1 /* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/state_machine.h" 14 #include "utils/bitfield.h" 15 #include "common/ieee802_11_defs.h" 16 #include "common/ocv.h" 17 #include "crypto/aes.h" 18 #include "crypto/aes_wrap.h" 19 #include "crypto/aes_siv.h" 20 #include "crypto/crypto.h" 21 #include "crypto/sha1.h" 22 #include "crypto/sha256.h" 23 #include "crypto/sha384.h" 24 #include "crypto/random.h" 25 #include "eapol_auth/eapol_auth_sm.h" 26 #include "drivers/driver.h" 27 #include "ap_config.h" 28 #include "ieee802_11.h" 29 #include "wpa_auth.h" 30 #include "pmksa_cache_auth.h" 31 #include "wpa_auth_i.h" 32 #include "wpa_auth_ie.h" 33 34 #define STATE_MACHINE_DATA struct wpa_state_machine 35 #define STATE_MACHINE_DEBUG_PREFIX "WPA" 36 #define STATE_MACHINE_ADDR sm->addr 37 38 39 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 40 static int wpa_sm_step(struct wpa_state_machine *sm); 41 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK, 42 u8 *data, size_t data_len); 43 #ifdef CONFIG_FILS 44 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 45 u8 *buf, size_t buf_len, u16 *_key_data_len); 46 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, 47 const struct wpabuf *hlp); 48 #endif /* CONFIG_FILS */ 49 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 50 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 51 struct wpa_group *group); 52 static void wpa_request_new_ptk(struct wpa_state_machine *sm); 53 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 54 struct wpa_group *group); 55 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 56 struct wpa_group *group); 57 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 58 const u8 *pmk, unsigned int pmk_len, 59 struct wpa_ptk *ptk); 60 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 61 struct wpa_group *group); 62 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 63 struct wpa_group *group); 64 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 65 struct wpa_group *group); 66 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); 67 68 static const u32 eapol_key_timeout_first = 100; /* ms */ 69 static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 70 static const u32 eapol_key_timeout_first_group = 500; /* ms */ 71 static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */ 72 73 /* TODO: make these configurable */ 74 static const int dot11RSNAConfigPMKLifetime = 43200; 75 static const int dot11RSNAConfigPMKReauthThreshold = 70; 76 static const int dot11RSNAConfigSATimeout = 60; 77 78 79 static inline int wpa_auth_mic_failure_report( 80 struct wpa_authenticator *wpa_auth, const u8 *addr) 81 { 82 if (wpa_auth->cb->mic_failure_report) 83 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr); 84 return 0; 85 } 86 87 88 static inline void wpa_auth_psk_failure_report( 89 struct wpa_authenticator *wpa_auth, const u8 *addr) 90 { 91 if (wpa_auth->cb->psk_failure_report) 92 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr); 93 } 94 95 96 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 97 const u8 *addr, wpa_eapol_variable var, 98 int value) 99 { 100 if (wpa_auth->cb->set_eapol) 101 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value); 102 } 103 104 105 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 106 const u8 *addr, wpa_eapol_variable var) 107 { 108 if (wpa_auth->cb->get_eapol == NULL) 109 return -1; 110 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var); 111 } 112 113 114 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 115 const u8 *addr, 116 const u8 *p2p_dev_addr, 117 const u8 *prev_psk, size_t *psk_len, 118 int *vlan_id) 119 { 120 if (wpa_auth->cb->get_psk == NULL) 121 return NULL; 122 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr, 123 prev_psk, psk_len, vlan_id); 124 } 125 126 127 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 128 const u8 *addr, u8 *msk, size_t *len) 129 { 130 if (wpa_auth->cb->get_msk == NULL) 131 return -1; 132 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len); 133 } 134 135 136 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 137 int vlan_id, 138 enum wpa_alg alg, const u8 *addr, int idx, 139 u8 *key, size_t key_len) 140 { 141 if (wpa_auth->cb->set_key == NULL) 142 return -1; 143 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx, 144 key, key_len); 145 } 146 147 148 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 149 const u8 *addr, int idx, u8 *seq) 150 { 151 if (wpa_auth->cb->get_seqnum == NULL) 152 return -1; 153 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq); 154 } 155 156 157 static inline int 158 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 159 const u8 *data, size_t data_len, int encrypt) 160 { 161 if (wpa_auth->cb->send_eapol == NULL) 162 return -1; 163 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len, 164 encrypt); 165 } 166 167 168 #ifdef CONFIG_MESH 169 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth, 170 const u8 *addr) 171 { 172 if (wpa_auth->cb->start_ampe == NULL) 173 return -1; 174 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr); 175 } 176 #endif /* CONFIG_MESH */ 177 178 179 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 180 int (*cb)(struct wpa_state_machine *sm, void *ctx), 181 void *cb_ctx) 182 { 183 if (wpa_auth->cb->for_each_sta == NULL) 184 return 0; 185 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx); 186 } 187 188 189 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 190 int (*cb)(struct wpa_authenticator *a, void *ctx), 191 void *cb_ctx) 192 { 193 if (wpa_auth->cb->for_each_auth == NULL) 194 return 0; 195 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx); 196 } 197 198 199 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 200 logger_level level, const char *txt) 201 { 202 if (wpa_auth->cb->logger == NULL) 203 return; 204 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt); 205 } 206 207 208 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 209 logger_level level, const char *fmt, ...) 210 { 211 char *format; 212 int maxlen; 213 va_list ap; 214 215 if (wpa_auth->cb->logger == NULL) 216 return; 217 218 maxlen = os_strlen(fmt) + 100; 219 format = os_malloc(maxlen); 220 if (!format) 221 return; 222 223 va_start(ap, fmt); 224 vsnprintf(format, maxlen, fmt, ap); 225 va_end(ap); 226 227 wpa_auth_logger(wpa_auth, addr, level, format); 228 229 os_free(format); 230 } 231 232 233 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 234 const u8 *addr, u16 reason) 235 { 236 if (wpa_auth->cb->disconnect == NULL) 237 return; 238 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)", 239 MAC2STR(addr), reason); 240 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason); 241 } 242 243 244 #ifdef CONFIG_OCV 245 static int wpa_channel_info(struct wpa_authenticator *wpa_auth, 246 struct wpa_channel_info *ci) 247 { 248 if (!wpa_auth->cb->channel_info) 249 return -1; 250 return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci); 251 } 252 #endif /* CONFIG_OCV */ 253 254 255 static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth, 256 const u8 *addr, int vlan_id) 257 { 258 if (!wpa_auth->cb->update_vlan) 259 return -1; 260 return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id); 261 } 262 263 264 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 265 { 266 struct wpa_authenticator *wpa_auth = eloop_ctx; 267 268 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 269 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 270 "initialization."); 271 } else { 272 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 273 wpa_hexdump_key(MSG_DEBUG, "GMK", 274 wpa_auth->group->GMK, WPA_GMK_LEN); 275 } 276 277 if (wpa_auth->conf.wpa_gmk_rekey) { 278 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 279 wpa_rekey_gmk, wpa_auth, NULL); 280 } 281 } 282 283 284 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 285 { 286 struct wpa_authenticator *wpa_auth = eloop_ctx; 287 struct wpa_group *group, *next; 288 289 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 290 group = wpa_auth->group; 291 while (group) { 292 wpa_group_get(wpa_auth, group); 293 294 group->GTKReKey = TRUE; 295 do { 296 group->changed = FALSE; 297 wpa_group_sm_step(wpa_auth, group); 298 } while (group->changed); 299 300 next = group->next; 301 wpa_group_put(wpa_auth, group); 302 group = next; 303 } 304 305 if (wpa_auth->conf.wpa_group_rekey) { 306 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 307 0, wpa_rekey_gtk, wpa_auth, NULL); 308 } 309 } 310 311 312 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 313 { 314 struct wpa_authenticator *wpa_auth = eloop_ctx; 315 struct wpa_state_machine *sm = timeout_ctx; 316 317 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 318 wpa_request_new_ptk(sm); 319 wpa_sm_step(sm); 320 } 321 322 323 void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine *sm) 324 { 325 if (sm && sm->wpa_auth->conf.wpa_ptk_rekey) { 326 wpa_printf(MSG_DEBUG, "WPA: Start PTK rekeying timer for " 327 MACSTR " (%d seconds)", MAC2STR(sm->addr), 328 sm->wpa_auth->conf.wpa_ptk_rekey); 329 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 330 eloop_register_timeout(sm->wpa_auth->conf.wpa_ptk_rekey, 0, 331 wpa_rekey_ptk, sm->wpa_auth, sm); 332 } 333 } 334 335 336 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 337 { 338 if (sm->pmksa == ctx) 339 sm->pmksa = NULL; 340 return 0; 341 } 342 343 344 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 345 void *ctx) 346 { 347 struct wpa_authenticator *wpa_auth = ctx; 348 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 349 } 350 351 352 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 353 struct wpa_group *group) 354 { 355 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 356 u8 rkey[32]; 357 unsigned long ptr; 358 359 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 360 return -1; 361 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 362 363 /* 364 * Counter = PRF-256(Random number, "Init Counter", 365 * Local MAC Address || Time) 366 */ 367 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 368 wpa_get_ntp_timestamp(buf + ETH_ALEN); 369 ptr = (unsigned long) group; 370 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 371 #ifdef TEST_FUZZ 372 os_memset(buf + ETH_ALEN, 0xab, 8); 373 os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr)); 374 #endif /* TEST_FUZZ */ 375 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 376 return -1; 377 378 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 379 group->Counter, WPA_NONCE_LEN) < 0) 380 return -1; 381 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 382 group->Counter, WPA_NONCE_LEN); 383 384 return 0; 385 } 386 387 388 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 389 int vlan_id, int delay_init) 390 { 391 struct wpa_group *group; 392 393 group = os_zalloc(sizeof(struct wpa_group)); 394 if (group == NULL) 395 return NULL; 396 397 group->GTKAuthenticator = TRUE; 398 group->vlan_id = vlan_id; 399 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 400 401 if (random_pool_ready() != 1) { 402 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 403 "for secure operations - update keys later when " 404 "the first station connects"); 405 } 406 407 /* 408 * Set initial GMK/Counter value here. The actual values that will be 409 * used in negotiations will be set once the first station tries to 410 * connect. This allows more time for collecting additional randomness 411 * on embedded devices. 412 */ 413 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 414 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 415 "initialization."); 416 os_free(group); 417 return NULL; 418 } 419 420 group->GInit = TRUE; 421 if (delay_init) { 422 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 423 "until Beacon frames have been configured"); 424 /* Initialization is completed in wpa_init_keys(). */ 425 } else { 426 wpa_group_sm_step(wpa_auth, group); 427 group->GInit = FALSE; 428 wpa_group_sm_step(wpa_auth, group); 429 } 430 431 return group; 432 } 433 434 435 /** 436 * wpa_init - Initialize WPA authenticator 437 * @addr: Authenticator address 438 * @conf: Configuration for WPA authenticator 439 * @cb: Callback functions for WPA authenticator 440 * Returns: Pointer to WPA authenticator data or %NULL on failure 441 */ 442 struct wpa_authenticator * wpa_init(const u8 *addr, 443 struct wpa_auth_config *conf, 444 const struct wpa_auth_callbacks *cb, 445 void *cb_ctx) 446 { 447 struct wpa_authenticator *wpa_auth; 448 449 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 450 if (wpa_auth == NULL) 451 return NULL; 452 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 453 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 454 wpa_auth->cb = cb; 455 wpa_auth->cb_ctx = cb_ctx; 456 457 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 458 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 459 os_free(wpa_auth); 460 return NULL; 461 } 462 463 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 464 if (wpa_auth->group == NULL) { 465 os_free(wpa_auth->wpa_ie); 466 os_free(wpa_auth); 467 return NULL; 468 } 469 470 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 471 wpa_auth); 472 if (wpa_auth->pmksa == NULL) { 473 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 474 os_free(wpa_auth->group); 475 os_free(wpa_auth->wpa_ie); 476 os_free(wpa_auth); 477 return NULL; 478 } 479 480 #ifdef CONFIG_IEEE80211R_AP 481 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 482 if (wpa_auth->ft_pmk_cache == NULL) { 483 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 484 os_free(wpa_auth->group); 485 os_free(wpa_auth->wpa_ie); 486 pmksa_cache_auth_deinit(wpa_auth->pmksa); 487 os_free(wpa_auth); 488 return NULL; 489 } 490 #endif /* CONFIG_IEEE80211R_AP */ 491 492 if (wpa_auth->conf.wpa_gmk_rekey) { 493 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 494 wpa_rekey_gmk, wpa_auth, NULL); 495 } 496 497 if (wpa_auth->conf.wpa_group_rekey) { 498 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 499 wpa_rekey_gtk, wpa_auth, NULL); 500 } 501 502 #ifdef CONFIG_P2P 503 if (WPA_GET_BE32(conf->ip_addr_start)) { 504 int count = WPA_GET_BE32(conf->ip_addr_end) - 505 WPA_GET_BE32(conf->ip_addr_start) + 1; 506 if (count > 1000) 507 count = 1000; 508 if (count > 0) 509 wpa_auth->ip_pool = bitfield_alloc(count); 510 } 511 #endif /* CONFIG_P2P */ 512 513 return wpa_auth; 514 } 515 516 517 int wpa_init_keys(struct wpa_authenticator *wpa_auth) 518 { 519 struct wpa_group *group = wpa_auth->group; 520 521 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 522 "keys"); 523 wpa_group_sm_step(wpa_auth, group); 524 group->GInit = FALSE; 525 wpa_group_sm_step(wpa_auth, group); 526 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 527 return -1; 528 return 0; 529 } 530 531 532 /** 533 * wpa_deinit - Deinitialize WPA authenticator 534 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 535 */ 536 void wpa_deinit(struct wpa_authenticator *wpa_auth) 537 { 538 struct wpa_group *group, *prev; 539 540 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 541 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 542 543 pmksa_cache_auth_deinit(wpa_auth->pmksa); 544 545 #ifdef CONFIG_IEEE80211R_AP 546 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 547 wpa_auth->ft_pmk_cache = NULL; 548 wpa_ft_deinit(wpa_auth); 549 #endif /* CONFIG_IEEE80211R_AP */ 550 551 #ifdef CONFIG_P2P 552 bitfield_free(wpa_auth->ip_pool); 553 #endif /* CONFIG_P2P */ 554 555 556 os_free(wpa_auth->wpa_ie); 557 558 group = wpa_auth->group; 559 while (group) { 560 prev = group; 561 group = group->next; 562 os_free(prev); 563 } 564 565 os_free(wpa_auth); 566 } 567 568 569 /** 570 * wpa_reconfig - Update WPA authenticator configuration 571 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 572 * @conf: Configuration for WPA authenticator 573 */ 574 int wpa_reconfig(struct wpa_authenticator *wpa_auth, 575 struct wpa_auth_config *conf) 576 { 577 struct wpa_group *group; 578 if (wpa_auth == NULL) 579 return 0; 580 581 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 582 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 583 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 584 return -1; 585 } 586 587 /* 588 * Reinitialize GTK to make sure it is suitable for the new 589 * configuration. 590 */ 591 group = wpa_auth->group; 592 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 593 group->GInit = TRUE; 594 wpa_group_sm_step(wpa_auth, group); 595 group->GInit = FALSE; 596 wpa_group_sm_step(wpa_auth, group); 597 598 return 0; 599 } 600 601 602 struct wpa_state_machine * 603 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 604 const u8 *p2p_dev_addr) 605 { 606 struct wpa_state_machine *sm; 607 608 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 609 return NULL; 610 611 sm = os_zalloc(sizeof(struct wpa_state_machine)); 612 if (sm == NULL) 613 return NULL; 614 os_memcpy(sm->addr, addr, ETH_ALEN); 615 if (p2p_dev_addr) 616 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 617 618 sm->wpa_auth = wpa_auth; 619 sm->group = wpa_auth->group; 620 wpa_group_get(sm->wpa_auth, sm->group); 621 622 return sm; 623 } 624 625 626 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 627 struct wpa_state_machine *sm) 628 { 629 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 630 return -1; 631 632 #ifdef CONFIG_IEEE80211R_AP 633 if (sm->ft_completed) { 634 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 635 "FT authentication already completed - do not " 636 "start 4-way handshake"); 637 /* Go to PTKINITDONE state to allow GTK rekeying */ 638 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 639 sm->Pair = TRUE; 640 return 0; 641 } 642 #endif /* CONFIG_IEEE80211R_AP */ 643 644 #ifdef CONFIG_FILS 645 if (sm->fils_completed) { 646 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 647 "FILS authentication already completed - do not start 4-way handshake"); 648 /* Go to PTKINITDONE state to allow GTK rekeying */ 649 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 650 sm->Pair = TRUE; 651 return 0; 652 } 653 #endif /* CONFIG_FILS */ 654 655 if (sm->started) { 656 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 657 sm->ReAuthenticationRequest = TRUE; 658 return wpa_sm_step(sm); 659 } 660 661 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 662 "start authentication"); 663 sm->started = 1; 664 665 sm->Init = TRUE; 666 if (wpa_sm_step(sm) == 1) 667 return 1; /* should not really happen */ 668 sm->Init = FALSE; 669 sm->AuthenticationRequest = TRUE; 670 return wpa_sm_step(sm); 671 } 672 673 674 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 675 { 676 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 677 * reassociates back to the same AP while the previous entry for the 678 * STA has not yet been removed. */ 679 if (sm == NULL) 680 return; 681 682 sm->wpa_key_mgmt = 0; 683 } 684 685 686 static void wpa_free_sta_sm(struct wpa_state_machine *sm) 687 { 688 #ifdef CONFIG_P2P 689 if (WPA_GET_BE32(sm->ip_addr)) { 690 u32 start; 691 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP " 692 "address %u.%u.%u.%u from " MACSTR, 693 sm->ip_addr[0], sm->ip_addr[1], 694 sm->ip_addr[2], sm->ip_addr[3], 695 MAC2STR(sm->addr)); 696 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start); 697 bitfield_clear(sm->wpa_auth->ip_pool, 698 WPA_GET_BE32(sm->ip_addr) - start); 699 } 700 #endif /* CONFIG_P2P */ 701 if (sm->GUpdateStationKeys) { 702 sm->group->GKeyDoneStations--; 703 sm->GUpdateStationKeys = FALSE; 704 } 705 #ifdef CONFIG_IEEE80211R_AP 706 os_free(sm->assoc_resp_ftie); 707 wpabuf_free(sm->ft_pending_req_ies); 708 #endif /* CONFIG_IEEE80211R_AP */ 709 os_free(sm->last_rx_eapol_key); 710 os_free(sm->wpa_ie); 711 wpa_group_put(sm->wpa_auth, sm->group); 712 #ifdef CONFIG_DPP2 713 wpabuf_clear_free(sm->dpp_z); 714 #endif /* CONFIG_DPP2 */ 715 bin_clear_free(sm, sizeof(*sm)); 716 } 717 718 719 void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 720 { 721 if (sm == NULL) 722 return; 723 724 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 725 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 726 "strict rekeying - force GTK rekey since STA " 727 "is leaving"); 728 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk, 729 sm->wpa_auth, NULL) == -1) 730 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 731 NULL); 732 } 733 734 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 735 sm->pending_1_of_4_timeout = 0; 736 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 737 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 738 #ifdef CONFIG_IEEE80211R_AP 739 wpa_ft_sta_deinit(sm); 740 #endif /* CONFIG_IEEE80211R_AP */ 741 if (sm->in_step_loop) { 742 /* Must not free state machine while wpa_sm_step() is running. 743 * Freeing will be completed in the end of wpa_sm_step(). */ 744 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 745 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 746 sm->pending_deinit = 1; 747 } else 748 wpa_free_sta_sm(sm); 749 } 750 751 752 static void wpa_request_new_ptk(struct wpa_state_machine *sm) 753 { 754 if (sm == NULL) 755 return; 756 757 sm->PTKRequest = TRUE; 758 sm->PTK_valid = 0; 759 } 760 761 762 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 763 const u8 *replay_counter) 764 { 765 int i; 766 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 767 if (!ctr[i].valid) 768 break; 769 if (os_memcmp(replay_counter, ctr[i].counter, 770 WPA_REPLAY_COUNTER_LEN) == 0) 771 return 1; 772 } 773 return 0; 774 } 775 776 777 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 778 const u8 *replay_counter) 779 { 780 int i; 781 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 782 if (ctr[i].valid && 783 (replay_counter == NULL || 784 os_memcmp(replay_counter, ctr[i].counter, 785 WPA_REPLAY_COUNTER_LEN) == 0)) 786 ctr[i].valid = FALSE; 787 } 788 } 789 790 791 #ifdef CONFIG_IEEE80211R_AP 792 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 793 struct wpa_state_machine *sm, 794 struct wpa_eapol_ie_parse *kde) 795 { 796 struct wpa_ie_data ie; 797 struct rsn_mdie *mdie; 798 799 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 800 ie.num_pmkid != 1 || ie.pmkid == NULL) { 801 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 802 "FT 4-way handshake message 2/4"); 803 return -1; 804 } 805 806 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 807 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 808 sm->sup_pmk_r1_name, PMKID_LEN); 809 810 if (!kde->mdie || !kde->ftie) { 811 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 812 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 813 return -1; 814 } 815 816 mdie = (struct rsn_mdie *) (kde->mdie + 2); 817 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 818 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 819 MOBILITY_DOMAIN_ID_LEN) != 0) { 820 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 821 return -1; 822 } 823 824 if (sm->assoc_resp_ftie && 825 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 826 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 827 2 + sm->assoc_resp_ftie[1]) != 0)) { 828 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 829 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 830 kde->ftie, kde->ftie_len); 831 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 832 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 833 return -1; 834 } 835 836 return 0; 837 } 838 #endif /* CONFIG_IEEE80211R_AP */ 839 840 841 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 842 struct wpa_state_machine *sm, int group) 843 { 844 /* Supplicant reported a Michael MIC error */ 845 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 846 "received EAPOL-Key Error Request " 847 "(STA detected Michael MIC failure (group=%d))", 848 group); 849 850 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 851 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 852 "ignore Michael MIC failure report since " 853 "group cipher is not TKIP"); 854 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 855 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 856 "ignore Michael MIC failure report since " 857 "pairwise cipher is not TKIP"); 858 } else { 859 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 860 return 1; /* STA entry was removed */ 861 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 862 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 863 } 864 865 /* 866 * Error report is not a request for a new key handshake, but since 867 * Authenticator may do it, let's change the keys now anyway. 868 */ 869 wpa_request_new_ptk(sm); 870 return 0; 871 } 872 873 874 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, 875 size_t data_len) 876 { 877 struct wpa_ptk PTK; 878 int ok = 0; 879 const u8 *pmk = NULL; 880 size_t pmk_len; 881 int vlan_id = 0; 882 883 os_memset(&PTK, 0, sizeof(PTK)); 884 for (;;) { 885 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 886 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 887 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 888 sm->p2p_dev_addr, pmk, &pmk_len, 889 &vlan_id); 890 if (pmk == NULL) 891 break; 892 #ifdef CONFIG_IEEE80211R_AP 893 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { 894 os_memcpy(sm->xxkey, pmk, pmk_len); 895 sm->xxkey_len = pmk_len; 896 } 897 #endif /* CONFIG_IEEE80211R_AP */ 898 } else { 899 pmk = sm->PMK; 900 pmk_len = sm->pmk_len; 901 } 902 903 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0) 904 break; 905 906 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK, 907 data, data_len) == 0) { 908 if (sm->PMK != pmk) { 909 os_memcpy(sm->PMK, pmk, pmk_len); 910 sm->pmk_len = pmk_len; 911 } 912 ok = 1; 913 break; 914 } 915 916 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 917 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) 918 break; 919 } 920 921 if (!ok) { 922 wpa_printf(MSG_DEBUG, 923 "WPA: Earlier SNonce did not result in matching MIC"); 924 return -1; 925 } 926 927 wpa_printf(MSG_DEBUG, 928 "WPA: Earlier SNonce resulted in matching MIC"); 929 sm->alt_snonce_valid = 0; 930 931 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 932 wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0) 933 return -1; 934 935 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN); 936 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 937 sm->PTK_valid = TRUE; 938 939 return 0; 940 } 941 942 943 void wpa_receive(struct wpa_authenticator *wpa_auth, 944 struct wpa_state_machine *sm, 945 u8 *data, size_t data_len) 946 { 947 struct ieee802_1x_hdr *hdr; 948 struct wpa_eapol_key *key; 949 u16 key_info, key_data_length; 950 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg; 951 char *msgtxt; 952 struct wpa_eapol_ie_parse kde; 953 const u8 *key_data; 954 size_t keyhdrlen, mic_len; 955 u8 *mic; 956 957 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 958 return; 959 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len); 960 961 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 962 keyhdrlen = sizeof(*key) + mic_len + 2; 963 964 if (data_len < sizeof(*hdr) + keyhdrlen) { 965 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame"); 966 return; 967 } 968 969 hdr = (struct ieee802_1x_hdr *) data; 970 key = (struct wpa_eapol_key *) (hdr + 1); 971 mic = (u8 *) (key + 1); 972 key_info = WPA_GET_BE16(key->key_info); 973 key_data = mic + mic_len + 2; 974 key_data_length = WPA_GET_BE16(mic + mic_len); 975 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 976 " key_info=0x%x type=%u mic_len=%u key_data_length=%u", 977 MAC2STR(sm->addr), key_info, key->type, 978 (unsigned int) mic_len, key_data_length); 979 wpa_hexdump(MSG_MSGDUMP, 980 "WPA: EAPOL-Key header (ending before Key MIC)", 981 key, sizeof(*key)); 982 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC", 983 mic, mic_len); 984 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) { 985 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 986 "key_data overflow (%d > %lu)", 987 key_data_length, 988 (unsigned long) (data_len - sizeof(*hdr) - 989 keyhdrlen)); 990 return; 991 } 992 993 if (sm->wpa == WPA_VERSION_WPA2) { 994 if (key->type == EAPOL_KEY_TYPE_WPA) { 995 /* 996 * Some deployed station implementations seem to send 997 * msg 4/4 with incorrect type value in WPA2 mode. 998 */ 999 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 1000 "with unexpected WPA type in RSN mode"); 1001 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 1002 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 1003 "unexpected type %d in RSN mode", 1004 key->type); 1005 return; 1006 } 1007 } else { 1008 if (key->type != EAPOL_KEY_TYPE_WPA) { 1009 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 1010 "unexpected type %d in WPA mode", 1011 key->type); 1012 return; 1013 } 1014 } 1015 1016 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 1017 WPA_NONCE_LEN); 1018 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 1019 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1020 1021 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 1022 * are set */ 1023 1024 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 1025 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message"); 1026 return; 1027 } 1028 1029 if (key_info & WPA_KEY_INFO_REQUEST) { 1030 msg = REQUEST; 1031 msgtxt = "Request"; 1032 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 1033 msg = GROUP_2; 1034 msgtxt = "2/2 Group"; 1035 } else if (key_data_length == 0 || 1036 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && 1037 key_data_length == AES_BLOCK_SIZE)) { 1038 msg = PAIRWISE_4; 1039 msgtxt = "4/4 Pairwise"; 1040 } else { 1041 msg = PAIRWISE_2; 1042 msgtxt = "2/4 Pairwise"; 1043 } 1044 1045 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 1046 msg == GROUP_2) { 1047 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 1048 if (sm->pairwise == WPA_CIPHER_CCMP || 1049 sm->pairwise == WPA_CIPHER_GCMP) { 1050 if (wpa_use_cmac(sm->wpa_key_mgmt) && 1051 !wpa_use_akm_defined(sm->wpa_key_mgmt) && 1052 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1053 wpa_auth_logger(wpa_auth, sm->addr, 1054 LOGGER_WARNING, 1055 "advertised support for " 1056 "AES-128-CMAC, but did not " 1057 "use it"); 1058 return; 1059 } 1060 1061 if (!wpa_use_cmac(sm->wpa_key_mgmt) && 1062 !wpa_use_akm_defined(sm->wpa_key_mgmt) && 1063 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1064 wpa_auth_logger(wpa_auth, sm->addr, 1065 LOGGER_WARNING, 1066 "did not use HMAC-SHA1-AES " 1067 "with CCMP/GCMP"); 1068 return; 1069 } 1070 } 1071 1072 if (wpa_use_akm_defined(sm->wpa_key_mgmt) && 1073 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 1074 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1075 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases"); 1076 return; 1077 } 1078 } 1079 1080 if (key_info & WPA_KEY_INFO_REQUEST) { 1081 if (sm->req_replay_counter_used && 1082 os_memcmp(key->replay_counter, sm->req_replay_counter, 1083 WPA_REPLAY_COUNTER_LEN) <= 0) { 1084 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1085 "received EAPOL-Key request with " 1086 "replayed counter"); 1087 return; 1088 } 1089 } 1090 1091 if (!(key_info & WPA_KEY_INFO_REQUEST) && 1092 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 1093 int i; 1094 1095 if (msg == PAIRWISE_2 && 1096 wpa_replay_counter_valid(sm->prev_key_replay, 1097 key->replay_counter) && 1098 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1099 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 1100 { 1101 /* 1102 * Some supplicant implementations (e.g., Windows XP 1103 * WZC) update SNonce for each EAPOL-Key 2/4. This 1104 * breaks the workaround on accepting any of the 1105 * pending requests, so allow the SNonce to be updated 1106 * even if we have already sent out EAPOL-Key 3/4. 1107 */ 1108 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1109 "Process SNonce update from STA " 1110 "based on retransmitted EAPOL-Key " 1111 "1/4"); 1112 sm->update_snonce = 1; 1113 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN); 1114 sm->alt_snonce_valid = TRUE; 1115 os_memcpy(sm->alt_replay_counter, 1116 sm->key_replay[0].counter, 1117 WPA_REPLAY_COUNTER_LEN); 1118 goto continue_processing; 1119 } 1120 1121 if (msg == PAIRWISE_4 && sm->alt_snonce_valid && 1122 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1123 os_memcmp(key->replay_counter, sm->alt_replay_counter, 1124 WPA_REPLAY_COUNTER_LEN) == 0) { 1125 /* 1126 * Supplicant may still be using the old SNonce since 1127 * there was two EAPOL-Key 2/4 messages and they had 1128 * different SNonce values. 1129 */ 1130 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1131 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4"); 1132 goto continue_processing; 1133 } 1134 1135 if (msg == PAIRWISE_2 && 1136 wpa_replay_counter_valid(sm->prev_key_replay, 1137 key->replay_counter) && 1138 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 1139 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1140 "ignore retransmitted EAPOL-Key %s - " 1141 "SNonce did not change", msgtxt); 1142 } else { 1143 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1144 "received EAPOL-Key %s with " 1145 "unexpected replay counter", msgtxt); 1146 } 1147 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 1148 if (!sm->key_replay[i].valid) 1149 break; 1150 wpa_hexdump(MSG_DEBUG, "pending replay counter", 1151 sm->key_replay[i].counter, 1152 WPA_REPLAY_COUNTER_LEN); 1153 } 1154 wpa_hexdump(MSG_DEBUG, "received replay counter", 1155 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1156 return; 1157 } 1158 1159 continue_processing: 1160 #ifdef CONFIG_FILS 1161 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 && 1162 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1163 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1164 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame"); 1165 return; 1166 } 1167 #endif /* CONFIG_FILS */ 1168 1169 switch (msg) { 1170 case PAIRWISE_2: 1171 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 1172 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 1173 (!sm->update_snonce || 1174 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 1175 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1176 "received EAPOL-Key msg 2/4 in " 1177 "invalid state (%d) - dropped", 1178 sm->wpa_ptk_state); 1179 return; 1180 } 1181 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 1182 if (sm->group->reject_4way_hs_for_entropy) { 1183 /* 1184 * The system did not have enough entropy to generate 1185 * strong random numbers. Reject the first 4-way 1186 * handshake(s) and collect some entropy based on the 1187 * information from it. Once enough entropy is 1188 * available, the next atempt will trigger GMK/Key 1189 * Counter update and the station will be allowed to 1190 * continue. 1191 */ 1192 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 1193 "collect more entropy for random number " 1194 "generation"); 1195 random_mark_pool_ready(); 1196 wpa_sta_disconnect(wpa_auth, sm->addr, 1197 WLAN_REASON_PREV_AUTH_NOT_VALID); 1198 return; 1199 } 1200 break; 1201 case PAIRWISE_4: 1202 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1203 !sm->PTK_valid) { 1204 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1205 "received EAPOL-Key msg 4/4 in " 1206 "invalid state (%d) - dropped", 1207 sm->wpa_ptk_state); 1208 return; 1209 } 1210 break; 1211 case GROUP_2: 1212 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1213 || !sm->PTK_valid) { 1214 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1215 "received EAPOL-Key msg 2/2 in " 1216 "invalid state (%d) - dropped", 1217 sm->wpa_ptk_group_state); 1218 return; 1219 } 1220 break; 1221 case REQUEST: 1222 break; 1223 } 1224 1225 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1226 "received EAPOL-Key frame (%s)", msgtxt); 1227 1228 if (key_info & WPA_KEY_INFO_ACK) { 1229 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1230 "received invalid EAPOL-Key: Key Ack set"); 1231 return; 1232 } 1233 1234 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1235 !(key_info & WPA_KEY_INFO_MIC)) { 1236 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1237 "received invalid EAPOL-Key: Key MIC not set"); 1238 return; 1239 } 1240 1241 #ifdef CONFIG_FILS 1242 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1243 (key_info & WPA_KEY_INFO_MIC)) { 1244 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1245 "received invalid EAPOL-Key: Key MIC set"); 1246 return; 1247 } 1248 #endif /* CONFIG_FILS */ 1249 1250 sm->MICVerified = FALSE; 1251 if (sm->PTK_valid && !sm->update_snonce) { 1252 if (mic_len && 1253 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK, 1254 data, data_len) && 1255 (msg != PAIRWISE_4 || !sm->alt_snonce_valid || 1256 wpa_try_alt_snonce(sm, data, data_len))) { 1257 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1258 "received EAPOL-Key with invalid MIC"); 1259 #ifdef TEST_FUZZ 1260 wpa_printf(MSG_INFO, 1261 "TEST: Ignore Key MIC failure for fuzz testing"); 1262 goto continue_fuzz; 1263 #endif /* TEST_FUZZ */ 1264 return; 1265 } 1266 #ifdef CONFIG_FILS 1267 if (!mic_len && 1268 wpa_aead_decrypt(sm, &sm->PTK, data, data_len, 1269 &key_data_length) < 0) { 1270 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1271 "received EAPOL-Key with invalid MIC"); 1272 #ifdef TEST_FUZZ 1273 wpa_printf(MSG_INFO, 1274 "TEST: Ignore Key MIC failure for fuzz testing"); 1275 goto continue_fuzz; 1276 #endif /* TEST_FUZZ */ 1277 return; 1278 } 1279 #endif /* CONFIG_FILS */ 1280 #ifdef TEST_FUZZ 1281 continue_fuzz: 1282 #endif /* TEST_FUZZ */ 1283 sm->MICVerified = TRUE; 1284 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1285 sm->pending_1_of_4_timeout = 0; 1286 } 1287 1288 if (key_info & WPA_KEY_INFO_REQUEST) { 1289 if (sm->MICVerified) { 1290 sm->req_replay_counter_used = 1; 1291 os_memcpy(sm->req_replay_counter, key->replay_counter, 1292 WPA_REPLAY_COUNTER_LEN); 1293 } else { 1294 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1295 "received EAPOL-Key request with " 1296 "invalid MIC"); 1297 return; 1298 } 1299 1300 /* 1301 * TODO: should decrypt key data field if encryption was used; 1302 * even though MAC address KDE is not normally encrypted, 1303 * supplicant is allowed to encrypt it. 1304 */ 1305 if (key_info & WPA_KEY_INFO_ERROR) { 1306 if (wpa_receive_error_report( 1307 wpa_auth, sm, 1308 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1309 return; /* STA entry was removed */ 1310 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1311 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1312 "received EAPOL-Key Request for new " 1313 "4-Way Handshake"); 1314 wpa_request_new_ptk(sm); 1315 } else if (key_data_length > 0 && 1316 wpa_parse_kde_ies(key_data, key_data_length, 1317 &kde) == 0 && 1318 kde.mac_addr) { 1319 } else { 1320 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1321 "received EAPOL-Key Request for GTK " 1322 "rekeying"); 1323 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1324 wpa_rekey_gtk(wpa_auth, NULL); 1325 } 1326 } else { 1327 /* Do not allow the same key replay counter to be reused. */ 1328 wpa_replay_counter_mark_invalid(sm->key_replay, 1329 key->replay_counter); 1330 1331 if (msg == PAIRWISE_2) { 1332 /* 1333 * Maintain a copy of the pending EAPOL-Key frames in 1334 * case the EAPOL-Key frame was retransmitted. This is 1335 * needed to allow EAPOL-Key msg 2/4 reply to another 1336 * pending msg 1/4 to update the SNonce to work around 1337 * unexpected supplicant behavior. 1338 */ 1339 os_memcpy(sm->prev_key_replay, sm->key_replay, 1340 sizeof(sm->key_replay)); 1341 } else { 1342 os_memset(sm->prev_key_replay, 0, 1343 sizeof(sm->prev_key_replay)); 1344 } 1345 1346 /* 1347 * Make sure old valid counters are not accepted anymore and 1348 * do not get copied again. 1349 */ 1350 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1351 } 1352 1353 os_free(sm->last_rx_eapol_key); 1354 sm->last_rx_eapol_key = os_memdup(data, data_len); 1355 if (sm->last_rx_eapol_key == NULL) 1356 return; 1357 sm->last_rx_eapol_key_len = data_len; 1358 1359 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1360 sm->EAPOLKeyReceived = TRUE; 1361 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1362 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1363 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1364 wpa_sm_step(sm); 1365 } 1366 1367 1368 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1369 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1370 { 1371 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN]; 1372 u8 *pos; 1373 int ret = 0; 1374 1375 /* GTK = PRF-X(GMK, "Group key expansion", 1376 * AA || GNonce || Time || random data) 1377 * The example described in the IEEE 802.11 standard uses only AA and 1378 * GNonce as inputs here. Add some more entropy since this derivation 1379 * is done only at the Authenticator and as such, does not need to be 1380 * exactly same. 1381 */ 1382 os_memset(data, 0, sizeof(data)); 1383 os_memcpy(data, addr, ETH_ALEN); 1384 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1385 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1386 wpa_get_ntp_timestamp(pos); 1387 #ifdef TEST_FUZZ 1388 os_memset(pos, 0xef, 8); 1389 #endif /* TEST_FUZZ */ 1390 pos += 8; 1391 if (random_get_bytes(pos, gtk_len) < 0) 1392 ret = -1; 1393 1394 #ifdef CONFIG_SHA384 1395 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1396 gtk, gtk_len) < 0) 1397 ret = -1; 1398 #else /* CONFIG_SHA384 */ 1399 #ifdef CONFIG_SHA256 1400 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1401 gtk, gtk_len) < 0) 1402 ret = -1; 1403 #else /* CONFIG_SHA256 */ 1404 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1405 gtk, gtk_len) < 0) 1406 ret = -1; 1407 #endif /* CONFIG_SHA256 */ 1408 #endif /* CONFIG_SHA384 */ 1409 1410 return ret; 1411 } 1412 1413 1414 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1415 { 1416 struct wpa_authenticator *wpa_auth = eloop_ctx; 1417 struct wpa_state_machine *sm = timeout_ctx; 1418 1419 sm->pending_1_of_4_timeout = 0; 1420 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1421 sm->TimeoutEvt = TRUE; 1422 wpa_sm_step(sm); 1423 } 1424 1425 1426 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1427 struct wpa_state_machine *sm, int key_info, 1428 const u8 *key_rsc, const u8 *nonce, 1429 const u8 *kde, size_t kde_len, 1430 int keyidx, int encr, int force_version) 1431 { 1432 struct ieee802_1x_hdr *hdr; 1433 struct wpa_eapol_key *key; 1434 size_t len, mic_len, keyhdrlen; 1435 int alg; 1436 int key_data_len, pad_len = 0; 1437 u8 *buf, *pos; 1438 int version, pairwise; 1439 int i; 1440 u8 *key_mic, *key_data; 1441 1442 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 1443 keyhdrlen = sizeof(*key) + mic_len + 2; 1444 1445 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen; 1446 1447 if (force_version) 1448 version = force_version; 1449 else if (wpa_use_akm_defined(sm->wpa_key_mgmt)) 1450 version = WPA_KEY_INFO_TYPE_AKM_DEFINED; 1451 else if (wpa_use_cmac(sm->wpa_key_mgmt)) 1452 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1453 else if (sm->pairwise != WPA_CIPHER_TKIP) 1454 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1455 else 1456 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1457 1458 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1459 1460 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1461 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1462 "encr=%d)", 1463 version, 1464 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1465 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1466 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1467 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1468 pairwise, (unsigned long) kde_len, keyidx, encr); 1469 1470 key_data_len = kde_len; 1471 1472 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1473 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) || 1474 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1475 pad_len = key_data_len % 8; 1476 if (pad_len) 1477 pad_len = 8 - pad_len; 1478 key_data_len += pad_len + 8; 1479 } 1480 1481 len += key_data_len; 1482 if (!mic_len && encr) 1483 len += AES_BLOCK_SIZE; 1484 1485 hdr = os_zalloc(len); 1486 if (hdr == NULL) 1487 return; 1488 hdr->version = wpa_auth->conf.eapol_version; 1489 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1490 hdr->length = host_to_be16(len - sizeof(*hdr)); 1491 key = (struct wpa_eapol_key *) (hdr + 1); 1492 key_mic = (u8 *) (key + 1); 1493 key_data = ((u8 *) (hdr + 1)) + keyhdrlen; 1494 1495 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1496 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1497 key_info |= version; 1498 if (encr && sm->wpa == WPA_VERSION_WPA2) 1499 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1500 if (sm->wpa != WPA_VERSION_WPA2) 1501 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1502 WPA_PUT_BE16(key->key_info, key_info); 1503 1504 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1505 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise) 1506 WPA_PUT_BE16(key->key_length, 0); 1507 else 1508 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1509 1510 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1511 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1512 os_memcpy(sm->key_replay[i].counter, 1513 sm->key_replay[i - 1].counter, 1514 WPA_REPLAY_COUNTER_LEN); 1515 } 1516 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1517 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1518 WPA_REPLAY_COUNTER_LEN); 1519 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", 1520 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1521 sm->key_replay[0].valid = TRUE; 1522 1523 if (nonce) 1524 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1525 1526 if (key_rsc) 1527 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1528 1529 if (kde && !encr) { 1530 os_memcpy(key_data, kde, kde_len); 1531 WPA_PUT_BE16(key_mic + mic_len, kde_len); 1532 #ifdef CONFIG_FILS 1533 } else if (!mic_len && kde) { 1534 const u8 *aad[1]; 1535 size_t aad_len[1]; 1536 1537 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len); 1538 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1539 kde, kde_len); 1540 1541 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", 1542 sm->PTK.kek, sm->PTK.kek_len); 1543 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 1544 * to Key Data (exclusive). */ 1545 aad[0] = (u8 *) hdr; 1546 aad_len[0] = key_mic + 2 - (u8 *) hdr; 1547 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len, 1548 1, aad, aad_len, key_mic + 2) < 0) { 1549 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed"); 1550 return; 1551 } 1552 1553 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV", 1554 key_mic + 2, AES_BLOCK_SIZE + kde_len); 1555 #endif /* CONFIG_FILS */ 1556 } else if (encr && kde) { 1557 buf = os_zalloc(key_data_len); 1558 if (buf == NULL) { 1559 os_free(hdr); 1560 return; 1561 } 1562 pos = buf; 1563 os_memcpy(pos, kde, kde_len); 1564 pos += kde_len; 1565 1566 if (pad_len) 1567 *pos++ = 0xdd; 1568 1569 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1570 buf, key_data_len); 1571 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1572 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) || 1573 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1574 wpa_printf(MSG_DEBUG, 1575 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)", 1576 (unsigned int) sm->PTK.kek_len); 1577 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len, 1578 (key_data_len - 8) / 8, buf, key_data)) { 1579 os_free(hdr); 1580 os_free(buf); 1581 return; 1582 } 1583 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1584 #ifndef CONFIG_NO_RC4 1585 } else if (sm->PTK.kek_len == 16) { 1586 u8 ek[32]; 1587 1588 wpa_printf(MSG_DEBUG, 1589 "WPA: Encrypt Key Data using RC4"); 1590 os_memcpy(key->key_iv, 1591 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1592 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1593 os_memcpy(ek, key->key_iv, 16); 1594 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len); 1595 os_memcpy(key_data, buf, key_data_len); 1596 rc4_skip(ek, 32, 256, key_data, key_data_len); 1597 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1598 #endif /* CONFIG_NO_RC4 */ 1599 } else { 1600 os_free(hdr); 1601 os_free(buf); 1602 return; 1603 } 1604 os_free(buf); 1605 } 1606 1607 if (key_info & WPA_KEY_INFO_MIC) { 1608 if (!sm->PTK_valid || !mic_len) { 1609 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1610 "PTK not valid when sending EAPOL-Key " 1611 "frame"); 1612 os_free(hdr); 1613 return; 1614 } 1615 1616 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len, 1617 sm->wpa_key_mgmt, version, 1618 (u8 *) hdr, len, key_mic) < 0) { 1619 os_free(hdr); 1620 return; 1621 } 1622 #ifdef CONFIG_TESTING_OPTIONS 1623 if (!pairwise && 1624 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 && 1625 drand48() < 1626 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { 1627 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1628 "Corrupting group EAPOL-Key Key MIC"); 1629 key_mic[0]++; 1630 } 1631 #endif /* CONFIG_TESTING_OPTIONS */ 1632 } 1633 1634 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1635 1); 1636 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1637 sm->pairwise_set); 1638 os_free(hdr); 1639 } 1640 1641 1642 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1643 struct wpa_state_machine *sm, int key_info, 1644 const u8 *key_rsc, const u8 *nonce, 1645 const u8 *kde, size_t kde_len, 1646 int keyidx, int encr) 1647 { 1648 int timeout_ms; 1649 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1650 u32 ctr; 1651 1652 if (sm == NULL) 1653 return; 1654 1655 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1656 keyidx, encr, 0); 1657 1658 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1659 if (ctr == 1 && wpa_auth->conf.tx_status) 1660 timeout_ms = pairwise ? eapol_key_timeout_first : 1661 eapol_key_timeout_first_group; 1662 else 1663 timeout_ms = eapol_key_timeout_subseq; 1664 if (wpa_auth->conf.wpa_disable_eapol_key_retries && 1665 (!pairwise || (key_info & WPA_KEY_INFO_MIC))) 1666 timeout_ms = eapol_key_timeout_no_retrans; 1667 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1668 sm->pending_1_of_4_timeout = 1; 1669 #ifdef TEST_FUZZ 1670 timeout_ms = 1; 1671 #endif /* TEST_FUZZ */ 1672 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1673 "counter %u)", timeout_ms, ctr); 1674 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1675 wpa_send_eapol_timeout, wpa_auth, sm); 1676 } 1677 1678 1679 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK, 1680 u8 *data, size_t data_len) 1681 { 1682 struct ieee802_1x_hdr *hdr; 1683 struct wpa_eapol_key *key; 1684 u16 key_info; 1685 int ret = 0; 1686 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos; 1687 size_t mic_len = wpa_mic_len(akmp, pmk_len); 1688 1689 if (data_len < sizeof(*hdr) + sizeof(*key)) 1690 return -1; 1691 1692 hdr = (struct ieee802_1x_hdr *) data; 1693 key = (struct wpa_eapol_key *) (hdr + 1); 1694 mic_pos = (u8 *) (key + 1); 1695 key_info = WPA_GET_BE16(key->key_info); 1696 os_memcpy(mic, mic_pos, mic_len); 1697 os_memset(mic_pos, 0, mic_len); 1698 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp, 1699 key_info & WPA_KEY_INFO_TYPE_MASK, 1700 data, data_len, mic_pos) || 1701 os_memcmp_const(mic, mic_pos, mic_len) != 0) 1702 ret = -1; 1703 os_memcpy(mic_pos, mic, mic_len); 1704 return ret; 1705 } 1706 1707 1708 void wpa_remove_ptk(struct wpa_state_machine *sm) 1709 { 1710 sm->PTK_valid = FALSE; 1711 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1712 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 1713 0)) 1714 wpa_printf(MSG_DEBUG, 1715 "RSN: PTK removal from the driver failed"); 1716 sm->pairwise_set = FALSE; 1717 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1718 } 1719 1720 1721 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) 1722 { 1723 int remove_ptk = 1; 1724 1725 if (sm == NULL) 1726 return -1; 1727 1728 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1729 "event %d notification", event); 1730 1731 switch (event) { 1732 case WPA_AUTH: 1733 #ifdef CONFIG_MESH 1734 /* PTKs are derived through AMPE */ 1735 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) { 1736 /* not mesh */ 1737 break; 1738 } 1739 return 0; 1740 #endif /* CONFIG_MESH */ 1741 case WPA_ASSOC: 1742 break; 1743 case WPA_DEAUTH: 1744 case WPA_DISASSOC: 1745 sm->DeauthenticationRequest = TRUE; 1746 #ifdef CONFIG_IEEE80211R_AP 1747 os_memset(sm->PMK, 0, sizeof(sm->PMK)); 1748 sm->pmk_len = 0; 1749 os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); 1750 sm->xxkey_len = 0; 1751 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1)); 1752 sm->pmk_r1_len = 0; 1753 #endif /* CONFIG_IEEE80211R_AP */ 1754 break; 1755 case WPA_REAUTH: 1756 case WPA_REAUTH_EAPOL: 1757 if (!sm->started) { 1758 /* 1759 * When using WPS, we may end up here if the STA 1760 * manages to re-associate without the previous STA 1761 * entry getting removed. Consequently, we need to make 1762 * sure that the WPA state machines gets initialized 1763 * properly at this point. 1764 */ 1765 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1766 "started - initialize now"); 1767 sm->started = 1; 1768 sm->Init = TRUE; 1769 if (wpa_sm_step(sm) == 1) 1770 return 1; /* should not really happen */ 1771 sm->Init = FALSE; 1772 sm->AuthenticationRequest = TRUE; 1773 break; 1774 } 1775 if (sm->GUpdateStationKeys) { 1776 /* 1777 * Reauthentication cancels the pending group key 1778 * update for this STA. 1779 */ 1780 sm->group->GKeyDoneStations--; 1781 sm->GUpdateStationKeys = FALSE; 1782 sm->PtkGroupInit = TRUE; 1783 } 1784 sm->ReAuthenticationRequest = TRUE; 1785 break; 1786 case WPA_ASSOC_FT: 1787 #ifdef CONFIG_IEEE80211R_AP 1788 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1789 "after association"); 1790 wpa_ft_install_ptk(sm); 1791 1792 /* Using FT protocol, not WPA auth state machine */ 1793 sm->ft_completed = 1; 1794 wpa_auth_set_ptk_rekey_timer(sm); 1795 return 0; 1796 #else /* CONFIG_IEEE80211R_AP */ 1797 break; 1798 #endif /* CONFIG_IEEE80211R_AP */ 1799 case WPA_ASSOC_FILS: 1800 #ifdef CONFIG_FILS 1801 wpa_printf(MSG_DEBUG, 1802 "FILS: TK configuration after association"); 1803 fils_set_tk(sm); 1804 sm->fils_completed = 1; 1805 return 0; 1806 #else /* CONFIG_FILS */ 1807 break; 1808 #endif /* CONFIG_FILS */ 1809 case WPA_DRV_STA_REMOVED: 1810 sm->tk_already_set = FALSE; 1811 return 0; 1812 } 1813 1814 #ifdef CONFIG_IEEE80211R_AP 1815 sm->ft_completed = 0; 1816 #endif /* CONFIG_IEEE80211R_AP */ 1817 1818 #ifdef CONFIG_IEEE80211W 1819 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1820 remove_ptk = 0; 1821 #endif /* CONFIG_IEEE80211W */ 1822 #ifdef CONFIG_FILS 1823 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1824 (event == WPA_AUTH || event == WPA_ASSOC)) 1825 remove_ptk = 0; 1826 #endif /* CONFIG_FILS */ 1827 1828 if (remove_ptk) { 1829 sm->PTK_valid = FALSE; 1830 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1831 1832 if (event != WPA_REAUTH_EAPOL) 1833 wpa_remove_ptk(sm); 1834 } 1835 1836 if (sm->in_step_loop) { 1837 /* 1838 * wpa_sm_step() is already running - avoid recursive call to 1839 * it by making the existing loop process the new update. 1840 */ 1841 sm->changed = TRUE; 1842 return 0; 1843 } 1844 return wpa_sm_step(sm); 1845 } 1846 1847 1848 SM_STATE(WPA_PTK, INITIALIZE) 1849 { 1850 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1851 if (sm->Init) { 1852 /* Init flag is not cleared here, so avoid busy 1853 * loop by claiming nothing changed. */ 1854 sm->changed = FALSE; 1855 } 1856 1857 sm->keycount = 0; 1858 if (sm->GUpdateStationKeys) 1859 sm->group->GKeyDoneStations--; 1860 sm->GUpdateStationKeys = FALSE; 1861 if (sm->wpa == WPA_VERSION_WPA) 1862 sm->PInitAKeys = FALSE; 1863 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1864 * Local AA > Remote AA)) */) { 1865 sm->Pair = TRUE; 1866 } 1867 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1868 wpa_remove_ptk(sm); 1869 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1870 sm->TimeoutCtr = 0; 1871 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 1872 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 1873 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) { 1874 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1875 WPA_EAPOL_authorized, 0); 1876 } 1877 } 1878 1879 1880 SM_STATE(WPA_PTK, DISCONNECT) 1881 { 1882 u16 reason = sm->disconnect_reason; 1883 1884 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1885 sm->Disconnect = FALSE; 1886 sm->disconnect_reason = 0; 1887 if (!reason) 1888 reason = WLAN_REASON_PREV_AUTH_NOT_VALID; 1889 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason); 1890 } 1891 1892 1893 SM_STATE(WPA_PTK, DISCONNECTED) 1894 { 1895 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1896 sm->DeauthenticationRequest = FALSE; 1897 } 1898 1899 1900 SM_STATE(WPA_PTK, AUTHENTICATION) 1901 { 1902 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1903 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1904 sm->PTK_valid = FALSE; 1905 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1906 1); 1907 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1908 sm->AuthenticationRequest = FALSE; 1909 } 1910 1911 1912 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1913 struct wpa_group *group) 1914 { 1915 if (group->first_sta_seen) 1916 return; 1917 /* 1918 * System has run bit further than at the time hostapd was started 1919 * potentially very early during boot up. This provides better chances 1920 * of collecting more randomness on embedded systems. Re-initialize the 1921 * GMK and Counter here to improve their strength if there was not 1922 * enough entropy available immediately after system startup. 1923 */ 1924 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1925 "station"); 1926 if (random_pool_ready() != 1) { 1927 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1928 "to proceed - reject first 4-way handshake"); 1929 group->reject_4way_hs_for_entropy = TRUE; 1930 } else { 1931 group->first_sta_seen = TRUE; 1932 group->reject_4way_hs_for_entropy = FALSE; 1933 } 1934 1935 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 || 1936 wpa_gtk_update(wpa_auth, group) < 0 || 1937 wpa_group_config_group_keys(wpa_auth, group) < 0) { 1938 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed"); 1939 group->first_sta_seen = FALSE; 1940 group->reject_4way_hs_for_entropy = TRUE; 1941 } 1942 } 1943 1944 1945 SM_STATE(WPA_PTK, AUTHENTICATION2) 1946 { 1947 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1948 1949 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1950 sm->ReAuthenticationRequest = FALSE; 1951 1952 /* 1953 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1954 * ambiguous. The Authenticator state machine uses a counter that is 1955 * incremented by one for each 4-way handshake. However, the security 1956 * analysis of 4-way handshake points out that unpredictable nonces 1957 * help in preventing precomputation attacks. Instead of the state 1958 * machine definition, use an unpredictable nonce value here to provide 1959 * stronger protection against potential precomputation attacks. 1960 */ 1961 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1962 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1963 "ANonce."); 1964 sm->Disconnect = TRUE; 1965 return; 1966 } 1967 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1968 WPA_NONCE_LEN); 1969 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1970 * logical place than INITIALIZE since AUTHENTICATION2 can be 1971 * re-entered on ReAuthenticationRequest without going through 1972 * INITIALIZE. */ 1973 sm->TimeoutCtr = 0; 1974 } 1975 1976 1977 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) 1978 { 1979 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1980 wpa_printf(MSG_ERROR, 1981 "WPA: Failed to get random data for ANonce"); 1982 sm->Disconnect = TRUE; 1983 return -1; 1984 } 1985 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, 1986 WPA_NONCE_LEN); 1987 sm->TimeoutCtr = 0; 1988 return 0; 1989 } 1990 1991 1992 SM_STATE(WPA_PTK, INITPMK) 1993 { 1994 u8 msk[2 * PMK_LEN]; 1995 size_t len = 2 * PMK_LEN; 1996 1997 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1998 #ifdef CONFIG_IEEE80211R_AP 1999 sm->xxkey_len = 0; 2000 #endif /* CONFIG_IEEE80211R_AP */ 2001 if (sm->pmksa) { 2002 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 2003 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 2004 sm->pmk_len = sm->pmksa->pmk_len; 2005 #ifdef CONFIG_DPP 2006 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) { 2007 wpa_printf(MSG_DEBUG, 2008 "DPP: No PMKSA cache entry for STA - reject connection"); 2009 sm->Disconnect = TRUE; 2010 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID; 2011 return; 2012 #endif /* CONFIG_DPP */ 2013 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 2014 unsigned int pmk_len; 2015 2016 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) 2017 pmk_len = PMK_LEN_SUITE_B_192; 2018 else 2019 pmk_len = PMK_LEN; 2020 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 2021 "(MSK len=%lu PMK len=%u)", (unsigned long) len, 2022 pmk_len); 2023 if (len < pmk_len) { 2024 wpa_printf(MSG_DEBUG, 2025 "WPA: MSK not long enough (%u) to create PMK (%u)", 2026 (unsigned int) len, (unsigned int) pmk_len); 2027 sm->Disconnect = TRUE; 2028 return; 2029 } 2030 os_memcpy(sm->PMK, msk, pmk_len); 2031 sm->pmk_len = pmk_len; 2032 #ifdef CONFIG_IEEE80211R_AP 2033 if (len >= 2 * PMK_LEN) { 2034 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 2035 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN); 2036 sm->xxkey_len = SHA384_MAC_LEN; 2037 } else { 2038 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 2039 sm->xxkey_len = PMK_LEN; 2040 } 2041 } 2042 #endif /* CONFIG_IEEE80211R_AP */ 2043 } else { 2044 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p", 2045 sm->wpa_auth->cb->get_msk); 2046 sm->Disconnect = TRUE; 2047 return; 2048 } 2049 os_memset(msk, 0, sizeof(msk)); 2050 2051 sm->req_replay_counter_used = 0; 2052 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 2053 * will break reauthentication since EAPOL state machines may not be 2054 * get into AUTHENTICATING state that clears keyRun before WPA state 2055 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 2056 * state and takes PMK from the previously used AAA Key. This will 2057 * eventually fail in 4-Way Handshake because Supplicant uses PMK 2058 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 2059 * be good workaround for this issue. */ 2060 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 2061 } 2062 2063 2064 SM_STATE(WPA_PTK, INITPSK) 2065 { 2066 const u8 *psk; 2067 size_t psk_len; 2068 2069 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 2070 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL, 2071 &psk_len, NULL); 2072 if (psk) { 2073 os_memcpy(sm->PMK, psk, psk_len); 2074 sm->pmk_len = psk_len; 2075 #ifdef CONFIG_IEEE80211R_AP 2076 os_memcpy(sm->xxkey, psk, PMK_LEN); 2077 sm->xxkey_len = PMK_LEN; 2078 #endif /* CONFIG_IEEE80211R_AP */ 2079 } 2080 #ifdef CONFIG_SAE 2081 if (wpa_auth_uses_sae(sm) && sm->pmksa) { 2082 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache"); 2083 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 2084 sm->pmk_len = sm->pmksa->pmk_len; 2085 #ifdef CONFIG_IEEE80211R_AP 2086 os_memcpy(sm->xxkey, sm->pmksa->pmk, sm->pmksa->pmk_len); 2087 sm->xxkey_len = sm->pmksa->pmk_len; 2088 #endif /* CONFIG_IEEE80211R_AP */ 2089 } 2090 #endif /* CONFIG_SAE */ 2091 sm->req_replay_counter_used = 0; 2092 } 2093 2094 2095 SM_STATE(WPA_PTK, PTKSTART) 2096 { 2097 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 2098 size_t pmkid_len = 0; 2099 2100 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 2101 sm->PTKRequest = FALSE; 2102 sm->TimeoutEvt = FALSE; 2103 sm->alt_snonce_valid = FALSE; 2104 2105 sm->TimeoutCtr++; 2106 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 2107 /* No point in sending the EAPOL-Key - we will disconnect 2108 * immediately following this. */ 2109 return; 2110 } 2111 2112 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2113 "sending 1/4 msg of 4-Way Handshake"); 2114 /* 2115 * For infrastructure BSS cases, it is better for the AP not to include 2116 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate 2117 * offline search for the passphrase/PSK without having to be able to 2118 * capture a 4-way handshake from a STA that has access to the network. 2119 * 2120 * For IBSS cases, addition of PMKID KDE could be considered even with 2121 * WPA2-PSK cases that use multiple PSKs, but only if there is a single 2122 * possible PSK for this STA. However, this should not be done unless 2123 * there is support for using that information on the supplicant side. 2124 * The concern about exposing PMKID unnecessarily in infrastructure BSS 2125 * cases would also apply here, but at least in the IBSS case, this 2126 * would cover a potential real use case. 2127 */ 2128 if (sm->wpa == WPA_VERSION_WPA2 && 2129 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) || 2130 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) || 2131 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) && 2132 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) { 2133 pmkid = buf; 2134 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 2135 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 2136 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 2137 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 2138 if (sm->pmksa) { 2139 wpa_hexdump(MSG_DEBUG, 2140 "RSN: Message 1/4 PMKID from PMKSA entry", 2141 sm->pmksa->pmkid, PMKID_LEN); 2142 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2143 sm->pmksa->pmkid, PMKID_LEN); 2144 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) { 2145 /* No KCK available to derive PMKID */ 2146 wpa_printf(MSG_DEBUG, 2147 "RSN: No KCK available to derive PMKID for message 1/4"); 2148 pmkid = NULL; 2149 #ifdef CONFIG_FILS 2150 } else if (wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2151 if (sm->pmkid_set) { 2152 wpa_hexdump(MSG_DEBUG, 2153 "RSN: Message 1/4 PMKID from FILS/ERP", 2154 sm->pmkid, PMKID_LEN); 2155 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2156 sm->pmkid, PMKID_LEN); 2157 } else { 2158 /* No PMKID available */ 2159 wpa_printf(MSG_DEBUG, 2160 "RSN: No FILS/ERP PMKID available for message 1/4"); 2161 pmkid = NULL; 2162 } 2163 #endif /* CONFIG_FILS */ 2164 #ifdef CONFIG_IEEE80211R_AP 2165 } else if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) && 2166 sm->ft_completed) { 2167 wpa_printf(MSG_DEBUG, 2168 "FT: No PMKID in message 1/4 when using FT protocol"); 2169 pmkid = NULL; 2170 pmkid_len = 0; 2171 #endif /* CONFIG_IEEE80211R_AP */ 2172 #ifdef CONFIG_SAE 2173 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 2174 if (sm->pmkid_set) { 2175 wpa_hexdump(MSG_DEBUG, 2176 "RSN: Message 1/4 PMKID from SAE", 2177 sm->pmkid, PMKID_LEN); 2178 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2179 sm->pmkid, PMKID_LEN); 2180 } else { 2181 /* No PMKID available */ 2182 wpa_printf(MSG_DEBUG, 2183 "RSN: No SAE PMKID available for message 1/4"); 2184 pmkid = NULL; 2185 } 2186 #endif /* CONFIG_SAE */ 2187 } else { 2188 /* 2189 * Calculate PMKID since no PMKSA cache entry was 2190 * available with pre-calculated PMKID. 2191 */ 2192 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr, 2193 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 2194 sm->wpa_key_mgmt); 2195 wpa_hexdump(MSG_DEBUG, 2196 "RSN: Message 1/4 PMKID derived from PMK", 2197 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN); 2198 } 2199 } 2200 wpa_send_eapol(sm->wpa_auth, sm, 2201 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 2202 sm->ANonce, pmkid, pmkid_len, 0, 0); 2203 } 2204 2205 2206 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 2207 const u8 *pmk, unsigned int pmk_len, 2208 struct wpa_ptk *ptk) 2209 { 2210 const u8 *z = NULL; 2211 size_t z_len = 0; 2212 2213 #ifdef CONFIG_IEEE80211R_AP 2214 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2215 if (sm->ft_completed) { 2216 u8 ptk_name[WPA_PMK_NAME_LEN]; 2217 2218 return wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->pmk_r1_len, 2219 sm->SNonce, sm->ANonce, 2220 sm->addr, sm->wpa_auth->addr, 2221 sm->pmk_r1_name, 2222 ptk, ptk_name, 2223 sm->wpa_key_mgmt, 2224 sm->pairwise); 2225 } 2226 return wpa_auth_derive_ptk_ft(sm, ptk); 2227 } 2228 #endif /* CONFIG_IEEE80211R_AP */ 2229 2230 #ifdef CONFIG_DPP2 2231 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) { 2232 z = wpabuf_head(sm->dpp_z); 2233 z_len = wpabuf_len(sm->dpp_z); 2234 } 2235 #endif /* CONFIG_DPP2 */ 2236 2237 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion", 2238 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce, 2239 ptk, sm->wpa_key_mgmt, sm->pairwise, z, z_len); 2240 } 2241 2242 2243 #ifdef CONFIG_FILS 2244 2245 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, 2246 size_t pmk_len, const u8 *snonce, const u8 *anonce, 2247 const u8 *dhss, size_t dhss_len, 2248 struct wpabuf *g_sta, struct wpabuf *g_ap) 2249 { 2250 u8 ick[FILS_ICK_MAX_LEN]; 2251 size_t ick_len; 2252 int res; 2253 u8 fils_ft[FILS_FT_MAX_LEN]; 2254 size_t fils_ft_len = 0; 2255 2256 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr, 2257 snonce, anonce, dhss, dhss_len, 2258 &sm->PTK, ick, &ick_len, 2259 sm->wpa_key_mgmt, sm->pairwise, 2260 fils_ft, &fils_ft_len); 2261 if (res < 0) 2262 return res; 2263 sm->PTK_valid = TRUE; 2264 sm->tk_already_set = FALSE; 2265 2266 #ifdef CONFIG_IEEE80211R_AP 2267 if (fils_ft_len) { 2268 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2269 struct wpa_auth_config *conf = &wpa_auth->conf; 2270 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN]; 2271 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 2272 size_t pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN; 2273 2274 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len, 2275 conf->ssid, conf->ssid_len, 2276 conf->mobility_domain, 2277 conf->r0_key_holder, 2278 conf->r0_key_holder_len, 2279 sm->addr, pmk_r0, pmk_r0_name, 2280 use_sha384) < 0) 2281 return -1; 2282 2283 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0", 2284 pmk_r0, pmk_r0_len); 2285 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name", 2286 pmk_r0_name, WPA_PMK_NAME_LEN); 2287 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name); 2288 os_memset(fils_ft, 0, sizeof(fils_ft)); 2289 2290 res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder, 2291 sm->addr, sm->pmk_r1_name, 2292 use_sha384); 2293 os_memset(pmk_r0, 0, PMK_LEN_MAX); 2294 if (res < 0) 2295 return -1; 2296 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name, 2297 WPA_PMK_NAME_LEN); 2298 sm->pmk_r1_name_valid = 1; 2299 } 2300 #endif /* CONFIG_IEEE80211R_AP */ 2301 2302 res = fils_key_auth_sk(ick, ick_len, snonce, anonce, 2303 sm->addr, sm->wpa_auth->addr, 2304 g_sta ? wpabuf_head(g_sta) : NULL, 2305 g_sta ? wpabuf_len(g_sta) : 0, 2306 g_ap ? wpabuf_head(g_ap) : NULL, 2307 g_ap ? wpabuf_len(g_ap) : 0, 2308 sm->wpa_key_mgmt, sm->fils_key_auth_sta, 2309 sm->fils_key_auth_ap, 2310 &sm->fils_key_auth_len); 2311 os_memset(ick, 0, sizeof(ick)); 2312 2313 /* Store nonces for (Re)Association Request/Response frame processing */ 2314 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN); 2315 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN); 2316 2317 return res; 2318 } 2319 2320 2321 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 2322 u8 *buf, size_t buf_len, u16 *_key_data_len) 2323 { 2324 struct ieee802_1x_hdr *hdr; 2325 struct wpa_eapol_key *key; 2326 u8 *pos; 2327 u16 key_data_len; 2328 u8 *tmp; 2329 const u8 *aad[1]; 2330 size_t aad_len[1]; 2331 2332 hdr = (struct ieee802_1x_hdr *) buf; 2333 key = (struct wpa_eapol_key *) (hdr + 1); 2334 pos = (u8 *) (key + 1); 2335 key_data_len = WPA_GET_BE16(pos); 2336 if (key_data_len < AES_BLOCK_SIZE || 2337 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) { 2338 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2339 "No room for AES-SIV data in the frame"); 2340 return -1; 2341 } 2342 pos += 2; /* Pointing at the Encrypted Key Data field */ 2343 2344 tmp = os_malloc(key_data_len); 2345 if (!tmp) 2346 return -1; 2347 2348 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 2349 * to Key Data (exclusive). */ 2350 aad[0] = buf; 2351 aad_len[0] = pos - buf; 2352 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len, 2353 1, aad, aad_len, tmp) < 0) { 2354 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2355 "Invalid AES-SIV data in the frame"); 2356 bin_clear_free(tmp, key_data_len); 2357 return -1; 2358 } 2359 2360 /* AEAD decryption and validation completed successfully */ 2361 key_data_len -= AES_BLOCK_SIZE; 2362 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data", 2363 tmp, key_data_len); 2364 2365 /* Replace Key Data field with the decrypted version */ 2366 os_memcpy(pos, tmp, key_data_len); 2367 pos -= 2; /* Key Data Length field */ 2368 WPA_PUT_BE16(pos, key_data_len); 2369 bin_clear_free(tmp, key_data_len); 2370 if (_key_data_len) 2371 *_key_data_len = key_data_len; 2372 return 0; 2373 } 2374 2375 2376 const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm, 2377 const u8 *ies, size_t ies_len, 2378 const u8 *fils_session) 2379 { 2380 const u8 *ie, *end; 2381 const u8 *session = NULL; 2382 2383 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2384 wpa_printf(MSG_DEBUG, 2385 "FILS: Not a FILS AKM - reject association"); 2386 return NULL; 2387 } 2388 2389 /* Verify Session element */ 2390 ie = ies; 2391 end = ((const u8 *) ie) + ies_len; 2392 while (ie + 1 < end) { 2393 if (ie + 2 + ie[1] > end) 2394 break; 2395 if (ie[0] == WLAN_EID_EXTENSION && 2396 ie[1] >= 1 + FILS_SESSION_LEN && 2397 ie[2] == WLAN_EID_EXT_FILS_SESSION) { 2398 session = ie; 2399 break; 2400 } 2401 ie += 2 + ie[1]; 2402 } 2403 2404 if (!session) { 2405 wpa_printf(MSG_DEBUG, 2406 "FILS: %s: Could not find FILS Session element in Assoc Req - reject", 2407 __func__); 2408 return NULL; 2409 } 2410 2411 if (!fils_session) { 2412 wpa_printf(MSG_DEBUG, 2413 "FILS: %s: Could not find FILS Session element in STA entry - reject", 2414 __func__); 2415 return NULL; 2416 } 2417 2418 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) { 2419 wpa_printf(MSG_DEBUG, "FILS: Session mismatch"); 2420 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 2421 fils_session, FILS_SESSION_LEN); 2422 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session", 2423 session + 3, FILS_SESSION_LEN); 2424 return NULL; 2425 } 2426 return session; 2427 } 2428 2429 2430 int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies, 2431 size_t ies_len) 2432 { 2433 struct ieee802_11_elems elems; 2434 2435 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) { 2436 wpa_printf(MSG_DEBUG, 2437 "FILS: Failed to parse decrypted elements"); 2438 return -1; 2439 } 2440 2441 if (!elems.fils_session) { 2442 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 2443 return -1; 2444 } 2445 2446 if (!elems.fils_key_confirm) { 2447 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element"); 2448 return -1; 2449 } 2450 2451 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) { 2452 wpa_printf(MSG_DEBUG, 2453 "FILS: Unexpected Key-Auth length %d (expected %d)", 2454 elems.fils_key_confirm_len, 2455 (int) sm->fils_key_auth_len); 2456 return -1; 2457 } 2458 2459 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta, 2460 sm->fils_key_auth_len) != 0) { 2461 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch"); 2462 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth", 2463 elems.fils_key_confirm, elems.fils_key_confirm_len); 2464 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth", 2465 sm->fils_key_auth_sta, sm->fils_key_auth_len); 2466 return -1; 2467 } 2468 2469 return 0; 2470 } 2471 2472 2473 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session, 2474 const struct ieee80211_mgmt *mgmt, size_t frame_len, 2475 u8 *pos, size_t left) 2476 { 2477 u16 fc, stype; 2478 const u8 *end, *ie_start, *ie, *session, *crypt; 2479 const u8 *aad[5]; 2480 size_t aad_len[5]; 2481 2482 if (!sm || !sm->PTK_valid) { 2483 wpa_printf(MSG_DEBUG, 2484 "FILS: No KEK to decrypt Assocication Request frame"); 2485 return -1; 2486 } 2487 2488 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2489 wpa_printf(MSG_DEBUG, 2490 "FILS: Not a FILS AKM - reject association"); 2491 return -1; 2492 } 2493 2494 end = ((const u8 *) mgmt) + frame_len; 2495 fc = le_to_host16(mgmt->frame_control); 2496 stype = WLAN_FC_GET_STYPE(fc); 2497 if (stype == WLAN_FC_STYPE_REASSOC_REQ) 2498 ie_start = mgmt->u.reassoc_req.variable; 2499 else 2500 ie_start = mgmt->u.assoc_req.variable; 2501 ie = ie_start; 2502 2503 /* 2504 * Find FILS Session element which is the last unencrypted element in 2505 * the frame. 2506 */ 2507 session = wpa_fils_validate_fils_session(sm, ie, end - ie, 2508 fils_session); 2509 if (!session) { 2510 wpa_printf(MSG_DEBUG, "FILS: Session validation failed"); 2511 return -1; 2512 } 2513 2514 crypt = session + 2 + session[1]; 2515 2516 if (end - crypt < AES_BLOCK_SIZE) { 2517 wpa_printf(MSG_DEBUG, 2518 "FILS: Too short frame to include AES-SIV data"); 2519 return -1; 2520 } 2521 2522 /* AES-SIV AAD vectors */ 2523 2524 /* The STA's MAC address */ 2525 aad[0] = mgmt->sa; 2526 aad_len[0] = ETH_ALEN; 2527 /* The AP's BSSID */ 2528 aad[1] = mgmt->da; 2529 aad_len[1] = ETH_ALEN; 2530 /* The STA's nonce */ 2531 aad[2] = sm->SNonce; 2532 aad_len[2] = FILS_NONCE_LEN; 2533 /* The AP's nonce */ 2534 aad[3] = sm->ANonce; 2535 aad_len[3] = FILS_NONCE_LEN; 2536 /* 2537 * The (Re)Association Request frame from the Capability Information 2538 * field to the FILS Session element (both inclusive). 2539 */ 2540 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info; 2541 aad_len[4] = crypt - aad[4]; 2542 2543 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt, 2544 5, aad, aad_len, pos + (crypt - ie_start)) < 0) { 2545 wpa_printf(MSG_DEBUG, 2546 "FILS: Invalid AES-SIV data in the frame"); 2547 return -1; 2548 } 2549 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements", 2550 pos, left - AES_BLOCK_SIZE); 2551 2552 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) { 2553 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed"); 2554 return -1; 2555 } 2556 2557 return left - AES_BLOCK_SIZE; 2558 } 2559 2560 2561 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf, 2562 size_t current_len, size_t max_len, 2563 const struct wpabuf *hlp) 2564 { 2565 u8 *end = buf + max_len; 2566 u8 *pos = buf + current_len; 2567 struct ieee80211_mgmt *mgmt; 2568 struct wpabuf *plain; 2569 const u8 *aad[5]; 2570 size_t aad_len[5]; 2571 2572 if (!sm || !sm->PTK_valid) 2573 return -1; 2574 2575 wpa_hexdump(MSG_DEBUG, 2576 "FILS: Association Response frame before FILS processing", 2577 buf, current_len); 2578 2579 mgmt = (struct ieee80211_mgmt *) buf; 2580 2581 /* AES-SIV AAD vectors */ 2582 2583 /* The AP's BSSID */ 2584 aad[0] = mgmt->sa; 2585 aad_len[0] = ETH_ALEN; 2586 /* The STA's MAC address */ 2587 aad[1] = mgmt->da; 2588 aad_len[1] = ETH_ALEN; 2589 /* The AP's nonce */ 2590 aad[2] = sm->ANonce; 2591 aad_len[2] = FILS_NONCE_LEN; 2592 /* The STA's nonce */ 2593 aad[3] = sm->SNonce; 2594 aad_len[3] = FILS_NONCE_LEN; 2595 /* 2596 * The (Re)Association Response frame from the Capability Information 2597 * field (the same offset in both Association and Reassociation 2598 * Response frames) to the FILS Session element (both inclusive). 2599 */ 2600 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info; 2601 aad_len[4] = pos - aad[4]; 2602 2603 /* The following elements will be encrypted with AES-SIV */ 2604 plain = fils_prepare_plainbuf(sm, hlp); 2605 if (!plain) { 2606 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed"); 2607 return -1; 2608 } 2609 2610 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) { 2611 wpa_printf(MSG_DEBUG, 2612 "FILS: Not enough room for FILS elements"); 2613 wpabuf_free(plain); 2614 return -1; 2615 } 2616 2617 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext", 2618 plain); 2619 2620 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, 2621 wpabuf_head(plain), wpabuf_len(plain), 2622 5, aad, aad_len, pos) < 0) { 2623 wpabuf_free(plain); 2624 return -1; 2625 } 2626 2627 wpa_hexdump(MSG_DEBUG, 2628 "FILS: Encrypted Association Response elements", 2629 pos, AES_BLOCK_SIZE + wpabuf_len(plain)); 2630 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE; 2631 wpabuf_free(plain); 2632 2633 sm->fils_completed = 1; 2634 2635 return current_len; 2636 } 2637 2638 2639 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, 2640 const struct wpabuf *hlp) 2641 { 2642 struct wpabuf *plain; 2643 u8 *len, *tmp, *tmp2; 2644 u8 hdr[2]; 2645 u8 *gtk, dummy_gtk[32]; 2646 size_t gtk_len; 2647 struct wpa_group *gsm; 2648 2649 plain = wpabuf_alloc(1000); 2650 if (!plain) 2651 return NULL; 2652 2653 /* TODO: FILS Public Key */ 2654 2655 /* FILS Key Confirmation */ 2656 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2657 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */ 2658 /* Element ID Extension */ 2659 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM); 2660 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len); 2661 2662 /* FILS HLP Container */ 2663 if (hlp) 2664 wpabuf_put_buf(plain, hlp); 2665 2666 /* TODO: FILS IP Address Assignment */ 2667 2668 /* Key Delivery */ 2669 gsm = sm->group; 2670 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2671 len = wpabuf_put(plain, 1); 2672 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY); 2673 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, 2674 wpabuf_put(plain, WPA_KEY_RSC_LEN)); 2675 /* GTK KDE */ 2676 gtk = gsm->GTK[gsm->GN - 1]; 2677 gtk_len = gsm->GTK_len; 2678 if (sm->wpa_auth->conf.disable_gtk || 2679 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 2680 /* 2681 * Provide unique random GTK to each STA to prevent use 2682 * of GTK in the BSS. 2683 */ 2684 if (random_get_bytes(dummy_gtk, gtk_len) < 0) { 2685 wpabuf_free(plain); 2686 return NULL; 2687 } 2688 gtk = dummy_gtk; 2689 } 2690 hdr[0] = gsm->GN & 0x03; 2691 hdr[1] = 0; 2692 tmp = wpabuf_put(plain, 0); 2693 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2694 gtk, gtk_len); 2695 wpabuf_put(plain, tmp2 - tmp); 2696 2697 /* IGTK KDE */ 2698 tmp = wpabuf_put(plain, 0); 2699 tmp2 = ieee80211w_kde_add(sm, tmp); 2700 wpabuf_put(plain, tmp2 - tmp); 2701 2702 *len = (u8 *) wpabuf_put(plain, 0) - len - 1; 2703 2704 #ifdef CONFIG_OCV 2705 if (wpa_auth_uses_ocv(sm)) { 2706 struct wpa_channel_info ci; 2707 u8 *pos; 2708 2709 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) { 2710 wpa_printf(MSG_WARNING, 2711 "FILS: Failed to get channel info for OCI element"); 2712 wpabuf_free(plain); 2713 return NULL; 2714 } 2715 2716 pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN); 2717 if (ocv_insert_extended_oci(&ci, pos) < 0) { 2718 wpabuf_free(plain); 2719 return NULL; 2720 } 2721 } 2722 #endif /* CONFIG_OCV */ 2723 2724 return plain; 2725 } 2726 2727 2728 int fils_set_tk(struct wpa_state_machine *sm) 2729 { 2730 enum wpa_alg alg; 2731 int klen; 2732 2733 if (!sm || !sm->PTK_valid) { 2734 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK"); 2735 return -1; 2736 } 2737 if (sm->tk_already_set) { 2738 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver"); 2739 return -1; 2740 } 2741 2742 alg = wpa_cipher_to_alg(sm->pairwise); 2743 klen = wpa_cipher_key_len(sm->pairwise); 2744 2745 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); 2746 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2747 sm->PTK.tk, klen)) { 2748 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); 2749 return -1; 2750 } 2751 sm->tk_already_set = TRUE; 2752 2753 return 0; 2754 } 2755 2756 2757 u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf, 2758 const u8 *fils_session, struct wpabuf *hlp) 2759 { 2760 struct wpabuf *plain; 2761 u8 *pos = buf; 2762 2763 /* FILS Session */ 2764 *pos++ = WLAN_EID_EXTENSION; /* Element ID */ 2765 *pos++ = 1 + FILS_SESSION_LEN; /* Length */ 2766 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */ 2767 os_memcpy(pos, fils_session, FILS_SESSION_LEN); 2768 pos += FILS_SESSION_LEN; 2769 2770 plain = fils_prepare_plainbuf(sm, hlp); 2771 if (!plain) { 2772 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed"); 2773 return NULL; 2774 } 2775 2776 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain)); 2777 pos += wpabuf_len(plain); 2778 2779 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__, 2780 (unsigned int) wpabuf_len(plain)); 2781 wpabuf_free(plain); 2782 sm->fils_completed = 1; 2783 return pos; 2784 } 2785 2786 #endif /* CONFIG_FILS */ 2787 2788 2789 #ifdef CONFIG_OCV 2790 int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth, 2791 int ap_seg1_idx, int *bandwidth, int *seg1_idx) 2792 { 2793 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2794 2795 if (!wpa_auth->cb->get_sta_tx_params) 2796 return -1; 2797 return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr, 2798 ap_max_chanwidth, ap_seg1_idx, 2799 bandwidth, seg1_idx); 2800 } 2801 #endif /* CONFIG_OCV */ 2802 2803 2804 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 2805 { 2806 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2807 struct wpa_ptk PTK; 2808 int ok = 0, psk_found = 0; 2809 const u8 *pmk = NULL; 2810 size_t pmk_len; 2811 int ft; 2812 const u8 *eapol_key_ie, *key_data, *mic; 2813 u16 key_data_length; 2814 size_t mic_len, eapol_key_ie_len; 2815 struct ieee802_1x_hdr *hdr; 2816 struct wpa_eapol_key *key; 2817 struct wpa_eapol_ie_parse kde; 2818 int vlan_id = 0; 2819 2820 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 2821 sm->EAPOLKeyReceived = FALSE; 2822 sm->update_snonce = FALSE; 2823 os_memset(&PTK, 0, sizeof(PTK)); 2824 2825 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 2826 2827 /* WPA with IEEE 802.1X: use the derived PMK from EAP 2828 * WPA-PSK: iterate through possible PSKs and select the one matching 2829 * the packet */ 2830 for (;;) { 2831 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 2832 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 2833 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 2834 sm->p2p_dev_addr, pmk, &pmk_len, 2835 &vlan_id); 2836 if (pmk == NULL) 2837 break; 2838 psk_found = 1; 2839 #ifdef CONFIG_IEEE80211R_AP 2840 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { 2841 os_memcpy(sm->xxkey, pmk, pmk_len); 2842 sm->xxkey_len = pmk_len; 2843 } 2844 #endif /* CONFIG_IEEE80211R_AP */ 2845 } else { 2846 pmk = sm->PMK; 2847 pmk_len = sm->pmk_len; 2848 } 2849 2850 if ((!pmk || !pmk_len) && sm->pmksa) { 2851 wpa_printf(MSG_DEBUG, "WPA: Use PMK from PMKSA cache"); 2852 pmk = sm->pmksa->pmk; 2853 pmk_len = sm->pmksa->pmk_len; 2854 } 2855 2856 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0) 2857 break; 2858 2859 if (mic_len && 2860 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK, 2861 sm->last_rx_eapol_key, 2862 sm->last_rx_eapol_key_len) == 0) { 2863 if (sm->PMK != pmk) { 2864 os_memcpy(sm->PMK, pmk, pmk_len); 2865 sm->pmk_len = pmk_len; 2866 } 2867 ok = 1; 2868 break; 2869 } 2870 2871 #ifdef CONFIG_FILS 2872 if (!mic_len && 2873 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key, 2874 sm->last_rx_eapol_key_len, NULL) == 0) { 2875 ok = 1; 2876 break; 2877 } 2878 #endif /* CONFIG_FILS */ 2879 2880 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 2881 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) 2882 break; 2883 } 2884 2885 if (!ok) { 2886 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2887 "invalid MIC in msg 2/4 of 4-Way Handshake"); 2888 if (psk_found) 2889 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr); 2890 return; 2891 } 2892 2893 /* 2894 * Note: last_rx_eapol_key length fields have already been validated in 2895 * wpa_receive(). 2896 */ 2897 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key; 2898 key = (struct wpa_eapol_key *) (hdr + 1); 2899 mic = (u8 *) (key + 1); 2900 key_data = mic + mic_len + 2; 2901 key_data_length = WPA_GET_BE16(mic + mic_len); 2902 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) - 2903 sizeof(*key) - mic_len - 2) 2904 return; 2905 2906 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 2907 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 2908 "received EAPOL-Key msg 2/4 with invalid Key Data contents"); 2909 return; 2910 } 2911 if (kde.rsn_ie) { 2912 eapol_key_ie = kde.rsn_ie; 2913 eapol_key_ie_len = kde.rsn_ie_len; 2914 } else if (kde.osen) { 2915 eapol_key_ie = kde.osen; 2916 eapol_key_ie_len = kde.osen_len; 2917 } else { 2918 eapol_key_ie = kde.wpa_ie; 2919 eapol_key_ie_len = kde.wpa_ie_len; 2920 } 2921 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt); 2922 if (sm->wpa_ie == NULL || 2923 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len, 2924 eapol_key_ie, eapol_key_ie_len)) { 2925 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 2926 "WPA IE from (Re)AssocReq did not match with msg 2/4"); 2927 if (sm->wpa_ie) { 2928 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 2929 sm->wpa_ie, sm->wpa_ie_len); 2930 } 2931 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 2932 eapol_key_ie, eapol_key_ie_len); 2933 /* MLME-DEAUTHENTICATE.request */ 2934 wpa_sta_disconnect(wpa_auth, sm->addr, 2935 WLAN_REASON_PREV_AUTH_NOT_VALID); 2936 return; 2937 } 2938 #ifdef CONFIG_OCV 2939 if (wpa_auth_uses_ocv(sm)) { 2940 struct wpa_channel_info ci; 2941 int tx_chanwidth; 2942 int tx_seg1_idx; 2943 2944 if (wpa_channel_info(wpa_auth, &ci) != 0) { 2945 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 2946 "Failed to get channel info to validate received OCI in EAPOL-Key 2/4"); 2947 return; 2948 } 2949 2950 if (get_sta_tx_parameters(sm, 2951 channel_width_to_int(ci.chanwidth), 2952 ci.seg1_idx, &tx_chanwidth, 2953 &tx_seg1_idx) < 0) 2954 return; 2955 2956 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci, 2957 tx_chanwidth, tx_seg1_idx) != 0) { 2958 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 2959 ocv_errorstr); 2960 return; 2961 } 2962 } 2963 #endif /* CONFIG_OCV */ 2964 #ifdef CONFIG_IEEE80211R_AP 2965 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 2966 wpa_sta_disconnect(wpa_auth, sm->addr, 2967 WLAN_REASON_PREV_AUTH_NOT_VALID); 2968 return; 2969 } 2970 #endif /* CONFIG_IEEE80211R_AP */ 2971 #ifdef CONFIG_P2P 2972 if (kde.ip_addr_req && kde.ip_addr_req[0] && 2973 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) { 2974 int idx; 2975 wpa_printf(MSG_DEBUG, 2976 "P2P: IP address requested in EAPOL-Key exchange"); 2977 idx = bitfield_get_first_zero(wpa_auth->ip_pool); 2978 if (idx >= 0) { 2979 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start); 2980 bitfield_set(wpa_auth->ip_pool, idx); 2981 WPA_PUT_BE32(sm->ip_addr, start + idx); 2982 wpa_printf(MSG_DEBUG, 2983 "P2P: Assigned IP address %u.%u.%u.%u to " 2984 MACSTR, sm->ip_addr[0], sm->ip_addr[1], 2985 sm->ip_addr[2], sm->ip_addr[3], 2986 MAC2STR(sm->addr)); 2987 } 2988 } 2989 #endif /* CONFIG_P2P */ 2990 2991 #ifdef CONFIG_IEEE80211R_AP 2992 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2993 /* 2994 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 2995 * with the value we derived. 2996 */ 2997 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name, 2998 WPA_PMK_NAME_LEN) != 0) { 2999 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3000 "PMKR1Name mismatch in FT 4-way " 3001 "handshake"); 3002 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 3003 "Supplicant", 3004 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 3005 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 3006 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 3007 return; 3008 } 3009 } 3010 #endif /* CONFIG_IEEE80211R_AP */ 3011 3012 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 3013 wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) { 3014 wpa_sta_disconnect(wpa_auth, sm->addr, 3015 WLAN_REASON_PREV_AUTH_NOT_VALID); 3016 return; 3017 } 3018 3019 sm->pending_1_of_4_timeout = 0; 3020 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 3021 3022 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 3023 /* PSK may have changed from the previous choice, so update 3024 * state machine data based on whatever PSK was selected here. 3025 */ 3026 os_memcpy(sm->PMK, pmk, PMK_LEN); 3027 sm->pmk_len = PMK_LEN; 3028 } 3029 3030 sm->MICVerified = TRUE; 3031 3032 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 3033 sm->PTK_valid = TRUE; 3034 } 3035 3036 3037 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 3038 { 3039 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 3040 sm->TimeoutCtr = 0; 3041 } 3042 3043 3044 #ifdef CONFIG_IEEE80211W 3045 3046 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 3047 { 3048 if (sm->mgmt_frame_prot) { 3049 size_t len; 3050 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 3051 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len; 3052 } 3053 3054 return 0; 3055 } 3056 3057 3058 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 3059 { 3060 struct wpa_igtk_kde igtk; 3061 struct wpa_group *gsm = sm->group; 3062 u8 rsc[WPA_KEY_RSC_LEN]; 3063 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 3064 3065 if (!sm->mgmt_frame_prot) 3066 return pos; 3067 3068 igtk.keyid[0] = gsm->GN_igtk; 3069 igtk.keyid[1] = 0; 3070 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 3071 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0) 3072 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 3073 else 3074 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); 3075 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len); 3076 if (sm->wpa_auth->conf.disable_gtk || 3077 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 3078 /* 3079 * Provide unique random IGTK to each STA to prevent use of 3080 * IGTK in the BSS. 3081 */ 3082 if (random_get_bytes(igtk.igtk, len) < 0) 3083 return pos; 3084 } 3085 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 3086 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len, 3087 NULL, 0); 3088 3089 return pos; 3090 } 3091 3092 #else /* CONFIG_IEEE80211W */ 3093 3094 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 3095 { 3096 return 0; 3097 } 3098 3099 3100 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 3101 { 3102 return pos; 3103 } 3104 3105 #endif /* CONFIG_IEEE80211W */ 3106 3107 3108 static int ocv_oci_len(struct wpa_state_machine *sm) 3109 { 3110 #ifdef CONFIG_OCV 3111 if (wpa_auth_uses_ocv(sm)) 3112 return OCV_OCI_KDE_LEN; 3113 #endif /* CONFIG_OCV */ 3114 return 0; 3115 } 3116 3117 static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos) 3118 { 3119 #ifdef CONFIG_OCV 3120 struct wpa_channel_info ci; 3121 3122 if (!wpa_auth_uses_ocv(sm)) 3123 return 0; 3124 3125 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) { 3126 wpa_printf(MSG_WARNING, 3127 "Failed to get channel info for OCI element"); 3128 return -1; 3129 } 3130 3131 return ocv_insert_oci_kde(&ci, argpos); 3132 #else /* CONFIG_OCV */ 3133 return 0; 3134 #endif /* CONFIG_OCV */ 3135 } 3136 3137 3138 SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 3139 { 3140 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 3141 size_t gtk_len, kde_len; 3142 struct wpa_group *gsm = sm->group; 3143 u8 *wpa_ie; 3144 int wpa_ie_len, secure, keyidx, encr = 0; 3145 3146 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 3147 sm->TimeoutEvt = FALSE; 3148 3149 sm->TimeoutCtr++; 3150 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3151 sm->TimeoutCtr > 1) { 3152 /* Do not allow retransmission of EAPOL-Key msg 3/4 */ 3153 return; 3154 } 3155 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 3156 /* No point in sending the EAPOL-Key - we will disconnect 3157 * immediately following this. */ 3158 return; 3159 } 3160 3161 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 3162 GTK[GN], IGTK, [FTIE], [TIE * 2]) 3163 */ 3164 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 3165 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 3166 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 3167 wpa_ie = sm->wpa_auth->wpa_ie; 3168 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 3169 if (sm->wpa == WPA_VERSION_WPA && 3170 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 3171 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 3172 /* WPA-only STA, remove RSN IE and possible MDIE */ 3173 wpa_ie = wpa_ie + wpa_ie[1] + 2; 3174 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 3175 wpa_ie = wpa_ie + wpa_ie[1] + 2; 3176 wpa_ie_len = wpa_ie[1] + 2; 3177 } 3178 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3179 "sending 3/4 msg of 4-Way Handshake"); 3180 if (sm->wpa == WPA_VERSION_WPA2) { 3181 /* WPA2 send GTK in the 4-way handshake */ 3182 secure = 1; 3183 gtk = gsm->GTK[gsm->GN - 1]; 3184 gtk_len = gsm->GTK_len; 3185 if (sm->wpa_auth->conf.disable_gtk || 3186 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 3187 /* 3188 * Provide unique random GTK to each STA to prevent use 3189 * of GTK in the BSS. 3190 */ 3191 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 3192 return; 3193 gtk = dummy_gtk; 3194 } 3195 keyidx = gsm->GN; 3196 _rsc = rsc; 3197 encr = 1; 3198 } else { 3199 /* WPA does not include GTK in msg 3/4 */ 3200 secure = 0; 3201 gtk = NULL; 3202 gtk_len = 0; 3203 keyidx = 0; 3204 _rsc = NULL; 3205 if (sm->rx_eapol_key_secure) { 3206 /* 3207 * It looks like Windows 7 supplicant tries to use 3208 * Secure bit in msg 2/4 after having reported Michael 3209 * MIC failure and it then rejects the 4-way handshake 3210 * if msg 3/4 does not set Secure bit. Work around this 3211 * by setting the Secure bit here even in the case of 3212 * WPA if the supplicant used it first. 3213 */ 3214 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3215 "STA used Secure bit in WPA msg 2/4 - " 3216 "set Secure for 3/4 as workaround"); 3217 secure = 1; 3218 } 3219 } 3220 3221 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm); 3222 if (gtk) 3223 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 3224 #ifdef CONFIG_IEEE80211R_AP 3225 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 3226 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 3227 kde_len += 300; /* FTIE + 2 * TIE */ 3228 } 3229 #endif /* CONFIG_IEEE80211R_AP */ 3230 #ifdef CONFIG_P2P 3231 if (WPA_GET_BE32(sm->ip_addr) > 0) 3232 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4; 3233 #endif /* CONFIG_P2P */ 3234 kde = os_malloc(kde_len); 3235 if (kde == NULL) 3236 return; 3237 3238 pos = kde; 3239 os_memcpy(pos, wpa_ie, wpa_ie_len); 3240 pos += wpa_ie_len; 3241 #ifdef CONFIG_IEEE80211R_AP 3242 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 3243 int res; 3244 size_t elen; 3245 3246 elen = pos - kde; 3247 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 3248 if (res < 0) { 3249 wpa_printf(MSG_ERROR, "FT: Failed to insert " 3250 "PMKR1Name into RSN IE in EAPOL-Key data"); 3251 os_free(kde); 3252 return; 3253 } 3254 pos -= wpa_ie_len; 3255 pos += elen; 3256 } 3257 #endif /* CONFIG_IEEE80211R_AP */ 3258 if (gtk) { 3259 u8 hdr[2]; 3260 hdr[0] = keyidx & 0x03; 3261 hdr[1] = 0; 3262 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 3263 gtk, gtk_len); 3264 } 3265 pos = ieee80211w_kde_add(sm, pos); 3266 if (ocv_oci_add(sm, &pos) < 0) { 3267 os_free(kde); 3268 return; 3269 } 3270 3271 #ifdef CONFIG_IEEE80211R_AP 3272 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 3273 int res; 3274 struct wpa_auth_config *conf; 3275 3276 conf = &sm->wpa_auth->conf; 3277 if (sm->assoc_resp_ftie && 3278 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 3279 os_memcpy(pos, sm->assoc_resp_ftie, 3280 2 + sm->assoc_resp_ftie[1]); 3281 res = 2 + sm->assoc_resp_ftie[1]; 3282 } else { 3283 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 3284 3285 res = wpa_write_ftie(conf, use_sha384, 3286 conf->r0_key_holder, 3287 conf->r0_key_holder_len, 3288 NULL, NULL, pos, 3289 kde + kde_len - pos, 3290 NULL, 0); 3291 } 3292 if (res < 0) { 3293 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 3294 "into EAPOL-Key Key Data"); 3295 os_free(kde); 3296 return; 3297 } 3298 pos += res; 3299 3300 /* TIE[ReassociationDeadline] (TU) */ 3301 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 3302 *pos++ = 5; 3303 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 3304 WPA_PUT_LE32(pos, conf->reassociation_deadline); 3305 pos += 4; 3306 3307 /* TIE[KeyLifetime] (seconds) */ 3308 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 3309 *pos++ = 5; 3310 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 3311 WPA_PUT_LE32(pos, conf->r0_key_lifetime); 3312 pos += 4; 3313 } 3314 #endif /* CONFIG_IEEE80211R_AP */ 3315 #ifdef CONFIG_P2P 3316 if (WPA_GET_BE32(sm->ip_addr) > 0) { 3317 u8 addr[3 * 4]; 3318 os_memcpy(addr, sm->ip_addr, 4); 3319 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4); 3320 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4); 3321 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC, 3322 addr, sizeof(addr), NULL, 0); 3323 } 3324 #endif /* CONFIG_P2P */ 3325 3326 wpa_send_eapol(sm->wpa_auth, sm, 3327 (secure ? WPA_KEY_INFO_SECURE : 0) | 3328 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 3329 WPA_KEY_INFO_MIC : 0) | 3330 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 3331 WPA_KEY_INFO_KEY_TYPE, 3332 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 3333 os_free(kde); 3334 } 3335 3336 3337 SM_STATE(WPA_PTK, PTKINITDONE) 3338 { 3339 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 3340 sm->EAPOLKeyReceived = FALSE; 3341 if (sm->Pair) { 3342 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 3343 int klen = wpa_cipher_key_len(sm->pairwise); 3344 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 3345 sm->PTK.tk, klen)) { 3346 wpa_sta_disconnect(sm->wpa_auth, sm->addr, 3347 WLAN_REASON_PREV_AUTH_NOT_VALID); 3348 return; 3349 } 3350 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 3351 sm->pairwise_set = TRUE; 3352 3353 wpa_auth_set_ptk_rekey_timer(sm); 3354 3355 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 3356 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 3357 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) { 3358 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 3359 WPA_EAPOL_authorized, 1); 3360 } 3361 } 3362 3363 if (0 /* IBSS == TRUE */) { 3364 sm->keycount++; 3365 if (sm->keycount == 2) { 3366 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 3367 WPA_EAPOL_portValid, 1); 3368 } 3369 } else { 3370 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 3371 1); 3372 } 3373 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 3374 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 3375 if (sm->wpa == WPA_VERSION_WPA) 3376 sm->PInitAKeys = TRUE; 3377 else 3378 sm->has_GTK = TRUE; 3379 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3380 "pairwise key handshake completed (%s)", 3381 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 3382 3383 #ifdef CONFIG_IEEE80211R_AP 3384 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 3385 #endif /* CONFIG_IEEE80211R_AP */ 3386 } 3387 3388 3389 SM_STEP(WPA_PTK) 3390 { 3391 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 3392 3393 if (sm->Init) 3394 SM_ENTER(WPA_PTK, INITIALIZE); 3395 else if (sm->Disconnect 3396 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 3397 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 3398 "WPA_PTK: sm->Disconnect"); 3399 SM_ENTER(WPA_PTK, DISCONNECT); 3400 } 3401 else if (sm->DeauthenticationRequest) 3402 SM_ENTER(WPA_PTK, DISCONNECTED); 3403 else if (sm->AuthenticationRequest) 3404 SM_ENTER(WPA_PTK, AUTHENTICATION); 3405 else if (sm->ReAuthenticationRequest) 3406 SM_ENTER(WPA_PTK, AUTHENTICATION2); 3407 else if (sm->PTKRequest) { 3408 if (wpa_auth_sm_ptk_update(sm) < 0) 3409 SM_ENTER(WPA_PTK, DISCONNECTED); 3410 else 3411 SM_ENTER(WPA_PTK, PTKSTART); 3412 } else switch (sm->wpa_ptk_state) { 3413 case WPA_PTK_INITIALIZE: 3414 break; 3415 case WPA_PTK_DISCONNECT: 3416 SM_ENTER(WPA_PTK, DISCONNECTED); 3417 break; 3418 case WPA_PTK_DISCONNECTED: 3419 SM_ENTER(WPA_PTK, INITIALIZE); 3420 break; 3421 case WPA_PTK_AUTHENTICATION: 3422 SM_ENTER(WPA_PTK, AUTHENTICATION2); 3423 break; 3424 case WPA_PTK_AUTHENTICATION2: 3425 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 3426 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 3427 WPA_EAPOL_keyRun) > 0) 3428 SM_ENTER(WPA_PTK, INITPMK); 3429 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 3430 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE 3431 /* FIX: && 802.1X::keyRun */) 3432 SM_ENTER(WPA_PTK, INITPSK); 3433 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) 3434 SM_ENTER(WPA_PTK, INITPMK); 3435 break; 3436 case WPA_PTK_INITPMK: 3437 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 3438 WPA_EAPOL_keyAvailable) > 0) { 3439 SM_ENTER(WPA_PTK, PTKSTART); 3440 #ifdef CONFIG_DPP 3441 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) { 3442 SM_ENTER(WPA_PTK, PTKSTART); 3443 #endif /* CONFIG_DPP */ 3444 } else { 3445 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3446 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3447 "INITPMK - keyAvailable = false"); 3448 SM_ENTER(WPA_PTK, DISCONNECT); 3449 } 3450 break; 3451 case WPA_PTK_INITPSK: 3452 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, 3453 NULL, NULL, NULL)) { 3454 SM_ENTER(WPA_PTK, PTKSTART); 3455 #ifdef CONFIG_SAE 3456 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) { 3457 SM_ENTER(WPA_PTK, PTKSTART); 3458 #endif /* CONFIG_SAE */ 3459 } else { 3460 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3461 "no PSK configured for the STA"); 3462 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3463 SM_ENTER(WPA_PTK, DISCONNECT); 3464 } 3465 break; 3466 case WPA_PTK_PTKSTART: 3467 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3468 sm->EAPOLKeyPairwise) 3469 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3470 else if (sm->TimeoutCtr > 3471 sm->wpa_auth->conf.wpa_pairwise_update_count) { 3472 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3473 wpa_auth_vlogger( 3474 sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3475 "PTKSTART: Retry limit %u reached", 3476 sm->wpa_auth->conf.wpa_pairwise_update_count); 3477 SM_ENTER(WPA_PTK, DISCONNECT); 3478 } else if (sm->TimeoutEvt) 3479 SM_ENTER(WPA_PTK, PTKSTART); 3480 break; 3481 case WPA_PTK_PTKCALCNEGOTIATING: 3482 if (sm->MICVerified) 3483 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 3484 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3485 sm->EAPOLKeyPairwise) 3486 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3487 else if (sm->TimeoutEvt) 3488 SM_ENTER(WPA_PTK, PTKSTART); 3489 break; 3490 case WPA_PTK_PTKCALCNEGOTIATING2: 3491 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3492 break; 3493 case WPA_PTK_PTKINITNEGOTIATING: 3494 if (sm->update_snonce) 3495 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3496 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3497 sm->EAPOLKeyPairwise && sm->MICVerified) 3498 SM_ENTER(WPA_PTK, PTKINITDONE); 3499 else if (sm->TimeoutCtr > 3500 sm->wpa_auth->conf.wpa_pairwise_update_count || 3501 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3502 sm->TimeoutCtr > 1)) { 3503 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3504 wpa_auth_vlogger( 3505 sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3506 "PTKINITNEGOTIATING: Retry limit %u reached", 3507 sm->wpa_auth->conf.wpa_pairwise_update_count); 3508 SM_ENTER(WPA_PTK, DISCONNECT); 3509 } else if (sm->TimeoutEvt) 3510 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3511 break; 3512 case WPA_PTK_PTKINITDONE: 3513 break; 3514 } 3515 } 3516 3517 3518 SM_STATE(WPA_PTK_GROUP, IDLE) 3519 { 3520 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 3521 if (sm->Init) { 3522 /* Init flag is not cleared here, so avoid busy 3523 * loop by claiming nothing changed. */ 3524 sm->changed = FALSE; 3525 } 3526 sm->GTimeoutCtr = 0; 3527 } 3528 3529 3530 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 3531 { 3532 u8 rsc[WPA_KEY_RSC_LEN]; 3533 struct wpa_group *gsm = sm->group; 3534 const u8 *kde; 3535 u8 *kde_buf = NULL, *pos, hdr[2]; 3536 size_t kde_len; 3537 u8 *gtk, dummy_gtk[32]; 3538 3539 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 3540 3541 sm->GTimeoutCtr++; 3542 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3543 sm->GTimeoutCtr > 1) { 3544 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */ 3545 return; 3546 } 3547 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) { 3548 /* No point in sending the EAPOL-Key - we will disconnect 3549 * immediately following this. */ 3550 return; 3551 } 3552 3553 if (sm->wpa == WPA_VERSION_WPA) 3554 sm->PInitAKeys = FALSE; 3555 sm->TimeoutEvt = FALSE; 3556 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 3557 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 3558 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 3559 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 3560 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3561 "sending 1/2 msg of Group Key Handshake"); 3562 3563 gtk = gsm->GTK[gsm->GN - 1]; 3564 if (sm->wpa_auth->conf.disable_gtk || 3565 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 3566 /* 3567 * Provide unique random GTK to each STA to prevent use 3568 * of GTK in the BSS. 3569 */ 3570 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 3571 return; 3572 gtk = dummy_gtk; 3573 } 3574 if (sm->wpa == WPA_VERSION_WPA2) { 3575 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 3576 ieee80211w_kde_len(sm) + ocv_oci_len(sm); 3577 kde_buf = os_malloc(kde_len); 3578 if (kde_buf == NULL) 3579 return; 3580 3581 kde = pos = kde_buf; 3582 hdr[0] = gsm->GN & 0x03; 3583 hdr[1] = 0; 3584 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 3585 gtk, gsm->GTK_len); 3586 pos = ieee80211w_kde_add(sm, pos); 3587 if (ocv_oci_add(sm, &pos) < 0) { 3588 os_free(kde_buf); 3589 return; 3590 } 3591 kde_len = pos - kde; 3592 } else { 3593 kde = gtk; 3594 kde_len = gsm->GTK_len; 3595 } 3596 3597 wpa_send_eapol(sm->wpa_auth, sm, 3598 WPA_KEY_INFO_SECURE | 3599 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 3600 WPA_KEY_INFO_MIC : 0) | 3601 WPA_KEY_INFO_ACK | 3602 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 3603 rsc, NULL, kde, kde_len, gsm->GN, 1); 3604 3605 os_free(kde_buf); 3606 } 3607 3608 3609 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 3610 { 3611 #ifdef CONFIG_OCV 3612 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 3613 const u8 *key_data, *mic; 3614 struct ieee802_1x_hdr *hdr; 3615 struct wpa_eapol_key *key; 3616 struct wpa_eapol_ie_parse kde; 3617 size_t mic_len; 3618 u16 key_data_length; 3619 #endif /* CONFIG_OCV */ 3620 3621 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 3622 sm->EAPOLKeyReceived = FALSE; 3623 3624 #ifdef CONFIG_OCV 3625 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 3626 3627 /* 3628 * Note: last_rx_eapol_key length fields have already been validated in 3629 * wpa_receive(). 3630 */ 3631 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key; 3632 key = (struct wpa_eapol_key *) (hdr + 1); 3633 mic = (u8 *) (key + 1); 3634 key_data = mic + mic_len + 2; 3635 key_data_length = WPA_GET_BE16(mic + mic_len); 3636 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) - 3637 sizeof(*key) - mic_len - 2) 3638 return; 3639 3640 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 3641 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 3642 "received EAPOL-Key group msg 2/2 with invalid Key Data contents"); 3643 return; 3644 } 3645 3646 if (wpa_auth_uses_ocv(sm)) { 3647 struct wpa_channel_info ci; 3648 int tx_chanwidth; 3649 int tx_seg1_idx; 3650 3651 if (wpa_channel_info(wpa_auth, &ci) != 0) { 3652 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 3653 "Failed to get channel info to validate received OCI in EAPOL-Key group 1/2"); 3654 return; 3655 } 3656 3657 if (get_sta_tx_parameters(sm, 3658 channel_width_to_int(ci.chanwidth), 3659 ci.seg1_idx, &tx_chanwidth, 3660 &tx_seg1_idx) < 0) 3661 return; 3662 3663 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci, 3664 tx_chanwidth, tx_seg1_idx) != 0) { 3665 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 3666 ocv_errorstr); 3667 return; 3668 } 3669 } 3670 #endif /* CONFIG_OCV */ 3671 3672 if (sm->GUpdateStationKeys) 3673 sm->group->GKeyDoneStations--; 3674 sm->GUpdateStationKeys = FALSE; 3675 sm->GTimeoutCtr = 0; 3676 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 3677 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3678 "group key handshake completed (%s)", 3679 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 3680 sm->has_GTK = TRUE; 3681 } 3682 3683 3684 SM_STATE(WPA_PTK_GROUP, KEYERROR) 3685 { 3686 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 3687 if (sm->GUpdateStationKeys) 3688 sm->group->GKeyDoneStations--; 3689 sm->GUpdateStationKeys = FALSE; 3690 sm->Disconnect = TRUE; 3691 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3692 "group key handshake failed (%s) after %u tries", 3693 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN", 3694 sm->wpa_auth->conf.wpa_group_update_count); 3695 } 3696 3697 3698 SM_STEP(WPA_PTK_GROUP) 3699 { 3700 if (sm->Init || sm->PtkGroupInit) { 3701 SM_ENTER(WPA_PTK_GROUP, IDLE); 3702 sm->PtkGroupInit = FALSE; 3703 } else switch (sm->wpa_ptk_group_state) { 3704 case WPA_PTK_GROUP_IDLE: 3705 if (sm->GUpdateStationKeys || 3706 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 3707 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 3708 break; 3709 case WPA_PTK_GROUP_REKEYNEGOTIATING: 3710 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3711 !sm->EAPOLKeyPairwise && sm->MICVerified) 3712 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 3713 else if (sm->GTimeoutCtr > 3714 sm->wpa_auth->conf.wpa_group_update_count || 3715 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3716 sm->GTimeoutCtr > 1)) 3717 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 3718 else if (sm->TimeoutEvt) 3719 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 3720 break; 3721 case WPA_PTK_GROUP_KEYERROR: 3722 SM_ENTER(WPA_PTK_GROUP, IDLE); 3723 break; 3724 case WPA_PTK_GROUP_REKEYESTABLISHED: 3725 SM_ENTER(WPA_PTK_GROUP, IDLE); 3726 break; 3727 } 3728 } 3729 3730 3731 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 3732 struct wpa_group *group) 3733 { 3734 int ret = 0; 3735 3736 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 3737 inc_byte_array(group->Counter, WPA_NONCE_LEN); 3738 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 3739 wpa_auth->addr, group->GNonce, 3740 group->GTK[group->GN - 1], group->GTK_len) < 0) 3741 ret = -1; 3742 wpa_hexdump_key(MSG_DEBUG, "GTK", 3743 group->GTK[group->GN - 1], group->GTK_len); 3744 3745 #ifdef CONFIG_IEEE80211W 3746 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3747 size_t len; 3748 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 3749 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 3750 inc_byte_array(group->Counter, WPA_NONCE_LEN); 3751 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 3752 wpa_auth->addr, group->GNonce, 3753 group->IGTK[group->GN_igtk - 4], len) < 0) 3754 ret = -1; 3755 wpa_hexdump_key(MSG_DEBUG, "IGTK", 3756 group->IGTK[group->GN_igtk - 4], len); 3757 } 3758 #endif /* CONFIG_IEEE80211W */ 3759 3760 return ret; 3761 } 3762 3763 3764 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 3765 struct wpa_group *group) 3766 { 3767 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3768 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 3769 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 3770 group->wpa_group_state = WPA_GROUP_GTK_INIT; 3771 3772 /* GTK[0..N] = 0 */ 3773 os_memset(group->GTK, 0, sizeof(group->GTK)); 3774 group->GN = 1; 3775 group->GM = 2; 3776 #ifdef CONFIG_IEEE80211W 3777 group->GN_igtk = 4; 3778 group->GM_igtk = 5; 3779 #endif /* CONFIG_IEEE80211W */ 3780 /* GTK[GN] = CalcGTK() */ 3781 wpa_gtk_update(wpa_auth, group); 3782 } 3783 3784 3785 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 3786 { 3787 if (ctx != NULL && ctx != sm->group) 3788 return 0; 3789 3790 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 3791 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3792 "Not in PTKINITDONE; skip Group Key update"); 3793 sm->GUpdateStationKeys = FALSE; 3794 return 0; 3795 } 3796 if (sm->GUpdateStationKeys) { 3797 /* 3798 * This should not really happen, so add a debug log entry. 3799 * Since we clear the GKeyDoneStations before the loop, the 3800 * station needs to be counted here anyway. 3801 */ 3802 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3803 "GUpdateStationKeys was already set when " 3804 "marking station for GTK rekeying"); 3805 } 3806 3807 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 3808 if (sm->is_wnmsleep) 3809 return 0; 3810 3811 sm->group->GKeyDoneStations++; 3812 sm->GUpdateStationKeys = TRUE; 3813 3814 wpa_sm_step(sm); 3815 return 0; 3816 } 3817 3818 3819 #ifdef CONFIG_WNM_AP 3820 /* update GTK when exiting WNM-Sleep Mode */ 3821 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 3822 { 3823 if (sm == NULL || sm->is_wnmsleep) 3824 return; 3825 3826 wpa_group_update_sta(sm, NULL); 3827 } 3828 3829 3830 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 3831 { 3832 if (sm) 3833 sm->is_wnmsleep = !!flag; 3834 } 3835 3836 3837 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 3838 { 3839 struct wpa_group *gsm = sm->group; 3840 u8 *start = pos; 3841 3842 /* 3843 * GTK subelement: 3844 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 3845 * Key[5..32] 3846 */ 3847 *pos++ = WNM_SLEEP_SUBELEM_GTK; 3848 *pos++ = 11 + gsm->GTK_len; 3849 /* Key ID in B0-B1 of Key Info */ 3850 WPA_PUT_LE16(pos, gsm->GN & 0x03); 3851 pos += 2; 3852 *pos++ = gsm->GTK_len; 3853 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 3854 return 0; 3855 pos += 8; 3856 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 3857 pos += gsm->GTK_len; 3858 3859 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 3860 gsm->GN); 3861 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 3862 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 3863 3864 return pos - start; 3865 } 3866 3867 3868 #ifdef CONFIG_IEEE80211W 3869 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 3870 { 3871 struct wpa_group *gsm = sm->group; 3872 u8 *start = pos; 3873 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 3874 3875 /* 3876 * IGTK subelement: 3877 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 3878 */ 3879 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 3880 *pos++ = 2 + 6 + len; 3881 WPA_PUT_LE16(pos, gsm->GN_igtk); 3882 pos += 2; 3883 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 3884 return 0; 3885 pos += 6; 3886 3887 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len); 3888 pos += len; 3889 3890 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 3891 gsm->GN_igtk); 3892 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 3893 gsm->IGTK[gsm->GN_igtk - 4], len); 3894 3895 return pos - start; 3896 } 3897 #endif /* CONFIG_IEEE80211W */ 3898 #endif /* CONFIG_WNM_AP */ 3899 3900 3901 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 3902 struct wpa_group *group) 3903 { 3904 int tmp; 3905 3906 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3907 "SETKEYS (VLAN-ID %d)", group->vlan_id); 3908 group->changed = TRUE; 3909 group->wpa_group_state = WPA_GROUP_SETKEYS; 3910 group->GTKReKey = FALSE; 3911 tmp = group->GM; 3912 group->GM = group->GN; 3913 group->GN = tmp; 3914 #ifdef CONFIG_IEEE80211W 3915 tmp = group->GM_igtk; 3916 group->GM_igtk = group->GN_igtk; 3917 group->GN_igtk = tmp; 3918 #endif /* CONFIG_IEEE80211W */ 3919 /* "GKeyDoneStations = GNoStations" is done in more robust way by 3920 * counting the STAs that are marked with GUpdateStationKeys instead of 3921 * including all STAs that could be in not-yet-completed state. */ 3922 wpa_gtk_update(wpa_auth, group); 3923 3924 if (group->GKeyDoneStations) { 3925 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 3926 "GKeyDoneStations=%d when starting new GTK rekey", 3927 group->GKeyDoneStations); 3928 group->GKeyDoneStations = 0; 3929 } 3930 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 3931 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 3932 group->GKeyDoneStations); 3933 } 3934 3935 3936 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 3937 struct wpa_group *group) 3938 { 3939 int ret = 0; 3940 3941 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 3942 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 3943 broadcast_ether_addr, group->GN, 3944 group->GTK[group->GN - 1], group->GTK_len) < 0) 3945 ret = -1; 3946 3947 #ifdef CONFIG_IEEE80211W 3948 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3949 enum wpa_alg alg; 3950 size_t len; 3951 3952 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher); 3953 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 3954 3955 if (ret == 0 && 3956 wpa_auth_set_key(wpa_auth, group->vlan_id, alg, 3957 broadcast_ether_addr, group->GN_igtk, 3958 group->IGTK[group->GN_igtk - 4], len) < 0) 3959 ret = -1; 3960 } 3961 #endif /* CONFIG_IEEE80211W */ 3962 3963 return ret; 3964 } 3965 3966 3967 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx) 3968 { 3969 if (sm->group == ctx) { 3970 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR 3971 " for discconnection due to fatal failure", 3972 MAC2STR(sm->addr)); 3973 sm->Disconnect = TRUE; 3974 } 3975 3976 return 0; 3977 } 3978 3979 3980 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth, 3981 struct wpa_group *group) 3982 { 3983 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE"); 3984 group->changed = TRUE; 3985 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE; 3986 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group); 3987 } 3988 3989 3990 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 3991 struct wpa_group *group) 3992 { 3993 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3994 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 3995 group->changed = TRUE; 3996 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 3997 3998 if (wpa_group_config_group_keys(wpa_auth, group) < 0) { 3999 wpa_group_fatal_failure(wpa_auth, group); 4000 return -1; 4001 } 4002 4003 return 0; 4004 } 4005 4006 4007 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 4008 struct wpa_group *group) 4009 { 4010 if (group->GInit) { 4011 wpa_group_gtk_init(wpa_auth, group); 4012 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) { 4013 /* Do not allow group operations */ 4014 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 4015 group->GTKAuthenticator) { 4016 wpa_group_setkeysdone(wpa_auth, group); 4017 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 4018 group->GTKReKey) { 4019 wpa_group_setkeys(wpa_auth, group); 4020 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 4021 if (group->GKeyDoneStations == 0) 4022 wpa_group_setkeysdone(wpa_auth, group); 4023 else if (group->GTKReKey) 4024 wpa_group_setkeys(wpa_auth, group); 4025 } 4026 } 4027 4028 4029 static int wpa_sm_step(struct wpa_state_machine *sm) 4030 { 4031 if (sm == NULL) 4032 return 0; 4033 4034 if (sm->in_step_loop) { 4035 /* This should not happen, but if it does, make sure we do not 4036 * end up freeing the state machine too early by exiting the 4037 * recursive call. */ 4038 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 4039 return 0; 4040 } 4041 4042 sm->in_step_loop = 1; 4043 do { 4044 if (sm->pending_deinit) 4045 break; 4046 4047 sm->changed = FALSE; 4048 sm->wpa_auth->group->changed = FALSE; 4049 4050 SM_STEP_RUN(WPA_PTK); 4051 if (sm->pending_deinit) 4052 break; 4053 SM_STEP_RUN(WPA_PTK_GROUP); 4054 if (sm->pending_deinit) 4055 break; 4056 wpa_group_sm_step(sm->wpa_auth, sm->group); 4057 } while (sm->changed || sm->wpa_auth->group->changed); 4058 sm->in_step_loop = 0; 4059 4060 if (sm->pending_deinit) { 4061 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 4062 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 4063 wpa_free_sta_sm(sm); 4064 return 1; 4065 } 4066 return 0; 4067 } 4068 4069 4070 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 4071 { 4072 struct wpa_state_machine *sm = eloop_ctx; 4073 wpa_sm_step(sm); 4074 } 4075 4076 4077 void wpa_auth_sm_notify(struct wpa_state_machine *sm) 4078 { 4079 if (sm == NULL) 4080 return; 4081 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 4082 } 4083 4084 4085 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 4086 { 4087 int tmp, i; 4088 struct wpa_group *group; 4089 4090 if (wpa_auth == NULL) 4091 return; 4092 4093 group = wpa_auth->group; 4094 4095 for (i = 0; i < 2; i++) { 4096 tmp = group->GM; 4097 group->GM = group->GN; 4098 group->GN = tmp; 4099 #ifdef CONFIG_IEEE80211W 4100 tmp = group->GM_igtk; 4101 group->GM_igtk = group->GN_igtk; 4102 group->GN_igtk = tmp; 4103 #endif /* CONFIG_IEEE80211W */ 4104 wpa_gtk_update(wpa_auth, group); 4105 wpa_group_config_group_keys(wpa_auth, group); 4106 } 4107 } 4108 4109 4110 static const char * wpa_bool_txt(int val) 4111 { 4112 return val ? "TRUE" : "FALSE"; 4113 } 4114 4115 4116 #define RSN_SUITE "%02x-%02x-%02x-%d" 4117 #define RSN_SUITE_ARG(s) \ 4118 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 4119 4120 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 4121 { 4122 int len = 0, ret; 4123 char pmkid_txt[PMKID_LEN * 2 + 1]; 4124 #ifdef CONFIG_RSN_PREAUTH 4125 const int preauth = 1; 4126 #else /* CONFIG_RSN_PREAUTH */ 4127 const int preauth = 0; 4128 #endif /* CONFIG_RSN_PREAUTH */ 4129 4130 if (wpa_auth == NULL) 4131 return len; 4132 4133 ret = os_snprintf(buf + len, buflen - len, 4134 "dot11RSNAOptionImplemented=TRUE\n" 4135 "dot11RSNAPreauthenticationImplemented=%s\n" 4136 "dot11RSNAEnabled=%s\n" 4137 "dot11RSNAPreauthenticationEnabled=%s\n", 4138 wpa_bool_txt(preauth), 4139 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 4140 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 4141 if (os_snprintf_error(buflen - len, ret)) 4142 return len; 4143 len += ret; 4144 4145 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 4146 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 4147 4148 ret = os_snprintf( 4149 buf + len, buflen - len, 4150 "dot11RSNAConfigVersion=%u\n" 4151 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 4152 /* FIX: dot11RSNAConfigGroupCipher */ 4153 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 4154 /* FIX: dot11RSNAConfigGroupRekeyTime */ 4155 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 4156 "dot11RSNAConfigGroupRekeyStrict=%u\n" 4157 "dot11RSNAConfigGroupUpdateCount=%u\n" 4158 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 4159 "dot11RSNAConfigGroupCipherSize=%u\n" 4160 "dot11RSNAConfigPMKLifetime=%u\n" 4161 "dot11RSNAConfigPMKReauthThreshold=%u\n" 4162 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 4163 "dot11RSNAConfigSATimeout=%u\n" 4164 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 4165 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 4166 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 4167 "dot11RSNAPMKIDUsed=%s\n" 4168 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 4169 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 4170 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 4171 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 4172 "dot11RSNA4WayHandshakeFailures=%u\n" 4173 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 4174 RSN_VERSION, 4175 !!wpa_auth->conf.wpa_strict_rekey, 4176 wpa_auth->conf.wpa_group_update_count, 4177 wpa_auth->conf.wpa_pairwise_update_count, 4178 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 4179 dot11RSNAConfigPMKLifetime, 4180 dot11RSNAConfigPMKReauthThreshold, 4181 dot11RSNAConfigSATimeout, 4182 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 4183 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 4184 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 4185 pmkid_txt, 4186 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 4187 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 4188 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 4189 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 4190 wpa_auth->dot11RSNA4WayHandshakeFailures); 4191 if (os_snprintf_error(buflen - len, ret)) 4192 return len; 4193 len += ret; 4194 4195 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 4196 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 4197 4198 /* Private MIB */ 4199 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 4200 wpa_auth->group->wpa_group_state); 4201 if (os_snprintf_error(buflen - len, ret)) 4202 return len; 4203 len += ret; 4204 4205 return len; 4206 } 4207 4208 4209 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 4210 { 4211 int len = 0, ret; 4212 u32 pairwise = 0; 4213 4214 if (sm == NULL) 4215 return 0; 4216 4217 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 4218 4219 /* dot11RSNAStatsEntry */ 4220 4221 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 4222 WPA_PROTO_RSN : WPA_PROTO_WPA, 4223 sm->pairwise); 4224 if (pairwise == 0) 4225 return 0; 4226 4227 ret = os_snprintf( 4228 buf + len, buflen - len, 4229 /* TODO: dot11RSNAStatsIndex */ 4230 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 4231 "dot11RSNAStatsVersion=1\n" 4232 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 4233 /* TODO: dot11RSNAStatsTKIPICVErrors */ 4234 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 4235 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 4236 /* TODO: dot11RSNAStatsCCMPReplays */ 4237 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 4238 /* TODO: dot11RSNAStatsTKIPReplays */, 4239 MAC2STR(sm->addr), 4240 RSN_SUITE_ARG(pairwise), 4241 sm->dot11RSNAStatsTKIPLocalMICFailures, 4242 sm->dot11RSNAStatsTKIPRemoteMICFailures); 4243 if (os_snprintf_error(buflen - len, ret)) 4244 return len; 4245 len += ret; 4246 4247 /* Private MIB */ 4248 ret = os_snprintf(buf + len, buflen - len, 4249 "hostapdWPAPTKState=%d\n" 4250 "hostapdWPAPTKGroupState=%d\n", 4251 sm->wpa_ptk_state, 4252 sm->wpa_ptk_group_state); 4253 if (os_snprintf_error(buflen - len, ret)) 4254 return len; 4255 len += ret; 4256 4257 return len; 4258 } 4259 4260 4261 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 4262 { 4263 if (wpa_auth) 4264 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 4265 } 4266 4267 4268 int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 4269 { 4270 return sm && sm->pairwise_set; 4271 } 4272 4273 4274 int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 4275 { 4276 return sm->pairwise; 4277 } 4278 4279 4280 const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len) 4281 { 4282 if (!sm) 4283 return NULL; 4284 *len = sm->pmk_len; 4285 return sm->PMK; 4286 } 4287 4288 4289 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 4290 { 4291 if (sm == NULL) 4292 return -1; 4293 return sm->wpa_key_mgmt; 4294 } 4295 4296 4297 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 4298 { 4299 if (sm == NULL) 4300 return 0; 4301 return sm->wpa; 4302 } 4303 4304 4305 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) 4306 { 4307 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 4308 return 0; 4309 return sm->tk_already_set; 4310 } 4311 4312 4313 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm) 4314 { 4315 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt)) 4316 return 0; 4317 return sm->tk_already_set; 4318 } 4319 4320 4321 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 4322 struct rsn_pmksa_cache_entry *entry) 4323 { 4324 if (sm == NULL || sm->pmksa != entry) 4325 return -1; 4326 sm->pmksa = NULL; 4327 return 0; 4328 } 4329 4330 4331 struct rsn_pmksa_cache_entry * 4332 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 4333 { 4334 return sm ? sm->pmksa : NULL; 4335 } 4336 4337 4338 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 4339 { 4340 if (sm) 4341 sm->dot11RSNAStatsTKIPLocalMICFailures++; 4342 } 4343 4344 4345 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 4346 { 4347 if (wpa_auth == NULL) 4348 return NULL; 4349 *len = wpa_auth->wpa_ie_len; 4350 return wpa_auth->wpa_ie; 4351 } 4352 4353 4354 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 4355 unsigned int pmk_len, 4356 int session_timeout, struct eapol_state_machine *eapol) 4357 { 4358 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 4359 sm->wpa_auth->conf.disable_pmksa_caching) 4360 return -1; 4361 4362 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 4363 if (pmk_len > PMK_LEN_SUITE_B_192) 4364 pmk_len = PMK_LEN_SUITE_B_192; 4365 } else if (pmk_len > PMK_LEN) { 4366 pmk_len = PMK_LEN; 4367 } 4368 4369 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL, 4370 sm->PTK.kck, sm->PTK.kck_len, 4371 sm->wpa_auth->addr, sm->addr, session_timeout, 4372 eapol, sm->wpa_key_mgmt)) 4373 return 0; 4374 4375 return -1; 4376 } 4377 4378 4379 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 4380 const u8 *pmk, size_t len, const u8 *sta_addr, 4381 int session_timeout, 4382 struct eapol_state_machine *eapol) 4383 { 4384 if (wpa_auth == NULL) 4385 return -1; 4386 4387 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL, 4388 NULL, 0, 4389 wpa_auth->addr, 4390 sta_addr, session_timeout, eapol, 4391 WPA_KEY_MGMT_IEEE8021X)) 4392 return 0; 4393 4394 return -1; 4395 } 4396 4397 4398 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, 4399 const u8 *pmk, const u8 *pmkid) 4400 { 4401 if (wpa_auth->conf.disable_pmksa_caching) 4402 return -1; 4403 4404 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid, 4405 NULL, 0, 4406 wpa_auth->addr, addr, 0, NULL, 4407 WPA_KEY_MGMT_SAE)) 4408 return 0; 4409 4410 return -1; 4411 } 4412 4413 4414 void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid) 4415 { 4416 os_memcpy(sm->pmkid, pmkid, PMKID_LEN); 4417 sm->pmkid_set = 1; 4418 } 4419 4420 4421 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr, 4422 const u8 *pmk, size_t pmk_len, const u8 *pmkid, 4423 int session_timeout, int akmp) 4424 { 4425 if (wpa_auth->conf.disable_pmksa_caching) 4426 return -1; 4427 4428 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid, 4429 NULL, 0, wpa_auth->addr, addr, session_timeout, 4430 NULL, akmp)) 4431 return 0; 4432 4433 return -1; 4434 } 4435 4436 4437 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 4438 const u8 *sta_addr) 4439 { 4440 struct rsn_pmksa_cache_entry *pmksa; 4441 4442 if (wpa_auth == NULL || wpa_auth->pmksa == NULL) 4443 return; 4444 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 4445 if (pmksa) { 4446 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 4447 MACSTR " based on request", MAC2STR(sta_addr)); 4448 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 4449 } 4450 } 4451 4452 4453 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf, 4454 size_t len) 4455 { 4456 if (!wpa_auth || !wpa_auth->pmksa) 4457 return 0; 4458 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len); 4459 } 4460 4461 4462 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth) 4463 { 4464 if (wpa_auth && wpa_auth->pmksa) 4465 pmksa_cache_auth_flush(wpa_auth->pmksa); 4466 } 4467 4468 4469 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL 4470 #ifdef CONFIG_MESH 4471 4472 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr, 4473 char *buf, size_t len) 4474 { 4475 if (!wpa_auth || !wpa_auth->pmksa) 4476 return 0; 4477 4478 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len); 4479 } 4480 4481 4482 struct rsn_pmksa_cache_entry * 4483 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk, 4484 const u8 *pmkid, int expiration) 4485 { 4486 struct rsn_pmksa_cache_entry *entry; 4487 struct os_reltime now; 4488 4489 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa, 4490 spa, 0, NULL, WPA_KEY_MGMT_SAE); 4491 if (!entry) 4492 return NULL; 4493 4494 os_get_reltime(&now); 4495 entry->expiration = now.sec + expiration; 4496 return entry; 4497 } 4498 4499 4500 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth, 4501 struct rsn_pmksa_cache_entry *entry) 4502 { 4503 int ret; 4504 4505 if (!wpa_auth || !wpa_auth->pmksa) 4506 return -1; 4507 4508 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry); 4509 if (ret < 0) 4510 wpa_printf(MSG_DEBUG, 4511 "RSN: Failed to store external PMKSA cache for " 4512 MACSTR, MAC2STR(entry->spa)); 4513 4514 return ret; 4515 } 4516 4517 #endif /* CONFIG_MESH */ 4518 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */ 4519 4520 4521 struct rsn_pmksa_cache_entry * 4522 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, 4523 const u8 *pmkid) 4524 { 4525 if (!wpa_auth || !wpa_auth->pmksa) 4526 return NULL; 4527 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid); 4528 } 4529 4530 4531 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa, 4532 struct wpa_state_machine *sm, 4533 struct wpa_authenticator *wpa_auth, 4534 u8 *pmkid, u8 *pmk) 4535 { 4536 if (!sm) 4537 return; 4538 4539 sm->pmksa = pmksa; 4540 os_memcpy(pmk, pmksa->pmk, PMK_LEN); 4541 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN); 4542 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN); 4543 } 4544 4545 4546 /* 4547 * Remove and free the group from wpa_authenticator. This is triggered by a 4548 * callback to make sure nobody is currently iterating the group list while it 4549 * gets modified. 4550 */ 4551 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 4552 struct wpa_group *group) 4553 { 4554 struct wpa_group *prev = wpa_auth->group; 4555 4556 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d", 4557 group->vlan_id); 4558 4559 while (prev) { 4560 if (prev->next == group) { 4561 /* This never frees the special first group as needed */ 4562 prev->next = group->next; 4563 os_free(group); 4564 break; 4565 } 4566 prev = prev->next; 4567 } 4568 4569 } 4570 4571 4572 /* Increase the reference counter for group */ 4573 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 4574 struct wpa_group *group) 4575 { 4576 /* Skip the special first group */ 4577 if (wpa_auth->group == group) 4578 return; 4579 4580 group->references++; 4581 } 4582 4583 4584 /* Decrease the reference counter and maybe free the group */ 4585 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 4586 struct wpa_group *group) 4587 { 4588 /* Skip the special first group */ 4589 if (wpa_auth->group == group) 4590 return; 4591 4592 group->references--; 4593 if (group->references) 4594 return; 4595 wpa_group_free(wpa_auth, group); 4596 } 4597 4598 4599 /* 4600 * Add a group that has its references counter set to zero. Caller needs to 4601 * call wpa_group_get() on the return value to mark the entry in use. 4602 */ 4603 static struct wpa_group * 4604 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4605 { 4606 struct wpa_group *group; 4607 4608 if (wpa_auth == NULL || wpa_auth->group == NULL) 4609 return NULL; 4610 4611 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 4612 vlan_id); 4613 group = wpa_group_init(wpa_auth, vlan_id, 0); 4614 if (group == NULL) 4615 return NULL; 4616 4617 group->next = wpa_auth->group->next; 4618 wpa_auth->group->next = group; 4619 4620 return group; 4621 } 4622 4623 4624 /* 4625 * Enforce that the group state machine for the VLAN is running, increase 4626 * reference counter as interface is up. References might have been increased 4627 * even if a negative value is returned. 4628 * Returns: -1 on error (group missing, group already failed); otherwise, 0 4629 */ 4630 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4631 { 4632 struct wpa_group *group; 4633 4634 if (wpa_auth == NULL) 4635 return 0; 4636 4637 group = wpa_auth->group; 4638 while (group) { 4639 if (group->vlan_id == vlan_id) 4640 break; 4641 group = group->next; 4642 } 4643 4644 if (group == NULL) { 4645 group = wpa_auth_add_group(wpa_auth, vlan_id); 4646 if (group == NULL) 4647 return -1; 4648 } 4649 4650 wpa_printf(MSG_DEBUG, 4651 "WPA: Ensure group state machine running for VLAN ID %d", 4652 vlan_id); 4653 4654 wpa_group_get(wpa_auth, group); 4655 group->num_setup_iface++; 4656 4657 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4658 return -1; 4659 4660 return 0; 4661 } 4662 4663 4664 /* 4665 * Decrease reference counter, expected to be zero afterwards. 4666 * returns: -1 on error (group not found, group in fail state) 4667 * -2 if wpa_group is still referenced 4668 * 0 else 4669 */ 4670 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4671 { 4672 struct wpa_group *group; 4673 int ret = 0; 4674 4675 if (wpa_auth == NULL) 4676 return 0; 4677 4678 group = wpa_auth->group; 4679 while (group) { 4680 if (group->vlan_id == vlan_id) 4681 break; 4682 group = group->next; 4683 } 4684 4685 if (group == NULL) 4686 return -1; 4687 4688 wpa_printf(MSG_DEBUG, 4689 "WPA: Try stopping group state machine for VLAN ID %d", 4690 vlan_id); 4691 4692 if (group->num_setup_iface <= 0) { 4693 wpa_printf(MSG_ERROR, 4694 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.", 4695 vlan_id); 4696 return -1; 4697 } 4698 group->num_setup_iface--; 4699 4700 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4701 ret = -1; 4702 4703 if (group->references > 1) { 4704 wpa_printf(MSG_DEBUG, 4705 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold", 4706 vlan_id); 4707 ret = -2; 4708 } 4709 4710 wpa_group_put(wpa_auth, group); 4711 4712 return ret; 4713 } 4714 4715 4716 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 4717 { 4718 struct wpa_group *group; 4719 4720 if (sm == NULL || sm->wpa_auth == NULL) 4721 return 0; 4722 4723 group = sm->wpa_auth->group; 4724 while (group) { 4725 if (group->vlan_id == vlan_id) 4726 break; 4727 group = group->next; 4728 } 4729 4730 if (group == NULL) { 4731 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 4732 if (group == NULL) 4733 return -1; 4734 } 4735 4736 if (sm->group == group) 4737 return 0; 4738 4739 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4740 return -1; 4741 4742 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 4743 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 4744 4745 wpa_group_get(sm->wpa_auth, group); 4746 wpa_group_put(sm->wpa_auth, sm->group); 4747 sm->group = group; 4748 4749 return 0; 4750 } 4751 4752 4753 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 4754 struct wpa_state_machine *sm, int ack) 4755 { 4756 if (wpa_auth == NULL || sm == NULL) 4757 return; 4758 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 4759 " ack=%d", MAC2STR(sm->addr), ack); 4760 if (sm->pending_1_of_4_timeout && ack) { 4761 /* 4762 * Some deployed supplicant implementations update their SNonce 4763 * for each EAPOL-Key 2/4 message even within the same 4-way 4764 * handshake and then fail to use the first SNonce when 4765 * deriving the PTK. This results in unsuccessful 4-way 4766 * handshake whenever the relatively short initial timeout is 4767 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 4768 * around this by increasing the timeout now that we know that 4769 * the station has received the frame. 4770 */ 4771 int timeout_ms = eapol_key_timeout_subseq; 4772 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 4773 "timeout by %u ms because of acknowledged frame", 4774 timeout_ms); 4775 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 4776 eloop_register_timeout(timeout_ms / 1000, 4777 (timeout_ms % 1000) * 1000, 4778 wpa_send_eapol_timeout, wpa_auth, sm); 4779 } 4780 4781 #ifdef CONFIG_TESTING_OPTIONS 4782 if (sm->eapol_status_cb) { 4783 sm->eapol_status_cb(sm->eapol_status_cb_ctx1, 4784 sm->eapol_status_cb_ctx2); 4785 sm->eapol_status_cb = NULL; 4786 } 4787 #endif /* CONFIG_TESTING_OPTIONS */ 4788 } 4789 4790 4791 int wpa_auth_uses_sae(struct wpa_state_machine *sm) 4792 { 4793 if (sm == NULL) 4794 return 0; 4795 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 4796 } 4797 4798 4799 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm) 4800 { 4801 if (sm == NULL) 4802 return 0; 4803 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; 4804 } 4805 4806 4807 #ifdef CONFIG_P2P 4808 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr) 4809 { 4810 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0) 4811 return -1; 4812 os_memcpy(addr, sm->ip_addr, 4); 4813 return 0; 4814 } 4815 #endif /* CONFIG_P2P */ 4816 4817 4818 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth, 4819 struct radius_das_attrs *attr) 4820 { 4821 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr); 4822 } 4823 4824 4825 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth) 4826 { 4827 struct wpa_group *group; 4828 4829 if (!wpa_auth) 4830 return; 4831 for (group = wpa_auth->group; group; group = group->next) 4832 wpa_group_config_group_keys(wpa_auth, group); 4833 } 4834 4835 4836 #ifdef CONFIG_FILS 4837 4838 struct wpa_auth_fils_iter_data { 4839 struct wpa_authenticator *auth; 4840 const u8 *cache_id; 4841 struct rsn_pmksa_cache_entry *pmksa; 4842 const u8 *spa; 4843 const u8 *pmkid; 4844 }; 4845 4846 4847 static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx) 4848 { 4849 struct wpa_auth_fils_iter_data *data = ctx; 4850 4851 if (a == data->auth || !a->conf.fils_cache_id_set || 4852 os_memcmp(a->conf.fils_cache_id, data->cache_id, 4853 FILS_CACHE_ID_LEN) != 0) 4854 return 0; 4855 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid); 4856 return data->pmksa != NULL; 4857 } 4858 4859 4860 struct rsn_pmksa_cache_entry * 4861 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth, 4862 const u8 *sta_addr, const u8 *pmkid) 4863 { 4864 struct wpa_auth_fils_iter_data idata; 4865 4866 if (!wpa_auth->conf.fils_cache_id_set) 4867 return NULL; 4868 idata.auth = wpa_auth; 4869 idata.cache_id = wpa_auth->conf.fils_cache_id; 4870 idata.pmksa = NULL; 4871 idata.spa = sta_addr; 4872 idata.pmkid = pmkid; 4873 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata); 4874 return idata.pmksa; 4875 } 4876 4877 4878 #ifdef CONFIG_IEEE80211R_AP 4879 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, int use_sha384, 4880 u8 *buf, size_t len) 4881 { 4882 struct wpa_auth_config *conf = &wpa_auth->conf; 4883 4884 return wpa_write_ftie(conf, use_sha384, conf->r0_key_holder, 4885 conf->r0_key_holder_len, 4886 NULL, NULL, buf, len, NULL, 0); 4887 } 4888 #endif /* CONFIG_IEEE80211R_AP */ 4889 4890 4891 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm, 4892 u8 *fils_anonce, u8 *fils_snonce, 4893 u8 *fils_kek, size_t *fils_kek_len) 4894 { 4895 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN); 4896 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN); 4897 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN); 4898 *fils_kek_len = sm->PTK.kek_len; 4899 } 4900 4901 4902 void wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine *sm, const u8 *pmk, 4903 size_t pmk_len, const u8 *pmkid) 4904 { 4905 os_memcpy(sm->PMK, pmk, pmk_len); 4906 sm->pmk_len = pmk_len; 4907 os_memcpy(sm->pmkid, pmkid, PMKID_LEN); 4908 sm->pmkid_set = 1; 4909 } 4910 4911 #endif /* CONFIG_FILS */ 4912 4913 4914 void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg) 4915 { 4916 if (sm) 4917 sm->auth_alg = auth_alg; 4918 } 4919 4920 4921 #ifdef CONFIG_DPP2 4922 void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z) 4923 { 4924 if (sm) { 4925 wpabuf_clear_free(sm->dpp_z); 4926 sm->dpp_z = z ? wpabuf_dup(z) : NULL; 4927 } 4928 } 4929 #endif /* CONFIG_DPP2 */ 4930 4931 4932 #ifdef CONFIG_TESTING_OPTIONS 4933 4934 int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce, 4935 void (*cb)(void *ctx1, void *ctx2), 4936 void *ctx1, void *ctx2) 4937 { 4938 const u8 *anonce = sm->ANonce; 4939 u8 anonce_buf[WPA_NONCE_LEN]; 4940 4941 if (change_anonce) { 4942 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN)) 4943 return -1; 4944 anonce = anonce_buf; 4945 } 4946 4947 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4948 "sending 1/4 msg of 4-Way Handshake (TESTING)"); 4949 wpa_send_eapol(sm->wpa_auth, sm, 4950 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 4951 anonce, NULL, 0, 0, 0); 4952 return 0; 4953 } 4954 4955 4956 int wpa_auth_resend_m3(struct wpa_state_machine *sm, 4957 void (*cb)(void *ctx1, void *ctx2), 4958 void *ctx1, void *ctx2) 4959 { 4960 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos; 4961 #ifdef CONFIG_IEEE80211W 4962 u8 *opos; 4963 #endif /* CONFIG_IEEE80211W */ 4964 size_t gtk_len, kde_len; 4965 struct wpa_group *gsm = sm->group; 4966 u8 *wpa_ie; 4967 int wpa_ie_len, secure, keyidx, encr = 0; 4968 4969 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 4970 GTK[GN], IGTK, [FTIE], [TIE * 2]) 4971 */ 4972 4973 /* Use 0 RSC */ 4974 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 4975 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 4976 wpa_ie = sm->wpa_auth->wpa_ie; 4977 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 4978 if (sm->wpa == WPA_VERSION_WPA && 4979 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 4980 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 4981 /* WPA-only STA, remove RSN IE and possible MDIE */ 4982 wpa_ie = wpa_ie + wpa_ie[1] + 2; 4983 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 4984 wpa_ie = wpa_ie + wpa_ie[1] + 2; 4985 wpa_ie_len = wpa_ie[1] + 2; 4986 } 4987 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4988 "sending 3/4 msg of 4-Way Handshake (TESTING)"); 4989 if (sm->wpa == WPA_VERSION_WPA2) { 4990 /* WPA2 send GTK in the 4-way handshake */ 4991 secure = 1; 4992 gtk = gsm->GTK[gsm->GN - 1]; 4993 gtk_len = gsm->GTK_len; 4994 keyidx = gsm->GN; 4995 _rsc = rsc; 4996 encr = 1; 4997 } else { 4998 /* WPA does not include GTK in msg 3/4 */ 4999 secure = 0; 5000 gtk = NULL; 5001 gtk_len = 0; 5002 keyidx = 0; 5003 _rsc = NULL; 5004 if (sm->rx_eapol_key_secure) { 5005 /* 5006 * It looks like Windows 7 supplicant tries to use 5007 * Secure bit in msg 2/4 after having reported Michael 5008 * MIC failure and it then rejects the 4-way handshake 5009 * if msg 3/4 does not set Secure bit. Work around this 5010 * by setting the Secure bit here even in the case of 5011 * WPA if the supplicant used it first. 5012 */ 5013 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 5014 "STA used Secure bit in WPA msg 2/4 - " 5015 "set Secure for 3/4 as workaround"); 5016 secure = 1; 5017 } 5018 } 5019 5020 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm); 5021 if (gtk) 5022 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 5023 #ifdef CONFIG_IEEE80211R_AP 5024 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 5025 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 5026 kde_len += 300; /* FTIE + 2 * TIE */ 5027 } 5028 #endif /* CONFIG_IEEE80211R_AP */ 5029 kde = os_malloc(kde_len); 5030 if (kde == NULL) 5031 return -1; 5032 5033 pos = kde; 5034 os_memcpy(pos, wpa_ie, wpa_ie_len); 5035 pos += wpa_ie_len; 5036 #ifdef CONFIG_IEEE80211R_AP 5037 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 5038 int res; 5039 size_t elen; 5040 5041 elen = pos - kde; 5042 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 5043 if (res < 0) { 5044 wpa_printf(MSG_ERROR, "FT: Failed to insert " 5045 "PMKR1Name into RSN IE in EAPOL-Key data"); 5046 os_free(kde); 5047 return -1; 5048 } 5049 pos -= wpa_ie_len; 5050 pos += elen; 5051 } 5052 #endif /* CONFIG_IEEE80211R_AP */ 5053 if (gtk) { 5054 u8 hdr[2]; 5055 hdr[0] = keyidx & 0x03; 5056 hdr[1] = 0; 5057 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 5058 gtk, gtk_len); 5059 } 5060 #ifdef CONFIG_IEEE80211W 5061 opos = pos; 5062 pos = ieee80211w_kde_add(sm, pos); 5063 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) { 5064 /* skip KDE header and keyid */ 5065 opos += 2 + RSN_SELECTOR_LEN + 2; 5066 os_memset(opos, 0, 6); /* clear PN */ 5067 } 5068 #endif /* CONFIG_IEEE80211W */ 5069 if (ocv_oci_add(sm, &pos) < 0) { 5070 os_free(kde); 5071 return -1; 5072 } 5073 5074 #ifdef CONFIG_IEEE80211R_AP 5075 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 5076 int res; 5077 struct wpa_auth_config *conf; 5078 5079 conf = &sm->wpa_auth->conf; 5080 if (sm->assoc_resp_ftie && 5081 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 5082 os_memcpy(pos, sm->assoc_resp_ftie, 5083 2 + sm->assoc_resp_ftie[1]); 5084 res = 2 + sm->assoc_resp_ftie[1]; 5085 } else { 5086 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 5087 5088 res = wpa_write_ftie(conf, use_sha384, 5089 conf->r0_key_holder, 5090 conf->r0_key_holder_len, 5091 NULL, NULL, pos, 5092 kde + kde_len - pos, 5093 NULL, 0); 5094 } 5095 if (res < 0) { 5096 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 5097 "into EAPOL-Key Key Data"); 5098 os_free(kde); 5099 return -1; 5100 } 5101 pos += res; 5102 5103 /* TIE[ReassociationDeadline] (TU) */ 5104 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 5105 *pos++ = 5; 5106 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 5107 WPA_PUT_LE32(pos, conf->reassociation_deadline); 5108 pos += 4; 5109 5110 /* TIE[KeyLifetime] (seconds) */ 5111 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 5112 *pos++ = 5; 5113 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 5114 WPA_PUT_LE32(pos, conf->r0_key_lifetime); 5115 pos += 4; 5116 } 5117 #endif /* CONFIG_IEEE80211R_AP */ 5118 5119 wpa_send_eapol(sm->wpa_auth, sm, 5120 (secure ? WPA_KEY_INFO_SECURE : 0) | 5121 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 5122 WPA_KEY_INFO_MIC : 0) | 5123 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 5124 WPA_KEY_INFO_KEY_TYPE, 5125 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 5126 os_free(kde); 5127 return 0; 5128 } 5129 5130 5131 int wpa_auth_resend_group_m1(struct wpa_state_machine *sm, 5132 void (*cb)(void *ctx1, void *ctx2), 5133 void *ctx1, void *ctx2) 5134 { 5135 u8 rsc[WPA_KEY_RSC_LEN]; 5136 struct wpa_group *gsm = sm->group; 5137 const u8 *kde; 5138 u8 *kde_buf = NULL, *pos, hdr[2]; 5139 #ifdef CONFIG_IEEE80211W 5140 u8 *opos; 5141 #endif /* CONFIG_IEEE80211W */ 5142 size_t kde_len; 5143 u8 *gtk; 5144 5145 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 5146 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 5147 /* Use 0 RSC */ 5148 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 5149 "sending 1/2 msg of Group Key Handshake (TESTING)"); 5150 5151 gtk = gsm->GTK[gsm->GN - 1]; 5152 if (sm->wpa == WPA_VERSION_WPA2) { 5153 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 5154 ieee80211w_kde_len(sm) + ocv_oci_len(sm); 5155 kde_buf = os_malloc(kde_len); 5156 if (kde_buf == NULL) 5157 return -1; 5158 5159 kde = pos = kde_buf; 5160 hdr[0] = gsm->GN & 0x03; 5161 hdr[1] = 0; 5162 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 5163 gtk, gsm->GTK_len); 5164 #ifdef CONFIG_IEEE80211W 5165 opos = pos; 5166 pos = ieee80211w_kde_add(sm, pos); 5167 if (pos - opos >= 5168 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) { 5169 /* skip KDE header and keyid */ 5170 opos += 2 + RSN_SELECTOR_LEN + 2; 5171 os_memset(opos, 0, 6); /* clear PN */ 5172 } 5173 #endif /* CONFIG_IEEE80211W */ 5174 if (ocv_oci_add(sm, &pos) < 0) { 5175 os_free(kde_buf); 5176 return -1; 5177 } 5178 kde_len = pos - kde; 5179 } else { 5180 kde = gtk; 5181 kde_len = gsm->GTK_len; 5182 } 5183 5184 sm->eapol_status_cb = cb; 5185 sm->eapol_status_cb_ctx1 = ctx1; 5186 sm->eapol_status_cb_ctx2 = ctx2; 5187 5188 wpa_send_eapol(sm->wpa_auth, sm, 5189 WPA_KEY_INFO_SECURE | 5190 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 5191 WPA_KEY_INFO_MIC : 0) | 5192 WPA_KEY_INFO_ACK | 5193 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 5194 rsc, NULL, kde, kde_len, gsm->GN, 1); 5195 5196 os_free(kde_buf); 5197 return 0; 5198 } 5199 5200 5201 int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth) 5202 { 5203 if (!wpa_auth) 5204 return -1; 5205 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 5206 return eloop_register_timeout(0, 0, wpa_rekey_gtk, wpa_auth, NULL); 5207 } 5208 5209 #endif /* CONFIG_TESTING_OPTIONS */ 5210