]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix memcpy regression in PMK handling
[thirdparty/hostap.git] / src / ap / wpa_auth.c
1 /*
2 * IEEE 802.11 RSN / WPA Authenticator
3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/state_machine.h"
14 #include "utils/bitfield.h"
15 #include "common/ieee802_11_defs.h"
16 #include "common/ocv.h"
17 #include "crypto/aes.h"
18 #include "crypto/aes_wrap.h"
19 #include "crypto/aes_siv.h"
20 #include "crypto/crypto.h"
21 #include "crypto/sha1.h"
22 #include "crypto/sha256.h"
23 #include "crypto/sha384.h"
24 #include "crypto/random.h"
25 #include "eapol_auth/eapol_auth_sm.h"
26 #include "drivers/driver.h"
27 #include "ap_config.h"
28 #include "ieee802_11.h"
29 #include "wpa_auth.h"
30 #include "pmksa_cache_auth.h"
31 #include "wpa_auth_i.h"
32 #include "wpa_auth_ie.h"
33
34 #define STATE_MACHINE_DATA struct wpa_state_machine
35 #define STATE_MACHINE_DEBUG_PREFIX "WPA"
36 #define STATE_MACHINE_ADDR sm->addr
37
38
39 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
40 static int wpa_sm_step(struct wpa_state_machine *sm);
41 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
42 u8 *data, size_t data_len);
43 #ifdef CONFIG_FILS
44 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
45 u8 *buf, size_t buf_len, u16 *_key_data_len);
46 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
47 const struct wpabuf *hlp);
48 #endif /* CONFIG_FILS */
49 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
50 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
51 struct wpa_group *group);
52 static void wpa_request_new_ptk(struct wpa_state_machine *sm);
53 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
54 struct wpa_group *group);
55 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
56 struct wpa_group *group);
57 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
58 const u8 *pmk, unsigned int pmk_len,
59 struct wpa_ptk *ptk);
60 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
61 struct wpa_group *group);
62 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
63 struct wpa_group *group);
64 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
65 struct wpa_group *group);
66 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
67
68 static const u32 eapol_key_timeout_first = 100; /* ms */
69 static const u32 eapol_key_timeout_subseq = 1000; /* ms */
70 static const u32 eapol_key_timeout_first_group = 500; /* ms */
71 static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
72
73 /* TODO: make these configurable */
74 static const int dot11RSNAConfigPMKLifetime = 43200;
75 static const int dot11RSNAConfigPMKReauthThreshold = 70;
76 static const int dot11RSNAConfigSATimeout = 60;
77
78
79 static inline int wpa_auth_mic_failure_report(
80 struct wpa_authenticator *wpa_auth, const u8 *addr)
81 {
82 if (wpa_auth->cb->mic_failure_report)
83 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
84 return 0;
85 }
86
87
88 static inline void wpa_auth_psk_failure_report(
89 struct wpa_authenticator *wpa_auth, const u8 *addr)
90 {
91 if (wpa_auth->cb->psk_failure_report)
92 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
93 }
94
95
96 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
97 const u8 *addr, wpa_eapol_variable var,
98 int value)
99 {
100 if (wpa_auth->cb->set_eapol)
101 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
102 }
103
104
105 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
106 const u8 *addr, wpa_eapol_variable var)
107 {
108 if (wpa_auth->cb->get_eapol == NULL)
109 return -1;
110 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
111 }
112
113
114 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
115 const u8 *addr,
116 const u8 *p2p_dev_addr,
117 const u8 *prev_psk, size_t *psk_len,
118 int *vlan_id)
119 {
120 if (wpa_auth->cb->get_psk == NULL)
121 return NULL;
122 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
123 prev_psk, psk_len, vlan_id);
124 }
125
126
127 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
128 const u8 *addr, u8 *msk, size_t *len)
129 {
130 if (wpa_auth->cb->get_msk == NULL)
131 return -1;
132 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
133 }
134
135
136 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
137 int vlan_id,
138 enum wpa_alg alg, const u8 *addr, int idx,
139 u8 *key, size_t key_len)
140 {
141 if (wpa_auth->cb->set_key == NULL)
142 return -1;
143 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
144 key, key_len);
145 }
146
147
148 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
149 const u8 *addr, int idx, u8 *seq)
150 {
151 if (wpa_auth->cb->get_seqnum == NULL)
152 return -1;
153 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
154 }
155
156
157 static inline int
158 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
159 const u8 *data, size_t data_len, int encrypt)
160 {
161 if (wpa_auth->cb->send_eapol == NULL)
162 return -1;
163 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
164 encrypt);
165 }
166
167
168 #ifdef CONFIG_MESH
169 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
170 const u8 *addr)
171 {
172 if (wpa_auth->cb->start_ampe == NULL)
173 return -1;
174 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
175 }
176 #endif /* CONFIG_MESH */
177
178
179 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
180 int (*cb)(struct wpa_state_machine *sm, void *ctx),
181 void *cb_ctx)
182 {
183 if (wpa_auth->cb->for_each_sta == NULL)
184 return 0;
185 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
186 }
187
188
189 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
190 int (*cb)(struct wpa_authenticator *a, void *ctx),
191 void *cb_ctx)
192 {
193 if (wpa_auth->cb->for_each_auth == NULL)
194 return 0;
195 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
196 }
197
198
199 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
200 logger_level level, const char *txt)
201 {
202 if (wpa_auth->cb->logger == NULL)
203 return;
204 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
205 }
206
207
208 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
209 logger_level level, const char *fmt, ...)
210 {
211 char *format;
212 int maxlen;
213 va_list ap;
214
215 if (wpa_auth->cb->logger == NULL)
216 return;
217
218 maxlen = os_strlen(fmt) + 100;
219 format = os_malloc(maxlen);
220 if (!format)
221 return;
222
223 va_start(ap, fmt);
224 vsnprintf(format, maxlen, fmt, ap);
225 va_end(ap);
226
227 wpa_auth_logger(wpa_auth, addr, level, format);
228
229 os_free(format);
230 }
231
232
233 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
234 const u8 *addr, u16 reason)
235 {
236 if (wpa_auth->cb->disconnect == NULL)
237 return;
238 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)",
239 MAC2STR(addr), reason);
240 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason);
241 }
242
243
244 #ifdef CONFIG_OCV
245 static int wpa_channel_info(struct wpa_authenticator *wpa_auth,
246 struct wpa_channel_info *ci)
247 {
248 if (!wpa_auth->cb->channel_info)
249 return -1;
250 return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci);
251 }
252 #endif /* CONFIG_OCV */
253
254
255 static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth,
256 const u8 *addr, int vlan_id)
257 {
258 if (!wpa_auth->cb->update_vlan)
259 return -1;
260 return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id);
261 }
262
263
264 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
265 {
266 struct wpa_authenticator *wpa_auth = eloop_ctx;
267
268 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
269 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
270 "initialization.");
271 } else {
272 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
273 wpa_hexdump_key(MSG_DEBUG, "GMK",
274 wpa_auth->group->GMK, WPA_GMK_LEN);
275 }
276
277 if (wpa_auth->conf.wpa_gmk_rekey) {
278 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
279 wpa_rekey_gmk, wpa_auth, NULL);
280 }
281 }
282
283
284 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
285 {
286 struct wpa_authenticator *wpa_auth = eloop_ctx;
287 struct wpa_group *group, *next;
288
289 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
290 group = wpa_auth->group;
291 while (group) {
292 wpa_group_get(wpa_auth, group);
293
294 group->GTKReKey = TRUE;
295 do {
296 group->changed = FALSE;
297 wpa_group_sm_step(wpa_auth, group);
298 } while (group->changed);
299
300 next = group->next;
301 wpa_group_put(wpa_auth, group);
302 group = next;
303 }
304
305 if (wpa_auth->conf.wpa_group_rekey) {
306 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
307 0, wpa_rekey_gtk, wpa_auth, NULL);
308 }
309 }
310
311
312 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
313 {
314 struct wpa_authenticator *wpa_auth = eloop_ctx;
315 struct wpa_state_machine *sm = timeout_ctx;
316
317 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
318 wpa_request_new_ptk(sm);
319 wpa_sm_step(sm);
320 }
321
322
323 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
324 {
325 if (sm->pmksa == ctx)
326 sm->pmksa = NULL;
327 return 0;
328 }
329
330
331 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
332 void *ctx)
333 {
334 struct wpa_authenticator *wpa_auth = ctx;
335 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
336 }
337
338
339 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
340 struct wpa_group *group)
341 {
342 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
343 u8 rkey[32];
344 unsigned long ptr;
345
346 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
347 return -1;
348 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
349
350 /*
351 * Counter = PRF-256(Random number, "Init Counter",
352 * Local MAC Address || Time)
353 */
354 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
355 wpa_get_ntp_timestamp(buf + ETH_ALEN);
356 ptr = (unsigned long) group;
357 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
358 #ifdef TEST_FUZZ
359 os_memset(buf + ETH_ALEN, 0xab, 8);
360 os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr));
361 #endif /* TEST_FUZZ */
362 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
363 return -1;
364
365 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
366 group->Counter, WPA_NONCE_LEN) < 0)
367 return -1;
368 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
369 group->Counter, WPA_NONCE_LEN);
370
371 return 0;
372 }
373
374
375 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
376 int vlan_id, int delay_init)
377 {
378 struct wpa_group *group;
379
380 group = os_zalloc(sizeof(struct wpa_group));
381 if (group == NULL)
382 return NULL;
383
384 group->GTKAuthenticator = TRUE;
385 group->vlan_id = vlan_id;
386 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
387
388 if (random_pool_ready() != 1) {
389 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
390 "for secure operations - update keys later when "
391 "the first station connects");
392 }
393
394 /*
395 * Set initial GMK/Counter value here. The actual values that will be
396 * used in negotiations will be set once the first station tries to
397 * connect. This allows more time for collecting additional randomness
398 * on embedded devices.
399 */
400 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
401 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
402 "initialization.");
403 os_free(group);
404 return NULL;
405 }
406
407 group->GInit = TRUE;
408 if (delay_init) {
409 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
410 "until Beacon frames have been configured");
411 /* Initialization is completed in wpa_init_keys(). */
412 } else {
413 wpa_group_sm_step(wpa_auth, group);
414 group->GInit = FALSE;
415 wpa_group_sm_step(wpa_auth, group);
416 }
417
418 return group;
419 }
420
421
422 /**
423 * wpa_init - Initialize WPA authenticator
424 * @addr: Authenticator address
425 * @conf: Configuration for WPA authenticator
426 * @cb: Callback functions for WPA authenticator
427 * Returns: Pointer to WPA authenticator data or %NULL on failure
428 */
429 struct wpa_authenticator * wpa_init(const u8 *addr,
430 struct wpa_auth_config *conf,
431 const struct wpa_auth_callbacks *cb,
432 void *cb_ctx)
433 {
434 struct wpa_authenticator *wpa_auth;
435
436 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
437 if (wpa_auth == NULL)
438 return NULL;
439 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
440 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
441 wpa_auth->cb = cb;
442 wpa_auth->cb_ctx = cb_ctx;
443
444 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
445 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
446 os_free(wpa_auth);
447 return NULL;
448 }
449
450 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
451 if (wpa_auth->group == NULL) {
452 os_free(wpa_auth->wpa_ie);
453 os_free(wpa_auth);
454 return NULL;
455 }
456
457 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
458 wpa_auth);
459 if (wpa_auth->pmksa == NULL) {
460 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
461 os_free(wpa_auth->group);
462 os_free(wpa_auth->wpa_ie);
463 os_free(wpa_auth);
464 return NULL;
465 }
466
467 #ifdef CONFIG_IEEE80211R_AP
468 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
469 if (wpa_auth->ft_pmk_cache == NULL) {
470 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
471 os_free(wpa_auth->group);
472 os_free(wpa_auth->wpa_ie);
473 pmksa_cache_auth_deinit(wpa_auth->pmksa);
474 os_free(wpa_auth);
475 return NULL;
476 }
477 #endif /* CONFIG_IEEE80211R_AP */
478
479 if (wpa_auth->conf.wpa_gmk_rekey) {
480 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
481 wpa_rekey_gmk, wpa_auth, NULL);
482 }
483
484 if (wpa_auth->conf.wpa_group_rekey) {
485 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
486 wpa_rekey_gtk, wpa_auth, NULL);
487 }
488
489 #ifdef CONFIG_P2P
490 if (WPA_GET_BE32(conf->ip_addr_start)) {
491 int count = WPA_GET_BE32(conf->ip_addr_end) -
492 WPA_GET_BE32(conf->ip_addr_start) + 1;
493 if (count > 1000)
494 count = 1000;
495 if (count > 0)
496 wpa_auth->ip_pool = bitfield_alloc(count);
497 }
498 #endif /* CONFIG_P2P */
499
500 return wpa_auth;
501 }
502
503
504 int wpa_init_keys(struct wpa_authenticator *wpa_auth)
505 {
506 struct wpa_group *group = wpa_auth->group;
507
508 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
509 "keys");
510 wpa_group_sm_step(wpa_auth, group);
511 group->GInit = FALSE;
512 wpa_group_sm_step(wpa_auth, group);
513 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
514 return -1;
515 return 0;
516 }
517
518
519 /**
520 * wpa_deinit - Deinitialize WPA authenticator
521 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
522 */
523 void wpa_deinit(struct wpa_authenticator *wpa_auth)
524 {
525 struct wpa_group *group, *prev;
526
527 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
528 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
529
530 pmksa_cache_auth_deinit(wpa_auth->pmksa);
531
532 #ifdef CONFIG_IEEE80211R_AP
533 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
534 wpa_auth->ft_pmk_cache = NULL;
535 wpa_ft_deinit(wpa_auth);
536 #endif /* CONFIG_IEEE80211R_AP */
537
538 #ifdef CONFIG_P2P
539 bitfield_free(wpa_auth->ip_pool);
540 #endif /* CONFIG_P2P */
541
542
543 os_free(wpa_auth->wpa_ie);
544
545 group = wpa_auth->group;
546 while (group) {
547 prev = group;
548 group = group->next;
549 os_free(prev);
550 }
551
552 os_free(wpa_auth);
553 }
554
555
556 /**
557 * wpa_reconfig - Update WPA authenticator configuration
558 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
559 * @conf: Configuration for WPA authenticator
560 */
561 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
562 struct wpa_auth_config *conf)
563 {
564 struct wpa_group *group;
565 if (wpa_auth == NULL)
566 return 0;
567
568 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
569 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
570 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
571 return -1;
572 }
573
574 /*
575 * Reinitialize GTK to make sure it is suitable for the new
576 * configuration.
577 */
578 group = wpa_auth->group;
579 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
580 group->GInit = TRUE;
581 wpa_group_sm_step(wpa_auth, group);
582 group->GInit = FALSE;
583 wpa_group_sm_step(wpa_auth, group);
584
585 return 0;
586 }
587
588
589 struct wpa_state_machine *
590 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
591 const u8 *p2p_dev_addr)
592 {
593 struct wpa_state_machine *sm;
594
595 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
596 return NULL;
597
598 sm = os_zalloc(sizeof(struct wpa_state_machine));
599 if (sm == NULL)
600 return NULL;
601 os_memcpy(sm->addr, addr, ETH_ALEN);
602 if (p2p_dev_addr)
603 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
604
605 sm->wpa_auth = wpa_auth;
606 sm->group = wpa_auth->group;
607 wpa_group_get(sm->wpa_auth, sm->group);
608
609 return sm;
610 }
611
612
613 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
614 struct wpa_state_machine *sm)
615 {
616 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
617 return -1;
618
619 #ifdef CONFIG_IEEE80211R_AP
620 if (sm->ft_completed) {
621 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
622 "FT authentication already completed - do not "
623 "start 4-way handshake");
624 /* Go to PTKINITDONE state to allow GTK rekeying */
625 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
626 sm->Pair = TRUE;
627 return 0;
628 }
629 #endif /* CONFIG_IEEE80211R_AP */
630
631 #ifdef CONFIG_FILS
632 if (sm->fils_completed) {
633 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
634 "FILS authentication already completed - do not start 4-way handshake");
635 /* Go to PTKINITDONE state to allow GTK rekeying */
636 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
637 sm->Pair = TRUE;
638 return 0;
639 }
640 #endif /* CONFIG_FILS */
641
642 if (sm->started) {
643 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
644 sm->ReAuthenticationRequest = TRUE;
645 return wpa_sm_step(sm);
646 }
647
648 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
649 "start authentication");
650 sm->started = 1;
651
652 sm->Init = TRUE;
653 if (wpa_sm_step(sm) == 1)
654 return 1; /* should not really happen */
655 sm->Init = FALSE;
656 sm->AuthenticationRequest = TRUE;
657 return wpa_sm_step(sm);
658 }
659
660
661 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
662 {
663 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
664 * reassociates back to the same AP while the previous entry for the
665 * STA has not yet been removed. */
666 if (sm == NULL)
667 return;
668
669 sm->wpa_key_mgmt = 0;
670 }
671
672
673 static void wpa_free_sta_sm(struct wpa_state_machine *sm)
674 {
675 #ifdef CONFIG_P2P
676 if (WPA_GET_BE32(sm->ip_addr)) {
677 u32 start;
678 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
679 "address %u.%u.%u.%u from " MACSTR,
680 sm->ip_addr[0], sm->ip_addr[1],
681 sm->ip_addr[2], sm->ip_addr[3],
682 MAC2STR(sm->addr));
683 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
684 bitfield_clear(sm->wpa_auth->ip_pool,
685 WPA_GET_BE32(sm->ip_addr) - start);
686 }
687 #endif /* CONFIG_P2P */
688 if (sm->GUpdateStationKeys) {
689 sm->group->GKeyDoneStations--;
690 sm->GUpdateStationKeys = FALSE;
691 }
692 #ifdef CONFIG_IEEE80211R_AP
693 os_free(sm->assoc_resp_ftie);
694 wpabuf_free(sm->ft_pending_req_ies);
695 #endif /* CONFIG_IEEE80211R_AP */
696 os_free(sm->last_rx_eapol_key);
697 os_free(sm->wpa_ie);
698 wpa_group_put(sm->wpa_auth, sm->group);
699 #ifdef CONFIG_DPP2
700 wpabuf_clear_free(sm->dpp_z);
701 #endif /* CONFIG_DPP2 */
702 os_free(sm);
703 }
704
705
706 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
707 {
708 if (sm == NULL)
709 return;
710
711 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
712 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
713 "strict rekeying - force GTK rekey since STA "
714 "is leaving");
715 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk,
716 sm->wpa_auth, NULL) == -1)
717 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
718 NULL);
719 }
720
721 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
722 sm->pending_1_of_4_timeout = 0;
723 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
724 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
725 #ifdef CONFIG_IEEE80211R_AP
726 wpa_ft_sta_deinit(sm);
727 #endif /* CONFIG_IEEE80211R_AP */
728 if (sm->in_step_loop) {
729 /* Must not free state machine while wpa_sm_step() is running.
730 * Freeing will be completed in the end of wpa_sm_step(). */
731 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
732 "machine deinit for " MACSTR, MAC2STR(sm->addr));
733 sm->pending_deinit = 1;
734 } else
735 wpa_free_sta_sm(sm);
736 }
737
738
739 static void wpa_request_new_ptk(struct wpa_state_machine *sm)
740 {
741 if (sm == NULL)
742 return;
743
744 sm->PTKRequest = TRUE;
745 sm->PTK_valid = 0;
746 }
747
748
749 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
750 const u8 *replay_counter)
751 {
752 int i;
753 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
754 if (!ctr[i].valid)
755 break;
756 if (os_memcmp(replay_counter, ctr[i].counter,
757 WPA_REPLAY_COUNTER_LEN) == 0)
758 return 1;
759 }
760 return 0;
761 }
762
763
764 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
765 const u8 *replay_counter)
766 {
767 int i;
768 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
769 if (ctr[i].valid &&
770 (replay_counter == NULL ||
771 os_memcmp(replay_counter, ctr[i].counter,
772 WPA_REPLAY_COUNTER_LEN) == 0))
773 ctr[i].valid = FALSE;
774 }
775 }
776
777
778 #ifdef CONFIG_IEEE80211R_AP
779 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
780 struct wpa_state_machine *sm,
781 struct wpa_eapol_ie_parse *kde)
782 {
783 struct wpa_ie_data ie;
784 struct rsn_mdie *mdie;
785
786 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
787 ie.num_pmkid != 1 || ie.pmkid == NULL) {
788 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
789 "FT 4-way handshake message 2/4");
790 return -1;
791 }
792
793 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
794 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
795 sm->sup_pmk_r1_name, PMKID_LEN);
796
797 if (!kde->mdie || !kde->ftie) {
798 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
799 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
800 return -1;
801 }
802
803 mdie = (struct rsn_mdie *) (kde->mdie + 2);
804 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
805 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
806 MOBILITY_DOMAIN_ID_LEN) != 0) {
807 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
808 return -1;
809 }
810
811 if (sm->assoc_resp_ftie &&
812 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
813 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
814 2 + sm->assoc_resp_ftie[1]) != 0)) {
815 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
816 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
817 kde->ftie, kde->ftie_len);
818 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
819 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
820 return -1;
821 }
822
823 return 0;
824 }
825 #endif /* CONFIG_IEEE80211R_AP */
826
827
828 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
829 struct wpa_state_machine *sm, int group)
830 {
831 /* Supplicant reported a Michael MIC error */
832 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
833 "received EAPOL-Key Error Request "
834 "(STA detected Michael MIC failure (group=%d))",
835 group);
836
837 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
838 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
839 "ignore Michael MIC failure report since "
840 "group cipher is not TKIP");
841 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
842 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
843 "ignore Michael MIC failure report since "
844 "pairwise cipher is not TKIP");
845 } else {
846 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
847 return 1; /* STA entry was removed */
848 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
849 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
850 }
851
852 /*
853 * Error report is not a request for a new key handshake, but since
854 * Authenticator may do it, let's change the keys now anyway.
855 */
856 wpa_request_new_ptk(sm);
857 return 0;
858 }
859
860
861 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
862 size_t data_len)
863 {
864 struct wpa_ptk PTK;
865 int ok = 0;
866 const u8 *pmk = NULL;
867 size_t pmk_len;
868 int vlan_id = 0;
869
870 os_memset(&PTK, 0, sizeof(PTK));
871 for (;;) {
872 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
873 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
874 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
875 sm->p2p_dev_addr, pmk, &pmk_len,
876 &vlan_id);
877 if (pmk == NULL)
878 break;
879 #ifdef CONFIG_IEEE80211R_AP
880 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
881 os_memcpy(sm->xxkey, pmk, pmk_len);
882 sm->xxkey_len = pmk_len;
883 }
884 #endif /* CONFIG_IEEE80211R_AP */
885 } else {
886 pmk = sm->PMK;
887 pmk_len = sm->pmk_len;
888 }
889
890 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0)
891 break;
892
893 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
894 data, data_len) == 0) {
895 if (sm->PMK != pmk) {
896 os_memcpy(sm->PMK, pmk, pmk_len);
897 sm->pmk_len = pmk_len;
898 }
899 ok = 1;
900 break;
901 }
902
903 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
904 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
905 break;
906 }
907
908 if (!ok) {
909 wpa_printf(MSG_DEBUG,
910 "WPA: Earlier SNonce did not result in matching MIC");
911 return -1;
912 }
913
914 wpa_printf(MSG_DEBUG,
915 "WPA: Earlier SNonce resulted in matching MIC");
916 sm->alt_snonce_valid = 0;
917
918 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
919 wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0)
920 return -1;
921
922 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
923 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
924 sm->PTK_valid = TRUE;
925
926 return 0;
927 }
928
929
930 void wpa_receive(struct wpa_authenticator *wpa_auth,
931 struct wpa_state_machine *sm,
932 u8 *data, size_t data_len)
933 {
934 struct ieee802_1x_hdr *hdr;
935 struct wpa_eapol_key *key;
936 u16 key_info, key_data_length;
937 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg;
938 char *msgtxt;
939 struct wpa_eapol_ie_parse kde;
940 const u8 *key_data;
941 size_t keyhdrlen, mic_len;
942 u8 *mic;
943
944 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
945 return;
946 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
947
948 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
949 keyhdrlen = sizeof(*key) + mic_len + 2;
950
951 if (data_len < sizeof(*hdr) + keyhdrlen) {
952 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
953 return;
954 }
955
956 hdr = (struct ieee802_1x_hdr *) data;
957 key = (struct wpa_eapol_key *) (hdr + 1);
958 mic = (u8 *) (key + 1);
959 key_info = WPA_GET_BE16(key->key_info);
960 key_data = mic + mic_len + 2;
961 key_data_length = WPA_GET_BE16(mic + mic_len);
962 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
963 " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
964 MAC2STR(sm->addr), key_info, key->type,
965 (unsigned int) mic_len, key_data_length);
966 wpa_hexdump(MSG_MSGDUMP,
967 "WPA: EAPOL-Key header (ending before Key MIC)",
968 key, sizeof(*key));
969 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
970 mic, mic_len);
971 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
972 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
973 "key_data overflow (%d > %lu)",
974 key_data_length,
975 (unsigned long) (data_len - sizeof(*hdr) -
976 keyhdrlen));
977 return;
978 }
979
980 if (sm->wpa == WPA_VERSION_WPA2) {
981 if (key->type == EAPOL_KEY_TYPE_WPA) {
982 /*
983 * Some deployed station implementations seem to send
984 * msg 4/4 with incorrect type value in WPA2 mode.
985 */
986 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
987 "with unexpected WPA type in RSN mode");
988 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
989 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
990 "unexpected type %d in RSN mode",
991 key->type);
992 return;
993 }
994 } else {
995 if (key->type != EAPOL_KEY_TYPE_WPA) {
996 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
997 "unexpected type %d in WPA mode",
998 key->type);
999 return;
1000 }
1001 }
1002
1003 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
1004 WPA_NONCE_LEN);
1005 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
1006 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1007
1008 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
1009 * are set */
1010
1011 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
1012 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message");
1013 return;
1014 }
1015
1016 if (key_info & WPA_KEY_INFO_REQUEST) {
1017 msg = REQUEST;
1018 msgtxt = "Request";
1019 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
1020 msg = GROUP_2;
1021 msgtxt = "2/2 Group";
1022 } else if (key_data_length == 0 ||
1023 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1024 key_data_length == AES_BLOCK_SIZE)) {
1025 msg = PAIRWISE_4;
1026 msgtxt = "4/4 Pairwise";
1027 } else {
1028 msg = PAIRWISE_2;
1029 msgtxt = "2/4 Pairwise";
1030 }
1031
1032 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1033 msg == GROUP_2) {
1034 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
1035 if (sm->pairwise == WPA_CIPHER_CCMP ||
1036 sm->pairwise == WPA_CIPHER_GCMP) {
1037 if (wpa_use_cmac(sm->wpa_key_mgmt) &&
1038 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1039 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1040 wpa_auth_logger(wpa_auth, sm->addr,
1041 LOGGER_WARNING,
1042 "advertised support for "
1043 "AES-128-CMAC, but did not "
1044 "use it");
1045 return;
1046 }
1047
1048 if (!wpa_use_cmac(sm->wpa_key_mgmt) &&
1049 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1050 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1051 wpa_auth_logger(wpa_auth, sm->addr,
1052 LOGGER_WARNING,
1053 "did not use HMAC-SHA1-AES "
1054 "with CCMP/GCMP");
1055 return;
1056 }
1057 }
1058
1059 if (wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1060 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1061 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1062 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1063 return;
1064 }
1065 }
1066
1067 if (key_info & WPA_KEY_INFO_REQUEST) {
1068 if (sm->req_replay_counter_used &&
1069 os_memcmp(key->replay_counter, sm->req_replay_counter,
1070 WPA_REPLAY_COUNTER_LEN) <= 0) {
1071 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1072 "received EAPOL-Key request with "
1073 "replayed counter");
1074 return;
1075 }
1076 }
1077
1078 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
1079 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
1080 int i;
1081
1082 if (msg == PAIRWISE_2 &&
1083 wpa_replay_counter_valid(sm->prev_key_replay,
1084 key->replay_counter) &&
1085 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1086 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1087 {
1088 /*
1089 * Some supplicant implementations (e.g., Windows XP
1090 * WZC) update SNonce for each EAPOL-Key 2/4. This
1091 * breaks the workaround on accepting any of the
1092 * pending requests, so allow the SNonce to be updated
1093 * even if we have already sent out EAPOL-Key 3/4.
1094 */
1095 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1096 "Process SNonce update from STA "
1097 "based on retransmitted EAPOL-Key "
1098 "1/4");
1099 sm->update_snonce = 1;
1100 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1101 sm->alt_snonce_valid = TRUE;
1102 os_memcpy(sm->alt_replay_counter,
1103 sm->key_replay[0].counter,
1104 WPA_REPLAY_COUNTER_LEN);
1105 goto continue_processing;
1106 }
1107
1108 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1109 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1110 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1111 WPA_REPLAY_COUNTER_LEN) == 0) {
1112 /*
1113 * Supplicant may still be using the old SNonce since
1114 * there was two EAPOL-Key 2/4 messages and they had
1115 * different SNonce values.
1116 */
1117 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1118 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
1119 goto continue_processing;
1120 }
1121
1122 if (msg == PAIRWISE_2 &&
1123 wpa_replay_counter_valid(sm->prev_key_replay,
1124 key->replay_counter) &&
1125 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1126 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1127 "ignore retransmitted EAPOL-Key %s - "
1128 "SNonce did not change", msgtxt);
1129 } else {
1130 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1131 "received EAPOL-Key %s with "
1132 "unexpected replay counter", msgtxt);
1133 }
1134 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1135 if (!sm->key_replay[i].valid)
1136 break;
1137 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1138 sm->key_replay[i].counter,
1139 WPA_REPLAY_COUNTER_LEN);
1140 }
1141 wpa_hexdump(MSG_DEBUG, "received replay counter",
1142 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1143 return;
1144 }
1145
1146 continue_processing:
1147 #ifdef CONFIG_FILS
1148 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1149 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1150 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1151 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1152 return;
1153 }
1154 #endif /* CONFIG_FILS */
1155
1156 switch (msg) {
1157 case PAIRWISE_2:
1158 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
1159 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1160 (!sm->update_snonce ||
1161 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
1162 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1163 "received EAPOL-Key msg 2/4 in "
1164 "invalid state (%d) - dropped",
1165 sm->wpa_ptk_state);
1166 return;
1167 }
1168 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
1169 if (sm->group->reject_4way_hs_for_entropy) {
1170 /*
1171 * The system did not have enough entropy to generate
1172 * strong random numbers. Reject the first 4-way
1173 * handshake(s) and collect some entropy based on the
1174 * information from it. Once enough entropy is
1175 * available, the next atempt will trigger GMK/Key
1176 * Counter update and the station will be allowed to
1177 * continue.
1178 */
1179 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1180 "collect more entropy for random number "
1181 "generation");
1182 random_mark_pool_ready();
1183 wpa_sta_disconnect(wpa_auth, sm->addr,
1184 WLAN_REASON_PREV_AUTH_NOT_VALID);
1185 return;
1186 }
1187 break;
1188 case PAIRWISE_4:
1189 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1190 !sm->PTK_valid) {
1191 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1192 "received EAPOL-Key msg 4/4 in "
1193 "invalid state (%d) - dropped",
1194 sm->wpa_ptk_state);
1195 return;
1196 }
1197 break;
1198 case GROUP_2:
1199 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1200 || !sm->PTK_valid) {
1201 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1202 "received EAPOL-Key msg 2/2 in "
1203 "invalid state (%d) - dropped",
1204 sm->wpa_ptk_group_state);
1205 return;
1206 }
1207 break;
1208 case REQUEST:
1209 break;
1210 }
1211
1212 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1213 "received EAPOL-Key frame (%s)", msgtxt);
1214
1215 if (key_info & WPA_KEY_INFO_ACK) {
1216 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1217 "received invalid EAPOL-Key: Key Ack set");
1218 return;
1219 }
1220
1221 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1222 !(key_info & WPA_KEY_INFO_MIC)) {
1223 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1224 "received invalid EAPOL-Key: Key MIC not set");
1225 return;
1226 }
1227
1228 #ifdef CONFIG_FILS
1229 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1230 (key_info & WPA_KEY_INFO_MIC)) {
1231 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1232 "received invalid EAPOL-Key: Key MIC set");
1233 return;
1234 }
1235 #endif /* CONFIG_FILS */
1236
1237 sm->MICVerified = FALSE;
1238 if (sm->PTK_valid && !sm->update_snonce) {
1239 if (mic_len &&
1240 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK,
1241 data, data_len) &&
1242 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1243 wpa_try_alt_snonce(sm, data, data_len))) {
1244 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1245 "received EAPOL-Key with invalid MIC");
1246 #ifdef TEST_FUZZ
1247 wpa_printf(MSG_INFO,
1248 "TEST: Ignore Key MIC failure for fuzz testing");
1249 goto continue_fuzz;
1250 #endif /* TEST_FUZZ */
1251 return;
1252 }
1253 #ifdef CONFIG_FILS
1254 if (!mic_len &&
1255 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1256 &key_data_length) < 0) {
1257 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1258 "received EAPOL-Key with invalid MIC");
1259 #ifdef TEST_FUZZ
1260 wpa_printf(MSG_INFO,
1261 "TEST: Ignore Key MIC failure for fuzz testing");
1262 goto continue_fuzz;
1263 #endif /* TEST_FUZZ */
1264 return;
1265 }
1266 #endif /* CONFIG_FILS */
1267 #ifdef TEST_FUZZ
1268 continue_fuzz:
1269 #endif /* TEST_FUZZ */
1270 sm->MICVerified = TRUE;
1271 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1272 sm->pending_1_of_4_timeout = 0;
1273 }
1274
1275 if (key_info & WPA_KEY_INFO_REQUEST) {
1276 if (sm->MICVerified) {
1277 sm->req_replay_counter_used = 1;
1278 os_memcpy(sm->req_replay_counter, key->replay_counter,
1279 WPA_REPLAY_COUNTER_LEN);
1280 } else {
1281 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1282 "received EAPOL-Key request with "
1283 "invalid MIC");
1284 return;
1285 }
1286
1287 /*
1288 * TODO: should decrypt key data field if encryption was used;
1289 * even though MAC address KDE is not normally encrypted,
1290 * supplicant is allowed to encrypt it.
1291 */
1292 if (key_info & WPA_KEY_INFO_ERROR) {
1293 if (wpa_receive_error_report(
1294 wpa_auth, sm,
1295 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1296 return; /* STA entry was removed */
1297 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1298 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1299 "received EAPOL-Key Request for new "
1300 "4-Way Handshake");
1301 wpa_request_new_ptk(sm);
1302 } else if (key_data_length > 0 &&
1303 wpa_parse_kde_ies(key_data, key_data_length,
1304 &kde) == 0 &&
1305 kde.mac_addr) {
1306 } else {
1307 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1308 "received EAPOL-Key Request for GTK "
1309 "rekeying");
1310 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1311 wpa_rekey_gtk(wpa_auth, NULL);
1312 }
1313 } else {
1314 /* Do not allow the same key replay counter to be reused. */
1315 wpa_replay_counter_mark_invalid(sm->key_replay,
1316 key->replay_counter);
1317
1318 if (msg == PAIRWISE_2) {
1319 /*
1320 * Maintain a copy of the pending EAPOL-Key frames in
1321 * case the EAPOL-Key frame was retransmitted. This is
1322 * needed to allow EAPOL-Key msg 2/4 reply to another
1323 * pending msg 1/4 to update the SNonce to work around
1324 * unexpected supplicant behavior.
1325 */
1326 os_memcpy(sm->prev_key_replay, sm->key_replay,
1327 sizeof(sm->key_replay));
1328 } else {
1329 os_memset(sm->prev_key_replay, 0,
1330 sizeof(sm->prev_key_replay));
1331 }
1332
1333 /*
1334 * Make sure old valid counters are not accepted anymore and
1335 * do not get copied again.
1336 */
1337 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1338 }
1339
1340 os_free(sm->last_rx_eapol_key);
1341 sm->last_rx_eapol_key = os_memdup(data, data_len);
1342 if (sm->last_rx_eapol_key == NULL)
1343 return;
1344 sm->last_rx_eapol_key_len = data_len;
1345
1346 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1347 sm->EAPOLKeyReceived = TRUE;
1348 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1349 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1350 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1351 wpa_sm_step(sm);
1352 }
1353
1354
1355 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1356 const u8 *gnonce, u8 *gtk, size_t gtk_len)
1357 {
1358 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN];
1359 u8 *pos;
1360 int ret = 0;
1361
1362 /* GTK = PRF-X(GMK, "Group key expansion",
1363 * AA || GNonce || Time || random data)
1364 * The example described in the IEEE 802.11 standard uses only AA and
1365 * GNonce as inputs here. Add some more entropy since this derivation
1366 * is done only at the Authenticator and as such, does not need to be
1367 * exactly same.
1368 */
1369 os_memset(data, 0, sizeof(data));
1370 os_memcpy(data, addr, ETH_ALEN);
1371 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1372 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1373 wpa_get_ntp_timestamp(pos);
1374 #ifdef TEST_FUZZ
1375 os_memset(pos, 0xef, 8);
1376 #endif /* TEST_FUZZ */
1377 pos += 8;
1378 if (random_get_bytes(pos, gtk_len) < 0)
1379 ret = -1;
1380
1381 #ifdef CONFIG_SHA384
1382 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1383 gtk, gtk_len) < 0)
1384 ret = -1;
1385 #else /* CONFIG_SHA384 */
1386 #ifdef CONFIG_SHA256
1387 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1388 gtk, gtk_len) < 0)
1389 ret = -1;
1390 #else /* CONFIG_SHA256 */
1391 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1392 gtk, gtk_len) < 0)
1393 ret = -1;
1394 #endif /* CONFIG_SHA256 */
1395 #endif /* CONFIG_SHA384 */
1396
1397 return ret;
1398 }
1399
1400
1401 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1402 {
1403 struct wpa_authenticator *wpa_auth = eloop_ctx;
1404 struct wpa_state_machine *sm = timeout_ctx;
1405
1406 sm->pending_1_of_4_timeout = 0;
1407 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1408 sm->TimeoutEvt = TRUE;
1409 wpa_sm_step(sm);
1410 }
1411
1412
1413 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1414 struct wpa_state_machine *sm, int key_info,
1415 const u8 *key_rsc, const u8 *nonce,
1416 const u8 *kde, size_t kde_len,
1417 int keyidx, int encr, int force_version)
1418 {
1419 struct ieee802_1x_hdr *hdr;
1420 struct wpa_eapol_key *key;
1421 size_t len, mic_len, keyhdrlen;
1422 int alg;
1423 int key_data_len, pad_len = 0;
1424 u8 *buf, *pos;
1425 int version, pairwise;
1426 int i;
1427 u8 *key_mic, *key_data;
1428
1429 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
1430 keyhdrlen = sizeof(*key) + mic_len + 2;
1431
1432 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
1433
1434 if (force_version)
1435 version = force_version;
1436 else if (wpa_use_akm_defined(sm->wpa_key_mgmt))
1437 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
1438 else if (wpa_use_cmac(sm->wpa_key_mgmt))
1439 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1440 else if (sm->pairwise != WPA_CIPHER_TKIP)
1441 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1442 else
1443 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1444
1445 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1446
1447 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1448 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1449 "encr=%d)",
1450 version,
1451 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1452 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1453 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1454 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1455 pairwise, (unsigned long) kde_len, keyidx, encr);
1456
1457 key_data_len = kde_len;
1458
1459 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1460 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
1461 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1462 pad_len = key_data_len % 8;
1463 if (pad_len)
1464 pad_len = 8 - pad_len;
1465 key_data_len += pad_len + 8;
1466 }
1467
1468 len += key_data_len;
1469 if (!mic_len && encr)
1470 len += AES_BLOCK_SIZE;
1471
1472 hdr = os_zalloc(len);
1473 if (hdr == NULL)
1474 return;
1475 hdr->version = wpa_auth->conf.eapol_version;
1476 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1477 hdr->length = host_to_be16(len - sizeof(*hdr));
1478 key = (struct wpa_eapol_key *) (hdr + 1);
1479 key_mic = (u8 *) (key + 1);
1480 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
1481
1482 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1483 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1484 key_info |= version;
1485 if (encr && sm->wpa == WPA_VERSION_WPA2)
1486 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1487 if (sm->wpa != WPA_VERSION_WPA2)
1488 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1489 WPA_PUT_BE16(key->key_info, key_info);
1490
1491 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
1492 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise)
1493 WPA_PUT_BE16(key->key_length, 0);
1494 else
1495 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
1496
1497 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1498 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1499 os_memcpy(sm->key_replay[i].counter,
1500 sm->key_replay[i - 1].counter,
1501 WPA_REPLAY_COUNTER_LEN);
1502 }
1503 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1504 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
1505 WPA_REPLAY_COUNTER_LEN);
1506 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1507 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1508 sm->key_replay[0].valid = TRUE;
1509
1510 if (nonce)
1511 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1512
1513 if (key_rsc)
1514 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1515
1516 if (kde && !encr) {
1517 os_memcpy(key_data, kde, kde_len);
1518 WPA_PUT_BE16(key_mic + mic_len, kde_len);
1519 #ifdef CONFIG_FILS
1520 } else if (!mic_len && kde) {
1521 const u8 *aad[1];
1522 size_t aad_len[1];
1523
1524 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1525 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1526 kde, kde_len);
1527
1528 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1529 sm->PTK.kek, sm->PTK.kek_len);
1530 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1531 * to Key Data (exclusive). */
1532 aad[0] = (u8 *) hdr;
1533 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1534 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1535 1, aad, aad_len, key_mic + 2) < 0) {
1536 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1537 return;
1538 }
1539
1540 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1541 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1542 #endif /* CONFIG_FILS */
1543 } else if (encr && kde) {
1544 buf = os_zalloc(key_data_len);
1545 if (buf == NULL) {
1546 os_free(hdr);
1547 return;
1548 }
1549 pos = buf;
1550 os_memcpy(pos, kde, kde_len);
1551 pos += kde_len;
1552
1553 if (pad_len)
1554 *pos++ = 0xdd;
1555
1556 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1557 buf, key_data_len);
1558 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1559 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
1560 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1561 wpa_printf(MSG_DEBUG,
1562 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)",
1563 (unsigned int) sm->PTK.kek_len);
1564 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
1565 (key_data_len - 8) / 8, buf, key_data)) {
1566 os_free(hdr);
1567 os_free(buf);
1568 return;
1569 }
1570 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
1571 #ifndef CONFIG_NO_RC4
1572 } else if (sm->PTK.kek_len == 16) {
1573 u8 ek[32];
1574
1575 wpa_printf(MSG_DEBUG,
1576 "WPA: Encrypt Key Data using RC4");
1577 os_memcpy(key->key_iv,
1578 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1579 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1580 os_memcpy(ek, key->key_iv, 16);
1581 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
1582 os_memcpy(key_data, buf, key_data_len);
1583 rc4_skip(ek, 32, 256, key_data, key_data_len);
1584 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
1585 #endif /* CONFIG_NO_RC4 */
1586 } else {
1587 os_free(hdr);
1588 os_free(buf);
1589 return;
1590 }
1591 os_free(buf);
1592 }
1593
1594 if (key_info & WPA_KEY_INFO_MIC) {
1595 if (!sm->PTK_valid || !mic_len) {
1596 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1597 "PTK not valid when sending EAPOL-Key "
1598 "frame");
1599 os_free(hdr);
1600 return;
1601 }
1602
1603 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1604 sm->wpa_key_mgmt, version,
1605 (u8 *) hdr, len, key_mic) < 0) {
1606 os_free(hdr);
1607 return;
1608 }
1609 #ifdef CONFIG_TESTING_OPTIONS
1610 if (!pairwise &&
1611 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
1612 drand48() <
1613 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1614 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1615 "Corrupting group EAPOL-Key Key MIC");
1616 key_mic[0]++;
1617 }
1618 #endif /* CONFIG_TESTING_OPTIONS */
1619 }
1620
1621 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1622 1);
1623 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1624 sm->pairwise_set);
1625 os_free(hdr);
1626 }
1627
1628
1629 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1630 struct wpa_state_machine *sm, int key_info,
1631 const u8 *key_rsc, const u8 *nonce,
1632 const u8 *kde, size_t kde_len,
1633 int keyidx, int encr)
1634 {
1635 int timeout_ms;
1636 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1637 u32 ctr;
1638
1639 if (sm == NULL)
1640 return;
1641
1642 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1643 keyidx, encr, 0);
1644
1645 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
1646 if (ctr == 1 && wpa_auth->conf.tx_status)
1647 timeout_ms = pairwise ? eapol_key_timeout_first :
1648 eapol_key_timeout_first_group;
1649 else
1650 timeout_ms = eapol_key_timeout_subseq;
1651 if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
1652 (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
1653 timeout_ms = eapol_key_timeout_no_retrans;
1654 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1655 sm->pending_1_of_4_timeout = 1;
1656 #ifdef TEST_FUZZ
1657 timeout_ms = 1;
1658 #endif /* TEST_FUZZ */
1659 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
1660 "counter %u)", timeout_ms, ctr);
1661 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1662 wpa_send_eapol_timeout, wpa_auth, sm);
1663 }
1664
1665
1666 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
1667 u8 *data, size_t data_len)
1668 {
1669 struct ieee802_1x_hdr *hdr;
1670 struct wpa_eapol_key *key;
1671 u16 key_info;
1672 int ret = 0;
1673 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
1674 size_t mic_len = wpa_mic_len(akmp, pmk_len);
1675
1676 if (data_len < sizeof(*hdr) + sizeof(*key))
1677 return -1;
1678
1679 hdr = (struct ieee802_1x_hdr *) data;
1680 key = (struct wpa_eapol_key *) (hdr + 1);
1681 mic_pos = (u8 *) (key + 1);
1682 key_info = WPA_GET_BE16(key->key_info);
1683 os_memcpy(mic, mic_pos, mic_len);
1684 os_memset(mic_pos, 0, mic_len);
1685 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1686 key_info & WPA_KEY_INFO_TYPE_MASK,
1687 data, data_len, mic_pos) ||
1688 os_memcmp_const(mic, mic_pos, mic_len) != 0)
1689 ret = -1;
1690 os_memcpy(mic_pos, mic, mic_len);
1691 return ret;
1692 }
1693
1694
1695 void wpa_remove_ptk(struct wpa_state_machine *sm)
1696 {
1697 sm->PTK_valid = FALSE;
1698 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1699 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1700 0))
1701 wpa_printf(MSG_DEBUG,
1702 "RSN: PTK removal from the driver failed");
1703 sm->pairwise_set = FALSE;
1704 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
1705 }
1706
1707
1708 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
1709 {
1710 int remove_ptk = 1;
1711
1712 if (sm == NULL)
1713 return -1;
1714
1715 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1716 "event %d notification", event);
1717
1718 switch (event) {
1719 case WPA_AUTH:
1720 #ifdef CONFIG_MESH
1721 /* PTKs are derived through AMPE */
1722 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1723 /* not mesh */
1724 break;
1725 }
1726 return 0;
1727 #endif /* CONFIG_MESH */
1728 case WPA_ASSOC:
1729 break;
1730 case WPA_DEAUTH:
1731 case WPA_DISASSOC:
1732 sm->DeauthenticationRequest = TRUE;
1733 break;
1734 case WPA_REAUTH:
1735 case WPA_REAUTH_EAPOL:
1736 if (!sm->started) {
1737 /*
1738 * When using WPS, we may end up here if the STA
1739 * manages to re-associate without the previous STA
1740 * entry getting removed. Consequently, we need to make
1741 * sure that the WPA state machines gets initialized
1742 * properly at this point.
1743 */
1744 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1745 "started - initialize now");
1746 sm->started = 1;
1747 sm->Init = TRUE;
1748 if (wpa_sm_step(sm) == 1)
1749 return 1; /* should not really happen */
1750 sm->Init = FALSE;
1751 sm->AuthenticationRequest = TRUE;
1752 break;
1753 }
1754 if (sm->GUpdateStationKeys) {
1755 /*
1756 * Reauthentication cancels the pending group key
1757 * update for this STA.
1758 */
1759 sm->group->GKeyDoneStations--;
1760 sm->GUpdateStationKeys = FALSE;
1761 sm->PtkGroupInit = TRUE;
1762 }
1763 sm->ReAuthenticationRequest = TRUE;
1764 break;
1765 case WPA_ASSOC_FT:
1766 #ifdef CONFIG_IEEE80211R_AP
1767 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1768 "after association");
1769 wpa_ft_install_ptk(sm);
1770
1771 /* Using FT protocol, not WPA auth state machine */
1772 sm->ft_completed = 1;
1773 return 0;
1774 #else /* CONFIG_IEEE80211R_AP */
1775 break;
1776 #endif /* CONFIG_IEEE80211R_AP */
1777 case WPA_ASSOC_FILS:
1778 #ifdef CONFIG_FILS
1779 wpa_printf(MSG_DEBUG,
1780 "FILS: TK configuration after association");
1781 fils_set_tk(sm);
1782 sm->fils_completed = 1;
1783 return 0;
1784 #else /* CONFIG_FILS */
1785 break;
1786 #endif /* CONFIG_FILS */
1787 case WPA_DRV_STA_REMOVED:
1788 sm->tk_already_set = FALSE;
1789 return 0;
1790 }
1791
1792 #ifdef CONFIG_IEEE80211R_AP
1793 sm->ft_completed = 0;
1794 #endif /* CONFIG_IEEE80211R_AP */
1795
1796 #ifdef CONFIG_IEEE80211W
1797 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1798 remove_ptk = 0;
1799 #endif /* CONFIG_IEEE80211W */
1800 #ifdef CONFIG_FILS
1801 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1802 (event == WPA_AUTH || event == WPA_ASSOC))
1803 remove_ptk = 0;
1804 #endif /* CONFIG_FILS */
1805
1806 if (remove_ptk) {
1807 sm->PTK_valid = FALSE;
1808 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1809
1810 if (event != WPA_REAUTH_EAPOL)
1811 wpa_remove_ptk(sm);
1812 }
1813
1814 if (sm->in_step_loop) {
1815 /*
1816 * wpa_sm_step() is already running - avoid recursive call to
1817 * it by making the existing loop process the new update.
1818 */
1819 sm->changed = TRUE;
1820 return 0;
1821 }
1822 return wpa_sm_step(sm);
1823 }
1824
1825
1826 SM_STATE(WPA_PTK, INITIALIZE)
1827 {
1828 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1829 if (sm->Init) {
1830 /* Init flag is not cleared here, so avoid busy
1831 * loop by claiming nothing changed. */
1832 sm->changed = FALSE;
1833 }
1834
1835 sm->keycount = 0;
1836 if (sm->GUpdateStationKeys)
1837 sm->group->GKeyDoneStations--;
1838 sm->GUpdateStationKeys = FALSE;
1839 if (sm->wpa == WPA_VERSION_WPA)
1840 sm->PInitAKeys = FALSE;
1841 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1842 * Local AA > Remote AA)) */) {
1843 sm->Pair = TRUE;
1844 }
1845 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1846 wpa_remove_ptk(sm);
1847 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1848 sm->TimeoutCtr = 0;
1849 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
1850 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
1851 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
1852 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1853 WPA_EAPOL_authorized, 0);
1854 }
1855 }
1856
1857
1858 SM_STATE(WPA_PTK, DISCONNECT)
1859 {
1860 u16 reason = sm->disconnect_reason;
1861
1862 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1863 sm->Disconnect = FALSE;
1864 sm->disconnect_reason = 0;
1865 if (!reason)
1866 reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
1867 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason);
1868 }
1869
1870
1871 SM_STATE(WPA_PTK, DISCONNECTED)
1872 {
1873 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1874 sm->DeauthenticationRequest = FALSE;
1875 }
1876
1877
1878 SM_STATE(WPA_PTK, AUTHENTICATION)
1879 {
1880 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1881 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1882 sm->PTK_valid = FALSE;
1883 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1884 1);
1885 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1886 sm->AuthenticationRequest = FALSE;
1887 }
1888
1889
1890 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1891 struct wpa_group *group)
1892 {
1893 if (group->first_sta_seen)
1894 return;
1895 /*
1896 * System has run bit further than at the time hostapd was started
1897 * potentially very early during boot up. This provides better chances
1898 * of collecting more randomness on embedded systems. Re-initialize the
1899 * GMK and Counter here to improve their strength if there was not
1900 * enough entropy available immediately after system startup.
1901 */
1902 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1903 "station");
1904 if (random_pool_ready() != 1) {
1905 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1906 "to proceed - reject first 4-way handshake");
1907 group->reject_4way_hs_for_entropy = TRUE;
1908 } else {
1909 group->first_sta_seen = TRUE;
1910 group->reject_4way_hs_for_entropy = FALSE;
1911 }
1912
1913 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1914 wpa_gtk_update(wpa_auth, group) < 0 ||
1915 wpa_group_config_group_keys(wpa_auth, group) < 0) {
1916 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1917 group->first_sta_seen = FALSE;
1918 group->reject_4way_hs_for_entropy = TRUE;
1919 }
1920 }
1921
1922
1923 SM_STATE(WPA_PTK, AUTHENTICATION2)
1924 {
1925 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1926
1927 wpa_group_ensure_init(sm->wpa_auth, sm->group);
1928 sm->ReAuthenticationRequest = FALSE;
1929
1930 /*
1931 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1932 * ambiguous. The Authenticator state machine uses a counter that is
1933 * incremented by one for each 4-way handshake. However, the security
1934 * analysis of 4-way handshake points out that unpredictable nonces
1935 * help in preventing precomputation attacks. Instead of the state
1936 * machine definition, use an unpredictable nonce value here to provide
1937 * stronger protection against potential precomputation attacks.
1938 */
1939 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1940 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1941 "ANonce.");
1942 sm->Disconnect = TRUE;
1943 return;
1944 }
1945 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1946 WPA_NONCE_LEN);
1947 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1948 * logical place than INITIALIZE since AUTHENTICATION2 can be
1949 * re-entered on ReAuthenticationRequest without going through
1950 * INITIALIZE. */
1951 sm->TimeoutCtr = 0;
1952 }
1953
1954
1955 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
1956 {
1957 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1958 wpa_printf(MSG_ERROR,
1959 "WPA: Failed to get random data for ANonce");
1960 sm->Disconnect = TRUE;
1961 return -1;
1962 }
1963 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
1964 WPA_NONCE_LEN);
1965 sm->TimeoutCtr = 0;
1966 return 0;
1967 }
1968
1969
1970 SM_STATE(WPA_PTK, INITPMK)
1971 {
1972 u8 msk[2 * PMK_LEN];
1973 size_t len = 2 * PMK_LEN;
1974
1975 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
1976 #ifdef CONFIG_IEEE80211R_AP
1977 sm->xxkey_len = 0;
1978 #endif /* CONFIG_IEEE80211R_AP */
1979 if (sm->pmksa) {
1980 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
1981 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1982 sm->pmk_len = sm->pmksa->pmk_len;
1983 #ifdef CONFIG_DPP
1984 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
1985 wpa_printf(MSG_DEBUG,
1986 "DPP: No PMKSA cache entry for STA - reject connection");
1987 sm->Disconnect = TRUE;
1988 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID;
1989 return;
1990 #endif /* CONFIG_DPP */
1991 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
1992 unsigned int pmk_len;
1993
1994 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
1995 pmk_len = PMK_LEN_SUITE_B_192;
1996 else
1997 pmk_len = PMK_LEN;
1998 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
1999 "(MSK len=%lu PMK len=%u)", (unsigned long) len,
2000 pmk_len);
2001 if (len < pmk_len) {
2002 wpa_printf(MSG_DEBUG,
2003 "WPA: MSK not long enough (%u) to create PMK (%u)",
2004 (unsigned int) len, (unsigned int) pmk_len);
2005 sm->Disconnect = TRUE;
2006 return;
2007 }
2008 os_memcpy(sm->PMK, msk, pmk_len);
2009 sm->pmk_len = pmk_len;
2010 #ifdef CONFIG_IEEE80211R_AP
2011 if (len >= 2 * PMK_LEN) {
2012 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
2013 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN);
2014 sm->xxkey_len = SHA384_MAC_LEN;
2015 } else {
2016 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
2017 sm->xxkey_len = PMK_LEN;
2018 }
2019 }
2020 #endif /* CONFIG_IEEE80211R_AP */
2021 } else {
2022 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
2023 sm->wpa_auth->cb->get_msk);
2024 sm->Disconnect = TRUE;
2025 return;
2026 }
2027 os_memset(msk, 0, sizeof(msk));
2028
2029 sm->req_replay_counter_used = 0;
2030 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
2031 * will break reauthentication since EAPOL state machines may not be
2032 * get into AUTHENTICATING state that clears keyRun before WPA state
2033 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
2034 * state and takes PMK from the previously used AAA Key. This will
2035 * eventually fail in 4-Way Handshake because Supplicant uses PMK
2036 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
2037 * be good workaround for this issue. */
2038 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
2039 }
2040
2041
2042 SM_STATE(WPA_PTK, INITPSK)
2043 {
2044 const u8 *psk;
2045 size_t psk_len;
2046
2047 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
2048 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL,
2049 &psk_len, NULL);
2050 if (psk) {
2051 os_memcpy(sm->PMK, psk, psk_len);
2052 sm->pmk_len = psk_len;
2053 #ifdef CONFIG_IEEE80211R_AP
2054 os_memcpy(sm->xxkey, psk, PMK_LEN);
2055 sm->xxkey_len = PMK_LEN;
2056 #endif /* CONFIG_IEEE80211R_AP */
2057 }
2058 #ifdef CONFIG_SAE
2059 if (wpa_auth_uses_sae(sm) && sm->pmksa) {
2060 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache");
2061 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2062 sm->pmk_len = sm->pmksa->pmk_len;
2063 }
2064 #endif /* CONFIG_SAE */
2065 sm->req_replay_counter_used = 0;
2066 }
2067
2068
2069 SM_STATE(WPA_PTK, PTKSTART)
2070 {
2071 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
2072 size_t pmkid_len = 0;
2073
2074 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2075 sm->PTKRequest = FALSE;
2076 sm->TimeoutEvt = FALSE;
2077 sm->alt_snonce_valid = FALSE;
2078
2079 sm->TimeoutCtr++;
2080 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
2081 /* No point in sending the EAPOL-Key - we will disconnect
2082 * immediately following this. */
2083 return;
2084 }
2085
2086 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2087 "sending 1/4 msg of 4-Way Handshake");
2088 /*
2089 * For infrastructure BSS cases, it is better for the AP not to include
2090 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate
2091 * offline search for the passphrase/PSK without having to be able to
2092 * capture a 4-way handshake from a STA that has access to the network.
2093 *
2094 * For IBSS cases, addition of PMKID KDE could be considered even with
2095 * WPA2-PSK cases that use multiple PSKs, but only if there is a single
2096 * possible PSK for this STA. However, this should not be done unless
2097 * there is support for using that information on the supplicant side.
2098 * The concern about exposing PMKID unnecessarily in infrastructure BSS
2099 * cases would also apply here, but at least in the IBSS case, this
2100 * would cover a potential real use case.
2101 */
2102 if (sm->wpa == WPA_VERSION_WPA2 &&
2103 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) ||
2104 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) ||
2105 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) &&
2106 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
2107 pmkid = buf;
2108 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2109 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2110 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2111 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
2112 if (sm->pmksa) {
2113 wpa_hexdump(MSG_DEBUG,
2114 "RSN: Message 1/4 PMKID from PMKSA entry",
2115 sm->pmksa->pmkid, PMKID_LEN);
2116 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2117 sm->pmksa->pmkid, PMKID_LEN);
2118 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2119 /* No KCK available to derive PMKID */
2120 wpa_printf(MSG_DEBUG,
2121 "RSN: No KCK available to derive PMKID for message 1/4");
2122 pmkid = NULL;
2123 #ifdef CONFIG_SAE
2124 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
2125 if (sm->pmkid_set) {
2126 wpa_hexdump(MSG_DEBUG,
2127 "RSN: Message 1/4 PMKID from SAE",
2128 sm->pmkid, PMKID_LEN);
2129 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2130 sm->pmkid, PMKID_LEN);
2131 } else {
2132 /* No PMKID available */
2133 wpa_printf(MSG_DEBUG,
2134 "RSN: No SAE PMKID available for message 1/4");
2135 pmkid = NULL;
2136 }
2137 #endif /* CONFIG_SAE */
2138 } else {
2139 /*
2140 * Calculate PMKID since no PMKSA cache entry was
2141 * available with pre-calculated PMKID.
2142 */
2143 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
2144 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
2145 sm->wpa_key_mgmt);
2146 wpa_hexdump(MSG_DEBUG,
2147 "RSN: Message 1/4 PMKID derived from PMK",
2148 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN);
2149 }
2150 }
2151 wpa_send_eapol(sm->wpa_auth, sm,
2152 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2153 sm->ANonce, pmkid, pmkid_len, 0, 0);
2154 }
2155
2156
2157 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
2158 const u8 *pmk, unsigned int pmk_len,
2159 struct wpa_ptk *ptk)
2160 {
2161 const u8 *z = NULL;
2162 size_t z_len = 0;
2163
2164 #ifdef CONFIG_IEEE80211R_AP
2165 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
2166 return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
2167 #endif /* CONFIG_IEEE80211R_AP */
2168
2169 #ifdef CONFIG_DPP2
2170 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
2171 z = wpabuf_head(sm->dpp_z);
2172 z_len = wpabuf_len(sm->dpp_z);
2173 }
2174 #endif /* CONFIG_DPP2 */
2175
2176 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
2177 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
2178 ptk, sm->wpa_key_mgmt, sm->pairwise, z, z_len);
2179 }
2180
2181
2182 #ifdef CONFIG_FILS
2183
2184 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
2185 size_t pmk_len, const u8 *snonce, const u8 *anonce,
2186 const u8 *dhss, size_t dhss_len,
2187 struct wpabuf *g_sta, struct wpabuf *g_ap)
2188 {
2189 u8 ick[FILS_ICK_MAX_LEN];
2190 size_t ick_len;
2191 int res;
2192 u8 fils_ft[FILS_FT_MAX_LEN];
2193 size_t fils_ft_len = 0;
2194
2195 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
2196 snonce, anonce, dhss, dhss_len,
2197 &sm->PTK, ick, &ick_len,
2198 sm->wpa_key_mgmt, sm->pairwise,
2199 fils_ft, &fils_ft_len);
2200 if (res < 0)
2201 return res;
2202 sm->PTK_valid = TRUE;
2203 sm->tk_already_set = FALSE;
2204
2205 #ifdef CONFIG_IEEE80211R_AP
2206 if (fils_ft_len) {
2207 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2208 struct wpa_auth_config *conf = &wpa_auth->conf;
2209 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
2210 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
2211 size_t pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
2212
2213 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
2214 conf->ssid, conf->ssid_len,
2215 conf->mobility_domain,
2216 conf->r0_key_holder,
2217 conf->r0_key_holder_len,
2218 sm->addr, pmk_r0, pmk_r0_name,
2219 use_sha384) < 0)
2220 return -1;
2221
2222 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0",
2223 pmk_r0, pmk_r0_len);
2224 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name",
2225 pmk_r0_name, WPA_PMK_NAME_LEN);
2226 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name);
2227 os_memset(fils_ft, 0, sizeof(fils_ft));
2228
2229 res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder,
2230 sm->addr, sm->pmk_r1_name,
2231 use_sha384);
2232 os_memset(pmk_r0, 0, PMK_LEN_MAX);
2233 if (res < 0)
2234 return -1;
2235 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name,
2236 WPA_PMK_NAME_LEN);
2237 sm->pmk_r1_name_valid = 1;
2238 }
2239 #endif /* CONFIG_IEEE80211R_AP */
2240
2241 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2242 sm->addr, sm->wpa_auth->addr,
2243 g_sta ? wpabuf_head(g_sta) : NULL,
2244 g_sta ? wpabuf_len(g_sta) : 0,
2245 g_ap ? wpabuf_head(g_ap) : NULL,
2246 g_ap ? wpabuf_len(g_ap) : 0,
2247 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2248 sm->fils_key_auth_ap,
2249 &sm->fils_key_auth_len);
2250 os_memset(ick, 0, sizeof(ick));
2251
2252 /* Store nonces for (Re)Association Request/Response frame processing */
2253 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2254 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2255
2256 return res;
2257 }
2258
2259
2260 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
2261 u8 *buf, size_t buf_len, u16 *_key_data_len)
2262 {
2263 struct ieee802_1x_hdr *hdr;
2264 struct wpa_eapol_key *key;
2265 u8 *pos;
2266 u16 key_data_len;
2267 u8 *tmp;
2268 const u8 *aad[1];
2269 size_t aad_len[1];
2270
2271 hdr = (struct ieee802_1x_hdr *) buf;
2272 key = (struct wpa_eapol_key *) (hdr + 1);
2273 pos = (u8 *) (key + 1);
2274 key_data_len = WPA_GET_BE16(pos);
2275 if (key_data_len < AES_BLOCK_SIZE ||
2276 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2277 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2278 "No room for AES-SIV data in the frame");
2279 return -1;
2280 }
2281 pos += 2; /* Pointing at the Encrypted Key Data field */
2282
2283 tmp = os_malloc(key_data_len);
2284 if (!tmp)
2285 return -1;
2286
2287 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2288 * to Key Data (exclusive). */
2289 aad[0] = buf;
2290 aad_len[0] = pos - buf;
2291 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2292 1, aad, aad_len, tmp) < 0) {
2293 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2294 "Invalid AES-SIV data in the frame");
2295 bin_clear_free(tmp, key_data_len);
2296 return -1;
2297 }
2298
2299 /* AEAD decryption and validation completed successfully */
2300 key_data_len -= AES_BLOCK_SIZE;
2301 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2302 tmp, key_data_len);
2303
2304 /* Replace Key Data field with the decrypted version */
2305 os_memcpy(pos, tmp, key_data_len);
2306 pos -= 2; /* Key Data Length field */
2307 WPA_PUT_BE16(pos, key_data_len);
2308 bin_clear_free(tmp, key_data_len);
2309 if (_key_data_len)
2310 *_key_data_len = key_data_len;
2311 return 0;
2312 }
2313
2314
2315 const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
2316 const u8 *ies, size_t ies_len,
2317 const u8 *fils_session)
2318 {
2319 const u8 *ie, *end;
2320 const u8 *session = NULL;
2321
2322 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2323 wpa_printf(MSG_DEBUG,
2324 "FILS: Not a FILS AKM - reject association");
2325 return NULL;
2326 }
2327
2328 /* Verify Session element */
2329 ie = ies;
2330 end = ((const u8 *) ie) + ies_len;
2331 while (ie + 1 < end) {
2332 if (ie + 2 + ie[1] > end)
2333 break;
2334 if (ie[0] == WLAN_EID_EXTENSION &&
2335 ie[1] >= 1 + FILS_SESSION_LEN &&
2336 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2337 session = ie;
2338 break;
2339 }
2340 ie += 2 + ie[1];
2341 }
2342
2343 if (!session) {
2344 wpa_printf(MSG_DEBUG,
2345 "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
2346 __func__);
2347 return NULL;
2348 }
2349
2350 if (!fils_session) {
2351 wpa_printf(MSG_DEBUG,
2352 "FILS: %s: Could not find FILS Session element in STA entry - reject",
2353 __func__);
2354 return NULL;
2355 }
2356
2357 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2358 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2359 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2360 fils_session, FILS_SESSION_LEN);
2361 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2362 session + 3, FILS_SESSION_LEN);
2363 return NULL;
2364 }
2365 return session;
2366 }
2367
2368
2369 int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
2370 size_t ies_len)
2371 {
2372 struct ieee802_11_elems elems;
2373
2374 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2375 wpa_printf(MSG_DEBUG,
2376 "FILS: Failed to parse decrypted elements");
2377 return -1;
2378 }
2379
2380 if (!elems.fils_session) {
2381 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
2382 return -1;
2383 }
2384
2385 if (!elems.fils_key_confirm) {
2386 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2387 return -1;
2388 }
2389
2390 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2391 wpa_printf(MSG_DEBUG,
2392 "FILS: Unexpected Key-Auth length %d (expected %d)",
2393 elems.fils_key_confirm_len,
2394 (int) sm->fils_key_auth_len);
2395 return -1;
2396 }
2397
2398 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2399 sm->fils_key_auth_len) != 0) {
2400 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2401 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2402 elems.fils_key_confirm, elems.fils_key_confirm_len);
2403 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2404 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2405 return -1;
2406 }
2407
2408 return 0;
2409 }
2410
2411
2412 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2413 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2414 u8 *pos, size_t left)
2415 {
2416 u16 fc, stype;
2417 const u8 *end, *ie_start, *ie, *session, *crypt;
2418 const u8 *aad[5];
2419 size_t aad_len[5];
2420
2421 if (!sm || !sm->PTK_valid) {
2422 wpa_printf(MSG_DEBUG,
2423 "FILS: No KEK to decrypt Assocication Request frame");
2424 return -1;
2425 }
2426
2427 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2428 wpa_printf(MSG_DEBUG,
2429 "FILS: Not a FILS AKM - reject association");
2430 return -1;
2431 }
2432
2433 end = ((const u8 *) mgmt) + frame_len;
2434 fc = le_to_host16(mgmt->frame_control);
2435 stype = WLAN_FC_GET_STYPE(fc);
2436 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2437 ie_start = mgmt->u.reassoc_req.variable;
2438 else
2439 ie_start = mgmt->u.assoc_req.variable;
2440 ie = ie_start;
2441
2442 /*
2443 * Find FILS Session element which is the last unencrypted element in
2444 * the frame.
2445 */
2446 session = wpa_fils_validate_fils_session(sm, ie, end - ie,
2447 fils_session);
2448 if (!session) {
2449 wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
2450 return -1;
2451 }
2452
2453 crypt = session + 2 + session[1];
2454
2455 if (end - crypt < AES_BLOCK_SIZE) {
2456 wpa_printf(MSG_DEBUG,
2457 "FILS: Too short frame to include AES-SIV data");
2458 return -1;
2459 }
2460
2461 /* AES-SIV AAD vectors */
2462
2463 /* The STA's MAC address */
2464 aad[0] = mgmt->sa;
2465 aad_len[0] = ETH_ALEN;
2466 /* The AP's BSSID */
2467 aad[1] = mgmt->da;
2468 aad_len[1] = ETH_ALEN;
2469 /* The STA's nonce */
2470 aad[2] = sm->SNonce;
2471 aad_len[2] = FILS_NONCE_LEN;
2472 /* The AP's nonce */
2473 aad[3] = sm->ANonce;
2474 aad_len[3] = FILS_NONCE_LEN;
2475 /*
2476 * The (Re)Association Request frame from the Capability Information
2477 * field to the FILS Session element (both inclusive).
2478 */
2479 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
2480 aad_len[4] = crypt - aad[4];
2481
2482 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
2483 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
2484 wpa_printf(MSG_DEBUG,
2485 "FILS: Invalid AES-SIV data in the frame");
2486 return -1;
2487 }
2488 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2489 pos, left - AES_BLOCK_SIZE);
2490
2491 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
2492 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
2493 return -1;
2494 }
2495
2496 return left - AES_BLOCK_SIZE;
2497 }
2498
2499
2500 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
2501 size_t current_len, size_t max_len,
2502 const struct wpabuf *hlp)
2503 {
2504 u8 *end = buf + max_len;
2505 u8 *pos = buf + current_len;
2506 struct ieee80211_mgmt *mgmt;
2507 struct wpabuf *plain;
2508 const u8 *aad[5];
2509 size_t aad_len[5];
2510
2511 if (!sm || !sm->PTK_valid)
2512 return -1;
2513
2514 wpa_hexdump(MSG_DEBUG,
2515 "FILS: Association Response frame before FILS processing",
2516 buf, current_len);
2517
2518 mgmt = (struct ieee80211_mgmt *) buf;
2519
2520 /* AES-SIV AAD vectors */
2521
2522 /* The AP's BSSID */
2523 aad[0] = mgmt->sa;
2524 aad_len[0] = ETH_ALEN;
2525 /* The STA's MAC address */
2526 aad[1] = mgmt->da;
2527 aad_len[1] = ETH_ALEN;
2528 /* The AP's nonce */
2529 aad[2] = sm->ANonce;
2530 aad_len[2] = FILS_NONCE_LEN;
2531 /* The STA's nonce */
2532 aad[3] = sm->SNonce;
2533 aad_len[3] = FILS_NONCE_LEN;
2534 /*
2535 * The (Re)Association Response frame from the Capability Information
2536 * field (the same offset in both Association and Reassociation
2537 * Response frames) to the FILS Session element (both inclusive).
2538 */
2539 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2540 aad_len[4] = pos - aad[4];
2541
2542 /* The following elements will be encrypted with AES-SIV */
2543 plain = fils_prepare_plainbuf(sm, hlp);
2544 if (!plain) {
2545 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2546 return -1;
2547 }
2548
2549 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2550 wpa_printf(MSG_DEBUG,
2551 "FILS: Not enough room for FILS elements");
2552 wpabuf_free(plain);
2553 return -1;
2554 }
2555
2556 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2557 plain);
2558
2559 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2560 wpabuf_head(plain), wpabuf_len(plain),
2561 5, aad, aad_len, pos) < 0) {
2562 wpabuf_free(plain);
2563 return -1;
2564 }
2565
2566 wpa_hexdump(MSG_DEBUG,
2567 "FILS: Encrypted Association Response elements",
2568 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2569 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2570 wpabuf_free(plain);
2571
2572 sm->fils_completed = 1;
2573
2574 return current_len;
2575 }
2576
2577
2578 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
2579 const struct wpabuf *hlp)
2580 {
2581 struct wpabuf *plain;
2582 u8 *len, *tmp, *tmp2;
2583 u8 hdr[2];
2584 u8 *gtk, dummy_gtk[32];
2585 size_t gtk_len;
2586 struct wpa_group *gsm;
2587
2588 plain = wpabuf_alloc(1000);
2589 if (!plain)
2590 return NULL;
2591
2592 /* TODO: FILS Public Key */
2593
2594 /* FILS Key Confirmation */
2595 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2596 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2597 /* Element ID Extension */
2598 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2599 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2600
2601 /* FILS HLP Container */
2602 if (hlp)
2603 wpabuf_put_buf(plain, hlp);
2604
2605 /* TODO: FILS IP Address Assignment */
2606
2607 /* Key Delivery */
2608 gsm = sm->group;
2609 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2610 len = wpabuf_put(plain, 1);
2611 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2612 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2613 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2614 /* GTK KDE */
2615 gtk = gsm->GTK[gsm->GN - 1];
2616 gtk_len = gsm->GTK_len;
2617 if (sm->wpa_auth->conf.disable_gtk ||
2618 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
2619 /*
2620 * Provide unique random GTK to each STA to prevent use
2621 * of GTK in the BSS.
2622 */
2623 if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
2624 wpabuf_free(plain);
2625 return NULL;
2626 }
2627 gtk = dummy_gtk;
2628 }
2629 hdr[0] = gsm->GN & 0x03;
2630 hdr[1] = 0;
2631 tmp = wpabuf_put(plain, 0);
2632 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2633 gtk, gtk_len);
2634 wpabuf_put(plain, tmp2 - tmp);
2635
2636 /* IGTK KDE */
2637 tmp = wpabuf_put(plain, 0);
2638 tmp2 = ieee80211w_kde_add(sm, tmp);
2639 wpabuf_put(plain, tmp2 - tmp);
2640
2641 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
2642
2643 #ifdef CONFIG_OCV
2644 if (wpa_auth_uses_ocv(sm)) {
2645 struct wpa_channel_info ci;
2646 u8 *pos;
2647
2648 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
2649 wpa_printf(MSG_WARNING,
2650 "FILS: Failed to get channel info for OCI element");
2651 wpabuf_free(plain);
2652 return NULL;
2653 }
2654
2655 pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN);
2656 if (ocv_insert_extended_oci(&ci, pos) < 0) {
2657 wpabuf_free(plain);
2658 return NULL;
2659 }
2660 }
2661 #endif /* CONFIG_OCV */
2662
2663 return plain;
2664 }
2665
2666
2667 int fils_set_tk(struct wpa_state_machine *sm)
2668 {
2669 enum wpa_alg alg;
2670 int klen;
2671
2672 if (!sm || !sm->PTK_valid) {
2673 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK");
2674 return -1;
2675 }
2676 if (sm->tk_already_set) {
2677 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver");
2678 return -1;
2679 }
2680
2681 alg = wpa_cipher_to_alg(sm->pairwise);
2682 klen = wpa_cipher_key_len(sm->pairwise);
2683
2684 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
2685 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2686 sm->PTK.tk, klen)) {
2687 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
2688 return -1;
2689 }
2690 sm->tk_already_set = TRUE;
2691
2692 return 0;
2693 }
2694
2695
2696 u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
2697 const u8 *fils_session, struct wpabuf *hlp)
2698 {
2699 struct wpabuf *plain;
2700 u8 *pos = buf;
2701
2702 /* FILS Session */
2703 *pos++ = WLAN_EID_EXTENSION; /* Element ID */
2704 *pos++ = 1 + FILS_SESSION_LEN; /* Length */
2705 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
2706 os_memcpy(pos, fils_session, FILS_SESSION_LEN);
2707 pos += FILS_SESSION_LEN;
2708
2709 plain = fils_prepare_plainbuf(sm, hlp);
2710 if (!plain) {
2711 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2712 return NULL;
2713 }
2714
2715 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
2716 pos += wpabuf_len(plain);
2717
2718 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__,
2719 (unsigned int) wpabuf_len(plain));
2720 wpabuf_free(plain);
2721 sm->fils_completed = 1;
2722 return pos;
2723 }
2724
2725 #endif /* CONFIG_FILS */
2726
2727
2728 #ifdef CONFIG_OCV
2729 int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth,
2730 int ap_seg1_idx, int *bandwidth, int *seg1_idx)
2731 {
2732 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2733
2734 if (!wpa_auth->cb->get_sta_tx_params)
2735 return -1;
2736 return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr,
2737 ap_max_chanwidth, ap_seg1_idx,
2738 bandwidth, seg1_idx);
2739 }
2740 #endif /* CONFIG_OCV */
2741
2742
2743 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2744 {
2745 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2746 struct wpa_ptk PTK;
2747 int ok = 0, psk_found = 0;
2748 const u8 *pmk = NULL;
2749 size_t pmk_len;
2750 int ft;
2751 const u8 *eapol_key_ie, *key_data, *mic;
2752 u16 key_data_length;
2753 size_t mic_len, eapol_key_ie_len;
2754 struct ieee802_1x_hdr *hdr;
2755 struct wpa_eapol_key *key;
2756 struct wpa_eapol_ie_parse kde;
2757 int vlan_id = 0;
2758
2759 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2760 sm->EAPOLKeyReceived = FALSE;
2761 sm->update_snonce = FALSE;
2762 os_memset(&PTK, 0, sizeof(PTK));
2763
2764 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
2765
2766 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2767 * WPA-PSK: iterate through possible PSKs and select the one matching
2768 * the packet */
2769 for (;;) {
2770 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
2771 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
2772 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
2773 sm->p2p_dev_addr, pmk, &pmk_len,
2774 &vlan_id);
2775 if (pmk == NULL)
2776 break;
2777 psk_found = 1;
2778 #ifdef CONFIG_IEEE80211R_AP
2779 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
2780 os_memcpy(sm->xxkey, pmk, pmk_len);
2781 sm->xxkey_len = pmk_len;
2782 }
2783 #endif /* CONFIG_IEEE80211R_AP */
2784 } else {
2785 pmk = sm->PMK;
2786 pmk_len = sm->pmk_len;
2787 }
2788
2789 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0)
2790 break;
2791
2792 if (mic_len &&
2793 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
2794 sm->last_rx_eapol_key,
2795 sm->last_rx_eapol_key_len) == 0) {
2796 if (sm->PMK != pmk) {
2797 os_memcpy(sm->PMK, pmk, pmk_len);
2798 sm->pmk_len = pmk_len;
2799 }
2800 ok = 1;
2801 break;
2802 }
2803
2804 #ifdef CONFIG_FILS
2805 if (!mic_len &&
2806 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2807 sm->last_rx_eapol_key_len, NULL) == 0) {
2808 ok = 1;
2809 break;
2810 }
2811 #endif /* CONFIG_FILS */
2812
2813 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
2814 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
2815 break;
2816 }
2817
2818 if (!ok) {
2819 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2820 "invalid MIC in msg 2/4 of 4-Way Handshake");
2821 if (psk_found)
2822 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
2823 return;
2824 }
2825
2826 /*
2827 * Note: last_rx_eapol_key length fields have already been validated in
2828 * wpa_receive().
2829 */
2830 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2831 key = (struct wpa_eapol_key *) (hdr + 1);
2832 mic = (u8 *) (key + 1);
2833 key_data = mic + mic_len + 2;
2834 key_data_length = WPA_GET_BE16(mic + mic_len);
2835 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2836 sizeof(*key) - mic_len - 2)
2837 return;
2838
2839 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2840 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2841 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2842 return;
2843 }
2844 if (kde.rsn_ie) {
2845 eapol_key_ie = kde.rsn_ie;
2846 eapol_key_ie_len = kde.rsn_ie_len;
2847 } else if (kde.osen) {
2848 eapol_key_ie = kde.osen;
2849 eapol_key_ie_len = kde.osen_len;
2850 } else {
2851 eapol_key_ie = kde.wpa_ie;
2852 eapol_key_ie_len = kde.wpa_ie_len;
2853 }
2854 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2855 if (sm->wpa_ie == NULL ||
2856 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2857 eapol_key_ie, eapol_key_ie_len)) {
2858 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2859 "WPA IE from (Re)AssocReq did not match with msg 2/4");
2860 if (sm->wpa_ie) {
2861 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2862 sm->wpa_ie, sm->wpa_ie_len);
2863 }
2864 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2865 eapol_key_ie, eapol_key_ie_len);
2866 /* MLME-DEAUTHENTICATE.request */
2867 wpa_sta_disconnect(wpa_auth, sm->addr,
2868 WLAN_REASON_PREV_AUTH_NOT_VALID);
2869 return;
2870 }
2871 #ifdef CONFIG_OCV
2872 if (wpa_auth_uses_ocv(sm)) {
2873 struct wpa_channel_info ci;
2874 int tx_chanwidth;
2875 int tx_seg1_idx;
2876
2877 if (wpa_channel_info(wpa_auth, &ci) != 0) {
2878 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2879 "Failed to get channel info to validate received OCI in EAPOL-Key 2/4");
2880 return;
2881 }
2882
2883 if (get_sta_tx_parameters(sm,
2884 channel_width_to_int(ci.chanwidth),
2885 ci.seg1_idx, &tx_chanwidth,
2886 &tx_seg1_idx) < 0)
2887 return;
2888
2889 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
2890 tx_chanwidth, tx_seg1_idx) != 0) {
2891 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2892 ocv_errorstr);
2893 return;
2894 }
2895 }
2896 #endif /* CONFIG_OCV */
2897 #ifdef CONFIG_IEEE80211R_AP
2898 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
2899 wpa_sta_disconnect(wpa_auth, sm->addr,
2900 WLAN_REASON_PREV_AUTH_NOT_VALID);
2901 return;
2902 }
2903 #endif /* CONFIG_IEEE80211R_AP */
2904 #ifdef CONFIG_P2P
2905 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
2906 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
2907 int idx;
2908 wpa_printf(MSG_DEBUG,
2909 "P2P: IP address requested in EAPOL-Key exchange");
2910 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
2911 if (idx >= 0) {
2912 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
2913 bitfield_set(wpa_auth->ip_pool, idx);
2914 WPA_PUT_BE32(sm->ip_addr, start + idx);
2915 wpa_printf(MSG_DEBUG,
2916 "P2P: Assigned IP address %u.%u.%u.%u to "
2917 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
2918 sm->ip_addr[2], sm->ip_addr[3],
2919 MAC2STR(sm->addr));
2920 }
2921 }
2922 #endif /* CONFIG_P2P */
2923
2924 #ifdef CONFIG_IEEE80211R_AP
2925 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2926 /*
2927 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2928 * with the value we derived.
2929 */
2930 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2931 WPA_PMK_NAME_LEN) != 0) {
2932 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2933 "PMKR1Name mismatch in FT 4-way "
2934 "handshake");
2935 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2936 "Supplicant",
2937 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2938 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2939 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2940 return;
2941 }
2942 }
2943 #endif /* CONFIG_IEEE80211R_AP */
2944
2945 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
2946 wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) {
2947 wpa_sta_disconnect(wpa_auth, sm->addr,
2948 WLAN_REASON_PREV_AUTH_NOT_VALID);
2949 return;
2950 }
2951
2952 sm->pending_1_of_4_timeout = 0;
2953 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2954
2955 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2956 /* PSK may have changed from the previous choice, so update
2957 * state machine data based on whatever PSK was selected here.
2958 */
2959 os_memcpy(sm->PMK, pmk, PMK_LEN);
2960 sm->pmk_len = PMK_LEN;
2961 }
2962
2963 sm->MICVerified = TRUE;
2964
2965 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
2966 sm->PTK_valid = TRUE;
2967 }
2968
2969
2970 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
2971 {
2972 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
2973 sm->TimeoutCtr = 0;
2974 }
2975
2976
2977 #ifdef CONFIG_IEEE80211W
2978
2979 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2980 {
2981 if (sm->mgmt_frame_prot) {
2982 size_t len;
2983 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2984 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
2985 }
2986
2987 return 0;
2988 }
2989
2990
2991 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2992 {
2993 struct wpa_igtk_kde igtk;
2994 struct wpa_group *gsm = sm->group;
2995 u8 rsc[WPA_KEY_RSC_LEN];
2996 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2997
2998 if (!sm->mgmt_frame_prot)
2999 return pos;
3000
3001 igtk.keyid[0] = gsm->GN_igtk;
3002 igtk.keyid[1] = 0;
3003 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
3004 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
3005 os_memset(igtk.pn, 0, sizeof(igtk.pn));
3006 else
3007 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
3008 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
3009 if (sm->wpa_auth->conf.disable_gtk ||
3010 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3011 /*
3012 * Provide unique random IGTK to each STA to prevent use of
3013 * IGTK in the BSS.
3014 */
3015 if (random_get_bytes(igtk.igtk, len) < 0)
3016 return pos;
3017 }
3018 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
3019 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
3020 NULL, 0);
3021
3022 return pos;
3023 }
3024
3025 #else /* CONFIG_IEEE80211W */
3026
3027 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
3028 {
3029 return 0;
3030 }
3031
3032
3033 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
3034 {
3035 return pos;
3036 }
3037
3038 #endif /* CONFIG_IEEE80211W */
3039
3040
3041 static int ocv_oci_len(struct wpa_state_machine *sm)
3042 {
3043 #ifdef CONFIG_OCV
3044 if (wpa_auth_uses_ocv(sm))
3045 return OCV_OCI_KDE_LEN;
3046 #endif /* CONFIG_OCV */
3047 return 0;
3048 }
3049
3050 static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos)
3051 {
3052 #ifdef CONFIG_OCV
3053 struct wpa_channel_info ci;
3054
3055 if (!wpa_auth_uses_ocv(sm))
3056 return 0;
3057
3058 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
3059 wpa_printf(MSG_WARNING,
3060 "Failed to get channel info for OCI element");
3061 return -1;
3062 }
3063
3064 return ocv_insert_oci_kde(&ci, argpos);
3065 #else /* CONFIG_OCV */
3066 return 0;
3067 #endif /* CONFIG_OCV */
3068 }
3069
3070
3071 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
3072 {
3073 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
3074 size_t gtk_len, kde_len;
3075 struct wpa_group *gsm = sm->group;
3076 u8 *wpa_ie;
3077 int wpa_ie_len, secure, keyidx, encr = 0;
3078
3079 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
3080 sm->TimeoutEvt = FALSE;
3081
3082 sm->TimeoutCtr++;
3083 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3084 sm->TimeoutCtr > 1) {
3085 /* Do not allow retransmission of EAPOL-Key msg 3/4 */
3086 return;
3087 }
3088 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
3089 /* No point in sending the EAPOL-Key - we will disconnect
3090 * immediately following this. */
3091 return;
3092 }
3093
3094 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
3095 GTK[GN], IGTK, [FTIE], [TIE * 2])
3096 */
3097 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3098 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3099 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
3100 wpa_ie = sm->wpa_auth->wpa_ie;
3101 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
3102 if (sm->wpa == WPA_VERSION_WPA &&
3103 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
3104 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
3105 /* WPA-only STA, remove RSN IE and possible MDIE */
3106 wpa_ie = wpa_ie + wpa_ie[1] + 2;
3107 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
3108 wpa_ie = wpa_ie + wpa_ie[1] + 2;
3109 wpa_ie_len = wpa_ie[1] + 2;
3110 }
3111 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3112 "sending 3/4 msg of 4-Way Handshake");
3113 if (sm->wpa == WPA_VERSION_WPA2) {
3114 /* WPA2 send GTK in the 4-way handshake */
3115 secure = 1;
3116 gtk = gsm->GTK[gsm->GN - 1];
3117 gtk_len = gsm->GTK_len;
3118 if (sm->wpa_auth->conf.disable_gtk ||
3119 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3120 /*
3121 * Provide unique random GTK to each STA to prevent use
3122 * of GTK in the BSS.
3123 */
3124 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
3125 return;
3126 gtk = dummy_gtk;
3127 }
3128 keyidx = gsm->GN;
3129 _rsc = rsc;
3130 encr = 1;
3131 } else {
3132 /* WPA does not include GTK in msg 3/4 */
3133 secure = 0;
3134 gtk = NULL;
3135 gtk_len = 0;
3136 keyidx = 0;
3137 _rsc = NULL;
3138 if (sm->rx_eapol_key_secure) {
3139 /*
3140 * It looks like Windows 7 supplicant tries to use
3141 * Secure bit in msg 2/4 after having reported Michael
3142 * MIC failure and it then rejects the 4-way handshake
3143 * if msg 3/4 does not set Secure bit. Work around this
3144 * by setting the Secure bit here even in the case of
3145 * WPA if the supplicant used it first.
3146 */
3147 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3148 "STA used Secure bit in WPA msg 2/4 - "
3149 "set Secure for 3/4 as workaround");
3150 secure = 1;
3151 }
3152 }
3153
3154 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
3155 if (gtk)
3156 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
3157 #ifdef CONFIG_IEEE80211R_AP
3158 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3159 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
3160 kde_len += 300; /* FTIE + 2 * TIE */
3161 }
3162 #endif /* CONFIG_IEEE80211R_AP */
3163 #ifdef CONFIG_P2P
3164 if (WPA_GET_BE32(sm->ip_addr) > 0)
3165 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
3166 #endif /* CONFIG_P2P */
3167 kde = os_malloc(kde_len);
3168 if (kde == NULL)
3169 return;
3170
3171 pos = kde;
3172 os_memcpy(pos, wpa_ie, wpa_ie_len);
3173 pos += wpa_ie_len;
3174 #ifdef CONFIG_IEEE80211R_AP
3175 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3176 int res;
3177 size_t elen;
3178
3179 elen = pos - kde;
3180 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
3181 if (res < 0) {
3182 wpa_printf(MSG_ERROR, "FT: Failed to insert "
3183 "PMKR1Name into RSN IE in EAPOL-Key data");
3184 os_free(kde);
3185 return;
3186 }
3187 pos -= wpa_ie_len;
3188 pos += elen;
3189 }
3190 #endif /* CONFIG_IEEE80211R_AP */
3191 if (gtk) {
3192 u8 hdr[2];
3193 hdr[0] = keyidx & 0x03;
3194 hdr[1] = 0;
3195 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3196 gtk, gtk_len);
3197 }
3198 pos = ieee80211w_kde_add(sm, pos);
3199 if (ocv_oci_add(sm, &pos) < 0) {
3200 os_free(kde);
3201 return;
3202 }
3203
3204 #ifdef CONFIG_IEEE80211R_AP
3205 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3206 int res;
3207 struct wpa_auth_config *conf;
3208
3209 conf = &sm->wpa_auth->conf;
3210 if (sm->assoc_resp_ftie &&
3211 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
3212 os_memcpy(pos, sm->assoc_resp_ftie,
3213 2 + sm->assoc_resp_ftie[1]);
3214 res = 2 + sm->assoc_resp_ftie[1];
3215 } else {
3216 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
3217
3218 res = wpa_write_ftie(conf, use_sha384,
3219 conf->r0_key_holder,
3220 conf->r0_key_holder_len,
3221 NULL, NULL, pos,
3222 kde + kde_len - pos,
3223 NULL, 0);
3224 }
3225 if (res < 0) {
3226 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
3227 "into EAPOL-Key Key Data");
3228 os_free(kde);
3229 return;
3230 }
3231 pos += res;
3232
3233 /* TIE[ReassociationDeadline] (TU) */
3234 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3235 *pos++ = 5;
3236 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
3237 WPA_PUT_LE32(pos, conf->reassociation_deadline);
3238 pos += 4;
3239
3240 /* TIE[KeyLifetime] (seconds) */
3241 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3242 *pos++ = 5;
3243 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
3244 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
3245 pos += 4;
3246 }
3247 #endif /* CONFIG_IEEE80211R_AP */
3248 #ifdef CONFIG_P2P
3249 if (WPA_GET_BE32(sm->ip_addr) > 0) {
3250 u8 addr[3 * 4];
3251 os_memcpy(addr, sm->ip_addr, 4);
3252 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
3253 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
3254 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
3255 addr, sizeof(addr), NULL, 0);
3256 }
3257 #endif /* CONFIG_P2P */
3258
3259 wpa_send_eapol(sm->wpa_auth, sm,
3260 (secure ? WPA_KEY_INFO_SECURE : 0) |
3261 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3262 WPA_KEY_INFO_MIC : 0) |
3263 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
3264 WPA_KEY_INFO_KEY_TYPE,
3265 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
3266 os_free(kde);
3267 }
3268
3269
3270 SM_STATE(WPA_PTK, PTKINITDONE)
3271 {
3272 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
3273 sm->EAPOLKeyReceived = FALSE;
3274 if (sm->Pair) {
3275 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
3276 int klen = wpa_cipher_key_len(sm->pairwise);
3277 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
3278 sm->PTK.tk, klen)) {
3279 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3280 WLAN_REASON_PREV_AUTH_NOT_VALID);
3281 return;
3282 }
3283 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
3284 sm->pairwise_set = TRUE;
3285
3286 if (sm->wpa_auth->conf.wpa_ptk_rekey) {
3287 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
3288 eloop_register_timeout(sm->wpa_auth->conf.
3289 wpa_ptk_rekey, 0, wpa_rekey_ptk,
3290 sm->wpa_auth, sm);
3291 }
3292
3293 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3294 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
3295 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
3296 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3297 WPA_EAPOL_authorized, 1);
3298 }
3299 }
3300
3301 if (0 /* IBSS == TRUE */) {
3302 sm->keycount++;
3303 if (sm->keycount == 2) {
3304 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3305 WPA_EAPOL_portValid, 1);
3306 }
3307 } else {
3308 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
3309 1);
3310 }
3311 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
3312 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
3313 if (sm->wpa == WPA_VERSION_WPA)
3314 sm->PInitAKeys = TRUE;
3315 else
3316 sm->has_GTK = TRUE;
3317 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3318 "pairwise key handshake completed (%s)",
3319 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3320
3321 #ifdef CONFIG_IEEE80211R_AP
3322 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
3323 #endif /* CONFIG_IEEE80211R_AP */
3324 }
3325
3326
3327 SM_STEP(WPA_PTK)
3328 {
3329 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3330
3331 if (sm->Init)
3332 SM_ENTER(WPA_PTK, INITIALIZE);
3333 else if (sm->Disconnect
3334 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
3335 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
3336 "WPA_PTK: sm->Disconnect");
3337 SM_ENTER(WPA_PTK, DISCONNECT);
3338 }
3339 else if (sm->DeauthenticationRequest)
3340 SM_ENTER(WPA_PTK, DISCONNECTED);
3341 else if (sm->AuthenticationRequest)
3342 SM_ENTER(WPA_PTK, AUTHENTICATION);
3343 else if (sm->ReAuthenticationRequest)
3344 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3345 else if (sm->PTKRequest) {
3346 if (wpa_auth_sm_ptk_update(sm) < 0)
3347 SM_ENTER(WPA_PTK, DISCONNECTED);
3348 else
3349 SM_ENTER(WPA_PTK, PTKSTART);
3350 } else switch (sm->wpa_ptk_state) {
3351 case WPA_PTK_INITIALIZE:
3352 break;
3353 case WPA_PTK_DISCONNECT:
3354 SM_ENTER(WPA_PTK, DISCONNECTED);
3355 break;
3356 case WPA_PTK_DISCONNECTED:
3357 SM_ENTER(WPA_PTK, INITIALIZE);
3358 break;
3359 case WPA_PTK_AUTHENTICATION:
3360 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3361 break;
3362 case WPA_PTK_AUTHENTICATION2:
3363 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
3364 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
3365 WPA_EAPOL_keyRun) > 0)
3366 SM_ENTER(WPA_PTK, INITPMK);
3367 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3368 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
3369 /* FIX: && 802.1X::keyRun */)
3370 SM_ENTER(WPA_PTK, INITPSK);
3371 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
3372 SM_ENTER(WPA_PTK, INITPMK);
3373 break;
3374 case WPA_PTK_INITPMK:
3375 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
3376 WPA_EAPOL_keyAvailable) > 0) {
3377 SM_ENTER(WPA_PTK, PTKSTART);
3378 #ifdef CONFIG_DPP
3379 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) {
3380 SM_ENTER(WPA_PTK, PTKSTART);
3381 #endif /* CONFIG_DPP */
3382 } else {
3383 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3384 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3385 "INITPMK - keyAvailable = false");
3386 SM_ENTER(WPA_PTK, DISCONNECT);
3387 }
3388 break;
3389 case WPA_PTK_INITPSK:
3390 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
3391 NULL, NULL, NULL)) {
3392 SM_ENTER(WPA_PTK, PTKSTART);
3393 #ifdef CONFIG_SAE
3394 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) {
3395 SM_ENTER(WPA_PTK, PTKSTART);
3396 #endif /* CONFIG_SAE */
3397 } else {
3398 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3399 "no PSK configured for the STA");
3400 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3401 SM_ENTER(WPA_PTK, DISCONNECT);
3402 }
3403 break;
3404 case WPA_PTK_PTKSTART:
3405 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3406 sm->EAPOLKeyPairwise)
3407 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3408 else if (sm->TimeoutCtr >
3409 sm->wpa_auth->conf.wpa_pairwise_update_count) {
3410 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3411 wpa_auth_vlogger(
3412 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3413 "PTKSTART: Retry limit %u reached",
3414 sm->wpa_auth->conf.wpa_pairwise_update_count);
3415 SM_ENTER(WPA_PTK, DISCONNECT);
3416 } else if (sm->TimeoutEvt)
3417 SM_ENTER(WPA_PTK, PTKSTART);
3418 break;
3419 case WPA_PTK_PTKCALCNEGOTIATING:
3420 if (sm->MICVerified)
3421 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
3422 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3423 sm->EAPOLKeyPairwise)
3424 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3425 else if (sm->TimeoutEvt)
3426 SM_ENTER(WPA_PTK, PTKSTART);
3427 break;
3428 case WPA_PTK_PTKCALCNEGOTIATING2:
3429 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3430 break;
3431 case WPA_PTK_PTKINITNEGOTIATING:
3432 if (sm->update_snonce)
3433 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3434 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3435 sm->EAPOLKeyPairwise && sm->MICVerified)
3436 SM_ENTER(WPA_PTK, PTKINITDONE);
3437 else if (sm->TimeoutCtr >
3438 sm->wpa_auth->conf.wpa_pairwise_update_count ||
3439 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3440 sm->TimeoutCtr > 1)) {
3441 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3442 wpa_auth_vlogger(
3443 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3444 "PTKINITNEGOTIATING: Retry limit %u reached",
3445 sm->wpa_auth->conf.wpa_pairwise_update_count);
3446 SM_ENTER(WPA_PTK, DISCONNECT);
3447 } else if (sm->TimeoutEvt)
3448 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3449 break;
3450 case WPA_PTK_PTKINITDONE:
3451 break;
3452 }
3453 }
3454
3455
3456 SM_STATE(WPA_PTK_GROUP, IDLE)
3457 {
3458 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
3459 if (sm->Init) {
3460 /* Init flag is not cleared here, so avoid busy
3461 * loop by claiming nothing changed. */
3462 sm->changed = FALSE;
3463 }
3464 sm->GTimeoutCtr = 0;
3465 }
3466
3467
3468 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3469 {
3470 u8 rsc[WPA_KEY_RSC_LEN];
3471 struct wpa_group *gsm = sm->group;
3472 const u8 *kde;
3473 u8 *kde_buf = NULL, *pos, hdr[2];
3474 size_t kde_len;
3475 u8 *gtk, dummy_gtk[32];
3476
3477 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
3478
3479 sm->GTimeoutCtr++;
3480 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3481 sm->GTimeoutCtr > 1) {
3482 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */
3483 return;
3484 }
3485 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
3486 /* No point in sending the EAPOL-Key - we will disconnect
3487 * immediately following this. */
3488 return;
3489 }
3490
3491 if (sm->wpa == WPA_VERSION_WPA)
3492 sm->PInitAKeys = FALSE;
3493 sm->TimeoutEvt = FALSE;
3494 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3495 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3496 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3497 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3498 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3499 "sending 1/2 msg of Group Key Handshake");
3500
3501 gtk = gsm->GTK[gsm->GN - 1];
3502 if (sm->wpa_auth->conf.disable_gtk ||
3503 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3504 /*
3505 * Provide unique random GTK to each STA to prevent use
3506 * of GTK in the BSS.
3507 */
3508 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
3509 return;
3510 gtk = dummy_gtk;
3511 }
3512 if (sm->wpa == WPA_VERSION_WPA2) {
3513 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
3514 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
3515 kde_buf = os_malloc(kde_len);
3516 if (kde_buf == NULL)
3517 return;
3518
3519 kde = pos = kde_buf;
3520 hdr[0] = gsm->GN & 0x03;
3521 hdr[1] = 0;
3522 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3523 gtk, gsm->GTK_len);
3524 pos = ieee80211w_kde_add(sm, pos);
3525 if (ocv_oci_add(sm, &pos) < 0) {
3526 os_free(kde_buf);
3527 return;
3528 }
3529 kde_len = pos - kde;
3530 } else {
3531 kde = gtk;
3532 kde_len = gsm->GTK_len;
3533 }
3534
3535 wpa_send_eapol(sm->wpa_auth, sm,
3536 WPA_KEY_INFO_SECURE |
3537 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3538 WPA_KEY_INFO_MIC : 0) |
3539 WPA_KEY_INFO_ACK |
3540 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
3541 rsc, NULL, kde, kde_len, gsm->GN, 1);
3542
3543 os_free(kde_buf);
3544 }
3545
3546
3547 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3548 {
3549 #ifdef CONFIG_OCV
3550 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3551 const u8 *key_data, *mic;
3552 struct ieee802_1x_hdr *hdr;
3553 struct wpa_eapol_key *key;
3554 struct wpa_eapol_ie_parse kde;
3555 size_t mic_len;
3556 u16 key_data_length;
3557 #endif /* CONFIG_OCV */
3558
3559 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3560 sm->EAPOLKeyReceived = FALSE;
3561
3562 #ifdef CONFIG_OCV
3563 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3564
3565 /*
3566 * Note: last_rx_eapol_key length fields have already been validated in
3567 * wpa_receive().
3568 */
3569 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
3570 key = (struct wpa_eapol_key *) (hdr + 1);
3571 mic = (u8 *) (key + 1);
3572 key_data = mic + mic_len + 2;
3573 key_data_length = WPA_GET_BE16(mic + mic_len);
3574 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
3575 sizeof(*key) - mic_len - 2)
3576 return;
3577
3578 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
3579 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
3580 "received EAPOL-Key group msg 2/2 with invalid Key Data contents");
3581 return;
3582 }
3583
3584 if (wpa_auth_uses_ocv(sm)) {
3585 struct wpa_channel_info ci;
3586 int tx_chanwidth;
3587 int tx_seg1_idx;
3588
3589 if (wpa_channel_info(wpa_auth, &ci) != 0) {
3590 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3591 "Failed to get channel info to validate received OCI in EAPOL-Key group 1/2");
3592 return;
3593 }
3594
3595 if (get_sta_tx_parameters(sm,
3596 channel_width_to_int(ci.chanwidth),
3597 ci.seg1_idx, &tx_chanwidth,
3598 &tx_seg1_idx) < 0)
3599 return;
3600
3601 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
3602 tx_chanwidth, tx_seg1_idx) != 0) {
3603 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3604 ocv_errorstr);
3605 return;
3606 }
3607 }
3608 #endif /* CONFIG_OCV */
3609
3610 if (sm->GUpdateStationKeys)
3611 sm->group->GKeyDoneStations--;
3612 sm->GUpdateStationKeys = FALSE;
3613 sm->GTimeoutCtr = 0;
3614 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
3615 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3616 "group key handshake completed (%s)",
3617 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3618 sm->has_GTK = TRUE;
3619 }
3620
3621
3622 SM_STATE(WPA_PTK_GROUP, KEYERROR)
3623 {
3624 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
3625 if (sm->GUpdateStationKeys)
3626 sm->group->GKeyDoneStations--;
3627 sm->GUpdateStationKeys = FALSE;
3628 sm->Disconnect = TRUE;
3629 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3630 "group key handshake failed (%s) after %u tries",
3631 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
3632 sm->wpa_auth->conf.wpa_group_update_count);
3633 }
3634
3635
3636 SM_STEP(WPA_PTK_GROUP)
3637 {
3638 if (sm->Init || sm->PtkGroupInit) {
3639 SM_ENTER(WPA_PTK_GROUP, IDLE);
3640 sm->PtkGroupInit = FALSE;
3641 } else switch (sm->wpa_ptk_group_state) {
3642 case WPA_PTK_GROUP_IDLE:
3643 if (sm->GUpdateStationKeys ||
3644 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
3645 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3646 break;
3647 case WPA_PTK_GROUP_REKEYNEGOTIATING:
3648 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3649 !sm->EAPOLKeyPairwise && sm->MICVerified)
3650 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
3651 else if (sm->GTimeoutCtr >
3652 sm->wpa_auth->conf.wpa_group_update_count ||
3653 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3654 sm->GTimeoutCtr > 1))
3655 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
3656 else if (sm->TimeoutEvt)
3657 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3658 break;
3659 case WPA_PTK_GROUP_KEYERROR:
3660 SM_ENTER(WPA_PTK_GROUP, IDLE);
3661 break;
3662 case WPA_PTK_GROUP_REKEYESTABLISHED:
3663 SM_ENTER(WPA_PTK_GROUP, IDLE);
3664 break;
3665 }
3666 }
3667
3668
3669 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
3670 struct wpa_group *group)
3671 {
3672 int ret = 0;
3673
3674 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3675 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3676 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
3677 wpa_auth->addr, group->GNonce,
3678 group->GTK[group->GN - 1], group->GTK_len) < 0)
3679 ret = -1;
3680 wpa_hexdump_key(MSG_DEBUG, "GTK",
3681 group->GTK[group->GN - 1], group->GTK_len);
3682
3683 #ifdef CONFIG_IEEE80211W
3684 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3685 size_t len;
3686 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3687 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3688 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3689 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
3690 wpa_auth->addr, group->GNonce,
3691 group->IGTK[group->GN_igtk - 4], len) < 0)
3692 ret = -1;
3693 wpa_hexdump_key(MSG_DEBUG, "IGTK",
3694 group->IGTK[group->GN_igtk - 4], len);
3695 }
3696 #endif /* CONFIG_IEEE80211W */
3697
3698 return ret;
3699 }
3700
3701
3702 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
3703 struct wpa_group *group)
3704 {
3705 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3706 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
3707 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
3708 group->wpa_group_state = WPA_GROUP_GTK_INIT;
3709
3710 /* GTK[0..N] = 0 */
3711 os_memset(group->GTK, 0, sizeof(group->GTK));
3712 group->GN = 1;
3713 group->GM = 2;
3714 #ifdef CONFIG_IEEE80211W
3715 group->GN_igtk = 4;
3716 group->GM_igtk = 5;
3717 #endif /* CONFIG_IEEE80211W */
3718 /* GTK[GN] = CalcGTK() */
3719 wpa_gtk_update(wpa_auth, group);
3720 }
3721
3722
3723 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
3724 {
3725 if (ctx != NULL && ctx != sm->group)
3726 return 0;
3727
3728 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
3729 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3730 "Not in PTKINITDONE; skip Group Key update");
3731 sm->GUpdateStationKeys = FALSE;
3732 return 0;
3733 }
3734 if (sm->GUpdateStationKeys) {
3735 /*
3736 * This should not really happen, so add a debug log entry.
3737 * Since we clear the GKeyDoneStations before the loop, the
3738 * station needs to be counted here anyway.
3739 */
3740 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3741 "GUpdateStationKeys was already set when "
3742 "marking station for GTK rekeying");
3743 }
3744
3745 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
3746 if (sm->is_wnmsleep)
3747 return 0;
3748
3749 sm->group->GKeyDoneStations++;
3750 sm->GUpdateStationKeys = TRUE;
3751
3752 wpa_sm_step(sm);
3753 return 0;
3754 }
3755
3756
3757 #ifdef CONFIG_WNM_AP
3758 /* update GTK when exiting WNM-Sleep Mode */
3759 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
3760 {
3761 if (sm == NULL || sm->is_wnmsleep)
3762 return;
3763
3764 wpa_group_update_sta(sm, NULL);
3765 }
3766
3767
3768 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
3769 {
3770 if (sm)
3771 sm->is_wnmsleep = !!flag;
3772 }
3773
3774
3775 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3776 {
3777 struct wpa_group *gsm = sm->group;
3778 u8 *start = pos;
3779
3780 /*
3781 * GTK subelement:
3782 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
3783 * Key[5..32]
3784 */
3785 *pos++ = WNM_SLEEP_SUBELEM_GTK;
3786 *pos++ = 11 + gsm->GTK_len;
3787 /* Key ID in B0-B1 of Key Info */
3788 WPA_PUT_LE16(pos, gsm->GN & 0x03);
3789 pos += 2;
3790 *pos++ = gsm->GTK_len;
3791 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
3792 return 0;
3793 pos += 8;
3794 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3795 pos += gsm->GTK_len;
3796
3797 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
3798 gsm->GN);
3799 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
3800 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3801
3802 return pos - start;
3803 }
3804
3805
3806 #ifdef CONFIG_IEEE80211W
3807 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3808 {
3809 struct wpa_group *gsm = sm->group;
3810 u8 *start = pos;
3811 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
3812
3813 /*
3814 * IGTK subelement:
3815 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
3816 */
3817 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
3818 *pos++ = 2 + 6 + len;
3819 WPA_PUT_LE16(pos, gsm->GN_igtk);
3820 pos += 2;
3821 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
3822 return 0;
3823 pos += 6;
3824
3825 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
3826 pos += len;
3827
3828 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
3829 gsm->GN_igtk);
3830 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
3831 gsm->IGTK[gsm->GN_igtk - 4], len);
3832
3833 return pos - start;
3834 }
3835 #endif /* CONFIG_IEEE80211W */
3836 #endif /* CONFIG_WNM_AP */
3837
3838
3839 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
3840 struct wpa_group *group)
3841 {
3842 int tmp;
3843
3844 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3845 "SETKEYS (VLAN-ID %d)", group->vlan_id);
3846 group->changed = TRUE;
3847 group->wpa_group_state = WPA_GROUP_SETKEYS;
3848 group->GTKReKey = FALSE;
3849 tmp = group->GM;
3850 group->GM = group->GN;
3851 group->GN = tmp;
3852 #ifdef CONFIG_IEEE80211W
3853 tmp = group->GM_igtk;
3854 group->GM_igtk = group->GN_igtk;
3855 group->GN_igtk = tmp;
3856 #endif /* CONFIG_IEEE80211W */
3857 /* "GKeyDoneStations = GNoStations" is done in more robust way by
3858 * counting the STAs that are marked with GUpdateStationKeys instead of
3859 * including all STAs that could be in not-yet-completed state. */
3860 wpa_gtk_update(wpa_auth, group);
3861
3862 if (group->GKeyDoneStations) {
3863 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3864 "GKeyDoneStations=%d when starting new GTK rekey",
3865 group->GKeyDoneStations);
3866 group->GKeyDoneStations = 0;
3867 }
3868 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
3869 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3870 group->GKeyDoneStations);
3871 }
3872
3873
3874 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3875 struct wpa_group *group)
3876 {
3877 int ret = 0;
3878
3879 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
3880 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
3881 broadcast_ether_addr, group->GN,
3882 group->GTK[group->GN - 1], group->GTK_len) < 0)
3883 ret = -1;
3884
3885 #ifdef CONFIG_IEEE80211W
3886 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3887 enum wpa_alg alg;
3888 size_t len;
3889
3890 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3891 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3892
3893 if (ret == 0 &&
3894 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
3895 broadcast_ether_addr, group->GN_igtk,
3896 group->IGTK[group->GN_igtk - 4], len) < 0)
3897 ret = -1;
3898 }
3899 #endif /* CONFIG_IEEE80211W */
3900
3901 return ret;
3902 }
3903
3904
3905 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
3906 {
3907 if (sm->group == ctx) {
3908 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
3909 " for discconnection due to fatal failure",
3910 MAC2STR(sm->addr));
3911 sm->Disconnect = TRUE;
3912 }
3913
3914 return 0;
3915 }
3916
3917
3918 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
3919 struct wpa_group *group)
3920 {
3921 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
3922 group->changed = TRUE;
3923 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
3924 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
3925 }
3926
3927
3928 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
3929 struct wpa_group *group)
3930 {
3931 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3932 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
3933 group->changed = TRUE;
3934 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
3935
3936 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
3937 wpa_group_fatal_failure(wpa_auth, group);
3938 return -1;
3939 }
3940
3941 return 0;
3942 }
3943
3944
3945 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
3946 struct wpa_group *group)
3947 {
3948 if (group->GInit) {
3949 wpa_group_gtk_init(wpa_auth, group);
3950 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
3951 /* Do not allow group operations */
3952 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
3953 group->GTKAuthenticator) {
3954 wpa_group_setkeysdone(wpa_auth, group);
3955 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
3956 group->GTKReKey) {
3957 wpa_group_setkeys(wpa_auth, group);
3958 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
3959 if (group->GKeyDoneStations == 0)
3960 wpa_group_setkeysdone(wpa_auth, group);
3961 else if (group->GTKReKey)
3962 wpa_group_setkeys(wpa_auth, group);
3963 }
3964 }
3965
3966
3967 static int wpa_sm_step(struct wpa_state_machine *sm)
3968 {
3969 if (sm == NULL)
3970 return 0;
3971
3972 if (sm->in_step_loop) {
3973 /* This should not happen, but if it does, make sure we do not
3974 * end up freeing the state machine too early by exiting the
3975 * recursive call. */
3976 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
3977 return 0;
3978 }
3979
3980 sm->in_step_loop = 1;
3981 do {
3982 if (sm->pending_deinit)
3983 break;
3984
3985 sm->changed = FALSE;
3986 sm->wpa_auth->group->changed = FALSE;
3987
3988 SM_STEP_RUN(WPA_PTK);
3989 if (sm->pending_deinit)
3990 break;
3991 SM_STEP_RUN(WPA_PTK_GROUP);
3992 if (sm->pending_deinit)
3993 break;
3994 wpa_group_sm_step(sm->wpa_auth, sm->group);
3995 } while (sm->changed || sm->wpa_auth->group->changed);
3996 sm->in_step_loop = 0;
3997
3998 if (sm->pending_deinit) {
3999 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
4000 "machine deinit for " MACSTR, MAC2STR(sm->addr));
4001 wpa_free_sta_sm(sm);
4002 return 1;
4003 }
4004 return 0;
4005 }
4006
4007
4008 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
4009 {
4010 struct wpa_state_machine *sm = eloop_ctx;
4011 wpa_sm_step(sm);
4012 }
4013
4014
4015 void wpa_auth_sm_notify(struct wpa_state_machine *sm)
4016 {
4017 if (sm == NULL)
4018 return;
4019 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
4020 }
4021
4022
4023 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
4024 {
4025 int tmp, i;
4026 struct wpa_group *group;
4027
4028 if (wpa_auth == NULL)
4029 return;
4030
4031 group = wpa_auth->group;
4032
4033 for (i = 0; i < 2; i++) {
4034 tmp = group->GM;
4035 group->GM = group->GN;
4036 group->GN = tmp;
4037 #ifdef CONFIG_IEEE80211W
4038 tmp = group->GM_igtk;
4039 group->GM_igtk = group->GN_igtk;
4040 group->GN_igtk = tmp;
4041 #endif /* CONFIG_IEEE80211W */
4042 wpa_gtk_update(wpa_auth, group);
4043 wpa_group_config_group_keys(wpa_auth, group);
4044 }
4045 }
4046
4047
4048 static const char * wpa_bool_txt(int val)
4049 {
4050 return val ? "TRUE" : "FALSE";
4051 }
4052
4053
4054 #define RSN_SUITE "%02x-%02x-%02x-%d"
4055 #define RSN_SUITE_ARG(s) \
4056 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
4057
4058 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
4059 {
4060 int len = 0, ret;
4061 char pmkid_txt[PMKID_LEN * 2 + 1];
4062 #ifdef CONFIG_RSN_PREAUTH
4063 const int preauth = 1;
4064 #else /* CONFIG_RSN_PREAUTH */
4065 const int preauth = 0;
4066 #endif /* CONFIG_RSN_PREAUTH */
4067
4068 if (wpa_auth == NULL)
4069 return len;
4070
4071 ret = os_snprintf(buf + len, buflen - len,
4072 "dot11RSNAOptionImplemented=TRUE\n"
4073 "dot11RSNAPreauthenticationImplemented=%s\n"
4074 "dot11RSNAEnabled=%s\n"
4075 "dot11RSNAPreauthenticationEnabled=%s\n",
4076 wpa_bool_txt(preauth),
4077 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
4078 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
4079 if (os_snprintf_error(buflen - len, ret))
4080 return len;
4081 len += ret;
4082
4083 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
4084 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
4085
4086 ret = os_snprintf(
4087 buf + len, buflen - len,
4088 "dot11RSNAConfigVersion=%u\n"
4089 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
4090 /* FIX: dot11RSNAConfigGroupCipher */
4091 /* FIX: dot11RSNAConfigGroupRekeyMethod */
4092 /* FIX: dot11RSNAConfigGroupRekeyTime */
4093 /* FIX: dot11RSNAConfigGroupRekeyPackets */
4094 "dot11RSNAConfigGroupRekeyStrict=%u\n"
4095 "dot11RSNAConfigGroupUpdateCount=%u\n"
4096 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
4097 "dot11RSNAConfigGroupCipherSize=%u\n"
4098 "dot11RSNAConfigPMKLifetime=%u\n"
4099 "dot11RSNAConfigPMKReauthThreshold=%u\n"
4100 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
4101 "dot11RSNAConfigSATimeout=%u\n"
4102 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
4103 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
4104 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
4105 "dot11RSNAPMKIDUsed=%s\n"
4106 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
4107 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
4108 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
4109 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
4110 "dot11RSNA4WayHandshakeFailures=%u\n"
4111 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
4112 RSN_VERSION,
4113 !!wpa_auth->conf.wpa_strict_rekey,
4114 wpa_auth->conf.wpa_group_update_count,
4115 wpa_auth->conf.wpa_pairwise_update_count,
4116 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
4117 dot11RSNAConfigPMKLifetime,
4118 dot11RSNAConfigPMKReauthThreshold,
4119 dot11RSNAConfigSATimeout,
4120 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
4121 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
4122 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
4123 pmkid_txt,
4124 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
4125 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
4126 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
4127 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
4128 wpa_auth->dot11RSNA4WayHandshakeFailures);
4129 if (os_snprintf_error(buflen - len, ret))
4130 return len;
4131 len += ret;
4132
4133 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
4134 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
4135
4136 /* Private MIB */
4137 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
4138 wpa_auth->group->wpa_group_state);
4139 if (os_snprintf_error(buflen - len, ret))
4140 return len;
4141 len += ret;
4142
4143 return len;
4144 }
4145
4146
4147 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
4148 {
4149 int len = 0, ret;
4150 u32 pairwise = 0;
4151
4152 if (sm == NULL)
4153 return 0;
4154
4155 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
4156
4157 /* dot11RSNAStatsEntry */
4158
4159 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
4160 WPA_PROTO_RSN : WPA_PROTO_WPA,
4161 sm->pairwise);
4162 if (pairwise == 0)
4163 return 0;
4164
4165 ret = os_snprintf(
4166 buf + len, buflen - len,
4167 /* TODO: dot11RSNAStatsIndex */
4168 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
4169 "dot11RSNAStatsVersion=1\n"
4170 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
4171 /* TODO: dot11RSNAStatsTKIPICVErrors */
4172 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
4173 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
4174 /* TODO: dot11RSNAStatsCCMPReplays */
4175 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
4176 /* TODO: dot11RSNAStatsTKIPReplays */,
4177 MAC2STR(sm->addr),
4178 RSN_SUITE_ARG(pairwise),
4179 sm->dot11RSNAStatsTKIPLocalMICFailures,
4180 sm->dot11RSNAStatsTKIPRemoteMICFailures);
4181 if (os_snprintf_error(buflen - len, ret))
4182 return len;
4183 len += ret;
4184
4185 /* Private MIB */
4186 ret = os_snprintf(buf + len, buflen - len,
4187 "hostapdWPAPTKState=%d\n"
4188 "hostapdWPAPTKGroupState=%d\n",
4189 sm->wpa_ptk_state,
4190 sm->wpa_ptk_group_state);
4191 if (os_snprintf_error(buflen - len, ret))
4192 return len;
4193 len += ret;
4194
4195 return len;
4196 }
4197
4198
4199 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
4200 {
4201 if (wpa_auth)
4202 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
4203 }
4204
4205
4206 int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
4207 {
4208 return sm && sm->pairwise_set;
4209 }
4210
4211
4212 int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
4213 {
4214 return sm->pairwise;
4215 }
4216
4217
4218 const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len)
4219 {
4220 if (!sm)
4221 return NULL;
4222 *len = sm->pmk_len;
4223 return sm->PMK;
4224 }
4225
4226
4227 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
4228 {
4229 if (sm == NULL)
4230 return -1;
4231 return sm->wpa_key_mgmt;
4232 }
4233
4234
4235 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
4236 {
4237 if (sm == NULL)
4238 return 0;
4239 return sm->wpa;
4240 }
4241
4242
4243 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
4244 {
4245 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
4246 return 0;
4247 return sm->tk_already_set;
4248 }
4249
4250
4251 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm)
4252 {
4253 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt))
4254 return 0;
4255 return sm->tk_already_set;
4256 }
4257
4258
4259 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
4260 struct rsn_pmksa_cache_entry *entry)
4261 {
4262 if (sm == NULL || sm->pmksa != entry)
4263 return -1;
4264 sm->pmksa = NULL;
4265 return 0;
4266 }
4267
4268
4269 struct rsn_pmksa_cache_entry *
4270 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
4271 {
4272 return sm ? sm->pmksa : NULL;
4273 }
4274
4275
4276 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
4277 {
4278 if (sm)
4279 sm->dot11RSNAStatsTKIPLocalMICFailures++;
4280 }
4281
4282
4283 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
4284 {
4285 if (wpa_auth == NULL)
4286 return NULL;
4287 *len = wpa_auth->wpa_ie_len;
4288 return wpa_auth->wpa_ie;
4289 }
4290
4291
4292 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
4293 unsigned int pmk_len,
4294 int session_timeout, struct eapol_state_machine *eapol)
4295 {
4296 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
4297 sm->wpa_auth->conf.disable_pmksa_caching)
4298 return -1;
4299
4300 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
4301 if (pmk_len > PMK_LEN_SUITE_B_192)
4302 pmk_len = PMK_LEN_SUITE_B_192;
4303 } else if (pmk_len > PMK_LEN) {
4304 pmk_len = PMK_LEN;
4305 }
4306
4307 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
4308 sm->PTK.kck, sm->PTK.kck_len,
4309 sm->wpa_auth->addr, sm->addr, session_timeout,
4310 eapol, sm->wpa_key_mgmt))
4311 return 0;
4312
4313 return -1;
4314 }
4315
4316
4317 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
4318 const u8 *pmk, size_t len, const u8 *sta_addr,
4319 int session_timeout,
4320 struct eapol_state_machine *eapol)
4321 {
4322 if (wpa_auth == NULL)
4323 return -1;
4324
4325 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
4326 NULL, 0,
4327 wpa_auth->addr,
4328 sta_addr, session_timeout, eapol,
4329 WPA_KEY_MGMT_IEEE8021X))
4330 return 0;
4331
4332 return -1;
4333 }
4334
4335
4336 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
4337 const u8 *pmk, const u8 *pmkid)
4338 {
4339 if (wpa_auth->conf.disable_pmksa_caching)
4340 return -1;
4341
4342 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
4343 NULL, 0,
4344 wpa_auth->addr, addr, 0, NULL,
4345 WPA_KEY_MGMT_SAE))
4346 return 0;
4347
4348 return -1;
4349 }
4350
4351
4352 void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid)
4353 {
4354 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
4355 sm->pmkid_set = 1;
4356 }
4357
4358
4359 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
4360 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
4361 int session_timeout, int akmp)
4362 {
4363 if (wpa_auth->conf.disable_pmksa_caching)
4364 return -1;
4365
4366 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
4367 NULL, 0, wpa_auth->addr, addr, session_timeout,
4368 NULL, akmp))
4369 return 0;
4370
4371 return -1;
4372 }
4373
4374
4375 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
4376 const u8 *sta_addr)
4377 {
4378 struct rsn_pmksa_cache_entry *pmksa;
4379
4380 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
4381 return;
4382 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
4383 if (pmksa) {
4384 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
4385 MACSTR " based on request", MAC2STR(sta_addr));
4386 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
4387 }
4388 }
4389
4390
4391 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
4392 size_t len)
4393 {
4394 if (!wpa_auth || !wpa_auth->pmksa)
4395 return 0;
4396 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
4397 }
4398
4399
4400 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
4401 {
4402 if (wpa_auth && wpa_auth->pmksa)
4403 pmksa_cache_auth_flush(wpa_auth->pmksa);
4404 }
4405
4406
4407 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL
4408 #ifdef CONFIG_MESH
4409
4410 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
4411 char *buf, size_t len)
4412 {
4413 if (!wpa_auth || !wpa_auth->pmksa)
4414 return 0;
4415
4416 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
4417 }
4418
4419
4420 struct rsn_pmksa_cache_entry *
4421 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
4422 const u8 *pmkid, int expiration)
4423 {
4424 struct rsn_pmksa_cache_entry *entry;
4425 struct os_reltime now;
4426
4427 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa,
4428 spa, 0, NULL, WPA_KEY_MGMT_SAE);
4429 if (!entry)
4430 return NULL;
4431
4432 os_get_reltime(&now);
4433 entry->expiration = now.sec + expiration;
4434 return entry;
4435 }
4436
4437
4438 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
4439 struct rsn_pmksa_cache_entry *entry)
4440 {
4441 int ret;
4442
4443 if (!wpa_auth || !wpa_auth->pmksa)
4444 return -1;
4445
4446 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
4447 if (ret < 0)
4448 wpa_printf(MSG_DEBUG,
4449 "RSN: Failed to store external PMKSA cache for "
4450 MACSTR, MAC2STR(entry->spa));
4451
4452 return ret;
4453 }
4454
4455 #endif /* CONFIG_MESH */
4456 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
4457
4458
4459 struct rsn_pmksa_cache_entry *
4460 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
4461 const u8 *pmkid)
4462 {
4463 if (!wpa_auth || !wpa_auth->pmksa)
4464 return NULL;
4465 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
4466 }
4467
4468
4469 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
4470 struct wpa_state_machine *sm,
4471 struct wpa_authenticator *wpa_auth,
4472 u8 *pmkid, u8 *pmk)
4473 {
4474 if (!sm)
4475 return;
4476
4477 sm->pmksa = pmksa;
4478 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
4479 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
4480 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
4481 }
4482
4483
4484 /*
4485 * Remove and free the group from wpa_authenticator. This is triggered by a
4486 * callback to make sure nobody is currently iterating the group list while it
4487 * gets modified.
4488 */
4489 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
4490 struct wpa_group *group)
4491 {
4492 struct wpa_group *prev = wpa_auth->group;
4493
4494 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
4495 group->vlan_id);
4496
4497 while (prev) {
4498 if (prev->next == group) {
4499 /* This never frees the special first group as needed */
4500 prev->next = group->next;
4501 os_free(group);
4502 break;
4503 }
4504 prev = prev->next;
4505 }
4506
4507 }
4508
4509
4510 /* Increase the reference counter for group */
4511 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
4512 struct wpa_group *group)
4513 {
4514 /* Skip the special first group */
4515 if (wpa_auth->group == group)
4516 return;
4517
4518 group->references++;
4519 }
4520
4521
4522 /* Decrease the reference counter and maybe free the group */
4523 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
4524 struct wpa_group *group)
4525 {
4526 /* Skip the special first group */
4527 if (wpa_auth->group == group)
4528 return;
4529
4530 group->references--;
4531 if (group->references)
4532 return;
4533 wpa_group_free(wpa_auth, group);
4534 }
4535
4536
4537 /*
4538 * Add a group that has its references counter set to zero. Caller needs to
4539 * call wpa_group_get() on the return value to mark the entry in use.
4540 */
4541 static struct wpa_group *
4542 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4543 {
4544 struct wpa_group *group;
4545
4546 if (wpa_auth == NULL || wpa_auth->group == NULL)
4547 return NULL;
4548
4549 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
4550 vlan_id);
4551 group = wpa_group_init(wpa_auth, vlan_id, 0);
4552 if (group == NULL)
4553 return NULL;
4554
4555 group->next = wpa_auth->group->next;
4556 wpa_auth->group->next = group;
4557
4558 return group;
4559 }
4560
4561
4562 /*
4563 * Enforce that the group state machine for the VLAN is running, increase
4564 * reference counter as interface is up. References might have been increased
4565 * even if a negative value is returned.
4566 * Returns: -1 on error (group missing, group already failed); otherwise, 0
4567 */
4568 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4569 {
4570 struct wpa_group *group;
4571
4572 if (wpa_auth == NULL)
4573 return 0;
4574
4575 group = wpa_auth->group;
4576 while (group) {
4577 if (group->vlan_id == vlan_id)
4578 break;
4579 group = group->next;
4580 }
4581
4582 if (group == NULL) {
4583 group = wpa_auth_add_group(wpa_auth, vlan_id);
4584 if (group == NULL)
4585 return -1;
4586 }
4587
4588 wpa_printf(MSG_DEBUG,
4589 "WPA: Ensure group state machine running for VLAN ID %d",
4590 vlan_id);
4591
4592 wpa_group_get(wpa_auth, group);
4593 group->num_setup_iface++;
4594
4595 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4596 return -1;
4597
4598 return 0;
4599 }
4600
4601
4602 /*
4603 * Decrease reference counter, expected to be zero afterwards.
4604 * returns: -1 on error (group not found, group in fail state)
4605 * -2 if wpa_group is still referenced
4606 * 0 else
4607 */
4608 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4609 {
4610 struct wpa_group *group;
4611 int ret = 0;
4612
4613 if (wpa_auth == NULL)
4614 return 0;
4615
4616 group = wpa_auth->group;
4617 while (group) {
4618 if (group->vlan_id == vlan_id)
4619 break;
4620 group = group->next;
4621 }
4622
4623 if (group == NULL)
4624 return -1;
4625
4626 wpa_printf(MSG_DEBUG,
4627 "WPA: Try stopping group state machine for VLAN ID %d",
4628 vlan_id);
4629
4630 if (group->num_setup_iface <= 0) {
4631 wpa_printf(MSG_ERROR,
4632 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
4633 vlan_id);
4634 return -1;
4635 }
4636 group->num_setup_iface--;
4637
4638 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4639 ret = -1;
4640
4641 if (group->references > 1) {
4642 wpa_printf(MSG_DEBUG,
4643 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
4644 vlan_id);
4645 ret = -2;
4646 }
4647
4648 wpa_group_put(wpa_auth, group);
4649
4650 return ret;
4651 }
4652
4653
4654 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
4655 {
4656 struct wpa_group *group;
4657
4658 if (sm == NULL || sm->wpa_auth == NULL)
4659 return 0;
4660
4661 group = sm->wpa_auth->group;
4662 while (group) {
4663 if (group->vlan_id == vlan_id)
4664 break;
4665 group = group->next;
4666 }
4667
4668 if (group == NULL) {
4669 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
4670 if (group == NULL)
4671 return -1;
4672 }
4673
4674 if (sm->group == group)
4675 return 0;
4676
4677 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4678 return -1;
4679
4680 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
4681 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
4682
4683 wpa_group_get(sm->wpa_auth, group);
4684 wpa_group_put(sm->wpa_auth, sm->group);
4685 sm->group = group;
4686
4687 return 0;
4688 }
4689
4690
4691 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
4692 struct wpa_state_machine *sm, int ack)
4693 {
4694 if (wpa_auth == NULL || sm == NULL)
4695 return;
4696 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
4697 " ack=%d", MAC2STR(sm->addr), ack);
4698 if (sm->pending_1_of_4_timeout && ack) {
4699 /*
4700 * Some deployed supplicant implementations update their SNonce
4701 * for each EAPOL-Key 2/4 message even within the same 4-way
4702 * handshake and then fail to use the first SNonce when
4703 * deriving the PTK. This results in unsuccessful 4-way
4704 * handshake whenever the relatively short initial timeout is
4705 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
4706 * around this by increasing the timeout now that we know that
4707 * the station has received the frame.
4708 */
4709 int timeout_ms = eapol_key_timeout_subseq;
4710 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
4711 "timeout by %u ms because of acknowledged frame",
4712 timeout_ms);
4713 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
4714 eloop_register_timeout(timeout_ms / 1000,
4715 (timeout_ms % 1000) * 1000,
4716 wpa_send_eapol_timeout, wpa_auth, sm);
4717 }
4718
4719 #ifdef CONFIG_TESTING_OPTIONS
4720 if (sm->eapol_status_cb) {
4721 sm->eapol_status_cb(sm->eapol_status_cb_ctx1,
4722 sm->eapol_status_cb_ctx2);
4723 sm->eapol_status_cb = NULL;
4724 }
4725 #endif /* CONFIG_TESTING_OPTIONS */
4726 }
4727
4728
4729 int wpa_auth_uses_sae(struct wpa_state_machine *sm)
4730 {
4731 if (sm == NULL)
4732 return 0;
4733 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
4734 }
4735
4736
4737 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
4738 {
4739 if (sm == NULL)
4740 return 0;
4741 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
4742 }
4743
4744
4745 #ifdef CONFIG_P2P
4746 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
4747 {
4748 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
4749 return -1;
4750 os_memcpy(addr, sm->ip_addr, 4);
4751 return 0;
4752 }
4753 #endif /* CONFIG_P2P */
4754
4755
4756 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
4757 struct radius_das_attrs *attr)
4758 {
4759 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
4760 }
4761
4762
4763 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
4764 {
4765 struct wpa_group *group;
4766
4767 if (!wpa_auth)
4768 return;
4769 for (group = wpa_auth->group; group; group = group->next)
4770 wpa_group_config_group_keys(wpa_auth, group);
4771 }
4772
4773
4774 #ifdef CONFIG_FILS
4775
4776 struct wpa_auth_fils_iter_data {
4777 struct wpa_authenticator *auth;
4778 const u8 *cache_id;
4779 struct rsn_pmksa_cache_entry *pmksa;
4780 const u8 *spa;
4781 const u8 *pmkid;
4782 };
4783
4784
4785 static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
4786 {
4787 struct wpa_auth_fils_iter_data *data = ctx;
4788
4789 if (a == data->auth || !a->conf.fils_cache_id_set ||
4790 os_memcmp(a->conf.fils_cache_id, data->cache_id,
4791 FILS_CACHE_ID_LEN) != 0)
4792 return 0;
4793 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
4794 return data->pmksa != NULL;
4795 }
4796
4797
4798 struct rsn_pmksa_cache_entry *
4799 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
4800 const u8 *sta_addr, const u8 *pmkid)
4801 {
4802 struct wpa_auth_fils_iter_data idata;
4803
4804 if (!wpa_auth->conf.fils_cache_id_set)
4805 return NULL;
4806 idata.auth = wpa_auth;
4807 idata.cache_id = wpa_auth->conf.fils_cache_id;
4808 idata.pmksa = NULL;
4809 idata.spa = sta_addr;
4810 idata.pmkid = pmkid;
4811 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
4812 return idata.pmksa;
4813 }
4814
4815
4816 #ifdef CONFIG_IEEE80211R_AP
4817 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, int use_sha384,
4818 u8 *buf, size_t len)
4819 {
4820 struct wpa_auth_config *conf = &wpa_auth->conf;
4821
4822 return wpa_write_ftie(conf, use_sha384, conf->r0_key_holder,
4823 conf->r0_key_holder_len,
4824 NULL, NULL, buf, len, NULL, 0);
4825 }
4826 #endif /* CONFIG_IEEE80211R_AP */
4827
4828
4829 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
4830 u8 *fils_anonce, u8 *fils_snonce,
4831 u8 *fils_kek, size_t *fils_kek_len)
4832 {
4833 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
4834 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
4835 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
4836 *fils_kek_len = sm->PTK.kek_len;
4837 }
4838
4839 #endif /* CONFIG_FILS */
4840
4841
4842 void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg)
4843 {
4844 if (sm)
4845 sm->auth_alg = auth_alg;
4846 }
4847
4848
4849 #ifdef CONFIG_DPP2
4850 void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z)
4851 {
4852 if (sm) {
4853 wpabuf_clear_free(sm->dpp_z);
4854 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
4855 }
4856 }
4857 #endif /* CONFIG_DPP2 */
4858
4859
4860 #ifdef CONFIG_TESTING_OPTIONS
4861
4862 int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce,
4863 void (*cb)(void *ctx1, void *ctx2),
4864 void *ctx1, void *ctx2)
4865 {
4866 const u8 *anonce = sm->ANonce;
4867 u8 anonce_buf[WPA_NONCE_LEN];
4868
4869 if (change_anonce) {
4870 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN))
4871 return -1;
4872 anonce = anonce_buf;
4873 }
4874
4875 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4876 "sending 1/4 msg of 4-Way Handshake (TESTING)");
4877 wpa_send_eapol(sm->wpa_auth, sm,
4878 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
4879 anonce, NULL, 0, 0, 0);
4880 return 0;
4881 }
4882
4883
4884 int wpa_auth_resend_m3(struct wpa_state_machine *sm,
4885 void (*cb)(void *ctx1, void *ctx2),
4886 void *ctx1, void *ctx2)
4887 {
4888 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos;
4889 #ifdef CONFIG_IEEE80211W
4890 u8 *opos;
4891 #endif /* CONFIG_IEEE80211W */
4892 size_t gtk_len, kde_len;
4893 struct wpa_group *gsm = sm->group;
4894 u8 *wpa_ie;
4895 int wpa_ie_len, secure, keyidx, encr = 0;
4896
4897 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
4898 GTK[GN], IGTK, [FTIE], [TIE * 2])
4899 */
4900
4901 /* Use 0 RSC */
4902 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
4903 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
4904 wpa_ie = sm->wpa_auth->wpa_ie;
4905 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
4906 if (sm->wpa == WPA_VERSION_WPA &&
4907 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
4908 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
4909 /* WPA-only STA, remove RSN IE and possible MDIE */
4910 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4911 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
4912 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4913 wpa_ie_len = wpa_ie[1] + 2;
4914 }
4915 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4916 "sending 3/4 msg of 4-Way Handshake (TESTING)");
4917 if (sm->wpa == WPA_VERSION_WPA2) {
4918 /* WPA2 send GTK in the 4-way handshake */
4919 secure = 1;
4920 gtk = gsm->GTK[gsm->GN - 1];
4921 gtk_len = gsm->GTK_len;
4922 keyidx = gsm->GN;
4923 _rsc = rsc;
4924 encr = 1;
4925 } else {
4926 /* WPA does not include GTK in msg 3/4 */
4927 secure = 0;
4928 gtk = NULL;
4929 gtk_len = 0;
4930 keyidx = 0;
4931 _rsc = NULL;
4932 if (sm->rx_eapol_key_secure) {
4933 /*
4934 * It looks like Windows 7 supplicant tries to use
4935 * Secure bit in msg 2/4 after having reported Michael
4936 * MIC failure and it then rejects the 4-way handshake
4937 * if msg 3/4 does not set Secure bit. Work around this
4938 * by setting the Secure bit here even in the case of
4939 * WPA if the supplicant used it first.
4940 */
4941 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4942 "STA used Secure bit in WPA msg 2/4 - "
4943 "set Secure for 3/4 as workaround");
4944 secure = 1;
4945 }
4946 }
4947
4948 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
4949 if (gtk)
4950 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4951 #ifdef CONFIG_IEEE80211R_AP
4952 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4953 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
4954 kde_len += 300; /* FTIE + 2 * TIE */
4955 }
4956 #endif /* CONFIG_IEEE80211R_AP */
4957 kde = os_malloc(kde_len);
4958 if (kde == NULL)
4959 return -1;
4960
4961 pos = kde;
4962 os_memcpy(pos, wpa_ie, wpa_ie_len);
4963 pos += wpa_ie_len;
4964 #ifdef CONFIG_IEEE80211R_AP
4965 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4966 int res;
4967 size_t elen;
4968
4969 elen = pos - kde;
4970 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
4971 if (res < 0) {
4972 wpa_printf(MSG_ERROR, "FT: Failed to insert "
4973 "PMKR1Name into RSN IE in EAPOL-Key data");
4974 os_free(kde);
4975 return -1;
4976 }
4977 pos -= wpa_ie_len;
4978 pos += elen;
4979 }
4980 #endif /* CONFIG_IEEE80211R_AP */
4981 if (gtk) {
4982 u8 hdr[2];
4983 hdr[0] = keyidx & 0x03;
4984 hdr[1] = 0;
4985 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
4986 gtk, gtk_len);
4987 }
4988 #ifdef CONFIG_IEEE80211W
4989 opos = pos;
4990 pos = ieee80211w_kde_add(sm, pos);
4991 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
4992 /* skip KDE header and keyid */
4993 opos += 2 + RSN_SELECTOR_LEN + 2;
4994 os_memset(opos, 0, 6); /* clear PN */
4995 }
4996 #endif /* CONFIG_IEEE80211W */
4997 if (ocv_oci_add(sm, &pos) < 0) {
4998 os_free(kde);
4999 return -1;
5000 }
5001
5002 #ifdef CONFIG_IEEE80211R_AP
5003 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5004 int res;
5005 struct wpa_auth_config *conf;
5006
5007 conf = &sm->wpa_auth->conf;
5008 if (sm->assoc_resp_ftie &&
5009 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
5010 os_memcpy(pos, sm->assoc_resp_ftie,
5011 2 + sm->assoc_resp_ftie[1]);
5012 res = 2 + sm->assoc_resp_ftie[1];
5013 } else {
5014 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
5015
5016 res = wpa_write_ftie(conf, use_sha384,
5017 conf->r0_key_holder,
5018 conf->r0_key_holder_len,
5019 NULL, NULL, pos,
5020 kde + kde_len - pos,
5021 NULL, 0);
5022 }
5023 if (res < 0) {
5024 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
5025 "into EAPOL-Key Key Data");
5026 os_free(kde);
5027 return -1;
5028 }
5029 pos += res;
5030
5031 /* TIE[ReassociationDeadline] (TU) */
5032 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
5033 *pos++ = 5;
5034 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
5035 WPA_PUT_LE32(pos, conf->reassociation_deadline);
5036 pos += 4;
5037
5038 /* TIE[KeyLifetime] (seconds) */
5039 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
5040 *pos++ = 5;
5041 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
5042 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
5043 pos += 4;
5044 }
5045 #endif /* CONFIG_IEEE80211R_AP */
5046
5047 wpa_send_eapol(sm->wpa_auth, sm,
5048 (secure ? WPA_KEY_INFO_SECURE : 0) |
5049 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5050 WPA_KEY_INFO_MIC : 0) |
5051 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
5052 WPA_KEY_INFO_KEY_TYPE,
5053 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
5054 os_free(kde);
5055 return 0;
5056 }
5057
5058
5059 int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
5060 void (*cb)(void *ctx1, void *ctx2),
5061 void *ctx1, void *ctx2)
5062 {
5063 u8 rsc[WPA_KEY_RSC_LEN];
5064 struct wpa_group *gsm = sm->group;
5065 const u8 *kde;
5066 u8 *kde_buf = NULL, *pos, hdr[2];
5067 #ifdef CONFIG_IEEE80211W
5068 u8 *opos;
5069 #endif /* CONFIG_IEEE80211W */
5070 size_t kde_len;
5071 u8 *gtk;
5072
5073 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
5074 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
5075 /* Use 0 RSC */
5076 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
5077 "sending 1/2 msg of Group Key Handshake (TESTING)");
5078
5079 gtk = gsm->GTK[gsm->GN - 1];
5080 if (sm->wpa == WPA_VERSION_WPA2) {
5081 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
5082 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
5083 kde_buf = os_malloc(kde_len);
5084 if (kde_buf == NULL)
5085 return -1;
5086
5087 kde = pos = kde_buf;
5088 hdr[0] = gsm->GN & 0x03;
5089 hdr[1] = 0;
5090 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5091 gtk, gsm->GTK_len);
5092 #ifdef CONFIG_IEEE80211W
5093 opos = pos;
5094 pos = ieee80211w_kde_add(sm, pos);
5095 if (pos - opos >=
5096 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
5097 /* skip KDE header and keyid */
5098 opos += 2 + RSN_SELECTOR_LEN + 2;
5099 os_memset(opos, 0, 6); /* clear PN */
5100 }
5101 #endif /* CONFIG_IEEE80211W */
5102 if (ocv_oci_add(sm, &pos) < 0) {
5103 os_free(kde_buf);
5104 return -1;
5105 }
5106 kde_len = pos - kde;
5107 } else {
5108 kde = gtk;
5109 kde_len = gsm->GTK_len;
5110 }
5111
5112 sm->eapol_status_cb = cb;
5113 sm->eapol_status_cb_ctx1 = ctx1;
5114 sm->eapol_status_cb_ctx2 = ctx2;
5115
5116 wpa_send_eapol(sm->wpa_auth, sm,
5117 WPA_KEY_INFO_SECURE |
5118 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5119 WPA_KEY_INFO_MIC : 0) |
5120 WPA_KEY_INFO_ACK |
5121 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
5122 rsc, NULL, kde, kde_len, gsm->GN, 1);
5123
5124 os_free(kde_buf);
5125 return 0;
5126 }
5127
5128
5129 int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth)
5130 {
5131 if (!wpa_auth)
5132 return -1;
5133 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
5134 return eloop_register_timeout(0, 0, wpa_rekey_gtk, wpa_auth, NULL);
5135 }
5136
5137 #endif /* CONFIG_TESTING_OPTIONS */
Unnamed repository; edit this file 'description' to name the repository.