]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
FILS: Derive FT key hierarchy on supplicant side for FILS+FT
[thirdparty/hostap.git] / src / ap / wpa_auth.c
CommitLineData
6fc6879b 1/*
00338a4f 2 * IEEE 802.11 RSN / WPA Authenticator
98cd3d1c 3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
6fc6879b 4 *
0f3d578e
JM		 5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
6fc6879b
JM		 7 */
8
6226e38d 9#include "utils/includes.h"
6fc6879b 10
6226e38d
JM		 11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "utils/state_machine.h"
25ef8529 14#include "utils/bitfield.h"
81f4f619 15#include "common/ieee802_11_defs.h"
3b5b7aa8 16#include "crypto/aes.h"
03da66bd 17#include "crypto/aes_wrap.h"
3b5b7aa8 18#include "crypto/aes_siv.h"
03da66bd
JM		 19#include "crypto/crypto.h"
20#include "crypto/sha1.h"
21#include "crypto/sha256.h"
3642c431 22#include "crypto/random.h"
281c950b 23#include "eapol_auth/eapol_auth_sm.h"
6226e38d 24#include "ap_config.h"
6fc6879b 25#include "ieee802_11.h"
6226e38d
JM		 26#include "wpa_auth.h"
27#include "pmksa_cache_auth.h"
6fc6879b
JM		 28#include "wpa_auth_i.h"
29#include "wpa_auth_ie.h"
30
31#define STATE_MACHINE_DATA struct wpa_state_machine
32#define STATE_MACHINE_DEBUG_PREFIX "WPA"
33#define STATE_MACHINE_ADDR sm->addr
34
35
36static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
e4a6ea1d 37static int wpa_sm_step(struct wpa_state_machine *sm);
929a2ea5
JM		 38static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
39 size_t data_len);
75c8563e
JM		 40#ifdef CONFIG_FILS
41static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
42 u8 *buf, size_t buf_len, u16 *_key_data_len);
9392859d
JM		 43static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
44 const struct wpabuf *hlp);
75c8563e 45#endif /* CONFIG_FILS */
6fc6879b
JM		 46static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
47static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
48 struct wpa_group *group);
581a8cde 49static void wpa_request_new_ptk(struct wpa_state_machine *sm);
e6965d4e
JM		 50static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
51 struct wpa_group *group);
1bdb7ab3
JM		 52static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
53 struct wpa_group *group);
f23c5b17 54static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 55 const u8 *pmk, unsigned int pmk_len,
56 struct wpa_ptk *ptk);
a0ad9e8c
MB		 57static void wpa_group_free(struct wpa_authenticator *wpa_auth,
58 struct wpa_group *group);
59static void wpa_group_get(struct wpa_authenticator *wpa_auth,
60 struct wpa_group *group);
61static void wpa_group_put(struct wpa_authenticator *wpa_auth,
62 struct wpa_group *group);
e73ffa09 63static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
6fc6879b 64
bae61562
JM		 65static const u32 eapol_key_timeout_first = 100; /* ms */
66static const u32 eapol_key_timeout_subseq = 1000; /* ms */
00338a4f 67static const u32 eapol_key_timeout_first_group = 500; /* ms */
6fc6879b
JM		 68
69/* TODO: make these configurable */
70static const int dot11RSNAConfigPMKLifetime = 43200;
71static const int dot11RSNAConfigPMKReauthThreshold = 70;
72static const int dot11RSNAConfigSATimeout = 60;
73
74
c772d054 75static inline int wpa_auth_mic_failure_report(
6fc6879b
JM		 76 struct wpa_authenticator *wpa_auth, const u8 *addr)
77{
cef8fac0
JB		 78 if (wpa_auth->cb->mic_failure_report)
79 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
c772d054 80 return 0;
6fc6879b
JM		 81}
82
83
2c502460
JM		 84static inline void wpa_auth_psk_failure_report(
85 struct wpa_authenticator *wpa_auth, const u8 *addr)
86{
cef8fac0
JB		 87 if (wpa_auth->cb->psk_failure_report)
88 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
2c502460
JM		 89}
90
91
6fc6879b
JM		 92static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
93 const u8 *addr, wpa_eapol_variable var,
94 int value)
95{
cef8fac0
JB		 96 if (wpa_auth->cb->set_eapol)
97 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
6fc6879b
JM		 98}
99
100
101static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
102 const u8 *addr, wpa_eapol_variable var)
103{
cef8fac0 104 if (wpa_auth->cb->get_eapol == NULL)
6fc6879b 105 return -1;
cef8fac0 106 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
6fc6879b
JM		 107}
108
109
110static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
759fd76b
JM		 111 const u8 *addr,
112 const u8 *p2p_dev_addr,
113 const u8 *prev_psk)
6fc6879b 114{
cef8fac0 115 if (wpa_auth->cb->get_psk == NULL)
6fc6879b 116 return NULL;
cef8fac0
JB		 117 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
118 prev_psk);
6fc6879b
JM		 119}
120
121
122static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
123 const u8 *addr, u8 *msk, size_t *len)
124{
cef8fac0 125 if (wpa_auth->cb->get_msk == NULL)
6fc6879b 126 return -1;
cef8fac0 127 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
6fc6879b
JM		 128}
129
130
131static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
132 int vlan_id,
71934751 133 enum wpa_alg alg, const u8 *addr, int idx,
6fc6879b
JM		 134 u8 *key, size_t key_len)
135{
cef8fac0 136 if (wpa_auth->cb->set_key == NULL)
6fc6879b 137 return -1;
cef8fac0
JB		 138 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
139 key, key_len);
6fc6879b
JM		 140}
141
142
143static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
144 const u8 *addr, int idx, u8 *seq)
145{
cef8fac0 146 if (wpa_auth->cb->get_seqnum == NULL)
6fc6879b 147 return -1;
cef8fac0 148 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
6fc6879b
JM		 149}
150
151
6fc6879b
JM		 152static inline int
153wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
154 const u8 *data, size_t data_len, int encrypt)
155{
cef8fac0 156 if (wpa_auth->cb->send_eapol == NULL)
6fc6879b 157 return -1;
cef8fac0
JB		 158 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
159 encrypt);
6fc6879b
JM		 160}
161
162
c50d94f1
BC		 163#ifdef CONFIG_MESH
164static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
165 const u8 *addr)
166{
cef8fac0 167 if (wpa_auth->cb->start_ampe == NULL)
c50d94f1 168 return -1;
cef8fac0 169 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
c50d94f1
BC		 170}
171#endif /* CONFIG_MESH */
172
173
6fc6879b
JM		 174int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
175 int (*cb)(struct wpa_state_machine *sm, void *ctx),
176 void *cb_ctx)
177{
cef8fac0 178 if (wpa_auth->cb->for_each_sta == NULL)
6fc6879b 179 return 0;
cef8fac0 180 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
6fc6879b
JM		 181}
182
183
bf98f7f3
JM		 184int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
185 int (*cb)(struct wpa_authenticator *a, void *ctx),
186 void *cb_ctx)
187{
cef8fac0 188 if (wpa_auth->cb->for_each_auth == NULL)
bf98f7f3 189 return 0;
cef8fac0 190 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
bf98f7f3
JM		 191}
192
193
6fc6879b
JM		 194void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
195 logger_level level, const char *txt)
196{
cef8fac0 197 if (wpa_auth->cb->logger == NULL)
6fc6879b 198 return;
cef8fac0 199 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
6fc6879b
JM		 200}
201
202
203void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
204 logger_level level, const char *fmt, ...)
205{
206 char *format;
207 int maxlen;
208 va_list ap;
209
cef8fac0 210 if (wpa_auth->cb->logger == NULL)
6fc6879b
JM		 211 return;
212
213 maxlen = os_strlen(fmt) + 100;
214 format = os_malloc(maxlen);
215 if (!format)
216 return;
217
218 va_start(ap, fmt);
219 vsnprintf(format, maxlen, fmt, ap);
220 va_end(ap);
221
222 wpa_auth_logger(wpa_auth, addr, level, format);
223
224 os_free(format);
225}
226
227
228static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
229 const u8 *addr)
230{
cef8fac0 231 if (wpa_auth->cb->disconnect == NULL)
6fc6879b 232 return;
afcc9ea1 233 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
cef8fac0
JB		 234 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr,
235 WLAN_REASON_PREV_AUTH_NOT_VALID);
6fc6879b
JM		 236}
237
238
239static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
240{
56586197 241 int ret = 0;
4ec1fd8e 242#ifdef CONFIG_IEEE80211R_AP
56586197
JM		 243 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
244 ret = 1;
4ec1fd8e 245#endif /* CONFIG_IEEE80211R_AP */
56586197
JM		 246#ifdef CONFIG_IEEE80211W
247 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
248 ret = 1;
249#endif /* CONFIG_IEEE80211W */
a14896e8
JM		 250 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
251 ret = 1;
56586197 252 return ret;
6fc6879b
JM		 253}
254
255
256static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
257{
258 struct wpa_authenticator *wpa_auth = eloop_ctx;
259
3642c431 260 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
6fc6879b
JM		 261 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
262 "initialization.");
263 } else {
264 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
5cb9d5c3
JM		 265 wpa_hexdump_key(MSG_DEBUG, "GMK",
266 wpa_auth->group->GMK, WPA_GMK_LEN);
6fc6879b
JM		 267 }
268
269 if (wpa_auth->conf.wpa_gmk_rekey) {
270 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
271 wpa_rekey_gmk, wpa_auth, NULL);
272 }
273}
274
275
276static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
277{
278 struct wpa_authenticator *wpa_auth = eloop_ctx;
a0ad9e8c 279 struct wpa_group *group, *next;
6fc6879b
JM		 280
281 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
a0ad9e8c
MB		 282 group = wpa_auth->group;
283 while (group) {
284 wpa_group_get(wpa_auth, group);
285
6fc6879b
JM		 286 group->GTKReKey = TRUE;
287 do {
288 group->changed = FALSE;
289 wpa_group_sm_step(wpa_auth, group);
290 } while (group->changed);
a0ad9e8c
MB		 291
292 next = group->next;
293 wpa_group_put(wpa_auth, group);
294 group = next;
6fc6879b
JM		 295 }
296
297 if (wpa_auth->conf.wpa_group_rekey) {
298 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
299 0, wpa_rekey_gtk, wpa_auth, NULL);
300 }
301}
302
303
581a8cde
JM		 304static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
305{
306 struct wpa_authenticator *wpa_auth = eloop_ctx;
307 struct wpa_state_machine *sm = timeout_ctx;
308
309 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
310 wpa_request_new_ptk(sm);
311 wpa_sm_step(sm);
312}
313
314
6fc6879b
JM		 315static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
316{
317 if (sm->pmksa == ctx)
318 sm->pmksa = NULL;
319 return 0;
320}
321
322
323static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
324 void *ctx)
325{
326 struct wpa_authenticator *wpa_auth = ctx;
327 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
328}
329
330
1bdb7ab3
JM		 331static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
332 struct wpa_group *group)
333{
559cdabb 334 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
1bdb7ab3 335 u8 rkey[32];
559cdabb 336 unsigned long ptr;
1bdb7ab3 337
3642c431 338 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
1bdb7ab3
JM		 339 return -1;
340 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
341
342 /*
343 * Counter = PRF-256(Random number, "Init Counter",
344 * Local MAC Address || Time)
345 */
346 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
347 wpa_get_ntp_timestamp(buf + ETH_ALEN);
559cdabb
JM		 348 ptr = (unsigned long) group;
349 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
3642c431 350 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
1bdb7ab3
JM		 351 return -1;
352
353 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
354 group->Counter, WPA_NONCE_LEN) < 0)
355 return -1;
356 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
357 group->Counter, WPA_NONCE_LEN);
358
359 return 0;
360}
361
362
e6965d4e 363static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
bdffdc5d 364 int vlan_id, int delay_init)
e6965d4e
JM		 365{
366 struct wpa_group *group;
e6965d4e
JM		 367
368 group = os_zalloc(sizeof(struct wpa_group));
369 if (group == NULL)
370 return NULL;
371
372 group->GTKAuthenticator = TRUE;
373 group->vlan_id = vlan_id;
c3550295 374 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
6fc6879b 375
08704cd8
JM		 376 if (random_pool_ready() != 1) {
377 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
378 "for secure operations - update keys later when "
379 "the first station connects");
380 }
381
1bdb7ab3
JM		 382 /*
383 * Set initial GMK/Counter value here. The actual values that will be
384 * used in negotiations will be set once the first station tries to
385 * connect. This allows more time for collecting additional randomness
386 * on embedded devices.
6fc6879b 387 */
1bdb7ab3 388 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
6fc6879b
JM		 389 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
390 "initialization.");
391 os_free(group);
392 return NULL;
393 }
6fc6879b
JM		 394
395 group->GInit = TRUE;
bdffdc5d
JM		 396 if (delay_init) {
397 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
398 "until Beacon frames have been configured");
399 /* Initialization is completed in wpa_init_keys(). */
400 } else {
401 wpa_group_sm_step(wpa_auth, group);
402 group->GInit = FALSE;
403 wpa_group_sm_step(wpa_auth, group);
404 }
6fc6879b
JM		 405
406 return group;
407}
408
409
410/**
411 * wpa_init - Initialize WPA authenticator
412 * @addr: Authenticator address
413 * @conf: Configuration for WPA authenticator
a17df5fb 414 * @cb: Callback functions for WPA authenticator
6fc6879b
JM		 415 * Returns: Pointer to WPA authenticator data or %NULL on failure
416 */
417struct wpa_authenticator * wpa_init(const u8 *addr,
418 struct wpa_auth_config *conf,
cef8fac0
JB		 419 const struct wpa_auth_callbacks *cb,
420 void *cb_ctx)
6fc6879b
JM		 421{
422 struct wpa_authenticator *wpa_auth;
423
424 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
425 if (wpa_auth == NULL)
426 return NULL;
427 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
428 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
cef8fac0
JB		 429 wpa_auth->cb = cb;
430 wpa_auth->cb_ctx = cb_ctx;
6fc6879b
JM		 431
432 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
433 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
434 os_free(wpa_auth);
435 return NULL;
436 }
437
bdffdc5d 438 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
6fc6879b
JM		 439 if (wpa_auth->group == NULL) {
440 os_free(wpa_auth->wpa_ie);
441 os_free(wpa_auth);
442 return NULL;
443 }
444
4bb081f1
JM		 445 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
446 wpa_auth);
6fc6879b
JM		 447 if (wpa_auth->pmksa == NULL) {
448 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
27d9701d 449 os_free(wpa_auth->group);
6fc6879b
JM		 450 os_free(wpa_auth->wpa_ie);
451 os_free(wpa_auth);
452 return NULL;
453 }
454
4ec1fd8e 455#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 456 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
457 if (wpa_auth->ft_pmk_cache == NULL) {
458 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
27d9701d 459 os_free(wpa_auth->group);
6fc6879b 460 os_free(wpa_auth->wpa_ie);
4bb081f1 461 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b
JM		 462 os_free(wpa_auth);
463 return NULL;
464 }
4ec1fd8e 465#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 466
467 if (wpa_auth->conf.wpa_gmk_rekey) {
468 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
469 wpa_rekey_gmk, wpa_auth, NULL);
470 }
471
472 if (wpa_auth->conf.wpa_group_rekey) {
473 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
474 wpa_rekey_gtk, wpa_auth, NULL);
475 }
476
25ef8529
JM		 477#ifdef CONFIG_P2P
478 if (WPA_GET_BE32(conf->ip_addr_start)) {
479 int count = WPA_GET_BE32(conf->ip_addr_end) -
480 WPA_GET_BE32(conf->ip_addr_start) + 1;
481 if (count > 1000)
482 count = 1000;
483 if (count > 0)
484 wpa_auth->ip_pool = bitfield_alloc(count);
485 }
486#endif /* CONFIG_P2P */
487
6fc6879b
JM		 488 return wpa_auth;
489}
490
491
bdffdc5d
JM		 492int wpa_init_keys(struct wpa_authenticator *wpa_auth)
493{
494 struct wpa_group *group = wpa_auth->group;
495
496 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
497 "keys");
498 wpa_group_sm_step(wpa_auth, group);
499 group->GInit = FALSE;
500 wpa_group_sm_step(wpa_auth, group);
7d7f7be2
JM		 501 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
502 return -1;
bdffdc5d
JM		 503 return 0;
504}
505
506
6fc6879b
JM		 507/**
508 * wpa_deinit - Deinitialize WPA authenticator
509 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
510 */
511void wpa_deinit(struct wpa_authenticator *wpa_auth)
512{
513 struct wpa_group *group, *prev;
514
515 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
516 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
517
4bb081f1 518 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b 519
4ec1fd8e 520#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 521 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
522 wpa_auth->ft_pmk_cache = NULL;
eefe8630 523 wpa_ft_deinit(wpa_auth);
4ec1fd8e 524#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 525
25ef8529
JM		 526#ifdef CONFIG_P2P
527 bitfield_free(wpa_auth->ip_pool);
528#endif /* CONFIG_P2P */
529
530
6fc6879b
JM		 531 os_free(wpa_auth->wpa_ie);
532
533 group = wpa_auth->group;
534 while (group) {
535 prev = group;
536 group = group->next;
537 os_free(prev);
538 }
539
540 os_free(wpa_auth);
541}
542
543
544/**
545 * wpa_reconfig - Update WPA authenticator configuration
546 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
547 * @conf: Configuration for WPA authenticator
548 */
549int wpa_reconfig(struct wpa_authenticator *wpa_auth,
550 struct wpa_auth_config *conf)
551{
e6965d4e 552 struct wpa_group *group;
6fc6879b
JM		 553 if (wpa_auth == NULL)
554 return 0;
555
556 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
ad08c363
JM		 557 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
558 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
559 return -1;
560 }
561
e6965d4e
JM		 562 /*
563 * Reinitialize GTK to make sure it is suitable for the new
564 * configuration.
565 */
566 group = wpa_auth->group;
c3550295 567 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
e6965d4e
JM		 568 group->GInit = TRUE;
569 wpa_group_sm_step(wpa_auth, group);
570 group->GInit = FALSE;
571 wpa_group_sm_step(wpa_auth, group);
572
6fc6879b
JM		 573 return 0;
574}
575
576
577struct wpa_state_machine *
94ddef3e
JM		 578wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
579 const u8 *p2p_dev_addr)
6fc6879b
JM		 580{
581 struct wpa_state_machine *sm;
582
7d7f7be2
JM		 583 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
584 return NULL;
585
6fc6879b
JM		 586 sm = os_zalloc(sizeof(struct wpa_state_machine));
587 if (sm == NULL)
588 return NULL;
589 os_memcpy(sm->addr, addr, ETH_ALEN);
94ddef3e
JM		 590 if (p2p_dev_addr)
591 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
6fc6879b
JM		 592
593 sm->wpa_auth = wpa_auth;
594 sm->group = wpa_auth->group;
a0ad9e8c 595 wpa_group_get(sm->wpa_auth, sm->group);
6fc6879b
JM		 596
597 return sm;
598}
599
600
6f9b5d16
JM		 601int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
602 struct wpa_state_machine *sm)
6fc6879b
JM		 603{
604 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
6f9b5d16 605 return -1;
6fc6879b 606
4ec1fd8e 607#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 608 if (sm->ft_completed) {
609 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
610 "FT authentication already completed - do not "
611 "start 4-way handshake");
3d4d2348
JM		 612 /* Go to PTKINITDONE state to allow GTK rekeying */
613 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 614 sm->Pair = TRUE;
6f9b5d16 615 return 0;
6fc6879b 616 }
4ec1fd8e 617#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 618
07e0117d
JM		 619#ifdef CONFIG_FILS
620 if (sm->fils_completed) {
621 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
622 "FILS authentication already completed - do not start 4-way handshake");
623 /* Go to PTKINITDONE state to allow GTK rekeying */
624 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 625 sm->Pair = TRUE;
07e0117d
JM		 626 return 0;
627 }
628#endif /* CONFIG_FILS */
629
6fc6879b 630 if (sm->started) {
22a299ee 631 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
6fc6879b 632 sm->ReAuthenticationRequest = TRUE;
6f9b5d16 633 return wpa_sm_step(sm);
6fc6879b
JM		 634 }
635
636 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
637 "start authentication");
638 sm->started = 1;
639
640 sm->Init = TRUE;
e4a6ea1d 641 if (wpa_sm_step(sm) == 1)
6f9b5d16 642 return 1; /* should not really happen */
6fc6879b
JM		 643 sm->Init = FALSE;
644 sm->AuthenticationRequest = TRUE;
6f9b5d16 645 return wpa_sm_step(sm);
6fc6879b
JM		 646}
647
648
a8d05fca
JM		 649void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
650{
651 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
652 * reassociates back to the same AP while the previous entry for the
653 * STA has not yet been removed. */
654 if (sm == NULL)
655 return;
656
657 sm->wpa_key_mgmt = 0;
658}
659
660
6fc6879b
JM		 661static void wpa_free_sta_sm(struct wpa_state_machine *sm)
662{
25ef8529
JM		 663#ifdef CONFIG_P2P
664 if (WPA_GET_BE32(sm->ip_addr)) {
665 u32 start;
666 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
667 "address %u.%u.%u.%u from " MACSTR,
668 sm->ip_addr[0], sm->ip_addr[1],
669 sm->ip_addr[2], sm->ip_addr[3],
670 MAC2STR(sm->addr));
671 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
672 bitfield_clear(sm->wpa_auth->ip_pool,
673 WPA_GET_BE32(sm->ip_addr) - start);
674 }
675#endif /* CONFIG_P2P */
2ade8ef2
JM		 676 if (sm->GUpdateStationKeys) {
677 sm->group->GKeyDoneStations--;
678 sm->GUpdateStationKeys = FALSE;
679 }
4ec1fd8e 680#ifdef CONFIG_IEEE80211R_AP
0f857f43 681 os_free(sm->assoc_resp_ftie);
692ec305 682 wpabuf_free(sm->ft_pending_req_ies);
4ec1fd8e 683#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 684 os_free(sm->last_rx_eapol_key);
685 os_free(sm->wpa_ie);
a0ad9e8c 686 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b
JM		 687 os_free(sm);
688}
689
690
691void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
692{
693 if (sm == NULL)
694 return;
695
696 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
697 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
698 "strict rekeying - force GTK rekey since STA "
699 "is leaving");
700 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
701 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
702 NULL);
703 }
704
705 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
e4bf4db9 706 sm->pending_1_of_4_timeout = 0;
6fc6879b 707 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
581a8cde 708 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
3a46cf93
MB		 709#ifdef CONFIG_IEEE80211R_AP
710 wpa_ft_sta_deinit(sm);
711#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 712 if (sm->in_step_loop) {
713 /* Must not free state machine while wpa_sm_step() is running.
714 * Freeing will be completed in the end of wpa_sm_step(). */
715 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
716 "machine deinit for " MACSTR, MAC2STR(sm->addr));
717 sm->pending_deinit = 1;
718 } else
719 wpa_free_sta_sm(sm);
720}
721
722
723static void wpa_request_new_ptk(struct wpa_state_machine *sm)
724{
725 if (sm == NULL)
726 return;
727
728 sm->PTKRequest = TRUE;
729 sm->PTK_valid = 0;
730}
731
732
68921e24 733static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
22a299ee
JM		 734 const u8 *replay_counter)
735{
736 int i;
737 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
68921e24 738 if (!ctr[i].valid)
22a299ee 739 break;
68921e24 740 if (os_memcmp(replay_counter, ctr[i].counter,
22a299ee
JM		 741 WPA_REPLAY_COUNTER_LEN) == 0)
742 return 1;
743 }
744 return 0;
745}
746
747
68921e24
JM		 748static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
749 const u8 *replay_counter)
750{
751 int i;
752 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
753 if (ctr[i].valid &&
754 (replay_counter == NULL ||
755 os_memcmp(replay_counter, ctr[i].counter,
756 WPA_REPLAY_COUNTER_LEN) == 0))
757 ctr[i].valid = FALSE;
758 }
759}
760
761
4ec1fd8e 762#ifdef CONFIG_IEEE80211R_AP
0f857f43
JM		 763static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
764 struct wpa_state_machine *sm,
765 struct wpa_eapol_ie_parse *kde)
766{
767 struct wpa_ie_data ie;
768 struct rsn_mdie *mdie;
769
770 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
771 ie.num_pmkid != 1 || ie.pmkid == NULL) {
772 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
773 "FT 4-way handshake message 2/4");
774 return -1;
775 }
776
777 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
778 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
779 sm->sup_pmk_r1_name, PMKID_LEN);
780
781 if (!kde->mdie || !kde->ftie) {
782 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
783 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
784 return -1;
785 }
786
787 mdie = (struct rsn_mdie *) (kde->mdie + 2);
788 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
789 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
790 MOBILITY_DOMAIN_ID_LEN) != 0) {
791 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
792 return -1;
793 }
794
795 if (sm->assoc_resp_ftie &&
796 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
797 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
798 2 + sm->assoc_resp_ftie[1]) != 0)) {
799 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
800 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
801 kde->ftie, kde->ftie_len);
802 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
803 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
804 return -1;
805 }
806
807 return 0;
808}
4ec1fd8e 809#endif /* CONFIG_IEEE80211R_AP */
0f857f43
JM		 810
811
c772d054
JM		 812static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
813 struct wpa_state_machine *sm, int group)
ec027805
JM		 814{
815 /* Supplicant reported a Michael MIC error */
816 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
817 "received EAPOL-Key Error Request "
818 "(STA detected Michael MIC failure (group=%d))",
819 group);
fbc72d32
JM		 820
821 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
822 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
823 "ignore Michael MIC failure report since "
824 "group cipher is not TKIP");
825 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
826 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
827 "ignore Michael MIC failure report since "
828 "pairwise cipher is not TKIP");
829 } else {
c772d054
JM		 830 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
831 return 1; /* STA entry was removed */
fbc72d32
JM		 832 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
833 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
834 }
ec027805
JM		 835
836 /*
837 * Error report is not a request for a new key handshake, but since
838 * Authenticator may do it, let's change the keys now anyway.
839 */
840 wpa_request_new_ptk(sm);
c772d054 841 return 0;
ec027805
JM		 842}
843
844
f23c5b17
JM		 845static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
846 size_t data_len)
847{
848 struct wpa_ptk PTK;
849 int ok = 0;
850 const u8 *pmk = NULL;
207976f0 851 unsigned int pmk_len;
f23c5b17 852
b729fd8d 853 os_memset(&PTK, 0, sizeof(PTK));
f23c5b17
JM		 854 for (;;) {
855 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
856 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
857 sm->p2p_dev_addr, pmk);
858 if (pmk == NULL)
859 break;
207976f0
JM		 860 pmk_len = PMK_LEN;
861 } else {
f23c5b17 862 pmk = sm->PMK;
207976f0
JM		 863 pmk_len = sm->pmk_len;
864 }
f23c5b17 865
364c064a
JM		 866 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0)
867 break;
f23c5b17
JM		 868
869 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, data, data_len)
870 == 0) {
871 ok = 1;
872 break;
873 }
874
875 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
876 break;
877 }
878
879 if (!ok) {
880 wpa_printf(MSG_DEBUG,
881 "WPA: Earlier SNonce did not result in matching MIC");
882 return -1;
883 }
884
885 wpa_printf(MSG_DEBUG,
886 "WPA: Earlier SNonce resulted in matching MIC");
887 sm->alt_snonce_valid = 0;
888 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
889 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
890 sm->PTK_valid = TRUE;
891
892 return 0;
893}
894
895
6fc6879b
JM		 896void wpa_receive(struct wpa_authenticator *wpa_auth,
897 struct wpa_state_machine *sm,
898 u8 *data, size_t data_len)
899{
900 struct ieee802_1x_hdr *hdr;
901 struct wpa_eapol_key *key;
902 u16 key_info, key_data_length;
903 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
904 SMK_M1, SMK_M3, SMK_ERROR } msg;
905 char *msgtxt;
906 struct wpa_eapol_ie_parse kde;
3b5b7aa8
JM		 907 const u8 *key_data;
908 size_t keyhdrlen, mic_len;
6d014ffc 909 u8 *mic;
6fc6879b
JM		 910
911 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
912 return;
dc5bad48 913 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
6fc6879b 914
5e3b5197 915 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
6d014ffc 916 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197 917
dc5bad48
JM		 918 if (data_len < sizeof(*hdr) + keyhdrlen) {
919 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
6fc6879b 920 return;
dc5bad48 921 }
6fc6879b
JM		 922
923 hdr = (struct ieee802_1x_hdr *) data;
924 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 925 mic = (u8 *) (key + 1);
6fc6879b 926 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 927 key_data = mic + mic_len + 2;
928 key_data_length = WPA_GET_BE16(mic + mic_len);
0d442aff 929 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
dc5bad48
JM		 930 " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
931 MAC2STR(sm->addr), key_info, key->type,
932 (unsigned int) mic_len, key_data_length);
933 wpa_hexdump(MSG_MSGDUMP,
934 "WPA: EAPOL-Key header (ending before Key MIC)",
935 key, sizeof(*key));
936 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
937 mic, mic_len);
5e3b5197 938 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
6fc6879b
JM		 939 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
940 "key_data overflow (%d > %lu)",
941 key_data_length,
942 (unsigned long) (data_len - sizeof(*hdr) -
5e3b5197 943 keyhdrlen));
6fc6879b
JM		 944 return;
945 }
946
f8e96eb6 947 if (sm->wpa == WPA_VERSION_WPA2) {
74590e71
JM		 948 if (key->type == EAPOL_KEY_TYPE_WPA) {
949 /*
950 * Some deployed station implementations seem to send
951 * msg 4/4 with incorrect type value in WPA2 mode.
952 */
953 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
954 "with unexpected WPA type in RSN mode");
955 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
f8e96eb6
JM		 956 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
957 "unexpected type %d in RSN mode",
958 key->type);
959 return;
960 }
961 } else {
962 if (key->type != EAPOL_KEY_TYPE_WPA) {
963 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
964 "unexpected type %d in WPA mode",
965 key->type);
966 return;
967 }
968 }
969
bc8318ac
JM		 970 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
971 WPA_NONCE_LEN);
972 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
973 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
974
6fc6879b
JM		 975 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
976 * are set */
977
978 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
979 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
980 if (key_info & WPA_KEY_INFO_ERROR) {
981 msg = SMK_ERROR;
982 msgtxt = "SMK Error";
983 } else {
984 msg = SMK_M1;
985 msgtxt = "SMK M1";
986 }
987 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
988 msg = SMK_M3;
989 msgtxt = "SMK M3";
990 } else if (key_info & WPA_KEY_INFO_REQUEST) {
991 msg = REQUEST;
992 msgtxt = "Request";
993 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
994 msg = GROUP_2;
995 msgtxt = "2/2 Group";
3b5b7aa8
JM		 996 } else if (key_data_length == 0 ||
997 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
998 key_data_length == AES_BLOCK_SIZE)) {
6fc6879b
JM		 999 msg = PAIRWISE_4;
1000 msgtxt = "4/4 Pairwise";
1001 } else {
1002 msg = PAIRWISE_2;
1003 msgtxt = "2/4 Pairwise";
1004 }
1005
1006 /* TODO: key_info type validation for PeerKey */
1007 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1008 msg == GROUP_2) {
1009 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
eb7719ff
JM		 1010 if (sm->pairwise == WPA_CIPHER_CCMP ||
1011 sm->pairwise == WPA_CIPHER_GCMP) {
6fc6879b 1012 if (wpa_use_aes_cmac(sm) &&
a14896e8 1013 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
929a2ea5 1014 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
b9866483 1015 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1016 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1017 wpa_auth_logger(wpa_auth, sm->addr,
1018 LOGGER_WARNING,
1019 "advertised support for "
1020 "AES-128-CMAC, but did not "
1021 "use it");
1022 return;
1023 }
1024
1025 if (!wpa_use_aes_cmac(sm) &&
2449791b 1026 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
07a5fe82 1027 sm->wpa_key_mgmt != WPA_KEY_MGMT_OWE &&
6fc6879b
JM		 1028 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1029 wpa_auth_logger(wpa_auth, sm->addr,
1030 LOGGER_WARNING,
1031 "did not use HMAC-SHA1-AES "
eb7719ff 1032 "with CCMP/GCMP");
6fc6879b
JM		 1033 return;
1034 }
1035 }
929a2ea5 1036
2449791b 1037 if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
07a5fe82
JM		 1038 wpa_key_mgmt_fils(sm->wpa_key_mgmt) ||
1039 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) &&
929a2ea5
JM		 1040 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1041 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1042 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1043 return;
1044 }
6fc6879b
JM		 1045 }
1046
1047 if (key_info & WPA_KEY_INFO_REQUEST) {
1048 if (sm->req_replay_counter_used &&
1049 os_memcmp(key->replay_counter, sm->req_replay_counter,
1050 WPA_REPLAY_COUNTER_LEN) <= 0) {
1051 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1052 "received EAPOL-Key request with "
1053 "replayed counter");
1054 return;
1055 }
1056 }
1057
1058 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
68921e24 1059 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
22a299ee 1060 int i;
68921e24
JM		 1061
1062 if (msg == PAIRWISE_2 &&
1063 wpa_replay_counter_valid(sm->prev_key_replay,
1064 key->replay_counter) &&
1065 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1066 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1067 {
1068 /*
1069 * Some supplicant implementations (e.g., Windows XP
1070 * WZC) update SNonce for each EAPOL-Key 2/4. This
1071 * breaks the workaround on accepting any of the
1072 * pending requests, so allow the SNonce to be updated
1073 * even if we have already sent out EAPOL-Key 3/4.
1074 */
1075 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1076 "Process SNonce update from STA "
1077 "based on retransmitted EAPOL-Key "
1078 "1/4");
1079 sm->update_snonce = 1;
f23c5b17
JM		 1080 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1081 sm->alt_snonce_valid = TRUE;
1082 os_memcpy(sm->alt_replay_counter,
1083 sm->key_replay[0].counter,
1084 WPA_REPLAY_COUNTER_LEN);
1085 goto continue_processing;
1086 }
1087
1088 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1089 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1090 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1091 WPA_REPLAY_COUNTER_LEN) == 0) {
1092 /*
1093 * Supplicant may still be using the old SNonce since
1094 * there was two EAPOL-Key 2/4 messages and they had
1095 * different SNonce values.
1096 */
1097 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1098 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
68921e24
JM		 1099 goto continue_processing;
1100 }
1101
1102 if (msg == PAIRWISE_2 &&
1103 wpa_replay_counter_valid(sm->prev_key_replay,
1104 key->replay_counter) &&
1105 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1106 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1107 "ignore retransmitted EAPOL-Key %s - "
1108 "SNonce did not change", msgtxt);
1109 } else {
1110 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1111 "received EAPOL-Key %s with "
1112 "unexpected replay counter", msgtxt);
1113 }
22a299ee
JM		 1114 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1115 if (!sm->key_replay[i].valid)
1116 break;
1117 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1118 sm->key_replay[i].counter,
1119 WPA_REPLAY_COUNTER_LEN);
1120 }
6fc6879b
JM		 1121 wpa_hexdump(MSG_DEBUG, "received replay counter",
1122 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1123 return;
1124 }
1125
68921e24 1126continue_processing:
3b5b7aa8
JM		 1127#ifdef CONFIG_FILS
1128 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1129 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1130 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1131 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1132 return;
1133 }
1134#endif /* CONFIG_FILS */
1135
6fc6879b
JM		 1136 switch (msg) {
1137 case PAIRWISE_2:
1138 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
68921e24
JM		 1139 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1140 (!sm->update_snonce ||
1141 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
6fc6879b
JM		 1142 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1143 "received EAPOL-Key msg 2/4 in "
1144 "invalid state (%d) - dropped",
1145 sm->wpa_ptk_state);
1146 return;
1147 }
bbb921da 1148 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
08704cd8
JM		 1149 if (sm->group->reject_4way_hs_for_entropy) {
1150 /*
1151 * The system did not have enough entropy to generate
1152 * strong random numbers. Reject the first 4-way
1153 * handshake(s) and collect some entropy based on the
1154 * information from it. Once enough entropy is
1155 * available, the next atempt will trigger GMK/Key
1156 * Counter update and the station will be allowed to
1157 * continue.
1158 */
1159 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1160 "collect more entropy for random number "
1161 "generation");
08704cd8 1162 random_mark_pool_ready();
08704cd8
JM		 1163 wpa_sta_disconnect(wpa_auth, sm->addr);
1164 return;
1165 }
6fc6879b
JM		 1166 break;
1167 case PAIRWISE_4:
1168 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1169 !sm->PTK_valid) {
1170 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1171 "received EAPOL-Key msg 4/4 in "
1172 "invalid state (%d) - dropped",
1173 sm->wpa_ptk_state);
1174 return;
1175 }
1176 break;
1177 case GROUP_2:
1178 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1179 || !sm->PTK_valid) {
1180 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1181 "received EAPOL-Key msg 2/2 in "
1182 "invalid state (%d) - dropped",
1183 sm->wpa_ptk_group_state);
1184 return;
1185 }
1186 break;
1187#ifdef CONFIG_PEERKEY
1188 case SMK_M1:
1189 case SMK_M3:
1190 case SMK_ERROR:
1191 if (!wpa_auth->conf.peerkey) {
1192 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1193 "PeerKey use disabled - ignoring message");
1194 return;
1195 }
1196 if (!sm->PTK_valid) {
1197 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1198 "received EAPOL-Key msg SMK in "
1199 "invalid state - dropped");
1200 return;
1201 }
1202 break;
1203#else /* CONFIG_PEERKEY */
1204 case SMK_M1:
1205 case SMK_M3:
1206 case SMK_ERROR:
1207 return; /* STSL disabled - ignore SMK messages */
1208#endif /* CONFIG_PEERKEY */
1209 case REQUEST:
1210 break;
1211 }
1212
1213 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1214 "received EAPOL-Key frame (%s)", msgtxt);
1215
1216 if (key_info & WPA_KEY_INFO_ACK) {
1217 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1218 "received invalid EAPOL-Key: Key Ack set");
1219 return;
1220 }
1221
b9866483
JM		 1222 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1223 !(key_info & WPA_KEY_INFO_MIC)) {
6fc6879b
JM		 1224 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1225 "received invalid EAPOL-Key: Key MIC not set");
1226 return;
1227 }
1228
b9866483
JM		 1229#ifdef CONFIG_FILS
1230 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1231 (key_info & WPA_KEY_INFO_MIC)) {
1232 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1233 "received invalid EAPOL-Key: Key MIC set");
1234 return;
1235 }
1236#endif /* CONFIG_FILS */
1237
6fc6879b 1238 sm->MICVerified = FALSE;
68921e24 1239 if (sm->PTK_valid && !sm->update_snonce) {
3b5b7aa8
JM		 1240 if (mic_len &&
1241 wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data,
f23c5b17
JM		 1242 data_len) &&
1243 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1244 wpa_try_alt_snonce(sm, data, data_len))) {
6fc6879b
JM		 1245 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1246 "received EAPOL-Key with invalid MIC");
1247 return;
1248 }
75c8563e
JM		 1249#ifdef CONFIG_FILS
1250 if (!mic_len &&
1251 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1252 &key_data_length) < 0) {
1253 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1254 "received EAPOL-Key with invalid MIC");
1255 return;
1256 }
1257#endif /* CONFIG_FILS */
6fc6879b
JM		 1258 sm->MICVerified = TRUE;
1259 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
e4bf4db9 1260 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1261 }
1262
1263 if (key_info & WPA_KEY_INFO_REQUEST) {
1264 if (sm->MICVerified) {
1265 sm->req_replay_counter_used = 1;
1266 os_memcpy(sm->req_replay_counter, key->replay_counter,
1267 WPA_REPLAY_COUNTER_LEN);
1268 } else {
1269 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1270 "received EAPOL-Key request with "
1271 "invalid MIC");
1272 return;
1273 }
1274
1275 /*
1276 * TODO: should decrypt key data field if encryption was used;
1277 * even though MAC address KDE is not normally encrypted,
1278 * supplicant is allowed to encrypt it.
1279 */
1280 if (msg == SMK_ERROR) {
1281#ifdef CONFIG_PEERKEY
5e3b5197 1282 wpa_smk_error(wpa_auth, sm, key_data, key_data_length);
6fc6879b
JM		 1283#endif /* CONFIG_PEERKEY */
1284 return;
1285 } else if (key_info & WPA_KEY_INFO_ERROR) {
c772d054
JM		 1286 if (wpa_receive_error_report(
1287 wpa_auth, sm,
1288 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1289 return; /* STA entry was removed */
6fc6879b
JM		 1290 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1291 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1292 "received EAPOL-Key Request for new "
1293 "4-Way Handshake");
1294 wpa_request_new_ptk(sm);
1295#ifdef CONFIG_PEERKEY
1296 } else if (msg == SMK_M1) {
5e3b5197 1297 wpa_smk_m1(wpa_auth, sm, key, key_data,
5c6787a6 1298 key_data_length);
6fc6879b
JM		 1299#endif /* CONFIG_PEERKEY */
1300 } else if (key_data_length > 0 &&
5e3b5197
JM		 1301 wpa_parse_kde_ies(key_data, key_data_length,
1302 &kde) == 0 &&
6fc6879b
JM		 1303 kde.mac_addr) {
1304 } else {
1305 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1306 "received EAPOL-Key Request for GTK "
1307 "rekeying");
6fc6879b
JM		 1308 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1309 wpa_rekey_gtk(wpa_auth, NULL);
1310 }
1311 } else {
68921e24
JM		 1312 /* Do not allow the same key replay counter to be reused. */
1313 wpa_replay_counter_mark_invalid(sm->key_replay,
1314 key->replay_counter);
1315
1316 if (msg == PAIRWISE_2) {
1317 /*
1318 * Maintain a copy of the pending EAPOL-Key frames in
1319 * case the EAPOL-Key frame was retransmitted. This is
1320 * needed to allow EAPOL-Key msg 2/4 reply to another
1321 * pending msg 1/4 to update the SNonce to work around
1322 * unexpected supplicant behavior.
1323 */
1324 os_memcpy(sm->prev_key_replay, sm->key_replay,
1325 sizeof(sm->key_replay));
1326 } else {
1327 os_memset(sm->prev_key_replay, 0,
1328 sizeof(sm->prev_key_replay));
1329 }
1330
1331 /*
1332 * Make sure old valid counters are not accepted anymore and
1333 * do not get copied again.
1334 */
1335 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
6fc6879b
JM		 1336 }
1337
1338#ifdef CONFIG_PEERKEY
1339 if (msg == SMK_M3) {
5e3b5197 1340 wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length);
6fc6879b
JM		 1341 return;
1342 }
1343#endif /* CONFIG_PEERKEY */
1344
1345 os_free(sm->last_rx_eapol_key);
a1f11e34 1346 sm->last_rx_eapol_key = os_memdup(data, data_len);
6fc6879b
JM		 1347 if (sm->last_rx_eapol_key == NULL)
1348 return;
6fc6879b
JM		 1349 sm->last_rx_eapol_key_len = data_len;
1350
0d442aff 1351 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
6fc6879b
JM		 1352 sm->EAPOLKeyReceived = TRUE;
1353 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1354 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1355 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1356 wpa_sm_step(sm);
1357}
1358
1359
3c7302c2
JM		 1360static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1361 const u8 *gnonce, u8 *gtk, size_t gtk_len)
6fc6879b 1362{
5cb9d5c3
JM		 1363 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1364 u8 *pos;
3c7302c2 1365 int ret = 0;
6fc6879b 1366
5cb9d5c3
JM		 1367 /* GTK = PRF-X(GMK, "Group key expansion",
1368 * AA || GNonce || Time || random data)
1369 * The example described in the IEEE 802.11 standard uses only AA and
1370 * GNonce as inputs here. Add some more entropy since this derivation
1371 * is done only at the Authenticator and as such, does not need to be
1372 * exactly same.
1373 */
6fc6879b
JM		 1374 os_memcpy(data, addr, ETH_ALEN);
1375 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
5cb9d5c3
JM		 1376 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1377 wpa_get_ntp_timestamp(pos);
1378 pos += 8;
3642c431 1379 if (random_get_bytes(pos, 16) < 0)
3c7302c2 1380 ret = -1;
6fc6879b 1381
56586197 1382#ifdef CONFIG_IEEE80211W
5cb9d5c3 1383 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
56586197 1384#else /* CONFIG_IEEE80211W */
3c7302c2
JM		 1385 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1386 < 0)
1387 ret = -1;
56586197 1388#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 1389
1390 return ret;
6fc6879b
JM		 1391}
1392
1393
1394static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1395{
1396 struct wpa_authenticator *wpa_auth = eloop_ctx;
1397 struct wpa_state_machine *sm = timeout_ctx;
1398
e4bf4db9 1399 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1400 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1401 sm->TimeoutEvt = TRUE;
1402 wpa_sm_step(sm);
1403}
1404
1405
1406void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1407 struct wpa_state_machine *sm, int key_info,
1408 const u8 *key_rsc, const u8 *nonce,
1409 const u8 *kde, size_t kde_len,
1410 int keyidx, int encr, int force_version)
1411{
1412 struct ieee802_1x_hdr *hdr;
1413 struct wpa_eapol_key *key;
5e3b5197 1414 size_t len, mic_len, keyhdrlen;
6fc6879b
JM		 1415 int alg;
1416 int key_data_len, pad_len = 0;
1417 u8 *buf, *pos;
1418 int version, pairwise;
22a299ee 1419 int i;
6d014ffc 1420 u8 *key_mic, *key_data;
6fc6879b 1421
5e3b5197 1422 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
6d014ffc 1423 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197
JM		 1424
1425 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
6fc6879b
JM		 1426
1427 if (force_version)
1428 version = force_version;
929a2ea5 1429 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
07a5fe82 1430 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
36a50fd4
JM		 1431 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1432 wpa_key_mgmt_fils(sm->wpa_key_mgmt))
a14896e8 1433 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
6fc6879b
JM		 1434 else if (wpa_use_aes_cmac(sm))
1435 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
eb7719ff 1436 else if (sm->pairwise != WPA_CIPHER_TKIP)
6fc6879b
JM		 1437 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1438 else
1439 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1440
8543ed8a 1441 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
6fc6879b
JM		 1442
1443 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1444 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1445 "encr=%d)",
1446 version,
1447 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1448 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1449 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1450 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1451 pairwise, (unsigned long) kde_len, keyidx, encr);
1452
1453 key_data_len = kde_len;
1454
1455 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
07a5fe82 1456 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
a14896e8 1457 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
929a2ea5 1458 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
6fc6879b
JM		 1459 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1460 pad_len = key_data_len % 8;
1461 if (pad_len)
1462 pad_len = 8 - pad_len;
1463 key_data_len += pad_len + 8;
1464 }
1465
1466 len += key_data_len;
b729fd8d
JM		 1467 if (!mic_len && encr)
1468 len += AES_BLOCK_SIZE;
6fc6879b
JM		 1469
1470 hdr = os_zalloc(len);
1471 if (hdr == NULL)
1472 return;
1473 hdr->version = wpa_auth->conf.eapol_version;
1474 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1475 hdr->length = host_to_be16(len - sizeof(*hdr));
1476 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1477 key_mic = (u8 *) (key + 1);
5e3b5197 1478 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
6fc6879b
JM		 1479
1480 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1481 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1482 key_info |= version;
1483 if (encr && sm->wpa == WPA_VERSION_WPA2)
1484 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1485 if (sm->wpa != WPA_VERSION_WPA2)
1486 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1487 WPA_PUT_BE16(key->key_info, key_info);
1488
1489 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
caab23f1
JM		 1490 if ((key_info & WPA_KEY_INFO_SMK_MESSAGE) ||
1491 (sm->wpa == WPA_VERSION_WPA2 && !pairwise))
6fc6879b 1492 WPA_PUT_BE16(key->key_length, 0);
caab23f1
JM		 1493 else
1494 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
6fc6879b
JM		 1495
1496 /* FIX: STSL: what to use as key_replay_counter? */
22a299ee
JM		 1497 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1498 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1499 os_memcpy(sm->key_replay[i].counter,
1500 sm->key_replay[i - 1].counter,
1501 WPA_REPLAY_COUNTER_LEN);
1502 }
1503 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1504 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
6fc6879b 1505 WPA_REPLAY_COUNTER_LEN);
db099951
JM		 1506 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1507 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
22a299ee 1508 sm->key_replay[0].valid = TRUE;
6fc6879b
JM		 1509
1510 if (nonce)
1511 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1512
1513 if (key_rsc)
1514 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1515
1516 if (kde && !encr) {
5e3b5197 1517 os_memcpy(key_data, kde, kde_len);
6d014ffc 1518 WPA_PUT_BE16(key_mic + mic_len, kde_len);
b729fd8d
JM		 1519#ifdef CONFIG_FILS
1520 } else if (!mic_len) {
1521 const u8 *aad[1];
1522 size_t aad_len[1];
1523
1524 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1525 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1526 kde, kde_len);
1527
1528 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1529 sm->PTK.kek, sm->PTK.kek_len);
1530 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1531 * to Key Data (exclusive). */
1532 aad[0] = (u8 *) hdr;
1533 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1534 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1535 1, aad, aad_len, key_mic + 2) < 0) {
1536 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1537 return;
1538 }
1539
1540 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1541 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1542#endif /* CONFIG_FILS */
6fc6879b
JM		 1543 } else if (encr && kde) {
1544 buf = os_zalloc(key_data_len);
1545 if (buf == NULL) {
1546 os_free(hdr);
1547 return;
1548 }
1549 pos = buf;
1550 os_memcpy(pos, kde, kde_len);
1551 pos += kde_len;
1552
1553 if (pad_len)
1554 *pos++ = 0xdd;
1555
1556 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1557 buf, key_data_len);
1558 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
07a5fe82 1559 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
a14896e8 1560 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
929a2ea5 1561 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
6fc6879b 1562 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
ef9627cb
JM		 1563 wpa_printf(MSG_DEBUG,
1564 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)",
1565 (unsigned int) sm->PTK.kek_len);
98cd3d1c 1566 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
5e3b5197 1567 (key_data_len - 8) / 8, buf, key_data)) {
6fc6879b
JM		 1568 os_free(hdr);
1569 os_free(buf);
1570 return;
1571 }
6d014ffc 1572 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1573#ifndef CONFIG_NO_RC4
98cd3d1c 1574 } else if (sm->PTK.kek_len == 16) {
6fc6879b 1575 u8 ek[32];
ef9627cb
JM		 1576
1577 wpa_printf(MSG_DEBUG,
1578 "WPA: Encrypt Key Data using RC4");
6fc6879b
JM		 1579 os_memcpy(key->key_iv,
1580 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1581 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1582 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1583 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
5e3b5197
JM		 1584 os_memcpy(key_data, buf, key_data_len);
1585 rc4_skip(ek, 32, 256, key_data, key_data_len);
6d014ffc 1586 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1587#endif /* CONFIG_NO_RC4 */
98cd3d1c
JM		 1588 } else {
1589 os_free(hdr);
1590 os_free(buf);
1591 return;
6fc6879b
JM		 1592 }
1593 os_free(buf);
1594 }
1595
1596 if (key_info & WPA_KEY_INFO_MIC) {
b729fd8d 1597 if (!sm->PTK_valid || !mic_len) {
6fc6879b
JM		 1598 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1599 "PTK not valid when sending EAPOL-Key "
1600 "frame");
1601 os_free(hdr);
1602 return;
1603 }
5e3b5197 1604
98cd3d1c
JM		 1605 wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1606 sm->wpa_key_mgmt, version,
5e3b5197 1607 (u8 *) hdr, len, key_mic);
7af092a0
JB		 1608#ifdef CONFIG_TESTING_OPTIONS
1609 if (!pairwise &&
06df2aa6 1610 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
7af092a0
JB		 1611 drand48() <
1612 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1613 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1614 "Corrupting group EAPOL-Key Key MIC");
5e3b5197 1615 key_mic[0]++;
7af092a0
JB		 1616 }
1617#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 1618 }
1619
1620 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1621 1);
1622 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1623 sm->pairwise_set);
1624 os_free(hdr);
1625}
1626
1627
1628static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1629 struct wpa_state_machine *sm, int key_info,
1630 const u8 *key_rsc, const u8 *nonce,
1631 const u8 *kde, size_t kde_len,
1632 int keyidx, int encr)
1633{
1634 int timeout_ms;
1635 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
41f140d3 1636 u32 ctr;
6fc6879b
JM		 1637
1638 if (sm == NULL)
1639 return;
1640
1641 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1642 keyidx, encr, 0);
1643
bae61562 1644 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
e4bf4db9 1645 if (ctr == 1 && wpa_auth->conf.tx_status)
00338a4f
JM		 1646 timeout_ms = pairwise ? eapol_key_timeout_first :
1647 eapol_key_timeout_first_group;
bae61562
JM		 1648 else
1649 timeout_ms = eapol_key_timeout_subseq;
e4bf4db9
JM		 1650 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1651 sm->pending_1_of_4_timeout = 1;
1652 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
41f140d3 1653 "counter %u)", timeout_ms, ctr);
6fc6879b
JM		 1654 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1655 wpa_send_eapol_timeout, wpa_auth, sm);
1656}
1657
1658
929a2ea5
JM		 1659static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
1660 size_t data_len)
6fc6879b
JM		 1661{
1662 struct ieee802_1x_hdr *hdr;
1663 struct wpa_eapol_key *key;
1664 u16 key_info;
1665 int ret = 0;
6d014ffc 1666 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
5e3b5197 1667 size_t mic_len = wpa_mic_len(akmp);
6fc6879b
JM		 1668
1669 if (data_len < sizeof(*hdr) + sizeof(*key))
1670 return -1;
1671
1672 hdr = (struct ieee802_1x_hdr *) data;
1673 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1674 mic_pos = (u8 *) (key + 1);
6fc6879b 1675 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 1676 os_memcpy(mic, mic_pos, mic_len);
1677 os_memset(mic_pos, 0, mic_len);
98cd3d1c
JM		 1678 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1679 key_info & WPA_KEY_INFO_TYPE_MASK,
6d014ffc
JM		 1680 data, data_len, mic_pos) ||
1681 os_memcmp_const(mic, mic_pos, mic_len) != 0)
6fc6879b 1682 ret = -1;
6d014ffc 1683 os_memcpy(mic_pos, mic, mic_len);
6fc6879b
JM		 1684 return ret;
1685}
1686
1687
1688void wpa_remove_ptk(struct wpa_state_machine *sm)
1689{
1690 sm->PTK_valid = FALSE;
1691 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2a0b86d3
JM		 1692 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1693 0))
1694 wpa_printf(MSG_DEBUG,
1695 "RSN: PTK removal from the driver failed");
6fc6879b 1696 sm->pairwise_set = FALSE;
581a8cde 1697 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 1698}
1699
1700
bb119228 1701int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
6fc6879b 1702{
5d22a1d5
JM		 1703 int remove_ptk = 1;
1704
6fc6879b 1705 if (sm == NULL)
6f9b5d16 1706 return -1;
6fc6879b
JM		 1707
1708 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1709 "event %d notification", event);
1710
1711 switch (event) {
1712 case WPA_AUTH:
c50d94f1
BC		 1713#ifdef CONFIG_MESH
1714 /* PTKs are derived through AMPE */
1715 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1716 /* not mesh */
1717 break;
1718 }
1719 return 0;
1720#endif /* CONFIG_MESH */
6fc6879b
JM		 1721 case WPA_ASSOC:
1722 break;
1723 case WPA_DEAUTH:
1724 case WPA_DISASSOC:
1725 sm->DeauthenticationRequest = TRUE;
1726 break;
1727 case WPA_REAUTH:
1728 case WPA_REAUTH_EAPOL:
3ab72b62
JM		 1729 if (!sm->started) {
1730 /*
1731 * When using WPS, we may end up here if the STA
1732 * manages to re-associate without the previous STA
1733 * entry getting removed. Consequently, we need to make
1734 * sure that the WPA state machines gets initialized
1735 * properly at this point.
1736 */
1737 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1738 "started - initialize now");
1739 sm->started = 1;
1740 sm->Init = TRUE;
1741 if (wpa_sm_step(sm) == 1)
1742 return 1; /* should not really happen */
1743 sm->Init = FALSE;
1744 sm->AuthenticationRequest = TRUE;
1745 break;
1746 }
9663596f
JM		 1747 if (sm->GUpdateStationKeys) {
1748 /*
1749 * Reauthentication cancels the pending group key
1750 * update for this STA.
1751 */
1752 sm->group->GKeyDoneStations--;
1753 sm->GUpdateStationKeys = FALSE;
1754 sm->PtkGroupInit = TRUE;
1755 }
6fc6879b
JM		 1756 sm->ReAuthenticationRequest = TRUE;
1757 break;
1758 case WPA_ASSOC_FT:
4ec1fd8e 1759#ifdef CONFIG_IEEE80211R_AP
81a658d7
JM		 1760 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1761 "after association");
1762 wpa_ft_install_ptk(sm);
1763
6fc6879b
JM		 1764 /* Using FT protocol, not WPA auth state machine */
1765 sm->ft_completed = 1;
6f9b5d16 1766 return 0;
4ec1fd8e 1767#else /* CONFIG_IEEE80211R_AP */
6fc6879b 1768 break;
4ec1fd8e 1769#endif /* CONFIG_IEEE80211R_AP */
957bff83
JM		 1770 case WPA_ASSOC_FILS:
1771#ifdef CONFIG_FILS
1772 wpa_printf(MSG_DEBUG,
1773 "FILS: TK configuration after association");
1774 fils_set_tk(sm);
1775 sm->fils_completed = 1;
1776 return 0;
1777#else /* CONFIG_FILS */
1778 break;
1779#endif /* CONFIG_FILS */
6fc6879b
JM		 1780 }
1781
4ec1fd8e 1782#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1783 sm->ft_completed = 0;
4ec1fd8e 1784#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1785
5d22a1d5
JM		 1786#ifdef CONFIG_IEEE80211W
1787 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1788 remove_ptk = 0;
1789#endif /* CONFIG_IEEE80211W */
78815f3d 1790#ifdef CONFIG_FILS
da24c5aa
JM		 1791 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1792 (event == WPA_AUTH || event == WPA_ASSOC))
78815f3d
JM		 1793 remove_ptk = 0;
1794#endif /* CONFIG_FILS */
6fc6879b 1795
5d22a1d5
JM		 1796 if (remove_ptk) {
1797 sm->PTK_valid = FALSE;
1798 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1799
1800 if (event != WPA_REAUTH_EAPOL)
1801 wpa_remove_ptk(sm);
1802 }
6fc6879b 1803
43f49c37
JM		 1804 if (sm->in_step_loop) {
1805 /*
1806 * wpa_sm_step() is already running - avoid recursive call to
1807 * it by making the existing loop process the new update.
1808 */
1809 sm->changed = TRUE;
1810 return 0;
1811 }
6f9b5d16 1812 return wpa_sm_step(sm);
6fc6879b
JM		 1813}
1814
1815
6fc6879b
JM		 1816SM_STATE(WPA_PTK, INITIALIZE)
1817{
1818 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1819 if (sm->Init) {
1820 /* Init flag is not cleared here, so avoid busy
1821 * loop by claiming nothing changed. */
1822 sm->changed = FALSE;
1823 }
1824
1825 sm->keycount = 0;
1826 if (sm->GUpdateStationKeys)
1827 sm->group->GKeyDoneStations--;
1828 sm->GUpdateStationKeys = FALSE;
1829 if (sm->wpa == WPA_VERSION_WPA)
1830 sm->PInitAKeys = FALSE;
1831 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1832 * Local AA > Remote AA)) */) {
1833 sm->Pair = TRUE;
1834 }
1835 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1836 wpa_remove_ptk(sm);
1837 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1838 sm->TimeoutCtr = 0;
a1ea1b45
JM		 1839 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
1840 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 1841 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1842 WPA_EAPOL_authorized, 0);
1843 }
1844}
1845
1846
1847SM_STATE(WPA_PTK, DISCONNECT)
1848{
1849 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1850 sm->Disconnect = FALSE;
1851 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1852}
1853
1854
1855SM_STATE(WPA_PTK, DISCONNECTED)
1856{
1857 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1858 sm->DeauthenticationRequest = FALSE;
1859}
1860
1861
1862SM_STATE(WPA_PTK, AUTHENTICATION)
1863{
1864 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1865 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1866 sm->PTK_valid = FALSE;
1867 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1868 1);
1869 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1870 sm->AuthenticationRequest = FALSE;
1871}
1872
1873
40d00d2b
NC		 1874static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1875 struct wpa_group *group)
1bdb7ab3 1876{
40d00d2b
NC		 1877 if (group->first_sta_seen)
1878 return;
1bdb7ab3
JM		 1879 /*
1880 * System has run bit further than at the time hostapd was started
1881 * potentially very early during boot up. This provides better chances
1882 * of collecting more randomness on embedded systems. Re-initialize the
1883 * GMK and Counter here to improve their strength if there was not
1884 * enough entropy available immediately after system startup.
1885 */
1886 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1887 "station");
08704cd8
JM		 1888 if (random_pool_ready() != 1) {
1889 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1890 "to proceed - reject first 4-way handshake");
1891 group->reject_4way_hs_for_entropy = TRUE;
40d00d2b
NC		 1892 } else {
1893 group->first_sta_seen = TRUE;
1894 group->reject_4way_hs_for_entropy = FALSE;
08704cd8 1895 }
40d00d2b 1896
aac1efec
JM		 1897 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1898 wpa_gtk_update(wpa_auth, group) < 0 ||
1899 wpa_group_config_group_keys(wpa_auth, group) < 0) {
1900 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1901 group->first_sta_seen = FALSE;
1902 group->reject_4way_hs_for_entropy = TRUE;
1903 }
1bdb7ab3
JM		 1904}
1905
1906
6fc6879b
JM		 1907SM_STATE(WPA_PTK, AUTHENTICATION2)
1908{
1909 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1bdb7ab3 1910
40d00d2b 1911 wpa_group_ensure_init(sm->wpa_auth, sm->group);
65a32cdb 1912 sm->ReAuthenticationRequest = FALSE;
1bdb7ab3 1913
3825a19b
JM		 1914 /*
1915 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1916 * ambiguous. The Authenticator state machine uses a counter that is
1917 * incremented by one for each 4-way handshake. However, the security
1918 * analysis of 4-way handshake points out that unpredictable nonces
1919 * help in preventing precomputation attacks. Instead of the state
1920 * machine definition, use an unpredictable nonce value here to provide
1921 * stronger protection against potential precomputation attacks.
1922 */
1923 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1924 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1925 "ANonce.");
65a32cdb 1926 sm->Disconnect = TRUE;
3825a19b
JM		 1927 return;
1928 }
bc8318ac
JM		 1929 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1930 WPA_NONCE_LEN);
6fc6879b
JM		 1931 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1932 * logical place than INITIALIZE since AUTHENTICATION2 can be
1933 * re-entered on ReAuthenticationRequest without going through
1934 * INITIALIZE. */
1935 sm->TimeoutCtr = 0;
1936}
1937
1938
1939SM_STATE(WPA_PTK, INITPMK)
1940{
1941 u8 msk[2 * PMK_LEN];
1942 size_t len = 2 * PMK_LEN;
1943
1944 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
4ec1fd8e 1945#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1946 sm->xxkey_len = 0;
4ec1fd8e 1947#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 1948 if (sm->pmksa) {
1949 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
207976f0
JM		 1950 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1951 sm->pmk_len = sm->pmksa->pmk_len;
6fc6879b 1952 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
207976f0
JM		 1953 unsigned int pmk_len;
1954
834c5d68 1955 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
207976f0
JM		 1956 pmk_len = PMK_LEN_SUITE_B_192;
1957 else
1958 pmk_len = PMK_LEN;
6fc6879b 1959 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
207976f0
JM		 1960 "(MSK len=%lu PMK len=%u)", (unsigned long) len,
1961 pmk_len);
1962 if (len < pmk_len) {
1963 wpa_printf(MSG_DEBUG,
1964 "WPA: MSK not long enough (%u) to create PMK (%u)",
1965 (unsigned int) len, (unsigned int) pmk_len);
1966 sm->Disconnect = TRUE;
1967 return;
1968 }
1969 os_memcpy(sm->PMK, msk, pmk_len);
1970 sm->pmk_len = pmk_len;
4ec1fd8e 1971#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 1972 if (len >= 2 * PMK_LEN) {
1973 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1974 sm->xxkey_len = PMK_LEN;
1975 }
4ec1fd8e 1976#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1977 } else {
400de9b1 1978 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
cef8fac0 1979 sm->wpa_auth->cb->get_msk);
1180dd66
JM		 1980 sm->Disconnect = TRUE;
1981 return;
6fc6879b 1982 }
40aaa64f 1983 os_memset(msk, 0, sizeof(msk));
6fc6879b
JM		 1984
1985 sm->req_replay_counter_used = 0;
1986 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
1987 * will break reauthentication since EAPOL state machines may not be
1988 * get into AUTHENTICATING state that clears keyRun before WPA state
1989 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
1990 * state and takes PMK from the previously used AAA Key. This will
1991 * eventually fail in 4-Way Handshake because Supplicant uses PMK
1992 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
1993 * be good workaround for this issue. */
1994 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
1995}
1996
1997
1998SM_STATE(WPA_PTK, INITPSK)
1999{
2000 const u8 *psk;
2001 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
759fd76b 2002 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL);
6fc6879b
JM		 2003 if (psk) {
2004 os_memcpy(sm->PMK, psk, PMK_LEN);
207976f0 2005 sm->pmk_len = PMK_LEN;
4ec1fd8e 2006#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 2007 os_memcpy(sm->xxkey, psk, PMK_LEN);
2008 sm->xxkey_len = PMK_LEN;
4ec1fd8e 2009#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 2010 }
2011 sm->req_replay_counter_used = 0;
2012}
2013
2014
2015SM_STATE(WPA_PTK, PTKSTART)
2016{
2017 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
2018 size_t pmkid_len = 0;
2019
2020 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2021 sm->PTKRequest = FALSE;
2022 sm->TimeoutEvt = FALSE;
f23c5b17 2023 sm->alt_snonce_valid = FALSE;
bae61562
JM		 2024
2025 sm->TimeoutCtr++;
41f140d3 2026 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 2027 /* No point in sending the EAPOL-Key - we will disconnect
2028 * immediately following this. */
2029 return;
2030 }
2031
6fc6879b
JM		 2032 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2033 "sending 1/4 msg of 4-Way Handshake");
2034 /*
2035 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
2036 * one possible PSK for this STA.
2037 */
2038 if (sm->wpa == WPA_VERSION_WPA2 &&
a14896e8
JM		 2039 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
2040 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
6fc6879b
JM		 2041 pmkid = buf;
2042 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2043 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2044 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2045 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
929a2ea5 2046 if (sm->pmksa) {
6fc6879b
JM		 2047 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2048 sm->pmksa->pmkid, PMKID_LEN);
929a2ea5
JM		 2049 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2050 /* No KCK available to derive PMKID */
2051 pmkid = NULL;
2052 } else {
6fc6879b
JM		 2053 /*
2054 * Calculate PMKID since no PMKSA cache entry was
2055 * available with pre-calculated PMKID.
2056 */
207976f0 2057 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
56586197
JM		 2058 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
2059 wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
6fc6879b
JM		 2060 }
2061 }
2062 wpa_send_eapol(sm->wpa_auth, sm,
2063 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2064 sm->ANonce, pmkid, pmkid_len, 0, 0);
6fc6879b
JM		 2065}
2066
2067
f23c5b17 2068static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 2069 const u8 *pmk, unsigned int pmk_len,
2070 struct wpa_ptk *ptk)
6fc6879b 2071{
4ec1fd8e 2072#ifdef CONFIG_IEEE80211R_AP
56586197 2073 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
98cd3d1c 2074 return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
4ec1fd8e 2075#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2076
207976f0 2077 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
98cd3d1c
JM		 2078 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
2079 ptk, sm->wpa_key_mgmt, sm->pairwise);
6fc6879b
JM		 2080}
2081
2082
3b5b7aa8 2083#ifdef CONFIG_FILS
c4fd6d8a
JM		 2084
2085int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
80ddf5d9
JM		 2086 size_t pmk_len, const u8 *snonce, const u8 *anonce,
2087 struct wpabuf *g_sta, struct wpabuf *g_ap)
c4fd6d8a
JM		 2088{
2089 u8 ick[FILS_ICK_MAX_LEN];
2090 size_t ick_len;
2091 int res;
2092
2093 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
2094 snonce, anonce, &sm->PTK, ick, &ick_len,
215eaa74 2095 sm->wpa_key_mgmt, sm->pairwise, NULL, NULL);
c4fd6d8a
JM		 2096 if (res < 0)
2097 return res;
2098 sm->PTK_valid = TRUE;
2099
2100 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2101 sm->addr, sm->wpa_auth->addr,
80ddf5d9
JM		 2102 g_sta ? wpabuf_head(g_sta) : NULL,
2103 g_sta ? wpabuf_len(g_sta) : 0,
2104 g_ap ? wpabuf_head(g_ap) : NULL,
2105 g_ap ? wpabuf_len(g_ap) : 0,
c4fd6d8a
JM		 2106 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2107 sm->fils_key_auth_ap,
2108 &sm->fils_key_auth_len);
2109 os_memset(ick, 0, sizeof(ick));
78815f3d
JM		 2110
2111 /* Store nonces for (Re)Association Request/Response frame processing */
2112 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2113 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2114
c4fd6d8a
JM		 2115 return res;
2116}
2117
2118
3b5b7aa8 2119static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
75c8563e 2120 u8 *buf, size_t buf_len, u16 *_key_data_len)
3b5b7aa8
JM		 2121{
2122 struct ieee802_1x_hdr *hdr;
2123 struct wpa_eapol_key *key;
2124 u8 *pos;
2125 u16 key_data_len;
2126 u8 *tmp;
2127 const u8 *aad[1];
2128 size_t aad_len[1];
2129
75c8563e 2130 hdr = (struct ieee802_1x_hdr *) buf;
3b5b7aa8
JM		 2131 key = (struct wpa_eapol_key *) (hdr + 1);
2132 pos = (u8 *) (key + 1);
2133 key_data_len = WPA_GET_BE16(pos);
2134 if (key_data_len < AES_BLOCK_SIZE ||
2135 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2136 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2137 "No room for AES-SIV data in the frame");
2138 return -1;
2139 }
2140 pos += 2; /* Pointing at the Encrypted Key Data field */
2141
2142 tmp = os_malloc(key_data_len);
2143 if (!tmp)
2144 return -1;
2145
2146 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2147 * to Key Data (exclusive). */
75c8563e
JM		 2148 aad[0] = buf;
2149 aad_len[0] = pos - buf;
3b5b7aa8
JM		 2150 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2151 1, aad, aad_len, tmp) < 0) {
2152 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2153 "Invalid AES-SIV data in the frame");
2154 bin_clear_free(tmp, key_data_len);
2155 return -1;
2156 }
2157
2158 /* AEAD decryption and validation completed successfully */
2159 key_data_len -= AES_BLOCK_SIZE;
2160 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2161 tmp, key_data_len);
2162
2163 /* Replace Key Data field with the decrypted version */
2164 os_memcpy(pos, tmp, key_data_len);
2165 pos -= 2; /* Key Data Length field */
2166 WPA_PUT_BE16(pos, key_data_len);
2167 bin_clear_free(tmp, key_data_len);
2168 if (_key_data_len)
2169 *_key_data_len = key_data_len;
2170 return 0;
2171}
78815f3d
JM		 2172
2173
087631b9
JM		 2174const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
2175 const u8 *ies, size_t ies_len,
2176 const u8 *fils_session)
2177{
2178 const u8 *ie, *end;
2179 const u8 *session = NULL;
2180
2181 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2182 wpa_printf(MSG_DEBUG,
2183 "FILS: Not a FILS AKM - reject association");
2184 return NULL;
2185 }
2186
2187 /* Verify Session element */
2188 ie = ies;
2189 end = ((const u8 *) ie) + ies_len;
2190 while (ie + 1 < end) {
2191 if (ie + 2 + ie[1] > end)
2192 break;
2193 if (ie[0] == WLAN_EID_EXTENSION &&
2194 ie[1] >= 1 + FILS_SESSION_LEN &&
2195 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2196 session = ie;
2197 break;
2198 }
2199 ie += 2 + ie[1];
2200 }
2201
2202 if (!session) {
2203 wpa_printf(MSG_DEBUG,
2204 "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
2205 __func__);
2206 return NULL;
2207 }
2208
2209 if (!fils_session) {
2210 wpa_printf(MSG_DEBUG,
2211 "FILS: %s: Could not find FILS Session element in STA entry - reject",
2212 __func__);
2213 return NULL;
2214 }
2215
2216 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2217 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2218 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2219 fils_session, FILS_SESSION_LEN);
2220 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2221 session + 3, FILS_SESSION_LEN);
2222 return NULL;
2223 }
2224 return session;
2225}
2226
2227
bd599353
JM		 2228int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
2229 size_t ies_len)
2230{
2231 struct ieee802_11_elems elems;
2232
2233 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2234 wpa_printf(MSG_DEBUG,
2235 "FILS: Failed to parse decrypted elements");
2236 return -1;
2237 }
2238
2239 if (!elems.fils_key_confirm) {
2240 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2241 return -1;
2242 }
2243
2244 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2245 wpa_printf(MSG_DEBUG,
2246 "FILS: Unexpected Key-Auth length %d (expected %d)",
2247 elems.fils_key_confirm_len,
2248 (int) sm->fils_key_auth_len);
2249 return -1;
2250 }
2251
2252 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2253 sm->fils_key_auth_len) != 0) {
2254 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2255 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2256 elems.fils_key_confirm, elems.fils_key_confirm_len);
2257 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2258 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2259 return -1;
2260 }
2261
2262 return 0;
2263}
2264
2265
78815f3d
JM		 2266int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2267 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2268 u8 *pos, size_t left)
2269{
2270 u16 fc, stype;
2271 const u8 *end, *ie_start, *ie, *session, *crypt;
78815f3d
JM		 2272 const u8 *aad[5];
2273 size_t aad_len[5];
2274
2275 if (!sm || !sm->PTK_valid) {
2276 wpa_printf(MSG_DEBUG,
2277 "FILS: No KEK to decrypt Assocication Request frame");
2278 return -1;
2279 }
2280
2281 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2282 wpa_printf(MSG_DEBUG,
2283 "FILS: Not a FILS AKM - reject association");
2284 return -1;
2285 }
2286
2287 end = ((const u8 *) mgmt) + frame_len;
2288 fc = le_to_host16(mgmt->frame_control);
2289 stype = WLAN_FC_GET_STYPE(fc);
2290 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2291 ie_start = mgmt->u.reassoc_req.variable;
2292 else
2293 ie_start = mgmt->u.assoc_req.variable;
2294 ie = ie_start;
2295
2296 /*
2297 * Find FILS Session element which is the last unencrypted element in
2298 * the frame.
2299 */
087631b9
JM		 2300 session = wpa_fils_validate_fils_session(sm, ie, end - ie,
2301 fils_session);
78815f3d 2302 if (!session) {
087631b9 2303 wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
78815f3d
JM		 2304 return -1;
2305 }
087631b9 2306
78815f3d
JM		 2307 crypt = session + 2 + session[1];
2308
2309 if (end - crypt < AES_BLOCK_SIZE) {
2310 wpa_printf(MSG_DEBUG,
2311 "FILS: Too short frame to include AES-SIV data");
2312 return -1;
2313 }
2314
2315 /* AES-SIV AAD vectors */
2316
2317 /* The STA's MAC address */
2318 aad[0] = mgmt->sa;
2319 aad_len[0] = ETH_ALEN;
2320 /* The AP's BSSID */
2321 aad[1] = mgmt->da;
2322 aad_len[1] = ETH_ALEN;
2323 /* The STA's nonce */
2324 aad[2] = sm->SNonce;
2325 aad_len[2] = FILS_NONCE_LEN;
2326 /* The AP's nonce */
2327 aad[3] = sm->ANonce;
2328 aad_len[3] = FILS_NONCE_LEN;
2329 /*
2330 * The (Re)Association Request frame from the Capability Information
2331 * field to the FILS Session element (both inclusive).
2332 */
2333 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
d77f3304 2334 aad_len[4] = crypt - aad[4];
78815f3d
JM		 2335
2336 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
d77f3304 2337 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
78815f3d
JM		 2338 wpa_printf(MSG_DEBUG,
2339 "FILS: Invalid AES-SIV data in the frame");
2340 return -1;
2341 }
2342 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2343 pos, left - AES_BLOCK_SIZE);
2344
bd599353
JM		 2345 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
2346 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
78815f3d
JM		 2347 return -1;
2348 }
2349
2350 return left - AES_BLOCK_SIZE;
2351}
2352
e73ffa09
JM		 2353
2354int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
91d91abf
JM		 2355 size_t current_len, size_t max_len,
2356 const struct wpabuf *hlp)
e73ffa09
JM		 2357{
2358 u8 *end = buf + max_len;
2359 u8 *pos = buf + current_len;
2360 struct ieee80211_mgmt *mgmt;
2361 struct wpabuf *plain;
e73ffa09
JM		 2362 const u8 *aad[5];
2363 size_t aad_len[5];
2364
2365 if (!sm || !sm->PTK_valid)
2366 return -1;
2367
2368 wpa_hexdump(MSG_DEBUG,
2369 "FILS: Association Response frame before FILS processing",
2370 buf, current_len);
2371
2372 mgmt = (struct ieee80211_mgmt *) buf;
2373
2374 /* AES-SIV AAD vectors */
2375
2376 /* The AP's BSSID */
2377 aad[0] = mgmt->sa;
2378 aad_len[0] = ETH_ALEN;
2379 /* The STA's MAC address */
2380 aad[1] = mgmt->da;
2381 aad_len[1] = ETH_ALEN;
2382 /* The AP's nonce */
2383 aad[2] = sm->ANonce;
2384 aad_len[2] = FILS_NONCE_LEN;
2385 /* The STA's nonce */
2386 aad[3] = sm->SNonce;
2387 aad_len[3] = FILS_NONCE_LEN;
2388 /*
2389 * The (Re)Association Response frame from the Capability Information
2390 * field (the same offset in both Association and Reassociation
2391 * Response frames) to the FILS Session element (both inclusive).
2392 */
2393 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2394 aad_len[4] = pos - aad[4];
2395
2396 /* The following elements will be encrypted with AES-SIV */
9392859d
JM		 2397 plain = fils_prepare_plainbuf(sm, hlp);
2398 if (!plain) {
2399 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2400 return -1;
2401 }
2402
2403 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2404 wpa_printf(MSG_DEBUG,
2405 "FILS: Not enough room for FILS elements");
2406 wpabuf_free(plain);
2407 return -1;
2408 }
2409
2410 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2411 plain);
2412
2413 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2414 wpabuf_head(plain), wpabuf_len(plain),
2415 5, aad, aad_len, pos) < 0) {
2416 wpabuf_free(plain);
2417 return -1;
2418 }
2419
2420 wpa_hexdump(MSG_DEBUG,
2421 "FILS: Encrypted Association Response elements",
2422 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2423 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2424 wpabuf_free(plain);
2425
2426 sm->fils_completed = 1;
2427
2428 return current_len;
2429}
2430
2431
2432static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
2433 const struct wpabuf *hlp)
2434{
2435 struct wpabuf *plain;
2436 u8 *len, *tmp, *tmp2;
2437 u8 hdr[2];
2438 u8 *gtk, dummy_gtk[32];
2439 size_t gtk_len;
2440 struct wpa_group *gsm;
e73ffa09
JM		 2441
2442 plain = wpabuf_alloc(1000);
2443 if (!plain)
9392859d 2444 return NULL;
e73ffa09
JM		 2445
2446 /* TODO: FILS Public Key */
2447
2448 /* FILS Key Confirmation */
2449 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2450 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2451 /* Element ID Extension */
2452 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2453 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2454
91d91abf
JM		 2455 /* FILS HLP Container */
2456 if (hlp)
2457 wpabuf_put_buf(plain, hlp);
e73ffa09
JM		 2458
2459 /* TODO: FILS IP Address Assignment */
2460
2461 /* Key Delivery */
2462 gsm = sm->group;
2463 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2464 len = wpabuf_put(plain, 1);
2465 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2466 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2467 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2468 /* GTK KDE */
2469 gtk = gsm->GTK[gsm->GN - 1];
2470 gtk_len = gsm->GTK_len;
2471 if (sm->wpa_auth->conf.disable_gtk) {
2472 /*
2473 * Provide unique random GTK to each STA to prevent use
2474 * of GTK in the BSS.
2475 */
2476 if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
2477 wpabuf_free(plain);
9392859d 2478 return NULL;
e73ffa09
JM		 2479 }
2480 gtk = dummy_gtk;
2481 }
2482 hdr[0] = gsm->GN & 0x03;
2483 hdr[1] = 0;
2484 tmp = wpabuf_put(plain, 0);
2485 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2486 gtk, gtk_len);
2487 wpabuf_put(plain, tmp2 - tmp);
2488
2489 /* IGTK KDE */
2490 tmp = wpabuf_put(plain, 0);
2491 tmp2 = ieee80211w_kde_add(sm, tmp);
2492 wpabuf_put(plain, tmp2 - tmp);
2493
2494 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
9392859d 2495 return plain;
e73ffa09
JM		 2496}
2497
da24c5aa
JM		 2498
2499int fils_set_tk(struct wpa_state_machine *sm)
2500{
2501 enum wpa_alg alg;
2502 int klen;
2503
2504 if (!sm || !sm->PTK_valid)
2505 return -1;
2506
2507 alg = wpa_cipher_to_alg(sm->pairwise);
2508 klen = wpa_cipher_key_len(sm->pairwise);
2509
2510 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
2511 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2512 sm->PTK.tk, klen)) {
2513 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
2514 return -1;
2515 }
2516
2517 return 0;
2518}
2519
fa61bff6
JM		 2520
2521u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
2522 const u8 *fils_session)
2523{
2524 struct wpabuf *plain;
2525 u8 *pos = buf;
2526
2527 /* FILS Session */
2528 *pos++ = WLAN_EID_EXTENSION; /* Element ID */
2529 *pos++ = 1 + FILS_SESSION_LEN; /* Length */
2530 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
2531 os_memcpy(pos, fils_session, FILS_SESSION_LEN);
2532 pos += FILS_SESSION_LEN;
2533
2534 plain = fils_prepare_plainbuf(sm, NULL);
2535 if (!plain) {
2536 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2537 return NULL;
2538 }
2539
2540 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
2541 pos += wpabuf_len(plain);
2542
2543 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__,
2544 (unsigned int) wpabuf_len(plain));
2545 wpabuf_free(plain);
2546 sm->fils_completed = 1;
2547 return pos;
2548}
2549
3b5b7aa8
JM		 2550#endif /* CONFIG_FILS */
2551
2552
6fc6879b
JM		 2553SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2554{
3b5b7aa8 2555 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
6fc6879b 2556 struct wpa_ptk PTK;
2c502460 2557 int ok = 0, psk_found = 0;
6fc6879b 2558 const u8 *pmk = NULL;
207976f0 2559 unsigned int pmk_len;
3b5b7aa8
JM		 2560 int ft;
2561 const u8 *eapol_key_ie, *key_data, *mic;
2562 u16 key_data_length;
2563 size_t mic_len, eapol_key_ie_len;
2564 struct ieee802_1x_hdr *hdr;
2565 struct wpa_eapol_key *key;
2566 struct wpa_eapol_ie_parse kde;
6fc6879b
JM		 2567
2568 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2569 sm->EAPOLKeyReceived = FALSE;
68921e24 2570 sm->update_snonce = FALSE;
b729fd8d 2571 os_memset(&PTK, 0, sizeof(PTK));
6fc6879b 2572
3b5b7aa8
JM		 2573 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
2574
6fc6879b
JM		 2575 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2576 * WPA-PSK: iterate through possible PSKs and select the one matching
2577 * the packet */
2578 for (;;) {
56586197 2579 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
759fd76b
JM		 2580 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
2581 sm->p2p_dev_addr, pmk);
6fc6879b
JM		 2582 if (pmk == NULL)
2583 break;
2c502460 2584 psk_found = 1;
207976f0
JM		 2585 pmk_len = PMK_LEN;
2586 } else {
6fc6879b 2587 pmk = sm->PMK;
207976f0
JM		 2588 pmk_len = sm->pmk_len;
2589 }
6fc6879b 2590
364c064a
JM		 2591 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0)
2592 break;
6fc6879b 2593
3b5b7aa8
JM		 2594 if (mic_len &&
2595 wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK,
929a2ea5 2596 sm->last_rx_eapol_key,
6fc6879b
JM		 2597 sm->last_rx_eapol_key_len) == 0) {
2598 ok = 1;
2599 break;
2600 }
2601
3b5b7aa8 2602#ifdef CONFIG_FILS
75c8563e
JM		 2603 if (!mic_len &&
2604 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2605 sm->last_rx_eapol_key_len, NULL) == 0) {
3b5b7aa8
JM		 2606 ok = 1;
2607 break;
2608 }
2609#endif /* CONFIG_FILS */
2610
56586197 2611 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
6fc6879b
JM		 2612 break;
2613 }
2614
2615 if (!ok) {
2616 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2617 "invalid MIC in msg 2/4 of 4-Way Handshake");
2c502460
JM		 2618 if (psk_found)
2619 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
6fc6879b
JM		 2620 return;
2621 }
2622
3b5b7aa8
JM		 2623 /*
2624 * Note: last_rx_eapol_key length fields have already been validated in
2625 * wpa_receive().
2626 */
2627 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2628 key = (struct wpa_eapol_key *) (hdr + 1);
2629 mic = (u8 *) (key + 1);
2630 key_data = mic + mic_len + 2;
2631 key_data_length = WPA_GET_BE16(mic + mic_len);
2632 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2633 sizeof(*key) - mic_len - 2)
2634 return;
2635
2636 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2637 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2638 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2639 return;
2640 }
2641 if (kde.rsn_ie) {
2642 eapol_key_ie = kde.rsn_ie;
2643 eapol_key_ie_len = kde.rsn_ie_len;
2644 } else if (kde.osen) {
2645 eapol_key_ie = kde.osen;
2646 eapol_key_ie_len = kde.osen_len;
2647 } else {
2648 eapol_key_ie = kde.wpa_ie;
2649 eapol_key_ie_len = kde.wpa_ie_len;
2650 }
2651 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2652 if (sm->wpa_ie == NULL ||
2653 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2654 eapol_key_ie, eapol_key_ie_len)) {
2655 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2656 "WPA IE from (Re)AssocReq did not match with msg 2/4");
2657 if (sm->wpa_ie) {
2658 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2659 sm->wpa_ie, sm->wpa_ie_len);
2660 }
2661 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2662 eapol_key_ie, eapol_key_ie_len);
2663 /* MLME-DEAUTHENTICATE.request */
2664 wpa_sta_disconnect(wpa_auth, sm->addr);
2665 return;
2666 }
4ec1fd8e 2667#ifdef CONFIG_IEEE80211R_AP
3b5b7aa8
JM		 2668 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
2669 wpa_sta_disconnect(wpa_auth, sm->addr);
2670 return;
2671 }
4ec1fd8e 2672#endif /* CONFIG_IEEE80211R_AP */
3b5b7aa8
JM		 2673#ifdef CONFIG_P2P
2674 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
2675 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
2676 int idx;
2677 wpa_printf(MSG_DEBUG,
2678 "P2P: IP address requested in EAPOL-Key exchange");
2679 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
2680 if (idx >= 0) {
2681 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
2682 bitfield_set(wpa_auth->ip_pool, idx);
2683 WPA_PUT_BE32(sm->ip_addr, start + idx);
2684 wpa_printf(MSG_DEBUG,
2685 "P2P: Assigned IP address %u.%u.%u.%u to "
2686 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
2687 sm->ip_addr[2], sm->ip_addr[3],
2688 MAC2STR(sm->addr));
2689 }
2690 }
2691#endif /* CONFIG_P2P */
2692
4ec1fd8e 2693#ifdef CONFIG_IEEE80211R_AP
26e23750
JM		 2694 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2695 /*
2696 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2697 * with the value we derived.
2698 */
870834a1
JM		 2699 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2700 WPA_PMK_NAME_LEN) != 0) {
26e23750
JM		 2701 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2702 "PMKR1Name mismatch in FT 4-way "
2703 "handshake");
2704 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2705 "Supplicant",
2706 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2707 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2708 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2709 return;
2710 }
2711 }
4ec1fd8e 2712#endif /* CONFIG_IEEE80211R_AP */
26e23750 2713
e4bf4db9 2714 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 2715 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2716
56586197 2717 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 2718 /* PSK may have changed from the previous choice, so update
2719 * state machine data based on whatever PSK was selected here.
2720 */
2721 os_memcpy(sm->PMK, pmk, PMK_LEN);
207976f0 2722 sm->pmk_len = PMK_LEN;
6fc6879b
JM		 2723 }
2724
2725 sm->MICVerified = TRUE;
2726
2727 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
2728 sm->PTK_valid = TRUE;
2729}
2730
2731
2732SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
2733{
2734 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
2735 sm->TimeoutCtr = 0;
2736}
2737
2738
2739#ifdef CONFIG_IEEE80211W
2740
2741static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2742{
2743 if (sm->mgmt_frame_prot) {
8dd9f9cd
JM		 2744 size_t len;
2745 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2746 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
6fc6879b
JM		 2747 }
2748
2749 return 0;
2750}
2751
2752
2753static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2754{
2755 struct wpa_igtk_kde igtk;
2756 struct wpa_group *gsm = sm->group;
03610ad2 2757 u8 rsc[WPA_KEY_RSC_LEN];
8dd9f9cd 2758 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
6fc6879b
JM		 2759
2760 if (!sm->mgmt_frame_prot)
2761 return pos;
2762
2763 igtk.keyid[0] = gsm->GN_igtk;
2764 igtk.keyid[1] = 0;
7b1080da 2765 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
03610ad2 2766 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
6fc6879b 2767 os_memset(igtk.pn, 0, sizeof(igtk.pn));
03610ad2
JM		 2768 else
2769 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
8dd9f9cd 2770 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
83421850
JM		 2771 if (sm->wpa_auth->conf.disable_gtk) {
2772 /*
2773 * Provide unique random IGTK to each STA to prevent use of
2774 * IGTK in the BSS.
2775 */
8dd9f9cd 2776 if (random_get_bytes(igtk.igtk, len) < 0)
83421850
JM		 2777 return pos;
2778 }
6fc6879b 2779 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
8dd9f9cd
JM		 2780 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
2781 NULL, 0);
6fc6879b
JM		 2782
2783 return pos;
2784}
2785
2786#else /* CONFIG_IEEE80211W */
2787
2788static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2789{
2790 return 0;
2791}
2792
2793
2794static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2795{
2796 return pos;
2797}
2798
2799#endif /* CONFIG_IEEE80211W */
2800
2801
2802SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
2803{
83421850 2804 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
6fc6879b
JM		 2805 size_t gtk_len, kde_len;
2806 struct wpa_group *gsm = sm->group;
2807 u8 *wpa_ie;
2808 int wpa_ie_len, secure, keyidx, encr = 0;
2809
2810 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
2811 sm->TimeoutEvt = FALSE;
bae61562
JM		 2812
2813 sm->TimeoutCtr++;
41f140d3 2814 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 2815 /* No point in sending the EAPOL-Key - we will disconnect
2816 * immediately following this. */
2817 return;
2818 }
2819
86dfabb8
JM		 2820 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
2821 GTK[GN], IGTK, [FTIE], [TIE * 2])
6fc6879b
JM		 2822 */
2823 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2824 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
86dfabb8 2825 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
6fc6879b
JM		 2826 wpa_ie = sm->wpa_auth->wpa_ie;
2827 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
2828 if (sm->wpa == WPA_VERSION_WPA &&
2829 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
2830 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
774d4145 2831 /* WPA-only STA, remove RSN IE and possible MDIE */
6fc6879b 2832 wpa_ie = wpa_ie + wpa_ie[1] + 2;
774d4145
JM		 2833 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
2834 wpa_ie = wpa_ie + wpa_ie[1] + 2;
6fc6879b
JM		 2835 wpa_ie_len = wpa_ie[1] + 2;
2836 }
2837 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2838 "sending 3/4 msg of 4-Way Handshake");
2839 if (sm->wpa == WPA_VERSION_WPA2) {
2840 /* WPA2 send GTK in the 4-way handshake */
2841 secure = 1;
2842 gtk = gsm->GTK[gsm->GN - 1];
2843 gtk_len = gsm->GTK_len;
83421850
JM		 2844 if (sm->wpa_auth->conf.disable_gtk) {
2845 /*
2846 * Provide unique random GTK to each STA to prevent use
2847 * of GTK in the BSS.
2848 */
2849 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
2850 return;
2851 gtk = dummy_gtk;
2852 }
6fc6879b
JM		 2853 keyidx = gsm->GN;
2854 _rsc = rsc;
2855 encr = 1;
2856 } else {
2857 /* WPA does not include GTK in msg 3/4 */
2858 secure = 0;
2859 gtk = NULL;
2860 gtk_len = 0;
2861 keyidx = 0;
2862 _rsc = NULL;
0d442aff
JM		 2863 if (sm->rx_eapol_key_secure) {
2864 /*
2865 * It looks like Windows 7 supplicant tries to use
2866 * Secure bit in msg 2/4 after having reported Michael
2867 * MIC failure and it then rejects the 4-way handshake
2868 * if msg 3/4 does not set Secure bit. Work around this
2869 * by setting the Secure bit here even in the case of
2870 * WPA if the supplicant used it first.
2871 */
2872 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4740d5b9
JM		 2873 "STA used Secure bit in WPA msg 2/4 - "
2874 "set Secure for 3/4 as workaround");
0d442aff
JM		 2875 secure = 1;
2876 }
6fc6879b
JM		 2877 }
2878
2879 kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
2880 if (gtk)
2881 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4ec1fd8e 2882#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 2883 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2884 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
2885 kde_len += 300; /* FTIE + 2 * TIE */
2886 }
4ec1fd8e 2887#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 2888#ifdef CONFIG_P2P
2889 if (WPA_GET_BE32(sm->ip_addr) > 0)
2890 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
2891#endif /* CONFIG_P2P */
6fc6879b
JM		 2892 kde = os_malloc(kde_len);
2893 if (kde == NULL)
2894 return;
2895
2896 pos = kde;
2897 os_memcpy(pos, wpa_ie, wpa_ie_len);
2898 pos += wpa_ie_len;
4ec1fd8e 2899#ifdef CONFIG_IEEE80211R_AP
26e23750 2900 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
59e78c24
JM		 2901 int res;
2902 size_t elen;
2903
2904 elen = pos - kde;
2905 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
26e23750
JM		 2906 if (res < 0) {
2907 wpa_printf(MSG_ERROR, "FT: Failed to insert "
2908 "PMKR1Name into RSN IE in EAPOL-Key data");
2909 os_free(kde);
2910 return;
2911 }
59e78c24
JM		 2912 pos -= wpa_ie_len;
2913 pos += elen;
26e23750 2914 }
4ec1fd8e 2915#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 2916 if (gtk) {
2917 u8 hdr[2];
2918 hdr[0] = keyidx & 0x03;
2919 hdr[1] = 0;
2920 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2921 gtk, gtk_len);
2922 }
2923 pos = ieee80211w_kde_add(sm, pos);
2924
4ec1fd8e 2925#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 2926 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2927 int res;
2928 struct wpa_auth_config *conf;
2929
2930 conf = &sm->wpa_auth->conf;
9257610a
JM		 2931 if (sm->assoc_resp_ftie &&
2932 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
2933 os_memcpy(pos, sm->assoc_resp_ftie,
2934 2 + sm->assoc_resp_ftie[1]);
2935 res = 2 + sm->assoc_resp_ftie[1];
2936 } else {
2937 res = wpa_write_ftie(conf, conf->r0_key_holder,
2938 conf->r0_key_holder_len,
2939 NULL, NULL, pos,
2940 kde + kde_len - pos,
2941 NULL, 0);
2942 }
86dfabb8
JM		 2943 if (res < 0) {
2944 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2945 "into EAPOL-Key Key Data");
2946 os_free(kde);
2947 return;
2948 }
2949 pos += res;
2950
2951 /* TIE[ReassociationDeadline] (TU) */
2952 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2953 *pos++ = 5;
2954 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
2955 WPA_PUT_LE32(pos, conf->reassociation_deadline);
2956 pos += 4;
2957
2958 /* TIE[KeyLifetime] (seconds) */
2959 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2960 *pos++ = 5;
2961 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
2962 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
2963 pos += 4;
2964 }
4ec1fd8e 2965#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 2966#ifdef CONFIG_P2P
2967 if (WPA_GET_BE32(sm->ip_addr) > 0) {
2968 u8 addr[3 * 4];
2969 os_memcpy(addr, sm->ip_addr, 4);
2970 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
2971 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
2972 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
2973 addr, sizeof(addr), NULL, 0);
2974 }
2975#endif /* CONFIG_P2P */
86dfabb8 2976
6fc6879b 2977 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d
JM		 2978 (secure ? WPA_KEY_INFO_SECURE : 0) |
2979 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 2980 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
2981 WPA_KEY_INFO_KEY_TYPE,
2982 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
2983 os_free(kde);
6fc6879b
JM		 2984}
2985
2986
2987SM_STATE(WPA_PTK, PTKINITDONE)
2988{
2989 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
2990 sm->EAPOLKeyReceived = FALSE;
2991 if (sm->Pair) {
c3550295
JM		 2992 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
2993 int klen = wpa_cipher_key_len(sm->pairwise);
6fc6879b 2994 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
98cd3d1c 2995 sm->PTK.tk, klen)) {
6fc6879b
JM		 2996 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
2997 return;
2998 }
2999 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
3000 sm->pairwise_set = TRUE;
3001
581a8cde
JM		 3002 if (sm->wpa_auth->conf.wpa_ptk_rekey) {
3003 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
3004 eloop_register_timeout(sm->wpa_auth->conf.
3005 wpa_ptk_rekey, 0, wpa_rekey_ptk,
3006 sm->wpa_auth, sm);
3007 }
3008
a1ea1b45
JM		 3009 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3010 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 3011 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3012 WPA_EAPOL_authorized, 1);
3013 }
3014 }
3015
3016 if (0 /* IBSS == TRUE */) {
3017 sm->keycount++;
3018 if (sm->keycount == 2) {
3019 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3020 WPA_EAPOL_portValid, 1);
3021 }
3022 } else {
3023 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
3024 1);
3025 }
3026 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
3027 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
3028 if (sm->wpa == WPA_VERSION_WPA)
3029 sm->PInitAKeys = TRUE;
3030 else
3031 sm->has_GTK = TRUE;
3032 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3033 "pairwise key handshake completed (%s)",
3034 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3035
4ec1fd8e 3036#ifdef CONFIG_IEEE80211R_AP
6fc6879b 3037 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
4ec1fd8e 3038#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 3039}
3040
3041
3042SM_STEP(WPA_PTK)
3043{
3044 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3045
3046 if (sm->Init)
3047 SM_ENTER(WPA_PTK, INITIALIZE);
3048 else if (sm->Disconnect
1aae01fc
BG		 3049 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
3050 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
3051 "WPA_PTK: sm->Disconnect");
6fc6879b 3052 SM_ENTER(WPA_PTK, DISCONNECT);
1aae01fc 3053 }
6fc6879b
JM		 3054 else if (sm->DeauthenticationRequest)
3055 SM_ENTER(WPA_PTK, DISCONNECTED);
3056 else if (sm->AuthenticationRequest)
3057 SM_ENTER(WPA_PTK, AUTHENTICATION);
3058 else if (sm->ReAuthenticationRequest)
3059 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3060 else if (sm->PTKRequest)
3061 SM_ENTER(WPA_PTK, PTKSTART);
3062 else switch (sm->wpa_ptk_state) {
3063 case WPA_PTK_INITIALIZE:
3064 break;
3065 case WPA_PTK_DISCONNECT:
3066 SM_ENTER(WPA_PTK, DISCONNECTED);
3067 break;
3068 case WPA_PTK_DISCONNECTED:
3069 SM_ENTER(WPA_PTK, INITIALIZE);
3070 break;
3071 case WPA_PTK_AUTHENTICATION:
3072 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3073 break;
3074 case WPA_PTK_AUTHENTICATION2:
56586197 3075 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
6fc6879b
JM		 3076 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
3077 WPA_EAPOL_keyRun) > 0)
3078 SM_ENTER(WPA_PTK, INITPMK);
a1ea1b45
JM		 3079 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3080 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
6fc6879b
JM		 3081 /* FIX: && 802.1X::keyRun */)
3082 SM_ENTER(WPA_PTK, INITPSK);
3083 break;
3084 case WPA_PTK_INITPMK:
3085 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
3086 WPA_EAPOL_keyAvailable) > 0)
3087 SM_ENTER(WPA_PTK, PTKSTART);
3088 else {
3089 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 3090 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3091 "INITPMK - keyAvailable = false");
6fc6879b
JM		 3092 SM_ENTER(WPA_PTK, DISCONNECT);
3093 }
3094 break;
3095 case WPA_PTK_INITPSK:
759fd76b
JM		 3096 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
3097 NULL))
6fc6879b
JM		 3098 SM_ENTER(WPA_PTK, PTKSTART);
3099 else {
3100 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3101 "no PSK configured for the STA");
3102 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3103 SM_ENTER(WPA_PTK, DISCONNECT);
3104 }
3105 break;
3106 case WPA_PTK_PTKSTART:
3107 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3108 sm->EAPOLKeyPairwise)
3109 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3110 else if (sm->TimeoutCtr >
41f140d3 3111 sm->wpa_auth->conf.wpa_pairwise_update_count) {
6fc6879b 3112 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3113 wpa_auth_vlogger(
3114 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3115 "PTKSTART: Retry limit %u reached",
3116 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3117 SM_ENTER(WPA_PTK, DISCONNECT);
3118 } else if (sm->TimeoutEvt)
3119 SM_ENTER(WPA_PTK, PTKSTART);
3120 break;
3121 case WPA_PTK_PTKCALCNEGOTIATING:
3122 if (sm->MICVerified)
3123 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
3124 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3125 sm->EAPOLKeyPairwise)
3126 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3127 else if (sm->TimeoutEvt)
3128 SM_ENTER(WPA_PTK, PTKSTART);
3129 break;
3130 case WPA_PTK_PTKCALCNEGOTIATING2:
3131 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3132 break;
3133 case WPA_PTK_PTKINITNEGOTIATING:
68921e24
JM		 3134 if (sm->update_snonce)
3135 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3136 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3137 sm->EAPOLKeyPairwise && sm->MICVerified)
6fc6879b
JM		 3138 SM_ENTER(WPA_PTK, PTKINITDONE);
3139 else if (sm->TimeoutCtr >
41f140d3 3140 sm->wpa_auth->conf.wpa_pairwise_update_count) {
6fc6879b 3141 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3142 wpa_auth_vlogger(
3143 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3144 "PTKINITNEGOTIATING: Retry limit %u reached",
3145 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3146 SM_ENTER(WPA_PTK, DISCONNECT);
3147 } else if (sm->TimeoutEvt)
3148 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3149 break;
3150 case WPA_PTK_PTKINITDONE:
3151 break;
3152 }
3153}
3154
3155
3156SM_STATE(WPA_PTK_GROUP, IDLE)
3157{
3158 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
3159 if (sm->Init) {
3160 /* Init flag is not cleared here, so avoid busy
3161 * loop by claiming nothing changed. */
3162 sm->changed = FALSE;
3163 }
3164 sm->GTimeoutCtr = 0;
3165}
3166
3167
3168SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3169{
3170 u8 rsc[WPA_KEY_RSC_LEN];
3171 struct wpa_group *gsm = sm->group;
e41e4f9e
JM		 3172 const u8 *kde;
3173 u8 *kde_buf = NULL, *pos, hdr[2];
6fc6879b 3174 size_t kde_len;
83421850 3175 u8 *gtk, dummy_gtk[32];
6fc6879b
JM		 3176
3177 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
bae61562
JM		 3178
3179 sm->GTimeoutCtr++;
41f140d3 3180 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
bae61562
JM		 3181 /* No point in sending the EAPOL-Key - we will disconnect
3182 * immediately following this. */
3183 return;
3184 }
3185
6fc6879b
JM		 3186 if (sm->wpa == WPA_VERSION_WPA)
3187 sm->PInitAKeys = FALSE;
3188 sm->TimeoutEvt = FALSE;
3189 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3190 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3191 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3192 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3193 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3194 "sending 1/2 msg of Group Key Handshake");
3195
83421850
JM		 3196 gtk = gsm->GTK[gsm->GN - 1];
3197 if (sm->wpa_auth->conf.disable_gtk) {
3198 /*
3199 * Provide unique random GTK to each STA to prevent use
3200 * of GTK in the BSS.
3201 */
3202 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
3203 return;
3204 gtk = dummy_gtk;
3205 }
6fc6879b
JM		 3206 if (sm->wpa == WPA_VERSION_WPA2) {
3207 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
3208 ieee80211w_kde_len(sm);
e41e4f9e
JM		 3209 kde_buf = os_malloc(kde_len);
3210 if (kde_buf == NULL)
6fc6879b
JM		 3211 return;
3212
e41e4f9e 3213 kde = pos = kde_buf;
6fc6879b
JM		 3214 hdr[0] = gsm->GN & 0x03;
3215 hdr[1] = 0;
3216 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
83421850 3217 gtk, gsm->GTK_len);
6fc6879b 3218 pos = ieee80211w_kde_add(sm, pos);
e41e4f9e 3219 kde_len = pos - kde;
6fc6879b 3220 } else {
83421850 3221 kde = gtk;
e41e4f9e 3222 kde_len = gsm->GTK_len;
6fc6879b
JM		 3223 }
3224
3225 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d
JM		 3226 WPA_KEY_INFO_SECURE |
3227 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3228 WPA_KEY_INFO_ACK |
3229 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
b0fb2be7 3230 rsc, NULL, kde, kde_len, gsm->GN, 1);
e41e4f9e
JM		 3231
3232 os_free(kde_buf);
6fc6879b
JM		 3233}
3234
3235
3236SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3237{
3238 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3239 sm->EAPOLKeyReceived = FALSE;
3240 if (sm->GUpdateStationKeys)
3241 sm->group->GKeyDoneStations--;
3242 sm->GUpdateStationKeys = FALSE;
3243 sm->GTimeoutCtr = 0;
3244 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
3245 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3246 "group key handshake completed (%s)",
3247 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3248 sm->has_GTK = TRUE;
3249}
3250
3251
3252SM_STATE(WPA_PTK_GROUP, KEYERROR)
3253{
3254 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
3255 if (sm->GUpdateStationKeys)
3256 sm->group->GKeyDoneStations--;
3257 sm->GUpdateStationKeys = FALSE;
3258 sm->Disconnect = TRUE;
4bb9b674
GK		 3259 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3260 "group key handshake failed (%s) after %u tries",
3261 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
3262 sm->wpa_auth->conf.wpa_group_update_count);
6fc6879b
JM		 3263}
3264
3265
3266SM_STEP(WPA_PTK_GROUP)
3267{
9663596f 3268 if (sm->Init || sm->PtkGroupInit) {
6fc6879b 3269 SM_ENTER(WPA_PTK_GROUP, IDLE);
9663596f
JM		 3270 sm->PtkGroupInit = FALSE;
3271 } else switch (sm->wpa_ptk_group_state) {
6fc6879b
JM		 3272 case WPA_PTK_GROUP_IDLE:
3273 if (sm->GUpdateStationKeys ||
3274 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
3275 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3276 break;
3277 case WPA_PTK_GROUP_REKEYNEGOTIATING:
3278 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3279 !sm->EAPOLKeyPairwise && sm->MICVerified)
3280 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
3281 else if (sm->GTimeoutCtr >
41f140d3 3282 sm->wpa_auth->conf.wpa_group_update_count)
6fc6879b
JM		 3283 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
3284 else if (sm->TimeoutEvt)
3285 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3286 break;
3287 case WPA_PTK_GROUP_KEYERROR:
3288 SM_ENTER(WPA_PTK_GROUP, IDLE);
3289 break;
3290 case WPA_PTK_GROUP_REKEYESTABLISHED:
3291 SM_ENTER(WPA_PTK_GROUP, IDLE);
3292 break;
3293 }
3294}
3295
3296
3297static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
3298 struct wpa_group *group)
3299{
3300 int ret = 0;
3301
6fc6879b
JM		 3302 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3303 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3304 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
3305 wpa_auth->addr, group->GNonce,
3306 group->GTK[group->GN - 1], group->GTK_len) < 0)
3307 ret = -1;
5cb9d5c3
JM		 3308 wpa_hexdump_key(MSG_DEBUG, "GTK",
3309 group->GTK[group->GN - 1], group->GTK_len);
6fc6879b
JM		 3310
3311#ifdef CONFIG_IEEE80211W
70f8cc8e 3312 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
8dd9f9cd
JM		 3313 size_t len;
3314 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
5cb9d5c3
JM		 3315 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3316 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3317 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
3318 wpa_auth->addr, group->GNonce,
8dd9f9cd 3319 group->IGTK[group->GN_igtk - 4], len) < 0)
3c7302c2 3320 ret = -1;
6fc6879b 3321 wpa_hexdump_key(MSG_DEBUG, "IGTK",
8dd9f9cd 3322 group->IGTK[group->GN_igtk - 4], len);
6fc6879b
JM		 3323 }
3324#endif /* CONFIG_IEEE80211W */
3325
3326 return ret;
3327}
3328
3329
3330static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
3331 struct wpa_group *group)
3332{
3333 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3334 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
3335 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
3336 group->wpa_group_state = WPA_GROUP_GTK_INIT;
3337
3338 /* GTK[0..N] = 0 */
3339 os_memset(group->GTK, 0, sizeof(group->GTK));
3340 group->GN = 1;
3341 group->GM = 2;
3342#ifdef CONFIG_IEEE80211W
3343 group->GN_igtk = 4;
3344 group->GM_igtk = 5;
3345#endif /* CONFIG_IEEE80211W */
3346 /* GTK[GN] = CalcGTK() */
3347 wpa_gtk_update(wpa_auth, group);
3348}
3349
3350
3351static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
3352{
473b6f22
MB		 3353 if (ctx != NULL && ctx != sm->group)
3354 return 0;
3355
6fc6879b
JM		 3356 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
3357 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3358 "Not in PTKINITDONE; skip Group Key update");
3c183894 3359 sm->GUpdateStationKeys = FALSE;
6fc6879b
JM		 3360 return 0;
3361 }
9663596f
JM		 3362 if (sm->GUpdateStationKeys) {
3363 /*
3c183894
JM		 3364 * This should not really happen, so add a debug log entry.
3365 * Since we clear the GKeyDoneStations before the loop, the
3366 * station needs to be counted here anyway.
9663596f
JM		 3367 */
3368 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3c183894
JM		 3369 "GUpdateStationKeys was already set when "
3370 "marking station for GTK rekeying");
9663596f 3371 }
3c183894 3372
ad3872a3 3373 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
d32d94db
XC		 3374 if (sm->is_wnmsleep)
3375 return 0;
d32d94db 3376
3c183894
JM		 3377 sm->group->GKeyDoneStations++;
3378 sm->GUpdateStationKeys = TRUE;
3379
6fc6879b
JM		 3380 wpa_sm_step(sm);
3381 return 0;
3382}
3383
3384
ad3872a3
JM		 3385#ifdef CONFIG_WNM
3386/* update GTK when exiting WNM-Sleep Mode */
d32d94db
XC		 3387void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
3388{
629edfef 3389 if (sm == NULL || sm->is_wnmsleep)
d32d94db
XC		 3390 return;
3391
3392 wpa_group_update_sta(sm, NULL);
3393}
3394
3395
3396void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
3397{
629edfef
JM		 3398 if (sm)
3399 sm->is_wnmsleep = !!flag;
d32d94db
XC		 3400}
3401
3402
3403int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3404{
d32d94db 3405 struct wpa_group *gsm = sm->group;
835822d4 3406 u8 *start = pos;
d32d94db
XC		 3407
3408 /*
835822d4 3409 * GTK subelement:
d32d94db 3410 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
835822d4 3411 * Key[5..32]
d32d94db 3412 */
835822d4
JM		 3413 *pos++ = WNM_SLEEP_SUBELEM_GTK;
3414 *pos++ = 11 + gsm->GTK_len;
d32d94db 3415 /* Key ID in B0-B1 of Key Info */
835822d4
JM		 3416 WPA_PUT_LE16(pos, gsm->GN & 0x03);
3417 pos += 2;
3418 *pos++ = gsm->GTK_len;
3419 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
d32d94db 3420 return 0;
835822d4
JM		 3421 pos += 8;
3422 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3423 pos += gsm->GTK_len;
d32d94db 3424
835822d4
JM		 3425 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
3426 gsm->GN);
3427 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
d32d94db 3428 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
d32d94db 3429
835822d4 3430 return pos - start;
d32d94db
XC		 3431}
3432
3433
3434#ifdef CONFIG_IEEE80211W
3435int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3436{
d32d94db 3437 struct wpa_group *gsm = sm->group;
835822d4 3438 u8 *start = pos;
8dd9f9cd 3439 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
d32d94db 3440
835822d4
JM		 3441 /*
3442 * IGTK subelement:
3443 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
3444 */
3445 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
8dd9f9cd 3446 *pos++ = 2 + 6 + len;
835822d4
JM		 3447 WPA_PUT_LE16(pos, gsm->GN_igtk);
3448 pos += 2;
3449 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
d32d94db 3450 return 0;
835822d4 3451 pos += 6;
d32d94db 3452
8dd9f9cd
JM		 3453 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
3454 pos += len;
d32d94db 3455
835822d4
JM		 3456 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
3457 gsm->GN_igtk);
3458 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
8dd9f9cd 3459 gsm->IGTK[gsm->GN_igtk - 4], len);
d32d94db 3460
835822d4 3461 return pos - start;
d32d94db
XC		 3462}
3463#endif /* CONFIG_IEEE80211W */
ad3872a3 3464#endif /* CONFIG_WNM */
d32d94db
XC		 3465
3466
6fc6879b
JM		 3467static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
3468 struct wpa_group *group)
3469{
3470 int tmp;
3471
3472 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3473 "SETKEYS (VLAN-ID %d)", group->vlan_id);
3474 group->changed = TRUE;
3475 group->wpa_group_state = WPA_GROUP_SETKEYS;
3476 group->GTKReKey = FALSE;
3477 tmp = group->GM;
3478 group->GM = group->GN;
3479 group->GN = tmp;
3480#ifdef CONFIG_IEEE80211W
3481 tmp = group->GM_igtk;
3482 group->GM_igtk = group->GN_igtk;
3483 group->GN_igtk = tmp;
3484#endif /* CONFIG_IEEE80211W */
3485 /* "GKeyDoneStations = GNoStations" is done in more robust way by
3486 * counting the STAs that are marked with GUpdateStationKeys instead of
3487 * including all STAs that could be in not-yet-completed state. */
3488 wpa_gtk_update(wpa_auth, group);
3489
3c183894
JM		 3490 if (group->GKeyDoneStations) {
3491 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3492 "GKeyDoneStations=%d when starting new GTK rekey",
3493 group->GKeyDoneStations);
3494 group->GKeyDoneStations = 0;
3495 }
473b6f22 3496 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
6fc6879b
JM		 3497 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3498 group->GKeyDoneStations);
3499}
3500
3501
1bdb7ab3
JM		 3502static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3503 struct wpa_group *group)
6fc6879b 3504{
3c7302c2
JM		 3505 int ret = 0;
3506
3c7302c2 3507 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
c3550295 3508 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
0382097e
JM		 3509 broadcast_ether_addr, group->GN,
3510 group->GTK[group->GN - 1], group->GTK_len) < 0)
3c7302c2 3511 ret = -1;
6fc6879b
JM		 3512
3513#ifdef CONFIG_IEEE80211W
8dd9f9cd
JM		 3514 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3515 enum wpa_alg alg;
3516 size_t len;
3517
3518 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3519 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3520
3521 if (ret == 0 &&
3522 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
3523 broadcast_ether_addr, group->GN_igtk,
3524 group->IGTK[group->GN_igtk - 4], len) < 0)
3525 ret = -1;
3526 }
6fc6879b 3527#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 3528
3529 return ret;
6fc6879b
JM		 3530}
3531
3532
7d7f7be2
JM		 3533static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
3534{
3535 if (sm->group == ctx) {
3536 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
3537 " for discconnection due to fatal failure",
3538 MAC2STR(sm->addr));
3539 sm->Disconnect = TRUE;
3540 }
3541
3542 return 0;
3543}
3544
3545
3546static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
3547 struct wpa_group *group)
3548{
3549 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
3550 group->changed = TRUE;
3551 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
3552 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
3553}
3554
3555
1bdb7ab3
JM		 3556static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
3557 struct wpa_group *group)
3558{
3559 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3560 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
3561 group->changed = TRUE;
3562 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
3563
7d7f7be2
JM		 3564 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
3565 wpa_group_fatal_failure(wpa_auth, group);
1bdb7ab3 3566 return -1;
7d7f7be2 3567 }
1bdb7ab3
JM		 3568
3569 return 0;
3570}
3571
3572
6fc6879b
JM		 3573static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
3574 struct wpa_group *group)
3575{
3576 if (group->GInit) {
3577 wpa_group_gtk_init(wpa_auth, group);
7d7f7be2
JM		 3578 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
3579 /* Do not allow group operations */
6fc6879b
JM		 3580 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
3581 group->GTKAuthenticator) {
3582 wpa_group_setkeysdone(wpa_auth, group);
3583 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
3584 group->GTKReKey) {
3585 wpa_group_setkeys(wpa_auth, group);
3586 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
3587 if (group->GKeyDoneStations == 0)
3588 wpa_group_setkeysdone(wpa_auth, group);
3589 else if (group->GTKReKey)
3590 wpa_group_setkeys(wpa_auth, group);
3591 }
3592}
3593
3594
e4a6ea1d 3595static int wpa_sm_step(struct wpa_state_machine *sm)
6fc6879b
JM		 3596{
3597 if (sm == NULL)
e4a6ea1d 3598 return 0;
6fc6879b
JM		 3599
3600 if (sm->in_step_loop) {
3601 /* This should not happen, but if it does, make sure we do not
3602 * end up freeing the state machine too early by exiting the
3603 * recursive call. */
3604 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
e4a6ea1d 3605 return 0;
6fc6879b
JM		 3606 }
3607
3608 sm->in_step_loop = 1;
3609 do {
3610 if (sm->pending_deinit)
3611 break;
3612
3613 sm->changed = FALSE;
3614 sm->wpa_auth->group->changed = FALSE;
3615
3616 SM_STEP_RUN(WPA_PTK);
3617 if (sm->pending_deinit)
3618 break;
3619 SM_STEP_RUN(WPA_PTK_GROUP);
3620 if (sm->pending_deinit)
3621 break;
3622 wpa_group_sm_step(sm->wpa_auth, sm->group);
3623 } while (sm->changed || sm->wpa_auth->group->changed);
3624 sm->in_step_loop = 0;
3625
3626 if (sm->pending_deinit) {
3627 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
3628 "machine deinit for " MACSTR, MAC2STR(sm->addr));
3629 wpa_free_sta_sm(sm);
e4a6ea1d 3630 return 1;
6fc6879b 3631 }
e4a6ea1d 3632 return 0;
6fc6879b
JM		 3633}
3634
3635
3636static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
3637{
3638 struct wpa_state_machine *sm = eloop_ctx;
3639 wpa_sm_step(sm);
3640}
3641
3642
3643void wpa_auth_sm_notify(struct wpa_state_machine *sm)
3644{
3645 if (sm == NULL)
3646 return;
3647 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
3648}
3649
3650
3651void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
3652{
3653 int tmp, i;
3654 struct wpa_group *group;
3655
3656 if (wpa_auth == NULL)
3657 return;
3658
3659 group = wpa_auth->group;
3660
3661 for (i = 0; i < 2; i++) {
3662 tmp = group->GM;
3663 group->GM = group->GN;
3664 group->GN = tmp;
3665#ifdef CONFIG_IEEE80211W
3666 tmp = group->GM_igtk;
3667 group->GM_igtk = group->GN_igtk;
3668 group->GN_igtk = tmp;
3669#endif /* CONFIG_IEEE80211W */
3670 wpa_gtk_update(wpa_auth, group);
9354e594 3671 wpa_group_config_group_keys(wpa_auth, group);
6fc6879b
JM		 3672 }
3673}
3674
3675
a6da824b 3676static const char * wpa_bool_txt(int val)
6fc6879b 3677{
a6da824b 3678 return val ? "TRUE" : "FALSE";
6fc6879b
JM		 3679}
3680
3681
6fc6879b
JM		 3682#define RSN_SUITE "%02x-%02x-%02x-%d"
3683#define RSN_SUITE_ARG(s) \
3684((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
3685
3686int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
3687{
3688 int len = 0, ret;
3689 char pmkid_txt[PMKID_LEN * 2 + 1];
8ce58ceb
IH		 3690#ifdef CONFIG_RSN_PREAUTH
3691 const int preauth = 1;
3692#else /* CONFIG_RSN_PREAUTH */
3693 const int preauth = 0;
3694#endif /* CONFIG_RSN_PREAUTH */
6fc6879b
JM		 3695
3696 if (wpa_auth == NULL)
3697 return len;
3698
3699 ret = os_snprintf(buf + len, buflen - len,
3700 "dot11RSNAOptionImplemented=TRUE\n"
8ce58ceb 3701 "dot11RSNAPreauthenticationImplemented=%s\n"
6fc6879b
JM		 3702 "dot11RSNAEnabled=%s\n"
3703 "dot11RSNAPreauthenticationEnabled=%s\n",
8ce58ceb 3704 wpa_bool_txt(preauth),
6fc6879b
JM		 3705 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
3706 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
d85e1fc8 3707 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3708 return len;
3709 len += ret;
3710
3711 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3712 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
3713
3714 ret = os_snprintf(
3715 buf + len, buflen - len,
3716 "dot11RSNAConfigVersion=%u\n"
3717 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
3718 /* FIX: dot11RSNAConfigGroupCipher */
3719 /* FIX: dot11RSNAConfigGroupRekeyMethod */
3720 /* FIX: dot11RSNAConfigGroupRekeyTime */
3721 /* FIX: dot11RSNAConfigGroupRekeyPackets */
3722 "dot11RSNAConfigGroupRekeyStrict=%u\n"
3723 "dot11RSNAConfigGroupUpdateCount=%u\n"
3724 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
3725 "dot11RSNAConfigGroupCipherSize=%u\n"
3726 "dot11RSNAConfigPMKLifetime=%u\n"
3727 "dot11RSNAConfigPMKReauthThreshold=%u\n"
3728 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
3729 "dot11RSNAConfigSATimeout=%u\n"
3730 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3731 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3732 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3733 "dot11RSNAPMKIDUsed=%s\n"
3734 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3735 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3736 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3737 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
3738 "dot11RSNA4WayHandshakeFailures=%u\n"
3739 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
3740 RSN_VERSION,
3741 !!wpa_auth->conf.wpa_strict_rekey,
41f140d3
GK		 3742 wpa_auth->conf.wpa_group_update_count,
3743 wpa_auth->conf.wpa_pairwise_update_count,
c3550295 3744 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
6fc6879b
JM		 3745 dot11RSNAConfigPMKLifetime,
3746 dot11RSNAConfigPMKReauthThreshold,
3747 dot11RSNAConfigSATimeout,
3748 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
3749 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
3750 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
3751 pmkid_txt,
3752 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
3753 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
3754 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
3755 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
3756 wpa_auth->dot11RSNA4WayHandshakeFailures);
d85e1fc8 3757 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3758 return len;
3759 len += ret;
3760
3761 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
3762 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
3763
3764 /* Private MIB */
3765 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
3766 wpa_auth->group->wpa_group_state);
d85e1fc8 3767 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3768 return len;
3769 len += ret;
3770
3771 return len;
3772}
3773
3774
3775int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
3776{
3777 int len = 0, ret;
3778 u32 pairwise = 0;
3779
3780 if (sm == NULL)
3781 return 0;
3782
3783 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
3784
3785 /* dot11RSNAStatsEntry */
3786
c3550295
JM		 3787 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
3788 WPA_PROTO_RSN : WPA_PROTO_WPA,
3789 sm->pairwise);
3790 if (pairwise == 0)
6fc6879b
JM		 3791 return 0;
3792
3793 ret = os_snprintf(
3794 buf + len, buflen - len,
3795 /* TODO: dot11RSNAStatsIndex */
3796 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
3797 "dot11RSNAStatsVersion=1\n"
3798 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
3799 /* TODO: dot11RSNAStatsTKIPICVErrors */
3800 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
d9040cdb 3801 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
6fc6879b
JM		 3802 /* TODO: dot11RSNAStatsCCMPReplays */
3803 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
3804 /* TODO: dot11RSNAStatsTKIPReplays */,
3805 MAC2STR(sm->addr),
3806 RSN_SUITE_ARG(pairwise),
3807 sm->dot11RSNAStatsTKIPLocalMICFailures,
3808 sm->dot11RSNAStatsTKIPRemoteMICFailures);
d85e1fc8 3809 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3810 return len;
3811 len += ret;
3812
3813 /* Private MIB */
3814 ret = os_snprintf(buf + len, buflen - len,
3815 "hostapdWPAPTKState=%d\n"
3816 "hostapdWPAPTKGroupState=%d\n",
3817 sm->wpa_ptk_state,
3818 sm->wpa_ptk_group_state);
d85e1fc8 3819 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3820 return len;
3821 len += ret;
3822
3823 return len;
3824}
3825
3826
3827void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
3828{
3829 if (wpa_auth)
3830 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
3831}
3832
3833
3834int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
3835{
3836 return sm && sm->pairwise_set;
3837}
3838
3839
ff36ff00
JM		 3840int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
3841{
3842 return sm->pairwise;
3843}
3844
3845
6fc6879b
JM		 3846int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
3847{
3848 if (sm == NULL)
3849 return -1;
3850 return sm->wpa_key_mgmt;
3851}
3852
3853
3854int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
3855{
3856 if (sm == NULL)
3857 return 0;
3858 return sm->wpa;
3859}
3860
3861
3862int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
3863 struct rsn_pmksa_cache_entry *entry)
3864{
3865 if (sm == NULL || sm->pmksa != entry)
3866 return -1;
3867 sm->pmksa = NULL;
3868 return 0;
3869}
3870
3871
3872struct rsn_pmksa_cache_entry *
3873wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
3874{
3875 return sm ? sm->pmksa : NULL;
3876}
3877
3878
3879void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
3880{
3881 if (sm)
3882 sm->dot11RSNAStatsTKIPLocalMICFailures++;
3883}
3884
3885
3886const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
3887{
3888 if (wpa_auth == NULL)
3889 return NULL;
3890 *len = wpa_auth->wpa_ie_len;
3891 return wpa_auth->wpa_ie;
3892}
3893
3894
3895int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
207976f0 3896 unsigned int pmk_len,
6fc6879b
JM		 3897 int session_timeout, struct eapol_state_machine *eapol)
3898{
cb465555
JM		 3899 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
3900 sm->wpa_auth->conf.disable_pmksa_caching)
6fc6879b
JM		 3901 return -1;
3902
834c5d68 3903 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
207976f0
JM		 3904 if (pmk_len > PMK_LEN_SUITE_B_192)
3905 pmk_len = PMK_LEN_SUITE_B_192;
3906 } else if (pmk_len > PMK_LEN) {
3907 pmk_len = PMK_LEN;
3908 }
3909
70c93963 3910 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
98cd3d1c 3911 sm->PTK.kck, sm->PTK.kck_len,
4bb081f1
JM		 3912 sm->wpa_auth->addr, sm->addr, session_timeout,
3913 eapol, sm->wpa_key_mgmt))
6fc6879b
JM		 3914 return 0;
3915
3916 return -1;
3917}
3918
3919
3920int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
3921 const u8 *pmk, size_t len, const u8 *sta_addr,
3922 int session_timeout,
3923 struct eapol_state_machine *eapol)
3924{
3925 if (wpa_auth == NULL)
3926 return -1;
3927
70c93963 3928 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
087a1f4e
JM		 3929 NULL, 0,
3930 wpa_auth->addr,
4bb081f1
JM		 3931 sta_addr, session_timeout, eapol,
3932 WPA_KEY_MGMT_IEEE8021X))
6fc6879b
JM		 3933 return 0;
3934
3935 return -1;
3936}
3937
3938
f2991170 3939int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
70c93963 3940 const u8 *pmk, const u8 *pmkid)
f2991170
JM		 3941{
3942 if (wpa_auth->conf.disable_pmksa_caching)
3943 return -1;
3944
70c93963 3945 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
087a1f4e 3946 NULL, 0,
f2991170
JM		 3947 wpa_auth->addr, addr, 0, NULL,
3948 WPA_KEY_MGMT_SAE))
3949 return 0;
3950
3951 return -1;
3952}
3953
3954
901d1fe1
JM		 3955void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
3956 const u8 *sta_addr)
3957{
3958 struct rsn_pmksa_cache_entry *pmksa;
3959
3960 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
3961 return;
3962 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
3963 if (pmksa) {
3964 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
3965 MACSTR " based on request", MAC2STR(sta_addr));
3966 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
3967 }
3968}
3969
3970
b8daac18
MH		 3971int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
3972 size_t len)
3973{
3974 if (!wpa_auth || !wpa_auth->pmksa)
3975 return 0;
3976 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
3977}
3978
3979
4c522c77
MH		 3980void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
3981{
3982 if (wpa_auth && wpa_auth->pmksa)
3983 pmksa_cache_auth_flush(wpa_auth->pmksa);
3984}
3985
3986
4d77d80e
MH		 3987#ifdef CONFIG_PMKSA_CACHE_EXTERNAL
3988#ifdef CONFIG_MESH
3989
3990int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
3991 char *buf, size_t len)
3992{
3993 if (!wpa_auth || !wpa_auth->pmksa)
3994 return 0;
3995
3996 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
3997}
3998
3999
4000struct rsn_pmksa_cache_entry *
4001wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
4002 const u8 *pmkid, int expiration)
4003{
4004 struct rsn_pmksa_cache_entry *entry;
4005 struct os_reltime now;
4006
4007 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa,
4008 spa, 0, NULL, WPA_KEY_MGMT_SAE);
4009 if (!entry)
4010 return NULL;
4011
4012 os_get_reltime(&now);
4013 entry->expiration = now.sec + expiration;
4014 return entry;
4015}
4016
4017
4018int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
4019 struct rsn_pmksa_cache_entry *entry)
4020{
4021 int ret;
4022
4023 if (!wpa_auth || !wpa_auth->pmksa)
4024 return -1;
4025
4026 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
4027 if (ret < 0)
4028 wpa_printf(MSG_DEBUG,
4029 "RSN: Failed to store external PMKSA cache for "
4030 MACSTR, MAC2STR(entry->spa));
4031
4032 return ret;
4033}
4034
4035#endif /* CONFIG_MESH */
4036#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
4037
4038
9f2cf23e 4039struct rsn_pmksa_cache_entry *
c1bd4bac
JM		 4040wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
4041 const u8 *pmkid)
9f2cf23e
MH		 4042{
4043 if (!wpa_auth || !wpa_auth->pmksa)
4044 return NULL;
c1bd4bac 4045 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
9f2cf23e
MH		 4046}
4047
4048
4049void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
4050 struct wpa_state_machine *sm,
4051 struct wpa_authenticator *wpa_auth,
4052 u8 *pmkid, u8 *pmk)
4053{
4054 if (!sm)
4055 return;
4056
4057 sm->pmksa = pmksa;
8854f90b
JM		 4058 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
4059 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
4060 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
9f2cf23e
MH		 4061}
4062
4063
a0ad9e8c
MB		 4064/*
4065 * Remove and free the group from wpa_authenticator. This is triggered by a
4066 * callback to make sure nobody is currently iterating the group list while it
4067 * gets modified.
4068 */
4069static void wpa_group_free(struct wpa_authenticator *wpa_auth,
4070 struct wpa_group *group)
4071{
4072 struct wpa_group *prev = wpa_auth->group;
4073
4074 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
4075 group->vlan_id);
4076
4077 while (prev) {
4078 if (prev->next == group) {
4079 /* This never frees the special first group as needed */
4080 prev->next = group->next;
4081 os_free(group);
4082 break;
4083 }
4084 prev = prev->next;
4085 }
4086
4087}
4088
4089
4090/* Increase the reference counter for group */
4091static void wpa_group_get(struct wpa_authenticator *wpa_auth,
4092 struct wpa_group *group)
4093{
4094 /* Skip the special first group */
4095 if (wpa_auth->group == group)
4096 return;
4097
4098 group->references++;
4099}
4100
4101
4102/* Decrease the reference counter and maybe free the group */
4103static void wpa_group_put(struct wpa_authenticator *wpa_auth,
4104 struct wpa_group *group)
4105{
4106 /* Skip the special first group */
4107 if (wpa_auth->group == group)
4108 return;
4109
4110 group->references--;
4111 if (group->references)
4112 return;
4113 wpa_group_free(wpa_auth, group);
4114}
4115
4116
4117/*
4118 * Add a group that has its references counter set to zero. Caller needs to
4119 * call wpa_group_get() on the return value to mark the entry in use.
4120 */
6fc6879b
JM		 4121static struct wpa_group *
4122wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4123{
4124 struct wpa_group *group;
4125
4126 if (wpa_auth == NULL || wpa_auth->group == NULL)
4127 return NULL;
4128
4129 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
4130 vlan_id);
bdffdc5d 4131 group = wpa_group_init(wpa_auth, vlan_id, 0);
6fc6879b
JM		 4132 if (group == NULL)
4133 return NULL;
4134
4135 group->next = wpa_auth->group->next;
4136 wpa_auth->group->next = group;
4137
4138 return group;
4139}
4140
4141
7cebc8e2
MB		 4142/*
4143 * Enforce that the group state machine for the VLAN is running, increase
4144 * reference counter as interface is up. References might have been increased
4145 * even if a negative value is returned.
4146 * Returns: -1 on error (group missing, group already failed); otherwise, 0
4147 */
4148int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4149{
4150 struct wpa_group *group;
4151
4152 if (wpa_auth == NULL)
4153 return 0;
4154
4155 group = wpa_auth->group;
4156 while (group) {
4157 if (group->vlan_id == vlan_id)
4158 break;
4159 group = group->next;
4160 }
4161
4162 if (group == NULL) {
4163 group = wpa_auth_add_group(wpa_auth, vlan_id);
4164 if (group == NULL)
4165 return -1;
4166 }
4167
4168 wpa_printf(MSG_DEBUG,
4169 "WPA: Ensure group state machine running for VLAN ID %d",
4170 vlan_id);
4171
4172 wpa_group_get(wpa_auth, group);
4173 group->num_setup_iface++;
4174
4175 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4176 return -1;
4177
4178 return 0;
4179}
4180
4181
4182/*
4183 * Decrease reference counter, expected to be zero afterwards.
4184 * returns: -1 on error (group not found, group in fail state)
4185 * -2 if wpa_group is still referenced
4186 * 0 else
4187 */
4188int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4189{
4190 struct wpa_group *group;
4191 int ret = 0;
4192
4193 if (wpa_auth == NULL)
4194 return 0;
4195
4196 group = wpa_auth->group;
4197 while (group) {
4198 if (group->vlan_id == vlan_id)
4199 break;
4200 group = group->next;
4201 }
4202
4203 if (group == NULL)
4204 return -1;
4205
4206 wpa_printf(MSG_DEBUG,
4207 "WPA: Try stopping group state machine for VLAN ID %d",
4208 vlan_id);
4209
4210 if (group->num_setup_iface <= 0) {
4211 wpa_printf(MSG_ERROR,
4212 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
4213 vlan_id);
4214 return -1;
4215 }
4216 group->num_setup_iface--;
4217
4218 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4219 ret = -1;
4220
4221 if (group->references > 1) {
4222 wpa_printf(MSG_DEBUG,
4223 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
4224 vlan_id);
4225 ret = -2;
4226 }
4227
4228 wpa_group_put(wpa_auth, group);
4229
4230 return ret;
4231}
4232
4233
6fc6879b
JM		 4234int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
4235{
4236 struct wpa_group *group;
4237
4238 if (sm == NULL || sm->wpa_auth == NULL)
4239 return 0;
4240
4241 group = sm->wpa_auth->group;
4242 while (group) {
4243 if (group->vlan_id == vlan_id)
4244 break;
4245 group = group->next;
4246 }
4247
4248 if (group == NULL) {
4249 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
4250 if (group == NULL)
4251 return -1;
4252 }
4253
4254 if (sm->group == group)
4255 return 0;
4256
7d7f7be2
JM		 4257 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4258 return -1;
4259
6fc6879b
JM		 4260 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
4261 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
4262
a0ad9e8c
MB		 4263 wpa_group_get(sm->wpa_auth, group);
4264 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b 4265 sm->group = group;
a0ad9e8c 4266
6fc6879b
JM		 4267 return 0;
4268}
e4bf4db9
JM		 4269
4270
4271void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
4272 struct wpa_state_machine *sm, int ack)
4273{
4274 if (wpa_auth == NULL || sm == NULL)
4275 return;
4276 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
4277 " ack=%d", MAC2STR(sm->addr), ack);
4278 if (sm->pending_1_of_4_timeout && ack) {
4279 /*
4280 * Some deployed supplicant implementations update their SNonce
4281 * for each EAPOL-Key 2/4 message even within the same 4-way
4282 * handshake and then fail to use the first SNonce when
4283 * deriving the PTK. This results in unsuccessful 4-way
4284 * handshake whenever the relatively short initial timeout is
4285 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
4286 * around this by increasing the timeout now that we know that
4287 * the station has received the frame.
4288 */
4289 int timeout_ms = eapol_key_timeout_subseq;
4290 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
4291 "timeout by %u ms because of acknowledged frame",
4292 timeout_ms);
4293 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
4294 eloop_register_timeout(timeout_ms / 1000,
4295 (timeout_ms % 1000) * 1000,
4296 wpa_send_eapol_timeout, wpa_auth, sm);
4297 }
4298}
c10347f2
JM		 4299
4300
4301int wpa_auth_uses_sae(struct wpa_state_machine *sm)
4302{
4303 if (sm == NULL)
4304 return 0;
4305 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
4306}
aa189ac9
JM		 4307
4308
4309int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
4310{
4311 if (sm == NULL)
4312 return 0;
4313 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
4314}
25ef8529
JM		 4315
4316
4317#ifdef CONFIG_P2P
4318int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
4319{
4320 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
4321 return -1;
4322 os_memcpy(addr, sm->ip_addr, 4);
4323 return 0;
4324}
4325#endif /* CONFIG_P2P */
cbc210de
JM		 4326
4327
4328int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
4329 struct radius_das_attrs *attr)
4330{
4331 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
4332}
34782730
JM		 4333
4334
4335void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
4336{
4337 struct wpa_group *group;
4338
4339 if (!wpa_auth)
4340 return;
4341 for (group = wpa_auth->group; group; group = group->next)
4342 wpa_group_config_group_keys(wpa_auth, group);
4343}
7eace378
JM		 4344
4345
4346#ifdef CONFIG_FILS
4347
4348struct wpa_auth_fils_iter_data {
4349 struct wpa_authenticator *auth;
4350 const u8 *cache_id;
4351 struct rsn_pmksa_cache_entry *pmksa;
4352 const u8 *spa;
4353 const u8 *pmkid;
4354};
4355
4356
4357static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
4358{
4359 struct wpa_auth_fils_iter_data *data = ctx;
4360
4cc6574d 4361 if (a == data->auth || !a->conf.fils_cache_id_set ||
7eace378
JM		 4362 os_memcmp(a->conf.fils_cache_id, data->cache_id,
4363 FILS_CACHE_ID_LEN) != 0)
4364 return 0;
4365 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
4366 return data->pmksa != NULL;
4367}
4368
4369
4370struct rsn_pmksa_cache_entry *
4371wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
4372 const u8 *sta_addr, const u8 *pmkid)
4373{
4374 struct wpa_auth_fils_iter_data idata;
4375
4376 if (!wpa_auth->conf.fils_cache_id_set)
4377 return NULL;
4378 idata.auth = wpa_auth;
4379 idata.cache_id = wpa_auth->conf.fils_cache_id;
4380 idata.pmksa = NULL;
4381 idata.spa = sta_addr;
4382 idata.pmkid = pmkid;
4383 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
4384 return idata.pmksa;
4385}
4386
5db997e3
JM		 4387
4388#ifdef CONFIG_IEEE80211R_AP
4389int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, u8 *buf, size_t len)
4390{
4391 struct wpa_auth_config *conf = &wpa_auth->conf;
4392
4393 return wpa_write_ftie(conf, conf->r0_key_holder,
4394 conf->r0_key_holder_len,
4395 NULL, NULL, buf, len, NULL, 0);
4396}
4397#endif /* CONFIG_IEEE80211R_AP */
4398
8acbf85f
JM		 4399
4400void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
4401 u8 *fils_anonce, u8 *fils_snonce,
4402 u8 *fils_kek, size_t *fils_kek_len)
4403{
4404 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
4405 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
4406 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
4407 *fils_kek_len = sm->PTK.kek_len;
4408}
4409
7eace378 4410#endif /* CONFIG_FILS */
Unnamed repository; edit this file 'description' to name the repository.