1 /* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2019, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/state_machine.h" 14 #include "utils/bitfield.h" 15 #include "common/ieee802_11_defs.h" 16 #include "common/ocv.h" 17 #include "crypto/aes.h" 18 #include "crypto/aes_wrap.h" 19 #include "crypto/aes_siv.h" 20 #include "crypto/crypto.h" 21 #include "crypto/sha1.h" 22 #include "crypto/sha256.h" 23 #include "crypto/sha384.h" 24 #include "crypto/random.h" 25 #include "eapol_auth/eapol_auth_sm.h" 26 #include "drivers/driver.h" 27 #include "ap_config.h" 28 #include "ieee802_11.h" 29 #include "wpa_auth.h" 30 #include "pmksa_cache_auth.h" 31 #include "wpa_auth_i.h" 32 #include "wpa_auth_ie.h" 33 34 #define STATE_MACHINE_DATA struct wpa_state_machine 35 #define STATE_MACHINE_DEBUG_PREFIX "WPA" 36 #define STATE_MACHINE_ADDR sm->addr 37 38 39 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 40 static int wpa_sm_step(struct wpa_state_machine *sm); 41 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK, 42 u8 *data, size_t data_len); 43 #ifdef CONFIG_FILS 44 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 45 u8 *buf, size_t buf_len, u16 *_key_data_len); 46 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, 47 const struct wpabuf *hlp); 48 #endif /* CONFIG_FILS */ 49 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 50 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 51 struct wpa_group *group); 52 static void wpa_request_new_ptk(struct wpa_state_machine *sm); 53 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 54 struct wpa_group *group); 55 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 56 struct wpa_group *group); 57 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 58 const u8 *pmk, unsigned int pmk_len, 59 struct wpa_ptk *ptk); 60 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 61 struct wpa_group *group); 62 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 63 struct wpa_group *group); 64 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 65 struct wpa_group *group); 66 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); 67 68 static const u32 eapol_key_timeout_first = 100; /* ms */ 69 static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 70 static const u32 eapol_key_timeout_first_group = 500; /* ms */ 71 static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */ 72 73 /* TODO: make these configurable */ 74 static const int dot11RSNAConfigPMKLifetime = 43200; 75 static const int dot11RSNAConfigPMKReauthThreshold = 70; 76 static const int dot11RSNAConfigSATimeout = 60; 77 78 79 static inline int wpa_auth_mic_failure_report( 80 struct wpa_authenticator *wpa_auth, const u8 *addr) 81 { 82 if (wpa_auth->cb->mic_failure_report) 83 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr); 84 return 0; 85 } 86 87 88 static inline void wpa_auth_psk_failure_report( 89 struct wpa_authenticator *wpa_auth, const u8 *addr) 90 { 91 if (wpa_auth->cb->psk_failure_report) 92 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr); 93 } 94 95 96 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 97 const u8 *addr, wpa_eapol_variable var, 98 int value) 99 { 100 if (wpa_auth->cb->set_eapol) 101 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value); 102 } 103 104 105 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 106 const u8 *addr, wpa_eapol_variable var) 107 { 108 if (wpa_auth->cb->get_eapol == NULL) 109 return -1; 110 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var); 111 } 112 113 114 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 115 const u8 *addr, 116 const u8 *p2p_dev_addr, 117 const u8 *prev_psk, size_t *psk_len, 118 int *vlan_id) 119 { 120 if (wpa_auth->cb->get_psk == NULL) 121 return NULL; 122 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr, 123 prev_psk, psk_len, vlan_id); 124 } 125 126 127 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 128 const u8 *addr, u8 *msk, size_t *len) 129 { 130 if (wpa_auth->cb->get_msk == NULL) 131 return -1; 132 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len); 133 } 134 135 136 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 137 int vlan_id, 138 enum wpa_alg alg, const u8 *addr, int idx, 139 u8 *key, size_t key_len) 140 { 141 if (wpa_auth->cb->set_key == NULL) 142 return -1; 143 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx, 144 key, key_len); 145 } 146 147 148 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 149 const u8 *addr, int idx, u8 *seq) 150 { 151 if (wpa_auth->cb->get_seqnum == NULL) 152 return -1; 153 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq); 154 } 155 156 157 static inline int 158 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 159 const u8 *data, size_t data_len, int encrypt) 160 { 161 if (wpa_auth->cb->send_eapol == NULL) 162 return -1; 163 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len, 164 encrypt); 165 } 166 167 168 #ifdef CONFIG_MESH 169 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth, 170 const u8 *addr) 171 { 172 if (wpa_auth->cb->start_ampe == NULL) 173 return -1; 174 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr); 175 } 176 #endif /* CONFIG_MESH */ 177 178 179 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 180 int (*cb)(struct wpa_state_machine *sm, void *ctx), 181 void *cb_ctx) 182 { 183 if (wpa_auth->cb->for_each_sta == NULL) 184 return 0; 185 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx); 186 } 187 188 189 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 190 int (*cb)(struct wpa_authenticator *a, void *ctx), 191 void *cb_ctx) 192 { 193 if (wpa_auth->cb->for_each_auth == NULL) 194 return 0; 195 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx); 196 } 197 198 199 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 200 logger_level level, const char *txt) 201 { 202 if (wpa_auth->cb->logger == NULL) 203 return; 204 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt); 205 } 206 207 208 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 209 logger_level level, const char *fmt, ...) 210 { 211 char *format; 212 int maxlen; 213 va_list ap; 214 215 if (wpa_auth->cb->logger == NULL) 216 return; 217 218 maxlen = os_strlen(fmt) + 100; 219 format = os_malloc(maxlen); 220 if (!format) 221 return; 222 223 va_start(ap, fmt); 224 vsnprintf(format, maxlen, fmt, ap); 225 va_end(ap); 226 227 wpa_auth_logger(wpa_auth, addr, level, format); 228 229 os_free(format); 230 } 231 232 233 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 234 const u8 *addr, u16 reason) 235 { 236 if (wpa_auth->cb->disconnect == NULL) 237 return; 238 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)", 239 MAC2STR(addr), reason); 240 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason); 241 } 242 243 244 #ifdef CONFIG_OCV 245 static int wpa_channel_info(struct wpa_authenticator *wpa_auth, 246 struct wpa_channel_info *ci) 247 { 248 if (!wpa_auth->cb->channel_info) 249 return -1; 250 return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci); 251 } 252 #endif /* CONFIG_OCV */ 253 254 255 static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth, 256 const u8 *addr, int vlan_id) 257 { 258 if (!wpa_auth->cb->update_vlan) 259 return -1; 260 return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id); 261 } 262 263 264 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 265 { 266 struct wpa_authenticator *wpa_auth = eloop_ctx; 267 268 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 269 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 270 "initialization."); 271 } else { 272 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 273 wpa_hexdump_key(MSG_DEBUG, "GMK", 274 wpa_auth->group->GMK, WPA_GMK_LEN); 275 } 276 277 if (wpa_auth->conf.wpa_gmk_rekey) { 278 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 279 wpa_rekey_gmk, wpa_auth, NULL); 280 } 281 } 282 283 284 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 285 { 286 struct wpa_authenticator *wpa_auth = eloop_ctx; 287 struct wpa_group *group, *next; 288 289 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 290 group = wpa_auth->group; 291 while (group) { 292 wpa_group_get(wpa_auth, group); 293 294 group->GTKReKey = TRUE; 295 do { 296 group->changed = FALSE; 297 wpa_group_sm_step(wpa_auth, group); 298 } while (group->changed); 299 300 next = group->next; 301 wpa_group_put(wpa_auth, group); 302 group = next; 303 } 304 305 if (wpa_auth->conf.wpa_group_rekey) { 306 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 307 0, wpa_rekey_gtk, wpa_auth, NULL); 308 } 309 } 310 311 312 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 313 { 314 struct wpa_authenticator *wpa_auth = eloop_ctx; 315 struct wpa_state_machine *sm = timeout_ctx; 316 317 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 318 wpa_request_new_ptk(sm); 319 wpa_sm_step(sm); 320 } 321 322 323 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 324 { 325 if (sm->pmksa == ctx) 326 sm->pmksa = NULL; 327 return 0; 328 } 329 330 331 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 332 void *ctx) 333 { 334 struct wpa_authenticator *wpa_auth = ctx; 335 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 336 } 337 338 339 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 340 struct wpa_group *group) 341 { 342 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 343 u8 rkey[32]; 344 unsigned long ptr; 345 346 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 347 return -1; 348 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 349 350 /* 351 * Counter = PRF-256(Random number, "Init Counter", 352 * Local MAC Address || Time) 353 */ 354 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 355 wpa_get_ntp_timestamp(buf + ETH_ALEN); 356 ptr = (unsigned long) group; 357 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 358 #ifdef TEST_FUZZ 359 os_memset(buf + ETH_ALEN, 0xab, 8); 360 os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr)); 361 #endif /* TEST_FUZZ */ 362 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 363 return -1; 364 365 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 366 group->Counter, WPA_NONCE_LEN) < 0) 367 return -1; 368 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 369 group->Counter, WPA_NONCE_LEN); 370 371 return 0; 372 } 373 374 375 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 376 int vlan_id, int delay_init) 377 { 378 struct wpa_group *group; 379 380 group = os_zalloc(sizeof(struct wpa_group)); 381 if (group == NULL) 382 return NULL; 383 384 group->GTKAuthenticator = TRUE; 385 group->vlan_id = vlan_id; 386 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 387 388 if (random_pool_ready() != 1) { 389 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 390 "for secure operations - update keys later when " 391 "the first station connects"); 392 } 393 394 /* 395 * Set initial GMK/Counter value here. The actual values that will be 396 * used in negotiations will be set once the first station tries to 397 * connect. This allows more time for collecting additional randomness 398 * on embedded devices. 399 */ 400 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 401 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 402 "initialization."); 403 os_free(group); 404 return NULL; 405 } 406 407 group->GInit = TRUE; 408 if (delay_init) { 409 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 410 "until Beacon frames have been configured"); 411 /* Initialization is completed in wpa_init_keys(). */ 412 } else { 413 wpa_group_sm_step(wpa_auth, group); 414 group->GInit = FALSE; 415 wpa_group_sm_step(wpa_auth, group); 416 } 417 418 return group; 419 } 420 421 422 /** 423 * wpa_init - Initialize WPA authenticator 424 * @addr: Authenticator address 425 * @conf: Configuration for WPA authenticator 426 * @cb: Callback functions for WPA authenticator 427 * Returns: Pointer to WPA authenticator data or %NULL on failure 428 */ 429 struct wpa_authenticator * wpa_init(const u8 *addr, 430 struct wpa_auth_config *conf, 431 const struct wpa_auth_callbacks *cb, 432 void *cb_ctx) 433 { 434 struct wpa_authenticator *wpa_auth; 435 436 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 437 if (wpa_auth == NULL) 438 return NULL; 439 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 440 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 441 wpa_auth->cb = cb; 442 wpa_auth->cb_ctx = cb_ctx; 443 444 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 445 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 446 os_free(wpa_auth); 447 return NULL; 448 } 449 450 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 451 if (wpa_auth->group == NULL) { 452 os_free(wpa_auth->wpa_ie); 453 os_free(wpa_auth); 454 return NULL; 455 } 456 457 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 458 wpa_auth); 459 if (wpa_auth->pmksa == NULL) { 460 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 461 os_free(wpa_auth->group); 462 os_free(wpa_auth->wpa_ie); 463 os_free(wpa_auth); 464 return NULL; 465 } 466 467 #ifdef CONFIG_IEEE80211R_AP 468 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 469 if (wpa_auth->ft_pmk_cache == NULL) { 470 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 471 os_free(wpa_auth->group); 472 os_free(wpa_auth->wpa_ie); 473 pmksa_cache_auth_deinit(wpa_auth->pmksa); 474 os_free(wpa_auth); 475 return NULL; 476 } 477 #endif /* CONFIG_IEEE80211R_AP */ 478 479 if (wpa_auth->conf.wpa_gmk_rekey) { 480 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 481 wpa_rekey_gmk, wpa_auth, NULL); 482 } 483 484 if (wpa_auth->conf.wpa_group_rekey) { 485 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 486 wpa_rekey_gtk, wpa_auth, NULL); 487 } 488 489 #ifdef CONFIG_P2P 490 if (WPA_GET_BE32(conf->ip_addr_start)) { 491 int count = WPA_GET_BE32(conf->ip_addr_end) - 492 WPA_GET_BE32(conf->ip_addr_start) + 1; 493 if (count > 1000) 494 count = 1000; 495 if (count > 0) 496 wpa_auth->ip_pool = bitfield_alloc(count); 497 } 498 #endif /* CONFIG_P2P */ 499 500 return wpa_auth; 501 } 502 503 504 int wpa_init_keys(struct wpa_authenticator *wpa_auth) 505 { 506 struct wpa_group *group = wpa_auth->group; 507 508 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 509 "keys"); 510 wpa_group_sm_step(wpa_auth, group); 511 group->GInit = FALSE; 512 wpa_group_sm_step(wpa_auth, group); 513 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 514 return -1; 515 return 0; 516 } 517 518 519 /** 520 * wpa_deinit - Deinitialize WPA authenticator 521 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 522 */ 523 void wpa_deinit(struct wpa_authenticator *wpa_auth) 524 { 525 struct wpa_group *group, *prev; 526 527 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 528 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 529 530 pmksa_cache_auth_deinit(wpa_auth->pmksa); 531 532 #ifdef CONFIG_IEEE80211R_AP 533 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 534 wpa_auth->ft_pmk_cache = NULL; 535 wpa_ft_deinit(wpa_auth); 536 #endif /* CONFIG_IEEE80211R_AP */ 537 538 #ifdef CONFIG_P2P 539 bitfield_free(wpa_auth->ip_pool); 540 #endif /* CONFIG_P2P */ 541 542 543 os_free(wpa_auth->wpa_ie); 544 545 group = wpa_auth->group; 546 while (group) { 547 prev = group; 548 group = group->next; 549 os_free(prev); 550 } 551 552 os_free(wpa_auth); 553 } 554 555 556 /** 557 * wpa_reconfig - Update WPA authenticator configuration 558 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 559 * @conf: Configuration for WPA authenticator 560 */ 561 int wpa_reconfig(struct wpa_authenticator *wpa_auth, 562 struct wpa_auth_config *conf) 563 { 564 struct wpa_group *group; 565 if (wpa_auth == NULL) 566 return 0; 567 568 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 569 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 570 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 571 return -1; 572 } 573 574 /* 575 * Reinitialize GTK to make sure it is suitable for the new 576 * configuration. 577 */ 578 group = wpa_auth->group; 579 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 580 group->GInit = TRUE; 581 wpa_group_sm_step(wpa_auth, group); 582 group->GInit = FALSE; 583 wpa_group_sm_step(wpa_auth, group); 584 585 return 0; 586 } 587 588 589 struct wpa_state_machine * 590 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 591 const u8 *p2p_dev_addr) 592 { 593 struct wpa_state_machine *sm; 594 595 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 596 return NULL; 597 598 sm = os_zalloc(sizeof(struct wpa_state_machine)); 599 if (sm == NULL) 600 return NULL; 601 os_memcpy(sm->addr, addr, ETH_ALEN); 602 if (p2p_dev_addr) 603 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 604 605 sm->wpa_auth = wpa_auth; 606 sm->group = wpa_auth->group; 607 wpa_group_get(sm->wpa_auth, sm->group); 608 609 return sm; 610 } 611 612 613 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 614 struct wpa_state_machine *sm) 615 { 616 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 617 return -1; 618 619 #ifdef CONFIG_IEEE80211R_AP 620 if (sm->ft_completed) { 621 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 622 "FT authentication already completed - do not " 623 "start 4-way handshake"); 624 /* Go to PTKINITDONE state to allow GTK rekeying */ 625 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 626 sm->Pair = TRUE; 627 return 0; 628 } 629 #endif /* CONFIG_IEEE80211R_AP */ 630 631 #ifdef CONFIG_FILS 632 if (sm->fils_completed) { 633 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 634 "FILS authentication already completed - do not start 4-way handshake"); 635 /* Go to PTKINITDONE state to allow GTK rekeying */ 636 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 637 sm->Pair = TRUE; 638 return 0; 639 } 640 #endif /* CONFIG_FILS */ 641 642 if (sm->started) { 643 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 644 sm->ReAuthenticationRequest = TRUE; 645 return wpa_sm_step(sm); 646 } 647 648 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 649 "start authentication"); 650 sm->started = 1; 651 652 sm->Init = TRUE; 653 if (wpa_sm_step(sm) == 1) 654 return 1; /* should not really happen */ 655 sm->Init = FALSE; 656 sm->AuthenticationRequest = TRUE; 657 return wpa_sm_step(sm); 658 } 659 660 661 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 662 { 663 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 664 * reassociates back to the same AP while the previous entry for the 665 * STA has not yet been removed. */ 666 if (sm == NULL) 667 return; 668 669 sm->wpa_key_mgmt = 0; 670 } 671 672 673 static void wpa_free_sta_sm(struct wpa_state_machine *sm) 674 { 675 #ifdef CONFIG_P2P 676 if (WPA_GET_BE32(sm->ip_addr)) { 677 u32 start; 678 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP " 679 "address %u.%u.%u.%u from " MACSTR, 680 sm->ip_addr[0], sm->ip_addr[1], 681 sm->ip_addr[2], sm->ip_addr[3], 682 MAC2STR(sm->addr)); 683 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start); 684 bitfield_clear(sm->wpa_auth->ip_pool, 685 WPA_GET_BE32(sm->ip_addr) - start); 686 } 687 #endif /* CONFIG_P2P */ 688 if (sm->GUpdateStationKeys) { 689 sm->group->GKeyDoneStations--; 690 sm->GUpdateStationKeys = FALSE; 691 } 692 #ifdef CONFIG_IEEE80211R_AP 693 os_free(sm->assoc_resp_ftie); 694 wpabuf_free(sm->ft_pending_req_ies); 695 #endif /* CONFIG_IEEE80211R_AP */ 696 os_free(sm->last_rx_eapol_key); 697 os_free(sm->wpa_ie); 698 wpa_group_put(sm->wpa_auth, sm->group); 699 #ifdef CONFIG_DPP2 700 wpabuf_clear_free(sm->dpp_z); 701 #endif /* CONFIG_DPP2 */ 702 bin_clear_free(sm, sizeof(*sm)); 703 } 704 705 706 void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 707 { 708 if (sm == NULL) 709 return; 710 711 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 712 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 713 "strict rekeying - force GTK rekey since STA " 714 "is leaving"); 715 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk, 716 sm->wpa_auth, NULL) == -1) 717 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 718 NULL); 719 } 720 721 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 722 sm->pending_1_of_4_timeout = 0; 723 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 724 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 725 #ifdef CONFIG_IEEE80211R_AP 726 wpa_ft_sta_deinit(sm); 727 #endif /* CONFIG_IEEE80211R_AP */ 728 if (sm->in_step_loop) { 729 /* Must not free state machine while wpa_sm_step() is running. 730 * Freeing will be completed in the end of wpa_sm_step(). */ 731 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 732 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 733 sm->pending_deinit = 1; 734 } else 735 wpa_free_sta_sm(sm); 736 } 737 738 739 static void wpa_request_new_ptk(struct wpa_state_machine *sm) 740 { 741 if (sm == NULL) 742 return; 743 744 sm->PTKRequest = TRUE; 745 sm->PTK_valid = 0; 746 } 747 748 749 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 750 const u8 *replay_counter) 751 { 752 int i; 753 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 754 if (!ctr[i].valid) 755 break; 756 if (os_memcmp(replay_counter, ctr[i].counter, 757 WPA_REPLAY_COUNTER_LEN) == 0) 758 return 1; 759 } 760 return 0; 761 } 762 763 764 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 765 const u8 *replay_counter) 766 { 767 int i; 768 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 769 if (ctr[i].valid && 770 (replay_counter == NULL || 771 os_memcmp(replay_counter, ctr[i].counter, 772 WPA_REPLAY_COUNTER_LEN) == 0)) 773 ctr[i].valid = FALSE; 774 } 775 } 776 777 778 #ifdef CONFIG_IEEE80211R_AP 779 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 780 struct wpa_state_machine *sm, 781 struct wpa_eapol_ie_parse *kde) 782 { 783 struct wpa_ie_data ie; 784 struct rsn_mdie *mdie; 785 786 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 787 ie.num_pmkid != 1 || ie.pmkid == NULL) { 788 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 789 "FT 4-way handshake message 2/4"); 790 return -1; 791 } 792 793 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 794 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 795 sm->sup_pmk_r1_name, PMKID_LEN); 796 797 if (!kde->mdie || !kde->ftie) { 798 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 799 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 800 return -1; 801 } 802 803 mdie = (struct rsn_mdie *) (kde->mdie + 2); 804 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 805 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 806 MOBILITY_DOMAIN_ID_LEN) != 0) { 807 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 808 return -1; 809 } 810 811 if (sm->assoc_resp_ftie && 812 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 813 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 814 2 + sm->assoc_resp_ftie[1]) != 0)) { 815 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 816 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 817 kde->ftie, kde->ftie_len); 818 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 819 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 820 return -1; 821 } 822 823 return 0; 824 } 825 #endif /* CONFIG_IEEE80211R_AP */ 826 827 828 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 829 struct wpa_state_machine *sm, int group) 830 { 831 /* Supplicant reported a Michael MIC error */ 832 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 833 "received EAPOL-Key Error Request " 834 "(STA detected Michael MIC failure (group=%d))", 835 group); 836 837 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 838 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 839 "ignore Michael MIC failure report since " 840 "group cipher is not TKIP"); 841 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 842 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 843 "ignore Michael MIC failure report since " 844 "pairwise cipher is not TKIP"); 845 } else { 846 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 847 return 1; /* STA entry was removed */ 848 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 849 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 850 } 851 852 /* 853 * Error report is not a request for a new key handshake, but since 854 * Authenticator may do it, let's change the keys now anyway. 855 */ 856 wpa_request_new_ptk(sm); 857 return 0; 858 } 859 860 861 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, 862 size_t data_len) 863 { 864 struct wpa_ptk PTK; 865 int ok = 0; 866 const u8 *pmk = NULL; 867 size_t pmk_len; 868 int vlan_id = 0; 869 870 os_memset(&PTK, 0, sizeof(PTK)); 871 for (;;) { 872 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 873 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 874 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 875 sm->p2p_dev_addr, pmk, &pmk_len, 876 &vlan_id); 877 if (pmk == NULL) 878 break; 879 #ifdef CONFIG_IEEE80211R_AP 880 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { 881 os_memcpy(sm->xxkey, pmk, pmk_len); 882 sm->xxkey_len = pmk_len; 883 } 884 #endif /* CONFIG_IEEE80211R_AP */ 885 } else { 886 pmk = sm->PMK; 887 pmk_len = sm->pmk_len; 888 } 889 890 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0) 891 break; 892 893 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK, 894 data, data_len) == 0) { 895 if (sm->PMK != pmk) { 896 os_memcpy(sm->PMK, pmk, pmk_len); 897 sm->pmk_len = pmk_len; 898 } 899 ok = 1; 900 break; 901 } 902 903 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 904 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) 905 break; 906 } 907 908 if (!ok) { 909 wpa_printf(MSG_DEBUG, 910 "WPA: Earlier SNonce did not result in matching MIC"); 911 return -1; 912 } 913 914 wpa_printf(MSG_DEBUG, 915 "WPA: Earlier SNonce resulted in matching MIC"); 916 sm->alt_snonce_valid = 0; 917 918 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 919 wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0) 920 return -1; 921 922 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN); 923 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 924 sm->PTK_valid = TRUE; 925 926 return 0; 927 } 928 929 930 void wpa_receive(struct wpa_authenticator *wpa_auth, 931 struct wpa_state_machine *sm, 932 u8 *data, size_t data_len) 933 { 934 struct ieee802_1x_hdr *hdr; 935 struct wpa_eapol_key *key; 936 u16 key_info, key_data_length; 937 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg; 938 char *msgtxt; 939 struct wpa_eapol_ie_parse kde; 940 const u8 *key_data; 941 size_t keyhdrlen, mic_len; 942 u8 *mic; 943 944 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 945 return; 946 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len); 947 948 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 949 keyhdrlen = sizeof(*key) + mic_len + 2; 950 951 if (data_len < sizeof(*hdr) + keyhdrlen) { 952 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame"); 953 return; 954 } 955 956 hdr = (struct ieee802_1x_hdr *) data; 957 key = (struct wpa_eapol_key *) (hdr + 1); 958 mic = (u8 *) (key + 1); 959 key_info = WPA_GET_BE16(key->key_info); 960 key_data = mic + mic_len + 2; 961 key_data_length = WPA_GET_BE16(mic + mic_len); 962 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 963 " key_info=0x%x type=%u mic_len=%u key_data_length=%u", 964 MAC2STR(sm->addr), key_info, key->type, 965 (unsigned int) mic_len, key_data_length); 966 wpa_hexdump(MSG_MSGDUMP, 967 "WPA: EAPOL-Key header (ending before Key MIC)", 968 key, sizeof(*key)); 969 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC", 970 mic, mic_len); 971 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) { 972 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 973 "key_data overflow (%d > %lu)", 974 key_data_length, 975 (unsigned long) (data_len - sizeof(*hdr) - 976 keyhdrlen)); 977 return; 978 } 979 980 if (sm->wpa == WPA_VERSION_WPA2) { 981 if (key->type == EAPOL_KEY_TYPE_WPA) { 982 /* 983 * Some deployed station implementations seem to send 984 * msg 4/4 with incorrect type value in WPA2 mode. 985 */ 986 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 987 "with unexpected WPA type in RSN mode"); 988 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 989 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 990 "unexpected type %d in RSN mode", 991 key->type); 992 return; 993 } 994 } else { 995 if (key->type != EAPOL_KEY_TYPE_WPA) { 996 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 997 "unexpected type %d in WPA mode", 998 key->type); 999 return; 1000 } 1001 } 1002 1003 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 1004 WPA_NONCE_LEN); 1005 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 1006 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1007 1008 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 1009 * are set */ 1010 1011 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 1012 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message"); 1013 return; 1014 } 1015 1016 if (key_info & WPA_KEY_INFO_REQUEST) { 1017 msg = REQUEST; 1018 msgtxt = "Request"; 1019 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 1020 msg = GROUP_2; 1021 msgtxt = "2/2 Group"; 1022 } else if (key_data_length == 0 || 1023 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && 1024 key_data_length == AES_BLOCK_SIZE)) { 1025 msg = PAIRWISE_4; 1026 msgtxt = "4/4 Pairwise"; 1027 } else { 1028 msg = PAIRWISE_2; 1029 msgtxt = "2/4 Pairwise"; 1030 } 1031 1032 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 1033 msg == GROUP_2) { 1034 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 1035 if (sm->pairwise == WPA_CIPHER_CCMP || 1036 sm->pairwise == WPA_CIPHER_GCMP) { 1037 if (wpa_use_cmac(sm->wpa_key_mgmt) && 1038 !wpa_use_akm_defined(sm->wpa_key_mgmt) && 1039 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1040 wpa_auth_logger(wpa_auth, sm->addr, 1041 LOGGER_WARNING, 1042 "advertised support for " 1043 "AES-128-CMAC, but did not " 1044 "use it"); 1045 return; 1046 } 1047 1048 if (!wpa_use_cmac(sm->wpa_key_mgmt) && 1049 !wpa_use_akm_defined(sm->wpa_key_mgmt) && 1050 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1051 wpa_auth_logger(wpa_auth, sm->addr, 1052 LOGGER_WARNING, 1053 "did not use HMAC-SHA1-AES " 1054 "with CCMP/GCMP"); 1055 return; 1056 } 1057 } 1058 1059 if (wpa_use_akm_defined(sm->wpa_key_mgmt) && 1060 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 1061 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1062 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases"); 1063 return; 1064 } 1065 } 1066 1067 if (key_info & WPA_KEY_INFO_REQUEST) { 1068 if (sm->req_replay_counter_used && 1069 os_memcmp(key->replay_counter, sm->req_replay_counter, 1070 WPA_REPLAY_COUNTER_LEN) <= 0) { 1071 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1072 "received EAPOL-Key request with " 1073 "replayed counter"); 1074 return; 1075 } 1076 } 1077 1078 if (!(key_info & WPA_KEY_INFO_REQUEST) && 1079 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 1080 int i; 1081 1082 if (msg == PAIRWISE_2 && 1083 wpa_replay_counter_valid(sm->prev_key_replay, 1084 key->replay_counter) && 1085 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1086 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 1087 { 1088 /* 1089 * Some supplicant implementations (e.g., Windows XP 1090 * WZC) update SNonce for each EAPOL-Key 2/4. This 1091 * breaks the workaround on accepting any of the 1092 * pending requests, so allow the SNonce to be updated 1093 * even if we have already sent out EAPOL-Key 3/4. 1094 */ 1095 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1096 "Process SNonce update from STA " 1097 "based on retransmitted EAPOL-Key " 1098 "1/4"); 1099 sm->update_snonce = 1; 1100 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN); 1101 sm->alt_snonce_valid = TRUE; 1102 os_memcpy(sm->alt_replay_counter, 1103 sm->key_replay[0].counter, 1104 WPA_REPLAY_COUNTER_LEN); 1105 goto continue_processing; 1106 } 1107 1108 if (msg == PAIRWISE_4 && sm->alt_snonce_valid && 1109 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1110 os_memcmp(key->replay_counter, sm->alt_replay_counter, 1111 WPA_REPLAY_COUNTER_LEN) == 0) { 1112 /* 1113 * Supplicant may still be using the old SNonce since 1114 * there was two EAPOL-Key 2/4 messages and they had 1115 * different SNonce values. 1116 */ 1117 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1118 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4"); 1119 goto continue_processing; 1120 } 1121 1122 if (msg == PAIRWISE_2 && 1123 wpa_replay_counter_valid(sm->prev_key_replay, 1124 key->replay_counter) && 1125 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 1126 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1127 "ignore retransmitted EAPOL-Key %s - " 1128 "SNonce did not change", msgtxt); 1129 } else { 1130 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1131 "received EAPOL-Key %s with " 1132 "unexpected replay counter", msgtxt); 1133 } 1134 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 1135 if (!sm->key_replay[i].valid) 1136 break; 1137 wpa_hexdump(MSG_DEBUG, "pending replay counter", 1138 sm->key_replay[i].counter, 1139 WPA_REPLAY_COUNTER_LEN); 1140 } 1141 wpa_hexdump(MSG_DEBUG, "received replay counter", 1142 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1143 return; 1144 } 1145 1146 continue_processing: 1147 #ifdef CONFIG_FILS 1148 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 && 1149 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1150 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1151 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame"); 1152 return; 1153 } 1154 #endif /* CONFIG_FILS */ 1155 1156 switch (msg) { 1157 case PAIRWISE_2: 1158 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 1159 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 1160 (!sm->update_snonce || 1161 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 1162 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1163 "received EAPOL-Key msg 2/4 in " 1164 "invalid state (%d) - dropped", 1165 sm->wpa_ptk_state); 1166 return; 1167 } 1168 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 1169 if (sm->group->reject_4way_hs_for_entropy) { 1170 /* 1171 * The system did not have enough entropy to generate 1172 * strong random numbers. Reject the first 4-way 1173 * handshake(s) and collect some entropy based on the 1174 * information from it. Once enough entropy is 1175 * available, the next atempt will trigger GMK/Key 1176 * Counter update and the station will be allowed to 1177 * continue. 1178 */ 1179 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 1180 "collect more entropy for random number " 1181 "generation"); 1182 random_mark_pool_ready(); 1183 wpa_sta_disconnect(wpa_auth, sm->addr, 1184 WLAN_REASON_PREV_AUTH_NOT_VALID); 1185 return; 1186 } 1187 break; 1188 case PAIRWISE_4: 1189 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1190 !sm->PTK_valid) { 1191 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1192 "received EAPOL-Key msg 4/4 in " 1193 "invalid state (%d) - dropped", 1194 sm->wpa_ptk_state); 1195 return; 1196 } 1197 break; 1198 case GROUP_2: 1199 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1200 || !sm->PTK_valid) { 1201 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1202 "received EAPOL-Key msg 2/2 in " 1203 "invalid state (%d) - dropped", 1204 sm->wpa_ptk_group_state); 1205 return; 1206 } 1207 break; 1208 case REQUEST: 1209 break; 1210 } 1211 1212 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1213 "received EAPOL-Key frame (%s)", msgtxt); 1214 1215 if (key_info & WPA_KEY_INFO_ACK) { 1216 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1217 "received invalid EAPOL-Key: Key Ack set"); 1218 return; 1219 } 1220 1221 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1222 !(key_info & WPA_KEY_INFO_MIC)) { 1223 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1224 "received invalid EAPOL-Key: Key MIC not set"); 1225 return; 1226 } 1227 1228 #ifdef CONFIG_FILS 1229 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1230 (key_info & WPA_KEY_INFO_MIC)) { 1231 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1232 "received invalid EAPOL-Key: Key MIC set"); 1233 return; 1234 } 1235 #endif /* CONFIG_FILS */ 1236 1237 sm->MICVerified = FALSE; 1238 if (sm->PTK_valid && !sm->update_snonce) { 1239 if (mic_len && 1240 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK, 1241 data, data_len) && 1242 (msg != PAIRWISE_4 || !sm->alt_snonce_valid || 1243 wpa_try_alt_snonce(sm, data, data_len))) { 1244 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1245 "received EAPOL-Key with invalid MIC"); 1246 #ifdef TEST_FUZZ 1247 wpa_printf(MSG_INFO, 1248 "TEST: Ignore Key MIC failure for fuzz testing"); 1249 goto continue_fuzz; 1250 #endif /* TEST_FUZZ */ 1251 return; 1252 } 1253 #ifdef CONFIG_FILS 1254 if (!mic_len && 1255 wpa_aead_decrypt(sm, &sm->PTK, data, data_len, 1256 &key_data_length) < 0) { 1257 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1258 "received EAPOL-Key with invalid MIC"); 1259 #ifdef TEST_FUZZ 1260 wpa_printf(MSG_INFO, 1261 "TEST: Ignore Key MIC failure for fuzz testing"); 1262 goto continue_fuzz; 1263 #endif /* TEST_FUZZ */ 1264 return; 1265 } 1266 #endif /* CONFIG_FILS */ 1267 #ifdef TEST_FUZZ 1268 continue_fuzz: 1269 #endif /* TEST_FUZZ */ 1270 sm->MICVerified = TRUE; 1271 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1272 sm->pending_1_of_4_timeout = 0; 1273 } 1274 1275 if (key_info & WPA_KEY_INFO_REQUEST) { 1276 if (sm->MICVerified) { 1277 sm->req_replay_counter_used = 1; 1278 os_memcpy(sm->req_replay_counter, key->replay_counter, 1279 WPA_REPLAY_COUNTER_LEN); 1280 } else { 1281 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1282 "received EAPOL-Key request with " 1283 "invalid MIC"); 1284 return; 1285 } 1286 1287 /* 1288 * TODO: should decrypt key data field if encryption was used; 1289 * even though MAC address KDE is not normally encrypted, 1290 * supplicant is allowed to encrypt it. 1291 */ 1292 if (key_info & WPA_KEY_INFO_ERROR) { 1293 if (wpa_receive_error_report( 1294 wpa_auth, sm, 1295 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1296 return; /* STA entry was removed */ 1297 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1298 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1299 "received EAPOL-Key Request for new " 1300 "4-Way Handshake"); 1301 wpa_request_new_ptk(sm); 1302 } else if (key_data_length > 0 && 1303 wpa_parse_kde_ies(key_data, key_data_length, 1304 &kde) == 0 && 1305 kde.mac_addr) { 1306 } else { 1307 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1308 "received EAPOL-Key Request for GTK " 1309 "rekeying"); 1310 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1311 wpa_rekey_gtk(wpa_auth, NULL); 1312 } 1313 } else { 1314 /* Do not allow the same key replay counter to be reused. */ 1315 wpa_replay_counter_mark_invalid(sm->key_replay, 1316 key->replay_counter); 1317 1318 if (msg == PAIRWISE_2) { 1319 /* 1320 * Maintain a copy of the pending EAPOL-Key frames in 1321 * case the EAPOL-Key frame was retransmitted. This is 1322 * needed to allow EAPOL-Key msg 2/4 reply to another 1323 * pending msg 1/4 to update the SNonce to work around 1324 * unexpected supplicant behavior. 1325 */ 1326 os_memcpy(sm->prev_key_replay, sm->key_replay, 1327 sizeof(sm->key_replay)); 1328 } else { 1329 os_memset(sm->prev_key_replay, 0, 1330 sizeof(sm->prev_key_replay)); 1331 } 1332 1333 /* 1334 * Make sure old valid counters are not accepted anymore and 1335 * do not get copied again. 1336 */ 1337 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1338 } 1339 1340 os_free(sm->last_rx_eapol_key); 1341 sm->last_rx_eapol_key = os_memdup(data, data_len); 1342 if (sm->last_rx_eapol_key == NULL) 1343 return; 1344 sm->last_rx_eapol_key_len = data_len; 1345 1346 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1347 sm->EAPOLKeyReceived = TRUE; 1348 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1349 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1350 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1351 wpa_sm_step(sm); 1352 } 1353 1354 1355 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1356 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1357 { 1358 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN]; 1359 u8 *pos; 1360 int ret = 0; 1361 1362 /* GTK = PRF-X(GMK, "Group key expansion", 1363 * AA || GNonce || Time || random data) 1364 * The example described in the IEEE 802.11 standard uses only AA and 1365 * GNonce as inputs here. Add some more entropy since this derivation 1366 * is done only at the Authenticator and as such, does not need to be 1367 * exactly same. 1368 */ 1369 os_memset(data, 0, sizeof(data)); 1370 os_memcpy(data, addr, ETH_ALEN); 1371 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1372 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1373 wpa_get_ntp_timestamp(pos); 1374 #ifdef TEST_FUZZ 1375 os_memset(pos, 0xef, 8); 1376 #endif /* TEST_FUZZ */ 1377 pos += 8; 1378 if (random_get_bytes(pos, gtk_len) < 0) 1379 ret = -1; 1380 1381 #ifdef CONFIG_SHA384 1382 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1383 gtk, gtk_len) < 0) 1384 ret = -1; 1385 #else /* CONFIG_SHA384 */ 1386 #ifdef CONFIG_SHA256 1387 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1388 gtk, gtk_len) < 0) 1389 ret = -1; 1390 #else /* CONFIG_SHA256 */ 1391 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1392 gtk, gtk_len) < 0) 1393 ret = -1; 1394 #endif /* CONFIG_SHA256 */ 1395 #endif /* CONFIG_SHA384 */ 1396 1397 return ret; 1398 } 1399 1400 1401 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1402 { 1403 struct wpa_authenticator *wpa_auth = eloop_ctx; 1404 struct wpa_state_machine *sm = timeout_ctx; 1405 1406 sm->pending_1_of_4_timeout = 0; 1407 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1408 sm->TimeoutEvt = TRUE; 1409 wpa_sm_step(sm); 1410 } 1411 1412 1413 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1414 struct wpa_state_machine *sm, int key_info, 1415 const u8 *key_rsc, const u8 *nonce, 1416 const u8 *kde, size_t kde_len, 1417 int keyidx, int encr, int force_version) 1418 { 1419 struct ieee802_1x_hdr *hdr; 1420 struct wpa_eapol_key *key; 1421 size_t len, mic_len, keyhdrlen; 1422 int alg; 1423 int key_data_len, pad_len = 0; 1424 u8 *buf, *pos; 1425 int version, pairwise; 1426 int i; 1427 u8 *key_mic, *key_data; 1428 1429 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 1430 keyhdrlen = sizeof(*key) + mic_len + 2; 1431 1432 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen; 1433 1434 if (force_version) 1435 version = force_version; 1436 else if (wpa_use_akm_defined(sm->wpa_key_mgmt)) 1437 version = WPA_KEY_INFO_TYPE_AKM_DEFINED; 1438 else if (wpa_use_cmac(sm->wpa_key_mgmt)) 1439 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1440 else if (sm->pairwise != WPA_CIPHER_TKIP) 1441 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1442 else 1443 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1444 1445 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1446 1447 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1448 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1449 "encr=%d)", 1450 version, 1451 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1452 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1453 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1454 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1455 pairwise, (unsigned long) kde_len, keyidx, encr); 1456 1457 key_data_len = kde_len; 1458 1459 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1460 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) || 1461 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1462 pad_len = key_data_len % 8; 1463 if (pad_len) 1464 pad_len = 8 - pad_len; 1465 key_data_len += pad_len + 8; 1466 } 1467 1468 len += key_data_len; 1469 if (!mic_len && encr) 1470 len += AES_BLOCK_SIZE; 1471 1472 hdr = os_zalloc(len); 1473 if (hdr == NULL) 1474 return; 1475 hdr->version = wpa_auth->conf.eapol_version; 1476 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1477 hdr->length = host_to_be16(len - sizeof(*hdr)); 1478 key = (struct wpa_eapol_key *) (hdr + 1); 1479 key_mic = (u8 *) (key + 1); 1480 key_data = ((u8 *) (hdr + 1)) + keyhdrlen; 1481 1482 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1483 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1484 key_info |= version; 1485 if (encr && sm->wpa == WPA_VERSION_WPA2) 1486 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1487 if (sm->wpa != WPA_VERSION_WPA2) 1488 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1489 WPA_PUT_BE16(key->key_info, key_info); 1490 1491 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1492 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise) 1493 WPA_PUT_BE16(key->key_length, 0); 1494 else 1495 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1496 1497 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1498 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1499 os_memcpy(sm->key_replay[i].counter, 1500 sm->key_replay[i - 1].counter, 1501 WPA_REPLAY_COUNTER_LEN); 1502 } 1503 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1504 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1505 WPA_REPLAY_COUNTER_LEN); 1506 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", 1507 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1508 sm->key_replay[0].valid = TRUE; 1509 1510 if (nonce) 1511 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1512 1513 if (key_rsc) 1514 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1515 1516 if (kde && !encr) { 1517 os_memcpy(key_data, kde, kde_len); 1518 WPA_PUT_BE16(key_mic + mic_len, kde_len); 1519 #ifdef CONFIG_FILS 1520 } else if (!mic_len && kde) { 1521 const u8 *aad[1]; 1522 size_t aad_len[1]; 1523 1524 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len); 1525 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1526 kde, kde_len); 1527 1528 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", 1529 sm->PTK.kek, sm->PTK.kek_len); 1530 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 1531 * to Key Data (exclusive). */ 1532 aad[0] = (u8 *) hdr; 1533 aad_len[0] = key_mic + 2 - (u8 *) hdr; 1534 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len, 1535 1, aad, aad_len, key_mic + 2) < 0) { 1536 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed"); 1537 return; 1538 } 1539 1540 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV", 1541 key_mic + 2, AES_BLOCK_SIZE + kde_len); 1542 #endif /* CONFIG_FILS */ 1543 } else if (encr && kde) { 1544 buf = os_zalloc(key_data_len); 1545 if (buf == NULL) { 1546 os_free(hdr); 1547 return; 1548 } 1549 pos = buf; 1550 os_memcpy(pos, kde, kde_len); 1551 pos += kde_len; 1552 1553 if (pad_len) 1554 *pos++ = 0xdd; 1555 1556 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1557 buf, key_data_len); 1558 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1559 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) || 1560 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1561 wpa_printf(MSG_DEBUG, 1562 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)", 1563 (unsigned int) sm->PTK.kek_len); 1564 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len, 1565 (key_data_len - 8) / 8, buf, key_data)) { 1566 os_free(hdr); 1567 os_free(buf); 1568 return; 1569 } 1570 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1571 #ifndef CONFIG_NO_RC4 1572 } else if (sm->PTK.kek_len == 16) { 1573 u8 ek[32]; 1574 1575 wpa_printf(MSG_DEBUG, 1576 "WPA: Encrypt Key Data using RC4"); 1577 os_memcpy(key->key_iv, 1578 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1579 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1580 os_memcpy(ek, key->key_iv, 16); 1581 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len); 1582 os_memcpy(key_data, buf, key_data_len); 1583 rc4_skip(ek, 32, 256, key_data, key_data_len); 1584 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1585 #endif /* CONFIG_NO_RC4 */ 1586 } else { 1587 os_free(hdr); 1588 os_free(buf); 1589 return; 1590 } 1591 os_free(buf); 1592 } 1593 1594 if (key_info & WPA_KEY_INFO_MIC) { 1595 if (!sm->PTK_valid || !mic_len) { 1596 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1597 "PTK not valid when sending EAPOL-Key " 1598 "frame"); 1599 os_free(hdr); 1600 return; 1601 } 1602 1603 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len, 1604 sm->wpa_key_mgmt, version, 1605 (u8 *) hdr, len, key_mic) < 0) { 1606 os_free(hdr); 1607 return; 1608 } 1609 #ifdef CONFIG_TESTING_OPTIONS 1610 if (!pairwise && 1611 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 && 1612 drand48() < 1613 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { 1614 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1615 "Corrupting group EAPOL-Key Key MIC"); 1616 key_mic[0]++; 1617 } 1618 #endif /* CONFIG_TESTING_OPTIONS */ 1619 } 1620 1621 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1622 1); 1623 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1624 sm->pairwise_set); 1625 os_free(hdr); 1626 } 1627 1628 1629 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1630 struct wpa_state_machine *sm, int key_info, 1631 const u8 *key_rsc, const u8 *nonce, 1632 const u8 *kde, size_t kde_len, 1633 int keyidx, int encr) 1634 { 1635 int timeout_ms; 1636 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1637 u32 ctr; 1638 1639 if (sm == NULL) 1640 return; 1641 1642 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1643 keyidx, encr, 0); 1644 1645 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1646 if (ctr == 1 && wpa_auth->conf.tx_status) 1647 timeout_ms = pairwise ? eapol_key_timeout_first : 1648 eapol_key_timeout_first_group; 1649 else 1650 timeout_ms = eapol_key_timeout_subseq; 1651 if (wpa_auth->conf.wpa_disable_eapol_key_retries && 1652 (!pairwise || (key_info & WPA_KEY_INFO_MIC))) 1653 timeout_ms = eapol_key_timeout_no_retrans; 1654 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1655 sm->pending_1_of_4_timeout = 1; 1656 #ifdef TEST_FUZZ 1657 timeout_ms = 1; 1658 #endif /* TEST_FUZZ */ 1659 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1660 "counter %u)", timeout_ms, ctr); 1661 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1662 wpa_send_eapol_timeout, wpa_auth, sm); 1663 } 1664 1665 1666 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK, 1667 u8 *data, size_t data_len) 1668 { 1669 struct ieee802_1x_hdr *hdr; 1670 struct wpa_eapol_key *key; 1671 u16 key_info; 1672 int ret = 0; 1673 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos; 1674 size_t mic_len = wpa_mic_len(akmp, pmk_len); 1675 1676 if (data_len < sizeof(*hdr) + sizeof(*key)) 1677 return -1; 1678 1679 hdr = (struct ieee802_1x_hdr *) data; 1680 key = (struct wpa_eapol_key *) (hdr + 1); 1681 mic_pos = (u8 *) (key + 1); 1682 key_info = WPA_GET_BE16(key->key_info); 1683 os_memcpy(mic, mic_pos, mic_len); 1684 os_memset(mic_pos, 0, mic_len); 1685 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp, 1686 key_info & WPA_KEY_INFO_TYPE_MASK, 1687 data, data_len, mic_pos) || 1688 os_memcmp_const(mic, mic_pos, mic_len) != 0) 1689 ret = -1; 1690 os_memcpy(mic_pos, mic, mic_len); 1691 return ret; 1692 } 1693 1694 1695 void wpa_remove_ptk(struct wpa_state_machine *sm) 1696 { 1697 sm->PTK_valid = FALSE; 1698 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1699 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 1700 0)) 1701 wpa_printf(MSG_DEBUG, 1702 "RSN: PTK removal from the driver failed"); 1703 sm->pairwise_set = FALSE; 1704 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1705 } 1706 1707 1708 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) 1709 { 1710 int remove_ptk = 1; 1711 1712 if (sm == NULL) 1713 return -1; 1714 1715 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1716 "event %d notification", event); 1717 1718 switch (event) { 1719 case WPA_AUTH: 1720 #ifdef CONFIG_MESH 1721 /* PTKs are derived through AMPE */ 1722 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) { 1723 /* not mesh */ 1724 break; 1725 } 1726 return 0; 1727 #endif /* CONFIG_MESH */ 1728 case WPA_ASSOC: 1729 break; 1730 case WPA_DEAUTH: 1731 case WPA_DISASSOC: 1732 sm->DeauthenticationRequest = TRUE; 1733 #ifdef CONFIG_IEEE80211R_AP 1734 os_memset(sm->PMK, 0, sizeof(sm->PMK)); 1735 sm->pmk_len = 0; 1736 os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); 1737 sm->xxkey_len = 0; 1738 #endif /* CONFIG_IEEE80211R_AP */ 1739 break; 1740 case WPA_REAUTH: 1741 case WPA_REAUTH_EAPOL: 1742 if (!sm->started) { 1743 /* 1744 * When using WPS, we may end up here if the STA 1745 * manages to re-associate without the previous STA 1746 * entry getting removed. Consequently, we need to make 1747 * sure that the WPA state machines gets initialized 1748 * properly at this point. 1749 */ 1750 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1751 "started - initialize now"); 1752 sm->started = 1; 1753 sm->Init = TRUE; 1754 if (wpa_sm_step(sm) == 1) 1755 return 1; /* should not really happen */ 1756 sm->Init = FALSE; 1757 sm->AuthenticationRequest = TRUE; 1758 break; 1759 } 1760 if (sm->GUpdateStationKeys) { 1761 /* 1762 * Reauthentication cancels the pending group key 1763 * update for this STA. 1764 */ 1765 sm->group->GKeyDoneStations--; 1766 sm->GUpdateStationKeys = FALSE; 1767 sm->PtkGroupInit = TRUE; 1768 } 1769 sm->ReAuthenticationRequest = TRUE; 1770 break; 1771 case WPA_ASSOC_FT: 1772 #ifdef CONFIG_IEEE80211R_AP 1773 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1774 "after association"); 1775 wpa_ft_install_ptk(sm); 1776 1777 /* Using FT protocol, not WPA auth state machine */ 1778 sm->ft_completed = 1; 1779 return 0; 1780 #else /* CONFIG_IEEE80211R_AP */ 1781 break; 1782 #endif /* CONFIG_IEEE80211R_AP */ 1783 case WPA_ASSOC_FILS: 1784 #ifdef CONFIG_FILS 1785 wpa_printf(MSG_DEBUG, 1786 "FILS: TK configuration after association"); 1787 fils_set_tk(sm); 1788 sm->fils_completed = 1; 1789 return 0; 1790 #else /* CONFIG_FILS */ 1791 break; 1792 #endif /* CONFIG_FILS */ 1793 case WPA_DRV_STA_REMOVED: 1794 sm->tk_already_set = FALSE; 1795 return 0; 1796 } 1797 1798 #ifdef CONFIG_IEEE80211R_AP 1799 sm->ft_completed = 0; 1800 #endif /* CONFIG_IEEE80211R_AP */ 1801 1802 #ifdef CONFIG_IEEE80211W 1803 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1804 remove_ptk = 0; 1805 #endif /* CONFIG_IEEE80211W */ 1806 #ifdef CONFIG_FILS 1807 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1808 (event == WPA_AUTH || event == WPA_ASSOC)) 1809 remove_ptk = 0; 1810 #endif /* CONFIG_FILS */ 1811 1812 if (remove_ptk) { 1813 sm->PTK_valid = FALSE; 1814 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1815 1816 if (event != WPA_REAUTH_EAPOL) 1817 wpa_remove_ptk(sm); 1818 } 1819 1820 if (sm->in_step_loop) { 1821 /* 1822 * wpa_sm_step() is already running - avoid recursive call to 1823 * it by making the existing loop process the new update. 1824 */ 1825 sm->changed = TRUE; 1826 return 0; 1827 } 1828 return wpa_sm_step(sm); 1829 } 1830 1831 1832 SM_STATE(WPA_PTK, INITIALIZE) 1833 { 1834 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1835 if (sm->Init) { 1836 /* Init flag is not cleared here, so avoid busy 1837 * loop by claiming nothing changed. */ 1838 sm->changed = FALSE; 1839 } 1840 1841 sm->keycount = 0; 1842 if (sm->GUpdateStationKeys) 1843 sm->group->GKeyDoneStations--; 1844 sm->GUpdateStationKeys = FALSE; 1845 if (sm->wpa == WPA_VERSION_WPA) 1846 sm->PInitAKeys = FALSE; 1847 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1848 * Local AA > Remote AA)) */) { 1849 sm->Pair = TRUE; 1850 } 1851 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1852 wpa_remove_ptk(sm); 1853 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1854 sm->TimeoutCtr = 0; 1855 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 1856 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 1857 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) { 1858 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1859 WPA_EAPOL_authorized, 0); 1860 } 1861 } 1862 1863 1864 SM_STATE(WPA_PTK, DISCONNECT) 1865 { 1866 u16 reason = sm->disconnect_reason; 1867 1868 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1869 sm->Disconnect = FALSE; 1870 sm->disconnect_reason = 0; 1871 if (!reason) 1872 reason = WLAN_REASON_PREV_AUTH_NOT_VALID; 1873 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason); 1874 } 1875 1876 1877 SM_STATE(WPA_PTK, DISCONNECTED) 1878 { 1879 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1880 sm->DeauthenticationRequest = FALSE; 1881 } 1882 1883 1884 SM_STATE(WPA_PTK, AUTHENTICATION) 1885 { 1886 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1887 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1888 sm->PTK_valid = FALSE; 1889 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1890 1); 1891 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1892 sm->AuthenticationRequest = FALSE; 1893 } 1894 1895 1896 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1897 struct wpa_group *group) 1898 { 1899 if (group->first_sta_seen) 1900 return; 1901 /* 1902 * System has run bit further than at the time hostapd was started 1903 * potentially very early during boot up. This provides better chances 1904 * of collecting more randomness on embedded systems. Re-initialize the 1905 * GMK and Counter here to improve their strength if there was not 1906 * enough entropy available immediately after system startup. 1907 */ 1908 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1909 "station"); 1910 if (random_pool_ready() != 1) { 1911 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1912 "to proceed - reject first 4-way handshake"); 1913 group->reject_4way_hs_for_entropy = TRUE; 1914 } else { 1915 group->first_sta_seen = TRUE; 1916 group->reject_4way_hs_for_entropy = FALSE; 1917 } 1918 1919 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 || 1920 wpa_gtk_update(wpa_auth, group) < 0 || 1921 wpa_group_config_group_keys(wpa_auth, group) < 0) { 1922 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed"); 1923 group->first_sta_seen = FALSE; 1924 group->reject_4way_hs_for_entropy = TRUE; 1925 } 1926 } 1927 1928 1929 SM_STATE(WPA_PTK, AUTHENTICATION2) 1930 { 1931 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1932 1933 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1934 sm->ReAuthenticationRequest = FALSE; 1935 1936 /* 1937 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1938 * ambiguous. The Authenticator state machine uses a counter that is 1939 * incremented by one for each 4-way handshake. However, the security 1940 * analysis of 4-way handshake points out that unpredictable nonces 1941 * help in preventing precomputation attacks. Instead of the state 1942 * machine definition, use an unpredictable nonce value here to provide 1943 * stronger protection against potential precomputation attacks. 1944 */ 1945 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1946 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1947 "ANonce."); 1948 sm->Disconnect = TRUE; 1949 return; 1950 } 1951 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1952 WPA_NONCE_LEN); 1953 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1954 * logical place than INITIALIZE since AUTHENTICATION2 can be 1955 * re-entered on ReAuthenticationRequest without going through 1956 * INITIALIZE. */ 1957 sm->TimeoutCtr = 0; 1958 } 1959 1960 1961 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) 1962 { 1963 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1964 wpa_printf(MSG_ERROR, 1965 "WPA: Failed to get random data for ANonce"); 1966 sm->Disconnect = TRUE; 1967 return -1; 1968 } 1969 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, 1970 WPA_NONCE_LEN); 1971 sm->TimeoutCtr = 0; 1972 return 0; 1973 } 1974 1975 1976 SM_STATE(WPA_PTK, INITPMK) 1977 { 1978 u8 msk[2 * PMK_LEN]; 1979 size_t len = 2 * PMK_LEN; 1980 1981 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1982 #ifdef CONFIG_IEEE80211R_AP 1983 sm->xxkey_len = 0; 1984 #endif /* CONFIG_IEEE80211R_AP */ 1985 if (sm->pmksa) { 1986 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1987 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 1988 sm->pmk_len = sm->pmksa->pmk_len; 1989 #ifdef CONFIG_DPP 1990 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) { 1991 wpa_printf(MSG_DEBUG, 1992 "DPP: No PMKSA cache entry for STA - reject connection"); 1993 sm->Disconnect = TRUE; 1994 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID; 1995 return; 1996 #endif /* CONFIG_DPP */ 1997 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1998 unsigned int pmk_len; 1999 2000 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) 2001 pmk_len = PMK_LEN_SUITE_B_192; 2002 else 2003 pmk_len = PMK_LEN; 2004 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 2005 "(MSK len=%lu PMK len=%u)", (unsigned long) len, 2006 pmk_len); 2007 if (len < pmk_len) { 2008 wpa_printf(MSG_DEBUG, 2009 "WPA: MSK not long enough (%u) to create PMK (%u)", 2010 (unsigned int) len, (unsigned int) pmk_len); 2011 sm->Disconnect = TRUE; 2012 return; 2013 } 2014 os_memcpy(sm->PMK, msk, pmk_len); 2015 sm->pmk_len = pmk_len; 2016 #ifdef CONFIG_IEEE80211R_AP 2017 if (len >= 2 * PMK_LEN) { 2018 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 2019 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN); 2020 sm->xxkey_len = SHA384_MAC_LEN; 2021 } else { 2022 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 2023 sm->xxkey_len = PMK_LEN; 2024 } 2025 } 2026 #endif /* CONFIG_IEEE80211R_AP */ 2027 } else { 2028 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p", 2029 sm->wpa_auth->cb->get_msk); 2030 sm->Disconnect = TRUE; 2031 return; 2032 } 2033 os_memset(msk, 0, sizeof(msk)); 2034 2035 sm->req_replay_counter_used = 0; 2036 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 2037 * will break reauthentication since EAPOL state machines may not be 2038 * get into AUTHENTICATING state that clears keyRun before WPA state 2039 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 2040 * state and takes PMK from the previously used AAA Key. This will 2041 * eventually fail in 4-Way Handshake because Supplicant uses PMK 2042 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 2043 * be good workaround for this issue. */ 2044 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 2045 } 2046 2047 2048 SM_STATE(WPA_PTK, INITPSK) 2049 { 2050 const u8 *psk; 2051 size_t psk_len; 2052 2053 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 2054 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL, 2055 &psk_len, NULL); 2056 if (psk) { 2057 os_memcpy(sm->PMK, psk, psk_len); 2058 sm->pmk_len = psk_len; 2059 #ifdef CONFIG_IEEE80211R_AP 2060 os_memcpy(sm->xxkey, psk, PMK_LEN); 2061 sm->xxkey_len = PMK_LEN; 2062 #endif /* CONFIG_IEEE80211R_AP */ 2063 } 2064 #ifdef CONFIG_SAE 2065 if (wpa_auth_uses_sae(sm) && sm->pmksa) { 2066 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache"); 2067 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 2068 sm->pmk_len = sm->pmksa->pmk_len; 2069 #ifdef CONFIG_IEEE80211R_AP 2070 os_memcpy(sm->xxkey, sm->pmksa->pmk, sm->pmksa->pmk_len); 2071 sm->xxkey_len = sm->pmksa->pmk_len; 2072 #endif /* CONFIG_IEEE80211R_AP */ 2073 } 2074 #endif /* CONFIG_SAE */ 2075 sm->req_replay_counter_used = 0; 2076 } 2077 2078 2079 SM_STATE(WPA_PTK, PTKSTART) 2080 { 2081 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 2082 size_t pmkid_len = 0; 2083 2084 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 2085 sm->PTKRequest = FALSE; 2086 sm->TimeoutEvt = FALSE; 2087 sm->alt_snonce_valid = FALSE; 2088 2089 sm->TimeoutCtr++; 2090 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 2091 /* No point in sending the EAPOL-Key - we will disconnect 2092 * immediately following this. */ 2093 return; 2094 } 2095 2096 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2097 "sending 1/4 msg of 4-Way Handshake"); 2098 /* 2099 * For infrastructure BSS cases, it is better for the AP not to include 2100 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate 2101 * offline search for the passphrase/PSK without having to be able to 2102 * capture a 4-way handshake from a STA that has access to the network. 2103 * 2104 * For IBSS cases, addition of PMKID KDE could be considered even with 2105 * WPA2-PSK cases that use multiple PSKs, but only if there is a single 2106 * possible PSK for this STA. However, this should not be done unless 2107 * there is support for using that information on the supplicant side. 2108 * The concern about exposing PMKID unnecessarily in infrastructure BSS 2109 * cases would also apply here, but at least in the IBSS case, this 2110 * would cover a potential real use case. 2111 */ 2112 if (sm->wpa == WPA_VERSION_WPA2 && 2113 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) || 2114 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) || 2115 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) && 2116 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) { 2117 pmkid = buf; 2118 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 2119 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 2120 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 2121 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 2122 if (sm->pmksa) { 2123 wpa_hexdump(MSG_DEBUG, 2124 "RSN: Message 1/4 PMKID from PMKSA entry", 2125 sm->pmksa->pmkid, PMKID_LEN); 2126 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2127 sm->pmksa->pmkid, PMKID_LEN); 2128 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) { 2129 /* No KCK available to derive PMKID */ 2130 wpa_printf(MSG_DEBUG, 2131 "RSN: No KCK available to derive PMKID for message 1/4"); 2132 pmkid = NULL; 2133 #ifdef CONFIG_SAE 2134 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 2135 if (sm->pmkid_set) { 2136 wpa_hexdump(MSG_DEBUG, 2137 "RSN: Message 1/4 PMKID from SAE", 2138 sm->pmkid, PMKID_LEN); 2139 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2140 sm->pmkid, PMKID_LEN); 2141 } else { 2142 /* No PMKID available */ 2143 wpa_printf(MSG_DEBUG, 2144 "RSN: No SAE PMKID available for message 1/4"); 2145 pmkid = NULL; 2146 } 2147 #endif /* CONFIG_SAE */ 2148 } else { 2149 /* 2150 * Calculate PMKID since no PMKSA cache entry was 2151 * available with pre-calculated PMKID. 2152 */ 2153 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr, 2154 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 2155 sm->wpa_key_mgmt); 2156 wpa_hexdump(MSG_DEBUG, 2157 "RSN: Message 1/4 PMKID derived from PMK", 2158 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN); 2159 } 2160 } 2161 wpa_send_eapol(sm->wpa_auth, sm, 2162 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 2163 sm->ANonce, pmkid, pmkid_len, 0, 0); 2164 } 2165 2166 2167 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 2168 const u8 *pmk, unsigned int pmk_len, 2169 struct wpa_ptk *ptk) 2170 { 2171 const u8 *z = NULL; 2172 size_t z_len = 0; 2173 2174 #ifdef CONFIG_IEEE80211R_AP 2175 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 2176 return wpa_auth_derive_ptk_ft(sm, pmk, ptk); 2177 #endif /* CONFIG_IEEE80211R_AP */ 2178 2179 #ifdef CONFIG_DPP2 2180 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) { 2181 z = wpabuf_head(sm->dpp_z); 2182 z_len = wpabuf_len(sm->dpp_z); 2183 } 2184 #endif /* CONFIG_DPP2 */ 2185 2186 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion", 2187 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce, 2188 ptk, sm->wpa_key_mgmt, sm->pairwise, z, z_len); 2189 } 2190 2191 2192 #ifdef CONFIG_FILS 2193 2194 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, 2195 size_t pmk_len, const u8 *snonce, const u8 *anonce, 2196 const u8 *dhss, size_t dhss_len, 2197 struct wpabuf *g_sta, struct wpabuf *g_ap) 2198 { 2199 u8 ick[FILS_ICK_MAX_LEN]; 2200 size_t ick_len; 2201 int res; 2202 u8 fils_ft[FILS_FT_MAX_LEN]; 2203 size_t fils_ft_len = 0; 2204 2205 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr, 2206 snonce, anonce, dhss, dhss_len, 2207 &sm->PTK, ick, &ick_len, 2208 sm->wpa_key_mgmt, sm->pairwise, 2209 fils_ft, &fils_ft_len); 2210 if (res < 0) 2211 return res; 2212 sm->PTK_valid = TRUE; 2213 sm->tk_already_set = FALSE; 2214 2215 #ifdef CONFIG_IEEE80211R_AP 2216 if (fils_ft_len) { 2217 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2218 struct wpa_auth_config *conf = &wpa_auth->conf; 2219 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN]; 2220 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 2221 size_t pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN; 2222 2223 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len, 2224 conf->ssid, conf->ssid_len, 2225 conf->mobility_domain, 2226 conf->r0_key_holder, 2227 conf->r0_key_holder_len, 2228 sm->addr, pmk_r0, pmk_r0_name, 2229 use_sha384) < 0) 2230 return -1; 2231 2232 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0", 2233 pmk_r0, pmk_r0_len); 2234 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name", 2235 pmk_r0_name, WPA_PMK_NAME_LEN); 2236 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name); 2237 os_memset(fils_ft, 0, sizeof(fils_ft)); 2238 2239 res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder, 2240 sm->addr, sm->pmk_r1_name, 2241 use_sha384); 2242 os_memset(pmk_r0, 0, PMK_LEN_MAX); 2243 if (res < 0) 2244 return -1; 2245 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name, 2246 WPA_PMK_NAME_LEN); 2247 sm->pmk_r1_name_valid = 1; 2248 } 2249 #endif /* CONFIG_IEEE80211R_AP */ 2250 2251 res = fils_key_auth_sk(ick, ick_len, snonce, anonce, 2252 sm->addr, sm->wpa_auth->addr, 2253 g_sta ? wpabuf_head(g_sta) : NULL, 2254 g_sta ? wpabuf_len(g_sta) : 0, 2255 g_ap ? wpabuf_head(g_ap) : NULL, 2256 g_ap ? wpabuf_len(g_ap) : 0, 2257 sm->wpa_key_mgmt, sm->fils_key_auth_sta, 2258 sm->fils_key_auth_ap, 2259 &sm->fils_key_auth_len); 2260 os_memset(ick, 0, sizeof(ick)); 2261 2262 /* Store nonces for (Re)Association Request/Response frame processing */ 2263 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN); 2264 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN); 2265 2266 return res; 2267 } 2268 2269 2270 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 2271 u8 *buf, size_t buf_len, u16 *_key_data_len) 2272 { 2273 struct ieee802_1x_hdr *hdr; 2274 struct wpa_eapol_key *key; 2275 u8 *pos; 2276 u16 key_data_len; 2277 u8 *tmp; 2278 const u8 *aad[1]; 2279 size_t aad_len[1]; 2280 2281 hdr = (struct ieee802_1x_hdr *) buf; 2282 key = (struct wpa_eapol_key *) (hdr + 1); 2283 pos = (u8 *) (key + 1); 2284 key_data_len = WPA_GET_BE16(pos); 2285 if (key_data_len < AES_BLOCK_SIZE || 2286 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) { 2287 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2288 "No room for AES-SIV data in the frame"); 2289 return -1; 2290 } 2291 pos += 2; /* Pointing at the Encrypted Key Data field */ 2292 2293 tmp = os_malloc(key_data_len); 2294 if (!tmp) 2295 return -1; 2296 2297 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 2298 * to Key Data (exclusive). */ 2299 aad[0] = buf; 2300 aad_len[0] = pos - buf; 2301 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len, 2302 1, aad, aad_len, tmp) < 0) { 2303 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2304 "Invalid AES-SIV data in the frame"); 2305 bin_clear_free(tmp, key_data_len); 2306 return -1; 2307 } 2308 2309 /* AEAD decryption and validation completed successfully */ 2310 key_data_len -= AES_BLOCK_SIZE; 2311 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data", 2312 tmp, key_data_len); 2313 2314 /* Replace Key Data field with the decrypted version */ 2315 os_memcpy(pos, tmp, key_data_len); 2316 pos -= 2; /* Key Data Length field */ 2317 WPA_PUT_BE16(pos, key_data_len); 2318 bin_clear_free(tmp, key_data_len); 2319 if (_key_data_len) 2320 *_key_data_len = key_data_len; 2321 return 0; 2322 } 2323 2324 2325 const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm, 2326 const u8 *ies, size_t ies_len, 2327 const u8 *fils_session) 2328 { 2329 const u8 *ie, *end; 2330 const u8 *session = NULL; 2331 2332 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2333 wpa_printf(MSG_DEBUG, 2334 "FILS: Not a FILS AKM - reject association"); 2335 return NULL; 2336 } 2337 2338 /* Verify Session element */ 2339 ie = ies; 2340 end = ((const u8 *) ie) + ies_len; 2341 while (ie + 1 < end) { 2342 if (ie + 2 + ie[1] > end) 2343 break; 2344 if (ie[0] == WLAN_EID_EXTENSION && 2345 ie[1] >= 1 + FILS_SESSION_LEN && 2346 ie[2] == WLAN_EID_EXT_FILS_SESSION) { 2347 session = ie; 2348 break; 2349 } 2350 ie += 2 + ie[1]; 2351 } 2352 2353 if (!session) { 2354 wpa_printf(MSG_DEBUG, 2355 "FILS: %s: Could not find FILS Session element in Assoc Req - reject", 2356 __func__); 2357 return NULL; 2358 } 2359 2360 if (!fils_session) { 2361 wpa_printf(MSG_DEBUG, 2362 "FILS: %s: Could not find FILS Session element in STA entry - reject", 2363 __func__); 2364 return NULL; 2365 } 2366 2367 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) { 2368 wpa_printf(MSG_DEBUG, "FILS: Session mismatch"); 2369 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 2370 fils_session, FILS_SESSION_LEN); 2371 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session", 2372 session + 3, FILS_SESSION_LEN); 2373 return NULL; 2374 } 2375 return session; 2376 } 2377 2378 2379 int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies, 2380 size_t ies_len) 2381 { 2382 struct ieee802_11_elems elems; 2383 2384 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) { 2385 wpa_printf(MSG_DEBUG, 2386 "FILS: Failed to parse decrypted elements"); 2387 return -1; 2388 } 2389 2390 if (!elems.fils_session) { 2391 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 2392 return -1; 2393 } 2394 2395 if (!elems.fils_key_confirm) { 2396 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element"); 2397 return -1; 2398 } 2399 2400 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) { 2401 wpa_printf(MSG_DEBUG, 2402 "FILS: Unexpected Key-Auth length %d (expected %d)", 2403 elems.fils_key_confirm_len, 2404 (int) sm->fils_key_auth_len); 2405 return -1; 2406 } 2407 2408 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta, 2409 sm->fils_key_auth_len) != 0) { 2410 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch"); 2411 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth", 2412 elems.fils_key_confirm, elems.fils_key_confirm_len); 2413 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth", 2414 sm->fils_key_auth_sta, sm->fils_key_auth_len); 2415 return -1; 2416 } 2417 2418 return 0; 2419 } 2420 2421 2422 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session, 2423 const struct ieee80211_mgmt *mgmt, size_t frame_len, 2424 u8 *pos, size_t left) 2425 { 2426 u16 fc, stype; 2427 const u8 *end, *ie_start, *ie, *session, *crypt; 2428 const u8 *aad[5]; 2429 size_t aad_len[5]; 2430 2431 if (!sm || !sm->PTK_valid) { 2432 wpa_printf(MSG_DEBUG, 2433 "FILS: No KEK to decrypt Assocication Request frame"); 2434 return -1; 2435 } 2436 2437 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2438 wpa_printf(MSG_DEBUG, 2439 "FILS: Not a FILS AKM - reject association"); 2440 return -1; 2441 } 2442 2443 end = ((const u8 *) mgmt) + frame_len; 2444 fc = le_to_host16(mgmt->frame_control); 2445 stype = WLAN_FC_GET_STYPE(fc); 2446 if (stype == WLAN_FC_STYPE_REASSOC_REQ) 2447 ie_start = mgmt->u.reassoc_req.variable; 2448 else 2449 ie_start = mgmt->u.assoc_req.variable; 2450 ie = ie_start; 2451 2452 /* 2453 * Find FILS Session element which is the last unencrypted element in 2454 * the frame. 2455 */ 2456 session = wpa_fils_validate_fils_session(sm, ie, end - ie, 2457 fils_session); 2458 if (!session) { 2459 wpa_printf(MSG_DEBUG, "FILS: Session validation failed"); 2460 return -1; 2461 } 2462 2463 crypt = session + 2 + session[1]; 2464 2465 if (end - crypt < AES_BLOCK_SIZE) { 2466 wpa_printf(MSG_DEBUG, 2467 "FILS: Too short frame to include AES-SIV data"); 2468 return -1; 2469 } 2470 2471 /* AES-SIV AAD vectors */ 2472 2473 /* The STA's MAC address */ 2474 aad[0] = mgmt->sa; 2475 aad_len[0] = ETH_ALEN; 2476 /* The AP's BSSID */ 2477 aad[1] = mgmt->da; 2478 aad_len[1] = ETH_ALEN; 2479 /* The STA's nonce */ 2480 aad[2] = sm->SNonce; 2481 aad_len[2] = FILS_NONCE_LEN; 2482 /* The AP's nonce */ 2483 aad[3] = sm->ANonce; 2484 aad_len[3] = FILS_NONCE_LEN; 2485 /* 2486 * The (Re)Association Request frame from the Capability Information 2487 * field to the FILS Session element (both inclusive). 2488 */ 2489 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info; 2490 aad_len[4] = crypt - aad[4]; 2491 2492 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt, 2493 5, aad, aad_len, pos + (crypt - ie_start)) < 0) { 2494 wpa_printf(MSG_DEBUG, 2495 "FILS: Invalid AES-SIV data in the frame"); 2496 return -1; 2497 } 2498 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements", 2499 pos, left - AES_BLOCK_SIZE); 2500 2501 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) { 2502 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed"); 2503 return -1; 2504 } 2505 2506 return left - AES_BLOCK_SIZE; 2507 } 2508 2509 2510 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf, 2511 size_t current_len, size_t max_len, 2512 const struct wpabuf *hlp) 2513 { 2514 u8 *end = buf + max_len; 2515 u8 *pos = buf + current_len; 2516 struct ieee80211_mgmt *mgmt; 2517 struct wpabuf *plain; 2518 const u8 *aad[5]; 2519 size_t aad_len[5]; 2520 2521 if (!sm || !sm->PTK_valid) 2522 return -1; 2523 2524 wpa_hexdump(MSG_DEBUG, 2525 "FILS: Association Response frame before FILS processing", 2526 buf, current_len); 2527 2528 mgmt = (struct ieee80211_mgmt *) buf; 2529 2530 /* AES-SIV AAD vectors */ 2531 2532 /* The AP's BSSID */ 2533 aad[0] = mgmt->sa; 2534 aad_len[0] = ETH_ALEN; 2535 /* The STA's MAC address */ 2536 aad[1] = mgmt->da; 2537 aad_len[1] = ETH_ALEN; 2538 /* The AP's nonce */ 2539 aad[2] = sm->ANonce; 2540 aad_len[2] = FILS_NONCE_LEN; 2541 /* The STA's nonce */ 2542 aad[3] = sm->SNonce; 2543 aad_len[3] = FILS_NONCE_LEN; 2544 /* 2545 * The (Re)Association Response frame from the Capability Information 2546 * field (the same offset in both Association and Reassociation 2547 * Response frames) to the FILS Session element (both inclusive). 2548 */ 2549 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info; 2550 aad_len[4] = pos - aad[4]; 2551 2552 /* The following elements will be encrypted with AES-SIV */ 2553 plain = fils_prepare_plainbuf(sm, hlp); 2554 if (!plain) { 2555 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed"); 2556 return -1; 2557 } 2558 2559 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) { 2560 wpa_printf(MSG_DEBUG, 2561 "FILS: Not enough room for FILS elements"); 2562 wpabuf_free(plain); 2563 return -1; 2564 } 2565 2566 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext", 2567 plain); 2568 2569 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, 2570 wpabuf_head(plain), wpabuf_len(plain), 2571 5, aad, aad_len, pos) < 0) { 2572 wpabuf_free(plain); 2573 return -1; 2574 } 2575 2576 wpa_hexdump(MSG_DEBUG, 2577 "FILS: Encrypted Association Response elements", 2578 pos, AES_BLOCK_SIZE + wpabuf_len(plain)); 2579 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE; 2580 wpabuf_free(plain); 2581 2582 sm->fils_completed = 1; 2583 2584 return current_len; 2585 } 2586 2587 2588 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, 2589 const struct wpabuf *hlp) 2590 { 2591 struct wpabuf *plain; 2592 u8 *len, *tmp, *tmp2; 2593 u8 hdr[2]; 2594 u8 *gtk, dummy_gtk[32]; 2595 size_t gtk_len; 2596 struct wpa_group *gsm; 2597 2598 plain = wpabuf_alloc(1000); 2599 if (!plain) 2600 return NULL; 2601 2602 /* TODO: FILS Public Key */ 2603 2604 /* FILS Key Confirmation */ 2605 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2606 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */ 2607 /* Element ID Extension */ 2608 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM); 2609 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len); 2610 2611 /* FILS HLP Container */ 2612 if (hlp) 2613 wpabuf_put_buf(plain, hlp); 2614 2615 /* TODO: FILS IP Address Assignment */ 2616 2617 /* Key Delivery */ 2618 gsm = sm->group; 2619 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2620 len = wpabuf_put(plain, 1); 2621 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY); 2622 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, 2623 wpabuf_put(plain, WPA_KEY_RSC_LEN)); 2624 /* GTK KDE */ 2625 gtk = gsm->GTK[gsm->GN - 1]; 2626 gtk_len = gsm->GTK_len; 2627 if (sm->wpa_auth->conf.disable_gtk || 2628 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 2629 /* 2630 * Provide unique random GTK to each STA to prevent use 2631 * of GTK in the BSS. 2632 */ 2633 if (random_get_bytes(dummy_gtk, gtk_len) < 0) { 2634 wpabuf_free(plain); 2635 return NULL; 2636 } 2637 gtk = dummy_gtk; 2638 } 2639 hdr[0] = gsm->GN & 0x03; 2640 hdr[1] = 0; 2641 tmp = wpabuf_put(plain, 0); 2642 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2643 gtk, gtk_len); 2644 wpabuf_put(plain, tmp2 - tmp); 2645 2646 /* IGTK KDE */ 2647 tmp = wpabuf_put(plain, 0); 2648 tmp2 = ieee80211w_kde_add(sm, tmp); 2649 wpabuf_put(plain, tmp2 - tmp); 2650 2651 *len = (u8 *) wpabuf_put(plain, 0) - len - 1; 2652 2653 #ifdef CONFIG_OCV 2654 if (wpa_auth_uses_ocv(sm)) { 2655 struct wpa_channel_info ci; 2656 u8 *pos; 2657 2658 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) { 2659 wpa_printf(MSG_WARNING, 2660 "FILS: Failed to get channel info for OCI element"); 2661 wpabuf_free(plain); 2662 return NULL; 2663 } 2664 2665 pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN); 2666 if (ocv_insert_extended_oci(&ci, pos) < 0) { 2667 wpabuf_free(plain); 2668 return NULL; 2669 } 2670 } 2671 #endif /* CONFIG_OCV */ 2672 2673 return plain; 2674 } 2675 2676 2677 int fils_set_tk(struct wpa_state_machine *sm) 2678 { 2679 enum wpa_alg alg; 2680 int klen; 2681 2682 if (!sm || !sm->PTK_valid) { 2683 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK"); 2684 return -1; 2685 } 2686 if (sm->tk_already_set) { 2687 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver"); 2688 return -1; 2689 } 2690 2691 alg = wpa_cipher_to_alg(sm->pairwise); 2692 klen = wpa_cipher_key_len(sm->pairwise); 2693 2694 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); 2695 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2696 sm->PTK.tk, klen)) { 2697 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); 2698 return -1; 2699 } 2700 sm->tk_already_set = TRUE; 2701 2702 return 0; 2703 } 2704 2705 2706 u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf, 2707 const u8 *fils_session, struct wpabuf *hlp) 2708 { 2709 struct wpabuf *plain; 2710 u8 *pos = buf; 2711 2712 /* FILS Session */ 2713 *pos++ = WLAN_EID_EXTENSION; /* Element ID */ 2714 *pos++ = 1 + FILS_SESSION_LEN; /* Length */ 2715 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */ 2716 os_memcpy(pos, fils_session, FILS_SESSION_LEN); 2717 pos += FILS_SESSION_LEN; 2718 2719 plain = fils_prepare_plainbuf(sm, hlp); 2720 if (!plain) { 2721 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed"); 2722 return NULL; 2723 } 2724 2725 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain)); 2726 pos += wpabuf_len(plain); 2727 2728 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__, 2729 (unsigned int) wpabuf_len(plain)); 2730 wpabuf_free(plain); 2731 sm->fils_completed = 1; 2732 return pos; 2733 } 2734 2735 #endif /* CONFIG_FILS */ 2736 2737 2738 #ifdef CONFIG_OCV 2739 int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth, 2740 int ap_seg1_idx, int *bandwidth, int *seg1_idx) 2741 { 2742 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2743 2744 if (!wpa_auth->cb->get_sta_tx_params) 2745 return -1; 2746 return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr, 2747 ap_max_chanwidth, ap_seg1_idx, 2748 bandwidth, seg1_idx); 2749 } 2750 #endif /* CONFIG_OCV */ 2751 2752 2753 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 2754 { 2755 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2756 struct wpa_ptk PTK; 2757 int ok = 0, psk_found = 0; 2758 const u8 *pmk = NULL; 2759 size_t pmk_len; 2760 int ft; 2761 const u8 *eapol_key_ie, *key_data, *mic; 2762 u16 key_data_length; 2763 size_t mic_len, eapol_key_ie_len; 2764 struct ieee802_1x_hdr *hdr; 2765 struct wpa_eapol_key *key; 2766 struct wpa_eapol_ie_parse kde; 2767 int vlan_id = 0; 2768 2769 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 2770 sm->EAPOLKeyReceived = FALSE; 2771 sm->update_snonce = FALSE; 2772 os_memset(&PTK, 0, sizeof(PTK)); 2773 2774 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 2775 2776 /* WPA with IEEE 802.1X: use the derived PMK from EAP 2777 * WPA-PSK: iterate through possible PSKs and select the one matching 2778 * the packet */ 2779 for (;;) { 2780 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 2781 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 2782 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 2783 sm->p2p_dev_addr, pmk, &pmk_len, 2784 &vlan_id); 2785 if (pmk == NULL) 2786 break; 2787 psk_found = 1; 2788 #ifdef CONFIG_IEEE80211R_AP 2789 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { 2790 os_memcpy(sm->xxkey, pmk, pmk_len); 2791 sm->xxkey_len = pmk_len; 2792 } 2793 #endif /* CONFIG_IEEE80211R_AP */ 2794 } else { 2795 pmk = sm->PMK; 2796 pmk_len = sm->pmk_len; 2797 } 2798 2799 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0) 2800 break; 2801 2802 if (mic_len && 2803 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK, 2804 sm->last_rx_eapol_key, 2805 sm->last_rx_eapol_key_len) == 0) { 2806 if (sm->PMK != pmk) { 2807 os_memcpy(sm->PMK, pmk, pmk_len); 2808 sm->pmk_len = pmk_len; 2809 } 2810 ok = 1; 2811 break; 2812 } 2813 2814 #ifdef CONFIG_FILS 2815 if (!mic_len && 2816 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key, 2817 sm->last_rx_eapol_key_len, NULL) == 0) { 2818 ok = 1; 2819 break; 2820 } 2821 #endif /* CONFIG_FILS */ 2822 2823 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 2824 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) 2825 break; 2826 } 2827 2828 if (!ok) { 2829 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2830 "invalid MIC in msg 2/4 of 4-Way Handshake"); 2831 if (psk_found) 2832 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr); 2833 return; 2834 } 2835 2836 /* 2837 * Note: last_rx_eapol_key length fields have already been validated in 2838 * wpa_receive(). 2839 */ 2840 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key; 2841 key = (struct wpa_eapol_key *) (hdr + 1); 2842 mic = (u8 *) (key + 1); 2843 key_data = mic + mic_len + 2; 2844 key_data_length = WPA_GET_BE16(mic + mic_len); 2845 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) - 2846 sizeof(*key) - mic_len - 2) 2847 return; 2848 2849 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 2850 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 2851 "received EAPOL-Key msg 2/4 with invalid Key Data contents"); 2852 return; 2853 } 2854 if (kde.rsn_ie) { 2855 eapol_key_ie = kde.rsn_ie; 2856 eapol_key_ie_len = kde.rsn_ie_len; 2857 } else if (kde.osen) { 2858 eapol_key_ie = kde.osen; 2859 eapol_key_ie_len = kde.osen_len; 2860 } else { 2861 eapol_key_ie = kde.wpa_ie; 2862 eapol_key_ie_len = kde.wpa_ie_len; 2863 } 2864 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt); 2865 if (sm->wpa_ie == NULL || 2866 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len, 2867 eapol_key_ie, eapol_key_ie_len)) { 2868 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 2869 "WPA IE from (Re)AssocReq did not match with msg 2/4"); 2870 if (sm->wpa_ie) { 2871 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 2872 sm->wpa_ie, sm->wpa_ie_len); 2873 } 2874 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 2875 eapol_key_ie, eapol_key_ie_len); 2876 /* MLME-DEAUTHENTICATE.request */ 2877 wpa_sta_disconnect(wpa_auth, sm->addr, 2878 WLAN_REASON_PREV_AUTH_NOT_VALID); 2879 return; 2880 } 2881 #ifdef CONFIG_OCV 2882 if (wpa_auth_uses_ocv(sm)) { 2883 struct wpa_channel_info ci; 2884 int tx_chanwidth; 2885 int tx_seg1_idx; 2886 2887 if (wpa_channel_info(wpa_auth, &ci) != 0) { 2888 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 2889 "Failed to get channel info to validate received OCI in EAPOL-Key 2/4"); 2890 return; 2891 } 2892 2893 if (get_sta_tx_parameters(sm, 2894 channel_width_to_int(ci.chanwidth), 2895 ci.seg1_idx, &tx_chanwidth, 2896 &tx_seg1_idx) < 0) 2897 return; 2898 2899 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci, 2900 tx_chanwidth, tx_seg1_idx) != 0) { 2901 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 2902 ocv_errorstr); 2903 return; 2904 } 2905 } 2906 #endif /* CONFIG_OCV */ 2907 #ifdef CONFIG_IEEE80211R_AP 2908 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 2909 wpa_sta_disconnect(wpa_auth, sm->addr, 2910 WLAN_REASON_PREV_AUTH_NOT_VALID); 2911 return; 2912 } 2913 #endif /* CONFIG_IEEE80211R_AP */ 2914 #ifdef CONFIG_P2P 2915 if (kde.ip_addr_req && kde.ip_addr_req[0] && 2916 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) { 2917 int idx; 2918 wpa_printf(MSG_DEBUG, 2919 "P2P: IP address requested in EAPOL-Key exchange"); 2920 idx = bitfield_get_first_zero(wpa_auth->ip_pool); 2921 if (idx >= 0) { 2922 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start); 2923 bitfield_set(wpa_auth->ip_pool, idx); 2924 WPA_PUT_BE32(sm->ip_addr, start + idx); 2925 wpa_printf(MSG_DEBUG, 2926 "P2P: Assigned IP address %u.%u.%u.%u to " 2927 MACSTR, sm->ip_addr[0], sm->ip_addr[1], 2928 sm->ip_addr[2], sm->ip_addr[3], 2929 MAC2STR(sm->addr)); 2930 } 2931 } 2932 #endif /* CONFIG_P2P */ 2933 2934 #ifdef CONFIG_IEEE80211R_AP 2935 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2936 /* 2937 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 2938 * with the value we derived. 2939 */ 2940 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name, 2941 WPA_PMK_NAME_LEN) != 0) { 2942 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2943 "PMKR1Name mismatch in FT 4-way " 2944 "handshake"); 2945 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 2946 "Supplicant", 2947 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 2948 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 2949 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 2950 return; 2951 } 2952 } 2953 #endif /* CONFIG_IEEE80211R_AP */ 2954 2955 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 2956 wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) { 2957 wpa_sta_disconnect(wpa_auth, sm->addr, 2958 WLAN_REASON_PREV_AUTH_NOT_VALID); 2959 return; 2960 } 2961 2962 sm->pending_1_of_4_timeout = 0; 2963 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 2964 2965 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2966 /* PSK may have changed from the previous choice, so update 2967 * state machine data based on whatever PSK was selected here. 2968 */ 2969 os_memcpy(sm->PMK, pmk, PMK_LEN); 2970 sm->pmk_len = PMK_LEN; 2971 } 2972 2973 sm->MICVerified = TRUE; 2974 2975 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 2976 sm->PTK_valid = TRUE; 2977 } 2978 2979 2980 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 2981 { 2982 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 2983 sm->TimeoutCtr = 0; 2984 } 2985 2986 2987 #ifdef CONFIG_IEEE80211W 2988 2989 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2990 { 2991 if (sm->mgmt_frame_prot) { 2992 size_t len; 2993 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2994 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len; 2995 } 2996 2997 return 0; 2998 } 2999 3000 3001 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 3002 { 3003 struct wpa_igtk_kde igtk; 3004 struct wpa_group *gsm = sm->group; 3005 u8 rsc[WPA_KEY_RSC_LEN]; 3006 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 3007 3008 if (!sm->mgmt_frame_prot) 3009 return pos; 3010 3011 igtk.keyid[0] = gsm->GN_igtk; 3012 igtk.keyid[1] = 0; 3013 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 3014 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0) 3015 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 3016 else 3017 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); 3018 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len); 3019 if (sm->wpa_auth->conf.disable_gtk || 3020 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 3021 /* 3022 * Provide unique random IGTK to each STA to prevent use of 3023 * IGTK in the BSS. 3024 */ 3025 if (random_get_bytes(igtk.igtk, len) < 0) 3026 return pos; 3027 } 3028 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 3029 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len, 3030 NULL, 0); 3031 3032 return pos; 3033 } 3034 3035 #else /* CONFIG_IEEE80211W */ 3036 3037 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 3038 { 3039 return 0; 3040 } 3041 3042 3043 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 3044 { 3045 return pos; 3046 } 3047 3048 #endif /* CONFIG_IEEE80211W */ 3049 3050 3051 static int ocv_oci_len(struct wpa_state_machine *sm) 3052 { 3053 #ifdef CONFIG_OCV 3054 if (wpa_auth_uses_ocv(sm)) 3055 return OCV_OCI_KDE_LEN; 3056 #endif /* CONFIG_OCV */ 3057 return 0; 3058 } 3059 3060 static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos) 3061 { 3062 #ifdef CONFIG_OCV 3063 struct wpa_channel_info ci; 3064 3065 if (!wpa_auth_uses_ocv(sm)) 3066 return 0; 3067 3068 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) { 3069 wpa_printf(MSG_WARNING, 3070 "Failed to get channel info for OCI element"); 3071 return -1; 3072 } 3073 3074 return ocv_insert_oci_kde(&ci, argpos); 3075 #else /* CONFIG_OCV */ 3076 return 0; 3077 #endif /* CONFIG_OCV */ 3078 } 3079 3080 3081 SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 3082 { 3083 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 3084 size_t gtk_len, kde_len; 3085 struct wpa_group *gsm = sm->group; 3086 u8 *wpa_ie; 3087 int wpa_ie_len, secure, keyidx, encr = 0; 3088 3089 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 3090 sm->TimeoutEvt = FALSE; 3091 3092 sm->TimeoutCtr++; 3093 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3094 sm->TimeoutCtr > 1) { 3095 /* Do not allow retransmission of EAPOL-Key msg 3/4 */ 3096 return; 3097 } 3098 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 3099 /* No point in sending the EAPOL-Key - we will disconnect 3100 * immediately following this. */ 3101 return; 3102 } 3103 3104 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 3105 GTK[GN], IGTK, [FTIE], [TIE * 2]) 3106 */ 3107 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 3108 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 3109 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 3110 wpa_ie = sm->wpa_auth->wpa_ie; 3111 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 3112 if (sm->wpa == WPA_VERSION_WPA && 3113 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 3114 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 3115 /* WPA-only STA, remove RSN IE and possible MDIE */ 3116 wpa_ie = wpa_ie + wpa_ie[1] + 2; 3117 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 3118 wpa_ie = wpa_ie + wpa_ie[1] + 2; 3119 wpa_ie_len = wpa_ie[1] + 2; 3120 } 3121 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3122 "sending 3/4 msg of 4-Way Handshake"); 3123 if (sm->wpa == WPA_VERSION_WPA2) { 3124 /* WPA2 send GTK in the 4-way handshake */ 3125 secure = 1; 3126 gtk = gsm->GTK[gsm->GN - 1]; 3127 gtk_len = gsm->GTK_len; 3128 if (sm->wpa_auth->conf.disable_gtk || 3129 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 3130 /* 3131 * Provide unique random GTK to each STA to prevent use 3132 * of GTK in the BSS. 3133 */ 3134 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 3135 return; 3136 gtk = dummy_gtk; 3137 } 3138 keyidx = gsm->GN; 3139 _rsc = rsc; 3140 encr = 1; 3141 } else { 3142 /* WPA does not include GTK in msg 3/4 */ 3143 secure = 0; 3144 gtk = NULL; 3145 gtk_len = 0; 3146 keyidx = 0; 3147 _rsc = NULL; 3148 if (sm->rx_eapol_key_secure) { 3149 /* 3150 * It looks like Windows 7 supplicant tries to use 3151 * Secure bit in msg 2/4 after having reported Michael 3152 * MIC failure and it then rejects the 4-way handshake 3153 * if msg 3/4 does not set Secure bit. Work around this 3154 * by setting the Secure bit here even in the case of 3155 * WPA if the supplicant used it first. 3156 */ 3157 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3158 "STA used Secure bit in WPA msg 2/4 - " 3159 "set Secure for 3/4 as workaround"); 3160 secure = 1; 3161 } 3162 } 3163 3164 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm); 3165 if (gtk) 3166 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 3167 #ifdef CONFIG_IEEE80211R_AP 3168 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 3169 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 3170 kde_len += 300; /* FTIE + 2 * TIE */ 3171 } 3172 #endif /* CONFIG_IEEE80211R_AP */ 3173 #ifdef CONFIG_P2P 3174 if (WPA_GET_BE32(sm->ip_addr) > 0) 3175 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4; 3176 #endif /* CONFIG_P2P */ 3177 kde = os_malloc(kde_len); 3178 if (kde == NULL) 3179 return; 3180 3181 pos = kde; 3182 os_memcpy(pos, wpa_ie, wpa_ie_len); 3183 pos += wpa_ie_len; 3184 #ifdef CONFIG_IEEE80211R_AP 3185 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 3186 int res; 3187 size_t elen; 3188 3189 elen = pos - kde; 3190 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 3191 if (res < 0) { 3192 wpa_printf(MSG_ERROR, "FT: Failed to insert " 3193 "PMKR1Name into RSN IE in EAPOL-Key data"); 3194 os_free(kde); 3195 return; 3196 } 3197 pos -= wpa_ie_len; 3198 pos += elen; 3199 } 3200 #endif /* CONFIG_IEEE80211R_AP */ 3201 if (gtk) { 3202 u8 hdr[2]; 3203 hdr[0] = keyidx & 0x03; 3204 hdr[1] = 0; 3205 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 3206 gtk, gtk_len); 3207 } 3208 pos = ieee80211w_kde_add(sm, pos); 3209 if (ocv_oci_add(sm, &pos) < 0) { 3210 os_free(kde); 3211 return; 3212 } 3213 3214 #ifdef CONFIG_IEEE80211R_AP 3215 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 3216 int res; 3217 struct wpa_auth_config *conf; 3218 3219 conf = &sm->wpa_auth->conf; 3220 if (sm->assoc_resp_ftie && 3221 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 3222 os_memcpy(pos, sm->assoc_resp_ftie, 3223 2 + sm->assoc_resp_ftie[1]); 3224 res = 2 + sm->assoc_resp_ftie[1]; 3225 } else { 3226 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 3227 3228 res = wpa_write_ftie(conf, use_sha384, 3229 conf->r0_key_holder, 3230 conf->r0_key_holder_len, 3231 NULL, NULL, pos, 3232 kde + kde_len - pos, 3233 NULL, 0); 3234 } 3235 if (res < 0) { 3236 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 3237 "into EAPOL-Key Key Data"); 3238 os_free(kde); 3239 return; 3240 } 3241 pos += res; 3242 3243 /* TIE[ReassociationDeadline] (TU) */ 3244 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 3245 *pos++ = 5; 3246 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 3247 WPA_PUT_LE32(pos, conf->reassociation_deadline); 3248 pos += 4; 3249 3250 /* TIE[KeyLifetime] (seconds) */ 3251 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 3252 *pos++ = 5; 3253 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 3254 WPA_PUT_LE32(pos, conf->r0_key_lifetime); 3255 pos += 4; 3256 } 3257 #endif /* CONFIG_IEEE80211R_AP */ 3258 #ifdef CONFIG_P2P 3259 if (WPA_GET_BE32(sm->ip_addr) > 0) { 3260 u8 addr[3 * 4]; 3261 os_memcpy(addr, sm->ip_addr, 4); 3262 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4); 3263 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4); 3264 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC, 3265 addr, sizeof(addr), NULL, 0); 3266 } 3267 #endif /* CONFIG_P2P */ 3268 3269 wpa_send_eapol(sm->wpa_auth, sm, 3270 (secure ? WPA_KEY_INFO_SECURE : 0) | 3271 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 3272 WPA_KEY_INFO_MIC : 0) | 3273 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 3274 WPA_KEY_INFO_KEY_TYPE, 3275 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 3276 os_free(kde); 3277 } 3278 3279 3280 SM_STATE(WPA_PTK, PTKINITDONE) 3281 { 3282 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 3283 sm->EAPOLKeyReceived = FALSE; 3284 if (sm->Pair) { 3285 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 3286 int klen = wpa_cipher_key_len(sm->pairwise); 3287 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 3288 sm->PTK.tk, klen)) { 3289 wpa_sta_disconnect(sm->wpa_auth, sm->addr, 3290 WLAN_REASON_PREV_AUTH_NOT_VALID); 3291 return; 3292 } 3293 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 3294 sm->pairwise_set = TRUE; 3295 3296 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 3297 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 3298 eloop_register_timeout(sm->wpa_auth->conf. 3299 wpa_ptk_rekey, 0, wpa_rekey_ptk, 3300 sm->wpa_auth, sm); 3301 } 3302 3303 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 3304 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 3305 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) { 3306 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 3307 WPA_EAPOL_authorized, 1); 3308 } 3309 } 3310 3311 if (0 /* IBSS == TRUE */) { 3312 sm->keycount++; 3313 if (sm->keycount == 2) { 3314 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 3315 WPA_EAPOL_portValid, 1); 3316 } 3317 } else { 3318 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 3319 1); 3320 } 3321 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 3322 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 3323 if (sm->wpa == WPA_VERSION_WPA) 3324 sm->PInitAKeys = TRUE; 3325 else 3326 sm->has_GTK = TRUE; 3327 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3328 "pairwise key handshake completed (%s)", 3329 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 3330 3331 #ifdef CONFIG_IEEE80211R_AP 3332 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 3333 #endif /* CONFIG_IEEE80211R_AP */ 3334 } 3335 3336 3337 SM_STEP(WPA_PTK) 3338 { 3339 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 3340 3341 if (sm->Init) 3342 SM_ENTER(WPA_PTK, INITIALIZE); 3343 else if (sm->Disconnect 3344 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 3345 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 3346 "WPA_PTK: sm->Disconnect"); 3347 SM_ENTER(WPA_PTK, DISCONNECT); 3348 } 3349 else if (sm->DeauthenticationRequest) 3350 SM_ENTER(WPA_PTK, DISCONNECTED); 3351 else if (sm->AuthenticationRequest) 3352 SM_ENTER(WPA_PTK, AUTHENTICATION); 3353 else if (sm->ReAuthenticationRequest) 3354 SM_ENTER(WPA_PTK, AUTHENTICATION2); 3355 else if (sm->PTKRequest) { 3356 if (wpa_auth_sm_ptk_update(sm) < 0) 3357 SM_ENTER(WPA_PTK, DISCONNECTED); 3358 else 3359 SM_ENTER(WPA_PTK, PTKSTART); 3360 } else switch (sm->wpa_ptk_state) { 3361 case WPA_PTK_INITIALIZE: 3362 break; 3363 case WPA_PTK_DISCONNECT: 3364 SM_ENTER(WPA_PTK, DISCONNECTED); 3365 break; 3366 case WPA_PTK_DISCONNECTED: 3367 SM_ENTER(WPA_PTK, INITIALIZE); 3368 break; 3369 case WPA_PTK_AUTHENTICATION: 3370 SM_ENTER(WPA_PTK, AUTHENTICATION2); 3371 break; 3372 case WPA_PTK_AUTHENTICATION2: 3373 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 3374 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 3375 WPA_EAPOL_keyRun) > 0) 3376 SM_ENTER(WPA_PTK, INITPMK); 3377 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 3378 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE 3379 /* FIX: && 802.1X::keyRun */) 3380 SM_ENTER(WPA_PTK, INITPSK); 3381 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) 3382 SM_ENTER(WPA_PTK, INITPMK); 3383 break; 3384 case WPA_PTK_INITPMK: 3385 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 3386 WPA_EAPOL_keyAvailable) > 0) { 3387 SM_ENTER(WPA_PTK, PTKSTART); 3388 #ifdef CONFIG_DPP 3389 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) { 3390 SM_ENTER(WPA_PTK, PTKSTART); 3391 #endif /* CONFIG_DPP */ 3392 } else { 3393 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3394 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3395 "INITPMK - keyAvailable = false"); 3396 SM_ENTER(WPA_PTK, DISCONNECT); 3397 } 3398 break; 3399 case WPA_PTK_INITPSK: 3400 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, 3401 NULL, NULL, NULL)) { 3402 SM_ENTER(WPA_PTK, PTKSTART); 3403 #ifdef CONFIG_SAE 3404 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) { 3405 SM_ENTER(WPA_PTK, PTKSTART); 3406 #endif /* CONFIG_SAE */ 3407 } else { 3408 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3409 "no PSK configured for the STA"); 3410 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3411 SM_ENTER(WPA_PTK, DISCONNECT); 3412 } 3413 break; 3414 case WPA_PTK_PTKSTART: 3415 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3416 sm->EAPOLKeyPairwise) 3417 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3418 else if (sm->TimeoutCtr > 3419 sm->wpa_auth->conf.wpa_pairwise_update_count) { 3420 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3421 wpa_auth_vlogger( 3422 sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3423 "PTKSTART: Retry limit %u reached", 3424 sm->wpa_auth->conf.wpa_pairwise_update_count); 3425 SM_ENTER(WPA_PTK, DISCONNECT); 3426 } else if (sm->TimeoutEvt) 3427 SM_ENTER(WPA_PTK, PTKSTART); 3428 break; 3429 case WPA_PTK_PTKCALCNEGOTIATING: 3430 if (sm->MICVerified) 3431 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 3432 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3433 sm->EAPOLKeyPairwise) 3434 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3435 else if (sm->TimeoutEvt) 3436 SM_ENTER(WPA_PTK, PTKSTART); 3437 break; 3438 case WPA_PTK_PTKCALCNEGOTIATING2: 3439 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3440 break; 3441 case WPA_PTK_PTKINITNEGOTIATING: 3442 if (sm->update_snonce) 3443 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3444 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3445 sm->EAPOLKeyPairwise && sm->MICVerified) 3446 SM_ENTER(WPA_PTK, PTKINITDONE); 3447 else if (sm->TimeoutCtr > 3448 sm->wpa_auth->conf.wpa_pairwise_update_count || 3449 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3450 sm->TimeoutCtr > 1)) { 3451 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3452 wpa_auth_vlogger( 3453 sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3454 "PTKINITNEGOTIATING: Retry limit %u reached", 3455 sm->wpa_auth->conf.wpa_pairwise_update_count); 3456 SM_ENTER(WPA_PTK, DISCONNECT); 3457 } else if (sm->TimeoutEvt) 3458 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3459 break; 3460 case WPA_PTK_PTKINITDONE: 3461 break; 3462 } 3463 } 3464 3465 3466 SM_STATE(WPA_PTK_GROUP, IDLE) 3467 { 3468 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 3469 if (sm->Init) { 3470 /* Init flag is not cleared here, so avoid busy 3471 * loop by claiming nothing changed. */ 3472 sm->changed = FALSE; 3473 } 3474 sm->GTimeoutCtr = 0; 3475 } 3476 3477 3478 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 3479 { 3480 u8 rsc[WPA_KEY_RSC_LEN]; 3481 struct wpa_group *gsm = sm->group; 3482 const u8 *kde; 3483 u8 *kde_buf = NULL, *pos, hdr[2]; 3484 size_t kde_len; 3485 u8 *gtk, dummy_gtk[32]; 3486 3487 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 3488 3489 sm->GTimeoutCtr++; 3490 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3491 sm->GTimeoutCtr > 1) { 3492 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */ 3493 return; 3494 } 3495 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) { 3496 /* No point in sending the EAPOL-Key - we will disconnect 3497 * immediately following this. */ 3498 return; 3499 } 3500 3501 if (sm->wpa == WPA_VERSION_WPA) 3502 sm->PInitAKeys = FALSE; 3503 sm->TimeoutEvt = FALSE; 3504 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 3505 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 3506 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 3507 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 3508 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3509 "sending 1/2 msg of Group Key Handshake"); 3510 3511 gtk = gsm->GTK[gsm->GN - 1]; 3512 if (sm->wpa_auth->conf.disable_gtk || 3513 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 3514 /* 3515 * Provide unique random GTK to each STA to prevent use 3516 * of GTK in the BSS. 3517 */ 3518 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 3519 return; 3520 gtk = dummy_gtk; 3521 } 3522 if (sm->wpa == WPA_VERSION_WPA2) { 3523 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 3524 ieee80211w_kde_len(sm) + ocv_oci_len(sm); 3525 kde_buf = os_malloc(kde_len); 3526 if (kde_buf == NULL) 3527 return; 3528 3529 kde = pos = kde_buf; 3530 hdr[0] = gsm->GN & 0x03; 3531 hdr[1] = 0; 3532 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 3533 gtk, gsm->GTK_len); 3534 pos = ieee80211w_kde_add(sm, pos); 3535 if (ocv_oci_add(sm, &pos) < 0) { 3536 os_free(kde_buf); 3537 return; 3538 } 3539 kde_len = pos - kde; 3540 } else { 3541 kde = gtk; 3542 kde_len = gsm->GTK_len; 3543 } 3544 3545 wpa_send_eapol(sm->wpa_auth, sm, 3546 WPA_KEY_INFO_SECURE | 3547 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 3548 WPA_KEY_INFO_MIC : 0) | 3549 WPA_KEY_INFO_ACK | 3550 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 3551 rsc, NULL, kde, kde_len, gsm->GN, 1); 3552 3553 os_free(kde_buf); 3554 } 3555 3556 3557 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 3558 { 3559 #ifdef CONFIG_OCV 3560 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 3561 const u8 *key_data, *mic; 3562 struct ieee802_1x_hdr *hdr; 3563 struct wpa_eapol_key *key; 3564 struct wpa_eapol_ie_parse kde; 3565 size_t mic_len; 3566 u16 key_data_length; 3567 #endif /* CONFIG_OCV */ 3568 3569 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 3570 sm->EAPOLKeyReceived = FALSE; 3571 3572 #ifdef CONFIG_OCV 3573 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 3574 3575 /* 3576 * Note: last_rx_eapol_key length fields have already been validated in 3577 * wpa_receive(). 3578 */ 3579 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key; 3580 key = (struct wpa_eapol_key *) (hdr + 1); 3581 mic = (u8 *) (key + 1); 3582 key_data = mic + mic_len + 2; 3583 key_data_length = WPA_GET_BE16(mic + mic_len); 3584 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) - 3585 sizeof(*key) - mic_len - 2) 3586 return; 3587 3588 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 3589 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 3590 "received EAPOL-Key group msg 2/2 with invalid Key Data contents"); 3591 return; 3592 } 3593 3594 if (wpa_auth_uses_ocv(sm)) { 3595 struct wpa_channel_info ci; 3596 int tx_chanwidth; 3597 int tx_seg1_idx; 3598 3599 if (wpa_channel_info(wpa_auth, &ci) != 0) { 3600 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 3601 "Failed to get channel info to validate received OCI in EAPOL-Key group 1/2"); 3602 return; 3603 } 3604 3605 if (get_sta_tx_parameters(sm, 3606 channel_width_to_int(ci.chanwidth), 3607 ci.seg1_idx, &tx_chanwidth, 3608 &tx_seg1_idx) < 0) 3609 return; 3610 3611 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci, 3612 tx_chanwidth, tx_seg1_idx) != 0) { 3613 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 3614 ocv_errorstr); 3615 return; 3616 } 3617 } 3618 #endif /* CONFIG_OCV */ 3619 3620 if (sm->GUpdateStationKeys) 3621 sm->group->GKeyDoneStations--; 3622 sm->GUpdateStationKeys = FALSE; 3623 sm->GTimeoutCtr = 0; 3624 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 3625 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3626 "group key handshake completed (%s)", 3627 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 3628 sm->has_GTK = TRUE; 3629 } 3630 3631 3632 SM_STATE(WPA_PTK_GROUP, KEYERROR) 3633 { 3634 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 3635 if (sm->GUpdateStationKeys) 3636 sm->group->GKeyDoneStations--; 3637 sm->GUpdateStationKeys = FALSE; 3638 sm->Disconnect = TRUE; 3639 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3640 "group key handshake failed (%s) after %u tries", 3641 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN", 3642 sm->wpa_auth->conf.wpa_group_update_count); 3643 } 3644 3645 3646 SM_STEP(WPA_PTK_GROUP) 3647 { 3648 if (sm->Init || sm->PtkGroupInit) { 3649 SM_ENTER(WPA_PTK_GROUP, IDLE); 3650 sm->PtkGroupInit = FALSE; 3651 } else switch (sm->wpa_ptk_group_state) { 3652 case WPA_PTK_GROUP_IDLE: 3653 if (sm->GUpdateStationKeys || 3654 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 3655 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 3656 break; 3657 case WPA_PTK_GROUP_REKEYNEGOTIATING: 3658 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3659 !sm->EAPOLKeyPairwise && sm->MICVerified) 3660 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 3661 else if (sm->GTimeoutCtr > 3662 sm->wpa_auth->conf.wpa_group_update_count || 3663 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3664 sm->GTimeoutCtr > 1)) 3665 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 3666 else if (sm->TimeoutEvt) 3667 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 3668 break; 3669 case WPA_PTK_GROUP_KEYERROR: 3670 SM_ENTER(WPA_PTK_GROUP, IDLE); 3671 break; 3672 case WPA_PTK_GROUP_REKEYESTABLISHED: 3673 SM_ENTER(WPA_PTK_GROUP, IDLE); 3674 break; 3675 } 3676 } 3677 3678 3679 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 3680 struct wpa_group *group) 3681 { 3682 int ret = 0; 3683 3684 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 3685 inc_byte_array(group->Counter, WPA_NONCE_LEN); 3686 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 3687 wpa_auth->addr, group->GNonce, 3688 group->GTK[group->GN - 1], group->GTK_len) < 0) 3689 ret = -1; 3690 wpa_hexdump_key(MSG_DEBUG, "GTK", 3691 group->GTK[group->GN - 1], group->GTK_len); 3692 3693 #ifdef CONFIG_IEEE80211W 3694 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3695 size_t len; 3696 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 3697 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 3698 inc_byte_array(group->Counter, WPA_NONCE_LEN); 3699 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 3700 wpa_auth->addr, group->GNonce, 3701 group->IGTK[group->GN_igtk - 4], len) < 0) 3702 ret = -1; 3703 wpa_hexdump_key(MSG_DEBUG, "IGTK", 3704 group->IGTK[group->GN_igtk - 4], len); 3705 } 3706 #endif /* CONFIG_IEEE80211W */ 3707 3708 return ret; 3709 } 3710 3711 3712 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 3713 struct wpa_group *group) 3714 { 3715 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3716 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 3717 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 3718 group->wpa_group_state = WPA_GROUP_GTK_INIT; 3719 3720 /* GTK[0..N] = 0 */ 3721 os_memset(group->GTK, 0, sizeof(group->GTK)); 3722 group->GN = 1; 3723 group->GM = 2; 3724 #ifdef CONFIG_IEEE80211W 3725 group->GN_igtk = 4; 3726 group->GM_igtk = 5; 3727 #endif /* CONFIG_IEEE80211W */ 3728 /* GTK[GN] = CalcGTK() */ 3729 wpa_gtk_update(wpa_auth, group); 3730 } 3731 3732 3733 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 3734 { 3735 if (ctx != NULL && ctx != sm->group) 3736 return 0; 3737 3738 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 3739 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3740 "Not in PTKINITDONE; skip Group Key update"); 3741 sm->GUpdateStationKeys = FALSE; 3742 return 0; 3743 } 3744 if (sm->GUpdateStationKeys) { 3745 /* 3746 * This should not really happen, so add a debug log entry. 3747 * Since we clear the GKeyDoneStations before the loop, the 3748 * station needs to be counted here anyway. 3749 */ 3750 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3751 "GUpdateStationKeys was already set when " 3752 "marking station for GTK rekeying"); 3753 } 3754 3755 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 3756 if (sm->is_wnmsleep) 3757 return 0; 3758 3759 sm->group->GKeyDoneStations++; 3760 sm->GUpdateStationKeys = TRUE; 3761 3762 wpa_sm_step(sm); 3763 return 0; 3764 } 3765 3766 3767 #ifdef CONFIG_WNM_AP 3768 /* update GTK when exiting WNM-Sleep Mode */ 3769 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 3770 { 3771 if (sm == NULL || sm->is_wnmsleep) 3772 return; 3773 3774 wpa_group_update_sta(sm, NULL); 3775 } 3776 3777 3778 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 3779 { 3780 if (sm) 3781 sm->is_wnmsleep = !!flag; 3782 } 3783 3784 3785 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 3786 { 3787 struct wpa_group *gsm = sm->group; 3788 u8 *start = pos; 3789 3790 /* 3791 * GTK subelement: 3792 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 3793 * Key[5..32] 3794 */ 3795 *pos++ = WNM_SLEEP_SUBELEM_GTK; 3796 *pos++ = 11 + gsm->GTK_len; 3797 /* Key ID in B0-B1 of Key Info */ 3798 WPA_PUT_LE16(pos, gsm->GN & 0x03); 3799 pos += 2; 3800 *pos++ = gsm->GTK_len; 3801 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 3802 return 0; 3803 pos += 8; 3804 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 3805 pos += gsm->GTK_len; 3806 3807 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 3808 gsm->GN); 3809 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 3810 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 3811 3812 return pos - start; 3813 } 3814 3815 3816 #ifdef CONFIG_IEEE80211W 3817 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 3818 { 3819 struct wpa_group *gsm = sm->group; 3820 u8 *start = pos; 3821 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 3822 3823 /* 3824 * IGTK subelement: 3825 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 3826 */ 3827 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 3828 *pos++ = 2 + 6 + len; 3829 WPA_PUT_LE16(pos, gsm->GN_igtk); 3830 pos += 2; 3831 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 3832 return 0; 3833 pos += 6; 3834 3835 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len); 3836 pos += len; 3837 3838 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 3839 gsm->GN_igtk); 3840 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 3841 gsm->IGTK[gsm->GN_igtk - 4], len); 3842 3843 return pos - start; 3844 } 3845 #endif /* CONFIG_IEEE80211W */ 3846 #endif /* CONFIG_WNM_AP */ 3847 3848 3849 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 3850 struct wpa_group *group) 3851 { 3852 int tmp; 3853 3854 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3855 "SETKEYS (VLAN-ID %d)", group->vlan_id); 3856 group->changed = TRUE; 3857 group->wpa_group_state = WPA_GROUP_SETKEYS; 3858 group->GTKReKey = FALSE; 3859 tmp = group->GM; 3860 group->GM = group->GN; 3861 group->GN = tmp; 3862 #ifdef CONFIG_IEEE80211W 3863 tmp = group->GM_igtk; 3864 group->GM_igtk = group->GN_igtk; 3865 group->GN_igtk = tmp; 3866 #endif /* CONFIG_IEEE80211W */ 3867 /* "GKeyDoneStations = GNoStations" is done in more robust way by 3868 * counting the STAs that are marked with GUpdateStationKeys instead of 3869 * including all STAs that could be in not-yet-completed state. */ 3870 wpa_gtk_update(wpa_auth, group); 3871 3872 if (group->GKeyDoneStations) { 3873 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 3874 "GKeyDoneStations=%d when starting new GTK rekey", 3875 group->GKeyDoneStations); 3876 group->GKeyDoneStations = 0; 3877 } 3878 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 3879 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 3880 group->GKeyDoneStations); 3881 } 3882 3883 3884 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 3885 struct wpa_group *group) 3886 { 3887 int ret = 0; 3888 3889 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 3890 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 3891 broadcast_ether_addr, group->GN, 3892 group->GTK[group->GN - 1], group->GTK_len) < 0) 3893 ret = -1; 3894 3895 #ifdef CONFIG_IEEE80211W 3896 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3897 enum wpa_alg alg; 3898 size_t len; 3899 3900 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher); 3901 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 3902 3903 if (ret == 0 && 3904 wpa_auth_set_key(wpa_auth, group->vlan_id, alg, 3905 broadcast_ether_addr, group->GN_igtk, 3906 group->IGTK[group->GN_igtk - 4], len) < 0) 3907 ret = -1; 3908 } 3909 #endif /* CONFIG_IEEE80211W */ 3910 3911 return ret; 3912 } 3913 3914 3915 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx) 3916 { 3917 if (sm->group == ctx) { 3918 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR 3919 " for discconnection due to fatal failure", 3920 MAC2STR(sm->addr)); 3921 sm->Disconnect = TRUE; 3922 } 3923 3924 return 0; 3925 } 3926 3927 3928 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth, 3929 struct wpa_group *group) 3930 { 3931 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE"); 3932 group->changed = TRUE; 3933 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE; 3934 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group); 3935 } 3936 3937 3938 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 3939 struct wpa_group *group) 3940 { 3941 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3942 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 3943 group->changed = TRUE; 3944 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 3945 3946 if (wpa_group_config_group_keys(wpa_auth, group) < 0) { 3947 wpa_group_fatal_failure(wpa_auth, group); 3948 return -1; 3949 } 3950 3951 return 0; 3952 } 3953 3954 3955 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 3956 struct wpa_group *group) 3957 { 3958 if (group->GInit) { 3959 wpa_group_gtk_init(wpa_auth, group); 3960 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) { 3961 /* Do not allow group operations */ 3962 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 3963 group->GTKAuthenticator) { 3964 wpa_group_setkeysdone(wpa_auth, group); 3965 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 3966 group->GTKReKey) { 3967 wpa_group_setkeys(wpa_auth, group); 3968 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 3969 if (group->GKeyDoneStations == 0) 3970 wpa_group_setkeysdone(wpa_auth, group); 3971 else if (group->GTKReKey) 3972 wpa_group_setkeys(wpa_auth, group); 3973 } 3974 } 3975 3976 3977 static int wpa_sm_step(struct wpa_state_machine *sm) 3978 { 3979 if (sm == NULL) 3980 return 0; 3981 3982 if (sm->in_step_loop) { 3983 /* This should not happen, but if it does, make sure we do not 3984 * end up freeing the state machine too early by exiting the 3985 * recursive call. */ 3986 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 3987 return 0; 3988 } 3989 3990 sm->in_step_loop = 1; 3991 do { 3992 if (sm->pending_deinit) 3993 break; 3994 3995 sm->changed = FALSE; 3996 sm->wpa_auth->group->changed = FALSE; 3997 3998 SM_STEP_RUN(WPA_PTK); 3999 if (sm->pending_deinit) 4000 break; 4001 SM_STEP_RUN(WPA_PTK_GROUP); 4002 if (sm->pending_deinit) 4003 break; 4004 wpa_group_sm_step(sm->wpa_auth, sm->group); 4005 } while (sm->changed || sm->wpa_auth->group->changed); 4006 sm->in_step_loop = 0; 4007 4008 if (sm->pending_deinit) { 4009 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 4010 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 4011 wpa_free_sta_sm(sm); 4012 return 1; 4013 } 4014 return 0; 4015 } 4016 4017 4018 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 4019 { 4020 struct wpa_state_machine *sm = eloop_ctx; 4021 wpa_sm_step(sm); 4022 } 4023 4024 4025 void wpa_auth_sm_notify(struct wpa_state_machine *sm) 4026 { 4027 if (sm == NULL) 4028 return; 4029 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 4030 } 4031 4032 4033 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 4034 { 4035 int tmp, i; 4036 struct wpa_group *group; 4037 4038 if (wpa_auth == NULL) 4039 return; 4040 4041 group = wpa_auth->group; 4042 4043 for (i = 0; i < 2; i++) { 4044 tmp = group->GM; 4045 group->GM = group->GN; 4046 group->GN = tmp; 4047 #ifdef CONFIG_IEEE80211W 4048 tmp = group->GM_igtk; 4049 group->GM_igtk = group->GN_igtk; 4050 group->GN_igtk = tmp; 4051 #endif /* CONFIG_IEEE80211W */ 4052 wpa_gtk_update(wpa_auth, group); 4053 wpa_group_config_group_keys(wpa_auth, group); 4054 } 4055 } 4056 4057 4058 static const char * wpa_bool_txt(int val) 4059 { 4060 return val ? "TRUE" : "FALSE"; 4061 } 4062 4063 4064 #define RSN_SUITE "%02x-%02x-%02x-%d" 4065 #define RSN_SUITE_ARG(s) \ 4066 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 4067 4068 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 4069 { 4070 int len = 0, ret; 4071 char pmkid_txt[PMKID_LEN * 2 + 1]; 4072 #ifdef CONFIG_RSN_PREAUTH 4073 const int preauth = 1; 4074 #else /* CONFIG_RSN_PREAUTH */ 4075 const int preauth = 0; 4076 #endif /* CONFIG_RSN_PREAUTH */ 4077 4078 if (wpa_auth == NULL) 4079 return len; 4080 4081 ret = os_snprintf(buf + len, buflen - len, 4082 "dot11RSNAOptionImplemented=TRUE\n" 4083 "dot11RSNAPreauthenticationImplemented=%s\n" 4084 "dot11RSNAEnabled=%s\n" 4085 "dot11RSNAPreauthenticationEnabled=%s\n", 4086 wpa_bool_txt(preauth), 4087 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 4088 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 4089 if (os_snprintf_error(buflen - len, ret)) 4090 return len; 4091 len += ret; 4092 4093 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 4094 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 4095 4096 ret = os_snprintf( 4097 buf + len, buflen - len, 4098 "dot11RSNAConfigVersion=%u\n" 4099 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 4100 /* FIX: dot11RSNAConfigGroupCipher */ 4101 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 4102 /* FIX: dot11RSNAConfigGroupRekeyTime */ 4103 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 4104 "dot11RSNAConfigGroupRekeyStrict=%u\n" 4105 "dot11RSNAConfigGroupUpdateCount=%u\n" 4106 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 4107 "dot11RSNAConfigGroupCipherSize=%u\n" 4108 "dot11RSNAConfigPMKLifetime=%u\n" 4109 "dot11RSNAConfigPMKReauthThreshold=%u\n" 4110 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 4111 "dot11RSNAConfigSATimeout=%u\n" 4112 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 4113 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 4114 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 4115 "dot11RSNAPMKIDUsed=%s\n" 4116 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 4117 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 4118 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 4119 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 4120 "dot11RSNA4WayHandshakeFailures=%u\n" 4121 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 4122 RSN_VERSION, 4123 !!wpa_auth->conf.wpa_strict_rekey, 4124 wpa_auth->conf.wpa_group_update_count, 4125 wpa_auth->conf.wpa_pairwise_update_count, 4126 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 4127 dot11RSNAConfigPMKLifetime, 4128 dot11RSNAConfigPMKReauthThreshold, 4129 dot11RSNAConfigSATimeout, 4130 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 4131 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 4132 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 4133 pmkid_txt, 4134 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 4135 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 4136 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 4137 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 4138 wpa_auth->dot11RSNA4WayHandshakeFailures); 4139 if (os_snprintf_error(buflen - len, ret)) 4140 return len; 4141 len += ret; 4142 4143 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 4144 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 4145 4146 /* Private MIB */ 4147 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 4148 wpa_auth->group->wpa_group_state); 4149 if (os_snprintf_error(buflen - len, ret)) 4150 return len; 4151 len += ret; 4152 4153 return len; 4154 } 4155 4156 4157 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 4158 { 4159 int len = 0, ret; 4160 u32 pairwise = 0; 4161 4162 if (sm == NULL) 4163 return 0; 4164 4165 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 4166 4167 /* dot11RSNAStatsEntry */ 4168 4169 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 4170 WPA_PROTO_RSN : WPA_PROTO_WPA, 4171 sm->pairwise); 4172 if (pairwise == 0) 4173 return 0; 4174 4175 ret = os_snprintf( 4176 buf + len, buflen - len, 4177 /* TODO: dot11RSNAStatsIndex */ 4178 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 4179 "dot11RSNAStatsVersion=1\n" 4180 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 4181 /* TODO: dot11RSNAStatsTKIPICVErrors */ 4182 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 4183 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 4184 /* TODO: dot11RSNAStatsCCMPReplays */ 4185 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 4186 /* TODO: dot11RSNAStatsTKIPReplays */, 4187 MAC2STR(sm->addr), 4188 RSN_SUITE_ARG(pairwise), 4189 sm->dot11RSNAStatsTKIPLocalMICFailures, 4190 sm->dot11RSNAStatsTKIPRemoteMICFailures); 4191 if (os_snprintf_error(buflen - len, ret)) 4192 return len; 4193 len += ret; 4194 4195 /* Private MIB */ 4196 ret = os_snprintf(buf + len, buflen - len, 4197 "hostapdWPAPTKState=%d\n" 4198 "hostapdWPAPTKGroupState=%d\n", 4199 sm->wpa_ptk_state, 4200 sm->wpa_ptk_group_state); 4201 if (os_snprintf_error(buflen - len, ret)) 4202 return len; 4203 len += ret; 4204 4205 return len; 4206 } 4207 4208 4209 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 4210 { 4211 if (wpa_auth) 4212 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 4213 } 4214 4215 4216 int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 4217 { 4218 return sm && sm->pairwise_set; 4219 } 4220 4221 4222 int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 4223 { 4224 return sm->pairwise; 4225 } 4226 4227 4228 const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len) 4229 { 4230 if (!sm) 4231 return NULL; 4232 *len = sm->pmk_len; 4233 return sm->PMK; 4234 } 4235 4236 4237 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 4238 { 4239 if (sm == NULL) 4240 return -1; 4241 return sm->wpa_key_mgmt; 4242 } 4243 4244 4245 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 4246 { 4247 if (sm == NULL) 4248 return 0; 4249 return sm->wpa; 4250 } 4251 4252 4253 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) 4254 { 4255 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 4256 return 0; 4257 return sm->tk_already_set; 4258 } 4259 4260 4261 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm) 4262 { 4263 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt)) 4264 return 0; 4265 return sm->tk_already_set; 4266 } 4267 4268 4269 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 4270 struct rsn_pmksa_cache_entry *entry) 4271 { 4272 if (sm == NULL || sm->pmksa != entry) 4273 return -1; 4274 sm->pmksa = NULL; 4275 return 0; 4276 } 4277 4278 4279 struct rsn_pmksa_cache_entry * 4280 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 4281 { 4282 return sm ? sm->pmksa : NULL; 4283 } 4284 4285 4286 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 4287 { 4288 if (sm) 4289 sm->dot11RSNAStatsTKIPLocalMICFailures++; 4290 } 4291 4292 4293 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 4294 { 4295 if (wpa_auth == NULL) 4296 return NULL; 4297 *len = wpa_auth->wpa_ie_len; 4298 return wpa_auth->wpa_ie; 4299 } 4300 4301 4302 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 4303 unsigned int pmk_len, 4304 int session_timeout, struct eapol_state_machine *eapol) 4305 { 4306 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 4307 sm->wpa_auth->conf.disable_pmksa_caching) 4308 return -1; 4309 4310 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 4311 if (pmk_len > PMK_LEN_SUITE_B_192) 4312 pmk_len = PMK_LEN_SUITE_B_192; 4313 } else if (pmk_len > PMK_LEN) { 4314 pmk_len = PMK_LEN; 4315 } 4316 4317 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL, 4318 sm->PTK.kck, sm->PTK.kck_len, 4319 sm->wpa_auth->addr, sm->addr, session_timeout, 4320 eapol, sm->wpa_key_mgmt)) 4321 return 0; 4322 4323 return -1; 4324 } 4325 4326 4327 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 4328 const u8 *pmk, size_t len, const u8 *sta_addr, 4329 int session_timeout, 4330 struct eapol_state_machine *eapol) 4331 { 4332 if (wpa_auth == NULL) 4333 return -1; 4334 4335 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL, 4336 NULL, 0, 4337 wpa_auth->addr, 4338 sta_addr, session_timeout, eapol, 4339 WPA_KEY_MGMT_IEEE8021X)) 4340 return 0; 4341 4342 return -1; 4343 } 4344 4345 4346 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, 4347 const u8 *pmk, const u8 *pmkid) 4348 { 4349 if (wpa_auth->conf.disable_pmksa_caching) 4350 return -1; 4351 4352 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid, 4353 NULL, 0, 4354 wpa_auth->addr, addr, 0, NULL, 4355 WPA_KEY_MGMT_SAE)) 4356 return 0; 4357 4358 return -1; 4359 } 4360 4361 4362 void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid) 4363 { 4364 os_memcpy(sm->pmkid, pmkid, PMKID_LEN); 4365 sm->pmkid_set = 1; 4366 } 4367 4368 4369 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr, 4370 const u8 *pmk, size_t pmk_len, const u8 *pmkid, 4371 int session_timeout, int akmp) 4372 { 4373 if (wpa_auth->conf.disable_pmksa_caching) 4374 return -1; 4375 4376 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid, 4377 NULL, 0, wpa_auth->addr, addr, session_timeout, 4378 NULL, akmp)) 4379 return 0; 4380 4381 return -1; 4382 } 4383 4384 4385 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 4386 const u8 *sta_addr) 4387 { 4388 struct rsn_pmksa_cache_entry *pmksa; 4389 4390 if (wpa_auth == NULL || wpa_auth->pmksa == NULL) 4391 return; 4392 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 4393 if (pmksa) { 4394 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 4395 MACSTR " based on request", MAC2STR(sta_addr)); 4396 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 4397 } 4398 } 4399 4400 4401 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf, 4402 size_t len) 4403 { 4404 if (!wpa_auth || !wpa_auth->pmksa) 4405 return 0; 4406 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len); 4407 } 4408 4409 4410 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth) 4411 { 4412 if (wpa_auth && wpa_auth->pmksa) 4413 pmksa_cache_auth_flush(wpa_auth->pmksa); 4414 } 4415 4416 4417 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL 4418 #ifdef CONFIG_MESH 4419 4420 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr, 4421 char *buf, size_t len) 4422 { 4423 if (!wpa_auth || !wpa_auth->pmksa) 4424 return 0; 4425 4426 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len); 4427 } 4428 4429 4430 struct rsn_pmksa_cache_entry * 4431 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk, 4432 const u8 *pmkid, int expiration) 4433 { 4434 struct rsn_pmksa_cache_entry *entry; 4435 struct os_reltime now; 4436 4437 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa, 4438 spa, 0, NULL, WPA_KEY_MGMT_SAE); 4439 if (!entry) 4440 return NULL; 4441 4442 os_get_reltime(&now); 4443 entry->expiration = now.sec + expiration; 4444 return entry; 4445 } 4446 4447 4448 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth, 4449 struct rsn_pmksa_cache_entry *entry) 4450 { 4451 int ret; 4452 4453 if (!wpa_auth || !wpa_auth->pmksa) 4454 return -1; 4455 4456 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry); 4457 if (ret < 0) 4458 wpa_printf(MSG_DEBUG, 4459 "RSN: Failed to store external PMKSA cache for " 4460 MACSTR, MAC2STR(entry->spa)); 4461 4462 return ret; 4463 } 4464 4465 #endif /* CONFIG_MESH */ 4466 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */ 4467 4468 4469 struct rsn_pmksa_cache_entry * 4470 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, 4471 const u8 *pmkid) 4472 { 4473 if (!wpa_auth || !wpa_auth->pmksa) 4474 return NULL; 4475 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid); 4476 } 4477 4478 4479 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa, 4480 struct wpa_state_machine *sm, 4481 struct wpa_authenticator *wpa_auth, 4482 u8 *pmkid, u8 *pmk) 4483 { 4484 if (!sm) 4485 return; 4486 4487 sm->pmksa = pmksa; 4488 os_memcpy(pmk, pmksa->pmk, PMK_LEN); 4489 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN); 4490 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN); 4491 } 4492 4493 4494 /* 4495 * Remove and free the group from wpa_authenticator. This is triggered by a 4496 * callback to make sure nobody is currently iterating the group list while it 4497 * gets modified. 4498 */ 4499 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 4500 struct wpa_group *group) 4501 { 4502 struct wpa_group *prev = wpa_auth->group; 4503 4504 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d", 4505 group->vlan_id); 4506 4507 while (prev) { 4508 if (prev->next == group) { 4509 /* This never frees the special first group as needed */ 4510 prev->next = group->next; 4511 os_free(group); 4512 break; 4513 } 4514 prev = prev->next; 4515 } 4516 4517 } 4518 4519 4520 /* Increase the reference counter for group */ 4521 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 4522 struct wpa_group *group) 4523 { 4524 /* Skip the special first group */ 4525 if (wpa_auth->group == group) 4526 return; 4527 4528 group->references++; 4529 } 4530 4531 4532 /* Decrease the reference counter and maybe free the group */ 4533 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 4534 struct wpa_group *group) 4535 { 4536 /* Skip the special first group */ 4537 if (wpa_auth->group == group) 4538 return; 4539 4540 group->references--; 4541 if (group->references) 4542 return; 4543 wpa_group_free(wpa_auth, group); 4544 } 4545 4546 4547 /* 4548 * Add a group that has its references counter set to zero. Caller needs to 4549 * call wpa_group_get() on the return value to mark the entry in use. 4550 */ 4551 static struct wpa_group * 4552 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4553 { 4554 struct wpa_group *group; 4555 4556 if (wpa_auth == NULL || wpa_auth->group == NULL) 4557 return NULL; 4558 4559 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 4560 vlan_id); 4561 group = wpa_group_init(wpa_auth, vlan_id, 0); 4562 if (group == NULL) 4563 return NULL; 4564 4565 group->next = wpa_auth->group->next; 4566 wpa_auth->group->next = group; 4567 4568 return group; 4569 } 4570 4571 4572 /* 4573 * Enforce that the group state machine for the VLAN is running, increase 4574 * reference counter as interface is up. References might have been increased 4575 * even if a negative value is returned. 4576 * Returns: -1 on error (group missing, group already failed); otherwise, 0 4577 */ 4578 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4579 { 4580 struct wpa_group *group; 4581 4582 if (wpa_auth == NULL) 4583 return 0; 4584 4585 group = wpa_auth->group; 4586 while (group) { 4587 if (group->vlan_id == vlan_id) 4588 break; 4589 group = group->next; 4590 } 4591 4592 if (group == NULL) { 4593 group = wpa_auth_add_group(wpa_auth, vlan_id); 4594 if (group == NULL) 4595 return -1; 4596 } 4597 4598 wpa_printf(MSG_DEBUG, 4599 "WPA: Ensure group state machine running for VLAN ID %d", 4600 vlan_id); 4601 4602 wpa_group_get(wpa_auth, group); 4603 group->num_setup_iface++; 4604 4605 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4606 return -1; 4607 4608 return 0; 4609 } 4610 4611 4612 /* 4613 * Decrease reference counter, expected to be zero afterwards. 4614 * returns: -1 on error (group not found, group in fail state) 4615 * -2 if wpa_group is still referenced 4616 * 0 else 4617 */ 4618 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4619 { 4620 struct wpa_group *group; 4621 int ret = 0; 4622 4623 if (wpa_auth == NULL) 4624 return 0; 4625 4626 group = wpa_auth->group; 4627 while (group) { 4628 if (group->vlan_id == vlan_id) 4629 break; 4630 group = group->next; 4631 } 4632 4633 if (group == NULL) 4634 return -1; 4635 4636 wpa_printf(MSG_DEBUG, 4637 "WPA: Try stopping group state machine for VLAN ID %d", 4638 vlan_id); 4639 4640 if (group->num_setup_iface <= 0) { 4641 wpa_printf(MSG_ERROR, 4642 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.", 4643 vlan_id); 4644 return -1; 4645 } 4646 group->num_setup_iface--; 4647 4648 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4649 ret = -1; 4650 4651 if (group->references > 1) { 4652 wpa_printf(MSG_DEBUG, 4653 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold", 4654 vlan_id); 4655 ret = -2; 4656 } 4657 4658 wpa_group_put(wpa_auth, group); 4659 4660 return ret; 4661 } 4662 4663 4664 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 4665 { 4666 struct wpa_group *group; 4667 4668 if (sm == NULL || sm->wpa_auth == NULL) 4669 return 0; 4670 4671 group = sm->wpa_auth->group; 4672 while (group) { 4673 if (group->vlan_id == vlan_id) 4674 break; 4675 group = group->next; 4676 } 4677 4678 if (group == NULL) { 4679 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 4680 if (group == NULL) 4681 return -1; 4682 } 4683 4684 if (sm->group == group) 4685 return 0; 4686 4687 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4688 return -1; 4689 4690 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 4691 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 4692 4693 wpa_group_get(sm->wpa_auth, group); 4694 wpa_group_put(sm->wpa_auth, sm->group); 4695 sm->group = group; 4696 4697 return 0; 4698 } 4699 4700 4701 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 4702 struct wpa_state_machine *sm, int ack) 4703 { 4704 if (wpa_auth == NULL || sm == NULL) 4705 return; 4706 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 4707 " ack=%d", MAC2STR(sm->addr), ack); 4708 if (sm->pending_1_of_4_timeout && ack) { 4709 /* 4710 * Some deployed supplicant implementations update their SNonce 4711 * for each EAPOL-Key 2/4 message even within the same 4-way 4712 * handshake and then fail to use the first SNonce when 4713 * deriving the PTK. This results in unsuccessful 4-way 4714 * handshake whenever the relatively short initial timeout is 4715 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 4716 * around this by increasing the timeout now that we know that 4717 * the station has received the frame. 4718 */ 4719 int timeout_ms = eapol_key_timeout_subseq; 4720 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 4721 "timeout by %u ms because of acknowledged frame", 4722 timeout_ms); 4723 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 4724 eloop_register_timeout(timeout_ms / 1000, 4725 (timeout_ms % 1000) * 1000, 4726 wpa_send_eapol_timeout, wpa_auth, sm); 4727 } 4728 4729 #ifdef CONFIG_TESTING_OPTIONS 4730 if (sm->eapol_status_cb) { 4731 sm->eapol_status_cb(sm->eapol_status_cb_ctx1, 4732 sm->eapol_status_cb_ctx2); 4733 sm->eapol_status_cb = NULL; 4734 } 4735 #endif /* CONFIG_TESTING_OPTIONS */ 4736 } 4737 4738 4739 int wpa_auth_uses_sae(struct wpa_state_machine *sm) 4740 { 4741 if (sm == NULL) 4742 return 0; 4743 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 4744 } 4745 4746 4747 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm) 4748 { 4749 if (sm == NULL) 4750 return 0; 4751 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; 4752 } 4753 4754 4755 #ifdef CONFIG_P2P 4756 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr) 4757 { 4758 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0) 4759 return -1; 4760 os_memcpy(addr, sm->ip_addr, 4); 4761 return 0; 4762 } 4763 #endif /* CONFIG_P2P */ 4764 4765 4766 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth, 4767 struct radius_das_attrs *attr) 4768 { 4769 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr); 4770 } 4771 4772 4773 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth) 4774 { 4775 struct wpa_group *group; 4776 4777 if (!wpa_auth) 4778 return; 4779 for (group = wpa_auth->group; group; group = group->next) 4780 wpa_group_config_group_keys(wpa_auth, group); 4781 } 4782 4783 4784 #ifdef CONFIG_FILS 4785 4786 struct wpa_auth_fils_iter_data { 4787 struct wpa_authenticator *auth; 4788 const u8 *cache_id; 4789 struct rsn_pmksa_cache_entry *pmksa; 4790 const u8 *spa; 4791 const u8 *pmkid; 4792 }; 4793 4794 4795 static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx) 4796 { 4797 struct wpa_auth_fils_iter_data *data = ctx; 4798 4799 if (a == data->auth || !a->conf.fils_cache_id_set || 4800 os_memcmp(a->conf.fils_cache_id, data->cache_id, 4801 FILS_CACHE_ID_LEN) != 0) 4802 return 0; 4803 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid); 4804 return data->pmksa != NULL; 4805 } 4806 4807 4808 struct rsn_pmksa_cache_entry * 4809 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth, 4810 const u8 *sta_addr, const u8 *pmkid) 4811 { 4812 struct wpa_auth_fils_iter_data idata; 4813 4814 if (!wpa_auth->conf.fils_cache_id_set) 4815 return NULL; 4816 idata.auth = wpa_auth; 4817 idata.cache_id = wpa_auth->conf.fils_cache_id; 4818 idata.pmksa = NULL; 4819 idata.spa = sta_addr; 4820 idata.pmkid = pmkid; 4821 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata); 4822 return idata.pmksa; 4823 } 4824 4825 4826 #ifdef CONFIG_IEEE80211R_AP 4827 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, int use_sha384, 4828 u8 *buf, size_t len) 4829 { 4830 struct wpa_auth_config *conf = &wpa_auth->conf; 4831 4832 return wpa_write_ftie(conf, use_sha384, conf->r0_key_holder, 4833 conf->r0_key_holder_len, 4834 NULL, NULL, buf, len, NULL, 0); 4835 } 4836 #endif /* CONFIG_IEEE80211R_AP */ 4837 4838 4839 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm, 4840 u8 *fils_anonce, u8 *fils_snonce, 4841 u8 *fils_kek, size_t *fils_kek_len) 4842 { 4843 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN); 4844 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN); 4845 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN); 4846 *fils_kek_len = sm->PTK.kek_len; 4847 } 4848 4849 #endif /* CONFIG_FILS */ 4850 4851 4852 void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg) 4853 { 4854 if (sm) 4855 sm->auth_alg = auth_alg; 4856 } 4857 4858 4859 #ifdef CONFIG_DPP2 4860 void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z) 4861 { 4862 if (sm) { 4863 wpabuf_clear_free(sm->dpp_z); 4864 sm->dpp_z = z ? wpabuf_dup(z) : NULL; 4865 } 4866 } 4867 #endif /* CONFIG_DPP2 */ 4868 4869 4870 #ifdef CONFIG_TESTING_OPTIONS 4871 4872 int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce, 4873 void (*cb)(void *ctx1, void *ctx2), 4874 void *ctx1, void *ctx2) 4875 { 4876 const u8 *anonce = sm->ANonce; 4877 u8 anonce_buf[WPA_NONCE_LEN]; 4878 4879 if (change_anonce) { 4880 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN)) 4881 return -1; 4882 anonce = anonce_buf; 4883 } 4884 4885 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4886 "sending 1/4 msg of 4-Way Handshake (TESTING)"); 4887 wpa_send_eapol(sm->wpa_auth, sm, 4888 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 4889 anonce, NULL, 0, 0, 0); 4890 return 0; 4891 } 4892 4893 4894 int wpa_auth_resend_m3(struct wpa_state_machine *sm, 4895 void (*cb)(void *ctx1, void *ctx2), 4896 void *ctx1, void *ctx2) 4897 { 4898 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos; 4899 #ifdef CONFIG_IEEE80211W 4900 u8 *opos; 4901 #endif /* CONFIG_IEEE80211W */ 4902 size_t gtk_len, kde_len; 4903 struct wpa_group *gsm = sm->group; 4904 u8 *wpa_ie; 4905 int wpa_ie_len, secure, keyidx, encr = 0; 4906 4907 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 4908 GTK[GN], IGTK, [FTIE], [TIE * 2]) 4909 */ 4910 4911 /* Use 0 RSC */ 4912 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 4913 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 4914 wpa_ie = sm->wpa_auth->wpa_ie; 4915 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 4916 if (sm->wpa == WPA_VERSION_WPA && 4917 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 4918 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 4919 /* WPA-only STA, remove RSN IE and possible MDIE */ 4920 wpa_ie = wpa_ie + wpa_ie[1] + 2; 4921 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 4922 wpa_ie = wpa_ie + wpa_ie[1] + 2; 4923 wpa_ie_len = wpa_ie[1] + 2; 4924 } 4925 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4926 "sending 3/4 msg of 4-Way Handshake (TESTING)"); 4927 if (sm->wpa == WPA_VERSION_WPA2) { 4928 /* WPA2 send GTK in the 4-way handshake */ 4929 secure = 1; 4930 gtk = gsm->GTK[gsm->GN - 1]; 4931 gtk_len = gsm->GTK_len; 4932 keyidx = gsm->GN; 4933 _rsc = rsc; 4934 encr = 1; 4935 } else { 4936 /* WPA does not include GTK in msg 3/4 */ 4937 secure = 0; 4938 gtk = NULL; 4939 gtk_len = 0; 4940 keyidx = 0; 4941 _rsc = NULL; 4942 if (sm->rx_eapol_key_secure) { 4943 /* 4944 * It looks like Windows 7 supplicant tries to use 4945 * Secure bit in msg 2/4 after having reported Michael 4946 * MIC failure and it then rejects the 4-way handshake 4947 * if msg 3/4 does not set Secure bit. Work around this 4948 * by setting the Secure bit here even in the case of 4949 * WPA if the supplicant used it first. 4950 */ 4951 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4952 "STA used Secure bit in WPA msg 2/4 - " 4953 "set Secure for 3/4 as workaround"); 4954 secure = 1; 4955 } 4956 } 4957 4958 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm); 4959 if (gtk) 4960 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 4961 #ifdef CONFIG_IEEE80211R_AP 4962 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 4963 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 4964 kde_len += 300; /* FTIE + 2 * TIE */ 4965 } 4966 #endif /* CONFIG_IEEE80211R_AP */ 4967 kde = os_malloc(kde_len); 4968 if (kde == NULL) 4969 return -1; 4970 4971 pos = kde; 4972 os_memcpy(pos, wpa_ie, wpa_ie_len); 4973 pos += wpa_ie_len; 4974 #ifdef CONFIG_IEEE80211R_AP 4975 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 4976 int res; 4977 size_t elen; 4978 4979 elen = pos - kde; 4980 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 4981 if (res < 0) { 4982 wpa_printf(MSG_ERROR, "FT: Failed to insert " 4983 "PMKR1Name into RSN IE in EAPOL-Key data"); 4984 os_free(kde); 4985 return -1; 4986 } 4987 pos -= wpa_ie_len; 4988 pos += elen; 4989 } 4990 #endif /* CONFIG_IEEE80211R_AP */ 4991 if (gtk) { 4992 u8 hdr[2]; 4993 hdr[0] = keyidx & 0x03; 4994 hdr[1] = 0; 4995 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 4996 gtk, gtk_len); 4997 } 4998 #ifdef CONFIG_IEEE80211W 4999 opos = pos; 5000 pos = ieee80211w_kde_add(sm, pos); 5001 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) { 5002 /* skip KDE header and keyid */ 5003 opos += 2 + RSN_SELECTOR_LEN + 2; 5004 os_memset(opos, 0, 6); /* clear PN */ 5005 } 5006 #endif /* CONFIG_IEEE80211W */ 5007 if (ocv_oci_add(sm, &pos) < 0) { 5008 os_free(kde); 5009 return -1; 5010 } 5011 5012 #ifdef CONFIG_IEEE80211R_AP 5013 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 5014 int res; 5015 struct wpa_auth_config *conf; 5016 5017 conf = &sm->wpa_auth->conf; 5018 if (sm->assoc_resp_ftie && 5019 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 5020 os_memcpy(pos, sm->assoc_resp_ftie, 5021 2 + sm->assoc_resp_ftie[1]); 5022 res = 2 + sm->assoc_resp_ftie[1]; 5023 } else { 5024 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 5025 5026 res = wpa_write_ftie(conf, use_sha384, 5027 conf->r0_key_holder, 5028 conf->r0_key_holder_len, 5029 NULL, NULL, pos, 5030 kde + kde_len - pos, 5031 NULL, 0); 5032 } 5033 if (res < 0) { 5034 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 5035 "into EAPOL-Key Key Data"); 5036 os_free(kde); 5037 return -1; 5038 } 5039 pos += res; 5040 5041 /* TIE[ReassociationDeadline] (TU) */ 5042 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 5043 *pos++ = 5; 5044 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 5045 WPA_PUT_LE32(pos, conf->reassociation_deadline); 5046 pos += 4; 5047 5048 /* TIE[KeyLifetime] (seconds) */ 5049 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 5050 *pos++ = 5; 5051 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 5052 WPA_PUT_LE32(pos, conf->r0_key_lifetime); 5053 pos += 4; 5054 } 5055 #endif /* CONFIG_IEEE80211R_AP */ 5056 5057 wpa_send_eapol(sm->wpa_auth, sm, 5058 (secure ? WPA_KEY_INFO_SECURE : 0) | 5059 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 5060 WPA_KEY_INFO_MIC : 0) | 5061 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 5062 WPA_KEY_INFO_KEY_TYPE, 5063 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 5064 os_free(kde); 5065 return 0; 5066 } 5067 5068 5069 int wpa_auth_resend_group_m1(struct wpa_state_machine *sm, 5070 void (*cb)(void *ctx1, void *ctx2), 5071 void *ctx1, void *ctx2) 5072 { 5073 u8 rsc[WPA_KEY_RSC_LEN]; 5074 struct wpa_group *gsm = sm->group; 5075 const u8 *kde; 5076 u8 *kde_buf = NULL, *pos, hdr[2]; 5077 #ifdef CONFIG_IEEE80211W 5078 u8 *opos; 5079 #endif /* CONFIG_IEEE80211W */ 5080 size_t kde_len; 5081 u8 *gtk; 5082 5083 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 5084 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 5085 /* Use 0 RSC */ 5086 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 5087 "sending 1/2 msg of Group Key Handshake (TESTING)"); 5088 5089 gtk = gsm->GTK[gsm->GN - 1]; 5090 if (sm->wpa == WPA_VERSION_WPA2) { 5091 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 5092 ieee80211w_kde_len(sm) + ocv_oci_len(sm); 5093 kde_buf = os_malloc(kde_len); 5094 if (kde_buf == NULL) 5095 return -1; 5096 5097 kde = pos = kde_buf; 5098 hdr[0] = gsm->GN & 0x03; 5099 hdr[1] = 0; 5100 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 5101 gtk, gsm->GTK_len); 5102 #ifdef CONFIG_IEEE80211W 5103 opos = pos; 5104 pos = ieee80211w_kde_add(sm, pos); 5105 if (pos - opos >= 5106 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) { 5107 /* skip KDE header and keyid */ 5108 opos += 2 + RSN_SELECTOR_LEN + 2; 5109 os_memset(opos, 0, 6); /* clear PN */ 5110 } 5111 #endif /* CONFIG_IEEE80211W */ 5112 if (ocv_oci_add(sm, &pos) < 0) { 5113 os_free(kde_buf); 5114 return -1; 5115 } 5116 kde_len = pos - kde; 5117 } else { 5118 kde = gtk; 5119 kde_len = gsm->GTK_len; 5120 } 5121 5122 sm->eapol_status_cb = cb; 5123 sm->eapol_status_cb_ctx1 = ctx1; 5124 sm->eapol_status_cb_ctx2 = ctx2; 5125 5126 wpa_send_eapol(sm->wpa_auth, sm, 5127 WPA_KEY_INFO_SECURE | 5128 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 5129 WPA_KEY_INFO_MIC : 0) | 5130 WPA_KEY_INFO_ACK | 5131 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 5132 rsc, NULL, kde, kde_len, gsm->GN, 1); 5133 5134 os_free(kde_buf); 5135 return 0; 5136 } 5137 5138 5139 int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth) 5140 { 5141 if (!wpa_auth) 5142 return -1; 5143 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 5144 return eloop_register_timeout(0, 0, wpa_rekey_gtk, wpa_auth, NULL); 5145 } 5146 5147 #endif /* CONFIG_TESTING_OPTIONS */ 5148