1 /*
2  * WPA Supplicant - WPA state machine and EAPOL-Key processing
3  * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
4  * Copyright(c) 2015 Intel Deutschland GmbH
5  *
6  * This software may be distributed under the terms of the BSD license.
7  * See README for more details.
8  */
9 
10 #include "includes.h"
11 
12 #include "common.h"
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "crypto/sha256.h"
19 #include "crypto/sha384.h"
20 #include "crypto/sha512.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/ieee802_11_common.h"
23 #include "common/ocv.h"
24 #include "eap_common/eap_defs.h"
25 #include "eapol_supp/eapol_supp_sm.h"
26 #include "drivers/driver.h"
27 #include "wpa.h"
28 #include "eloop.h"
29 #include "preauth.h"
30 #include "pmksa_cache.h"
31 #include "wpa_i.h"
32 #include "wpa_ie.h"
33 
34 
35 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
36 
37 
38 /**
39  * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
40  * @sm: Pointer to WPA state machine data from wpa_sm_init()
41  * @ptk: PTK for Key Confirmation/Encryption Key
42  * @ver: Version field from Key Info
43  * @dest: Destination address for the frame
44  * @proto: Ethertype (usually ETH_P_EAPOL)
45  * @msg: EAPOL-Key message
46  * @msg_len: Length of message
47  * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
48  * Returns: >= 0 on success, < 0 on failure
49  */
50 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
51 		       int ver, const u8 *dest, u16 proto,
52 		       u8 *msg, size_t msg_len, u8 *key_mic)
53 {
54 	int ret = -1;
55 	size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
56 
57 	wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
58 		   " ver=%d mic_len=%d key_mgmt=0x%x",
59 		   MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
60 	if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
61 		/*
62 		 * Association event was not yet received; try to fetch
63 		 * BSSID from the driver.
64 		 */
65 		if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
66 			wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
67 				"WPA: Failed to read BSSID for "
68 				"EAPOL-Key destination address");
69 		} else {
70 			dest = sm->bssid;
71 			wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
72 				"WPA: Use BSSID (" MACSTR
73 				") as the destination for EAPOL-Key",
74 				MAC2STR(dest));
75 		}
76 	}
77 
78 	if (mic_len) {
79 		if (key_mic && (!ptk || !ptk->kck_len))
80 			goto out;
81 
82 		if (key_mic &&
83 		    wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
84 				      msg, msg_len, key_mic)) {
85 			wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
86 				"WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
87 				ver, sm->key_mgmt);
88 			goto out;
89 		}
90 		if (ptk)
91 			wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
92 					ptk->kck, ptk->kck_len);
93 		wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
94 			    key_mic, mic_len);
95 	} else {
96 #ifdef CONFIG_FILS
97 		/* AEAD cipher - Key MIC field not used */
98 		struct ieee802_1x_hdr *s_hdr, *hdr;
99 		struct wpa_eapol_key *s_key, *key;
100 		u8 *buf, *s_key_data, *key_data;
101 		size_t buf_len = msg_len + AES_BLOCK_SIZE;
102 		size_t key_data_len;
103 		u16 eapol_len;
104 		const u8 *aad[1];
105 		size_t aad_len[1];
106 
107 		if (!ptk || !ptk->kek_len)
108 			goto out;
109 
110 		key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
111 			sizeof(struct wpa_eapol_key) - 2;
112 
113 		buf = os_malloc(buf_len);
114 		if (!buf)
115 			goto out;
116 
117 		os_memcpy(buf, msg, msg_len);
118 		hdr = (struct ieee802_1x_hdr *) buf;
119 		key = (struct wpa_eapol_key *) (hdr + 1);
120 		key_data = ((u8 *) (key + 1)) + 2;
121 
122 		/* Update EAPOL header to include AES-SIV overhead */
123 		eapol_len = be_to_host16(hdr->length);
124 		eapol_len += AES_BLOCK_SIZE;
125 		hdr->length = host_to_be16(eapol_len);
126 
127 		/* Update Key Data Length field to include AES-SIV overhead */
128 		WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
129 
130 		s_hdr = (struct ieee802_1x_hdr *) msg;
131 		s_key = (struct wpa_eapol_key *) (s_hdr + 1);
132 		s_key_data = ((u8 *) (s_key + 1)) + 2;
133 
134 		wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
135 				s_key_data, key_data_len);
136 
137 		wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
138 		 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
139 		  * to Key Data (exclusive). */
140 		aad[0] = buf;
141 		aad_len[0] = key_data - buf;
142 		if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
143 				    s_key_data, key_data_len,
144 				    1, aad, aad_len, key_data) < 0) {
145 			os_free(buf);
146 			goto out;
147 		}
148 
149 		wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
150 			    key_data, AES_BLOCK_SIZE + key_data_len);
151 
152 		os_free(msg);
153 		msg = buf;
154 		msg_len = buf_len;
155 #else /* CONFIG_FILS */
156 		goto out;
157 #endif /* CONFIG_FILS */
158 	}
159 
160 	wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
161 	ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
162 	eapol_sm_notify_tx_eapol_key(sm->eapol);
163 out:
164 	os_free(msg);
165 	return ret;
166 }
167 
168 
169 /**
170  * wpa_sm_key_request - Send EAPOL-Key Request
171  * @sm: Pointer to WPA state machine data from wpa_sm_init()
172  * @error: Indicate whether this is an Michael MIC error report
173  * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
174  *
175  * Send an EAPOL-Key Request to the current authenticator. This function is
176  * used to request rekeying and it is usually called when a local Michael MIC
177  * failure is detected.
178  */
179 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
180 {
181 	size_t mic_len, hdrlen, rlen;
182 	struct wpa_eapol_key *reply;
183 	int key_info, ver;
184 	u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic;
185 
186 	if (wpa_use_akm_defined(sm->key_mgmt))
187 		ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
188 	else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
189 		 wpa_key_mgmt_sha256(sm->key_mgmt))
190 		ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
191 	else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
192 		ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
193 	else
194 		ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
195 
196 	if (wpa_sm_get_bssid(sm, bssid) < 0) {
197 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
198 			"Failed to read BSSID for EAPOL-Key request");
199 		return;
200 	}
201 
202 	mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
203 	hdrlen = sizeof(*reply) + mic_len + 2;
204 	rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
205 				  hdrlen, &rlen, (void *) &reply);
206 	if (rbuf == NULL)
207 		return;
208 
209 	reply->type = (sm->proto == WPA_PROTO_RSN ||
210 		       sm->proto == WPA_PROTO_OSEN) ?
211 		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
212 	key_info = WPA_KEY_INFO_REQUEST | ver;
213 	if (sm->ptk_set)
214 		key_info |= WPA_KEY_INFO_SECURE;
215 	if (sm->ptk_set && mic_len)
216 		key_info |= WPA_KEY_INFO_MIC;
217 	if (error)
218 		key_info |= WPA_KEY_INFO_ERROR;
219 	if (pairwise)
220 		key_info |= WPA_KEY_INFO_KEY_TYPE;
221 	WPA_PUT_BE16(reply->key_info, key_info);
222 	WPA_PUT_BE16(reply->key_length, 0);
223 	os_memcpy(reply->replay_counter, sm->request_counter,
224 		  WPA_REPLAY_COUNTER_LEN);
225 	inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
226 
227 	mic = (u8 *) (reply + 1);
228 	WPA_PUT_BE16(mic + mic_len, 0);
229 	if (!(key_info & WPA_KEY_INFO_MIC))
230 		key_mic = NULL;
231 	else
232 		key_mic = mic;
233 
234 	wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
235 		"WPA: Sending EAPOL-Key Request (error=%d "
236 		"pairwise=%d ptk_set=%d len=%lu)",
237 		error, pairwise, sm->ptk_set, (unsigned long) rlen);
238 	wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen,
239 			   key_mic);
240 }
241 
242 
243 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
244 {
245 #ifdef CONFIG_IEEE80211R
246 	if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
247 		if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
248 			wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
249 				"RSN: Cannot set low order 256 bits of MSK for key management offload");
250 	} else {
251 #endif /* CONFIG_IEEE80211R */
252 		if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
253 			wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
254 				"RSN: Cannot set PMK for key management offload");
255 #ifdef CONFIG_IEEE80211R
256 	}
257 #endif /* CONFIG_IEEE80211R */
258 }
259 
260 
261 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
262 				  const unsigned char *src_addr,
263 				  const u8 *pmkid)
264 {
265 	int abort_cached = 0;
266 
267 	if (pmkid && !sm->cur_pmksa) {
268 		/* When using drivers that generate RSN IE, wpa_supplicant may
269 		 * not have enough time to get the association information
270 		 * event before receiving this 1/4 message, so try to find a
271 		 * matching PMKSA cache entry here. */
272 		sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid,
273 						NULL, 0);
274 		if (sm->cur_pmksa) {
275 			wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
276 				"RSN: found matching PMKID from PMKSA cache");
277 		} else {
278 			wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
279 				"RSN: no matching PMKID found");
280 			abort_cached = 1;
281 		}
282 	}
283 
284 	if (pmkid && sm->cur_pmksa &&
285 	    os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
286 		wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
287 		wpa_sm_set_pmk_from_pmksa(sm);
288 		wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
289 				sm->pmk, sm->pmk_len);
290 		eapol_sm_notify_cached(sm->eapol);
291 #ifdef CONFIG_IEEE80211R
292 		sm->xxkey_len = 0;
293 #ifdef CONFIG_SAE
294 		if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE &&
295 		    sm->pmk_len == PMK_LEN) {
296 			/* Need to allow FT key derivation to proceed with
297 			 * PMK from SAE being used as the XXKey in cases where
298 			 * the PMKID in msg 1/4 matches the PMKSA entry that was
299 			 * just added based on SAE authentication for the
300 			 * initial mobility domain association. */
301 			os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
302 			sm->xxkey_len = sm->pmk_len;
303 		}
304 #endif /* CONFIG_SAE */
305 #endif /* CONFIG_IEEE80211R */
306 	} else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
307 		int res, pmk_len;
308 #ifdef CONFIG_IEEE80211R
309 		u8 buf[2 * PMK_LEN];
310 #endif /* CONFIG_IEEE80211R */
311 
312 		if (wpa_key_mgmt_sha384(sm->key_mgmt))
313 			pmk_len = PMK_LEN_SUITE_B_192;
314 		else
315 			pmk_len = PMK_LEN;
316 		res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
317 		if (res) {
318 			if (pmk_len == PMK_LEN) {
319 				/*
320 				 * EAP-LEAP is an exception from other EAP
321 				 * methods: it uses only 16-byte PMK.
322 				 */
323 				res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
324 				pmk_len = 16;
325 			}
326 		}
327 #ifdef CONFIG_IEEE80211R
328 		if (res == 0 &&
329 		    eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) {
330 			if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
331 				os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN);
332 				sm->xxkey_len = SHA384_MAC_LEN;
333 			} else {
334 				os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
335 				sm->xxkey_len = PMK_LEN;
336 			}
337 			forced_memzero(buf, sizeof(buf));
338 			if (sm->proto == WPA_PROTO_RSN &&
339 			    wpa_key_mgmt_ft(sm->key_mgmt)) {
340 				struct rsn_pmksa_cache_entry *sa = NULL;
341 				const u8 *fils_cache_id = NULL;
342 
343 #ifdef CONFIG_FILS
344 				if (sm->fils_cache_id_set)
345 					fils_cache_id = sm->fils_cache_id;
346 #endif /* CONFIG_FILS */
347 				wpa_hexdump_key(MSG_DEBUG,
348 						"FT: Cache XXKey/MPMK",
349 						sm->xxkey, sm->xxkey_len);
350 				sa = pmksa_cache_add(sm->pmksa,
351 						     sm->xxkey, sm->xxkey_len,
352 						     NULL, NULL, 0,
353 						     src_addr, sm->own_addr,
354 						     sm->network_ctx,
355 						     sm->key_mgmt,
356 						     fils_cache_id);
357 				if (!sm->cur_pmksa)
358 					sm->cur_pmksa = sa;
359 			}
360 		}
361 #endif /* CONFIG_IEEE80211R */
362 		if (res == 0) {
363 			struct rsn_pmksa_cache_entry *sa = NULL;
364 			const u8 *fils_cache_id = NULL;
365 
366 #ifdef CONFIG_FILS
367 			if (sm->fils_cache_id_set)
368 				fils_cache_id = sm->fils_cache_id;
369 #endif /* CONFIG_FILS */
370 
371 			wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
372 					"machines", sm->pmk, pmk_len);
373 			sm->pmk_len = pmk_len;
374 			wpa_supplicant_key_mgmt_set_pmk(sm);
375 			if (sm->proto == WPA_PROTO_RSN &&
376 			    !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
377 			    !wpa_key_mgmt_ft(sm->key_mgmt)) {
378 				sa = pmksa_cache_add(sm->pmksa,
379 						     sm->pmk, pmk_len, NULL,
380 						     NULL, 0,
381 						     src_addr, sm->own_addr,
382 						     sm->network_ctx,
383 						     sm->key_mgmt,
384 						     fils_cache_id);
385 			}
386 			if (!sm->cur_pmksa && pmkid &&
387 			    pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL,
388 				    0)) {
389 				wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
390 					"RSN: the new PMK matches with the "
391 					"PMKID");
392 				abort_cached = 0;
393 			} else if (sa && !sm->cur_pmksa && pmkid) {
394 				/*
395 				 * It looks like the authentication server
396 				 * derived mismatching MSK. This should not
397 				 * really happen, but bugs happen.. There is not
398 				 * much we can do here without knowing what
399 				 * exactly caused the server to misbehave.
400 				 */
401 				wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
402 					"RSN: PMKID mismatch - authentication server may have derived different MSK?!");
403 				return -1;
404 			}
405 
406 			if (!sm->cur_pmksa)
407 				sm->cur_pmksa = sa;
408 #ifdef CONFIG_IEEE80211R
409 		} else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) {
410 			wpa_printf(MSG_DEBUG,
411 				   "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol");
412 #endif /* CONFIG_IEEE80211R */
413 		} else {
414 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
415 				"WPA: Failed to get master session key from "
416 				"EAPOL state machines - key handshake "
417 				"aborted");
418 			if (sm->cur_pmksa) {
419 				wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
420 					"RSN: Cancelled PMKSA caching "
421 					"attempt");
422 				sm->cur_pmksa = NULL;
423 				abort_cached = 1;
424 			} else if (!abort_cached) {
425 				return -1;
426 			}
427 		}
428 	}
429 
430 	if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
431 	    !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
432 	    !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
433 	{
434 		/* Send EAPOL-Start to trigger full EAP authentication. */
435 		u8 *buf;
436 		size_t buflen;
437 
438 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
439 			"RSN: no PMKSA entry found - trigger "
440 			"full EAP authentication");
441 		buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
442 					 NULL, 0, &buflen, NULL);
443 		if (buf) {
444 			wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
445 					  buf, buflen);
446 			os_free(buf);
447 			return -2;
448 		}
449 
450 		return -1;
451 	}
452 
453 	return 0;
454 }
455 
456 
457 /**
458  * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
459  * @sm: Pointer to WPA state machine data from wpa_sm_init()
460  * @dst: Destination address for the frame
461  * @key: Pointer to the EAPOL-Key frame header
462  * @ver: Version bits from EAPOL-Key Key Info
463  * @nonce: Nonce value for the EAPOL-Key frame
464  * @wpa_ie: WPA/RSN IE
465  * @wpa_ie_len: Length of the WPA/RSN IE
466  * @ptk: PTK to use for keyed hash and encryption
467  * Returns: >= 0 on success, < 0 on failure
468  */
469 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
470 			       const struct wpa_eapol_key *key,
471 			       int ver, const u8 *nonce,
472 			       const u8 *wpa_ie, size_t wpa_ie_len,
473 			       struct wpa_ptk *ptk)
474 {
475 	size_t mic_len, hdrlen, rlen;
476 	struct wpa_eapol_key *reply;
477 	u8 *rbuf, *key_mic;
478 	u8 *rsn_ie_buf = NULL;
479 	u16 key_info;
480 
481 	if (wpa_ie == NULL) {
482 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
483 			"cannot generate msg 2/4");
484 		return -1;
485 	}
486 
487 #ifdef CONFIG_IEEE80211R
488 	if (wpa_key_mgmt_ft(sm->key_mgmt)) {
489 		int res;
490 
491 		/*
492 		 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
493 		 * FTIE from (Re)Association Response.
494 		 */
495 		rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
496 				       sm->assoc_resp_ies_len);
497 		if (rsn_ie_buf == NULL)
498 			return -1;
499 		os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
500 		res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
501 				       sm->pmk_r1_name);
502 		if (res < 0) {
503 			os_free(rsn_ie_buf);
504 			return -1;
505 		}
506 
507 		if (sm->assoc_resp_ies) {
508 			os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
509 				  sm->assoc_resp_ies_len);
510 			wpa_ie_len += sm->assoc_resp_ies_len;
511 		}
512 
513 		wpa_ie = rsn_ie_buf;
514 	}
515 #endif /* CONFIG_IEEE80211R */
516 
517 	wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
518 
519 	mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
520 	hdrlen = sizeof(*reply) + mic_len + 2;
521 	rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
522 				  NULL, hdrlen + wpa_ie_len,
523 				  &rlen, (void *) &reply);
524 	if (rbuf == NULL) {
525 		os_free(rsn_ie_buf);
526 		return -1;
527 	}
528 
529 	reply->type = (sm->proto == WPA_PROTO_RSN ||
530 		       sm->proto == WPA_PROTO_OSEN) ?
531 		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
532 	key_info = ver | WPA_KEY_INFO_KEY_TYPE;
533 	if (mic_len)
534 		key_info |= WPA_KEY_INFO_MIC;
535 	else
536 		key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
537 	WPA_PUT_BE16(reply->key_info, key_info);
538 	if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
539 		WPA_PUT_BE16(reply->key_length, 0);
540 	else
541 		os_memcpy(reply->key_length, key->key_length, 2);
542 	os_memcpy(reply->replay_counter, key->replay_counter,
543 		  WPA_REPLAY_COUNTER_LEN);
544 	wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
545 		    WPA_REPLAY_COUNTER_LEN);
546 
547 	key_mic = (u8 *) (reply + 1);
548 	WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */
549 	os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
550 	os_free(rsn_ie_buf);
551 
552 	os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
553 
554 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
555 	return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
556 				  key_mic);
557 }
558 
559 
560 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
561 			  const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
562 {
563 	const u8 *z = NULL;
564 	size_t z_len = 0;
565 
566 #ifdef CONFIG_IEEE80211R
567 	if (wpa_key_mgmt_ft(sm->key_mgmt))
568 		return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
569 #endif /* CONFIG_IEEE80211R */
570 
571 #ifdef CONFIG_DPP2
572 	if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
573 		z = wpabuf_head(sm->dpp_z);
574 		z_len = wpabuf_len(sm->dpp_z);
575 	}
576 #endif /* CONFIG_DPP2 */
577 
578 	return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
579 			      sm->own_addr, sm->bssid, sm->snonce,
580 			      key->key_nonce, ptk, sm->key_mgmt,
581 			      sm->pairwise_cipher, z, z_len);
582 }
583 
584 
585 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
586 					  const unsigned char *src_addr,
587 					  const struct wpa_eapol_key *key,
588 					  u16 ver, const u8 *key_data,
589 					  size_t key_data_len)
590 {
591 	struct wpa_eapol_ie_parse ie;
592 	struct wpa_ptk *ptk;
593 	int res;
594 	u8 *kde, *kde_buf = NULL;
595 	size_t kde_len;
596 
597 	if (wpa_sm_get_network_ctx(sm) == NULL) {
598 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
599 			"found (msg 1 of 4)");
600 		return;
601 	}
602 
603 	wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
604 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way "
605 		"Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
606 
607 	os_memset(&ie, 0, sizeof(ie));
608 
609 	if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
610 		/* RSN: msg 1/4 should contain PMKID for the selected PMK */
611 		wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
612 			    key_data, key_data_len);
613 		if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
614 			goto failed;
615 		if (ie.pmkid) {
616 			wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
617 				    "Authenticator", ie.pmkid, PMKID_LEN);
618 		}
619 	}
620 
621 	res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
622 	if (res == -2) {
623 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
624 			"msg 1/4 - requesting full EAP authentication");
625 		return;
626 	}
627 	if (res)
628 		goto failed;
629 
630 	if (sm->renew_snonce) {
631 		if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
632 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
633 				"WPA: Failed to get random data for SNonce");
634 			goto failed;
635 		}
636 		sm->renew_snonce = 0;
637 		wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
638 			    sm->snonce, WPA_NONCE_LEN);
639 	}
640 
641 	/* Calculate PTK which will be stored as a temporary PTK until it has
642 	 * been verified when processing message 3/4. */
643 	ptk = &sm->tptk;
644 	if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
645 		goto failed;
646 	if (sm->pairwise_cipher == WPA_CIPHER_TKIP) {
647 		u8 buf[8];
648 		/* Supplicant: swap tx/rx Mic keys */
649 		os_memcpy(buf, &ptk->tk[16], 8);
650 		os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
651 		os_memcpy(&ptk->tk[24], buf, 8);
652 		forced_memzero(buf, sizeof(buf));
653 	}
654 	sm->tptk_set = 1;
655 
656 	kde = sm->assoc_wpa_ie;
657 	kde_len = sm->assoc_wpa_ie_len;
658 
659 #ifdef CONFIG_OCV
660 	if (wpa_sm_ocv_enabled(sm)) {
661 		struct wpa_channel_info ci;
662 		u8 *pos;
663 
664 		if (wpa_sm_channel_info(sm, &ci) != 0) {
665 			wpa_printf(MSG_WARNING,
666 				   "Failed to get channel info for OCI element in EAPOL-Key 2/4");
667 			goto failed;
668 		}
669 
670 		kde_buf = os_malloc(kde_len + 2 + RSN_SELECTOR_LEN + 3);
671 		if (!kde_buf) {
672 			wpa_printf(MSG_WARNING,
673 				   "Failed to allocate memory for KDE with OCI in EAPOL-Key 2/4");
674 			goto failed;
675 		}
676 
677 		os_memcpy(kde_buf, kde, kde_len);
678 		kde = kde_buf;
679 		pos = kde + kde_len;
680 		if (ocv_insert_oci_kde(&ci, &pos) < 0)
681 			goto failed;
682 		kde_len = pos - kde;
683 	}
684 #endif /* CONFIG_OCV */
685 
686 #ifdef CONFIG_P2P
687 	if (sm->p2p) {
688 		kde_buf = os_malloc(kde_len + 2 + RSN_SELECTOR_LEN + 1);
689 		if (kde_buf) {
690 			u8 *pos;
691 			wpa_printf(MSG_DEBUG, "P2P: Add IP Address Request KDE "
692 				   "into EAPOL-Key 2/4");
693 			os_memcpy(kde_buf, kde, kde_len);
694 			kde = kde_buf;
695 			pos = kde + kde_len;
696 			*pos++ = WLAN_EID_VENDOR_SPECIFIC;
697 			*pos++ = RSN_SELECTOR_LEN + 1;
698 			RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
699 			pos += RSN_SELECTOR_LEN;
700 			*pos++ = 0x01;
701 			kde_len = pos - kde;
702 		}
703 	}
704 #endif /* CONFIG_P2P */
705 
706 	if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce,
707 				       kde, kde_len, ptk) < 0)
708 		goto failed;
709 
710 	os_free(kde_buf);
711 	os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
712 	return;
713 
714 failed:
715 	os_free(kde_buf);
716 	wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
717 }
718 
719 
720 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
721 {
722 	struct wpa_sm *sm = eloop_ctx;
723 	rsn_preauth_candidate_process(sm);
724 }
725 
726 
727 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
728 					    const u8 *addr, int secure)
729 {
730 	wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
731 		"WPA: Key negotiation completed with "
732 		MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
733 		wpa_cipher_txt(sm->pairwise_cipher),
734 		wpa_cipher_txt(sm->group_cipher));
735 	wpa_sm_cancel_auth_timeout(sm);
736 	wpa_sm_set_state(sm, WPA_COMPLETED);
737 
738 	if (secure) {
739 		wpa_sm_mlme_setprotection(
740 			sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
741 			MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
742 		eapol_sm_notify_portValid(sm->eapol, TRUE);
743 		if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
744 		    sm->key_mgmt == WPA_KEY_MGMT_DPP ||
745 		    sm->key_mgmt == WPA_KEY_MGMT_OWE)
746 			eapol_sm_notify_eap_success(sm->eapol, TRUE);
747 		/*
748 		 * Start preauthentication after a short wait to avoid a
749 		 * possible race condition between the data receive and key
750 		 * configuration after the 4-Way Handshake. This increases the
751 		 * likelihood of the first preauth EAPOL-Start frame getting to
752 		 * the target AP.
753 		 */
754 		if (!dl_list_empty(&sm->pmksa_candidates))
755 			eloop_register_timeout(1, 0, wpa_sm_start_preauth,
756 					       sm, NULL);
757 	}
758 
759 	if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
760 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
761 			"RSN: Authenticator accepted "
762 			"opportunistic PMKSA entry - marking it valid");
763 		sm->cur_pmksa->opportunistic = 0;
764 	}
765 
766 #ifdef CONFIG_IEEE80211R
767 	if (wpa_key_mgmt_ft(sm->key_mgmt)) {
768 		/* Prepare for the next transition */
769 		wpa_ft_prepare_auth_request(sm, NULL);
770 	}
771 #endif /* CONFIG_IEEE80211R */
772 }
773 
774 
775 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
776 {
777 	struct wpa_sm *sm = eloop_ctx;
778 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
779 	wpa_sm_key_request(sm, 0, 1);
780 }
781 
782 
783 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
784 				      const struct wpa_eapol_key *key)
785 {
786 	int keylen, rsclen;
787 	enum wpa_alg alg;
788 	const u8 *key_rsc;
789 
790 	if (sm->ptk.installed) {
791 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
792 			"WPA: Do not re-install same PTK to the driver");
793 		return 0;
794 	}
795 
796 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
797 		"WPA: Installing PTK to the driver");
798 
799 	if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
800 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
801 			"Suite: NONE - do not use pairwise keys");
802 		return 0;
803 	}
804 
805 	if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
806 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
807 			"WPA: Unsupported pairwise cipher %d",
808 			sm->pairwise_cipher);
809 		return -1;
810 	}
811 
812 	alg = wpa_cipher_to_alg(sm->pairwise_cipher);
813 	keylen = wpa_cipher_key_len(sm->pairwise_cipher);
814 	if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
815 		wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",
816 			   keylen, (long unsigned int) sm->ptk.tk_len);
817 		return -1;
818 	}
819 	rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
820 
821 	if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
822 		key_rsc = null_rsc;
823 	} else {
824 		key_rsc = key->key_rsc;
825 		wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
826 	}
827 
828 	if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, key_rsc, rsclen,
829 			   sm->ptk.tk, keylen) < 0) {
830 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
831 			"WPA: Failed to set PTK to the "
832 			"driver (alg=%d keylen=%d bssid=" MACSTR ")",
833 			alg, keylen, MAC2STR(sm->bssid));
834 		return -1;
835 	}
836 
837 	/* TK is not needed anymore in supplicant */
838 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
839 	sm->ptk.tk_len = 0;
840 	sm->ptk.installed = 1;
841 
842 	if (sm->wpa_ptk_rekey) {
843 		eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
844 		eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
845 				       sm, NULL);
846 	}
847 
848 	return 0;
849 }
850 
851 
852 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
853 					     int group_cipher,
854 					     int keylen, int maxkeylen,
855 					     int *key_rsc_len,
856 					     enum wpa_alg *alg)
857 {
858 	int klen;
859 
860 	*alg = wpa_cipher_to_alg(group_cipher);
861 	if (*alg == WPA_ALG_NONE) {
862 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
863 			"WPA: Unsupported Group Cipher %d",
864 			group_cipher);
865 		return -1;
866 	}
867 	*key_rsc_len = wpa_cipher_rsc_len(group_cipher);
868 
869 	klen = wpa_cipher_key_len(group_cipher);
870 	if (keylen != klen || maxkeylen < klen) {
871 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
872 			"WPA: Unsupported %s Group Cipher key length %d (%d)",
873 			wpa_cipher_txt(group_cipher), keylen, maxkeylen);
874 		return -1;
875 	}
876 	return 0;
877 }
878 
879 
880 struct wpa_gtk_data {
881 	enum wpa_alg alg;
882 	int tx, key_rsc_len, keyidx;
883 	u8 gtk[32];
884 	int gtk_len;
885 };
886 
887 
888 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
889 				      const struct wpa_gtk_data *gd,
890 				      const u8 *key_rsc, int wnm_sleep)
891 {
892 	const u8 *_gtk = gd->gtk;
893 	u8 gtk_buf[32];
894 
895 	/* Detect possible key reinstallation */
896 	if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
897 	     os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
898 	    (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
899 	     os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
900 		       sm->gtk_wnm_sleep.gtk_len) == 0)) {
901 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
902 			"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
903 			gd->keyidx, gd->tx, gd->gtk_len);
904 		return 0;
905 	}
906 
907 	wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
908 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
909 		"WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
910 		gd->keyidx, gd->tx, gd->gtk_len);
911 	wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
912 	if (sm->group_cipher == WPA_CIPHER_TKIP) {
913 		/* Swap Tx/Rx keys for Michael MIC */
914 		os_memcpy(gtk_buf, gd->gtk, 16);
915 		os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
916 		os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
917 		_gtk = gtk_buf;
918 	}
919 	if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
920 		if (wpa_sm_set_key(sm, gd->alg, NULL,
921 				   gd->keyidx, 1, key_rsc, gd->key_rsc_len,
922 				   _gtk, gd->gtk_len) < 0) {
923 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
924 				"WPA: Failed to set GTK to the driver "
925 				"(Group only)");
926 			forced_memzero(gtk_buf, sizeof(gtk_buf));
927 			return -1;
928 		}
929 	} else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr,
930 				  gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
931 				  _gtk, gd->gtk_len) < 0) {
932 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
933 			"WPA: Failed to set GTK to "
934 			"the driver (alg=%d keylen=%d keyidx=%d)",
935 			gd->alg, gd->gtk_len, gd->keyidx);
936 		forced_memzero(gtk_buf, sizeof(gtk_buf));
937 		return -1;
938 	}
939 	forced_memzero(gtk_buf, sizeof(gtk_buf));
940 
941 	if (wnm_sleep) {
942 		sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
943 		os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
944 			  sm->gtk_wnm_sleep.gtk_len);
945 	} else {
946 		sm->gtk.gtk_len = gd->gtk_len;
947 		os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
948 	}
949 
950 	return 0;
951 }
952 
953 
954 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
955 						int tx)
956 {
957 	if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
958 		/* Ignore Tx bit for GTK if a pairwise key is used. One AP
959 		 * seemed to set this bit (incorrectly, since Tx is only when
960 		 * doing Group Key only APs) and without this workaround, the
961 		 * data connection does not work because wpa_supplicant
962 		 * configured non-zero keyidx to be used for unicast. */
963 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
964 			"WPA: Tx bit set for GTK, but pairwise "
965 			"keys are used - ignore Tx bit");
966 		return 0;
967 	}
968 	return tx;
969 }
970 
971 
972 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
973 					 const u8 *rsc)
974 {
975 	int rsclen;
976 
977 	if (!sm->wpa_rsc_relaxation)
978 		return 0;
979 
980 	rsclen = wpa_cipher_rsc_len(sm->group_cipher);
981 
982 	/*
983 	 * Try to detect RSC (endian) corruption issue where the AP sends
984 	 * the RSC bytes in EAPOL-Key message in the wrong order, both if
985 	 * it's actually a 6-byte field (as it should be) and if it treats
986 	 * it as an 8-byte field.
987 	 * An AP model known to have this bug is the Sapido RB-1632.
988 	 */
989 	if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
990 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
991 			"RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
992 			rsc[0], rsc[1], rsc[2], rsc[3],
993 			rsc[4], rsc[5], rsc[6], rsc[7]);
994 
995 		return 1;
996 	}
997 
998 	return 0;
999 }
1000 
1001 
1002 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
1003 				       const struct wpa_eapol_key *key,
1004 				       const u8 *gtk, size_t gtk_len,
1005 				       int key_info)
1006 {
1007 	struct wpa_gtk_data gd;
1008 	const u8 *key_rsc;
1009 
1010 	/*
1011 	 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
1012 	 * GTK KDE format:
1013 	 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
1014 	 * Reserved [bits 0-7]
1015 	 * GTK
1016 	 */
1017 
1018 	os_memset(&gd, 0, sizeof(gd));
1019 	wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
1020 			gtk, gtk_len);
1021 
1022 	if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
1023 		return -1;
1024 
1025 	gd.keyidx = gtk[0] & 0x3;
1026 	gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1027 						     !!(gtk[0] & BIT(2)));
1028 	gtk += 2;
1029 	gtk_len -= 2;
1030 
1031 	os_memcpy(gd.gtk, gtk, gtk_len);
1032 	gd.gtk_len = gtk_len;
1033 
1034 	key_rsc = key->key_rsc;
1035 	if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1036 		key_rsc = null_rsc;
1037 
1038 	if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1039 	    (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1040 					       gtk_len, gtk_len,
1041 					       &gd.key_rsc_len, &gd.alg) ||
1042 	     wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
1043 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1044 			"RSN: Failed to install GTK");
1045 		forced_memzero(&gd, sizeof(gd));
1046 		return -1;
1047 	}
1048 	forced_memzero(&gd, sizeof(gd));
1049 
1050 	return 0;
1051 }
1052 
1053 
1054 #ifdef CONFIG_IEEE80211W
1055 static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
1056 				       const struct wpa_igtk_kde *igtk,
1057 				       int wnm_sleep)
1058 {
1059 	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1060 	u16 keyidx = WPA_GET_LE16(igtk->keyid);
1061 
1062 	/* Detect possible key reinstallation */
1063 	if ((sm->igtk.igtk_len == len &&
1064 	     os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
1065 	    (sm->igtk_wnm_sleep.igtk_len == len &&
1066 	     os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1067 		       sm->igtk_wnm_sleep.igtk_len) == 0)) {
1068 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1069 			"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1070 			keyidx);
1071 		return  0;
1072 	}
1073 
1074 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1075 		"WPA: IGTK keyid %d pn " COMPACT_MACSTR,
1076 		keyidx, MAC2STR(igtk->pn));
1077 	wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
1078 	if (keyidx > 4095) {
1079 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1080 			"WPA: Invalid IGTK KeyID %d", keyidx);
1081 		return -1;
1082 	}
1083 	if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1084 			   broadcast_ether_addr,
1085 			   keyidx, 0, igtk->pn, sizeof(igtk->pn),
1086 			   igtk->igtk, len) < 0) {
1087 		if (keyidx == 0x0400 || keyidx == 0x0500) {
1088 			/* Assume the AP has broken PMF implementation since it
1089 			 * seems to have swapped the KeyID bytes. The AP cannot
1090 			 * be trusted to implement BIP correctly or provide a
1091 			 * valid IGTK, so do not try to configure this key with
1092 			 * swapped KeyID bytes. Instead, continue without
1093 			 * configuring the IGTK so that the driver can drop any
1094 			 * received group-addressed robust management frames due
1095 			 * to missing keys.
1096 			 *
1097 			 * Normally, this error behavior would result in us
1098 			 * disconnecting, but there are number of deployed APs
1099 			 * with this broken behavior, so as an interoperability
1100 			 * workaround, allow the connection to proceed. */
1101 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1102 				"WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order");
1103 		} else {
1104 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1105 				"WPA: Failed to configure IGTK to the driver");
1106 			return -1;
1107 		}
1108 	}
1109 
1110 	if (wnm_sleep) {
1111 		sm->igtk_wnm_sleep.igtk_len = len;
1112 		os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1113 			  sm->igtk_wnm_sleep.igtk_len);
1114 	} else {
1115 		sm->igtk.igtk_len = len;
1116 		os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
1117 	}
1118 
1119 	return 0;
1120 }
1121 #endif /* CONFIG_IEEE80211W */
1122 
1123 
1124 static int ieee80211w_set_keys(struct wpa_sm *sm,
1125 			       struct wpa_eapol_ie_parse *ie)
1126 {
1127 #ifdef CONFIG_IEEE80211W
1128 	if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher))
1129 		return 0;
1130 
1131 	if (ie->igtk) {
1132 		size_t len;
1133 		const struct wpa_igtk_kde *igtk;
1134 
1135 		len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1136 		if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
1137 			return -1;
1138 
1139 		igtk = (const struct wpa_igtk_kde *) ie->igtk;
1140 		if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
1141 			return -1;
1142 	}
1143 
1144 	return 0;
1145 #else /* CONFIG_IEEE80211W */
1146 	return 0;
1147 #endif /* CONFIG_IEEE80211W */
1148 }
1149 
1150 
1151 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
1152 				   const char *reason, const u8 *src_addr,
1153 				   const u8 *wpa_ie, size_t wpa_ie_len,
1154 				   const u8 *rsn_ie, size_t rsn_ie_len)
1155 {
1156 	wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
1157 		reason, MAC2STR(src_addr));
1158 
1159 	if (sm->ap_wpa_ie) {
1160 		wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
1161 			    sm->ap_wpa_ie, sm->ap_wpa_ie_len);
1162 	}
1163 	if (wpa_ie) {
1164 		if (!sm->ap_wpa_ie) {
1165 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1166 				"WPA: No WPA IE in Beacon/ProbeResp");
1167 		}
1168 		wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
1169 			    wpa_ie, wpa_ie_len);
1170 	}
1171 
1172 	if (sm->ap_rsn_ie) {
1173 		wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1174 			    sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1175 	}
1176 	if (rsn_ie) {
1177 		if (!sm->ap_rsn_ie) {
1178 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1179 				"WPA: No RSN IE in Beacon/ProbeResp");
1180 		}
1181 		wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1182 			    rsn_ie, rsn_ie_len);
1183 	}
1184 
1185 	wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
1186 }
1187 
1188 
1189 #ifdef CONFIG_IEEE80211R
1190 
1191 static int ft_validate_mdie(struct wpa_sm *sm,
1192 			    const unsigned char *src_addr,
1193 			    struct wpa_eapol_ie_parse *ie,
1194 			    const u8 *assoc_resp_mdie)
1195 {
1196 	struct rsn_mdie *mdie;
1197 
1198 	mdie = (struct rsn_mdie *) (ie->mdie + 2);
1199 	if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
1200 	    os_memcmp(mdie->mobility_domain, sm->mobility_domain,
1201 		      MOBILITY_DOMAIN_ID_LEN) != 0) {
1202 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
1203 			"not match with the current mobility domain");
1204 		return -1;
1205 	}
1206 
1207 	if (assoc_resp_mdie &&
1208 	    (assoc_resp_mdie[1] != ie->mdie[1] ||
1209 	     os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
1210 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
1211 		wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
1212 			    ie->mdie, 2 + ie->mdie[1]);
1213 		wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
1214 			    assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
1215 		return -1;
1216 	}
1217 
1218 	return 0;
1219 }
1220 
1221 
1222 static int ft_validate_ftie(struct wpa_sm *sm,
1223 			    const unsigned char *src_addr,
1224 			    struct wpa_eapol_ie_parse *ie,
1225 			    const u8 *assoc_resp_ftie)
1226 {
1227 	if (ie->ftie == NULL) {
1228 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1229 			"FT: No FTIE in EAPOL-Key msg 3/4");
1230 		return -1;
1231 	}
1232 
1233 	if (assoc_resp_ftie == NULL)
1234 		return 0;
1235 
1236 	if (assoc_resp_ftie[1] != ie->ftie[1] ||
1237 	    os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
1238 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
1239 		wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
1240 			    ie->ftie, 2 + ie->ftie[1]);
1241 		wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
1242 			    assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
1243 		return -1;
1244 	}
1245 
1246 	return 0;
1247 }
1248 
1249 
1250 static int ft_validate_rsnie(struct wpa_sm *sm,
1251 			     const unsigned char *src_addr,
1252 			     struct wpa_eapol_ie_parse *ie)
1253 {
1254 	struct wpa_ie_data rsn;
1255 
1256 	if (!ie->rsn_ie)
1257 		return 0;
1258 
1259 	/*
1260 	 * Verify that PMKR1Name from EAPOL-Key message 3/4
1261 	 * matches with the value we derived.
1262 	 */
1263 	if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
1264 	    rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
1265 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
1266 			"FT 4-way handshake message 3/4");
1267 		return -1;
1268 	}
1269 
1270 	if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
1271 	{
1272 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1273 			"FT: PMKR1Name mismatch in "
1274 			"FT 4-way handshake message 3/4");
1275 		wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
1276 			    rsn.pmkid, WPA_PMK_NAME_LEN);
1277 		wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1278 			    sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1279 		return -1;
1280 	}
1281 
1282 	return 0;
1283 }
1284 
1285 
1286 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
1287 					 const unsigned char *src_addr,
1288 					 struct wpa_eapol_ie_parse *ie)
1289 {
1290 	const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
1291 
1292 	if (sm->assoc_resp_ies) {
1293 		pos = sm->assoc_resp_ies;
1294 		end = pos + sm->assoc_resp_ies_len;
1295 		while (end - pos > 2) {
1296 			if (2 + pos[1] > end - pos)
1297 				break;
1298 			switch (*pos) {
1299 			case WLAN_EID_MOBILITY_DOMAIN:
1300 				mdie = pos;
1301 				break;
1302 			case WLAN_EID_FAST_BSS_TRANSITION:
1303 				ftie = pos;
1304 				break;
1305 			}
1306 			pos += 2 + pos[1];
1307 		}
1308 	}
1309 
1310 	if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
1311 	    ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
1312 	    ft_validate_rsnie(sm, src_addr, ie) < 0)
1313 		return -1;
1314 
1315 	return 0;
1316 }
1317 
1318 #endif /* CONFIG_IEEE80211R */
1319 
1320 
1321 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
1322 				      const unsigned char *src_addr,
1323 				      struct wpa_eapol_ie_parse *ie)
1324 {
1325 	if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
1326 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1327 			"WPA: No WPA/RSN IE for this AP known. "
1328 			"Trying to get from scan results");
1329 		if (wpa_sm_get_beacon_ie(sm) < 0) {
1330 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1331 				"WPA: Could not find AP from "
1332 				"the scan results");
1333 		} else {
1334 			wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
1335 				"WPA: Found the current AP from "
1336 				"updated scan results");
1337 		}
1338 	}
1339 
1340 	if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
1341 	    (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
1342 		wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1343 				       "with IE in Beacon/ProbeResp (no IE?)",
1344 				       src_addr, ie->wpa_ie, ie->wpa_ie_len,
1345 				       ie->rsn_ie, ie->rsn_ie_len);
1346 		return -1;
1347 	}
1348 
1349 	if ((ie->wpa_ie && sm->ap_wpa_ie &&
1350 	     (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
1351 	      os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
1352 	    (ie->rsn_ie && sm->ap_rsn_ie &&
1353 	     wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
1354 				sm->ap_rsn_ie, sm->ap_rsn_ie_len,
1355 				ie->rsn_ie, ie->rsn_ie_len))) {
1356 		wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1357 				       "with IE in Beacon/ProbeResp",
1358 				       src_addr, ie->wpa_ie, ie->wpa_ie_len,
1359 				       ie->rsn_ie, ie->rsn_ie_len);
1360 		return -1;
1361 	}
1362 
1363 	if (sm->proto == WPA_PROTO_WPA &&
1364 	    ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
1365 		wpa_report_ie_mismatch(sm, "Possible downgrade attack "
1366 				       "detected - RSN was enabled and RSN IE "
1367 				       "was in msg 3/4, but not in "
1368 				       "Beacon/ProbeResp",
1369 				       src_addr, ie->wpa_ie, ie->wpa_ie_len,
1370 				       ie->rsn_ie, ie->rsn_ie_len);
1371 		return -1;
1372 	}
1373 
1374 #ifdef CONFIG_IEEE80211R
1375 	if (wpa_key_mgmt_ft(sm->key_mgmt) &&
1376 	    wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
1377 		return -1;
1378 #endif /* CONFIG_IEEE80211R */
1379 
1380 	return 0;
1381 }
1382 
1383 
1384 /**
1385  * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
1386  * @sm: Pointer to WPA state machine data from wpa_sm_init()
1387  * @dst: Destination address for the frame
1388  * @key: Pointer to the EAPOL-Key frame header
1389  * @ver: Version bits from EAPOL-Key Key Info
1390  * @key_info: Key Info
1391  * @ptk: PTK to use for keyed hash and encryption
1392  * Returns: >= 0 on success, < 0 on failure
1393  */
1394 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
1395 			       const struct wpa_eapol_key *key,
1396 			       u16 ver, u16 key_info,
1397 			       struct wpa_ptk *ptk)
1398 {
1399 	size_t mic_len, hdrlen, rlen;
1400 	struct wpa_eapol_key *reply;
1401 	u8 *rbuf, *key_mic;
1402 
1403 	mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1404 	hdrlen = sizeof(*reply) + mic_len + 2;
1405 	rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1406 				  hdrlen, &rlen, (void *) &reply);
1407 	if (rbuf == NULL)
1408 		return -1;
1409 
1410 	reply->type = (sm->proto == WPA_PROTO_RSN ||
1411 		       sm->proto == WPA_PROTO_OSEN) ?
1412 		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1413 	key_info &= WPA_KEY_INFO_SECURE;
1414 	key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
1415 	if (mic_len)
1416 		key_info |= WPA_KEY_INFO_MIC;
1417 	else
1418 		key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1419 	WPA_PUT_BE16(reply->key_info, key_info);
1420 	if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
1421 		WPA_PUT_BE16(reply->key_length, 0);
1422 	else
1423 		os_memcpy(reply->key_length, key->key_length, 2);
1424 	os_memcpy(reply->replay_counter, key->replay_counter,
1425 		  WPA_REPLAY_COUNTER_LEN);
1426 
1427 	key_mic = (u8 *) (reply + 1);
1428 	WPA_PUT_BE16(key_mic + mic_len, 0);
1429 
1430 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
1431 	return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
1432 				  key_mic);
1433 }
1434 
1435 
1436 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
1437 					  const struct wpa_eapol_key *key,
1438 					  u16 ver, const u8 *key_data,
1439 					  size_t key_data_len)
1440 {
1441 	u16 key_info, keylen;
1442 	struct wpa_eapol_ie_parse ie;
1443 
1444 	wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
1445 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 3 of 4-Way "
1446 		"Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver);
1447 
1448 	key_info = WPA_GET_BE16(key->key_info);
1449 
1450 	wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
1451 	if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
1452 		goto failed;
1453 	if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1454 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1455 			"WPA: GTK IE in unencrypted key data");
1456 		goto failed;
1457 	}
1458 #ifdef CONFIG_IEEE80211W
1459 	if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1460 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1461 			"WPA: IGTK KDE in unencrypted key data");
1462 		goto failed;
1463 	}
1464 
1465 	if (ie.igtk &&
1466 	    wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
1467 	    ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
1468 	    (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
1469 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1470 			"WPA: Invalid IGTK KDE length %lu",
1471 			(unsigned long) ie.igtk_len);
1472 		goto failed;
1473 	}
1474 #endif /* CONFIG_IEEE80211W */
1475 
1476 	if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
1477 		goto failed;
1478 
1479 	if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
1480 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1481 			"WPA: ANonce from message 1 of 4-Way Handshake "
1482 			"differs from 3 of 4-Way Handshake - drop packet (src="
1483 			MACSTR ")", MAC2STR(sm->bssid));
1484 		goto failed;
1485 	}
1486 
1487 	keylen = WPA_GET_BE16(key->key_length);
1488 	if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
1489 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1490 			"WPA: Invalid %s key length %d (src=" MACSTR
1491 			")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
1492 			MAC2STR(sm->bssid));
1493 		goto failed;
1494 	}
1495 
1496 #ifdef CONFIG_P2P
1497 	if (ie.ip_addr_alloc) {
1498 		os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
1499 		wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
1500 			    sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
1501 	}
1502 #endif /* CONFIG_P2P */
1503 
1504 #ifdef CONFIG_OCV
1505 	if (wpa_sm_ocv_enabled(sm)) {
1506 		struct wpa_channel_info ci;
1507 
1508 		if (wpa_sm_channel_info(sm, &ci) != 0) {
1509 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1510 				"Failed to get channel info to validate received OCI in EAPOL-Key 3/4");
1511 			return;
1512 		}
1513 
1514 		if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
1515 					 channel_width_to_int(ci.chanwidth),
1516 					 ci.seg1_idx) != 0) {
1517 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "%s",
1518 				ocv_errorstr);
1519 			return;
1520 		}
1521 	}
1522 #endif /* CONFIG_OCV */
1523 
1524 	if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info,
1525 				       &sm->ptk) < 0) {
1526 		goto failed;
1527 	}
1528 
1529 	/* SNonce was successfully used in msg 3/4, so mark it to be renewed
1530 	 * for the next 4-Way Handshake. If msg 3 is received again, the old
1531 	 * SNonce will still be used to avoid changing PTK. */
1532 	sm->renew_snonce = 1;
1533 
1534 	if (key_info & WPA_KEY_INFO_INSTALL) {
1535 		if (wpa_supplicant_install_ptk(sm, key))
1536 			goto failed;
1537 	}
1538 
1539 	if (key_info & WPA_KEY_INFO_SECURE) {
1540 		wpa_sm_mlme_setprotection(
1541 			sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
1542 			MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1543 		eapol_sm_notify_portValid(sm->eapol, TRUE);
1544 	}
1545 	wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1546 
1547 	if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
1548 		/* No GTK to be set to the driver */
1549 	} else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) {
1550 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1551 			"RSN: No GTK KDE included in EAPOL-Key msg 3/4");
1552 		goto failed;
1553 	} else if (ie.gtk &&
1554 	    wpa_supplicant_pairwise_gtk(sm, key,
1555 					ie.gtk, ie.gtk_len, key_info) < 0) {
1556 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1557 			"RSN: Failed to configure GTK");
1558 		goto failed;
1559 	}
1560 
1561 	if (ieee80211w_set_keys(sm, &ie) < 0) {
1562 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1563 			"RSN: Failed to configure IGTK");
1564 		goto failed;
1565 	}
1566 
1567 	if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk)
1568 		wpa_supplicant_key_neg_complete(sm, sm->bssid,
1569 						key_info & WPA_KEY_INFO_SECURE);
1570 
1571 	if (ie.gtk)
1572 		wpa_sm_set_rekey_offload(sm);
1573 
1574 	/* Add PMKSA cache entry for Suite B AKMs here since PMKID can be
1575 	 * calculated only after KCK has been derived. Though, do not replace an
1576 	 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
1577 	 * to avoid unnecessary changes of PMKID while continuing to use the
1578 	 * same PMK. */
1579 	if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
1580 	    !sm->cur_pmksa) {
1581 		struct rsn_pmksa_cache_entry *sa;
1582 
1583 		sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
1584 				     sm->ptk.kck, sm->ptk.kck_len,
1585 				     sm->bssid, sm->own_addr,
1586 				     sm->network_ctx, sm->key_mgmt, NULL);
1587 		if (!sm->cur_pmksa)
1588 			sm->cur_pmksa = sa;
1589 	}
1590 
1591 	sm->msg_3_of_4_ok = 1;
1592 	return;
1593 
1594 failed:
1595 	wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1596 }
1597 
1598 
1599 static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm,
1600 					     const u8 *keydata,
1601 					     size_t keydatalen,
1602 					     u16 key_info,
1603 					     struct wpa_gtk_data *gd)
1604 {
1605 	int maxkeylen;
1606 	struct wpa_eapol_ie_parse ie;
1607 
1608 	wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
1609 			keydata, keydatalen);
1610 	if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0)
1611 		return -1;
1612 	if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1613 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1614 			"WPA: GTK IE in unencrypted key data");
1615 		return -1;
1616 	}
1617 	if (ie.gtk == NULL) {
1618 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1619 			"WPA: No GTK IE in Group Key msg 1/2");
1620 		return -1;
1621 	}
1622 	maxkeylen = gd->gtk_len = ie.gtk_len - 2;
1623 
1624 #ifdef CONFIG_OCV
1625 	if (wpa_sm_ocv_enabled(sm)) {
1626 		struct wpa_channel_info ci;
1627 
1628 		if (wpa_sm_channel_info(sm, &ci) != 0) {
1629 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1630 				"Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
1631 			return -1;
1632 		}
1633 
1634 		if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
1635 					 channel_width_to_int(ci.chanwidth),
1636 					 ci.seg1_idx) != 0) {
1637 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "%s",
1638 				ocv_errorstr);
1639 			return -1;
1640 		}
1641 	}
1642 #endif /* CONFIG_OCV */
1643 
1644 	if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1645 					      gd->gtk_len, maxkeylen,
1646 					      &gd->key_rsc_len, &gd->alg))
1647 		return -1;
1648 
1649 	wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
1650 			ie.gtk, ie.gtk_len);
1651 	gd->keyidx = ie.gtk[0] & 0x3;
1652 	gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1653 						      !!(ie.gtk[0] & BIT(2)));
1654 	if (ie.gtk_len - 2 > sizeof(gd->gtk)) {
1655 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1656 			"RSN: Too long GTK in GTK IE (len=%lu)",
1657 			(unsigned long) ie.gtk_len - 2);
1658 		return -1;
1659 	}
1660 	os_memcpy(gd->gtk, ie.gtk + 2, ie.gtk_len - 2);
1661 
1662 	if (ieee80211w_set_keys(sm, &ie) < 0)
1663 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1664 			"RSN: Failed to configure IGTK");
1665 
1666 	return 0;
1667 }
1668 
1669 
1670 static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
1671 					     const struct wpa_eapol_key *key,
1672 					     const u8 *key_data,
1673 					     size_t key_data_len, u16 key_info,
1674 					     u16 ver, struct wpa_gtk_data *gd)
1675 {
1676 	size_t maxkeylen;
1677 	u16 gtk_len;
1678 
1679 	gtk_len = WPA_GET_BE16(key->key_length);
1680 	maxkeylen = key_data_len;
1681 	if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1682 		if (maxkeylen < 8) {
1683 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1684 				"WPA: Too short maxkeylen (%lu)",
1685 				(unsigned long) maxkeylen);
1686 			return -1;
1687 		}
1688 		maxkeylen -= 8;
1689 	}
1690 
1691 	if (gtk_len > maxkeylen ||
1692 	    wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1693 					      gtk_len, maxkeylen,
1694 					      &gd->key_rsc_len, &gd->alg))
1695 		return -1;
1696 
1697 	gd->gtk_len = gtk_len;
1698 	gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1699 		WPA_KEY_INFO_KEY_INDEX_SHIFT;
1700 	if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
1701 #ifdef CONFIG_NO_RC4
1702 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1703 			"WPA: RC4 not supported in the build");
1704 		return -1;
1705 #else /* CONFIG_NO_RC4 */
1706 		u8 ek[32];
1707 		if (key_data_len > sizeof(gd->gtk)) {
1708 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1709 				"WPA: RC4 key data too long (%lu)",
1710 				(unsigned long) key_data_len);
1711 			return -1;
1712 		}
1713 		os_memcpy(ek, key->key_iv, 16);
1714 		os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
1715 		os_memcpy(gd->gtk, key_data, key_data_len);
1716 		if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) {
1717 			forced_memzero(ek, sizeof(ek));
1718 			wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1719 				"WPA: RC4 failed");
1720 			return -1;
1721 		}
1722 		forced_memzero(ek, sizeof(ek));
1723 #endif /* CONFIG_NO_RC4 */
1724 	} else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1725 		if (maxkeylen % 8) {
1726 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1727 				"WPA: Unsupported AES-WRAP len %lu",
1728 				(unsigned long) maxkeylen);
1729 			return -1;
1730 		}
1731 		if (maxkeylen > sizeof(gd->gtk)) {
1732 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1733 				"WPA: AES-WRAP key data "
1734 				"too long (keydatalen=%lu maxkeylen=%lu)",
1735 				(unsigned long) key_data_len,
1736 				(unsigned long) maxkeylen);
1737 			return -1;
1738 		}
1739 		if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
1740 			       key_data, gd->gtk)) {
1741 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1742 				"WPA: AES unwrap failed - could not decrypt "
1743 				"GTK");
1744 			return -1;
1745 		}
1746 	} else {
1747 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1748 			"WPA: Unsupported key_info type %d", ver);
1749 		return -1;
1750 	}
1751 	gd->tx = wpa_supplicant_gtk_tx_bit_workaround(
1752 		sm, !!(key_info & WPA_KEY_INFO_TXRX));
1753 	return 0;
1754 }
1755 
1756 
1757 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
1758 				      const struct wpa_eapol_key *key,
1759 				      int ver, u16 key_info)
1760 {
1761 	size_t mic_len, hdrlen, rlen;
1762 	struct wpa_eapol_key *reply;
1763 	u8 *rbuf, *key_mic;
1764 	size_t kde_len = 0;
1765 
1766 #ifdef CONFIG_OCV
1767 	if (wpa_sm_ocv_enabled(sm))
1768 		kde_len = OCV_OCI_KDE_LEN;
1769 #endif /* CONFIG_OCV */
1770 
1771 	mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1772 	hdrlen = sizeof(*reply) + mic_len + 2;
1773 	rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1774 				  hdrlen + kde_len, &rlen, (void *) &reply);
1775 	if (rbuf == NULL)
1776 		return -1;
1777 
1778 	reply->type = (sm->proto == WPA_PROTO_RSN ||
1779 		       sm->proto == WPA_PROTO_OSEN) ?
1780 		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1781 	key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
1782 	key_info |= ver | WPA_KEY_INFO_SECURE;
1783 	if (mic_len)
1784 		key_info |= WPA_KEY_INFO_MIC;
1785 	else
1786 		key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1787 	WPA_PUT_BE16(reply->key_info, key_info);
1788 	if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
1789 		WPA_PUT_BE16(reply->key_length, 0);
1790 	else
1791 		os_memcpy(reply->key_length, key->key_length, 2);
1792 	os_memcpy(reply->replay_counter, key->replay_counter,
1793 		  WPA_REPLAY_COUNTER_LEN);
1794 
1795 	key_mic = (u8 *) (reply + 1);
1796 	WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */
1797 
1798 #ifdef CONFIG_OCV
1799 	if (wpa_sm_ocv_enabled(sm)) {
1800 		struct wpa_channel_info ci;
1801 		u8 *pos;
1802 
1803 		if (wpa_sm_channel_info(sm, &ci) != 0) {
1804 			wpa_printf(MSG_WARNING,
1805 				   "Failed to get channel info for OCI element in EAPOL-Key 2/2");
1806 			os_free(rbuf);
1807 			return -1;
1808 		}
1809 
1810 		pos = key_mic + mic_len + 2; /* Key Data */
1811 		if (ocv_insert_oci_kde(&ci, &pos) < 0) {
1812 			os_free(rbuf);
1813 			return -1;
1814 		}
1815 	}
1816 #endif /* CONFIG_OCV */
1817 
1818 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
1819 	return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL,
1820 				  rbuf, rlen, key_mic);
1821 }
1822 
1823 
1824 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
1825 					  const unsigned char *src_addr,
1826 					  const struct wpa_eapol_key *key,
1827 					  const u8 *key_data,
1828 					  size_t key_data_len, u16 ver)
1829 {
1830 	u16 key_info;
1831 	int rekey, ret;
1832 	struct wpa_gtk_data gd;
1833 	const u8 *key_rsc;
1834 
1835 	if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
1836 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1837 			"WPA: Group Key Handshake started prior to completion of 4-way handshake");
1838 		goto failed;
1839 	}
1840 
1841 	os_memset(&gd, 0, sizeof(gd));
1842 
1843 	rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
1844 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key "
1845 		"Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
1846 
1847 	key_info = WPA_GET_BE16(key->key_info);
1848 
1849 	if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
1850 		ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data,
1851 							key_data_len, key_info,
1852 							&gd);
1853 	} else {
1854 		ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data,
1855 							key_data_len,
1856 							key_info, ver, &gd);
1857 	}
1858 
1859 	wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1860 
1861 	if (ret)
1862 		goto failed;
1863 
1864 	key_rsc = key->key_rsc;
1865 	if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1866 		key_rsc = null_rsc;
1867 
1868 	if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
1869 	    wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
1870 		goto failed;
1871 	forced_memzero(&gd, sizeof(gd));
1872 
1873 	if (rekey) {
1874 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying "
1875 			"completed with " MACSTR " [GTK=%s]",
1876 			MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
1877 		wpa_sm_cancel_auth_timeout(sm);
1878 		wpa_sm_set_state(sm, WPA_COMPLETED);
1879 	} else {
1880 		wpa_supplicant_key_neg_complete(sm, sm->bssid,
1881 						key_info &
1882 						WPA_KEY_INFO_SECURE);
1883 	}
1884 
1885 	wpa_sm_set_rekey_offload(sm);
1886 
1887 	return;
1888 
1889 failed:
1890 	forced_memzero(&gd, sizeof(gd));
1891 	wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1892 }
1893 
1894 
1895 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
1896 					       struct wpa_eapol_key *key,
1897 					       u16 ver,
1898 					       const u8 *buf, size_t len)
1899 {
1900 	u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
1901 	int ok = 0;
1902 	size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1903 
1904 	os_memcpy(mic, key + 1, mic_len);
1905 	if (sm->tptk_set) {
1906 		os_memset(key + 1, 0, mic_len);
1907 		if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
1908 				      sm->key_mgmt,
1909 				      ver, buf, len, (u8 *) (key + 1)) < 0 ||
1910 		    os_memcmp_const(mic, key + 1, mic_len) != 0) {
1911 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1912 				"WPA: Invalid EAPOL-Key MIC "
1913 				"when using TPTK - ignoring TPTK");
1914 #ifdef TEST_FUZZ
1915 			wpa_printf(MSG_INFO,
1916 				   "TEST: Ignore Key MIC failure for fuzz testing");
1917 			goto continue_fuzz;
1918 #endif /* TEST_FUZZ */
1919 		} else {
1920 #ifdef TEST_FUZZ
1921 		continue_fuzz:
1922 #endif /* TEST_FUZZ */
1923 			ok = 1;
1924 			sm->tptk_set = 0;
1925 			sm->ptk_set = 1;
1926 			os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
1927 			os_memset(&sm->tptk, 0, sizeof(sm->tptk));
1928 			/*
1929 			 * This assures the same TPTK in sm->tptk can never be
1930 			 * copied twice to sm->ptk as the new PTK. In
1931 			 * combination with the installed flag in the wpa_ptk
1932 			 * struct, this assures the same PTK is only installed
1933 			 * once.
1934 			 */
1935 			sm->renew_snonce = 1;
1936 		}
1937 	}
1938 
1939 	if (!ok && sm->ptk_set) {
1940 		os_memset(key + 1, 0, mic_len);
1941 		if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
1942 				      sm->key_mgmt,
1943 				      ver, buf, len, (u8 *) (key + 1)) < 0 ||
1944 		    os_memcmp_const(mic, key + 1, mic_len) != 0) {
1945 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1946 				"WPA: Invalid EAPOL-Key MIC - "
1947 				"dropping packet");
1948 #ifdef TEST_FUZZ
1949 			wpa_printf(MSG_INFO,
1950 				   "TEST: Ignore Key MIC failure for fuzz testing");
1951 			goto continue_fuzz2;
1952 #endif /* TEST_FUZZ */
1953 			return -1;
1954 		}
1955 #ifdef TEST_FUZZ
1956 	continue_fuzz2:
1957 #endif /* TEST_FUZZ */
1958 		ok = 1;
1959 	}
1960 
1961 	if (!ok) {
1962 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1963 			"WPA: Could not verify EAPOL-Key MIC - "
1964 			"dropping packet");
1965 		return -1;
1966 	}
1967 
1968 	os_memcpy(sm->rx_replay_counter, key->replay_counter,
1969 		  WPA_REPLAY_COUNTER_LEN);
1970 	sm->rx_replay_counter_set = 1;
1971 	return 0;
1972 }
1973 
1974 
1975 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
1976 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
1977 					   struct wpa_eapol_key *key,
1978 					   size_t mic_len, u16 ver,
1979 					   u8 *key_data, size_t *key_data_len)
1980 {
1981 	wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
1982 		    key_data, *key_data_len);
1983 	if (!sm->ptk_set) {
1984 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1985 			"WPA: PTK not available, cannot decrypt EAPOL-Key Key "
1986 			"Data");
1987 		return -1;
1988 	}
1989 
1990 	/* Decrypt key data here so that this operation does not need
1991 	 * to be implemented separately for each message type. */
1992 	if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
1993 #ifdef CONFIG_NO_RC4
1994 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1995 			"WPA: RC4 not supported in the build");
1996 		return -1;
1997 #else /* CONFIG_NO_RC4 */
1998 		u8 ek[32];
1999 
2000 		wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
2001 		os_memcpy(ek, key->key_iv, 16);
2002 		os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
2003 		if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
2004 			forced_memzero(ek, sizeof(ek));
2005 			wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2006 				"WPA: RC4 failed");
2007 			return -1;
2008 		}
2009 		forced_memzero(ek, sizeof(ek));
2010 #endif /* CONFIG_NO_RC4 */
2011 	} else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
2012 		   ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
2013 		   wpa_use_aes_key_wrap(sm->key_mgmt)) {
2014 		u8 *buf;
2015 
2016 		wpa_printf(MSG_DEBUG,
2017 			   "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
2018 			   (unsigned int) sm->ptk.kek_len);
2019 		if (*key_data_len < 8 || *key_data_len % 8) {
2020 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2021 				"WPA: Unsupported AES-WRAP len %u",
2022 				(unsigned int) *key_data_len);
2023 			return -1;
2024 		}
2025 		*key_data_len -= 8; /* AES-WRAP adds 8 bytes */
2026 		buf = os_malloc(*key_data_len);
2027 		if (buf == NULL) {
2028 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2029 				"WPA: No memory for AES-UNWRAP buffer");
2030 			return -1;
2031 		}
2032 #ifdef TEST_FUZZ
2033 		os_memset(buf, 0x11, *key_data_len);
2034 #endif /* TEST_FUZZ */
2035 		if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
2036 			       key_data, buf)) {
2037 #ifdef TEST_FUZZ
2038 			wpa_printf(MSG_INFO,
2039 				   "TEST: Ignore AES unwrap failure for fuzz testing");
2040 			goto continue_fuzz;
2041 #endif /* TEST_FUZZ */
2042 			bin_clear_free(buf, *key_data_len);
2043 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2044 				"WPA: AES unwrap failed - "
2045 				"could not decrypt EAPOL-Key key data");
2046 			return -1;
2047 		}
2048 #ifdef TEST_FUZZ
2049 	continue_fuzz:
2050 #endif /* TEST_FUZZ */
2051 		os_memcpy(key_data, buf, *key_data_len);
2052 		bin_clear_free(buf, *key_data_len);
2053 		WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
2054 	} else {
2055 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2056 			"WPA: Unsupported key_info type %d", ver);
2057 		return -1;
2058 	}
2059 	wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
2060 			key_data, *key_data_len);
2061 	return 0;
2062 }
2063 
2064 
2065 /**
2066  * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
2067  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2068  */
2069 void wpa_sm_aborted_cached(struct wpa_sm *sm)
2070 {
2071 	if (sm && sm->cur_pmksa) {
2072 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2073 			"RSN: Cancelling PMKSA caching attempt");
2074 		sm->cur_pmksa = NULL;
2075 	}
2076 }
2077 
2078 
2079 static void wpa_eapol_key_dump(struct wpa_sm *sm,
2080 			       const struct wpa_eapol_key *key,
2081 			       unsigned int key_data_len,
2082 			       const u8 *mic, unsigned int mic_len)
2083 {
2084 #ifndef CONFIG_NO_STDOUT_DEBUG
2085 	u16 key_info = WPA_GET_BE16(key->key_info);
2086 
2087 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "  EAPOL-Key type=%d", key->type);
2088 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2089 		"  key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
2090 		key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
2091 		(key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
2092 		WPA_KEY_INFO_KEY_INDEX_SHIFT,
2093 		(key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
2094 		key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
2095 		key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
2096 		key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
2097 		key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
2098 		key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
2099 		key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
2100 		key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
2101 		key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
2102 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2103 		"  key_length=%u key_data_length=%u",
2104 		WPA_GET_BE16(key->key_length), key_data_len);
2105 	wpa_hexdump(MSG_DEBUG, "  replay_counter",
2106 		    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
2107 	wpa_hexdump(MSG_DEBUG, "  key_nonce", key->key_nonce, WPA_NONCE_LEN);
2108 	wpa_hexdump(MSG_DEBUG, "  key_iv", key->key_iv, 16);
2109 	wpa_hexdump(MSG_DEBUG, "  key_rsc", key->key_rsc, 8);
2110 	wpa_hexdump(MSG_DEBUG, "  key_id (reserved)", key->key_id, 8);
2111 	wpa_hexdump(MSG_DEBUG, "  key_mic", mic, mic_len);
2112 #endif /* CONFIG_NO_STDOUT_DEBUG */
2113 }
2114 
2115 
2116 #ifdef CONFIG_FILS
2117 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
2118 				 size_t *key_data_len)
2119 {
2120 	struct wpa_ptk *ptk;
2121 	struct ieee802_1x_hdr *hdr;
2122 	struct wpa_eapol_key *key;
2123 	u8 *pos, *tmp;
2124 	const u8 *aad[1];
2125 	size_t aad_len[1];
2126 
2127 	if (*key_data_len < AES_BLOCK_SIZE) {
2128 		wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
2129 		return -1;
2130 	}
2131 
2132 	if (sm->tptk_set)
2133 		ptk = &sm->tptk;
2134 	else if (sm->ptk_set)
2135 		ptk = &sm->ptk;
2136 	else
2137 		return -1;
2138 
2139 	hdr = (struct ieee802_1x_hdr *) buf;
2140 	key = (struct wpa_eapol_key *) (hdr + 1);
2141 	pos = (u8 *) (key + 1);
2142 	pos += 2; /* Pointing at the Encrypted Key Data field */
2143 
2144 	tmp = os_malloc(*key_data_len);
2145 	if (!tmp)
2146 		return -1;
2147 
2148 	/* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2149 	 * to Key Data (exclusive). */
2150 	aad[0] = buf;
2151 	aad_len[0] = pos - buf;
2152 	if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
2153 			    1, aad, aad_len, tmp) < 0) {
2154 		wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
2155 		bin_clear_free(tmp, *key_data_len);
2156 		return -1;
2157 	}
2158 
2159 	/* AEAD decryption and validation completed successfully */
2160 	(*key_data_len) -= AES_BLOCK_SIZE;
2161 	wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2162 			tmp, *key_data_len);
2163 
2164 	/* Replace Key Data field with the decrypted version */
2165 	os_memcpy(pos, tmp, *key_data_len);
2166 	pos -= 2; /* Key Data Length field */
2167 	WPA_PUT_BE16(pos, *key_data_len);
2168 	bin_clear_free(tmp, *key_data_len);
2169 
2170 	if (sm->tptk_set) {
2171 		sm->tptk_set = 0;
2172 		sm->ptk_set = 1;
2173 		os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
2174 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
2175 	}
2176 
2177 	os_memcpy(sm->rx_replay_counter, key->replay_counter,
2178 		  WPA_REPLAY_COUNTER_LEN);
2179 	sm->rx_replay_counter_set = 1;
2180 
2181 	return 0;
2182 }
2183 #endif /* CONFIG_FILS */
2184 
2185 
2186 /**
2187  * wpa_sm_rx_eapol - Process received WPA EAPOL frames
2188  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2189  * @src_addr: Source MAC address of the EAPOL packet
2190  * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
2191  * @len: Length of the EAPOL frame
2192  * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
2193  *
2194  * This function is called for each received EAPOL frame. Other than EAPOL-Key
2195  * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
2196  * only processing WPA and WPA2 EAPOL-Key frames.
2197  *
2198  * The received EAPOL-Key packets are validated and valid packets are replied
2199  * to. In addition, key material (PTK, GTK) is configured at the end of a
2200  * successful key handshake.
2201  */
2202 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
2203 		    const u8 *buf, size_t len)
2204 {
2205 	size_t plen, data_len, key_data_len;
2206 	const struct ieee802_1x_hdr *hdr;
2207 	struct wpa_eapol_key *key;
2208 	u16 key_info, ver;
2209 	u8 *tmp = NULL;
2210 	int ret = -1;
2211 	u8 *mic, *key_data;
2212 	size_t mic_len, keyhdrlen;
2213 
2214 #ifdef CONFIG_IEEE80211R
2215 	sm->ft_completed = 0;
2216 #endif /* CONFIG_IEEE80211R */
2217 
2218 	mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2219 	keyhdrlen = sizeof(*key) + mic_len + 2;
2220 
2221 	if (len < sizeof(*hdr) + keyhdrlen) {
2222 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2223 			"WPA: EAPOL frame too short to be a WPA "
2224 			"EAPOL-Key (len %lu, expecting at least %lu)",
2225 			(unsigned long) len,
2226 			(unsigned long) sizeof(*hdr) + keyhdrlen);
2227 		return 0;
2228 	}
2229 
2230 	hdr = (const struct ieee802_1x_hdr *) buf;
2231 	plen = be_to_host16(hdr->length);
2232 	data_len = plen + sizeof(*hdr);
2233 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2234 		"IEEE 802.1X RX: version=%d type=%d length=%lu",
2235 		hdr->version, hdr->type, (unsigned long) plen);
2236 
2237 	if (hdr->version < EAPOL_VERSION) {
2238 		/* TODO: backwards compatibility */
2239 	}
2240 	if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
2241 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2242 			"WPA: EAPOL frame (type %u) discarded, "
2243 			"not a Key frame", hdr->type);
2244 		ret = 0;
2245 		goto out;
2246 	}
2247 	wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
2248 	if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
2249 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2250 			"WPA: EAPOL frame payload size %lu "
2251 			"invalid (frame size %lu)",
2252 			(unsigned long) plen, (unsigned long) len);
2253 		ret = 0;
2254 		goto out;
2255 	}
2256 	if (data_len < len) {
2257 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2258 			"WPA: ignoring %lu bytes after the IEEE 802.1X data",
2259 			(unsigned long) len - data_len);
2260 	}
2261 
2262 	/*
2263 	 * Make a copy of the frame since we need to modify the buffer during
2264 	 * MAC validation and Key Data decryption.
2265 	 */
2266 	tmp = os_memdup(buf, data_len);
2267 	if (tmp == NULL)
2268 		goto out;
2269 	key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
2270 	mic = (u8 *) (key + 1);
2271 	key_data = mic + mic_len + 2;
2272 
2273 	if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
2274 	{
2275 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2276 			"WPA: EAPOL-Key type (%d) unknown, discarded",
2277 			key->type);
2278 		ret = 0;
2279 		goto out;
2280 	}
2281 
2282 	key_data_len = WPA_GET_BE16(mic + mic_len);
2283 	wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
2284 
2285 	if (key_data_len > plen - keyhdrlen) {
2286 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
2287 			"frame - key_data overflow (%u > %u)",
2288 			(unsigned int) key_data_len,
2289 			(unsigned int) (plen - keyhdrlen));
2290 		goto out;
2291 	}
2292 
2293 	eapol_sm_notify_lower_layer_success(sm->eapol, 0);
2294 	key_info = WPA_GET_BE16(key->key_info);
2295 	ver = key_info & WPA_KEY_INFO_TYPE_MASK;
2296 	if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
2297 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
2298 	    ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2299 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
2300 	    ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
2301 	    !wpa_use_akm_defined(sm->key_mgmt)) {
2302 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2303 			"WPA: Unsupported EAPOL-Key descriptor version %d",
2304 			ver);
2305 		goto out;
2306 	}
2307 
2308 	if (wpa_use_akm_defined(sm->key_mgmt) &&
2309 	    ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
2310 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2311 			"RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
2312 			ver);
2313 		goto out;
2314 	}
2315 
2316 #ifdef CONFIG_IEEE80211R
2317 	if (wpa_key_mgmt_ft(sm->key_mgmt)) {
2318 		/* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
2319 		if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2320 		    !wpa_use_akm_defined(sm->key_mgmt)) {
2321 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2322 				"FT: AP did not use AES-128-CMAC");
2323 			goto out;
2324 		}
2325 	} else
2326 #endif /* CONFIG_IEEE80211R */
2327 #ifdef CONFIG_IEEE80211W
2328 	if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
2329 		if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2330 		    !wpa_use_akm_defined(sm->key_mgmt)) {
2331 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2332 				"WPA: AP did not use the "
2333 				"negotiated AES-128-CMAC");
2334 			goto out;
2335 		}
2336 	} else
2337 #endif /* CONFIG_IEEE80211W */
2338 	if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
2339 	    !wpa_use_akm_defined(sm->key_mgmt) &&
2340 	    ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2341 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2342 			"WPA: CCMP is used, but EAPOL-Key "
2343 			"descriptor version (%d) is not 2", ver);
2344 		if (sm->group_cipher != WPA_CIPHER_CCMP &&
2345 		    !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
2346 			/* Earlier versions of IEEE 802.11i did not explicitly
2347 			 * require version 2 descriptor for all EAPOL-Key
2348 			 * packets, so allow group keys to use version 1 if
2349 			 * CCMP is not used for them. */
2350 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2351 				"WPA: Backwards compatibility: allow invalid "
2352 				"version for non-CCMP group keys");
2353 		} else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
2354 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2355 				"WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
2356 		} else
2357 			goto out;
2358 	} else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
2359 		   !wpa_use_akm_defined(sm->key_mgmt) &&
2360 		   ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2361 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2362 			"WPA: GCMP is used, but EAPOL-Key "
2363 			"descriptor version (%d) is not 2", ver);
2364 		goto out;
2365 	}
2366 
2367 	if (sm->rx_replay_counter_set &&
2368 	    os_memcmp(key->replay_counter, sm->rx_replay_counter,
2369 		      WPA_REPLAY_COUNTER_LEN) <= 0) {
2370 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2371 			"WPA: EAPOL-Key Replay Counter did not increase - "
2372 			"dropping packet");
2373 		goto out;
2374 	}
2375 
2376 	if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
2377 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2378 			"WPA: Unsupported SMK bit in key_info");
2379 		goto out;
2380 	}
2381 
2382 	if (!(key_info & WPA_KEY_INFO_ACK)) {
2383 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2384 			"WPA: No Ack bit in key_info");
2385 		goto out;
2386 	}
2387 
2388 	if (key_info & WPA_KEY_INFO_REQUEST) {
2389 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2390 			"WPA: EAPOL-Key with Request bit - dropped");
2391 		goto out;
2392 	}
2393 
2394 	if ((key_info & WPA_KEY_INFO_MIC) &&
2395 	    wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
2396 		goto out;
2397 
2398 #ifdef CONFIG_FILS
2399 	if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2400 		if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
2401 			goto out;
2402 	}
2403 #endif /* CONFIG_FILS */
2404 
2405 	if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
2406 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
2407 		/*
2408 		 * Only decrypt the Key Data field if the frame's authenticity
2409 		 * was verified. When using AES-SIV (FILS), the MIC flag is not
2410 		 * set, so this check should only be performed if mic_len != 0
2411 		 * which is the case in this code branch.
2412 		 */
2413 		if (!(key_info & WPA_KEY_INFO_MIC)) {
2414 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2415 				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
2416 			goto out;
2417 		}
2418 		if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
2419 						    ver, key_data,
2420 						    &key_data_len))
2421 			goto out;
2422 	}
2423 
2424 	if (key_info & WPA_KEY_INFO_KEY_TYPE) {
2425 		if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
2426 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2427 				"WPA: Ignored EAPOL-Key (Pairwise) with "
2428 				"non-zero key index");
2429 			goto out;
2430 		}
2431 		if (key_info & (WPA_KEY_INFO_MIC |
2432 				WPA_KEY_INFO_ENCR_KEY_DATA)) {
2433 			/* 3/4 4-Way Handshake */
2434 			wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
2435 						      key_data_len);
2436 		} else {
2437 			/* 1/4 4-Way Handshake */
2438 			wpa_supplicant_process_1_of_4(sm, src_addr, key,
2439 						      ver, key_data,
2440 						      key_data_len);
2441 		}
2442 	} else {
2443 		if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
2444 		    (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
2445 			/* 1/2 Group Key Handshake */
2446 			wpa_supplicant_process_1_of_2(sm, src_addr, key,
2447 						      key_data, key_data_len,
2448 						      ver);
2449 		} else {
2450 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2451 				"WPA: EAPOL-Key (Group) without Mic/Encr bit - "
2452 				"dropped");
2453 		}
2454 	}
2455 
2456 	ret = 1;
2457 
2458 out:
2459 	bin_clear_free(tmp, data_len);
2460 	return ret;
2461 }
2462 
2463 
2464 #ifdef CONFIG_CTRL_IFACE
2465 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
2466 {
2467 	switch (sm->key_mgmt) {
2468 	case WPA_KEY_MGMT_IEEE8021X:
2469 		return ((sm->proto == WPA_PROTO_RSN ||
2470 			 sm->proto == WPA_PROTO_OSEN) ?
2471 			RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
2472 			WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
2473 	case WPA_KEY_MGMT_PSK:
2474 		return (sm->proto == WPA_PROTO_RSN ?
2475 			RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
2476 			WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
2477 #ifdef CONFIG_IEEE80211R
2478 	case WPA_KEY_MGMT_FT_IEEE8021X:
2479 		return RSN_AUTH_KEY_MGMT_FT_802_1X;
2480 	case WPA_KEY_MGMT_FT_PSK:
2481 		return RSN_AUTH_KEY_MGMT_FT_PSK;
2482 #endif /* CONFIG_IEEE80211R */
2483 #ifdef CONFIG_IEEE80211W
2484 	case WPA_KEY_MGMT_IEEE8021X_SHA256:
2485 		return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2486 	case WPA_KEY_MGMT_PSK_SHA256:
2487 		return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2488 #endif /* CONFIG_IEEE80211W */
2489 	case WPA_KEY_MGMT_CCKM:
2490 		return (sm->proto == WPA_PROTO_RSN ?
2491 			RSN_AUTH_KEY_MGMT_CCKM:
2492 			WPA_AUTH_KEY_MGMT_CCKM);
2493 	case WPA_KEY_MGMT_WPA_NONE:
2494 		return WPA_AUTH_KEY_MGMT_NONE;
2495 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2496 		return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
2497 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2498 		return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
2499 	default:
2500 		return 0;
2501 	}
2502 }
2503 
2504 
2505 #define RSN_SUITE "%02x-%02x-%02x-%d"
2506 #define RSN_SUITE_ARG(s) \
2507 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2508 
2509 /**
2510  * wpa_sm_get_mib - Dump text list of MIB entries
2511  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2512  * @buf: Buffer for the list
2513  * @buflen: Length of the buffer
2514  * Returns: Number of bytes written to buffer
2515  *
2516  * This function is used fetch dot11 MIB variables.
2517  */
2518 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
2519 {
2520 	char pmkid_txt[PMKID_LEN * 2 + 1];
2521 	int rsna, ret;
2522 	size_t len;
2523 
2524 	if (sm->cur_pmksa) {
2525 		wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2526 				 sm->cur_pmksa->pmkid, PMKID_LEN);
2527 	} else
2528 		pmkid_txt[0] = '\0';
2529 
2530 	if ((wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
2531 	     wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
2532 	    sm->proto == WPA_PROTO_RSN)
2533 		rsna = 1;
2534 	else
2535 		rsna = 0;
2536 
2537 	ret = os_snprintf(buf, buflen,
2538 			  "dot11RSNAOptionImplemented=TRUE\n"
2539 			  "dot11RSNAPreauthenticationImplemented=TRUE\n"
2540 			  "dot11RSNAEnabled=%s\n"
2541 			  "dot11RSNAPreauthenticationEnabled=%s\n"
2542 			  "dot11RSNAConfigVersion=%d\n"
2543 			  "dot11RSNAConfigPairwiseKeysSupported=5\n"
2544 			  "dot11RSNAConfigGroupCipherSize=%d\n"
2545 			  "dot11RSNAConfigPMKLifetime=%d\n"
2546 			  "dot11RSNAConfigPMKReauthThreshold=%d\n"
2547 			  "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
2548 			  "dot11RSNAConfigSATimeout=%d\n",
2549 			  rsna ? "TRUE" : "FALSE",
2550 			  rsna ? "TRUE" : "FALSE",
2551 			  RSN_VERSION,
2552 			  wpa_cipher_key_len(sm->group_cipher) * 8,
2553 			  sm->dot11RSNAConfigPMKLifetime,
2554 			  sm->dot11RSNAConfigPMKReauthThreshold,
2555 			  sm->dot11RSNAConfigSATimeout);
2556 	if (os_snprintf_error(buflen, ret))
2557 		return 0;
2558 	len = ret;
2559 
2560 	ret = os_snprintf(
2561 		buf + len, buflen - len,
2562 		"dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2563 		"dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2564 		"dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2565 		"dot11RSNAPMKIDUsed=%s\n"
2566 		"dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2567 		"dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2568 		"dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2569 		"dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
2570 		"dot11RSNA4WayHandshakeFailures=%u\n",
2571 		RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
2572 		RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2573 						  sm->pairwise_cipher)),
2574 		RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2575 						  sm->group_cipher)),
2576 		pmkid_txt,
2577 		RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
2578 		RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2579 						  sm->pairwise_cipher)),
2580 		RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2581 						  sm->group_cipher)),
2582 		sm->dot11RSNA4WayHandshakeFailures);
2583 	if (!os_snprintf_error(buflen - len, ret))
2584 		len += ret;
2585 
2586 	return (int) len;
2587 }
2588 #endif /* CONFIG_CTRL_IFACE */
2589 
2590 
2591 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
2592 				 void *ctx, enum pmksa_free_reason reason)
2593 {
2594 	struct wpa_sm *sm = ctx;
2595 	int deauth = 0;
2596 
2597 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
2598 		MACSTR " reason=%d", MAC2STR(entry->aa), reason);
2599 
2600 	if (sm->cur_pmksa == entry) {
2601 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2602 			"RSN: %s current PMKSA entry",
2603 			reason == PMKSA_REPLACE ? "replaced" : "removed");
2604 		pmksa_cache_clear_current(sm);
2605 
2606 		/*
2607 		 * If an entry is simply being replaced, there's no need to
2608 		 * deauthenticate because it will be immediately re-added.
2609 		 * This happens when EAP authentication is completed again
2610 		 * (reauth or failed PMKSA caching attempt).
2611 		 */
2612 		if (reason != PMKSA_REPLACE)
2613 			deauth = 1;
2614 	}
2615 
2616 	if (reason == PMKSA_EXPIRE &&
2617 	    (sm->pmk_len == entry->pmk_len &&
2618 	     os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
2619 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2620 			"RSN: deauthenticating due to expired PMK");
2621 		pmksa_cache_clear_current(sm);
2622 		deauth = 1;
2623 	}
2624 
2625 	if (deauth) {
2626 		sm->pmk_len = 0;
2627 		os_memset(sm->pmk, 0, sizeof(sm->pmk));
2628 		wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2629 	}
2630 }
2631 
2632 
2633 /**
2634  * wpa_sm_init - Initialize WPA state machine
2635  * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
2636  * Returns: Pointer to the allocated WPA state machine data
2637  *
2638  * This function is used to allocate a new WPA state machine and the returned
2639  * value is passed to all WPA state machine calls.
2640  */
2641 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
2642 {
2643 	struct wpa_sm *sm;
2644 
2645 	sm = os_zalloc(sizeof(*sm));
2646 	if (sm == NULL)
2647 		return NULL;
2648 	dl_list_init(&sm->pmksa_candidates);
2649 	sm->renew_snonce = 1;
2650 	sm->ctx = ctx;
2651 
2652 	sm->dot11RSNAConfigPMKLifetime = 43200;
2653 	sm->dot11RSNAConfigPMKReauthThreshold = 70;
2654 	sm->dot11RSNAConfigSATimeout = 60;
2655 
2656 	sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, sm, sm);
2657 	if (sm->pmksa == NULL) {
2658 		wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2659 			"RSN: PMKSA cache initialization failed");
2660 		os_free(sm);
2661 		return NULL;
2662 	}
2663 
2664 	return sm;
2665 }
2666 
2667 
2668 /**
2669  * wpa_sm_deinit - Deinitialize WPA state machine
2670  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2671  */
2672 void wpa_sm_deinit(struct wpa_sm *sm)
2673 {
2674 	if (sm == NULL)
2675 		return;
2676 	pmksa_cache_deinit(sm->pmksa);
2677 	eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
2678 	eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
2679 	os_free(sm->assoc_wpa_ie);
2680 	os_free(sm->ap_wpa_ie);
2681 	os_free(sm->ap_rsn_ie);
2682 	wpa_sm_drop_sa(sm);
2683 	os_free(sm->ctx);
2684 #ifdef CONFIG_IEEE80211R
2685 	os_free(sm->assoc_resp_ies);
2686 #endif /* CONFIG_IEEE80211R */
2687 #ifdef CONFIG_TESTING_OPTIONS
2688 	wpabuf_free(sm->test_assoc_ie);
2689 #endif /* CONFIG_TESTING_OPTIONS */
2690 #ifdef CONFIG_FILS_SK_PFS
2691 	crypto_ecdh_deinit(sm->fils_ecdh);
2692 #endif /* CONFIG_FILS_SK_PFS */
2693 #ifdef CONFIG_FILS
2694 	wpabuf_free(sm->fils_ft_ies);
2695 #endif /* CONFIG_FILS */
2696 #ifdef CONFIG_OWE
2697 	crypto_ecdh_deinit(sm->owe_ecdh);
2698 #endif /* CONFIG_OWE */
2699 #ifdef CONFIG_DPP2
2700 	wpabuf_clear_free(sm->dpp_z);
2701 #endif /* CONFIG_DPP2 */
2702 	os_free(sm);
2703 }
2704 
2705 
2706 /**
2707  * wpa_sm_notify_assoc - Notify WPA state machine about association
2708  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2709  * @bssid: The BSSID of the new association
2710  *
2711  * This function is called to let WPA state machine know that the connection
2712  * was established.
2713  */
2714 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
2715 {
2716 	int clear_keys = 1;
2717 
2718 	if (sm == NULL)
2719 		return;
2720 
2721 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2722 		"WPA: Association event - clear replay counter");
2723 	os_memcpy(sm->bssid, bssid, ETH_ALEN);
2724 	os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
2725 	sm->rx_replay_counter_set = 0;
2726 	sm->renew_snonce = 1;
2727 	if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
2728 		rsn_preauth_deinit(sm);
2729 
2730 #ifdef CONFIG_IEEE80211R
2731 	if (wpa_ft_is_completed(sm)) {
2732 		/*
2733 		 * Clear portValid to kick EAPOL state machine to re-enter
2734 		 * AUTHENTICATED state to get the EAPOL port Authorized.
2735 		 */
2736 		eapol_sm_notify_portValid(sm->eapol, FALSE);
2737 		wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2738 
2739 		/* Prepare for the next transition */
2740 		wpa_ft_prepare_auth_request(sm, NULL);
2741 
2742 		clear_keys = 0;
2743 		sm->ft_protocol = 1;
2744 	} else {
2745 		sm->ft_protocol = 0;
2746 	}
2747 #endif /* CONFIG_IEEE80211R */
2748 #ifdef CONFIG_FILS
2749 	if (sm->fils_completed) {
2750 		/*
2751 		 * Clear portValid to kick EAPOL state machine to re-enter
2752 		 * AUTHENTICATED state to get the EAPOL port Authorized.
2753 		 */
2754 		wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2755 		clear_keys = 0;
2756 	}
2757 #endif /* CONFIG_FILS */
2758 
2759 	if (clear_keys) {
2760 		/*
2761 		 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
2762 		 * this is not part of a Fast BSS Transition.
2763 		 */
2764 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
2765 		sm->ptk_set = 0;
2766 		os_memset(&sm->ptk, 0, sizeof(sm->ptk));
2767 		sm->tptk_set = 0;
2768 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
2769 		os_memset(&sm->gtk, 0, sizeof(sm->gtk));
2770 		os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
2771 #ifdef CONFIG_IEEE80211W
2772 		os_memset(&sm->igtk, 0, sizeof(sm->igtk));
2773 		os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
2774 #endif /* CONFIG_IEEE80211W */
2775 	}
2776 
2777 #ifdef CONFIG_TDLS
2778 	wpa_tdls_assoc(sm);
2779 #endif /* CONFIG_TDLS */
2780 
2781 #ifdef CONFIG_P2P
2782 	os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
2783 #endif /* CONFIG_P2P */
2784 }
2785 
2786 
2787 /**
2788  * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
2789  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2790  *
2791  * This function is called to let WPA state machine know that the connection
2792  * was lost. This will abort any existing pre-authentication session.
2793  */
2794 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
2795 {
2796 	eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
2797 	eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
2798 	rsn_preauth_deinit(sm);
2799 	pmksa_cache_clear_current(sm);
2800 	if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
2801 		sm->dot11RSNA4WayHandshakeFailures++;
2802 #ifdef CONFIG_TDLS
2803 	wpa_tdls_disassoc(sm);
2804 #endif /* CONFIG_TDLS */
2805 #ifdef CONFIG_FILS
2806 	sm->fils_completed = 0;
2807 #endif /* CONFIG_FILS */
2808 #ifdef CONFIG_IEEE80211R
2809 	sm->ft_reassoc_completed = 0;
2810 	sm->ft_protocol = 0;
2811 #endif /* CONFIG_IEEE80211R */
2812 
2813 	/* Keys are not needed in the WPA state machine anymore */
2814 	wpa_sm_drop_sa(sm);
2815 
2816 	sm->msg_3_of_4_ok = 0;
2817 	os_memset(sm->bssid, 0, ETH_ALEN);
2818 }
2819 
2820 
2821 /**
2822  * wpa_sm_set_pmk - Set PMK
2823  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2824  * @pmk: The new PMK
2825  * @pmk_len: The length of the new PMK in bytes
2826  * @pmkid: Calculated PMKID
2827  * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
2828  *
2829  * Configure the PMK for WPA state machine.
2830  */
2831 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
2832 		    const u8 *pmkid, const u8 *bssid)
2833 {
2834 	if (sm == NULL)
2835 		return;
2836 
2837 	wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data",
2838 			pmk, pmk_len);
2839 	sm->pmk_len = pmk_len;
2840 	os_memcpy(sm->pmk, pmk, pmk_len);
2841 
2842 #ifdef CONFIG_IEEE80211R
2843 	/* Set XXKey to be PSK for FT key derivation */
2844 	sm->xxkey_len = pmk_len;
2845 	os_memcpy(sm->xxkey, pmk, pmk_len);
2846 #endif /* CONFIG_IEEE80211R */
2847 
2848 	if (bssid) {
2849 		pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
2850 				bssid, sm->own_addr,
2851 				sm->network_ctx, sm->key_mgmt, NULL);
2852 	}
2853 }
2854 
2855 
2856 /**
2857  * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
2858  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2859  *
2860  * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
2861  * will be cleared.
2862  */
2863 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
2864 {
2865 	if (sm == NULL)
2866 		return;
2867 
2868 	if (sm->cur_pmksa) {
2869 		wpa_hexdump_key(MSG_DEBUG,
2870 				"WPA: Set PMK based on current PMKSA",
2871 				sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len);
2872 		sm->pmk_len = sm->cur_pmksa->pmk_len;
2873 		os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
2874 	} else {
2875 		wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK");
2876 		sm->pmk_len = 0;
2877 		os_memset(sm->pmk, 0, PMK_LEN_MAX);
2878 	}
2879 }
2880 
2881 
2882 /**
2883  * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
2884  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2885  * @fast_reauth: Whether fast reauthentication (EAP) is allowed
2886  */
2887 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
2888 {
2889 	if (sm)
2890 		sm->fast_reauth = fast_reauth;
2891 }
2892 
2893 
2894 /**
2895  * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
2896  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2897  * @scard_ctx: Context pointer for smartcard related callback functions
2898  */
2899 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
2900 {
2901 	if (sm == NULL)
2902 		return;
2903 	sm->scard_ctx = scard_ctx;
2904 	if (sm->preauth_eapol)
2905 		eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
2906 }
2907 
2908 
2909 /**
2910  * wpa_sm_set_config - Notification of current configration change
2911  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2912  * @config: Pointer to current network configuration
2913  *
2914  * Notify WPA state machine that configuration has changed. config will be
2915  * stored as a backpointer to network configuration. This can be %NULL to clear
2916  * the stored pointed.
2917  */
2918 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
2919 {
2920 	if (!sm)
2921 		return;
2922 
2923 	if (config) {
2924 		sm->network_ctx = config->network_ctx;
2925 		sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
2926 		sm->proactive_key_caching = config->proactive_key_caching;
2927 		sm->eap_workaround = config->eap_workaround;
2928 		sm->eap_conf_ctx = config->eap_conf_ctx;
2929 		if (config->ssid) {
2930 			os_memcpy(sm->ssid, config->ssid, config->ssid_len);
2931 			sm->ssid_len = config->ssid_len;
2932 		} else
2933 			sm->ssid_len = 0;
2934 		sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
2935 		sm->p2p = config->p2p;
2936 		sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
2937 #ifdef CONFIG_FILS
2938 		if (config->fils_cache_id) {
2939 			sm->fils_cache_id_set = 1;
2940 			os_memcpy(sm->fils_cache_id, config->fils_cache_id,
2941 				  FILS_CACHE_ID_LEN);
2942 		} else {
2943 			sm->fils_cache_id_set = 0;
2944 		}
2945 #endif /* CONFIG_FILS */
2946 	} else {
2947 		sm->network_ctx = NULL;
2948 		sm->allowed_pairwise_cipher = 0;
2949 		sm->proactive_key_caching = 0;
2950 		sm->eap_workaround = 0;
2951 		sm->eap_conf_ctx = NULL;
2952 		sm->ssid_len = 0;
2953 		sm->wpa_ptk_rekey = 0;
2954 		sm->p2p = 0;
2955 		sm->wpa_rsc_relaxation = 0;
2956 	}
2957 }
2958 
2959 
2960 /**
2961  * wpa_sm_set_own_addr - Set own MAC address
2962  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2963  * @addr: Own MAC address
2964  */
2965 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
2966 {
2967 	if (sm)
2968 		os_memcpy(sm->own_addr, addr, ETH_ALEN);
2969 }
2970 
2971 
2972 /**
2973  * wpa_sm_set_ifname - Set network interface name
2974  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2975  * @ifname: Interface name
2976  * @bridge_ifname: Optional bridge interface name (for pre-auth)
2977  */
2978 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
2979 		       const char *bridge_ifname)
2980 {
2981 	if (sm) {
2982 		sm->ifname = ifname;
2983 		sm->bridge_ifname = bridge_ifname;
2984 	}
2985 }
2986 
2987 
2988 /**
2989  * wpa_sm_set_eapol - Set EAPOL state machine pointer
2990  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2991  * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
2992  */
2993 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
2994 {
2995 	if (sm)
2996 		sm->eapol = eapol;
2997 }
2998 
2999 
3000 /**
3001  * wpa_sm_set_param - Set WPA state machine parameters
3002  * @sm: Pointer to WPA state machine data from wpa_sm_init()
3003  * @param: Parameter field
3004  * @value: Parameter value
3005  * Returns: 0 on success, -1 on failure
3006  */
3007 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
3008 		     unsigned int value)
3009 {
3010 	int ret = 0;
3011 
3012 	if (sm == NULL)
3013 		return -1;
3014 
3015 	switch (param) {
3016 	case RSNA_PMK_LIFETIME:
3017 		if (value > 0)
3018 			sm->dot11RSNAConfigPMKLifetime = value;
3019 		else
3020 			ret = -1;
3021 		break;
3022 	case RSNA_PMK_REAUTH_THRESHOLD:
3023 		if (value > 0 && value <= 100)
3024 			sm->dot11RSNAConfigPMKReauthThreshold = value;
3025 		else
3026 			ret = -1;
3027 		break;
3028 	case RSNA_SA_TIMEOUT:
3029 		if (value > 0)
3030 			sm->dot11RSNAConfigSATimeout = value;
3031 		else
3032 			ret = -1;
3033 		break;
3034 	case WPA_PARAM_PROTO:
3035 		sm->proto = value;
3036 		break;
3037 	case WPA_PARAM_PAIRWISE:
3038 		sm->pairwise_cipher = value;
3039 		break;
3040 	case WPA_PARAM_GROUP:
3041 		sm->group_cipher = value;
3042 		break;
3043 	case WPA_PARAM_KEY_MGMT:
3044 		sm->key_mgmt = value;
3045 		break;
3046 #ifdef CONFIG_IEEE80211W
3047 	case WPA_PARAM_MGMT_GROUP:
3048 		sm->mgmt_group_cipher = value;
3049 		break;
3050 #endif /* CONFIG_IEEE80211W */
3051 	case WPA_PARAM_RSN_ENABLED:
3052 		sm->rsn_enabled = value;
3053 		break;
3054 	case WPA_PARAM_MFP:
3055 		sm->mfp = value;
3056 		break;
3057 	case WPA_PARAM_OCV:
3058 		sm->ocv = value;
3059 		break;
3060 	default:
3061 		break;
3062 	}
3063 
3064 	return ret;
3065 }
3066 
3067 
3068 /**
3069  * wpa_sm_get_status - Get WPA state machine
3070  * @sm: Pointer to WPA state machine data from wpa_sm_init()
3071  * @buf: Buffer for status information
3072  * @buflen: Maximum buffer length
3073  * @verbose: Whether to include verbose status information
3074  * Returns: Number of bytes written to buf.
3075  *
3076  * Query WPA state machine for status information. This function fills in
3077  * a text area with current status information. If the buffer (buf) is not
3078  * large enough, status information will be truncated to fit the buffer.
3079  */
3080 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
3081 		      int verbose)
3082 {
3083 	char *pos = buf, *end = buf + buflen;
3084 	int ret;
3085 
3086 	ret = os_snprintf(pos, end - pos,
3087 			  "pairwise_cipher=%s\n"
3088 			  "group_cipher=%s\n"
3089 			  "key_mgmt=%s\n",
3090 			  wpa_cipher_txt(sm->pairwise_cipher),
3091 			  wpa_cipher_txt(sm->group_cipher),
3092 			  wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
3093 	if (os_snprintf_error(end - pos, ret))
3094 		return pos - buf;
3095 	pos += ret;
3096 
3097 	if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
3098 		struct wpa_ie_data rsn;
3099 		if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
3100 		    >= 0 &&
3101 		    rsn.capabilities & (WPA_CAPABILITY_MFPR |
3102 					WPA_CAPABILITY_MFPC)) {
3103 			ret = os_snprintf(pos, end - pos, "pmf=%d\n"
3104 					  "mgmt_group_cipher=%s\n",
3105 					  (rsn.capabilities &
3106 					   WPA_CAPABILITY_MFPR) ? 2 : 1,
3107 					  wpa_cipher_txt(
3108 						  sm->mgmt_group_cipher));
3109 			if (os_snprintf_error(end - pos, ret))
3110 				return pos - buf;
3111 			pos += ret;
3112 		}
3113 	}
3114 
3115 	return pos - buf;
3116 }
3117 
3118 
3119 int wpa_sm_pmf_enabled(struct wpa_sm *sm)
3120 {
3121 	struct wpa_ie_data rsn;
3122 
3123 	if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
3124 		return 0;
3125 
3126 	if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
3127 	    rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
3128 		return 1;
3129 
3130 	return 0;
3131 }
3132 
3133 
3134 int wpa_sm_ocv_enabled(struct wpa_sm *sm)
3135 {
3136 	struct wpa_ie_data rsn;
3137 
3138 	if (!sm->ocv || !sm->ap_rsn_ie)
3139 		return 0;
3140 
3141 	return wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len,
3142 				    &rsn) >= 0 &&
3143 		(rsn.capabilities & WPA_CAPABILITY_OCVC);
3144 }
3145 
3146 
3147 /**
3148  * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
3149  * @sm: Pointer to WPA state machine data from wpa_sm_init()
3150  * @wpa_ie: Pointer to buffer for WPA/RSN IE
3151  * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
3152  * Returns: 0 on success, -1 on failure
3153  */
3154 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
3155 				    size_t *wpa_ie_len)
3156 {
3157 	int res;
3158 
3159 	if (sm == NULL)
3160 		return -1;
3161 
3162 #ifdef CONFIG_TESTING_OPTIONS
3163 	if (sm->test_assoc_ie) {
3164 		wpa_printf(MSG_DEBUG,
3165 			   "TESTING: Replace association WPA/RSN IE");
3166 		if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
3167 			return -1;
3168 		os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
3169 			  wpabuf_len(sm->test_assoc_ie));
3170 		res = wpabuf_len(sm->test_assoc_ie);
3171 	} else
3172 #endif /* CONFIG_TESTING_OPTIONS */
3173 	res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
3174 	if (res < 0)
3175 		return -1;
3176 	*wpa_ie_len = res;
3177 
3178 	wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
3179 		    wpa_ie, *wpa_ie_len);
3180 
3181 	if (sm->assoc_wpa_ie == NULL) {
3182 		/*
3183 		 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
3184 		 * the correct version of the IE even if PMKSA caching is
3185 		 * aborted (which would remove PMKID from IE generation).
3186 		 */
3187 		sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
3188 		if (sm->assoc_wpa_ie == NULL)
3189 			return -1;
3190 
3191 		sm->assoc_wpa_ie_len = *wpa_ie_len;
3192 	} else {
3193 		wpa_hexdump(MSG_DEBUG,
3194 			    "WPA: Leave previously set WPA IE default",
3195 			    sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3196 	}
3197 
3198 	return 0;
3199 }
3200 
3201 
3202 /**
3203  * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
3204  * @sm: Pointer to WPA state machine data from wpa_sm_init()
3205  * @ie: Pointer to IE data (starting from id)
3206  * @len: IE length
3207  * Returns: 0 on success, -1 on failure
3208  *
3209  * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
3210  * Request frame. The IE will be used to override the default value generated
3211  * with wpa_sm_set_assoc_wpa_ie_default().
3212  */
3213 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3214 {
3215 	if (sm == NULL)
3216 		return -1;
3217 
3218 	os_free(sm->assoc_wpa_ie);
3219 	if (ie == NULL || len == 0) {
3220 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3221 			"WPA: clearing own WPA/RSN IE");
3222 		sm->assoc_wpa_ie = NULL;
3223 		sm->assoc_wpa_ie_len = 0;
3224 	} else {
3225 		wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
3226 		sm->assoc_wpa_ie = os_memdup(ie, len);
3227 		if (sm->assoc_wpa_ie == NULL)
3228 			return -1;
3229 
3230 		sm->assoc_wpa_ie_len = len;
3231 	}
3232 
3233 	return 0;
3234 }
3235 
3236 
3237 /**
3238  * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
3239  * @sm: Pointer to WPA state machine data from wpa_sm_init()
3240  * @ie: Pointer to IE data (starting from id)
3241  * @len: IE length
3242  * Returns: 0 on success, -1 on failure
3243  *
3244  * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
3245  * frame.
3246  */
3247 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3248 {
3249 	if (sm == NULL)
3250 		return -1;
3251 
3252 	os_free(sm->ap_wpa_ie);
3253 	if (ie == NULL || len == 0) {
3254 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3255 			"WPA: clearing AP WPA IE");
3256 		sm->ap_wpa_ie = NULL;
3257 		sm->ap_wpa_ie_len = 0;
3258 	} else {
3259 		wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
3260 		sm->ap_wpa_ie = os_memdup(ie, len);
3261 		if (sm->ap_wpa_ie == NULL)
3262 			return -1;
3263 
3264 		sm->ap_wpa_ie_len = len;
3265 	}
3266 
3267 	return 0;
3268 }
3269 
3270 
3271 /**
3272  * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
3273  * @sm: Pointer to WPA state machine data from wpa_sm_init()
3274  * @ie: Pointer to IE data (starting from id)
3275  * @len: IE length
3276  * Returns: 0 on success, -1 on failure
3277  *
3278  * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
3279  * frame.
3280  */
3281 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3282 {
3283 	if (sm == NULL)
3284 		return -1;
3285 
3286 	os_free(sm->ap_rsn_ie);
3287 	if (ie == NULL || len == 0) {
3288 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3289 			"WPA: clearing AP RSN IE");
3290 		sm->ap_rsn_ie = NULL;
3291 		sm->ap_rsn_ie_len = 0;
3292 	} else {
3293 		wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
3294 		sm->ap_rsn_ie = os_memdup(ie, len);
3295 		if (sm->ap_rsn_ie == NULL)
3296 			return -1;
3297 
3298 		sm->ap_rsn_ie_len = len;
3299 	}
3300 
3301 	return 0;
3302 }
3303 
3304 
3305 /**
3306  * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
3307  * @sm: Pointer to WPA state machine data from wpa_sm_init()
3308  * @data: Pointer to data area for parsing results
3309  * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
3310  *
3311  * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
3312  * parsed data into data.
3313  */
3314 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
3315 {
3316 	if (sm == NULL)
3317 		return -1;
3318 
3319 	if (sm->assoc_wpa_ie == NULL) {
3320 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3321 			"WPA: No WPA/RSN IE available from association info");
3322 		return -1;
3323 	}
3324 	if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
3325 		return -2;
3326 	return 0;
3327 }
3328 
3329 
3330 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
3331 {
3332 	return pmksa_cache_list(sm->pmksa, buf, len);
3333 }
3334 
3335 
3336 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
3337 {
3338 	return pmksa_cache_head(sm->pmksa);
3339 }
3340 
3341 
3342 struct rsn_pmksa_cache_entry *
3343 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
3344 			     struct rsn_pmksa_cache_entry * entry)
3345 {
3346 	return pmksa_cache_add_entry(sm->pmksa, entry);
3347 }
3348 
3349 
3350 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
3351 			    const u8 *pmkid, const u8 *bssid,
3352 			    const u8 *fils_cache_id)
3353 {
3354 	sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
3355 					bssid, sm->own_addr, sm->network_ctx,
3356 					sm->key_mgmt, fils_cache_id);
3357 }
3358 
3359 
3360 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid,
3361 			const void *network_ctx)
3362 {
3363 	return pmksa_cache_get(sm->pmksa, bssid, NULL, network_ctx, 0) != NULL;
3364 }
3365 
3366 
3367 void wpa_sm_drop_sa(struct wpa_sm *sm)
3368 {
3369 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
3370 	sm->ptk_set = 0;
3371 	sm->tptk_set = 0;
3372 	sm->pmk_len = 0;
3373 	os_memset(sm->pmk, 0, sizeof(sm->pmk));
3374 	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
3375 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3376 	os_memset(&sm->gtk, 0, sizeof(sm->gtk));
3377 	os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
3378 #ifdef CONFIG_IEEE80211W
3379 	os_memset(&sm->igtk, 0, sizeof(sm->igtk));
3380 	os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
3381 #endif /* CONFIG_IEEE80211W */
3382 #ifdef CONFIG_IEEE80211R
3383 	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
3384 	sm->xxkey_len = 0;
3385 	os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
3386 	sm->pmk_r0_len = 0;
3387 	os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
3388 	sm->pmk_r1_len = 0;
3389 #endif /* CONFIG_IEEE80211R */
3390 }
3391 
3392 
3393 int wpa_sm_has_ptk(struct wpa_sm *sm)
3394 {
3395 	if (sm == NULL)
3396 		return 0;
3397 	return sm->ptk_set;
3398 }
3399 
3400 
3401 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
3402 {
3403 	os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
3404 }
3405 
3406 
3407 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
3408 {
3409 	pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0);
3410 }
3411 
3412 
3413 #ifdef CONFIG_WNM
3414 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
3415 {
3416 	u16 keyinfo;
3417 	u8 keylen;  /* plaintext key len */
3418 	u8 *key_rsc;
3419 
3420 	if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
3421 		struct wpa_gtk_data gd;
3422 
3423 		os_memset(&gd, 0, sizeof(gd));
3424 		keylen = wpa_cipher_key_len(sm->group_cipher);
3425 		gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
3426 		gd.alg = wpa_cipher_to_alg(sm->group_cipher);
3427 		if (gd.alg == WPA_ALG_NONE) {
3428 			wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
3429 			return -1;
3430 		}
3431 
3432 		key_rsc = buf + 5;
3433 		keyinfo = WPA_GET_LE16(buf + 2);
3434 		gd.gtk_len = keylen;
3435 		if (gd.gtk_len != buf[4]) {
3436 			wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
3437 				   gd.gtk_len, buf[4]);
3438 			return -1;
3439 		}
3440 		gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
3441 		gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
3442 		         sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
3443 
3444 		os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
3445 
3446 		wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
3447 				gd.gtk, gd.gtk_len);
3448 		if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
3449 			forced_memzero(&gd, sizeof(gd));
3450 			wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
3451 				   "WNM mode");
3452 			return -1;
3453 		}
3454 		forced_memzero(&gd, sizeof(gd));
3455 #ifdef CONFIG_IEEE80211W
3456 	} else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
3457 		const struct wpa_igtk_kde *igtk;
3458 
3459 		igtk = (const struct wpa_igtk_kde *) (buf + 2);
3460 		if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
3461 			return -1;
3462 #endif /* CONFIG_IEEE80211W */
3463 	} else {
3464 		wpa_printf(MSG_DEBUG, "Unknown element id");
3465 		return -1;
3466 	}
3467 
3468 	return 0;
3469 }
3470 #endif /* CONFIG_WNM */
3471 
3472 
3473 #ifdef CONFIG_P2P
3474 
3475 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
3476 {
3477 	if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
3478 		return -1;
3479 	os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
3480 	return 0;
3481 }
3482 
3483 #endif /* CONFIG_P2P */
3484 
3485 
3486 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
3487 {
3488 	if (rx_replay_counter == NULL)
3489 		return;
3490 
3491 	os_memcpy(sm->rx_replay_counter, rx_replay_counter,
3492 		  WPA_REPLAY_COUNTER_LEN);
3493 	sm->rx_replay_counter_set = 1;
3494 	wpa_printf(MSG_DEBUG, "Updated key replay counter");
3495 }
3496 
3497 
3498 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
3499 			    const u8 *ptk_kck, size_t ptk_kck_len,
3500 			    const u8 *ptk_kek, size_t ptk_kek_len)
3501 {
3502 	if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
3503 		os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
3504 		sm->ptk.kck_len = ptk_kck_len;
3505 		wpa_printf(MSG_DEBUG, "Updated PTK KCK");
3506 	}
3507 	if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
3508 		os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
3509 		sm->ptk.kek_len = ptk_kek_len;
3510 		wpa_printf(MSG_DEBUG, "Updated PTK KEK");
3511 	}
3512 	sm->ptk_set = 1;
3513 }
3514 
3515 
3516 #ifdef CONFIG_TESTING_OPTIONS
3517 
3518 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
3519 {
3520 	wpabuf_free(sm->test_assoc_ie);
3521 	sm->test_assoc_ie = buf;
3522 }
3523 
3524 
3525 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm)
3526 {
3527 	return sm->anonce;
3528 }
3529 
3530 #endif /* CONFIG_TESTING_OPTIONS */
3531 
3532 
3533 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm)
3534 {
3535 	return sm->key_mgmt;
3536 }
3537 
3538 
3539 #ifdef CONFIG_FILS
3540 
3541 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md)
3542 {
3543 	struct wpabuf *buf = NULL;
3544 	struct wpabuf *erp_msg;
3545 	struct wpabuf *pub = NULL;
3546 
3547 	erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
3548 	if (!erp_msg && !sm->cur_pmksa) {
3549 		wpa_printf(MSG_DEBUG,
3550 			   "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
3551 		goto fail;
3552 	}
3553 
3554 	wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
3555 		   erp_msg != NULL, sm->cur_pmksa != NULL);
3556 
3557 	sm->fils_completed = 0;
3558 
3559 	if (!sm->assoc_wpa_ie) {
3560 		wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
3561 		goto fail;
3562 	}
3563 
3564 	if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
3565 	    random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
3566 		goto fail;
3567 
3568 	wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
3569 		    sm->fils_nonce, FILS_NONCE_LEN);
3570 	wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
3571 		    sm->fils_session, FILS_SESSION_LEN);
3572 
3573 #ifdef CONFIG_FILS_SK_PFS
3574 	sm->fils_dh_group = dh_group;
3575 	if (dh_group) {
3576 		crypto_ecdh_deinit(sm->fils_ecdh);
3577 		sm->fils_ecdh = crypto_ecdh_init(dh_group);
3578 		if (!sm->fils_ecdh) {
3579 			wpa_printf(MSG_INFO,
3580 				   "FILS: Could not initialize ECDH with group %d",
3581 				   dh_group);
3582 			goto fail;
3583 		}
3584 		pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
3585 		if (!pub)
3586 			goto fail;
3587 		wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)",
3588 				pub);
3589 		sm->fils_dh_elem_len = wpabuf_len(pub);
3590 	}
3591 #endif /* CONFIG_FILS_SK_PFS */
3592 
3593 	buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
3594 			   (pub ? wpabuf_len(pub) : 0));
3595 	if (!buf)
3596 		goto fail;
3597 
3598 	/* Fields following the Authentication algorithm number field */
3599 
3600 	/* Authentication Transaction seq# */
3601 	wpabuf_put_le16(buf, 1);
3602 
3603 	/* Status Code */
3604 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
3605 
3606 	/* TODO: FILS PK */
3607 #ifdef CONFIG_FILS_SK_PFS
3608 	if (dh_group) {
3609 		/* Finite Cyclic Group */
3610 		wpabuf_put_le16(buf, dh_group);
3611 		/* Element */
3612 		wpabuf_put_buf(buf, pub);
3613 	}
3614 #endif /* CONFIG_FILS_SK_PFS */
3615 
3616 	/* RSNE */
3617 	wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
3618 		    sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3619 	wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3620 
3621 	if (md) {
3622 		/* MDE when using FILS for FT initial association */
3623 		struct rsn_mdie *mdie;
3624 
3625 		wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN);
3626 		wpabuf_put_u8(buf, sizeof(*mdie));
3627 		mdie = wpabuf_put(buf, sizeof(*mdie));
3628 		os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
3629 		mdie->ft_capab = 0;
3630 	}
3631 
3632 	/* FILS Nonce */
3633 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3634 	wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
3635 	/* Element ID Extension */
3636 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
3637 	wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
3638 
3639 	/* FILS Session */
3640 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3641 	wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
3642 	/* Element ID Extension */
3643 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
3644 	wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
3645 
3646 	/* FILS Wrapped Data */
3647 	sm->fils_erp_pmkid_set = 0;
3648 	if (erp_msg) {
3649 		wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3650 		wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
3651 		/* Element ID Extension */
3652 		wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_WRAPPED_DATA);
3653 		wpabuf_put_buf(buf, erp_msg);
3654 		/* Calculate pending PMKID here so that we do not need to
3655 		 * maintain a copy of the EAP-Initiate/Reauth message. */
3656 		if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
3657 				   wpabuf_len(erp_msg),
3658 				   sm->fils_erp_pmkid) == 0)
3659 			sm->fils_erp_pmkid_set = 1;
3660 	}
3661 
3662 	wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
3663 			buf);
3664 
3665 fail:
3666 	wpabuf_free(erp_msg);
3667 	wpabuf_free(pub);
3668 	return buf;
3669 }
3670 
3671 
3672 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
3673 		      size_t len)
3674 {
3675 	const u8 *pos, *end;
3676 	struct ieee802_11_elems elems;
3677 	struct wpa_ie_data rsn;
3678 	int pmkid_match = 0;
3679 	u8 ick[FILS_ICK_MAX_LEN];
3680 	size_t ick_len;
3681 	int res;
3682 	struct wpabuf *dh_ss = NULL;
3683 	const u8 *g_sta = NULL;
3684 	size_t g_sta_len = 0;
3685 	const u8 *g_ap = NULL;
3686 	size_t g_ap_len = 0;
3687 	struct wpabuf *pub = NULL;
3688 
3689 	os_memcpy(sm->bssid, bssid, ETH_ALEN);
3690 
3691 	wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
3692 		    data, len);
3693 	pos = data;
3694 	end = data + len;
3695 
3696 	/* TODO: FILS PK */
3697 #ifdef CONFIG_FILS_SK_PFS
3698 	if (sm->fils_dh_group) {
3699 		u16 group;
3700 
3701 		/* Using FILS PFS */
3702 
3703 		/* Finite Cyclic Group */
3704 		if (end - pos < 2) {
3705 			wpa_printf(MSG_DEBUG,
3706 				   "FILS: No room for Finite Cyclic Group");
3707 			goto fail;
3708 		}
3709 		group = WPA_GET_LE16(pos);
3710 		pos += 2;
3711 		if (group != sm->fils_dh_group) {
3712 			wpa_printf(MSG_DEBUG,
3713 				   "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
3714 				   group, sm->fils_dh_group);
3715 			goto fail;
3716 		}
3717 
3718 		/* Element */
3719 		if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
3720 			wpa_printf(MSG_DEBUG, "FILS: No room for Element");
3721 			goto fail;
3722 		}
3723 
3724 		if (!sm->fils_ecdh) {
3725 			wpa_printf(MSG_DEBUG, "FILS: No ECDH state available");
3726 			goto fail;
3727 		}
3728 		dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
3729 						sm->fils_dh_elem_len);
3730 		if (!dh_ss) {
3731 			wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
3732 			goto fail;
3733 		}
3734 		wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss);
3735 		g_ap = pos;
3736 		g_ap_len = sm->fils_dh_elem_len;
3737 		pos += sm->fils_dh_elem_len;
3738 	}
3739 #endif /* CONFIG_FILS_SK_PFS */
3740 
3741 	wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
3742 	if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
3743 		wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
3744 		goto fail;
3745 	}
3746 
3747 	/* RSNE */
3748 	wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
3749 		    elems.rsn_ie_len);
3750 	if (!elems.rsn_ie ||
3751 	    wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
3752 				 &rsn) < 0) {
3753 		wpa_printf(MSG_DEBUG, "FILS: No RSN element");
3754 		goto fail;
3755 	}
3756 
3757 	if (!elems.fils_nonce) {
3758 		wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
3759 		goto fail;
3760 	}
3761 	os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
3762 	wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
3763 
3764 #ifdef CONFIG_IEEE80211R
3765 	if (wpa_key_mgmt_ft(sm->key_mgmt)) {
3766 		struct wpa_ft_ies parse;
3767 
3768 		if (!elems.mdie || !elems.ftie) {
3769 			wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE");
3770 			goto fail;
3771 		}
3772 
3773 		if (wpa_ft_parse_ies(pos, end - pos, &parse,
3774 				     wpa_key_mgmt_sha384(sm->key_mgmt)) < 0) {
3775 			wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs");
3776 			goto fail;
3777 		}
3778 
3779 		if (!parse.r0kh_id) {
3780 			wpa_printf(MSG_DEBUG,
3781 				   "FILS+FT: No R0KH-ID subelem in FTE");
3782 			goto fail;
3783 		}
3784 		os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
3785 		sm->r0kh_id_len = parse.r0kh_id_len;
3786 		wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
3787 				  sm->r0kh_id, sm->r0kh_id_len);
3788 
3789 		if (!parse.r1kh_id) {
3790 			wpa_printf(MSG_DEBUG,
3791 				   "FILS+FT: No R1KH-ID subelem in FTE");
3792 			goto fail;
3793 		}
3794 		os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
3795 		wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID",
3796 			    sm->r1kh_id, FT_R1KH_ID_LEN);
3797 
3798 		/* TODO: Check MDE and FTE payload */
3799 
3800 		wpabuf_free(sm->fils_ft_ies);
3801 		sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len +
3802 					       2 + elems.ftie_len);
3803 		if (!sm->fils_ft_ies)
3804 			goto fail;
3805 		wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2,
3806 				2 + elems.mdie_len);
3807 		wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2,
3808 				2 + elems.ftie_len);
3809 	} else {
3810 		wpabuf_free(sm->fils_ft_ies);
3811 		sm->fils_ft_ies = NULL;
3812 	}
3813 #endif /* CONFIG_IEEE80211R */
3814 
3815 	/* PMKID List */
3816 	if (rsn.pmkid && rsn.num_pmkid > 0) {
3817 		wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
3818 			    rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
3819 
3820 		if (rsn.num_pmkid != 1) {
3821 			wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
3822 			goto fail;
3823 		}
3824 		wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
3825 		if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
3826 		{
3827 			wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
3828 			wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
3829 				    sm->cur_pmksa->pmkid, PMKID_LEN);
3830 			goto fail;
3831 		}
3832 		wpa_printf(MSG_DEBUG,
3833 			   "FILS: Matching PMKID - continue using PMKSA caching");
3834 		pmkid_match = 1;
3835 	}
3836 	if (!pmkid_match && sm->cur_pmksa) {
3837 		wpa_printf(MSG_DEBUG,
3838 			   "FILS: No PMKID match - cannot use cached PMKSA entry");
3839 		sm->cur_pmksa = NULL;
3840 	}
3841 
3842 	/* FILS Session */
3843 	if (!elems.fils_session) {
3844 		wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
3845 		goto fail;
3846 	}
3847 	wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
3848 		    FILS_SESSION_LEN);
3849 	if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
3850 	    != 0) {
3851 		wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
3852 		wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
3853 			    sm->fils_session, FILS_SESSION_LEN);
3854 		goto fail;
3855 	}
3856 
3857 	/* FILS Wrapped Data */
3858 	if (!sm->cur_pmksa && elems.fils_wrapped_data) {
3859 		u8 rmsk[ERP_MAX_KEY_LEN];
3860 		size_t rmsk_len;
3861 
3862 		wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
3863 			    elems.fils_wrapped_data,
3864 			    elems.fils_wrapped_data_len);
3865 		eapol_sm_process_erp_finish(sm->eapol, elems.fils_wrapped_data,
3866 					    elems.fils_wrapped_data_len);
3867 		if (eapol_sm_failed(sm->eapol))
3868 			goto fail;
3869 
3870 		rmsk_len = ERP_MAX_KEY_LEN;
3871 		res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
3872 		if (res == PMK_LEN) {
3873 			rmsk_len = PMK_LEN;
3874 			res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
3875 		}
3876 		if (res)
3877 			goto fail;
3878 
3879 		res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
3880 				       sm->fils_nonce, sm->fils_anonce,
3881 				       dh_ss ? wpabuf_head(dh_ss) : NULL,
3882 				       dh_ss ? wpabuf_len(dh_ss) : 0,
3883 				       sm->pmk, &sm->pmk_len);
3884 		forced_memzero(rmsk, sizeof(rmsk));
3885 
3886 		/* Don't use DHss in PTK derivation if PMKSA caching is not
3887 		 * used. */
3888 		wpabuf_clear_free(dh_ss);
3889 		dh_ss = NULL;
3890 
3891 		if (res)
3892 			goto fail;
3893 
3894 		if (!sm->fils_erp_pmkid_set) {
3895 			wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
3896 			goto fail;
3897 		}
3898 		wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
3899 			    PMKID_LEN);
3900 		wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
3901 		sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
3902 						sm->fils_erp_pmkid, NULL, 0,
3903 						sm->bssid, sm->own_addr,
3904 						sm->network_ctx, sm->key_mgmt,
3905 						NULL);
3906 	}
3907 
3908 	if (!sm->cur_pmksa) {
3909 		wpa_printf(MSG_DEBUG,
3910 			   "FILS: No remaining options to continue FILS authentication");
3911 		goto fail;
3912 	}
3913 
3914 	if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid,
3915 			    sm->fils_nonce, sm->fils_anonce,
3916 			    dh_ss ? wpabuf_head(dh_ss) : NULL,
3917 			    dh_ss ? wpabuf_len(dh_ss) : 0,
3918 			    &sm->ptk, ick, &ick_len,
3919 			    sm->key_mgmt, sm->pairwise_cipher,
3920 			    sm->fils_ft, &sm->fils_ft_len) < 0) {
3921 		wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
3922 		goto fail;
3923 	}
3924 
3925 	wpabuf_clear_free(dh_ss);
3926 	dh_ss = NULL;
3927 
3928 	sm->ptk_set = 1;
3929 	sm->tptk_set = 0;
3930 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3931 
3932 #ifdef CONFIG_FILS_SK_PFS
3933 	if (sm->fils_dh_group) {
3934 		if (!sm->fils_ecdh) {
3935 			wpa_printf(MSG_INFO, "FILS: ECDH not initialized");
3936 			goto fail;
3937 		}
3938 		pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
3939 		if (!pub)
3940 			goto fail;
3941 		wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub);
3942 		g_sta = wpabuf_head(pub);
3943 		g_sta_len = wpabuf_len(pub);
3944 		if (!g_ap) {
3945 			wpa_printf(MSG_INFO, "FILS: gAP not available");
3946 			goto fail;
3947 		}
3948 		wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
3949 	}
3950 #endif /* CONFIG_FILS_SK_PFS */
3951 
3952 	res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
3953 			       sm->fils_anonce, sm->own_addr, sm->bssid,
3954 			       g_sta, g_sta_len, g_ap, g_ap_len,
3955 			       sm->key_mgmt, sm->fils_key_auth_sta,
3956 			       sm->fils_key_auth_ap,
3957 			       &sm->fils_key_auth_len);
3958 	wpabuf_free(pub);
3959 	forced_memzero(ick, sizeof(ick));
3960 	return res;
3961 fail:
3962 	wpabuf_free(pub);
3963 	wpabuf_clear_free(dh_ss);
3964 	return -1;
3965 }
3966 
3967 
3968 #ifdef CONFIG_IEEE80211R
3969 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf)
3970 {
3971 	struct rsn_ie_hdr *rsnie;
3972 	u16 capab;
3973 	u8 *pos;
3974 	int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
3975 
3976 	/* RSNIE[PMKR0Name/PMKR1Name] */
3977 	rsnie = wpabuf_put(buf, sizeof(*rsnie));
3978 	rsnie->elem_id = WLAN_EID_RSN;
3979 	WPA_PUT_LE16(rsnie->version, RSN_VERSION);
3980 
3981 	/* Group Suite Selector */
3982 	if (!wpa_cipher_valid_group(sm->group_cipher)) {
3983 		wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
3984 			   sm->group_cipher);
3985 		return -1;
3986 	}
3987 	pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
3988 	RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
3989 						  sm->group_cipher));
3990 
3991 	/* Pairwise Suite Count */
3992 	wpabuf_put_le16(buf, 1);
3993 
3994 	/* Pairwise Suite List */
3995 	if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
3996 		wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
3997 			   sm->pairwise_cipher);
3998 		return -1;
3999 	}
4000 	pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4001 	RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
4002 						  sm->pairwise_cipher));
4003 
4004 	/* Authenticated Key Management Suite Count */
4005 	wpabuf_put_le16(buf, 1);
4006 
4007 	/* Authenticated Key Management Suite List */
4008 	pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4009 	if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
4010 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
4011 	else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384)
4012 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
4013 	else {
4014 		wpa_printf(MSG_WARNING,
4015 			   "FILS+FT: Invalid key management type (%d)",
4016 			   sm->key_mgmt);
4017 		return -1;
4018 	}
4019 
4020 	/* RSN Capabilities */
4021 	capab = 0;
4022 #ifdef CONFIG_IEEE80211W
4023 	if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC)
4024 		capab |= WPA_CAPABILITY_MFPC;
4025 #endif /* CONFIG_IEEE80211W */
4026 	if (sm->ocv)
4027 		capab |= WPA_CAPABILITY_OCVC;
4028 	wpabuf_put_le16(buf, capab);
4029 
4030 	/* PMKID Count */
4031 	wpabuf_put_le16(buf, 1);
4032 
4033 	/* PMKID List [PMKR1Name] */
4034 	wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)",
4035 			sm->fils_ft, sm->fils_ft_len);
4036 	wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len);
4037 	wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID",
4038 		    sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
4039 	wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
4040 			  sm->r0kh_id, sm->r0kh_id_len);
4041 	if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid,
4042 			      sm->ssid_len, sm->mobility_domain,
4043 			      sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
4044 			      sm->pmk_r0, sm->pmk_r0_name, use_sha384) < 0) {
4045 		wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0");
4046 		return -1;
4047 	}
4048 	sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
4049 	wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0",
4050 			sm->pmk_r0, sm->pmk_r0_len);
4051 	wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name",
4052 		    sm->pmk_r0_name, WPA_PMK_NAME_LEN);
4053 	wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR,
4054 		   MAC2STR(sm->r1kh_id));
4055 	pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
4056 	if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
4057 				   sm->pmk_r1_name, use_sha384) < 0) {
4058 		wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
4059 		return -1;
4060 	}
4061 	wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name,
4062 		    WPA_PMK_NAME_LEN);
4063 	os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN);
4064 
4065 #ifdef CONFIG_IEEE80211W
4066 	if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
4067 		/* Management Group Cipher Suite */
4068 		pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4069 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
4070 	}
4071 #endif /* CONFIG_IEEE80211W */
4072 
4073 	rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2;
4074 	return 0;
4075 }
4076 #endif /* CONFIG_IEEE80211R */
4077 
4078 
4079 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
4080 				     size_t *kek_len, const u8 **snonce,
4081 				     const u8 **anonce,
4082 				     const struct wpabuf **hlp,
4083 				     unsigned int num_hlp)
4084 {
4085 	struct wpabuf *buf;
4086 	size_t len;
4087 	unsigned int i;
4088 
4089 	len = 1000;
4090 #ifdef CONFIG_IEEE80211R
4091 	if (sm->fils_ft_ies)
4092 		len += wpabuf_len(sm->fils_ft_ies);
4093 	if (wpa_key_mgmt_ft(sm->key_mgmt))
4094 		len += 256;
4095 #endif /* CONFIG_IEEE80211R */
4096 	for (i = 0; hlp && i < num_hlp; i++)
4097 		len += 10 + wpabuf_len(hlp[i]);
4098 	buf = wpabuf_alloc(len);
4099 	if (!buf)
4100 		return NULL;
4101 
4102 #ifdef CONFIG_IEEE80211R
4103 	if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
4104 		/* MDE and FTE when using FILS+FT */
4105 		wpabuf_put_buf(buf, sm->fils_ft_ies);
4106 		/* RSNE with PMKR1Name in PMKID field */
4107 		if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) {
4108 			wpabuf_free(buf);
4109 			return NULL;
4110 		}
4111 	}
4112 #endif /* CONFIG_IEEE80211R */
4113 
4114 	/* FILS Session */
4115 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4116 	wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
4117 	/* Element ID Extension */
4118 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
4119 	wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
4120 
4121 	/* Everything after FILS Session element gets encrypted in the driver
4122 	 * with KEK. The buffer returned from here is the plaintext version. */
4123 
4124 	/* TODO: FILS Public Key */
4125 
4126 	/* FILS Key Confirm */
4127 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4128 	wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
4129 	/* Element ID Extension */
4130 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
4131 	wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
4132 
4133 	/* FILS HLP Container */
4134 	for (i = 0; hlp && i < num_hlp; i++) {
4135 		const u8 *pos = wpabuf_head(hlp[i]);
4136 		size_t left = wpabuf_len(hlp[i]);
4137 
4138 		wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4139 		if (left <= 254)
4140 			len = 1 + left;
4141 		else
4142 			len = 255;
4143 		wpabuf_put_u8(buf, len); /* Length */
4144 		/* Element ID Extension */
4145 		wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
4146 		/* Destination MAC Address, Source MAC Address, HLP Packet.
4147 		 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
4148 		 * header when LPD is used). */
4149 		wpabuf_put_data(buf, pos, len - 1);
4150 		pos += len - 1;
4151 		left -= len - 1;
4152 		while (left) {
4153 			wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
4154 			len = left > 255 ? 255 : left;
4155 			wpabuf_put_u8(buf, len);
4156 			wpabuf_put_data(buf, pos, len);
4157 			pos += len;
4158 			left -= len;
4159 		}
4160 	}
4161 
4162 	/* TODO: FILS IP Address Assignment */
4163 
4164 #ifdef CONFIG_OCV
4165 	if (wpa_sm_ocv_enabled(sm)) {
4166 		struct wpa_channel_info ci;
4167 		u8 *pos;
4168 
4169 		if (wpa_sm_channel_info(sm, &ci) != 0) {
4170 			wpa_printf(MSG_WARNING,
4171 				   "FILS: Failed to get channel info for OCI element");
4172 			wpabuf_free(buf);
4173 			return NULL;
4174 		}
4175 
4176 		pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN);
4177 		if (ocv_insert_extended_oci(&ci, pos) < 0) {
4178 			wpabuf_free(buf);
4179 			return NULL;
4180 		}
4181 	}
4182 #endif /* CONFIG_OCV */
4183 
4184 	wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
4185 
4186 	*kek = sm->ptk.kek;
4187 	*kek_len = sm->ptk.kek_len;
4188 	wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
4189 	*snonce = sm->fils_nonce;
4190 	wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
4191 		    *snonce, FILS_NONCE_LEN);
4192 	*anonce = sm->fils_anonce;
4193 	wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
4194 		    *anonce, FILS_NONCE_LEN);
4195 
4196 	return buf;
4197 }
4198 
4199 
4200 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
4201 {
4202 	const u8 *pos, *end;
4203 
4204 	wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
4205 	if (len < 2 * ETH_ALEN)
4206 		return;
4207 	pos = resp + 2 * ETH_ALEN;
4208 	end = resp + len;
4209 	if (end - pos >= 6 &&
4210 	    os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
4211 		pos += 6; /* Remove SNAP/LLC header */
4212 	wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
4213 }
4214 
4215 
4216 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
4217 				       size_t len)
4218 {
4219 	const u8 *end = pos + len;
4220 	u8 *tmp, *tmp_pos;
4221 
4222 	/* Check if there are any FILS HLP Container elements */
4223 	while (end - pos >= 2) {
4224 		if (2 + pos[1] > end - pos)
4225 			return;
4226 		if (pos[0] == WLAN_EID_EXTENSION &&
4227 		    pos[1] >= 1 + 2 * ETH_ALEN &&
4228 		    pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
4229 			break;
4230 		pos += 2 + pos[1];
4231 	}
4232 	if (end - pos < 2)
4233 		return; /* No FILS HLP Container elements */
4234 
4235 	tmp = os_malloc(end - pos);
4236 	if (!tmp)
4237 		return;
4238 
4239 	while (end - pos >= 2) {
4240 		if (2 + pos[1] > end - pos ||
4241 		    pos[0] != WLAN_EID_EXTENSION ||
4242 		    pos[1] < 1 + 2 * ETH_ALEN ||
4243 		    pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
4244 			break;
4245 		tmp_pos = tmp;
4246 		os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
4247 		tmp_pos += pos[1] - 1;
4248 		pos += 2 + pos[1];
4249 
4250 		/* Add possible fragments */
4251 		while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
4252 		       2 + pos[1] <= end - pos) {
4253 			os_memcpy(tmp_pos, pos + 2, pos[1]);
4254 			tmp_pos += pos[1];
4255 			pos += 2 + pos[1];
4256 		}
4257 
4258 		fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
4259 	}
4260 
4261 	os_free(tmp);
4262 }
4263 
4264 
4265 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
4266 {
4267 	const struct ieee80211_mgmt *mgmt;
4268 	const u8 *end, *ie_start;
4269 	struct ieee802_11_elems elems;
4270 	int keylen, rsclen;
4271 	enum wpa_alg alg;
4272 	struct wpa_gtk_data gd;
4273 	int maxkeylen;
4274 	struct wpa_eapol_ie_parse kde;
4275 
4276 	if (!sm || !sm->ptk_set) {
4277 		wpa_printf(MSG_DEBUG, "FILS: No KEK available");
4278 		return -1;
4279 	}
4280 
4281 	if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
4282 		wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
4283 		return -1;
4284 	}
4285 
4286 	if (sm->fils_completed) {
4287 		wpa_printf(MSG_DEBUG,
4288 			   "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
4289 		return -1;
4290 	}
4291 
4292 	wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
4293 		    resp, len);
4294 
4295 	mgmt = (const struct ieee80211_mgmt *) resp;
4296 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
4297 		return -1;
4298 
4299 	end = resp + len;
4300 	/* Same offset for Association Response and Reassociation Response */
4301 	ie_start = mgmt->u.assoc_resp.variable;
4302 
4303 	if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
4304 	    ParseFailed) {
4305 		wpa_printf(MSG_DEBUG,
4306 			   "FILS: Failed to parse decrypted elements");
4307 		goto fail;
4308 	}
4309 
4310 	if (!elems.fils_session) {
4311 		wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
4312 		return -1;
4313 	}
4314 	if (os_memcmp(elems.fils_session, sm->fils_session,
4315 		      FILS_SESSION_LEN) != 0) {
4316 		wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
4317 		wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
4318 			    elems.fils_session, FILS_SESSION_LEN);
4319 		wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
4320 			    sm->fils_session, FILS_SESSION_LEN);
4321 	}
4322 
4323 	if (!elems.rsn_ie) {
4324 		wpa_printf(MSG_DEBUG,
4325 			   "FILS: No RSNE in (Re)Association Response");
4326 		/* As an interop workaround, allow this for now since IEEE Std
4327 		 * 802.11ai-2016 did not include all the needed changes to make
4328 		 * a FILS AP include RSNE in the frame. This workaround might
4329 		 * eventually be removed and replaced with rejection (goto fail)
4330 		 * to follow a strict interpretation of the standard. */
4331 	} else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
4332 				      sm->ap_rsn_ie, sm->ap_rsn_ie_len,
4333 				      elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
4334 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4335 			"FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
4336 		wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
4337 			    sm->ap_rsn_ie, sm->ap_rsn_ie_len);
4338 		wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
4339 			    elems.rsn_ie, elems.rsn_ie_len);
4340 		goto fail;
4341 	}
4342 
4343 	/* TODO: FILS Public Key */
4344 
4345 	if (!elems.fils_key_confirm) {
4346 		wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
4347 		goto fail;
4348 	}
4349 	if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
4350 		wpa_printf(MSG_DEBUG,
4351 			   "FILS: Unexpected Key-Auth length %d (expected %d)",
4352 			   elems.fils_key_confirm_len,
4353 			   (int) sm->fils_key_auth_len);
4354 		goto fail;
4355 	}
4356 	if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
4357 		      sm->fils_key_auth_len) != 0) {
4358 		wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
4359 		wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
4360 			    elems.fils_key_confirm,
4361 			    elems.fils_key_confirm_len);
4362 		wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
4363 			    sm->fils_key_auth_ap, sm->fils_key_auth_len);
4364 		goto fail;
4365 	}
4366 
4367 #ifdef CONFIG_OCV
4368 	if (wpa_sm_ocv_enabled(sm)) {
4369 		struct wpa_channel_info ci;
4370 
4371 		if (wpa_sm_channel_info(sm, &ci) != 0) {
4372 			wpa_printf(MSG_WARNING,
4373 				   "Failed to get channel info to validate received OCI in FILS (Re)Association Response frame");
4374 			goto fail;
4375 		}
4376 
4377 		if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
4378 					 channel_width_to_int(ci.chanwidth),
4379 					 ci.seg1_idx) != 0) {
4380 			wpa_printf(MSG_WARNING, "FILS: %s", ocv_errorstr);
4381 			goto fail;
4382 		}
4383 	}
4384 #endif /* CONFIG_OCV */
4385 
4386 #ifdef CONFIG_IEEE80211R
4387 	if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
4388 		struct wpa_ie_data rsn;
4389 
4390 		/* Check that PMKR1Name derived by the AP matches */
4391 		if (!elems.rsn_ie ||
4392 		    wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
4393 					 &rsn) < 0 ||
4394 		    !rsn.pmkid || rsn.num_pmkid != 1 ||
4395 		    os_memcmp(rsn.pmkid, sm->pmk_r1_name,
4396 			      WPA_PMK_NAME_LEN) != 0) {
4397 			wpa_printf(MSG_DEBUG,
4398 				   "FILS+FT: No RSNE[PMKR1Name] match in AssocResp");
4399 			goto fail;
4400 		}
4401 	}
4402 #endif /* CONFIG_IEEE80211R */
4403 
4404 	/* Key Delivery */
4405 	if (!elems.key_delivery) {
4406 		wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
4407 		goto fail;
4408 	}
4409 
4410 	/* Parse GTK and set the key to the driver */
4411 	os_memset(&gd, 0, sizeof(gd));
4412 	if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
4413 				     elems.key_delivery_len - WPA_KEY_RSC_LEN,
4414 				     &kde) < 0) {
4415 		wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
4416 		goto fail;
4417 	}
4418 	if (!kde.gtk) {
4419 		wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
4420 		goto fail;
4421 	}
4422 	maxkeylen = gd.gtk_len = kde.gtk_len - 2;
4423 	if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
4424 					      gd.gtk_len, maxkeylen,
4425 					      &gd.key_rsc_len, &gd.alg))
4426 		goto fail;
4427 
4428 	wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
4429 	gd.keyidx = kde.gtk[0] & 0x3;
4430 	gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
4431 						     !!(kde.gtk[0] & BIT(2)));
4432 	if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
4433 		wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
4434 			   (unsigned long) kde.gtk_len - 2);
4435 		goto fail;
4436 	}
4437 	os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
4438 
4439 	wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
4440 	if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
4441 		wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
4442 		goto fail;
4443 	}
4444 
4445 	if (ieee80211w_set_keys(sm, &kde) < 0) {
4446 		wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
4447 		goto fail;
4448 	}
4449 
4450 	alg = wpa_cipher_to_alg(sm->pairwise_cipher);
4451 	keylen = wpa_cipher_key_len(sm->pairwise_cipher);
4452 	if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
4453 		wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
4454 			   keylen, (long unsigned int) sm->ptk.tk_len);
4455 		goto fail;
4456 	}
4457 	rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
4458 	wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
4459 			sm->ptk.tk, keylen);
4460 	if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen,
4461 			   sm->ptk.tk, keylen) < 0) {
4462 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4463 			"FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
4464 			MACSTR ")",
4465 			alg, keylen, MAC2STR(sm->bssid));
4466 		goto fail;
4467 	}
4468 
4469 	/* TODO: TK could be cleared after auth frame exchange now that driver
4470 	 * takes care of association frame encryption/decryption. */
4471 	/* TK is not needed anymore in supplicant */
4472 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
4473 	sm->ptk.tk_len = 0;
4474 	sm->ptk.installed = 1;
4475 
4476 	/* FILS HLP Container */
4477 	fils_process_hlp_container(sm, ie_start, end - ie_start);
4478 
4479 	/* TODO: FILS IP Address Assignment */
4480 
4481 	wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
4482 	sm->fils_completed = 1;
4483 	forced_memzero(&gd, sizeof(gd));
4484 
4485 	return 0;
4486 fail:
4487 	forced_memzero(&gd, sizeof(gd));
4488 	return -1;
4489 }
4490 
4491 
4492 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set)
4493 {
4494 	if (sm)
4495 		sm->fils_completed = !!set;
4496 }
4497 
4498 #endif /* CONFIG_FILS */
4499 
4500 
4501 int wpa_fils_is_completed(struct wpa_sm *sm)
4502 {
4503 #ifdef CONFIG_FILS
4504 	return sm && sm->fils_completed;
4505 #else /* CONFIG_FILS */
4506 	return 0;
4507 #endif /* CONFIG_FILS */
4508 }
4509 
4510 
4511 #ifdef CONFIG_OWE
4512 
4513 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group)
4514 {
4515 	struct wpabuf *ie = NULL, *pub = NULL;
4516 	size_t prime_len;
4517 
4518 	if (group == 19)
4519 		prime_len = 32;
4520 	else if (group == 20)
4521 		prime_len = 48;
4522 	else if (group == 21)
4523 		prime_len = 66;
4524 	else
4525 		return NULL;
4526 
4527 	crypto_ecdh_deinit(sm->owe_ecdh);
4528 	sm->owe_ecdh = crypto_ecdh_init(group);
4529 	if (!sm->owe_ecdh)
4530 		goto fail;
4531 	sm->owe_group = group;
4532 	pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
4533 	pub = wpabuf_zeropad(pub, prime_len);
4534 	if (!pub)
4535 		goto fail;
4536 
4537 	ie = wpabuf_alloc(5 + wpabuf_len(pub));
4538 	if (!ie)
4539 		goto fail;
4540 	wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
4541 	wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
4542 	wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
4543 	wpabuf_put_le16(ie, group);
4544 	wpabuf_put_buf(ie, pub);
4545 	wpabuf_free(pub);
4546 	wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
4547 			ie);
4548 
4549 	return ie;
4550 fail:
4551 	wpabuf_free(pub);
4552 	crypto_ecdh_deinit(sm->owe_ecdh);
4553 	sm->owe_ecdh = NULL;
4554 	return NULL;
4555 }
4556 
4557 
4558 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
4559 			   const u8 *resp_ies, size_t resp_ies_len)
4560 {
4561 	struct ieee802_11_elems elems;
4562 	u16 group;
4563 	struct wpabuf *secret, *pub, *hkey;
4564 	int res;
4565 	u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
4566 	const char *info = "OWE Key Generation";
4567 	const u8 *addr[2];
4568 	size_t len[2];
4569 	size_t hash_len, prime_len;
4570 	struct wpa_ie_data data;
4571 
4572 	if (!resp_ies ||
4573 	    ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
4574 	    ParseFailed) {
4575 		wpa_printf(MSG_INFO,
4576 			   "OWE: Could not parse Association Response frame elements");
4577 		return -1;
4578 	}
4579 
4580 	if (sm->cur_pmksa && elems.rsn_ie &&
4581 	    wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len,
4582 				 &data) == 0 &&
4583 	    data.num_pmkid == 1 && data.pmkid &&
4584 	    os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) {
4585 		wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching");
4586 		wpa_sm_set_pmk_from_pmksa(sm);
4587 		return 0;
4588 	}
4589 
4590 	if (!elems.owe_dh) {
4591 		wpa_printf(MSG_INFO,
4592 			   "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
4593 		return -1;
4594 	}
4595 
4596 	group = WPA_GET_LE16(elems.owe_dh);
4597 	if (group != sm->owe_group) {
4598 		wpa_printf(MSG_INFO,
4599 			   "OWE: Unexpected Diffie-Hellman group in response: %u",
4600 			   group);
4601 		return -1;
4602 	}
4603 
4604 	if (!sm->owe_ecdh) {
4605 		wpa_printf(MSG_INFO, "OWE: No ECDH state available");
4606 		return -1;
4607 	}
4608 
4609 	if (group == 19)
4610 		prime_len = 32;
4611 	else if (group == 20)
4612 		prime_len = 48;
4613 	else if (group == 21)
4614 		prime_len = 66;
4615 	else
4616 		return -1;
4617 
4618 	secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
4619 					 elems.owe_dh + 2,
4620 					 elems.owe_dh_len - 2);
4621 	secret = wpabuf_zeropad(secret, prime_len);
4622 	if (!secret) {
4623 		wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
4624 		return -1;
4625 	}
4626 	wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
4627 
4628 	/* prk = HKDF-extract(C | A | group, z) */
4629 
4630 	pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
4631 	if (!pub) {
4632 		wpabuf_clear_free(secret);
4633 		return -1;
4634 	}
4635 
4636 	/* PMKID = Truncate-128(Hash(C | A)) */
4637 	addr[0] = wpabuf_head(pub);
4638 	len[0] = wpabuf_len(pub);
4639 	addr[1] = elems.owe_dh + 2;
4640 	len[1] = elems.owe_dh_len - 2;
4641 	if (group == 19) {
4642 		res = sha256_vector(2, addr, len, pmkid);
4643 		hash_len = SHA256_MAC_LEN;
4644 	} else if (group == 20) {
4645 		res = sha384_vector(2, addr, len, pmkid);
4646 		hash_len = SHA384_MAC_LEN;
4647 	} else if (group == 21) {
4648 		res = sha512_vector(2, addr, len, pmkid);
4649 		hash_len = SHA512_MAC_LEN;
4650 	} else {
4651 		res = -1;
4652 		hash_len = 0;
4653 	}
4654 	pub = wpabuf_zeropad(pub, prime_len);
4655 	if (res < 0 || !pub) {
4656 		wpabuf_free(pub);
4657 		wpabuf_clear_free(secret);
4658 		return -1;
4659 	}
4660 
4661 	hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
4662 	if (!hkey) {
4663 		wpabuf_free(pub);
4664 		wpabuf_clear_free(secret);
4665 		return -1;
4666 	}
4667 
4668 	wpabuf_put_buf(hkey, pub); /* C */
4669 	wpabuf_free(pub);
4670 	wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
4671 	wpabuf_put_le16(hkey, sm->owe_group); /* group */
4672 	if (group == 19)
4673 		res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
4674 				  wpabuf_head(secret), wpabuf_len(secret), prk);
4675 	else if (group == 20)
4676 		res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
4677 				  wpabuf_head(secret), wpabuf_len(secret), prk);
4678 	else if (group == 21)
4679 		res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
4680 				  wpabuf_head(secret), wpabuf_len(secret), prk);
4681 	wpabuf_clear_free(hkey);
4682 	wpabuf_clear_free(secret);
4683 	if (res < 0)
4684 		return -1;
4685 
4686 	wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
4687 
4688 	/* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
4689 
4690 	if (group == 19)
4691 		res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
4692 				      os_strlen(info), sm->pmk, hash_len);
4693 	else if (group == 20)
4694 		res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
4695 				      os_strlen(info), sm->pmk, hash_len);
4696 	else if (group == 21)
4697 		res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
4698 				      os_strlen(info), sm->pmk, hash_len);
4699 	forced_memzero(prk, SHA512_MAC_LEN);
4700 	if (res < 0) {
4701 		sm->pmk_len = 0;
4702 		return -1;
4703 	}
4704 	sm->pmk_len = hash_len;
4705 
4706 	wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
4707 	wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
4708 	pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
4709 			bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
4710 			NULL);
4711 
4712 	return 0;
4713 }
4714 
4715 #endif /* CONFIG_OWE */
4716 
4717 
4718 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id)
4719 {
4720 #ifdef CONFIG_FILS
4721 	if (sm && fils_cache_id) {
4722 		sm->fils_cache_id_set = 1;
4723 		os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN);
4724 	}
4725 #endif /* CONFIG_FILS */
4726 }
4727 
4728 
4729 #ifdef CONFIG_DPP2
4730 void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z)
4731 {
4732 	if (sm) {
4733 		wpabuf_clear_free(sm->dpp_z);
4734 		sm->dpp_z = z ? wpabuf_dup(z) : NULL;
4735 	}
4736 }
4737 #endif /* CONFIG_DPP2 */
4738