECTED);
2901 break;
2902 case WPA_PTK_DISCONNECTED:
2903 SM_ENTER(WPA_PTK, INITIALIZE);
2904 break;
2905 case WPA_PTK_AUTHENTICATION:
2906 SM_ENTER(WPA_PTK, AUTHENTICATION2);
2907 break;
2908 case WPA_PTK_AUTHENTICATION2:
56586197 2909 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
6fc6879b
JM		 2910 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2911 WPA_EAPOL_keyRun) > 0)
2912 SM_ENTER(WPA_PTK, INITPMK);
56586197 2913 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)
6fc6879b
JM		 2914 /* FIX: && 802.1X::keyRun */)
2915 SM_ENTER(WPA_PTK, INITPSK);
2916 break;
2917 case WPA_PTK_INITPMK:
2918 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2919 WPA_EAPOL_keyAvailable) > 0)
2920 SM_ENTER(WPA_PTK, PTKSTART);
2921 else {
2922 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 2923 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2924 "INITPMK - keyAvailable = false");
6fc6879b
JM		 2925 SM_ENTER(WPA_PTK, DISCONNECT);
2926 }
2927 break;
2928 case WPA_PTK_INITPSK:
759fd76b
JM		 2929 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
2930 NULL))
6fc6879b
JM		 2931 SM_ENTER(WPA_PTK, PTKSTART);
2932 else {
2933 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2934 "no PSK configured for the STA");
2935 wpa_auth->dot11RSNA4WayHandshakeFailures++;
2936 SM_ENTER(WPA_PTK, DISCONNECT);
2937 }
2938 break;
2939 case WPA_PTK_PTKSTART:
2940 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2941 sm->EAPOLKeyPairwise)
2942 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2943 else if (sm->TimeoutCtr >
2944 (int) dot11RSNAConfigPairwiseUpdateCount) {
2945 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 2946 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2947 "PTKSTART: Retry limit %d reached",
2948 dot11RSNAConfigPairwiseUpdateCount);
6fc6879b
JM		 2949 SM_ENTER(WPA_PTK, DISCONNECT);
2950 } else if (sm->TimeoutEvt)
2951 SM_ENTER(WPA_PTK, PTKSTART);
2952 break;
2953 case WPA_PTK_PTKCALCNEGOTIATING:
2954 if (sm->MICVerified)
2955 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
2956 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2957 sm->EAPOLKeyPairwise)
2958 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2959 else if (sm->TimeoutEvt)
2960 SM_ENTER(WPA_PTK, PTKSTART);
2961 break;
2962 case WPA_PTK_PTKCALCNEGOTIATING2:
2963 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2964 break;
2965 case WPA_PTK_PTKINITNEGOTIATING:
68921e24
JM		 2966 if (sm->update_snonce)
2967 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2968 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2969 sm->EAPOLKeyPairwise && sm->MICVerified)
6fc6879b
JM		 2970 SM_ENTER(WPA_PTK, PTKINITDONE);
2971 else if (sm->TimeoutCtr >
2972 (int) dot11RSNAConfigPairwiseUpdateCount) {
2973 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 2974 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2975 "PTKINITNEGOTIATING: Retry limit %d "
2976 "reached",
2977 dot11RSNAConfigPairwiseUpdateCount);
6fc6879b
JM		 2978 SM_ENTER(WPA_PTK, DISCONNECT);
2979 } else if (sm->TimeoutEvt)
2980 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2981 break;
2982 case WPA_PTK_PTKINITDONE:
2983 break;
2984 }
2985}
2986
2987
2988SM_STATE(WPA_PTK_GROUP, IDLE)
2989{
2990 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
2991 if (sm->Init) {
2992 /* Init flag is not cleared here, so avoid busy
2993 * loop by claiming nothing changed. */
2994 sm->changed = FALSE;
2995 }
2996 sm->GTimeoutCtr = 0;
2997}
2998
2999
3000SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3001{
3002 u8 rsc[WPA_KEY_RSC_LEN];
3003 struct wpa_group *gsm = sm->group;
e41e4f9e
JM		 3004 const u8 *kde;
3005 u8 *kde_buf = NULL, *pos, hdr[2];
6fc6879b 3006 size_t kde_len;
83421850 3007 u8 *gtk, dummy_gtk[32];
6fc6879b
JM		 3008
3009 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
bae61562
JM		 3010
3011 sm->GTimeoutCtr++;
3012 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) {
3013 /* No point in sending the EAPOL-Key - we will disconnect
3014 * immediately following this. */
3015 return;
3016 }
3017
6fc6879b
JM		 3018 if (sm->wpa == WPA_VERSION_WPA)
3019 sm->PInitAKeys = FALSE;
3020 sm->TimeoutEvt = FALSE;
3021 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3022 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3023 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3024 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3025 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3026 "sending 1/2 msg of Group Key Handshake");
3027
83421850
JM		 3028 gtk = gsm->GTK[gsm->GN - 1];
3029 if (sm->wpa_auth->conf.disable_gtk) {
3030 /*
3031 * Provide unique random GTK to each STA to prevent use
3032 * of GTK in the BSS.
3033 */
3034 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
3035 return;
3036 gtk = dummy_gtk;
3037 }
6fc6879b
JM		 3038 if (sm->wpa == WPA_VERSION_WPA2) {
3039 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
3040 ieee80211w_kde_len(sm);
e41e4f9e
JM		 3041 kde_buf = os_malloc(kde_len);
3042 if (kde_buf == NULL)
6fc6879b
JM		 3043 return;
3044
e41e4f9e 3045 kde = pos = kde_buf;
6fc6879b
JM		 3046 hdr[0] = gsm->GN & 0x03;
3047 hdr[1] = 0;
3048 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
83421850 3049 gtk, gsm->GTK_len);
6fc6879b 3050 pos = ieee80211w_kde_add(sm, pos);
e41e4f9e 3051 kde_len = pos - kde;
6fc6879b 3052 } else {
83421850 3053 kde = gtk;
e41e4f9e 3054 kde_len = gsm->GTK_len;
6fc6879b
JM		 3055 }
3056
3057 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d
JM		 3058 WPA_KEY_INFO_SECURE |
3059 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3060 WPA_KEY_INFO_ACK |
3061 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
e41e4f9e
JM		 3062 rsc, gsm->GNonce, kde, kde_len, gsm->GN, 1);
3063
3064 os_free(kde_buf);
6fc6879b
JM		 3065}
3066
3067
3068SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3069{
3070 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3071 sm->EAPOLKeyReceived = FALSE;
3072 if (sm->GUpdateStationKeys)
3073 sm->group->GKeyDoneStations--;
3074 sm->GUpdateStationKeys = FALSE;
3075 sm->GTimeoutCtr = 0;
3076 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
3077 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3078 "group key handshake completed (%s)",
3079 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3080 sm->has_GTK = TRUE;
3081}
3082
3083
3084SM_STATE(WPA_PTK_GROUP, KEYERROR)
3085{
3086 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
3087 if (sm->GUpdateStationKeys)
3088 sm->group->GKeyDoneStations--;
3089 sm->GUpdateStationKeys = FALSE;
3090 sm->Disconnect = TRUE;
3091}
3092
3093
3094SM_STEP(WPA_PTK_GROUP)
3095{
9663596f 3096 if (sm->Init || sm->PtkGroupInit) {
6fc6879b 3097 SM_ENTER(WPA_PTK_GROUP, IDLE);
9663596f
JM		 3098 sm->PtkGroupInit = FALSE;
3099 } else switch (sm->wpa_ptk_group_state) {
6fc6879b
JM		 3100 case WPA_PTK_GROUP_IDLE:
3101 if (sm->GUpdateStationKeys ||
3102 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
3103 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3104 break;
3105 case WPA_PTK_GROUP_REKEYNEGOTIATING:
3106 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3107 !sm->EAPOLKeyPairwise && sm->MICVerified)
3108 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
3109 else if (sm->GTimeoutCtr >
3110 (int) dot11RSNAConfigGroupUpdateCount)
3111 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
3112 else if (sm->TimeoutEvt)
3113 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3114 break;
3115 case WPA_PTK_GROUP_KEYERROR:
3116 SM_ENTER(WPA_PTK_GROUP, IDLE);
3117 break;
3118 case WPA_PTK_GROUP_REKEYESTABLISHED:
3119 SM_ENTER(WPA_PTK_GROUP, IDLE);
3120 break;
3121 }
3122}
3123
3124
3125static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
3126 struct wpa_group *group)
3127{
3128 int ret = 0;
3129
6fc6879b
JM		 3130 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3131 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3132 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
3133 wpa_auth->addr, group->GNonce,
3134 group->GTK[group->GN - 1], group->GTK_len) < 0)
3135 ret = -1;
5cb9d5c3
JM		 3136 wpa_hexdump_key(MSG_DEBUG, "GTK",
3137 group->GTK[group->GN - 1], group->GTK_len);
6fc6879b
JM		 3138
3139#ifdef CONFIG_IEEE80211W
70f8cc8e 3140 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
8dd9f9cd
JM		 3141 size_t len;
3142 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
5cb9d5c3
JM		 3143 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3144 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3145 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
3146 wpa_auth->addr, group->GNonce,
8dd9f9cd 3147 group->IGTK[group->GN_igtk - 4], len) < 0)
3c7302c2 3148 ret = -1;
6fc6879b 3149 wpa_hexdump_key(MSG_DEBUG, "IGTK",
8dd9f9cd 3150 group->IGTK[group->GN_igtk - 4], len);
6fc6879b
JM		 3151 }
3152#endif /* CONFIG_IEEE80211W */
3153
3154 return ret;
3155}
3156
3157
3158static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
3159 struct wpa_group *group)
3160{
3161 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3162 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
3163 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
3164 group->wpa_group_state = WPA_GROUP_GTK_INIT;
3165
3166 /* GTK[0..N] = 0 */
3167 os_memset(group->GTK, 0, sizeof(group->GTK));
3168 group->GN = 1;
3169 group->GM = 2;
3170#ifdef CONFIG_IEEE80211W
3171 group->GN_igtk = 4;
3172 group->GM_igtk = 5;
3173#endif /* CONFIG_IEEE80211W */
3174 /* GTK[GN] = CalcGTK() */
3175 wpa_gtk_update(wpa_auth, group);
3176}
3177
3178
3179static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
3180{
473b6f22
MB		 3181 if (ctx != NULL && ctx != sm->group)
3182 return 0;
3183
6fc6879b
JM		 3184 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
3185 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3186 "Not in PTKINITDONE; skip Group Key update");
3c183894 3187 sm->GUpdateStationKeys = FALSE;
6fc6879b
JM		 3188 return 0;
3189 }
9663596f
JM		 3190 if (sm->GUpdateStationKeys) {
3191 /*
3c183894
JM		 3192 * This should not really happen, so add a debug log entry.
3193 * Since we clear the GKeyDoneStations before the loop, the
3194 * station needs to be counted here anyway.
9663596f
JM		 3195 */
3196 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3c183894
JM		 3197 "GUpdateStationKeys was already set when "
3198 "marking station for GTK rekeying");
9663596f 3199 }
3c183894 3200
ad3872a3 3201 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
d32d94db
XC		 3202 if (sm->is_wnmsleep)
3203 return 0;
d32d94db 3204
3c183894
JM		 3205 sm->group->GKeyDoneStations++;
3206 sm->GUpdateStationKeys = TRUE;
3207
6fc6879b
JM		 3208 wpa_sm_step(sm);
3209 return 0;
3210}
3211
3212
ad3872a3
JM		 3213#ifdef CONFIG_WNM
3214/* update GTK when exiting WNM-Sleep Mode */
d32d94db
XC		 3215void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
3216{
629edfef 3217 if (sm == NULL || sm->is_wnmsleep)
d32d94db
XC		 3218 return;
3219
3220 wpa_group_update_sta(sm, NULL);
3221}
3222
3223
3224void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
3225{
629edfef
JM		 3226 if (sm)
3227 sm->is_wnmsleep = !!flag;
d32d94db
XC		 3228}
3229
3230
3231int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3232{
d32d94db 3233 struct wpa_group *gsm = sm->group;
835822d4 3234 u8 *start = pos;
d32d94db
XC		 3235
3236 /*
835822d4 3237 * GTK subelement:
d32d94db 3238 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
835822d4 3239 * Key[5..32]
d32d94db 3240 */
835822d4
JM		 3241 *pos++ = WNM_SLEEP_SUBELEM_GTK;
3242 *pos++ = 11 + gsm->GTK_len;
d32d94db 3243 /* Key ID in B0-B1 of Key Info */
835822d4
JM		 3244 WPA_PUT_LE16(pos, gsm->GN & 0x03);
3245 pos += 2;
3246 *pos++ = gsm->GTK_len;
3247 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
d32d94db 3248 return 0;
835822d4
JM		 3249 pos += 8;
3250 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3251 pos += gsm->GTK_len;
d32d94db 3252
835822d4
JM		 3253 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
3254 gsm->GN);
3255 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
d32d94db 3256 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
d32d94db 3257
835822d4 3258 return pos - start;
d32d94db
XC		 3259}
3260
3261
3262#ifdef CONFIG_IEEE80211W
3263int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3264{
d32d94db 3265 struct wpa_group *gsm = sm->group;
835822d4 3266 u8 *start = pos;
8dd9f9cd 3267 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
d32d94db 3268
835822d4
JM		 3269 /*
3270 * IGTK subelement:
3271 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
3272 */
3273 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
8dd9f9cd 3274 *pos++ = 2 + 6 + len;
835822d4
JM		 3275 WPA_PUT_LE16(pos, gsm->GN_igtk);
3276 pos += 2;
3277 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
d32d94db 3278 return 0;
835822d4 3279 pos += 6;
d32d94db 3280
8dd9f9cd
JM		 3281 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
3282 pos += len;
d32d94db 3283
835822d4
JM		 3284 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
3285 gsm->GN_igtk);
3286 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
8dd9f9cd 3287 gsm->IGTK[gsm->GN_igtk - 4], len);
d32d94db 3288
835822d4 3289 return pos - start;
d32d94db
XC		 3290}
3291#endif /* CONFIG_IEEE80211W */
ad3872a3 3292#endif /* CONFIG_WNM */
d32d94db
XC		 3293
3294
6fc6879b
JM		 3295static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
3296 struct wpa_group *group)
3297{
3298 int tmp;
3299
3300 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3301 "SETKEYS (VLAN-ID %d)", group->vlan_id);
3302 group->changed = TRUE;
3303 group->wpa_group_state = WPA_GROUP_SETKEYS;
3304 group->GTKReKey = FALSE;
3305 tmp = group->GM;
3306 group->GM = group->GN;
3307 group->GN = tmp;
3308#ifdef CONFIG_IEEE80211W
3309 tmp = group->GM_igtk;
3310 group->GM_igtk = group->GN_igtk;
3311 group->GN_igtk = tmp;
3312#endif /* CONFIG_IEEE80211W */
3313 /* "GKeyDoneStations = GNoStations" is done in more robust way by
3314 * counting the STAs that are marked with GUpdateStationKeys instead of
3315 * including all STAs that could be in not-yet-completed state. */
3316 wpa_gtk_update(wpa_auth, group);
3317
3c183894
JM		 3318 if (group->GKeyDoneStations) {
3319 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3320 "GKeyDoneStations=%d when starting new GTK rekey",
3321 group->GKeyDoneStations);
3322 group->GKeyDoneStations = 0;
3323 }
473b6f22 3324 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
6fc6879b
JM		 3325 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3326 group->GKeyDoneStations);
3327}
3328
3329
1bdb7ab3
JM		 3330static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3331 struct wpa_group *group)
6fc6879b 3332{
3c7302c2
JM		 3333 int ret = 0;
3334
3c7302c2 3335 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
c3550295 3336 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
0382097e
JM		 3337 broadcast_ether_addr, group->GN,
3338 group->GTK[group->GN - 1], group->GTK_len) < 0)
3c7302c2 3339 ret = -1;
6fc6879b
JM		 3340
3341#ifdef CONFIG_IEEE80211W
8dd9f9cd
JM		 3342 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3343 enum wpa_alg alg;
3344 size_t len;
3345
3346 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3347 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3348
3349 if (ret == 0 &&
3350 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
3351 broadcast_ether_addr, group->GN_igtk,
3352 group->IGTK[group->GN_igtk - 4], len) < 0)
3353 ret = -1;
3354 }
6fc6879b 3355#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 3356
3357 return ret;
6fc6879b
JM		 3358}
3359
3360
7d7f7be2
JM		 3361static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
3362{
3363 if (sm->group == ctx) {
3364 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
3365 " for discconnection due to fatal failure",
3366 MAC2STR(sm->addr));
3367 sm->Disconnect = TRUE;
3368 }
3369
3370 return 0;
3371}
3372
3373
3374static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
3375 struct wpa_group *group)
3376{
3377 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
3378 group->changed = TRUE;
3379 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
3380 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
3381}
3382
3383
1bdb7ab3
JM		 3384static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
3385 struct wpa_group *group)
3386{
3387 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3388 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
3389 group->changed = TRUE;
3390 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
3391
7d7f7be2
JM		 3392 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
3393 wpa_group_fatal_failure(wpa_auth, group);
1bdb7ab3 3394 return -1;
7d7f7be2 3395 }
1bdb7ab3
JM		 3396
3397 return 0;
3398}
3399
3400
6fc6879b
JM		 3401static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
3402 struct wpa_group *group)
3403{
3404 if (group->GInit) {
3405 wpa_group_gtk_init(wpa_auth, group);
7d7f7be2
JM		 3406 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
3407 /* Do not allow group operations */
6fc6879b
JM		 3408 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
3409 group->GTKAuthenticator) {
3410 wpa_group_setkeysdone(wpa_auth, group);
3411 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
3412 group->GTKReKey) {
3413 wpa_group_setkeys(wpa_auth, group);
3414 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
3415 if (group->GKeyDoneStations == 0)
3416 wpa_group_setkeysdone(wpa_auth, group);
3417 else if (group->GTKReKey)
3418 wpa_group_setkeys(wpa_auth, group);
3419 }
3420}
3421
3422
e4a6ea1d 3423static int wpa_sm_step(struct wpa_state_machine *sm)
6fc6879b
JM		 3424{
3425 if (sm == NULL)
e4a6ea1d 3426 return 0;
6fc6879b
JM		 3427
3428 if (sm->in_step_loop) {
3429 /* This should not happen, but if it does, make sure we do not
3430 * end up freeing the state machine too early by exiting the
3431 * recursive call. */
3432 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
e4a6ea1d 3433 return 0;
6fc6879b
JM		 3434 }
3435
3436 sm->in_step_loop = 1;
3437 do {
3438 if (sm->pending_deinit)
3439 break;
3440
3441 sm->changed = FALSE;
3442 sm->wpa_auth->group->changed = FALSE;
3443
3444 SM_STEP_RUN(WPA_PTK);
3445 if (sm->pending_deinit)
3446 break;
3447 SM_STEP_RUN(WPA_PTK_GROUP);
3448 if (sm->pending_deinit)
3449 break;
3450 wpa_group_sm_step(sm->wpa_auth, sm->group);
3451 } while (sm->changed || sm->wpa_auth->group->changed);
3452 sm->in_step_loop = 0;
3453
3454 if (sm->pending_deinit) {
3455 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
3456 "machine deinit for " MACSTR, MAC2STR(sm->addr));
3457 wpa_free_sta_sm(sm);
e4a6ea1d 3458 return 1;
6fc6879b 3459 }
e4a6ea1d 3460 return 0;
6fc6879b
JM		 3461}
3462
3463
3464static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
3465{
3466 struct wpa_state_machine *sm = eloop_ctx;
3467 wpa_sm_step(sm);
3468}
3469
3470
3471void wpa_auth_sm_notify(struct wpa_state_machine *sm)
3472{
3473 if (sm == NULL)
3474 return;
3475 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
3476}
3477
3478
3479void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
3480{
3481 int tmp, i;
3482 struct wpa_group *group;
3483
3484 if (wpa_auth == NULL)
3485 return;
3486
3487 group = wpa_auth->group;
3488
3489 for (i = 0; i < 2; i++) {
3490 tmp = group->GM;
3491 group->GM = group->GN;
3492 group->GN = tmp;
3493#ifdef CONFIG_IEEE80211W
3494 tmp = group->GM_igtk;
3495 group->GM_igtk = group->GN_igtk;
3496 group->GN_igtk = tmp;
3497#endif /* CONFIG_IEEE80211W */
3498 wpa_gtk_update(wpa_auth, group);
9354e594 3499 wpa_group_config_group_keys(wpa_auth, group);
6fc6879b
JM		 3500 }
3501}
3502
3503
a6da824b 3504static const char * wpa_bool_txt(int val)
6fc6879b 3505{
a6da824b 3506 return val ? "TRUE" : "FALSE";
6fc6879b
JM		 3507}
3508
3509
6fc6879b
JM		 3510#define RSN_SUITE "%02x-%02x-%02x-%d"
3511#define RSN_SUITE_ARG(s) \
3512((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
3513
3514int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
3515{
3516 int len = 0, ret;
3517 char pmkid_txt[PMKID_LEN * 2 + 1];
8ce58ceb
IH		 3518#ifdef CONFIG_RSN_PREAUTH
3519 const int preauth = 1;
3520#else /* CONFIG_RSN_PREAUTH */
3521 const int preauth = 0;
3522#endif /* CONFIG_RSN_PREAUTH */
6fc6879b
JM		 3523
3524 if (wpa_auth == NULL)
3525 return len;
3526
3527 ret = os_snprintf(buf + len, buflen - len,
3528 "dot11RSNAOptionImplemented=TRUE\n"
8ce58ceb 3529 "dot11RSNAPreauthenticationImplemented=%s\n"
6fc6879b
JM		 3530 "dot11RSNAEnabled=%s\n"
3531 "dot11RSNAPreauthenticationEnabled=%s\n",
8ce58ceb 3532 wpa_bool_txt(preauth),
6fc6879b
JM		 3533 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
3534 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
d85e1fc8 3535 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3536 return len;
3537 len += ret;
3538
3539 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3540 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
3541
3542 ret = os_snprintf(
3543 buf + len, buflen - len,
3544 "dot11RSNAConfigVersion=%u\n"
3545 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
3546 /* FIX: dot11RSNAConfigGroupCipher */
3547 /* FIX: dot11RSNAConfigGroupRekeyMethod */
3548 /* FIX: dot11RSNAConfigGroupRekeyTime */
3549 /* FIX: dot11RSNAConfigGroupRekeyPackets */
3550 "dot11RSNAConfigGroupRekeyStrict=%u\n"
3551 "dot11RSNAConfigGroupUpdateCount=%u\n"
3552 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
3553 "dot11RSNAConfigGroupCipherSize=%u\n"
3554 "dot11RSNAConfigPMKLifetime=%u\n"
3555 "dot11RSNAConfigPMKReauthThreshold=%u\n"
3556 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
3557 "dot11RSNAConfigSATimeout=%u\n"
3558 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3559 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3560 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3561 "dot11RSNAPMKIDUsed=%s\n"
3562 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3563 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3564 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3565 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
3566 "dot11RSNA4WayHandshakeFailures=%u\n"
3567 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
3568 RSN_VERSION,
3569 !!wpa_auth->conf.wpa_strict_rekey,
3570 dot11RSNAConfigGroupUpdateCount,
3571 dot11RSNAConfigPairwiseUpdateCount,
c3550295 3572 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
6fc6879b
JM		 3573 dot11RSNAConfigPMKLifetime,
3574 dot11RSNAConfigPMKReauthThreshold,
3575 dot11RSNAConfigSATimeout,
3576 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
3577 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
3578 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
3579 pmkid_txt,
3580 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
3581 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
3582 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
3583 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
3584 wpa_auth->dot11RSNA4WayHandshakeFailures);
d85e1fc8 3585 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3586 return len;
3587 len += ret;
3588
3589 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
3590 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
3591
3592 /* Private MIB */
3593 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
3594 wpa_auth->group->wpa_group_state);
d85e1fc8 3595 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3596 return len;
3597 len += ret;
3598
3599 return len;
3600}
3601
3602
3603int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
3604{
3605 int len = 0, ret;
3606 u32 pairwise = 0;
3607
3608 if (sm == NULL)
3609 return 0;
3610
3611 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
3612
3613 /* dot11RSNAStatsEntry */
3614
c3550295
JM		 3615 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
3616 WPA_PROTO_RSN : WPA_PROTO_WPA,
3617 sm->pairwise);
3618 if (pairwise == 0)
6fc6879b
JM		 3619 return 0;
3620
3621 ret = os_snprintf(
3622 buf + len, buflen - len,
3623 /* TODO: dot11RSNAStatsIndex */
3624 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
3625 "dot11RSNAStatsVersion=1\n"
3626 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
3627 /* TODO: dot11RSNAStatsTKIPICVErrors */
3628 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
d9040cdb 3629 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
6fc6879b
JM		 3630 /* TODO: dot11RSNAStatsCCMPReplays */
3631 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
3632 /* TODO: dot11RSNAStatsTKIPReplays */,
3633 MAC2STR(sm->addr),
3634 RSN_SUITE_ARG(pairwise),
3635 sm->dot11RSNAStatsTKIPLocalMICFailures,
3636 sm->dot11RSNAStatsTKIPRemoteMICFailures);
d85e1fc8 3637 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3638 return len;
3639 len += ret;
3640
3641 /* Private MIB */
3642 ret = os_snprintf(buf + len, buflen - len,
3643 "hostapdWPAPTKState=%d\n"
3644 "hostapdWPAPTKGroupState=%d\n",
3645 sm->wpa_ptk_state,
3646 sm->wpa_ptk_group_state);
d85e1fc8 3647 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3648 return len;
3649 len += ret;
3650
3651 return len;
3652}
3653
3654
3655void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
3656{
3657 if (wpa_auth)
3658 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
3659}
3660
3661
3662int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
3663{
3664 return sm && sm->pairwise_set;
3665}
3666
3667
ff36ff00
JM		 3668int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
3669{
3670 return sm->pairwise;
3671}
3672
3673
6fc6879b
JM		 3674int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
3675{
3676 if (sm == NULL)
3677 return -1;
3678 return sm->wpa_key_mgmt;
3679}
3680
3681
3682int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
3683{
3684 if (sm == NULL)
3685 return 0;
3686 return sm->wpa;
3687}
3688
3689
3690int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
3691 struct rsn_pmksa_cache_entry *entry)
3692{
3693 if (sm == NULL || sm->pmksa != entry)
3694 return -1;
3695 sm->pmksa = NULL;
3696 return 0;
3697}
3698
3699
3700struct rsn_pmksa_cache_entry *
3701wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
3702{
3703 return sm ? sm->pmksa : NULL;
3704}
3705
3706
3707void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
3708{
3709 if (sm)
3710 sm->dot11RSNAStatsTKIPLocalMICFailures++;
3711}
3712
3713
3714const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
3715{
3716 if (wpa_auth == NULL)
3717 return NULL;
3718 *len = wpa_auth->wpa_ie_len;
3719 return wpa_auth->wpa_ie;
3720}
3721
3722
3723int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
207976f0 3724 unsigned int pmk_len,
6fc6879b
JM		 3725 int session_timeout, struct eapol_state_machine *eapol)
3726{
cb465555
JM		 3727 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
3728 sm->wpa_auth->conf.disable_pmksa_caching)
6fc6879b
JM		 3729 return -1;
3730
207976f0
JM		 3731 if (sm->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) {
3732 if (pmk_len > PMK_LEN_SUITE_B_192)
3733 pmk_len = PMK_LEN_SUITE_B_192;
3734 } else if (pmk_len > PMK_LEN) {
3735 pmk_len = PMK_LEN;
3736 }
3737
70c93963 3738 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
98cd3d1c 3739 sm->PTK.kck, sm->PTK.kck_len,
4bb081f1
JM		 3740 sm->wpa_auth->addr, sm->addr, session_timeout,
3741 eapol, sm->wpa_key_mgmt))
6fc6879b
JM		 3742 return 0;
3743
3744 return -1;
3745}
3746
3747
3748int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
3749 const u8 *pmk, size_t len, const u8 *sta_addr,
3750 int session_timeout,
3751 struct eapol_state_machine *eapol)
3752{
3753 if (wpa_auth == NULL)
3754 return -1;
3755
70c93963 3756 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
087a1f4e
JM		 3757 NULL, 0,
3758 wpa_auth->addr,
4bb081f1
JM		 3759 sta_addr, session_timeout, eapol,
3760 WPA_KEY_MGMT_IEEE8021X))
6fc6879b
JM		 3761 return 0;
3762
3763 return -1;
3764}
3765
3766
f2991170 3767int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
70c93963 3768 const u8 *pmk, const u8 *pmkid)
f2991170
JM		 3769{
3770 if (wpa_auth->conf.disable_pmksa_caching)
3771 return -1;
3772
70c93963 3773 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
087a1f4e 3774 NULL, 0,
f2991170
JM		 3775 wpa_auth->addr, addr, 0, NULL,
3776 WPA_KEY_MGMT_SAE))
3777 return 0;
3778
3779 return -1;
3780}
3781
3782
901d1fe1
JM		 3783void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
3784 const u8 *sta_addr)
3785{
3786 struct rsn_pmksa_cache_entry *pmksa;
3787
3788 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
3789 return;
3790 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
3791 if (pmksa) {
3792 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
3793 MACSTR " based on request", MAC2STR(sta_addr));
3794 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
3795 }
3796}
3797
3798
b8daac18
MH		 3799int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
3800 size_t len)
3801{
3802 if (!wpa_auth || !wpa_auth->pmksa)
3803 return 0;
3804 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
3805}
3806
3807
4c522c77
MH		 3808void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
3809{
3810 if (wpa_auth && wpa_auth->pmksa)
3811 pmksa_cache_auth_flush(wpa_auth->pmksa);
3812}
3813
3814
9f2cf23e 3815struct rsn_pmksa_cache_entry *
c1bd4bac
JM		 3816wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
3817 const u8 *pmkid)
9f2cf23e
MH		 3818{
3819 if (!wpa_auth || !wpa_auth->pmksa)
3820 return NULL;
c1bd4bac 3821 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
9f2cf23e
MH		 3822}
3823
3824
3825void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
3826 struct wpa_state_machine *sm,
3827 struct wpa_authenticator *wpa_auth,
3828 u8 *pmkid, u8 *pmk)
3829{
3830 if (!sm)
3831 return;
3832
3833 sm->pmksa = pmksa;
8854f90b
JM		 3834 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
3835 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
3836 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
9f2cf23e
MH		 3837}
3838
3839
a0ad9e8c
MB		 3840/*
3841 * Remove and free the group from wpa_authenticator. This is triggered by a
3842 * callback to make sure nobody is currently iterating the group list while it
3843 * gets modified.
3844 */
3845static void wpa_group_free(struct wpa_authenticator *wpa_auth,
3846 struct wpa_group *group)
3847{
3848 struct wpa_group *prev = wpa_auth->group;
3849
3850 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
3851 group->vlan_id);
3852
3853 while (prev) {
3854 if (prev->next == group) {
3855 /* This never frees the special first group as needed */
3856 prev->next = group->next;
3857 os_free(group);
3858 break;
3859 }
3860 prev = prev->next;
3861 }
3862
3863}
3864
3865
3866/* Increase the reference counter for group */
3867static void wpa_group_get(struct wpa_authenticator *wpa_auth,
3868 struct wpa_group *group)
3869{
3870 /* Skip the special first group */
3871 if (wpa_auth->group == group)
3872 return;
3873
3874 group->references++;
3875}
3876
3877
3878/* Decrease the reference counter and maybe free the group */
3879static void wpa_group_put(struct wpa_authenticator *wpa_auth,
3880 struct wpa_group *group)
3881{
3882 /* Skip the special first group */
3883 if (wpa_auth->group == group)
3884 return;
3885
3886 group->references--;
3887 if (group->references)
3888 return;
3889 wpa_group_free(wpa_auth, group);
3890}
3891
3892
3893/*
3894 * Add a group that has its references counter set to zero. Caller needs to
3895 * call wpa_group_get() on the return value to mark the entry in use.
3896 */
6fc6879b
JM		 3897static struct wpa_group *
3898wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
3899{
3900 struct wpa_group *group;
3901
3902 if (wpa_auth == NULL || wpa_auth->group == NULL)
3903 return NULL;
3904
3905 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
3906 vlan_id);
bdffdc5d 3907 group = wpa_group_init(wpa_auth, vlan_id, 0);
6fc6879b
JM		 3908 if (group == NULL)
3909 return NULL;
3910
3911 group->next = wpa_auth->group->next;
3912 wpa_auth->group->next = group;
3913
3914 return group;
3915}
3916
3917
7cebc8e2
MB		 3918/*
3919 * Enforce that the group state machine for the VLAN is running, increase
3920 * reference counter as interface is up. References might have been increased
3921 * even if a negative value is returned.
3922 * Returns: -1 on error (group missing, group already failed); otherwise, 0
3923 */
3924int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
3925{
3926 struct wpa_group *group;
3927
3928 if (wpa_auth == NULL)
3929 return 0;
3930
3931 group = wpa_auth->group;
3932 while (group) {
3933 if (group->vlan_id == vlan_id)
3934 break;
3935 group = group->next;
3936 }
3937
3938 if (group == NULL) {
3939 group = wpa_auth_add_group(wpa_auth, vlan_id);
3940 if (group == NULL)
3941 return -1;
3942 }
3943
3944 wpa_printf(MSG_DEBUG,
3945 "WPA: Ensure group state machine running for VLAN ID %d",
3946 vlan_id);
3947
3948 wpa_group_get(wpa_auth, group);
3949 group->num_setup_iface++;
3950
3951 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
3952 return -1;
3953
3954 return 0;
3955}
3956
3957
3958/*
3959 * Decrease reference counter, expected to be zero afterwards.
3960 * returns: -1 on error (group not found, group in fail state)
3961 * -2 if wpa_group is still referenced
3962 * 0 else
3963 */
3964int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
3965{
3966 struct wpa_group *group;
3967 int ret = 0;
3968
3969 if (wpa_auth == NULL)
3970 return 0;
3971
3972 group = wpa_auth->group;
3973 while (group) {
3974 if (group->vlan_id == vlan_id)
3975 break;
3976 group = group->next;
3977 }
3978
3979 if (group == NULL)
3980 return -1;
3981
3982 wpa_printf(MSG_DEBUG,
3983 "WPA: Try stopping group state machine for VLAN ID %d",
3984 vlan_id);
3985
3986 if (group->num_setup_iface <= 0) {
3987 wpa_printf(MSG_ERROR,
3988 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
3989 vlan_id);
3990 return -1;
3991 }
3992 group->num_setup_iface--;
3993
3994 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
3995 ret = -1;
3996
3997 if (group->references > 1) {
3998 wpa_printf(MSG_DEBUG,
3999 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
4000 vlan_id);
4001 ret = -2;
4002 }
4003
4004 wpa_group_put(wpa_auth, group);
4005
4006 return ret;
4007}
4008
4009
6fc6879b
JM		 4010int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
4011{
4012 struct wpa_group *group;
4013
4014 if (sm == NULL || sm->wpa_auth == NULL)
4015 return 0;
4016
4017 group = sm->wpa_auth->group;
4018 while (group) {
4019 if (group->vlan_id == vlan_id)
4020 break;
4021 group = group->next;
4022 }
4023
4024 if (group == NULL) {
4025 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
4026 if (group == NULL)
4027 return -1;
4028 }
4029
4030 if (sm->group == group)
4031 return 0;
4032
7d7f7be2
JM		 4033 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4034 return -1;
4035
6fc6879b
JM		 4036 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
4037 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
4038
a0ad9e8c
MB		 4039 wpa_group_get(sm->wpa_auth, group);
4040 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b 4041 sm->group = group;
a0ad9e8c 4042
6fc6879b
JM		 4043 return 0;
4044}
e4bf4db9
JM		 4045
4046
4047void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
4048 struct wpa_state_machine *sm, int ack)
4049{
4050 if (wpa_auth == NULL || sm == NULL)
4051 return;
4052 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
4053 " ack=%d", MAC2STR(sm->addr), ack);
4054 if (sm->pending_1_of_4_timeout && ack) {
4055 /*
4056 * Some deployed supplicant implementations update their SNonce
4057 * for each EAPOL-Key 2/4 message even within the same 4-way
4058 * handshake and then fail to use the first SNonce when
4059 * deriving the PTK. This results in unsuccessful 4-way
4060 * handshake whenever the relatively short initial timeout is
4061 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
4062 * around this by increasing the timeout now that we know that
4063 * the station has received the frame.
4064 */
4065 int timeout_ms = eapol_key_timeout_subseq;
4066 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
4067 "timeout by %u ms because of acknowledged frame",
4068 timeout_ms);
4069 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
4070 eloop_register_timeout(timeout_ms / 1000,
4071 (timeout_ms % 1000) * 1000,
4072 wpa_send_eapol_timeout, wpa_auth, sm);
4073 }
4074}
c10347f2
JM		 4075
4076
4077int wpa_auth_uses_sae(struct wpa_state_machine *sm)
4078{
4079 if (sm == NULL)
4080 return 0;
4081 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
4082}
aa189ac9
JM		 4083
4084
4085int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
4086{
4087 if (sm == NULL)
4088 return 0;
4089 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
4090}
25ef8529
JM		 4091
4092
4093#ifdef CONFIG_P2P
4094int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
4095{
4096 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
4097 return -1;
4098 os_memcpy(addr, sm->ip_addr, 4);
4099 return 0;
4100}
4101#endif /* CONFIG_P2P */
cbc210de
JM		 4102
4103
4104int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
4105 struct radius_das_attrs *attr)
4106{
4107 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
4108}
34782730
JM		 4109
4110
4111void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
4112{
4113 struct wpa_group *group;
4114
4115 if (!wpa_auth)
4116 return;
4117 for (group = wpa_auth->group; group; group = group->next)
4118 wpa_group_config_group_keys(wpa_auth, group);
4119}
Unnamed repository; edit this file 'description' to name the repository.