]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
FILS: Fix fils_cache_id check
[thirdparty/hostap.git] / src / ap / wpa_auth.c
1 /*
2 * IEEE 802.11 RSN / WPA Authenticator
3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/state_machine.h"
14 #include "utils/bitfield.h"
15 #include "common/ieee802_11_defs.h"
16 #include "crypto/aes.h"
17 #include "crypto/aes_wrap.h"
18 #include "crypto/aes_siv.h"
19 #include "crypto/crypto.h"
20 #include "crypto/sha1.h"
21 #include "crypto/sha256.h"
22 #include "crypto/random.h"
23 #include "eapol_auth/eapol_auth_sm.h"
24 #include "ap_config.h"
25 #include "ieee802_11.h"
26 #include "wpa_auth.h"
27 #include "pmksa_cache_auth.h"
28 #include "wpa_auth_i.h"
29 #include "wpa_auth_ie.h"
30
31 #define STATE_MACHINE_DATA struct wpa_state_machine
32 #define STATE_MACHINE_DEBUG_PREFIX "WPA"
33 #define STATE_MACHINE_ADDR sm->addr
34
35
36 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
37 static int wpa_sm_step(struct wpa_state_machine *sm);
38 static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
39 size_t data_len);
40 #ifdef CONFIG_FILS
41 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
42 u8 *buf, size_t buf_len, u16 *_key_data_len);
43 #endif /* CONFIG_FILS */
44 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
45 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
46 struct wpa_group *group);
47 static void wpa_request_new_ptk(struct wpa_state_machine *sm);
48 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
49 struct wpa_group *group);
50 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
51 struct wpa_group *group);
52 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
53 const u8 *pmk, unsigned int pmk_len,
54 struct wpa_ptk *ptk);
55 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
56 struct wpa_group *group);
57 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
58 struct wpa_group *group);
59 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
60 struct wpa_group *group);
61 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
62
63 static const u32 eapol_key_timeout_first = 100; /* ms */
64 static const u32 eapol_key_timeout_subseq = 1000; /* ms */
65 static const u32 eapol_key_timeout_first_group = 500; /* ms */
66
67 /* TODO: make these configurable */
68 static const int dot11RSNAConfigPMKLifetime = 43200;
69 static const int dot11RSNAConfigPMKReauthThreshold = 70;
70 static const int dot11RSNAConfigSATimeout = 60;
71
72
73 static inline int wpa_auth_mic_failure_report(
74 struct wpa_authenticator *wpa_auth, const u8 *addr)
75 {
76 if (wpa_auth->cb->mic_failure_report)
77 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
78 return 0;
79 }
80
81
82 static inline void wpa_auth_psk_failure_report(
83 struct wpa_authenticator *wpa_auth, const u8 *addr)
84 {
85 if (wpa_auth->cb->psk_failure_report)
86 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
87 }
88
89
90 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
91 const u8 *addr, wpa_eapol_variable var,
92 int value)
93 {
94 if (wpa_auth->cb->set_eapol)
95 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
96 }
97
98
99 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
100 const u8 *addr, wpa_eapol_variable var)
101 {
102 if (wpa_auth->cb->get_eapol == NULL)
103 return -1;
104 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
105 }
106
107
108 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
109 const u8 *addr,
110 const u8 *p2p_dev_addr,
111 const u8 *prev_psk)
112 {
113 if (wpa_auth->cb->get_psk == NULL)
114 return NULL;
115 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
116 prev_psk);
117 }
118
119
120 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
121 const u8 *addr, u8 *msk, size_t *len)
122 {
123 if (wpa_auth->cb->get_msk == NULL)
124 return -1;
125 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
126 }
127
128
129 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
130 int vlan_id,
131 enum wpa_alg alg, const u8 *addr, int idx,
132 u8 *key, size_t key_len)
133 {
134 if (wpa_auth->cb->set_key == NULL)
135 return -1;
136 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
137 key, key_len);
138 }
139
140
141 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
142 const u8 *addr, int idx, u8 *seq)
143 {
144 if (wpa_auth->cb->get_seqnum == NULL)
145 return -1;
146 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
147 }
148
149
150 static inline int
151 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
152 const u8 *data, size_t data_len, int encrypt)
153 {
154 if (wpa_auth->cb->send_eapol == NULL)
155 return -1;
156 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
157 encrypt);
158 }
159
160
161 #ifdef CONFIG_MESH
162 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
163 const u8 *addr)
164 {
165 if (wpa_auth->cb->start_ampe == NULL)
166 return -1;
167 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
168 }
169 #endif /* CONFIG_MESH */
170
171
172 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
173 int (*cb)(struct wpa_state_machine *sm, void *ctx),
174 void *cb_ctx)
175 {
176 if (wpa_auth->cb->for_each_sta == NULL)
177 return 0;
178 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
179 }
180
181
182 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
183 int (*cb)(struct wpa_authenticator *a, void *ctx),
184 void *cb_ctx)
185 {
186 if (wpa_auth->cb->for_each_auth == NULL)
187 return 0;
188 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
189 }
190
191
192 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
193 logger_level level, const char *txt)
194 {
195 if (wpa_auth->cb->logger == NULL)
196 return;
197 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
198 }
199
200
201 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
202 logger_level level, const char *fmt, ...)
203 {
204 char *format;
205 int maxlen;
206 va_list ap;
207
208 if (wpa_auth->cb->logger == NULL)
209 return;
210
211 maxlen = os_strlen(fmt) + 100;
212 format = os_malloc(maxlen);
213 if (!format)
214 return;
215
216 va_start(ap, fmt);
217 vsnprintf(format, maxlen, fmt, ap);
218 va_end(ap);
219
220 wpa_auth_logger(wpa_auth, addr, level, format);
221
222 os_free(format);
223 }
224
225
226 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
227 const u8 *addr)
228 {
229 if (wpa_auth->cb->disconnect == NULL)
230 return;
231 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
232 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr,
233 WLAN_REASON_PREV_AUTH_NOT_VALID);
234 }
235
236
237 static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
238 {
239 int ret = 0;
240 #ifdef CONFIG_IEEE80211R_AP
241 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
242 ret = 1;
243 #endif /* CONFIG_IEEE80211R_AP */
244 #ifdef CONFIG_IEEE80211W
245 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
246 ret = 1;
247 #endif /* CONFIG_IEEE80211W */
248 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
249 ret = 1;
250 return ret;
251 }
252
253
254 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
255 {
256 struct wpa_authenticator *wpa_auth = eloop_ctx;
257
258 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
259 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
260 "initialization.");
261 } else {
262 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
263 wpa_hexdump_key(MSG_DEBUG, "GMK",
264 wpa_auth->group->GMK, WPA_GMK_LEN);
265 }
266
267 if (wpa_auth->conf.wpa_gmk_rekey) {
268 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
269 wpa_rekey_gmk, wpa_auth, NULL);
270 }
271 }
272
273
274 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
275 {
276 struct wpa_authenticator *wpa_auth = eloop_ctx;
277 struct wpa_group *group, *next;
278
279 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
280 group = wpa_auth->group;
281 while (group) {
282 wpa_group_get(wpa_auth, group);
283
284 group->GTKReKey = TRUE;
285 do {
286 group->changed = FALSE;
287 wpa_group_sm_step(wpa_auth, group);
288 } while (group->changed);
289
290 next = group->next;
291 wpa_group_put(wpa_auth, group);
292 group = next;
293 }
294
295 if (wpa_auth->conf.wpa_group_rekey) {
296 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
297 0, wpa_rekey_gtk, wpa_auth, NULL);
298 }
299 }
300
301
302 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
303 {
304 struct wpa_authenticator *wpa_auth = eloop_ctx;
305 struct wpa_state_machine *sm = timeout_ctx;
306
307 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
308 wpa_request_new_ptk(sm);
309 wpa_sm_step(sm);
310 }
311
312
313 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
314 {
315 if (sm->pmksa == ctx)
316 sm->pmksa = NULL;
317 return 0;
318 }
319
320
321 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
322 void *ctx)
323 {
324 struct wpa_authenticator *wpa_auth = ctx;
325 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
326 }
327
328
329 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
330 struct wpa_group *group)
331 {
332 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
333 u8 rkey[32];
334 unsigned long ptr;
335
336 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
337 return -1;
338 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
339
340 /*
341 * Counter = PRF-256(Random number, "Init Counter",
342 * Local MAC Address || Time)
343 */
344 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
345 wpa_get_ntp_timestamp(buf + ETH_ALEN);
346 ptr = (unsigned long) group;
347 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
348 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
349 return -1;
350
351 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
352 group->Counter, WPA_NONCE_LEN) < 0)
353 return -1;
354 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
355 group->Counter, WPA_NONCE_LEN);
356
357 return 0;
358 }
359
360
361 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
362 int vlan_id, int delay_init)
363 {
364 struct wpa_group *group;
365
366 group = os_zalloc(sizeof(struct wpa_group));
367 if (group == NULL)
368 return NULL;
369
370 group->GTKAuthenticator = TRUE;
371 group->vlan_id = vlan_id;
372 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
373
374 if (random_pool_ready() != 1) {
375 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
376 "for secure operations - update keys later when "
377 "the first station connects");
378 }
379
380 /*
381 * Set initial GMK/Counter value here. The actual values that will be
382 * used in negotiations will be set once the first station tries to
383 * connect. This allows more time for collecting additional randomness
384 * on embedded devices.
385 */
386 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
387 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
388 "initialization.");
389 os_free(group);
390 return NULL;
391 }
392
393 group->GInit = TRUE;
394 if (delay_init) {
395 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
396 "until Beacon frames have been configured");
397 /* Initialization is completed in wpa_init_keys(). */
398 } else {
399 wpa_group_sm_step(wpa_auth, group);
400 group->GInit = FALSE;
401 wpa_group_sm_step(wpa_auth, group);
402 }
403
404 return group;
405 }
406
407
408 /**
409 * wpa_init - Initialize WPA authenticator
410 * @addr: Authenticator address
411 * @conf: Configuration for WPA authenticator
412 * @cb: Callback functions for WPA authenticator
413 * Returns: Pointer to WPA authenticator data or %NULL on failure
414 */
415 struct wpa_authenticator * wpa_init(const u8 *addr,
416 struct wpa_auth_config *conf,
417 const struct wpa_auth_callbacks *cb,
418 void *cb_ctx)
419 {
420 struct wpa_authenticator *wpa_auth;
421
422 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
423 if (wpa_auth == NULL)
424 return NULL;
425 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
426 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
427 wpa_auth->cb = cb;
428 wpa_auth->cb_ctx = cb_ctx;
429
430 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
431 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
432 os_free(wpa_auth);
433 return NULL;
434 }
435
436 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
437 if (wpa_auth->group == NULL) {
438 os_free(wpa_auth->wpa_ie);
439 os_free(wpa_auth);
440 return NULL;
441 }
442
443 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
444 wpa_auth);
445 if (wpa_auth->pmksa == NULL) {
446 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
447 os_free(wpa_auth->group);
448 os_free(wpa_auth->wpa_ie);
449 os_free(wpa_auth);
450 return NULL;
451 }
452
453 #ifdef CONFIG_IEEE80211R_AP
454 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
455 if (wpa_auth->ft_pmk_cache == NULL) {
456 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
457 os_free(wpa_auth->group);
458 os_free(wpa_auth->wpa_ie);
459 pmksa_cache_auth_deinit(wpa_auth->pmksa);
460 os_free(wpa_auth);
461 return NULL;
462 }
463 #endif /* CONFIG_IEEE80211R_AP */
464
465 if (wpa_auth->conf.wpa_gmk_rekey) {
466 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
467 wpa_rekey_gmk, wpa_auth, NULL);
468 }
469
470 if (wpa_auth->conf.wpa_group_rekey) {
471 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
472 wpa_rekey_gtk, wpa_auth, NULL);
473 }
474
475 #ifdef CONFIG_P2P
476 if (WPA_GET_BE32(conf->ip_addr_start)) {
477 int count = WPA_GET_BE32(conf->ip_addr_end) -
478 WPA_GET_BE32(conf->ip_addr_start) + 1;
479 if (count > 1000)
480 count = 1000;
481 if (count > 0)
482 wpa_auth->ip_pool = bitfield_alloc(count);
483 }
484 #endif /* CONFIG_P2P */
485
486 return wpa_auth;
487 }
488
489
490 int wpa_init_keys(struct wpa_authenticator *wpa_auth)
491 {
492 struct wpa_group *group = wpa_auth->group;
493
494 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
495 "keys");
496 wpa_group_sm_step(wpa_auth, group);
497 group->GInit = FALSE;
498 wpa_group_sm_step(wpa_auth, group);
499 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
500 return -1;
501 return 0;
502 }
503
504
505 /**
506 * wpa_deinit - Deinitialize WPA authenticator
507 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
508 */
509 void wpa_deinit(struct wpa_authenticator *wpa_auth)
510 {
511 struct wpa_group *group, *prev;
512
513 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
514 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
515
516 pmksa_cache_auth_deinit(wpa_auth->pmksa);
517
518 #ifdef CONFIG_IEEE80211R_AP
519 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
520 wpa_auth->ft_pmk_cache = NULL;
521 #endif /* CONFIG_IEEE80211R_AP */
522
523 #ifdef CONFIG_P2P
524 bitfield_free(wpa_auth->ip_pool);
525 #endif /* CONFIG_P2P */
526
527
528 os_free(wpa_auth->wpa_ie);
529
530 group = wpa_auth->group;
531 while (group) {
532 prev = group;
533 group = group->next;
534 os_free(prev);
535 }
536
537 os_free(wpa_auth);
538 }
539
540
541 /**
542 * wpa_reconfig - Update WPA authenticator configuration
543 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
544 * @conf: Configuration for WPA authenticator
545 */
546 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
547 struct wpa_auth_config *conf)
548 {
549 struct wpa_group *group;
550 if (wpa_auth == NULL)
551 return 0;
552
553 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
554 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
555 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
556 return -1;
557 }
558
559 /*
560 * Reinitialize GTK to make sure it is suitable for the new
561 * configuration.
562 */
563 group = wpa_auth->group;
564 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
565 group->GInit = TRUE;
566 wpa_group_sm_step(wpa_auth, group);
567 group->GInit = FALSE;
568 wpa_group_sm_step(wpa_auth, group);
569
570 return 0;
571 }
572
573
574 struct wpa_state_machine *
575 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
576 const u8 *p2p_dev_addr)
577 {
578 struct wpa_state_machine *sm;
579
580 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
581 return NULL;
582
583 sm = os_zalloc(sizeof(struct wpa_state_machine));
584 if (sm == NULL)
585 return NULL;
586 os_memcpy(sm->addr, addr, ETH_ALEN);
587 if (p2p_dev_addr)
588 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
589
590 sm->wpa_auth = wpa_auth;
591 sm->group = wpa_auth->group;
592 wpa_group_get(sm->wpa_auth, sm->group);
593
594 return sm;
595 }
596
597
598 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
599 struct wpa_state_machine *sm)
600 {
601 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
602 return -1;
603
604 #ifdef CONFIG_IEEE80211R_AP
605 if (sm->ft_completed) {
606 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
607 "FT authentication already completed - do not "
608 "start 4-way handshake");
609 /* Go to PTKINITDONE state to allow GTK rekeying */
610 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
611 sm->Pair = TRUE;
612 return 0;
613 }
614 #endif /* CONFIG_IEEE80211R_AP */
615
616 #ifdef CONFIG_FILS
617 if (sm->fils_completed) {
618 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
619 "FILS authentication already completed - do not start 4-way handshake");
620 /* Go to PTKINITDONE state to allow GTK rekeying */
621 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
622 sm->Pair = TRUE;
623 return 0;
624 }
625 #endif /* CONFIG_FILS */
626
627 if (sm->started) {
628 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
629 sm->ReAuthenticationRequest = TRUE;
630 return wpa_sm_step(sm);
631 }
632
633 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
634 "start authentication");
635 sm->started = 1;
636
637 sm->Init = TRUE;
638 if (wpa_sm_step(sm) == 1)
639 return 1; /* should not really happen */
640 sm->Init = FALSE;
641 sm->AuthenticationRequest = TRUE;
642 return wpa_sm_step(sm);
643 }
644
645
646 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
647 {
648 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
649 * reassociates back to the same AP while the previous entry for the
650 * STA has not yet been removed. */
651 if (sm == NULL)
652 return;
653
654 sm->wpa_key_mgmt = 0;
655 }
656
657
658 static void wpa_free_sta_sm(struct wpa_state_machine *sm)
659 {
660 #ifdef CONFIG_P2P
661 if (WPA_GET_BE32(sm->ip_addr)) {
662 u32 start;
663 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
664 "address %u.%u.%u.%u from " MACSTR,
665 sm->ip_addr[0], sm->ip_addr[1],
666 sm->ip_addr[2], sm->ip_addr[3],
667 MAC2STR(sm->addr));
668 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
669 bitfield_clear(sm->wpa_auth->ip_pool,
670 WPA_GET_BE32(sm->ip_addr) - start);
671 }
672 #endif /* CONFIG_P2P */
673 if (sm->GUpdateStationKeys) {
674 sm->group->GKeyDoneStations--;
675 sm->GUpdateStationKeys = FALSE;
676 }
677 #ifdef CONFIG_IEEE80211R_AP
678 os_free(sm->assoc_resp_ftie);
679 wpabuf_free(sm->ft_pending_req_ies);
680 #endif /* CONFIG_IEEE80211R_AP */
681 os_free(sm->last_rx_eapol_key);
682 os_free(sm->wpa_ie);
683 wpa_group_put(sm->wpa_auth, sm->group);
684 os_free(sm);
685 }
686
687
688 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
689 {
690 if (sm == NULL)
691 return;
692
693 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
694 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
695 "strict rekeying - force GTK rekey since STA "
696 "is leaving");
697 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
698 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
699 NULL);
700 }
701
702 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
703 sm->pending_1_of_4_timeout = 0;
704 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
705 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
706 if (sm->in_step_loop) {
707 /* Must not free state machine while wpa_sm_step() is running.
708 * Freeing will be completed in the end of wpa_sm_step(). */
709 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
710 "machine deinit for " MACSTR, MAC2STR(sm->addr));
711 sm->pending_deinit = 1;
712 } else
713 wpa_free_sta_sm(sm);
714 }
715
716
717 static void wpa_request_new_ptk(struct wpa_state_machine *sm)
718 {
719 if (sm == NULL)
720 return;
721
722 sm->PTKRequest = TRUE;
723 sm->PTK_valid = 0;
724 }
725
726
727 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
728 const u8 *replay_counter)
729 {
730 int i;
731 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
732 if (!ctr[i].valid)
733 break;
734 if (os_memcmp(replay_counter, ctr[i].counter,
735 WPA_REPLAY_COUNTER_LEN) == 0)
736 return 1;
737 }
738 return 0;
739 }
740
741
742 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
743 const u8 *replay_counter)
744 {
745 int i;
746 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
747 if (ctr[i].valid &&
748 (replay_counter == NULL ||
749 os_memcmp(replay_counter, ctr[i].counter,
750 WPA_REPLAY_COUNTER_LEN) == 0))
751 ctr[i].valid = FALSE;
752 }
753 }
754
755
756 #ifdef CONFIG_IEEE80211R_AP
757 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
758 struct wpa_state_machine *sm,
759 struct wpa_eapol_ie_parse *kde)
760 {
761 struct wpa_ie_data ie;
762 struct rsn_mdie *mdie;
763
764 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
765 ie.num_pmkid != 1 || ie.pmkid == NULL) {
766 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
767 "FT 4-way handshake message 2/4");
768 return -1;
769 }
770
771 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
772 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
773 sm->sup_pmk_r1_name, PMKID_LEN);
774
775 if (!kde->mdie || !kde->ftie) {
776 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
777 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
778 return -1;
779 }
780
781 mdie = (struct rsn_mdie *) (kde->mdie + 2);
782 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
783 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
784 MOBILITY_DOMAIN_ID_LEN) != 0) {
785 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
786 return -1;
787 }
788
789 if (sm->assoc_resp_ftie &&
790 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
791 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
792 2 + sm->assoc_resp_ftie[1]) != 0)) {
793 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
794 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
795 kde->ftie, kde->ftie_len);
796 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
797 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
798 return -1;
799 }
800
801 return 0;
802 }
803 #endif /* CONFIG_IEEE80211R_AP */
804
805
806 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
807 struct wpa_state_machine *sm, int group)
808 {
809 /* Supplicant reported a Michael MIC error */
810 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
811 "received EAPOL-Key Error Request "
812 "(STA detected Michael MIC failure (group=%d))",
813 group);
814
815 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
816 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
817 "ignore Michael MIC failure report since "
818 "group cipher is not TKIP");
819 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
820 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
821 "ignore Michael MIC failure report since "
822 "pairwise cipher is not TKIP");
823 } else {
824 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
825 return 1; /* STA entry was removed */
826 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
827 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
828 }
829
830 /*
831 * Error report is not a request for a new key handshake, but since
832 * Authenticator may do it, let's change the keys now anyway.
833 */
834 wpa_request_new_ptk(sm);
835 return 0;
836 }
837
838
839 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
840 size_t data_len)
841 {
842 struct wpa_ptk PTK;
843 int ok = 0;
844 const u8 *pmk = NULL;
845 unsigned int pmk_len;
846
847 os_memset(&PTK, 0, sizeof(PTK));
848 for (;;) {
849 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
850 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
851 sm->p2p_dev_addr, pmk);
852 if (pmk == NULL)
853 break;
854 pmk_len = PMK_LEN;
855 } else {
856 pmk = sm->PMK;
857 pmk_len = sm->pmk_len;
858 }
859
860 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0)
861 break;
862
863 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, data, data_len)
864 == 0) {
865 ok = 1;
866 break;
867 }
868
869 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
870 break;
871 }
872
873 if (!ok) {
874 wpa_printf(MSG_DEBUG,
875 "WPA: Earlier SNonce did not result in matching MIC");
876 return -1;
877 }
878
879 wpa_printf(MSG_DEBUG,
880 "WPA: Earlier SNonce resulted in matching MIC");
881 sm->alt_snonce_valid = 0;
882 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
883 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
884 sm->PTK_valid = TRUE;
885
886 return 0;
887 }
888
889
890 void wpa_receive(struct wpa_authenticator *wpa_auth,
891 struct wpa_state_machine *sm,
892 u8 *data, size_t data_len)
893 {
894 struct ieee802_1x_hdr *hdr;
895 struct wpa_eapol_key *key;
896 u16 key_info, key_data_length;
897 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
898 SMK_M1, SMK_M3, SMK_ERROR } msg;
899 char *msgtxt;
900 struct wpa_eapol_ie_parse kde;
901 const u8 *key_data;
902 size_t keyhdrlen, mic_len;
903 u8 *mic;
904
905 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
906 return;
907 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
908
909 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
910 keyhdrlen = sizeof(*key) + mic_len + 2;
911
912 if (data_len < sizeof(*hdr) + keyhdrlen) {
913 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
914 return;
915 }
916
917 hdr = (struct ieee802_1x_hdr *) data;
918 key = (struct wpa_eapol_key *) (hdr + 1);
919 mic = (u8 *) (key + 1);
920 key_info = WPA_GET_BE16(key->key_info);
921 key_data = mic + mic_len + 2;
922 key_data_length = WPA_GET_BE16(mic + mic_len);
923 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
924 " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
925 MAC2STR(sm->addr), key_info, key->type,
926 (unsigned int) mic_len, key_data_length);
927 wpa_hexdump(MSG_MSGDUMP,
928 "WPA: EAPOL-Key header (ending before Key MIC)",
929 key, sizeof(*key));
930 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
931 mic, mic_len);
932 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
933 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
934 "key_data overflow (%d > %lu)",
935 key_data_length,
936 (unsigned long) (data_len - sizeof(*hdr) -
937 keyhdrlen));
938 return;
939 }
940
941 if (sm->wpa == WPA_VERSION_WPA2) {
942 if (key->type == EAPOL_KEY_TYPE_WPA) {
943 /*
944 * Some deployed station implementations seem to send
945 * msg 4/4 with incorrect type value in WPA2 mode.
946 */
947 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
948 "with unexpected WPA type in RSN mode");
949 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
950 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
951 "unexpected type %d in RSN mode",
952 key->type);
953 return;
954 }
955 } else {
956 if (key->type != EAPOL_KEY_TYPE_WPA) {
957 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
958 "unexpected type %d in WPA mode",
959 key->type);
960 return;
961 }
962 }
963
964 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
965 WPA_NONCE_LEN);
966 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
967 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
968
969 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
970 * are set */
971
972 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
973 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
974 if (key_info & WPA_KEY_INFO_ERROR) {
975 msg = SMK_ERROR;
976 msgtxt = "SMK Error";
977 } else {
978 msg = SMK_M1;
979 msgtxt = "SMK M1";
980 }
981 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
982 msg = SMK_M3;
983 msgtxt = "SMK M3";
984 } else if (key_info & WPA_KEY_INFO_REQUEST) {
985 msg = REQUEST;
986 msgtxt = "Request";
987 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
988 msg = GROUP_2;
989 msgtxt = "2/2 Group";
990 } else if (key_data_length == 0 ||
991 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
992 key_data_length == AES_BLOCK_SIZE)) {
993 msg = PAIRWISE_4;
994 msgtxt = "4/4 Pairwise";
995 } else {
996 msg = PAIRWISE_2;
997 msgtxt = "2/4 Pairwise";
998 }
999
1000 /* TODO: key_info type validation for PeerKey */
1001 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1002 msg == GROUP_2) {
1003 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
1004 if (sm->pairwise == WPA_CIPHER_CCMP ||
1005 sm->pairwise == WPA_CIPHER_GCMP) {
1006 if (wpa_use_aes_cmac(sm) &&
1007 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
1008 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
1009 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1010 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1011 wpa_auth_logger(wpa_auth, sm->addr,
1012 LOGGER_WARNING,
1013 "advertised support for "
1014 "AES-128-CMAC, but did not "
1015 "use it");
1016 return;
1017 }
1018
1019 if (!wpa_use_aes_cmac(sm) &&
1020 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1021 sm->wpa_key_mgmt != WPA_KEY_MGMT_OWE &&
1022 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1023 wpa_auth_logger(wpa_auth, sm->addr,
1024 LOGGER_WARNING,
1025 "did not use HMAC-SHA1-AES "
1026 "with CCMP/GCMP");
1027 return;
1028 }
1029 }
1030
1031 if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1032 wpa_key_mgmt_fils(sm->wpa_key_mgmt) ||
1033 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) &&
1034 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1035 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1036 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1037 return;
1038 }
1039 }
1040
1041 if (key_info & WPA_KEY_INFO_REQUEST) {
1042 if (sm->req_replay_counter_used &&
1043 os_memcmp(key->replay_counter, sm->req_replay_counter,
1044 WPA_REPLAY_COUNTER_LEN) <= 0) {
1045 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1046 "received EAPOL-Key request with "
1047 "replayed counter");
1048 return;
1049 }
1050 }
1051
1052 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
1053 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
1054 int i;
1055
1056 if (msg == PAIRWISE_2 &&
1057 wpa_replay_counter_valid(sm->prev_key_replay,
1058 key->replay_counter) &&
1059 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1060 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1061 {
1062 /*
1063 * Some supplicant implementations (e.g., Windows XP
1064 * WZC) update SNonce for each EAPOL-Key 2/4. This
1065 * breaks the workaround on accepting any of the
1066 * pending requests, so allow the SNonce to be updated
1067 * even if we have already sent out EAPOL-Key 3/4.
1068 */
1069 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1070 "Process SNonce update from STA "
1071 "based on retransmitted EAPOL-Key "
1072 "1/4");
1073 sm->update_snonce = 1;
1074 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1075 sm->alt_snonce_valid = TRUE;
1076 os_memcpy(sm->alt_replay_counter,
1077 sm->key_replay[0].counter,
1078 WPA_REPLAY_COUNTER_LEN);
1079 goto continue_processing;
1080 }
1081
1082 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1083 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1084 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1085 WPA_REPLAY_COUNTER_LEN) == 0) {
1086 /*
1087 * Supplicant may still be using the old SNonce since
1088 * there was two EAPOL-Key 2/4 messages and they had
1089 * different SNonce values.
1090 */
1091 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1092 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
1093 goto continue_processing;
1094 }
1095
1096 if (msg == PAIRWISE_2 &&
1097 wpa_replay_counter_valid(sm->prev_key_replay,
1098 key->replay_counter) &&
1099 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1100 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1101 "ignore retransmitted EAPOL-Key %s - "
1102 "SNonce did not change", msgtxt);
1103 } else {
1104 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1105 "received EAPOL-Key %s with "
1106 "unexpected replay counter", msgtxt);
1107 }
1108 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1109 if (!sm->key_replay[i].valid)
1110 break;
1111 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1112 sm->key_replay[i].counter,
1113 WPA_REPLAY_COUNTER_LEN);
1114 }
1115 wpa_hexdump(MSG_DEBUG, "received replay counter",
1116 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1117 return;
1118 }
1119
1120 continue_processing:
1121 #ifdef CONFIG_FILS
1122 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1123 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1124 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1125 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1126 return;
1127 }
1128 #endif /* CONFIG_FILS */
1129
1130 switch (msg) {
1131 case PAIRWISE_2:
1132 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
1133 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1134 (!sm->update_snonce ||
1135 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
1136 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1137 "received EAPOL-Key msg 2/4 in "
1138 "invalid state (%d) - dropped",
1139 sm->wpa_ptk_state);
1140 return;
1141 }
1142 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
1143 if (sm->group->reject_4way_hs_for_entropy) {
1144 /*
1145 * The system did not have enough entropy to generate
1146 * strong random numbers. Reject the first 4-way
1147 * handshake(s) and collect some entropy based on the
1148 * information from it. Once enough entropy is
1149 * available, the next atempt will trigger GMK/Key
1150 * Counter update and the station will be allowed to
1151 * continue.
1152 */
1153 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1154 "collect more entropy for random number "
1155 "generation");
1156 random_mark_pool_ready();
1157 wpa_sta_disconnect(wpa_auth, sm->addr);
1158 return;
1159 }
1160 break;
1161 case PAIRWISE_4:
1162 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1163 !sm->PTK_valid) {
1164 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1165 "received EAPOL-Key msg 4/4 in "
1166 "invalid state (%d) - dropped",
1167 sm->wpa_ptk_state);
1168 return;
1169 }
1170 break;
1171 case GROUP_2:
1172 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1173 || !sm->PTK_valid) {
1174 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1175 "received EAPOL-Key msg 2/2 in "
1176 "invalid state (%d) - dropped",
1177 sm->wpa_ptk_group_state);
1178 return;
1179 }
1180 break;
1181 #ifdef CONFIG_PEERKEY
1182 case SMK_M1:
1183 case SMK_M3:
1184 case SMK_ERROR:
1185 if (!wpa_auth->conf.peerkey) {
1186 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1187 "PeerKey use disabled - ignoring message");
1188 return;
1189 }
1190 if (!sm->PTK_valid) {
1191 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1192 "received EAPOL-Key msg SMK in "
1193 "invalid state - dropped");
1194 return;
1195 }
1196 break;
1197 #else /* CONFIG_PEERKEY */
1198 case SMK_M1:
1199 case SMK_M3:
1200 case SMK_ERROR:
1201 return; /* STSL disabled - ignore SMK messages */
1202 #endif /* CONFIG_PEERKEY */
1203 case REQUEST:
1204 break;
1205 }
1206
1207 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1208 "received EAPOL-Key frame (%s)", msgtxt);
1209
1210 if (key_info & WPA_KEY_INFO_ACK) {
1211 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1212 "received invalid EAPOL-Key: Key Ack set");
1213 return;
1214 }
1215
1216 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1217 !(key_info & WPA_KEY_INFO_MIC)) {
1218 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1219 "received invalid EAPOL-Key: Key MIC not set");
1220 return;
1221 }
1222
1223 #ifdef CONFIG_FILS
1224 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1225 (key_info & WPA_KEY_INFO_MIC)) {
1226 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1227 "received invalid EAPOL-Key: Key MIC set");
1228 return;
1229 }
1230 #endif /* CONFIG_FILS */
1231
1232 sm->MICVerified = FALSE;
1233 if (sm->PTK_valid && !sm->update_snonce) {
1234 if (mic_len &&
1235 wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data,
1236 data_len) &&
1237 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1238 wpa_try_alt_snonce(sm, data, data_len))) {
1239 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1240 "received EAPOL-Key with invalid MIC");
1241 return;
1242 }
1243 #ifdef CONFIG_FILS
1244 if (!mic_len &&
1245 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1246 &key_data_length) < 0) {
1247 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1248 "received EAPOL-Key with invalid MIC");
1249 return;
1250 }
1251 #endif /* CONFIG_FILS */
1252 sm->MICVerified = TRUE;
1253 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1254 sm->pending_1_of_4_timeout = 0;
1255 }
1256
1257 if (key_info & WPA_KEY_INFO_REQUEST) {
1258 if (sm->MICVerified) {
1259 sm->req_replay_counter_used = 1;
1260 os_memcpy(sm->req_replay_counter, key->replay_counter,
1261 WPA_REPLAY_COUNTER_LEN);
1262 } else {
1263 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1264 "received EAPOL-Key request with "
1265 "invalid MIC");
1266 return;
1267 }
1268
1269 /*
1270 * TODO: should decrypt key data field if encryption was used;
1271 * even though MAC address KDE is not normally encrypted,
1272 * supplicant is allowed to encrypt it.
1273 */
1274 if (msg == SMK_ERROR) {
1275 #ifdef CONFIG_PEERKEY
1276 wpa_smk_error(wpa_auth, sm, key_data, key_data_length);
1277 #endif /* CONFIG_PEERKEY */
1278 return;
1279 } else if (key_info & WPA_KEY_INFO_ERROR) {
1280 if (wpa_receive_error_report(
1281 wpa_auth, sm,
1282 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1283 return; /* STA entry was removed */
1284 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1285 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1286 "received EAPOL-Key Request for new "
1287 "4-Way Handshake");
1288 wpa_request_new_ptk(sm);
1289 #ifdef CONFIG_PEERKEY
1290 } else if (msg == SMK_M1) {
1291 wpa_smk_m1(wpa_auth, sm, key, key_data,
1292 key_data_length);
1293 #endif /* CONFIG_PEERKEY */
1294 } else if (key_data_length > 0 &&
1295 wpa_parse_kde_ies(key_data, key_data_length,
1296 &kde) == 0 &&
1297 kde.mac_addr) {
1298 } else {
1299 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1300 "received EAPOL-Key Request for GTK "
1301 "rekeying");
1302 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1303 wpa_rekey_gtk(wpa_auth, NULL);
1304 }
1305 } else {
1306 /* Do not allow the same key replay counter to be reused. */
1307 wpa_replay_counter_mark_invalid(sm->key_replay,
1308 key->replay_counter);
1309
1310 if (msg == PAIRWISE_2) {
1311 /*
1312 * Maintain a copy of the pending EAPOL-Key frames in
1313 * case the EAPOL-Key frame was retransmitted. This is
1314 * needed to allow EAPOL-Key msg 2/4 reply to another
1315 * pending msg 1/4 to update the SNonce to work around
1316 * unexpected supplicant behavior.
1317 */
1318 os_memcpy(sm->prev_key_replay, sm->key_replay,
1319 sizeof(sm->key_replay));
1320 } else {
1321 os_memset(sm->prev_key_replay, 0,
1322 sizeof(sm->prev_key_replay));
1323 }
1324
1325 /*
1326 * Make sure old valid counters are not accepted anymore and
1327 * do not get copied again.
1328 */
1329 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1330 }
1331
1332 #ifdef CONFIG_PEERKEY
1333 if (msg == SMK_M3) {
1334 wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length);
1335 return;
1336 }
1337 #endif /* CONFIG_PEERKEY */
1338
1339 os_free(sm->last_rx_eapol_key);
1340 sm->last_rx_eapol_key = os_memdup(data, data_len);
1341 if (sm->last_rx_eapol_key == NULL)
1342 return;
1343 sm->last_rx_eapol_key_len = data_len;
1344
1345 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1346 sm->EAPOLKeyReceived = TRUE;
1347 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1348 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1349 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1350 wpa_sm_step(sm);
1351 }
1352
1353
1354 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1355 const u8 *gnonce, u8 *gtk, size_t gtk_len)
1356 {
1357 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1358 u8 *pos;
1359 int ret = 0;
1360
1361 /* GTK = PRF-X(GMK, "Group key expansion",
1362 * AA || GNonce || Time || random data)
1363 * The example described in the IEEE 802.11 standard uses only AA and
1364 * GNonce as inputs here. Add some more entropy since this derivation
1365 * is done only at the Authenticator and as such, does not need to be
1366 * exactly same.
1367 */
1368 os_memcpy(data, addr, ETH_ALEN);
1369 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1370 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1371 wpa_get_ntp_timestamp(pos);
1372 pos += 8;
1373 if (random_get_bytes(pos, 16) < 0)
1374 ret = -1;
1375
1376 #ifdef CONFIG_IEEE80211W
1377 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
1378 #else /* CONFIG_IEEE80211W */
1379 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1380 < 0)
1381 ret = -1;
1382 #endif /* CONFIG_IEEE80211W */
1383
1384 return ret;
1385 }
1386
1387
1388 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1389 {
1390 struct wpa_authenticator *wpa_auth = eloop_ctx;
1391 struct wpa_state_machine *sm = timeout_ctx;
1392
1393 sm->pending_1_of_4_timeout = 0;
1394 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1395 sm->TimeoutEvt = TRUE;
1396 wpa_sm_step(sm);
1397 }
1398
1399
1400 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1401 struct wpa_state_machine *sm, int key_info,
1402 const u8 *key_rsc, const u8 *nonce,
1403 const u8 *kde, size_t kde_len,
1404 int keyidx, int encr, int force_version)
1405 {
1406 struct ieee802_1x_hdr *hdr;
1407 struct wpa_eapol_key *key;
1408 size_t len, mic_len, keyhdrlen;
1409 int alg;
1410 int key_data_len, pad_len = 0;
1411 u8 *buf, *pos;
1412 int version, pairwise;
1413 int i;
1414 u8 *key_mic, *key_data;
1415
1416 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
1417 keyhdrlen = sizeof(*key) + mic_len + 2;
1418
1419 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
1420
1421 if (force_version)
1422 version = force_version;
1423 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1424 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
1425 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1426 wpa_key_mgmt_fils(sm->wpa_key_mgmt))
1427 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
1428 else if (wpa_use_aes_cmac(sm))
1429 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1430 else if (sm->pairwise != WPA_CIPHER_TKIP)
1431 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1432 else
1433 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1434
1435 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1436
1437 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1438 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1439 "encr=%d)",
1440 version,
1441 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1442 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1443 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1444 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1445 pairwise, (unsigned long) kde_len, keyidx, encr);
1446
1447 key_data_len = kde_len;
1448
1449 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1450 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
1451 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1452 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1453 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1454 pad_len = key_data_len % 8;
1455 if (pad_len)
1456 pad_len = 8 - pad_len;
1457 key_data_len += pad_len + 8;
1458 }
1459
1460 len += key_data_len;
1461 if (!mic_len && encr)
1462 len += AES_BLOCK_SIZE;
1463
1464 hdr = os_zalloc(len);
1465 if (hdr == NULL)
1466 return;
1467 hdr->version = wpa_auth->conf.eapol_version;
1468 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1469 hdr->length = host_to_be16(len - sizeof(*hdr));
1470 key = (struct wpa_eapol_key *) (hdr + 1);
1471 key_mic = (u8 *) (key + 1);
1472 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
1473
1474 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1475 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1476 key_info |= version;
1477 if (encr && sm->wpa == WPA_VERSION_WPA2)
1478 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1479 if (sm->wpa != WPA_VERSION_WPA2)
1480 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1481 WPA_PUT_BE16(key->key_info, key_info);
1482
1483 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
1484 if ((key_info & WPA_KEY_INFO_SMK_MESSAGE) ||
1485 (sm->wpa == WPA_VERSION_WPA2 && !pairwise))
1486 WPA_PUT_BE16(key->key_length, 0);
1487 else
1488 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
1489
1490 /* FIX: STSL: what to use as key_replay_counter? */
1491 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1492 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1493 os_memcpy(sm->key_replay[i].counter,
1494 sm->key_replay[i - 1].counter,
1495 WPA_REPLAY_COUNTER_LEN);
1496 }
1497 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1498 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
1499 WPA_REPLAY_COUNTER_LEN);
1500 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1501 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1502 sm->key_replay[0].valid = TRUE;
1503
1504 if (nonce)
1505 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1506
1507 if (key_rsc)
1508 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1509
1510 if (kde && !encr) {
1511 os_memcpy(key_data, kde, kde_len);
1512 WPA_PUT_BE16(key_mic + mic_len, kde_len);
1513 #ifdef CONFIG_FILS
1514 } else if (!mic_len) {
1515 const u8 *aad[1];
1516 size_t aad_len[1];
1517
1518 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1519 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1520 kde, kde_len);
1521
1522 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1523 sm->PTK.kek, sm->PTK.kek_len);
1524 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1525 * to Key Data (exclusive). */
1526 aad[0] = (u8 *) hdr;
1527 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1528 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1529 1, aad, aad_len, key_mic + 2) < 0) {
1530 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1531 return;
1532 }
1533
1534 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1535 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1536 #endif /* CONFIG_FILS */
1537 } else if (encr && kde) {
1538 buf = os_zalloc(key_data_len);
1539 if (buf == NULL) {
1540 os_free(hdr);
1541 return;
1542 }
1543 pos = buf;
1544 os_memcpy(pos, kde, kde_len);
1545 pos += kde_len;
1546
1547 if (pad_len)
1548 *pos++ = 0xdd;
1549
1550 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1551 buf, key_data_len);
1552 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1553 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
1554 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1555 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1556 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1557 wpa_printf(MSG_DEBUG,
1558 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)",
1559 (unsigned int) sm->PTK.kek_len);
1560 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
1561 (key_data_len - 8) / 8, buf, key_data)) {
1562 os_free(hdr);
1563 os_free(buf);
1564 return;
1565 }
1566 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
1567 #ifndef CONFIG_NO_RC4
1568 } else if (sm->PTK.kek_len == 16) {
1569 u8 ek[32];
1570
1571 wpa_printf(MSG_DEBUG,
1572 "WPA: Encrypt Key Data using RC4");
1573 os_memcpy(key->key_iv,
1574 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1575 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1576 os_memcpy(ek, key->key_iv, 16);
1577 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
1578 os_memcpy(key_data, buf, key_data_len);
1579 rc4_skip(ek, 32, 256, key_data, key_data_len);
1580 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
1581 #endif /* CONFIG_NO_RC4 */
1582 } else {
1583 os_free(hdr);
1584 os_free(buf);
1585 return;
1586 }
1587 os_free(buf);
1588 }
1589
1590 if (key_info & WPA_KEY_INFO_MIC) {
1591 if (!sm->PTK_valid || !mic_len) {
1592 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1593 "PTK not valid when sending EAPOL-Key "
1594 "frame");
1595 os_free(hdr);
1596 return;
1597 }
1598
1599 wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1600 sm->wpa_key_mgmt, version,
1601 (u8 *) hdr, len, key_mic);
1602 #ifdef CONFIG_TESTING_OPTIONS
1603 if (!pairwise &&
1604 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
1605 drand48() <
1606 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1607 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1608 "Corrupting group EAPOL-Key Key MIC");
1609 key_mic[0]++;
1610 }
1611 #endif /* CONFIG_TESTING_OPTIONS */
1612 }
1613
1614 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1615 1);
1616 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1617 sm->pairwise_set);
1618 os_free(hdr);
1619 }
1620
1621
1622 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1623 struct wpa_state_machine *sm, int key_info,
1624 const u8 *key_rsc, const u8 *nonce,
1625 const u8 *kde, size_t kde_len,
1626 int keyidx, int encr)
1627 {
1628 int timeout_ms;
1629 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1630 u32 ctr;
1631
1632 if (sm == NULL)
1633 return;
1634
1635 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1636 keyidx, encr, 0);
1637
1638 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
1639 if (ctr == 1 && wpa_auth->conf.tx_status)
1640 timeout_ms = pairwise ? eapol_key_timeout_first :
1641 eapol_key_timeout_first_group;
1642 else
1643 timeout_ms = eapol_key_timeout_subseq;
1644 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1645 sm->pending_1_of_4_timeout = 1;
1646 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
1647 "counter %u)", timeout_ms, ctr);
1648 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1649 wpa_send_eapol_timeout, wpa_auth, sm);
1650 }
1651
1652
1653 static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
1654 size_t data_len)
1655 {
1656 struct ieee802_1x_hdr *hdr;
1657 struct wpa_eapol_key *key;
1658 u16 key_info;
1659 int ret = 0;
1660 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
1661 size_t mic_len = wpa_mic_len(akmp);
1662
1663 if (data_len < sizeof(*hdr) + sizeof(*key))
1664 return -1;
1665
1666 hdr = (struct ieee802_1x_hdr *) data;
1667 key = (struct wpa_eapol_key *) (hdr + 1);
1668 mic_pos = (u8 *) (key + 1);
1669 key_info = WPA_GET_BE16(key->key_info);
1670 os_memcpy(mic, mic_pos, mic_len);
1671 os_memset(mic_pos, 0, mic_len);
1672 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1673 key_info & WPA_KEY_INFO_TYPE_MASK,
1674 data, data_len, mic_pos) ||
1675 os_memcmp_const(mic, mic_pos, mic_len) != 0)
1676 ret = -1;
1677 os_memcpy(mic_pos, mic, mic_len);
1678 return ret;
1679 }
1680
1681
1682 void wpa_remove_ptk(struct wpa_state_machine *sm)
1683 {
1684 sm->PTK_valid = FALSE;
1685 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1686 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1687 0))
1688 wpa_printf(MSG_DEBUG,
1689 "RSN: PTK removal from the driver failed");
1690 sm->pairwise_set = FALSE;
1691 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
1692 }
1693
1694
1695 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
1696 {
1697 int remove_ptk = 1;
1698
1699 if (sm == NULL)
1700 return -1;
1701
1702 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1703 "event %d notification", event);
1704
1705 switch (event) {
1706 case WPA_AUTH:
1707 #ifdef CONFIG_MESH
1708 /* PTKs are derived through AMPE */
1709 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1710 /* not mesh */
1711 break;
1712 }
1713 return 0;
1714 #endif /* CONFIG_MESH */
1715 case WPA_ASSOC:
1716 break;
1717 case WPA_DEAUTH:
1718 case WPA_DISASSOC:
1719 sm->DeauthenticationRequest = TRUE;
1720 break;
1721 case WPA_REAUTH:
1722 case WPA_REAUTH_EAPOL:
1723 if (!sm->started) {
1724 /*
1725 * When using WPS, we may end up here if the STA
1726 * manages to re-associate without the previous STA
1727 * entry getting removed. Consequently, we need to make
1728 * sure that the WPA state machines gets initialized
1729 * properly at this point.
1730 */
1731 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1732 "started - initialize now");
1733 sm->started = 1;
1734 sm->Init = TRUE;
1735 if (wpa_sm_step(sm) == 1)
1736 return 1; /* should not really happen */
1737 sm->Init = FALSE;
1738 sm->AuthenticationRequest = TRUE;
1739 break;
1740 }
1741 if (sm->GUpdateStationKeys) {
1742 /*
1743 * Reauthentication cancels the pending group key
1744 * update for this STA.
1745 */
1746 sm->group->GKeyDoneStations--;
1747 sm->GUpdateStationKeys = FALSE;
1748 sm->PtkGroupInit = TRUE;
1749 }
1750 sm->ReAuthenticationRequest = TRUE;
1751 break;
1752 case WPA_ASSOC_FT:
1753 #ifdef CONFIG_IEEE80211R_AP
1754 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1755 "after association");
1756 wpa_ft_install_ptk(sm);
1757
1758 /* Using FT protocol, not WPA auth state machine */
1759 sm->ft_completed = 1;
1760 return 0;
1761 #else /* CONFIG_IEEE80211R_AP */
1762 break;
1763 #endif /* CONFIG_IEEE80211R_AP */
1764 }
1765
1766 #ifdef CONFIG_IEEE80211R_AP
1767 sm->ft_completed = 0;
1768 #endif /* CONFIG_IEEE80211R_AP */
1769
1770 #ifdef CONFIG_IEEE80211W
1771 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1772 remove_ptk = 0;
1773 #endif /* CONFIG_IEEE80211W */
1774 #ifdef CONFIG_FILS
1775 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1776 (event == WPA_AUTH || event == WPA_ASSOC))
1777 remove_ptk = 0;
1778 #endif /* CONFIG_FILS */
1779
1780 if (remove_ptk) {
1781 sm->PTK_valid = FALSE;
1782 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1783
1784 if (event != WPA_REAUTH_EAPOL)
1785 wpa_remove_ptk(sm);
1786 }
1787
1788 if (sm->in_step_loop) {
1789 /*
1790 * wpa_sm_step() is already running - avoid recursive call to
1791 * it by making the existing loop process the new update.
1792 */
1793 sm->changed = TRUE;
1794 return 0;
1795 }
1796 return wpa_sm_step(sm);
1797 }
1798
1799
1800 SM_STATE(WPA_PTK, INITIALIZE)
1801 {
1802 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1803 if (sm->Init) {
1804 /* Init flag is not cleared here, so avoid busy
1805 * loop by claiming nothing changed. */
1806 sm->changed = FALSE;
1807 }
1808
1809 sm->keycount = 0;
1810 if (sm->GUpdateStationKeys)
1811 sm->group->GKeyDoneStations--;
1812 sm->GUpdateStationKeys = FALSE;
1813 if (sm->wpa == WPA_VERSION_WPA)
1814 sm->PInitAKeys = FALSE;
1815 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1816 * Local AA > Remote AA)) */) {
1817 sm->Pair = TRUE;
1818 }
1819 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1820 wpa_remove_ptk(sm);
1821 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1822 sm->TimeoutCtr = 0;
1823 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
1824 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
1825 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1826 WPA_EAPOL_authorized, 0);
1827 }
1828 }
1829
1830
1831 SM_STATE(WPA_PTK, DISCONNECT)
1832 {
1833 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1834 sm->Disconnect = FALSE;
1835 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1836 }
1837
1838
1839 SM_STATE(WPA_PTK, DISCONNECTED)
1840 {
1841 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1842 sm->DeauthenticationRequest = FALSE;
1843 }
1844
1845
1846 SM_STATE(WPA_PTK, AUTHENTICATION)
1847 {
1848 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1849 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1850 sm->PTK_valid = FALSE;
1851 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1852 1);
1853 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1854 sm->AuthenticationRequest = FALSE;
1855 }
1856
1857
1858 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1859 struct wpa_group *group)
1860 {
1861 if (group->first_sta_seen)
1862 return;
1863 /*
1864 * System has run bit further than at the time hostapd was started
1865 * potentially very early during boot up. This provides better chances
1866 * of collecting more randomness on embedded systems. Re-initialize the
1867 * GMK and Counter here to improve their strength if there was not
1868 * enough entropy available immediately after system startup.
1869 */
1870 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1871 "station");
1872 if (random_pool_ready() != 1) {
1873 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1874 "to proceed - reject first 4-way handshake");
1875 group->reject_4way_hs_for_entropy = TRUE;
1876 } else {
1877 group->first_sta_seen = TRUE;
1878 group->reject_4way_hs_for_entropy = FALSE;
1879 }
1880
1881 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1882 wpa_gtk_update(wpa_auth, group) < 0 ||
1883 wpa_group_config_group_keys(wpa_auth, group) < 0) {
1884 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1885 group->first_sta_seen = FALSE;
1886 group->reject_4way_hs_for_entropy = TRUE;
1887 }
1888 }
1889
1890
1891 SM_STATE(WPA_PTK, AUTHENTICATION2)
1892 {
1893 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1894
1895 wpa_group_ensure_init(sm->wpa_auth, sm->group);
1896 sm->ReAuthenticationRequest = FALSE;
1897
1898 /*
1899 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1900 * ambiguous. The Authenticator state machine uses a counter that is
1901 * incremented by one for each 4-way handshake. However, the security
1902 * analysis of 4-way handshake points out that unpredictable nonces
1903 * help in preventing precomputation attacks. Instead of the state
1904 * machine definition, use an unpredictable nonce value here to provide
1905 * stronger protection against potential precomputation attacks.
1906 */
1907 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1908 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1909 "ANonce.");
1910 sm->Disconnect = TRUE;
1911 return;
1912 }
1913 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1914 WPA_NONCE_LEN);
1915 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1916 * logical place than INITIALIZE since AUTHENTICATION2 can be
1917 * re-entered on ReAuthenticationRequest without going through
1918 * INITIALIZE. */
1919 sm->TimeoutCtr = 0;
1920 }
1921
1922
1923 SM_STATE(WPA_PTK, INITPMK)
1924 {
1925 u8 msk[2 * PMK_LEN];
1926 size_t len = 2 * PMK_LEN;
1927
1928 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
1929 #ifdef CONFIG_IEEE80211R_AP
1930 sm->xxkey_len = 0;
1931 #endif /* CONFIG_IEEE80211R_AP */
1932 if (sm->pmksa) {
1933 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
1934 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1935 sm->pmk_len = sm->pmksa->pmk_len;
1936 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
1937 unsigned int pmk_len;
1938
1939 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
1940 pmk_len = PMK_LEN_SUITE_B_192;
1941 else
1942 pmk_len = PMK_LEN;
1943 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
1944 "(MSK len=%lu PMK len=%u)", (unsigned long) len,
1945 pmk_len);
1946 if (len < pmk_len) {
1947 wpa_printf(MSG_DEBUG,
1948 "WPA: MSK not long enough (%u) to create PMK (%u)",
1949 (unsigned int) len, (unsigned int) pmk_len);
1950 sm->Disconnect = TRUE;
1951 return;
1952 }
1953 os_memcpy(sm->PMK, msk, pmk_len);
1954 sm->pmk_len = pmk_len;
1955 #ifdef CONFIG_IEEE80211R_AP
1956 if (len >= 2 * PMK_LEN) {
1957 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1958 sm->xxkey_len = PMK_LEN;
1959 }
1960 #endif /* CONFIG_IEEE80211R_AP */
1961 } else {
1962 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
1963 sm->wpa_auth->cb->get_msk);
1964 sm->Disconnect = TRUE;
1965 return;
1966 }
1967 os_memset(msk, 0, sizeof(msk));
1968
1969 sm->req_replay_counter_used = 0;
1970 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
1971 * will break reauthentication since EAPOL state machines may not be
1972 * get into AUTHENTICATING state that clears keyRun before WPA state
1973 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
1974 * state and takes PMK from the previously used AAA Key. This will
1975 * eventually fail in 4-Way Handshake because Supplicant uses PMK
1976 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
1977 * be good workaround for this issue. */
1978 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
1979 }
1980
1981
1982 SM_STATE(WPA_PTK, INITPSK)
1983 {
1984 const u8 *psk;
1985 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
1986 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL);
1987 if (psk) {
1988 os_memcpy(sm->PMK, psk, PMK_LEN);
1989 sm->pmk_len = PMK_LEN;
1990 #ifdef CONFIG_IEEE80211R_AP
1991 os_memcpy(sm->xxkey, psk, PMK_LEN);
1992 sm->xxkey_len = PMK_LEN;
1993 #endif /* CONFIG_IEEE80211R_AP */
1994 }
1995 sm->req_replay_counter_used = 0;
1996 }
1997
1998
1999 SM_STATE(WPA_PTK, PTKSTART)
2000 {
2001 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
2002 size_t pmkid_len = 0;
2003
2004 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2005 sm->PTKRequest = FALSE;
2006 sm->TimeoutEvt = FALSE;
2007 sm->alt_snonce_valid = FALSE;
2008
2009 sm->TimeoutCtr++;
2010 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
2011 /* No point in sending the EAPOL-Key - we will disconnect
2012 * immediately following this. */
2013 return;
2014 }
2015
2016 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2017 "sending 1/4 msg of 4-Way Handshake");
2018 /*
2019 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
2020 * one possible PSK for this STA.
2021 */
2022 if (sm->wpa == WPA_VERSION_WPA2 &&
2023 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
2024 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
2025 pmkid = buf;
2026 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2027 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2028 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2029 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
2030 if (sm->pmksa) {
2031 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2032 sm->pmksa->pmkid, PMKID_LEN);
2033 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2034 /* No KCK available to derive PMKID */
2035 pmkid = NULL;
2036 } else {
2037 /*
2038 * Calculate PMKID since no PMKSA cache entry was
2039 * available with pre-calculated PMKID.
2040 */
2041 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
2042 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
2043 wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
2044 }
2045 }
2046 wpa_send_eapol(sm->wpa_auth, sm,
2047 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2048 sm->ANonce, pmkid, pmkid_len, 0, 0);
2049 }
2050
2051
2052 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
2053 const u8 *pmk, unsigned int pmk_len,
2054 struct wpa_ptk *ptk)
2055 {
2056 #ifdef CONFIG_IEEE80211R_AP
2057 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
2058 return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
2059 #endif /* CONFIG_IEEE80211R_AP */
2060
2061 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
2062 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
2063 ptk, sm->wpa_key_mgmt, sm->pairwise);
2064 }
2065
2066
2067 #ifdef CONFIG_FILS
2068
2069 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
2070 size_t pmk_len, const u8 *snonce, const u8 *anonce)
2071 {
2072 u8 ick[FILS_ICK_MAX_LEN];
2073 size_t ick_len;
2074 int res;
2075
2076 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
2077 snonce, anonce, &sm->PTK, ick, &ick_len,
2078 sm->wpa_key_mgmt, sm->pairwise);
2079 if (res < 0)
2080 return res;
2081 sm->PTK_valid = TRUE;
2082
2083 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2084 sm->addr, sm->wpa_auth->addr,
2085 NULL, 0, NULL, 0, /* TODO: SK+PFS */
2086 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2087 sm->fils_key_auth_ap,
2088 &sm->fils_key_auth_len);
2089 os_memset(ick, 0, sizeof(ick));
2090
2091 /* Store nonces for (Re)Association Request/Response frame processing */
2092 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2093 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2094
2095 return res;
2096 }
2097
2098
2099 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
2100 u8 *buf, size_t buf_len, u16 *_key_data_len)
2101 {
2102 struct ieee802_1x_hdr *hdr;
2103 struct wpa_eapol_key *key;
2104 u8 *pos;
2105 u16 key_data_len;
2106 u8 *tmp;
2107 const u8 *aad[1];
2108 size_t aad_len[1];
2109
2110 hdr = (struct ieee802_1x_hdr *) buf;
2111 key = (struct wpa_eapol_key *) (hdr + 1);
2112 pos = (u8 *) (key + 1);
2113 key_data_len = WPA_GET_BE16(pos);
2114 if (key_data_len < AES_BLOCK_SIZE ||
2115 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2116 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2117 "No room for AES-SIV data in the frame");
2118 return -1;
2119 }
2120 pos += 2; /* Pointing at the Encrypted Key Data field */
2121
2122 tmp = os_malloc(key_data_len);
2123 if (!tmp)
2124 return -1;
2125
2126 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2127 * to Key Data (exclusive). */
2128 aad[0] = buf;
2129 aad_len[0] = pos - buf;
2130 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2131 1, aad, aad_len, tmp) < 0) {
2132 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2133 "Invalid AES-SIV data in the frame");
2134 bin_clear_free(tmp, key_data_len);
2135 return -1;
2136 }
2137
2138 /* AEAD decryption and validation completed successfully */
2139 key_data_len -= AES_BLOCK_SIZE;
2140 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2141 tmp, key_data_len);
2142
2143 /* Replace Key Data field with the decrypted version */
2144 os_memcpy(pos, tmp, key_data_len);
2145 pos -= 2; /* Key Data Length field */
2146 WPA_PUT_BE16(pos, key_data_len);
2147 bin_clear_free(tmp, key_data_len);
2148 if (_key_data_len)
2149 *_key_data_len = key_data_len;
2150 return 0;
2151 }
2152
2153
2154 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2155 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2156 u8 *pos, size_t left)
2157 {
2158 u16 fc, stype;
2159 const u8 *end, *ie_start, *ie, *session, *crypt;
2160 struct ieee802_11_elems elems;
2161 const u8 *aad[5];
2162 size_t aad_len[5];
2163
2164 if (!sm || !sm->PTK_valid) {
2165 wpa_printf(MSG_DEBUG,
2166 "FILS: No KEK to decrypt Assocication Request frame");
2167 return -1;
2168 }
2169
2170 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2171 wpa_printf(MSG_DEBUG,
2172 "FILS: Not a FILS AKM - reject association");
2173 return -1;
2174 }
2175
2176 end = ((const u8 *) mgmt) + frame_len;
2177 fc = le_to_host16(mgmt->frame_control);
2178 stype = WLAN_FC_GET_STYPE(fc);
2179 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2180 ie_start = mgmt->u.reassoc_req.variable;
2181 else
2182 ie_start = mgmt->u.assoc_req.variable;
2183 ie = ie_start;
2184
2185 /*
2186 * Find FILS Session element which is the last unencrypted element in
2187 * the frame.
2188 */
2189 session = NULL;
2190 while (ie + 1 < end) {
2191 if (ie + 2 + ie[1] > end)
2192 break;
2193 if (ie[0] == WLAN_EID_EXTENSION &&
2194 ie[1] >= 1 + FILS_SESSION_LEN &&
2195 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2196 session = ie;
2197 break;
2198 }
2199 ie += 2 + ie[1];
2200 }
2201
2202 if (!session) {
2203 wpa_printf(MSG_DEBUG,
2204 "FILS: Could not find FILS Session element in Association Request frame - reject");
2205 return -1;
2206 }
2207 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2208 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2209 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2210 fils_session, FILS_SESSION_LEN);
2211 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2212 session + 3, FILS_SESSION_LEN);
2213 return -1;
2214 }
2215 crypt = session + 2 + session[1];
2216
2217 if (end - crypt < AES_BLOCK_SIZE) {
2218 wpa_printf(MSG_DEBUG,
2219 "FILS: Too short frame to include AES-SIV data");
2220 return -1;
2221 }
2222
2223 /* AES-SIV AAD vectors */
2224
2225 /* The STA's MAC address */
2226 aad[0] = mgmt->sa;
2227 aad_len[0] = ETH_ALEN;
2228 /* The AP's BSSID */
2229 aad[1] = mgmt->da;
2230 aad_len[1] = ETH_ALEN;
2231 /* The STA's nonce */
2232 aad[2] = sm->SNonce;
2233 aad_len[2] = FILS_NONCE_LEN;
2234 /* The AP's nonce */
2235 aad[3] = sm->ANonce;
2236 aad_len[3] = FILS_NONCE_LEN;
2237 /*
2238 * The (Re)Association Request frame from the Capability Information
2239 * field to the FILS Session element (both inclusive).
2240 */
2241 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
2242 aad_len[4] = crypt - aad[4];
2243
2244 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
2245 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
2246 wpa_printf(MSG_DEBUG,
2247 "FILS: Invalid AES-SIV data in the frame");
2248 return -1;
2249 }
2250 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2251 pos, left - AES_BLOCK_SIZE);
2252
2253 if (ieee802_11_parse_elems(pos, left - AES_BLOCK_SIZE, &elems, 1) ==
2254 ParseFailed) {
2255 wpa_printf(MSG_DEBUG,
2256 "FILS: Failed to parse decrypted elements");
2257 return -1;
2258 }
2259 if (!elems.fils_key_confirm) {
2260 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2261 return -1;
2262 }
2263 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2264 wpa_printf(MSG_DEBUG,
2265 "FILS: Unexpected Key-Auth length %d (expected %d)",
2266 elems.fils_key_confirm_len,
2267 (int) sm->fils_key_auth_len);
2268 return -1;
2269 }
2270 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2271 sm->fils_key_auth_len) != 0) {
2272 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2273 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2274 elems.fils_key_confirm,
2275 elems.fils_key_confirm_len);
2276 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2277 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2278 return -1;
2279 }
2280
2281 return left - AES_BLOCK_SIZE;
2282 }
2283
2284
2285 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
2286 size_t current_len, size_t max_len,
2287 const struct wpabuf *hlp)
2288 {
2289 u8 *end = buf + max_len;
2290 u8 *pos = buf + current_len;
2291 struct ieee80211_mgmt *mgmt;
2292 struct wpabuf *plain;
2293 u8 *len, *tmp, *tmp2;
2294 u8 hdr[2];
2295 u8 *gtk, dummy_gtk[32];
2296 size_t gtk_len;
2297 struct wpa_group *gsm;
2298 const u8 *aad[5];
2299 size_t aad_len[5];
2300
2301 if (!sm || !sm->PTK_valid)
2302 return -1;
2303
2304 wpa_hexdump(MSG_DEBUG,
2305 "FILS: Association Response frame before FILS processing",
2306 buf, current_len);
2307
2308 mgmt = (struct ieee80211_mgmt *) buf;
2309
2310 /* AES-SIV AAD vectors */
2311
2312 /* The AP's BSSID */
2313 aad[0] = mgmt->sa;
2314 aad_len[0] = ETH_ALEN;
2315 /* The STA's MAC address */
2316 aad[1] = mgmt->da;
2317 aad_len[1] = ETH_ALEN;
2318 /* The AP's nonce */
2319 aad[2] = sm->ANonce;
2320 aad_len[2] = FILS_NONCE_LEN;
2321 /* The STA's nonce */
2322 aad[3] = sm->SNonce;
2323 aad_len[3] = FILS_NONCE_LEN;
2324 /*
2325 * The (Re)Association Response frame from the Capability Information
2326 * field (the same offset in both Association and Reassociation
2327 * Response frames) to the FILS Session element (both inclusive).
2328 */
2329 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2330 aad_len[4] = pos - aad[4];
2331
2332 /* The following elements will be encrypted with AES-SIV */
2333
2334 plain = wpabuf_alloc(1000);
2335 if (!plain)
2336 return -1;
2337
2338 /* TODO: FILS Public Key */
2339
2340 /* FILS Key Confirmation */
2341 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2342 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2343 /* Element ID Extension */
2344 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2345 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2346
2347 /* FILS HLP Container */
2348 if (hlp)
2349 wpabuf_put_buf(plain, hlp);
2350
2351 /* TODO: FILS IP Address Assignment */
2352
2353 /* Key Delivery */
2354 gsm = sm->group;
2355 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2356 len = wpabuf_put(plain, 1);
2357 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2358 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2359 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2360 /* GTK KDE */
2361 gtk = gsm->GTK[gsm->GN - 1];
2362 gtk_len = gsm->GTK_len;
2363 if (sm->wpa_auth->conf.disable_gtk) {
2364 /*
2365 * Provide unique random GTK to each STA to prevent use
2366 * of GTK in the BSS.
2367 */
2368 if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
2369 wpabuf_free(plain);
2370 return -1;
2371 }
2372 gtk = dummy_gtk;
2373 }
2374 hdr[0] = gsm->GN & 0x03;
2375 hdr[1] = 0;
2376 tmp = wpabuf_put(plain, 0);
2377 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2378 gtk, gtk_len);
2379 wpabuf_put(plain, tmp2 - tmp);
2380
2381 /* IGTK KDE */
2382 tmp = wpabuf_put(plain, 0);
2383 tmp2 = ieee80211w_kde_add(sm, tmp);
2384 wpabuf_put(plain, tmp2 - tmp);
2385
2386 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
2387
2388 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2389 wpa_printf(MSG_DEBUG,
2390 "FILS: Not enough room for FILS elements");
2391 wpabuf_free(plain);
2392 return -1;
2393 }
2394
2395 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2396 plain);
2397
2398 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2399 wpabuf_head(plain), wpabuf_len(plain),
2400 5, aad, aad_len, pos) < 0) {
2401 wpabuf_free(plain);
2402 return -1;
2403 }
2404
2405 wpa_hexdump(MSG_DEBUG,
2406 "FILS: Encrypted Association Response elements",
2407 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2408 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2409 wpabuf_free(plain);
2410
2411 sm->fils_completed = 1;
2412
2413 return current_len;
2414 }
2415
2416
2417 int fils_set_tk(struct wpa_state_machine *sm)
2418 {
2419 enum wpa_alg alg;
2420 int klen;
2421
2422 if (!sm || !sm->PTK_valid)
2423 return -1;
2424
2425 alg = wpa_cipher_to_alg(sm->pairwise);
2426 klen = wpa_cipher_key_len(sm->pairwise);
2427
2428 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
2429 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2430 sm->PTK.tk, klen)) {
2431 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
2432 return -1;
2433 }
2434
2435 return 0;
2436 }
2437
2438 #endif /* CONFIG_FILS */
2439
2440
2441 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2442 {
2443 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2444 struct wpa_ptk PTK;
2445 int ok = 0, psk_found = 0;
2446 const u8 *pmk = NULL;
2447 unsigned int pmk_len;
2448 int ft;
2449 const u8 *eapol_key_ie, *key_data, *mic;
2450 u16 key_data_length;
2451 size_t mic_len, eapol_key_ie_len;
2452 struct ieee802_1x_hdr *hdr;
2453 struct wpa_eapol_key *key;
2454 struct wpa_eapol_ie_parse kde;
2455
2456 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2457 sm->EAPOLKeyReceived = FALSE;
2458 sm->update_snonce = FALSE;
2459 os_memset(&PTK, 0, sizeof(PTK));
2460
2461 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
2462
2463 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2464 * WPA-PSK: iterate through possible PSKs and select the one matching
2465 * the packet */
2466 for (;;) {
2467 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2468 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
2469 sm->p2p_dev_addr, pmk);
2470 if (pmk == NULL)
2471 break;
2472 psk_found = 1;
2473 pmk_len = PMK_LEN;
2474 } else {
2475 pmk = sm->PMK;
2476 pmk_len = sm->pmk_len;
2477 }
2478
2479 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0)
2480 break;
2481
2482 if (mic_len &&
2483 wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK,
2484 sm->last_rx_eapol_key,
2485 sm->last_rx_eapol_key_len) == 0) {
2486 ok = 1;
2487 break;
2488 }
2489
2490 #ifdef CONFIG_FILS
2491 if (!mic_len &&
2492 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2493 sm->last_rx_eapol_key_len, NULL) == 0) {
2494 ok = 1;
2495 break;
2496 }
2497 #endif /* CONFIG_FILS */
2498
2499 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
2500 break;
2501 }
2502
2503 if (!ok) {
2504 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2505 "invalid MIC in msg 2/4 of 4-Way Handshake");
2506 if (psk_found)
2507 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
2508 return;
2509 }
2510
2511 /*
2512 * Note: last_rx_eapol_key length fields have already been validated in
2513 * wpa_receive().
2514 */
2515 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2516 key = (struct wpa_eapol_key *) (hdr + 1);
2517 mic = (u8 *) (key + 1);
2518 key_data = mic + mic_len + 2;
2519 key_data_length = WPA_GET_BE16(mic + mic_len);
2520 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2521 sizeof(*key) - mic_len - 2)
2522 return;
2523
2524 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2525 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2526 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2527 return;
2528 }
2529 if (kde.rsn_ie) {
2530 eapol_key_ie = kde.rsn_ie;
2531 eapol_key_ie_len = kde.rsn_ie_len;
2532 } else if (kde.osen) {
2533 eapol_key_ie = kde.osen;
2534 eapol_key_ie_len = kde.osen_len;
2535 } else {
2536 eapol_key_ie = kde.wpa_ie;
2537 eapol_key_ie_len = kde.wpa_ie_len;
2538 }
2539 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2540 if (sm->wpa_ie == NULL ||
2541 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2542 eapol_key_ie, eapol_key_ie_len)) {
2543 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2544 "WPA IE from (Re)AssocReq did not match with msg 2/4");
2545 if (sm->wpa_ie) {
2546 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2547 sm->wpa_ie, sm->wpa_ie_len);
2548 }
2549 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2550 eapol_key_ie, eapol_key_ie_len);
2551 /* MLME-DEAUTHENTICATE.request */
2552 wpa_sta_disconnect(wpa_auth, sm->addr);
2553 return;
2554 }
2555 #ifdef CONFIG_IEEE80211R_AP
2556 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
2557 wpa_sta_disconnect(wpa_auth, sm->addr);
2558 return;
2559 }
2560 #endif /* CONFIG_IEEE80211R_AP */
2561 #ifdef CONFIG_P2P
2562 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
2563 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
2564 int idx;
2565 wpa_printf(MSG_DEBUG,
2566 "P2P: IP address requested in EAPOL-Key exchange");
2567 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
2568 if (idx >= 0) {
2569 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
2570 bitfield_set(wpa_auth->ip_pool, idx);
2571 WPA_PUT_BE32(sm->ip_addr, start + idx);
2572 wpa_printf(MSG_DEBUG,
2573 "P2P: Assigned IP address %u.%u.%u.%u to "
2574 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
2575 sm->ip_addr[2], sm->ip_addr[3],
2576 MAC2STR(sm->addr));
2577 }
2578 }
2579 #endif /* CONFIG_P2P */
2580
2581 #ifdef CONFIG_IEEE80211R_AP
2582 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2583 /*
2584 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2585 * with the value we derived.
2586 */
2587 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2588 WPA_PMK_NAME_LEN) != 0) {
2589 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2590 "PMKR1Name mismatch in FT 4-way "
2591 "handshake");
2592 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2593 "Supplicant",
2594 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2595 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2596 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2597 return;
2598 }
2599 }
2600 #endif /* CONFIG_IEEE80211R_AP */
2601
2602 sm->pending_1_of_4_timeout = 0;
2603 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2604
2605 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2606 /* PSK may have changed from the previous choice, so update
2607 * state machine data based on whatever PSK was selected here.
2608 */
2609 os_memcpy(sm->PMK, pmk, PMK_LEN);
2610 sm->pmk_len = PMK_LEN;
2611 }
2612
2613 sm->MICVerified = TRUE;
2614
2615 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
2616 sm->PTK_valid = TRUE;
2617 }
2618
2619
2620 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
2621 {
2622 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
2623 sm->TimeoutCtr = 0;
2624 }
2625
2626
2627 #ifdef CONFIG_IEEE80211W
2628
2629 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2630 {
2631 if (sm->mgmt_frame_prot) {
2632 size_t len;
2633 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2634 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
2635 }
2636
2637 return 0;
2638 }
2639
2640
2641 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2642 {
2643 struct wpa_igtk_kde igtk;
2644 struct wpa_group *gsm = sm->group;
2645 u8 rsc[WPA_KEY_RSC_LEN];
2646 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2647
2648 if (!sm->mgmt_frame_prot)
2649 return pos;
2650
2651 igtk.keyid[0] = gsm->GN_igtk;
2652 igtk.keyid[1] = 0;
2653 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
2654 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
2655 os_memset(igtk.pn, 0, sizeof(igtk.pn));
2656 else
2657 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
2658 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
2659 if (sm->wpa_auth->conf.disable_gtk) {
2660 /*
2661 * Provide unique random IGTK to each STA to prevent use of
2662 * IGTK in the BSS.
2663 */
2664 if (random_get_bytes(igtk.igtk, len) < 0)
2665 return pos;
2666 }
2667 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
2668 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
2669 NULL, 0);
2670
2671 return pos;
2672 }
2673
2674 #else /* CONFIG_IEEE80211W */
2675
2676 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2677 {
2678 return 0;
2679 }
2680
2681
2682 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2683 {
2684 return pos;
2685 }
2686
2687 #endif /* CONFIG_IEEE80211W */
2688
2689
2690 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
2691 {
2692 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
2693 size_t gtk_len, kde_len;
2694 struct wpa_group *gsm = sm->group;
2695 u8 *wpa_ie;
2696 int wpa_ie_len, secure, keyidx, encr = 0;
2697
2698 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
2699 sm->TimeoutEvt = FALSE;
2700
2701 sm->TimeoutCtr++;
2702 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
2703 /* No point in sending the EAPOL-Key - we will disconnect
2704 * immediately following this. */
2705 return;
2706 }
2707
2708 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
2709 GTK[GN], IGTK, [FTIE], [TIE * 2])
2710 */
2711 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2712 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
2713 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
2714 wpa_ie = sm->wpa_auth->wpa_ie;
2715 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
2716 if (sm->wpa == WPA_VERSION_WPA &&
2717 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
2718 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
2719 /* WPA-only STA, remove RSN IE and possible MDIE */
2720 wpa_ie = wpa_ie + wpa_ie[1] + 2;
2721 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
2722 wpa_ie = wpa_ie + wpa_ie[1] + 2;
2723 wpa_ie_len = wpa_ie[1] + 2;
2724 }
2725 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2726 "sending 3/4 msg of 4-Way Handshake");
2727 if (sm->wpa == WPA_VERSION_WPA2) {
2728 /* WPA2 send GTK in the 4-way handshake */
2729 secure = 1;
2730 gtk = gsm->GTK[gsm->GN - 1];
2731 gtk_len = gsm->GTK_len;
2732 if (sm->wpa_auth->conf.disable_gtk) {
2733 /*
2734 * Provide unique random GTK to each STA to prevent use
2735 * of GTK in the BSS.
2736 */
2737 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
2738 return;
2739 gtk = dummy_gtk;
2740 }
2741 keyidx = gsm->GN;
2742 _rsc = rsc;
2743 encr = 1;
2744 } else {
2745 /* WPA does not include GTK in msg 3/4 */
2746 secure = 0;
2747 gtk = NULL;
2748 gtk_len = 0;
2749 keyidx = 0;
2750 _rsc = NULL;
2751 if (sm->rx_eapol_key_secure) {
2752 /*
2753 * It looks like Windows 7 supplicant tries to use
2754 * Secure bit in msg 2/4 after having reported Michael
2755 * MIC failure and it then rejects the 4-way handshake
2756 * if msg 3/4 does not set Secure bit. Work around this
2757 * by setting the Secure bit here even in the case of
2758 * WPA if the supplicant used it first.
2759 */
2760 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2761 "STA used Secure bit in WPA msg 2/4 - "
2762 "set Secure for 3/4 as workaround");
2763 secure = 1;
2764 }
2765 }
2766
2767 kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
2768 if (gtk)
2769 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
2770 #ifdef CONFIG_IEEE80211R_AP
2771 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2772 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
2773 kde_len += 300; /* FTIE + 2 * TIE */
2774 }
2775 #endif /* CONFIG_IEEE80211R_AP */
2776 #ifdef CONFIG_P2P
2777 if (WPA_GET_BE32(sm->ip_addr) > 0)
2778 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
2779 #endif /* CONFIG_P2P */
2780 kde = os_malloc(kde_len);
2781 if (kde == NULL)
2782 return;
2783
2784 pos = kde;
2785 os_memcpy(pos, wpa_ie, wpa_ie_len);
2786 pos += wpa_ie_len;
2787 #ifdef CONFIG_IEEE80211R_AP
2788 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2789 int res;
2790 size_t elen;
2791
2792 elen = pos - kde;
2793 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
2794 if (res < 0) {
2795 wpa_printf(MSG_ERROR, "FT: Failed to insert "
2796 "PMKR1Name into RSN IE in EAPOL-Key data");
2797 os_free(kde);
2798 return;
2799 }
2800 pos -= wpa_ie_len;
2801 pos += elen;
2802 }
2803 #endif /* CONFIG_IEEE80211R_AP */
2804 if (gtk) {
2805 u8 hdr[2];
2806 hdr[0] = keyidx & 0x03;
2807 hdr[1] = 0;
2808 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2809 gtk, gtk_len);
2810 }
2811 pos = ieee80211w_kde_add(sm, pos);
2812
2813 #ifdef CONFIG_IEEE80211R_AP
2814 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2815 int res;
2816 struct wpa_auth_config *conf;
2817
2818 conf = &sm->wpa_auth->conf;
2819 if (sm->assoc_resp_ftie &&
2820 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
2821 os_memcpy(pos, sm->assoc_resp_ftie,
2822 2 + sm->assoc_resp_ftie[1]);
2823 res = 2 + sm->assoc_resp_ftie[1];
2824 } else {
2825 res = wpa_write_ftie(conf, conf->r0_key_holder,
2826 conf->r0_key_holder_len,
2827 NULL, NULL, pos,
2828 kde + kde_len - pos,
2829 NULL, 0);
2830 }
2831 if (res < 0) {
2832 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2833 "into EAPOL-Key Key Data");
2834 os_free(kde);
2835 return;
2836 }
2837 pos += res;
2838
2839 /* TIE[ReassociationDeadline] (TU) */
2840 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2841 *pos++ = 5;
2842 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
2843 WPA_PUT_LE32(pos, conf->reassociation_deadline);
2844 pos += 4;
2845
2846 /* TIE[KeyLifetime] (seconds) */
2847 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2848 *pos++ = 5;
2849 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
2850 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
2851 pos += 4;
2852 }
2853 #endif /* CONFIG_IEEE80211R_AP */
2854 #ifdef CONFIG_P2P
2855 if (WPA_GET_BE32(sm->ip_addr) > 0) {
2856 u8 addr[3 * 4];
2857 os_memcpy(addr, sm->ip_addr, 4);
2858 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
2859 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
2860 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
2861 addr, sizeof(addr), NULL, 0);
2862 }
2863 #endif /* CONFIG_P2P */
2864
2865 wpa_send_eapol(sm->wpa_auth, sm,
2866 (secure ? WPA_KEY_INFO_SECURE : 0) |
2867 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) |
2868 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
2869 WPA_KEY_INFO_KEY_TYPE,
2870 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
2871 os_free(kde);
2872 }
2873
2874
2875 SM_STATE(WPA_PTK, PTKINITDONE)
2876 {
2877 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
2878 sm->EAPOLKeyReceived = FALSE;
2879 if (sm->Pair) {
2880 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
2881 int klen = wpa_cipher_key_len(sm->pairwise);
2882 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2883 sm->PTK.tk, klen)) {
2884 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
2885 return;
2886 }
2887 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
2888 sm->pairwise_set = TRUE;
2889
2890 if (sm->wpa_auth->conf.wpa_ptk_rekey) {
2891 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2892 eloop_register_timeout(sm->wpa_auth->conf.
2893 wpa_ptk_rekey, 0, wpa_rekey_ptk,
2894 sm->wpa_auth, sm);
2895 }
2896
2897 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
2898 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
2899 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2900 WPA_EAPOL_authorized, 1);
2901 }
2902 }
2903
2904 if (0 /* IBSS == TRUE */) {
2905 sm->keycount++;
2906 if (sm->keycount == 2) {
2907 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2908 WPA_EAPOL_portValid, 1);
2909 }
2910 } else {
2911 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
2912 1);
2913 }
2914 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
2915 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
2916 if (sm->wpa == WPA_VERSION_WPA)
2917 sm->PInitAKeys = TRUE;
2918 else
2919 sm->has_GTK = TRUE;
2920 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2921 "pairwise key handshake completed (%s)",
2922 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2923
2924 #ifdef CONFIG_IEEE80211R_AP
2925 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
2926 #endif /* CONFIG_IEEE80211R_AP */
2927 }
2928
2929
2930 SM_STEP(WPA_PTK)
2931 {
2932 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2933
2934 if (sm->Init)
2935 SM_ENTER(WPA_PTK, INITIALIZE);
2936 else if (sm->Disconnect
2937 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
2938 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
2939 "WPA_PTK: sm->Disconnect");
2940 SM_ENTER(WPA_PTK, DISCONNECT);
2941 }
2942 else if (sm->DeauthenticationRequest)
2943 SM_ENTER(WPA_PTK, DISCONNECTED);
2944 else if (sm->AuthenticationRequest)
2945 SM_ENTER(WPA_PTK, AUTHENTICATION);
2946 else if (sm->ReAuthenticationRequest)
2947 SM_ENTER(WPA_PTK, AUTHENTICATION2);
2948 else if (sm->PTKRequest)
2949 SM_ENTER(WPA_PTK, PTKSTART);
2950 else switch (sm->wpa_ptk_state) {
2951 case WPA_PTK_INITIALIZE:
2952 break;
2953 case WPA_PTK_DISCONNECT:
2954 SM_ENTER(WPA_PTK, DISCONNECTED);
2955 break;
2956 case WPA_PTK_DISCONNECTED:
2957 SM_ENTER(WPA_PTK, INITIALIZE);
2958 break;
2959 case WPA_PTK_AUTHENTICATION:
2960 SM_ENTER(WPA_PTK, AUTHENTICATION2);
2961 break;
2962 case WPA_PTK_AUTHENTICATION2:
2963 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
2964 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2965 WPA_EAPOL_keyRun) > 0)
2966 SM_ENTER(WPA_PTK, INITPMK);
2967 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
2968 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
2969 /* FIX: && 802.1X::keyRun */)
2970 SM_ENTER(WPA_PTK, INITPSK);
2971 break;
2972 case WPA_PTK_INITPMK:
2973 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2974 WPA_EAPOL_keyAvailable) > 0)
2975 SM_ENTER(WPA_PTK, PTKSTART);
2976 else {
2977 wpa_auth->dot11RSNA4WayHandshakeFailures++;
2978 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2979 "INITPMK - keyAvailable = false");
2980 SM_ENTER(WPA_PTK, DISCONNECT);
2981 }
2982 break;
2983 case WPA_PTK_INITPSK:
2984 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
2985 NULL))
2986 SM_ENTER(WPA_PTK, PTKSTART);
2987 else {
2988 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2989 "no PSK configured for the STA");
2990 wpa_auth->dot11RSNA4WayHandshakeFailures++;
2991 SM_ENTER(WPA_PTK, DISCONNECT);
2992 }
2993 break;
2994 case WPA_PTK_PTKSTART:
2995 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2996 sm->EAPOLKeyPairwise)
2997 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2998 else if (sm->TimeoutCtr >
2999 sm->wpa_auth->conf.wpa_pairwise_update_count) {
3000 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3001 wpa_auth_vlogger(
3002 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3003 "PTKSTART: Retry limit %u reached",
3004 sm->wpa_auth->conf.wpa_pairwise_update_count);
3005 SM_ENTER(WPA_PTK, DISCONNECT);
3006 } else if (sm->TimeoutEvt)
3007 SM_ENTER(WPA_PTK, PTKSTART);
3008 break;
3009 case WPA_PTK_PTKCALCNEGOTIATING:
3010 if (sm->MICVerified)
3011 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
3012 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3013 sm->EAPOLKeyPairwise)
3014 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3015 else if (sm->TimeoutEvt)
3016 SM_ENTER(WPA_PTK, PTKSTART);
3017 break;
3018 case WPA_PTK_PTKCALCNEGOTIATING2:
3019 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3020 break;
3021 case WPA_PTK_PTKINITNEGOTIATING:
3022 if (sm->update_snonce)
3023 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3024 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3025 sm->EAPOLKeyPairwise && sm->MICVerified)
3026 SM_ENTER(WPA_PTK, PTKINITDONE);
3027 else if (sm->TimeoutCtr >
3028 sm->wpa_auth->conf.wpa_pairwise_update_count) {
3029 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3030 wpa_auth_vlogger(
3031 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3032 "PTKINITNEGOTIATING: Retry limit %u reached",
3033 sm->wpa_auth->conf.wpa_pairwise_update_count);
3034 SM_ENTER(WPA_PTK, DISCONNECT);
3035 } else if (sm->TimeoutEvt)
3036 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3037 break;
3038 case WPA_PTK_PTKINITDONE:
3039 break;
3040 }
3041 }
3042
3043
3044 SM_STATE(WPA_PTK_GROUP, IDLE)
3045 {
3046 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
3047 if (sm->Init) {
3048 /* Init flag is not cleared here, so avoid busy
3049 * loop by claiming nothing changed. */
3050 sm->changed = FALSE;
3051 }
3052 sm->GTimeoutCtr = 0;
3053 }
3054
3055
3056 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3057 {
3058 u8 rsc[WPA_KEY_RSC_LEN];
3059 struct wpa_group *gsm = sm->group;
3060 const u8 *kde;
3061 u8 *kde_buf = NULL, *pos, hdr[2];
3062 size_t kde_len;
3063 u8 *gtk, dummy_gtk[32];
3064
3065 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
3066
3067 sm->GTimeoutCtr++;
3068 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
3069 /* No point in sending the EAPOL-Key - we will disconnect
3070 * immediately following this. */
3071 return;
3072 }
3073
3074 if (sm->wpa == WPA_VERSION_WPA)
3075 sm->PInitAKeys = FALSE;
3076 sm->TimeoutEvt = FALSE;
3077 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3078 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3079 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3080 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3081 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3082 "sending 1/2 msg of Group Key Handshake");
3083
3084 gtk = gsm->GTK[gsm->GN - 1];
3085 if (sm->wpa_auth->conf.disable_gtk) {
3086 /*
3087 * Provide unique random GTK to each STA to prevent use
3088 * of GTK in the BSS.
3089 */
3090 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
3091 return;
3092 gtk = dummy_gtk;
3093 }
3094 if (sm->wpa == WPA_VERSION_WPA2) {
3095 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
3096 ieee80211w_kde_len(sm);
3097 kde_buf = os_malloc(kde_len);
3098 if (kde_buf == NULL)
3099 return;
3100
3101 kde = pos = kde_buf;
3102 hdr[0] = gsm->GN & 0x03;
3103 hdr[1] = 0;
3104 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3105 gtk, gsm->GTK_len);
3106 pos = ieee80211w_kde_add(sm, pos);
3107 kde_len = pos - kde;
3108 } else {
3109 kde = gtk;
3110 kde_len = gsm->GTK_len;
3111 }
3112
3113 wpa_send_eapol(sm->wpa_auth, sm,
3114 WPA_KEY_INFO_SECURE |
3115 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) |
3116 WPA_KEY_INFO_ACK |
3117 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
3118 rsc, NULL, kde, kde_len, gsm->GN, 1);
3119
3120 os_free(kde_buf);
3121 }
3122
3123
3124 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3125 {
3126 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3127 sm->EAPOLKeyReceived = FALSE;
3128 if (sm->GUpdateStationKeys)
3129 sm->group->GKeyDoneStations--;
3130 sm->GUpdateStationKeys = FALSE;
3131 sm->GTimeoutCtr = 0;
3132 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
3133 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3134 "group key handshake completed (%s)",
3135 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3136 sm->has_GTK = TRUE;
3137 }
3138
3139
3140 SM_STATE(WPA_PTK_GROUP, KEYERROR)
3141 {
3142 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
3143 if (sm->GUpdateStationKeys)
3144 sm->group->GKeyDoneStations--;
3145 sm->GUpdateStationKeys = FALSE;
3146 sm->Disconnect = TRUE;
3147 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3148 "group key handshake failed (%s) after %u tries",
3149 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
3150 sm->wpa_auth->conf.wpa_group_update_count);
3151 }
3152
3153
3154 SM_STEP(WPA_PTK_GROUP)
3155 {
3156 if (sm->Init || sm->PtkGroupInit) {
3157 SM_ENTER(WPA_PTK_GROUP, IDLE);
3158 sm->PtkGroupInit = FALSE;
3159 } else switch (sm->wpa_ptk_group_state) {
3160 case WPA_PTK_GROUP_IDLE:
3161 if (sm->GUpdateStationKeys ||
3162 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
3163 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3164 break;
3165 case WPA_PTK_GROUP_REKEYNEGOTIATING:
3166 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3167 !sm->EAPOLKeyPairwise && sm->MICVerified)
3168 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
3169 else if (sm->GTimeoutCtr >
3170 sm->wpa_auth->conf.wpa_group_update_count)
3171 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
3172 else if (sm->TimeoutEvt)
3173 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3174 break;
3175 case WPA_PTK_GROUP_KEYERROR:
3176 SM_ENTER(WPA_PTK_GROUP, IDLE);
3177 break;
3178 case WPA_PTK_GROUP_REKEYESTABLISHED:
3179 SM_ENTER(WPA_PTK_GROUP, IDLE);
3180 break;
3181 }
3182 }
3183
3184
3185 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
3186 struct wpa_group *group)
3187 {
3188 int ret = 0;
3189
3190 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3191 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3192 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
3193 wpa_auth->addr, group->GNonce,
3194 group->GTK[group->GN - 1], group->GTK_len) < 0)
3195 ret = -1;
3196 wpa_hexdump_key(MSG_DEBUG, "GTK",
3197 group->GTK[group->GN - 1], group->GTK_len);
3198
3199 #ifdef CONFIG_IEEE80211W
3200 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3201 size_t len;
3202 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3203 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3204 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3205 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
3206 wpa_auth->addr, group->GNonce,
3207 group->IGTK[group->GN_igtk - 4], len) < 0)
3208 ret = -1;
3209 wpa_hexdump_key(MSG_DEBUG, "IGTK",
3210 group->IGTK[group->GN_igtk - 4], len);
3211 }
3212 #endif /* CONFIG_IEEE80211W */
3213
3214 return ret;
3215 }
3216
3217
3218 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
3219 struct wpa_group *group)
3220 {
3221 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3222 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
3223 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
3224 group->wpa_group_state = WPA_GROUP_GTK_INIT;
3225
3226 /* GTK[0..N] = 0 */
3227 os_memset(group->GTK, 0, sizeof(group->GTK));
3228 group->GN = 1;
3229 group->GM = 2;
3230 #ifdef CONFIG_IEEE80211W
3231 group->GN_igtk = 4;
3232 group->GM_igtk = 5;
3233 #endif /* CONFIG_IEEE80211W */
3234 /* GTK[GN] = CalcGTK() */
3235 wpa_gtk_update(wpa_auth, group);
3236 }
3237
3238
3239 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
3240 {
3241 if (ctx != NULL && ctx != sm->group)
3242 return 0;
3243
3244 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
3245 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3246 "Not in PTKINITDONE; skip Group Key update");
3247 sm->GUpdateStationKeys = FALSE;
3248 return 0;
3249 }
3250 if (sm->GUpdateStationKeys) {
3251 /*
3252 * This should not really happen, so add a debug log entry.
3253 * Since we clear the GKeyDoneStations before the loop, the
3254 * station needs to be counted here anyway.
3255 */
3256 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3257 "GUpdateStationKeys was already set when "
3258 "marking station for GTK rekeying");
3259 }
3260
3261 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
3262 if (sm->is_wnmsleep)
3263 return 0;
3264
3265 sm->group->GKeyDoneStations++;
3266 sm->GUpdateStationKeys = TRUE;
3267
3268 wpa_sm_step(sm);
3269 return 0;
3270 }
3271
3272
3273 #ifdef CONFIG_WNM
3274 /* update GTK when exiting WNM-Sleep Mode */
3275 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
3276 {
3277 if (sm == NULL || sm->is_wnmsleep)
3278 return;
3279
3280 wpa_group_update_sta(sm, NULL);
3281 }
3282
3283
3284 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
3285 {
3286 if (sm)
3287 sm->is_wnmsleep = !!flag;
3288 }
3289
3290
3291 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3292 {
3293 struct wpa_group *gsm = sm->group;
3294 u8 *start = pos;
3295
3296 /*
3297 * GTK subelement:
3298 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
3299 * Key[5..32]
3300 */
3301 *pos++ = WNM_SLEEP_SUBELEM_GTK;
3302 *pos++ = 11 + gsm->GTK_len;
3303 /* Key ID in B0-B1 of Key Info */
3304 WPA_PUT_LE16(pos, gsm->GN & 0x03);
3305 pos += 2;
3306 *pos++ = gsm->GTK_len;
3307 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
3308 return 0;
3309 pos += 8;
3310 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3311 pos += gsm->GTK_len;
3312
3313 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
3314 gsm->GN);
3315 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
3316 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3317
3318 return pos - start;
3319 }
3320
3321
3322 #ifdef CONFIG_IEEE80211W
3323 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3324 {
3325 struct wpa_group *gsm = sm->group;
3326 u8 *start = pos;
3327 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
3328
3329 /*
3330 * IGTK subelement:
3331 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
3332 */
3333 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
3334 *pos++ = 2 + 6 + len;
3335 WPA_PUT_LE16(pos, gsm->GN_igtk);
3336 pos += 2;
3337 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
3338 return 0;
3339 pos += 6;
3340
3341 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
3342 pos += len;
3343
3344 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
3345 gsm->GN_igtk);
3346 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
3347 gsm->IGTK[gsm->GN_igtk - 4], len);
3348
3349 return pos - start;
3350 }
3351 #endif /* CONFIG_IEEE80211W */
3352 #endif /* CONFIG_WNM */
3353
3354
3355 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
3356 struct wpa_group *group)
3357 {
3358 int tmp;
3359
3360 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3361 "SETKEYS (VLAN-ID %d)", group->vlan_id);
3362 group->changed = TRUE;
3363 group->wpa_group_state = WPA_GROUP_SETKEYS;
3364 group->GTKReKey = FALSE;
3365 tmp = group->GM;
3366 group->GM = group->GN;
3367 group->GN = tmp;
3368 #ifdef CONFIG_IEEE80211W
3369 tmp = group->GM_igtk;
3370 group->GM_igtk = group->GN_igtk;
3371 group->GN_igtk = tmp;
3372 #endif /* CONFIG_IEEE80211W */
3373 /* "GKeyDoneStations = GNoStations" is done in more robust way by
3374 * counting the STAs that are marked with GUpdateStationKeys instead of
3375 * including all STAs that could be in not-yet-completed state. */
3376 wpa_gtk_update(wpa_auth, group);
3377
3378 if (group->GKeyDoneStations) {
3379 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3380 "GKeyDoneStations=%d when starting new GTK rekey",
3381 group->GKeyDoneStations);
3382 group->GKeyDoneStations = 0;
3383 }
3384 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
3385 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3386 group->GKeyDoneStations);
3387 }
3388
3389
3390 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3391 struct wpa_group *group)
3392 {
3393 int ret = 0;
3394
3395 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
3396 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
3397 broadcast_ether_addr, group->GN,
3398 group->GTK[group->GN - 1], group->GTK_len) < 0)
3399 ret = -1;
3400
3401 #ifdef CONFIG_IEEE80211W
3402 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3403 enum wpa_alg alg;
3404 size_t len;
3405
3406 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3407 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3408
3409 if (ret == 0 &&
3410 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
3411 broadcast_ether_addr, group->GN_igtk,
3412 group->IGTK[group->GN_igtk - 4], len) < 0)
3413 ret = -1;
3414 }
3415 #endif /* CONFIG_IEEE80211W */
3416
3417 return ret;
3418 }
3419
3420
3421 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
3422 {
3423 if (sm->group == ctx) {
3424 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
3425 " for discconnection due to fatal failure",
3426 MAC2STR(sm->addr));
3427 sm->Disconnect = TRUE;
3428 }
3429
3430 return 0;
3431 }
3432
3433
3434 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
3435 struct wpa_group *group)
3436 {
3437 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
3438 group->changed = TRUE;
3439 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
3440 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
3441 }
3442
3443
3444 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
3445 struct wpa_group *group)
3446 {
3447 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3448 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
3449 group->changed = TRUE;
3450 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
3451
3452 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
3453 wpa_group_fatal_failure(wpa_auth, group);
3454 return -1;
3455 }
3456
3457 return 0;
3458 }
3459
3460
3461 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
3462 struct wpa_group *group)
3463 {
3464 if (group->GInit) {
3465 wpa_group_gtk_init(wpa_auth, group);
3466 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
3467 /* Do not allow group operations */
3468 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
3469 group->GTKAuthenticator) {
3470 wpa_group_setkeysdone(wpa_auth, group);
3471 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
3472 group->GTKReKey) {
3473 wpa_group_setkeys(wpa_auth, group);
3474 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
3475 if (group->GKeyDoneStations == 0)
3476 wpa_group_setkeysdone(wpa_auth, group);
3477 else if (group->GTKReKey)
3478 wpa_group_setkeys(wpa_auth, group);
3479 }
3480 }
3481
3482
3483 static int wpa_sm_step(struct wpa_state_machine *sm)
3484 {
3485 if (sm == NULL)
3486 return 0;
3487
3488 if (sm->in_step_loop) {
3489 /* This should not happen, but if it does, make sure we do not
3490 * end up freeing the state machine too early by exiting the
3491 * recursive call. */
3492 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
3493 return 0;
3494 }
3495
3496 sm->in_step_loop = 1;
3497 do {
3498 if (sm->pending_deinit)
3499 break;
3500
3501 sm->changed = FALSE;
3502 sm->wpa_auth->group->changed = FALSE;
3503
3504 SM_STEP_RUN(WPA_PTK);
3505 if (sm->pending_deinit)
3506 break;
3507 SM_STEP_RUN(WPA_PTK_GROUP);
3508 if (sm->pending_deinit)
3509 break;
3510 wpa_group_sm_step(sm->wpa_auth, sm->group);
3511 } while (sm->changed || sm->wpa_auth->group->changed);
3512 sm->in_step_loop = 0;
3513
3514 if (sm->pending_deinit) {
3515 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
3516 "machine deinit for " MACSTR, MAC2STR(sm->addr));
3517 wpa_free_sta_sm(sm);
3518 return 1;
3519 }
3520 return 0;
3521 }
3522
3523
3524 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
3525 {
3526 struct wpa_state_machine *sm = eloop_ctx;
3527 wpa_sm_step(sm);
3528 }
3529
3530
3531 void wpa_auth_sm_notify(struct wpa_state_machine *sm)
3532 {
3533 if (sm == NULL)
3534 return;
3535 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
3536 }
3537
3538
3539 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
3540 {
3541 int tmp, i;
3542 struct wpa_group *group;
3543
3544 if (wpa_auth == NULL)
3545 return;
3546
3547 group = wpa_auth->group;
3548
3549 for (i = 0; i < 2; i++) {
3550 tmp = group->GM;
3551 group->GM = group->GN;
3552 group->GN = tmp;
3553 #ifdef CONFIG_IEEE80211W
3554 tmp = group->GM_igtk;
3555 group->GM_igtk = group->GN_igtk;
3556 group->GN_igtk = tmp;
3557 #endif /* CONFIG_IEEE80211W */
3558 wpa_gtk_update(wpa_auth, group);
3559 wpa_group_config_group_keys(wpa_auth, group);
3560 }
3561 }
3562
3563
3564 static const char * wpa_bool_txt(int val)
3565 {
3566 return val ? "TRUE" : "FALSE";
3567 }
3568
3569
3570 #define RSN_SUITE "%02x-%02x-%02x-%d"
3571 #define RSN_SUITE_ARG(s) \
3572 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
3573
3574 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
3575 {
3576 int len = 0, ret;
3577 char pmkid_txt[PMKID_LEN * 2 + 1];
3578 #ifdef CONFIG_RSN_PREAUTH
3579 const int preauth = 1;
3580 #else /* CONFIG_RSN_PREAUTH */
3581 const int preauth = 0;
3582 #endif /* CONFIG_RSN_PREAUTH */
3583
3584 if (wpa_auth == NULL)
3585 return len;
3586
3587 ret = os_snprintf(buf + len, buflen - len,
3588 "dot11RSNAOptionImplemented=TRUE\n"
3589 "dot11RSNAPreauthenticationImplemented=%s\n"
3590 "dot11RSNAEnabled=%s\n"
3591 "dot11RSNAPreauthenticationEnabled=%s\n",
3592 wpa_bool_txt(preauth),
3593 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
3594 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
3595 if (os_snprintf_error(buflen - len, ret))
3596 return len;
3597 len += ret;
3598
3599 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3600 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
3601
3602 ret = os_snprintf(
3603 buf + len, buflen - len,
3604 "dot11RSNAConfigVersion=%u\n"
3605 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
3606 /* FIX: dot11RSNAConfigGroupCipher */
3607 /* FIX: dot11RSNAConfigGroupRekeyMethod */
3608 /* FIX: dot11RSNAConfigGroupRekeyTime */
3609 /* FIX: dot11RSNAConfigGroupRekeyPackets */
3610 "dot11RSNAConfigGroupRekeyStrict=%u\n"
3611 "dot11RSNAConfigGroupUpdateCount=%u\n"
3612 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
3613 "dot11RSNAConfigGroupCipherSize=%u\n"
3614 "dot11RSNAConfigPMKLifetime=%u\n"
3615 "dot11RSNAConfigPMKReauthThreshold=%u\n"
3616 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
3617 "dot11RSNAConfigSATimeout=%u\n"
3618 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3619 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3620 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3621 "dot11RSNAPMKIDUsed=%s\n"
3622 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3623 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3624 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3625 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
3626 "dot11RSNA4WayHandshakeFailures=%u\n"
3627 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
3628 RSN_VERSION,
3629 !!wpa_auth->conf.wpa_strict_rekey,
3630 wpa_auth->conf.wpa_group_update_count,
3631 wpa_auth->conf.wpa_pairwise_update_count,
3632 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
3633 dot11RSNAConfigPMKLifetime,
3634 dot11RSNAConfigPMKReauthThreshold,
3635 dot11RSNAConfigSATimeout,
3636 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
3637 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
3638 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
3639 pmkid_txt,
3640 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
3641 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
3642 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
3643 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
3644 wpa_auth->dot11RSNA4WayHandshakeFailures);
3645 if (os_snprintf_error(buflen - len, ret))
3646 return len;
3647 len += ret;
3648
3649 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
3650 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
3651
3652 /* Private MIB */
3653 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
3654 wpa_auth->group->wpa_group_state);
3655 if (os_snprintf_error(buflen - len, ret))
3656 return len;
3657 len += ret;
3658
3659 return len;
3660 }
3661
3662
3663 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
3664 {
3665 int len = 0, ret;
3666 u32 pairwise = 0;
3667
3668 if (sm == NULL)
3669 return 0;
3670
3671 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
3672
3673 /* dot11RSNAStatsEntry */
3674
3675 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
3676 WPA_PROTO_RSN : WPA_PROTO_WPA,
3677 sm->pairwise);
3678 if (pairwise == 0)
3679 return 0;
3680
3681 ret = os_snprintf(
3682 buf + len, buflen - len,
3683 /* TODO: dot11RSNAStatsIndex */
3684 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
3685 "dot11RSNAStatsVersion=1\n"
3686 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
3687 /* TODO: dot11RSNAStatsTKIPICVErrors */
3688 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
3689 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
3690 /* TODO: dot11RSNAStatsCCMPReplays */
3691 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
3692 /* TODO: dot11RSNAStatsTKIPReplays */,
3693 MAC2STR(sm->addr),
3694 RSN_SUITE_ARG(pairwise),
3695 sm->dot11RSNAStatsTKIPLocalMICFailures,
3696 sm->dot11RSNAStatsTKIPRemoteMICFailures);
3697 if (os_snprintf_error(buflen - len, ret))
3698 return len;
3699 len += ret;
3700
3701 /* Private MIB */
3702 ret = os_snprintf(buf + len, buflen - len,
3703 "hostapdWPAPTKState=%d\n"
3704 "hostapdWPAPTKGroupState=%d\n",
3705 sm->wpa_ptk_state,
3706 sm->wpa_ptk_group_state);
3707 if (os_snprintf_error(buflen - len, ret))
3708 return len;
3709 len += ret;
3710
3711 return len;
3712 }
3713
3714
3715 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
3716 {
3717 if (wpa_auth)
3718 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
3719 }
3720
3721
3722 int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
3723 {
3724 return sm && sm->pairwise_set;
3725 }
3726
3727
3728 int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
3729 {
3730 return sm->pairwise;
3731 }
3732
3733
3734 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
3735 {
3736 if (sm == NULL)
3737 return -1;
3738 return sm->wpa_key_mgmt;
3739 }
3740
3741
3742 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
3743 {
3744 if (sm == NULL)
3745 return 0;
3746 return sm->wpa;
3747 }
3748
3749
3750 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
3751 struct rsn_pmksa_cache_entry *entry)
3752 {
3753 if (sm == NULL || sm->pmksa != entry)
3754 return -1;
3755 sm->pmksa = NULL;
3756 return 0;
3757 }
3758
3759
3760 struct rsn_pmksa_cache_entry *
3761 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
3762 {
3763 return sm ? sm->pmksa : NULL;
3764 }
3765
3766
3767 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
3768 {
3769 if (sm)
3770 sm->dot11RSNAStatsTKIPLocalMICFailures++;
3771 }
3772
3773
3774 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
3775 {
3776 if (wpa_auth == NULL)
3777 return NULL;
3778 *len = wpa_auth->wpa_ie_len;
3779 return wpa_auth->wpa_ie;
3780 }
3781
3782
3783 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
3784 unsigned int pmk_len,
3785 int session_timeout, struct eapol_state_machine *eapol)
3786 {
3787 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
3788 sm->wpa_auth->conf.disable_pmksa_caching)
3789 return -1;
3790
3791 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
3792 if (pmk_len > PMK_LEN_SUITE_B_192)
3793 pmk_len = PMK_LEN_SUITE_B_192;
3794 } else if (pmk_len > PMK_LEN) {
3795 pmk_len = PMK_LEN;
3796 }
3797
3798 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
3799 sm->PTK.kck, sm->PTK.kck_len,
3800 sm->wpa_auth->addr, sm->addr, session_timeout,
3801 eapol, sm->wpa_key_mgmt))
3802 return 0;
3803
3804 return -1;
3805 }
3806
3807
3808 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
3809 const u8 *pmk, size_t len, const u8 *sta_addr,
3810 int session_timeout,
3811 struct eapol_state_machine *eapol)
3812 {
3813 if (wpa_auth == NULL)
3814 return -1;
3815
3816 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
3817 NULL, 0,
3818 wpa_auth->addr,
3819 sta_addr, session_timeout, eapol,
3820 WPA_KEY_MGMT_IEEE8021X))
3821 return 0;
3822
3823 return -1;
3824 }
3825
3826
3827 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
3828 const u8 *pmk, const u8 *pmkid)
3829 {
3830 if (wpa_auth->conf.disable_pmksa_caching)
3831 return -1;
3832
3833 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
3834 NULL, 0,
3835 wpa_auth->addr, addr, 0, NULL,
3836 WPA_KEY_MGMT_SAE))
3837 return 0;
3838
3839 return -1;
3840 }
3841
3842
3843 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
3844 const u8 *sta_addr)
3845 {
3846 struct rsn_pmksa_cache_entry *pmksa;
3847
3848 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
3849 return;
3850 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
3851 if (pmksa) {
3852 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
3853 MACSTR " based on request", MAC2STR(sta_addr));
3854 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
3855 }
3856 }
3857
3858
3859 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
3860 size_t len)
3861 {
3862 if (!wpa_auth || !wpa_auth->pmksa)
3863 return 0;
3864 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
3865 }
3866
3867
3868 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
3869 {
3870 if (wpa_auth && wpa_auth->pmksa)
3871 pmksa_cache_auth_flush(wpa_auth->pmksa);
3872 }
3873
3874
3875 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL
3876 #ifdef CONFIG_MESH
3877
3878 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
3879 char *buf, size_t len)
3880 {
3881 if (!wpa_auth || !wpa_auth->pmksa)
3882 return 0;
3883
3884 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
3885 }
3886
3887
3888 struct rsn_pmksa_cache_entry *
3889 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
3890 const u8 *pmkid, int expiration)
3891 {
3892 struct rsn_pmksa_cache_entry *entry;
3893 struct os_reltime now;
3894
3895 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa,
3896 spa, 0, NULL, WPA_KEY_MGMT_SAE);
3897 if (!entry)
3898 return NULL;
3899
3900 os_get_reltime(&now);
3901 entry->expiration = now.sec + expiration;
3902 return entry;
3903 }
3904
3905
3906 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
3907 struct rsn_pmksa_cache_entry *entry)
3908 {
3909 int ret;
3910
3911 if (!wpa_auth || !wpa_auth->pmksa)
3912 return -1;
3913
3914 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
3915 if (ret < 0)
3916 wpa_printf(MSG_DEBUG,
3917 "RSN: Failed to store external PMKSA cache for "
3918 MACSTR, MAC2STR(entry->spa));
3919
3920 return ret;
3921 }
3922
3923 #endif /* CONFIG_MESH */
3924 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
3925
3926
3927 struct rsn_pmksa_cache_entry *
3928 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
3929 const u8 *pmkid)
3930 {
3931 if (!wpa_auth || !wpa_auth->pmksa)
3932 return NULL;
3933 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
3934 }
3935
3936
3937 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
3938 struct wpa_state_machine *sm,
3939 struct wpa_authenticator *wpa_auth,
3940 u8 *pmkid, u8 *pmk)
3941 {
3942 if (!sm)
3943 return;
3944
3945 sm->pmksa = pmksa;
3946 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
3947 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
3948 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
3949 }
3950
3951
3952 /*
3953 * Remove and free the group from wpa_authenticator. This is triggered by a
3954 * callback to make sure nobody is currently iterating the group list while it
3955 * gets modified.
3956 */
3957 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
3958 struct wpa_group *group)
3959 {
3960 struct wpa_group *prev = wpa_auth->group;
3961
3962 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
3963 group->vlan_id);
3964
3965 while (prev) {
3966 if (prev->next == group) {
3967 /* This never frees the special first group as needed */
3968 prev->next = group->next;
3969 os_free(group);
3970 break;
3971 }
3972 prev = prev->next;
3973 }
3974
3975 }
3976
3977
3978 /* Increase the reference counter for group */
3979 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
3980 struct wpa_group *group)
3981 {
3982 /* Skip the special first group */
3983 if (wpa_auth->group == group)
3984 return;
3985
3986 group->references++;
3987 }
3988
3989
3990 /* Decrease the reference counter and maybe free the group */
3991 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
3992 struct wpa_group *group)
3993 {
3994 /* Skip the special first group */
3995 if (wpa_auth->group == group)
3996 return;
3997
3998 group->references--;
3999 if (group->references)
4000 return;
4001 wpa_group_free(wpa_auth, group);
4002 }
4003
4004
4005 /*
4006 * Add a group that has its references counter set to zero. Caller needs to
4007 * call wpa_group_get() on the return value to mark the entry in use.
4008 */
4009 static struct wpa_group *
4010 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4011 {
4012 struct wpa_group *group;
4013
4014 if (wpa_auth == NULL || wpa_auth->group == NULL)
4015 return NULL;
4016
4017 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
4018 vlan_id);
4019 group = wpa_group_init(wpa_auth, vlan_id, 0);
4020 if (group == NULL)
4021 return NULL;
4022
4023 group->next = wpa_auth->group->next;
4024 wpa_auth->group->next = group;
4025
4026 return group;
4027 }
4028
4029
4030 /*
4031 * Enforce that the group state machine for the VLAN is running, increase
4032 * reference counter as interface is up. References might have been increased
4033 * even if a negative value is returned.
4034 * Returns: -1 on error (group missing, group already failed); otherwise, 0
4035 */
4036 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4037 {
4038 struct wpa_group *group;
4039
4040 if (wpa_auth == NULL)
4041 return 0;
4042
4043 group = wpa_auth->group;
4044 while (group) {
4045 if (group->vlan_id == vlan_id)
4046 break;
4047 group = group->next;
4048 }
4049
4050 if (group == NULL) {
4051 group = wpa_auth_add_group(wpa_auth, vlan_id);
4052 if (group == NULL)
4053 return -1;
4054 }
4055
4056 wpa_printf(MSG_DEBUG,
4057 "WPA: Ensure group state machine running for VLAN ID %d",
4058 vlan_id);
4059
4060 wpa_group_get(wpa_auth, group);
4061 group->num_setup_iface++;
4062
4063 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4064 return -1;
4065
4066 return 0;
4067 }
4068
4069
4070 /*
4071 * Decrease reference counter, expected to be zero afterwards.
4072 * returns: -1 on error (group not found, group in fail state)
4073 * -2 if wpa_group is still referenced
4074 * 0 else
4075 */
4076 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4077 {
4078 struct wpa_group *group;
4079 int ret = 0;
4080
4081 if (wpa_auth == NULL)
4082 return 0;
4083
4084 group = wpa_auth->group;
4085 while (group) {
4086 if (group->vlan_id == vlan_id)
4087 break;
4088 group = group->next;
4089 }
4090
4091 if (group == NULL)
4092 return -1;
4093
4094 wpa_printf(MSG_DEBUG,
4095 "WPA: Try stopping group state machine for VLAN ID %d",
4096 vlan_id);
4097
4098 if (group->num_setup_iface <= 0) {
4099 wpa_printf(MSG_ERROR,
4100 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
4101 vlan_id);
4102 return -1;
4103 }
4104 group->num_setup_iface--;
4105
4106 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4107 ret = -1;
4108
4109 if (group->references > 1) {
4110 wpa_printf(MSG_DEBUG,
4111 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
4112 vlan_id);
4113 ret = -2;
4114 }
4115
4116 wpa_group_put(wpa_auth, group);
4117
4118 return ret;
4119 }
4120
4121
4122 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
4123 {
4124 struct wpa_group *group;
4125
4126 if (sm == NULL || sm->wpa_auth == NULL)
4127 return 0;
4128
4129 group = sm->wpa_auth->group;
4130 while (group) {
4131 if (group->vlan_id == vlan_id)
4132 break;
4133 group = group->next;
4134 }
4135
4136 if (group == NULL) {
4137 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
4138 if (group == NULL)
4139 return -1;
4140 }
4141
4142 if (sm->group == group)
4143 return 0;
4144
4145 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4146 return -1;
4147
4148 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
4149 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
4150
4151 wpa_group_get(sm->wpa_auth, group);
4152 wpa_group_put(sm->wpa_auth, sm->group);
4153 sm->group = group;
4154
4155 return 0;
4156 }
4157
4158
4159 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
4160 struct wpa_state_machine *sm, int ack)
4161 {
4162 if (wpa_auth == NULL || sm == NULL)
4163 return;
4164 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
4165 " ack=%d", MAC2STR(sm->addr), ack);
4166 if (sm->pending_1_of_4_timeout && ack) {
4167 /*
4168 * Some deployed supplicant implementations update their SNonce
4169 * for each EAPOL-Key 2/4 message even within the same 4-way
4170 * handshake and then fail to use the first SNonce when
4171 * deriving the PTK. This results in unsuccessful 4-way
4172 * handshake whenever the relatively short initial timeout is
4173 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
4174 * around this by increasing the timeout now that we know that
4175 * the station has received the frame.
4176 */
4177 int timeout_ms = eapol_key_timeout_subseq;
4178 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
4179 "timeout by %u ms because of acknowledged frame",
4180 timeout_ms);
4181 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
4182 eloop_register_timeout(timeout_ms / 1000,
4183 (timeout_ms % 1000) * 1000,
4184 wpa_send_eapol_timeout, wpa_auth, sm);
4185 }
4186 }
4187
4188
4189 int wpa_auth_uses_sae(struct wpa_state_machine *sm)
4190 {
4191 if (sm == NULL)
4192 return 0;
4193 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
4194 }
4195
4196
4197 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
4198 {
4199 if (sm == NULL)
4200 return 0;
4201 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
4202 }
4203
4204
4205 #ifdef CONFIG_P2P
4206 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
4207 {
4208 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
4209 return -1;
4210 os_memcpy(addr, sm->ip_addr, 4);
4211 return 0;
4212 }
4213 #endif /* CONFIG_P2P */
4214
4215
4216 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
4217 struct radius_das_attrs *attr)
4218 {
4219 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
4220 }
4221
4222
4223 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
4224 {
4225 struct wpa_group *group;
4226
4227 if (!wpa_auth)
4228 return;
4229 for (group = wpa_auth->group; group; group = group->next)
4230 wpa_group_config_group_keys(wpa_auth, group);
4231 }
4232
4233
4234 #ifdef CONFIG_FILS
4235
4236 struct wpa_auth_fils_iter_data {
4237 struct wpa_authenticator *auth;
4238 const u8 *cache_id;
4239 struct rsn_pmksa_cache_entry *pmksa;
4240 const u8 *spa;
4241 const u8 *pmkid;
4242 };
4243
4244
4245 static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
4246 {
4247 struct wpa_auth_fils_iter_data *data = ctx;
4248
4249 if (a == data->auth || !a->conf.fils_cache_id_set ||
4250 os_memcmp(a->conf.fils_cache_id, data->cache_id,
4251 FILS_CACHE_ID_LEN) != 0)
4252 return 0;
4253 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
4254 return data->pmksa != NULL;
4255 }
4256
4257
4258 struct rsn_pmksa_cache_entry *
4259 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
4260 const u8 *sta_addr, const u8 *pmkid)
4261 {
4262 struct wpa_auth_fils_iter_data idata;
4263
4264 if (!wpa_auth->conf.fils_cache_id_set)
4265 return NULL;
4266 idata.auth = wpa_auth;
4267 idata.cache_id = wpa_auth->conf.fils_cache_id;
4268 idata.pmksa = NULL;
4269 idata.spa = sta_addr;
4270 idata.pmkid = pmkid;
4271 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
4272 return idata.pmksa;
4273 }
4274
4275 #endif /* CONFIG_FILS */
Unnamed repository; edit this file 'description' to name the repository.