1 /* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2015, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/state_machine.h" 14 #include "utils/bitfield.h" 15 #include "common/ieee802_11_defs.h" 16 #include "crypto/aes.h" 17 #include "crypto/aes_wrap.h" 18 #include "crypto/aes_siv.h" 19 #include "crypto/crypto.h" 20 #include "crypto/sha1.h" 21 #include "crypto/sha256.h" 22 #include "crypto/random.h" 23 #include "eapol_auth/eapol_auth_sm.h" 24 #include "ap_config.h" 25 #include "ieee802_11.h" 26 #include "wpa_auth.h" 27 #include "pmksa_cache_auth.h" 28 #include "wpa_auth_i.h" 29 #include "wpa_auth_ie.h" 30 31 #define STATE_MACHINE_DATA struct wpa_state_machine 32 #define STATE_MACHINE_DEBUG_PREFIX "WPA" 33 #define STATE_MACHINE_ADDR sm->addr 34 35 36 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 37 static int wpa_sm_step(struct wpa_state_machine *sm); 38 static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data, 39 size_t data_len); 40 #ifdef CONFIG_FILS 41 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 42 u8 *buf, size_t buf_len, u16 *_key_data_len); 43 #endif /* CONFIG_FILS */ 44 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 45 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 46 struct wpa_group *group); 47 static void wpa_request_new_ptk(struct wpa_state_machine *sm); 48 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 49 struct wpa_group *group); 50 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 51 struct wpa_group *group); 52 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 53 const u8 *pmk, unsigned int pmk_len, 54 struct wpa_ptk *ptk); 55 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 56 struct wpa_group *group); 57 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 58 struct wpa_group *group); 59 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 60 struct wpa_group *group); 61 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); 62 63 static const u32 eapol_key_timeout_first = 100; /* ms */ 64 static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 65 static const u32 eapol_key_timeout_first_group = 500; /* ms */ 66 67 /* TODO: make these configurable */ 68 static const int dot11RSNAConfigPMKLifetime = 43200; 69 static const int dot11RSNAConfigPMKReauthThreshold = 70; 70 static const int dot11RSNAConfigSATimeout = 60; 71 72 73 static inline int wpa_auth_mic_failure_report( 74 struct wpa_authenticator *wpa_auth, const u8 *addr) 75 { 76 if (wpa_auth->cb->mic_failure_report) 77 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr); 78 return 0; 79 } 80 81 82 static inline void wpa_auth_psk_failure_report( 83 struct wpa_authenticator *wpa_auth, const u8 *addr) 84 { 85 if (wpa_auth->cb->psk_failure_report) 86 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr); 87 } 88 89 90 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 91 const u8 *addr, wpa_eapol_variable var, 92 int value) 93 { 94 if (wpa_auth->cb->set_eapol) 95 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value); 96 } 97 98 99 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 100 const u8 *addr, wpa_eapol_variable var) 101 { 102 if (wpa_auth->cb->get_eapol == NULL) 103 return -1; 104 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var); 105 } 106 107 108 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 109 const u8 *addr, 110 const u8 *p2p_dev_addr, 111 const u8 *prev_psk) 112 { 113 if (wpa_auth->cb->get_psk == NULL) 114 return NULL; 115 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr, 116 prev_psk); 117 } 118 119 120 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 121 const u8 *addr, u8 *msk, size_t *len) 122 { 123 if (wpa_auth->cb->get_msk == NULL) 124 return -1; 125 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len); 126 } 127 128 129 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 130 int vlan_id, 131 enum wpa_alg alg, const u8 *addr, int idx, 132 u8 *key, size_t key_len) 133 { 134 if (wpa_auth->cb->set_key == NULL) 135 return -1; 136 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx, 137 key, key_len); 138 } 139 140 141 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 142 const u8 *addr, int idx, u8 *seq) 143 { 144 if (wpa_auth->cb->get_seqnum == NULL) 145 return -1; 146 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq); 147 } 148 149 150 static inline int 151 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 152 const u8 *data, size_t data_len, int encrypt) 153 { 154 if (wpa_auth->cb->send_eapol == NULL) 155 return -1; 156 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len, 157 encrypt); 158 } 159 160 161 #ifdef CONFIG_MESH 162 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth, 163 const u8 *addr) 164 { 165 if (wpa_auth->cb->start_ampe == NULL) 166 return -1; 167 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr); 168 } 169 #endif /* CONFIG_MESH */ 170 171 172 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 173 int (*cb)(struct wpa_state_machine *sm, void *ctx), 174 void *cb_ctx) 175 { 176 if (wpa_auth->cb->for_each_sta == NULL) 177 return 0; 178 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx); 179 } 180 181 182 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 183 int (*cb)(struct wpa_authenticator *a, void *ctx), 184 void *cb_ctx) 185 { 186 if (wpa_auth->cb->for_each_auth == NULL) 187 return 0; 188 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx); 189 } 190 191 192 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 193 logger_level level, const char *txt) 194 { 195 if (wpa_auth->cb->logger == NULL) 196 return; 197 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt); 198 } 199 200 201 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 202 logger_level level, const char *fmt, ...) 203 { 204 char *format; 205 int maxlen; 206 va_list ap; 207 208 if (wpa_auth->cb->logger == NULL) 209 return; 210 211 maxlen = os_strlen(fmt) + 100; 212 format = os_malloc(maxlen); 213 if (!format) 214 return; 215 216 va_start(ap, fmt); 217 vsnprintf(format, maxlen, fmt, ap); 218 va_end(ap); 219 220 wpa_auth_logger(wpa_auth, addr, level, format); 221 222 os_free(format); 223 } 224 225 226 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 227 const u8 *addr) 228 { 229 if (wpa_auth->cb->disconnect == NULL) 230 return; 231 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr)); 232 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, 233 WLAN_REASON_PREV_AUTH_NOT_VALID); 234 } 235 236 237 static int wpa_use_aes_cmac(struct wpa_state_machine *sm) 238 { 239 int ret = 0; 240 #ifdef CONFIG_IEEE80211R_AP 241 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 242 ret = 1; 243 #endif /* CONFIG_IEEE80211R_AP */ 244 #ifdef CONFIG_IEEE80211W 245 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt)) 246 ret = 1; 247 #endif /* CONFIG_IEEE80211W */ 248 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) 249 ret = 1; 250 return ret; 251 } 252 253 254 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 255 { 256 struct wpa_authenticator *wpa_auth = eloop_ctx; 257 258 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 259 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 260 "initialization."); 261 } else { 262 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 263 wpa_hexdump_key(MSG_DEBUG, "GMK", 264 wpa_auth->group->GMK, WPA_GMK_LEN); 265 } 266 267 if (wpa_auth->conf.wpa_gmk_rekey) { 268 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 269 wpa_rekey_gmk, wpa_auth, NULL); 270 } 271 } 272 273 274 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 275 { 276 struct wpa_authenticator *wpa_auth = eloop_ctx; 277 struct wpa_group *group, *next; 278 279 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 280 group = wpa_auth->group; 281 while (group) { 282 wpa_group_get(wpa_auth, group); 283 284 group->GTKReKey = TRUE; 285 do { 286 group->changed = FALSE; 287 wpa_group_sm_step(wpa_auth, group); 288 } while (group->changed); 289 290 next = group->next; 291 wpa_group_put(wpa_auth, group); 292 group = next; 293 } 294 295 if (wpa_auth->conf.wpa_group_rekey) { 296 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 297 0, wpa_rekey_gtk, wpa_auth, NULL); 298 } 299 } 300 301 302 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 303 { 304 struct wpa_authenticator *wpa_auth = eloop_ctx; 305 struct wpa_state_machine *sm = timeout_ctx; 306 307 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 308 wpa_request_new_ptk(sm); 309 wpa_sm_step(sm); 310 } 311 312 313 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 314 { 315 if (sm->pmksa == ctx) 316 sm->pmksa = NULL; 317 return 0; 318 } 319 320 321 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 322 void *ctx) 323 { 324 struct wpa_authenticator *wpa_auth = ctx; 325 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 326 } 327 328 329 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 330 struct wpa_group *group) 331 { 332 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 333 u8 rkey[32]; 334 unsigned long ptr; 335 336 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 337 return -1; 338 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 339 340 /* 341 * Counter = PRF-256(Random number, "Init Counter", 342 * Local MAC Address || Time) 343 */ 344 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 345 wpa_get_ntp_timestamp(buf + ETH_ALEN); 346 ptr = (unsigned long) group; 347 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 348 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 349 return -1; 350 351 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 352 group->Counter, WPA_NONCE_LEN) < 0) 353 return -1; 354 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 355 group->Counter, WPA_NONCE_LEN); 356 357 return 0; 358 } 359 360 361 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 362 int vlan_id, int delay_init) 363 { 364 struct wpa_group *group; 365 366 group = os_zalloc(sizeof(struct wpa_group)); 367 if (group == NULL) 368 return NULL; 369 370 group->GTKAuthenticator = TRUE; 371 group->vlan_id = vlan_id; 372 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 373 374 if (random_pool_ready() != 1) { 375 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 376 "for secure operations - update keys later when " 377 "the first station connects"); 378 } 379 380 /* 381 * Set initial GMK/Counter value here. The actual values that will be 382 * used in negotiations will be set once the first station tries to 383 * connect. This allows more time for collecting additional randomness 384 * on embedded devices. 385 */ 386 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 387 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 388 "initialization."); 389 os_free(group); 390 return NULL; 391 } 392 393 group->GInit = TRUE; 394 if (delay_init) { 395 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 396 "until Beacon frames have been configured"); 397 /* Initialization is completed in wpa_init_keys(). */ 398 } else { 399 wpa_group_sm_step(wpa_auth, group); 400 group->GInit = FALSE; 401 wpa_group_sm_step(wpa_auth, group); 402 } 403 404 return group; 405 } 406 407 408 /** 409 * wpa_init - Initialize WPA authenticator 410 * @addr: Authenticator address 411 * @conf: Configuration for WPA authenticator 412 * @cb: Callback functions for WPA authenticator 413 * Returns: Pointer to WPA authenticator data or %NULL on failure 414 */ 415 struct wpa_authenticator * wpa_init(const u8 *addr, 416 struct wpa_auth_config *conf, 417 const struct wpa_auth_callbacks *cb, 418 void *cb_ctx) 419 { 420 struct wpa_authenticator *wpa_auth; 421 422 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 423 if (wpa_auth == NULL) 424 return NULL; 425 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 426 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 427 wpa_auth->cb = cb; 428 wpa_auth->cb_ctx = cb_ctx; 429 430 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 431 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 432 os_free(wpa_auth); 433 return NULL; 434 } 435 436 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 437 if (wpa_auth->group == NULL) { 438 os_free(wpa_auth->wpa_ie); 439 os_free(wpa_auth); 440 return NULL; 441 } 442 443 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 444 wpa_auth); 445 if (wpa_auth->pmksa == NULL) { 446 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 447 os_free(wpa_auth->group); 448 os_free(wpa_auth->wpa_ie); 449 os_free(wpa_auth); 450 return NULL; 451 } 452 453 #ifdef CONFIG_IEEE80211R_AP 454 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 455 if (wpa_auth->ft_pmk_cache == NULL) { 456 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 457 os_free(wpa_auth->group); 458 os_free(wpa_auth->wpa_ie); 459 pmksa_cache_auth_deinit(wpa_auth->pmksa); 460 os_free(wpa_auth); 461 return NULL; 462 } 463 #endif /* CONFIG_IEEE80211R_AP */ 464 465 if (wpa_auth->conf.wpa_gmk_rekey) { 466 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 467 wpa_rekey_gmk, wpa_auth, NULL); 468 } 469 470 if (wpa_auth->conf.wpa_group_rekey) { 471 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 472 wpa_rekey_gtk, wpa_auth, NULL); 473 } 474 475 #ifdef CONFIG_P2P 476 if (WPA_GET_BE32(conf->ip_addr_start)) { 477 int count = WPA_GET_BE32(conf->ip_addr_end) - 478 WPA_GET_BE32(conf->ip_addr_start) + 1; 479 if (count > 1000) 480 count = 1000; 481 if (count > 0) 482 wpa_auth->ip_pool = bitfield_alloc(count); 483 } 484 #endif /* CONFIG_P2P */ 485 486 return wpa_auth; 487 } 488 489 490 int wpa_init_keys(struct wpa_authenticator *wpa_auth) 491 { 492 struct wpa_group *group = wpa_auth->group; 493 494 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 495 "keys"); 496 wpa_group_sm_step(wpa_auth, group); 497 group->GInit = FALSE; 498 wpa_group_sm_step(wpa_auth, group); 499 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 500 return -1; 501 return 0; 502 } 503 504 505 /** 506 * wpa_deinit - Deinitialize WPA authenticator 507 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 508 */ 509 void wpa_deinit(struct wpa_authenticator *wpa_auth) 510 { 511 struct wpa_group *group, *prev; 512 513 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 514 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 515 516 pmksa_cache_auth_deinit(wpa_auth->pmksa); 517 518 #ifdef CONFIG_IEEE80211R_AP 519 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 520 wpa_auth->ft_pmk_cache = NULL; 521 #endif /* CONFIG_IEEE80211R_AP */ 522 523 #ifdef CONFIG_P2P 524 bitfield_free(wpa_auth->ip_pool); 525 #endif /* CONFIG_P2P */ 526 527 528 os_free(wpa_auth->wpa_ie); 529 530 group = wpa_auth->group; 531 while (group) { 532 prev = group; 533 group = group->next; 534 os_free(prev); 535 } 536 537 os_free(wpa_auth); 538 } 539 540 541 /** 542 * wpa_reconfig - Update WPA authenticator configuration 543 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 544 * @conf: Configuration for WPA authenticator 545 */ 546 int wpa_reconfig(struct wpa_authenticator *wpa_auth, 547 struct wpa_auth_config *conf) 548 { 549 struct wpa_group *group; 550 if (wpa_auth == NULL) 551 return 0; 552 553 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 554 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 555 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 556 return -1; 557 } 558 559 /* 560 * Reinitialize GTK to make sure it is suitable for the new 561 * configuration. 562 */ 563 group = wpa_auth->group; 564 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 565 group->GInit = TRUE; 566 wpa_group_sm_step(wpa_auth, group); 567 group->GInit = FALSE; 568 wpa_group_sm_step(wpa_auth, group); 569 570 return 0; 571 } 572 573 574 struct wpa_state_machine * 575 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 576 const u8 *p2p_dev_addr) 577 { 578 struct wpa_state_machine *sm; 579 580 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 581 return NULL; 582 583 sm = os_zalloc(sizeof(struct wpa_state_machine)); 584 if (sm == NULL) 585 return NULL; 586 os_memcpy(sm->addr, addr, ETH_ALEN); 587 if (p2p_dev_addr) 588 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 589 590 sm->wpa_auth = wpa_auth; 591 sm->group = wpa_auth->group; 592 wpa_group_get(sm->wpa_auth, sm->group); 593 594 return sm; 595 } 596 597 598 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 599 struct wpa_state_machine *sm) 600 { 601 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 602 return -1; 603 604 #ifdef CONFIG_IEEE80211R_AP 605 if (sm->ft_completed) { 606 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 607 "FT authentication already completed - do not " 608 "start 4-way handshake"); 609 /* Go to PTKINITDONE state to allow GTK rekeying */ 610 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 611 sm->Pair = TRUE; 612 return 0; 613 } 614 #endif /* CONFIG_IEEE80211R_AP */ 615 616 #ifdef CONFIG_FILS 617 if (sm->fils_completed) { 618 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 619 "FILS authentication already completed - do not start 4-way handshake"); 620 /* Go to PTKINITDONE state to allow GTK rekeying */ 621 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 622 sm->Pair = TRUE; 623 return 0; 624 } 625 #endif /* CONFIG_FILS */ 626 627 if (sm->started) { 628 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 629 sm->ReAuthenticationRequest = TRUE; 630 return wpa_sm_step(sm); 631 } 632 633 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 634 "start authentication"); 635 sm->started = 1; 636 637 sm->Init = TRUE; 638 if (wpa_sm_step(sm) == 1) 639 return 1; /* should not really happen */ 640 sm->Init = FALSE; 641 sm->AuthenticationRequest = TRUE; 642 return wpa_sm_step(sm); 643 } 644 645 646 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 647 { 648 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 649 * reassociates back to the same AP while the previous entry for the 650 * STA has not yet been removed. */ 651 if (sm == NULL) 652 return; 653 654 sm->wpa_key_mgmt = 0; 655 } 656 657 658 static void wpa_free_sta_sm(struct wpa_state_machine *sm) 659 { 660 #ifdef CONFIG_P2P 661 if (WPA_GET_BE32(sm->ip_addr)) { 662 u32 start; 663 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP " 664 "address %u.%u.%u.%u from " MACSTR, 665 sm->ip_addr[0], sm->ip_addr[1], 666 sm->ip_addr[2], sm->ip_addr[3], 667 MAC2STR(sm->addr)); 668 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start); 669 bitfield_clear(sm->wpa_auth->ip_pool, 670 WPA_GET_BE32(sm->ip_addr) - start); 671 } 672 #endif /* CONFIG_P2P */ 673 if (sm->GUpdateStationKeys) { 674 sm->group->GKeyDoneStations--; 675 sm->GUpdateStationKeys = FALSE; 676 } 677 #ifdef CONFIG_IEEE80211R_AP 678 os_free(sm->assoc_resp_ftie); 679 wpabuf_free(sm->ft_pending_req_ies); 680 #endif /* CONFIG_IEEE80211R_AP */ 681 os_free(sm->last_rx_eapol_key); 682 os_free(sm->wpa_ie); 683 wpa_group_put(sm->wpa_auth, sm->group); 684 os_free(sm); 685 } 686 687 688 void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 689 { 690 if (sm == NULL) 691 return; 692 693 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 694 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 695 "strict rekeying - force GTK rekey since STA " 696 "is leaving"); 697 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL); 698 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 699 NULL); 700 } 701 702 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 703 sm->pending_1_of_4_timeout = 0; 704 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 705 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 706 if (sm->in_step_loop) { 707 /* Must not free state machine while wpa_sm_step() is running. 708 * Freeing will be completed in the end of wpa_sm_step(). */ 709 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 710 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 711 sm->pending_deinit = 1; 712 } else 713 wpa_free_sta_sm(sm); 714 } 715 716 717 static void wpa_request_new_ptk(struct wpa_state_machine *sm) 718 { 719 if (sm == NULL) 720 return; 721 722 sm->PTKRequest = TRUE; 723 sm->PTK_valid = 0; 724 } 725 726 727 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 728 const u8 *replay_counter) 729 { 730 int i; 731 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 732 if (!ctr[i].valid) 733 break; 734 if (os_memcmp(replay_counter, ctr[i].counter, 735 WPA_REPLAY_COUNTER_LEN) == 0) 736 return 1; 737 } 738 return 0; 739 } 740 741 742 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 743 const u8 *replay_counter) 744 { 745 int i; 746 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 747 if (ctr[i].valid && 748 (replay_counter == NULL || 749 os_memcmp(replay_counter, ctr[i].counter, 750 WPA_REPLAY_COUNTER_LEN) == 0)) 751 ctr[i].valid = FALSE; 752 } 753 } 754 755 756 #ifdef CONFIG_IEEE80211R_AP 757 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 758 struct wpa_state_machine *sm, 759 struct wpa_eapol_ie_parse *kde) 760 { 761 struct wpa_ie_data ie; 762 struct rsn_mdie *mdie; 763 764 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 765 ie.num_pmkid != 1 || ie.pmkid == NULL) { 766 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 767 "FT 4-way handshake message 2/4"); 768 return -1; 769 } 770 771 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 772 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 773 sm->sup_pmk_r1_name, PMKID_LEN); 774 775 if (!kde->mdie || !kde->ftie) { 776 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 777 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 778 return -1; 779 } 780 781 mdie = (struct rsn_mdie *) (kde->mdie + 2); 782 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 783 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 784 MOBILITY_DOMAIN_ID_LEN) != 0) { 785 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 786 return -1; 787 } 788 789 if (sm->assoc_resp_ftie && 790 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 791 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 792 2 + sm->assoc_resp_ftie[1]) != 0)) { 793 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 794 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 795 kde->ftie, kde->ftie_len); 796 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 797 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 798 return -1; 799 } 800 801 return 0; 802 } 803 #endif /* CONFIG_IEEE80211R_AP */ 804 805 806 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 807 struct wpa_state_machine *sm, int group) 808 { 809 /* Supplicant reported a Michael MIC error */ 810 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 811 "received EAPOL-Key Error Request " 812 "(STA detected Michael MIC failure (group=%d))", 813 group); 814 815 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 816 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 817 "ignore Michael MIC failure report since " 818 "group cipher is not TKIP"); 819 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 820 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 821 "ignore Michael MIC failure report since " 822 "pairwise cipher is not TKIP"); 823 } else { 824 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 825 return 1; /* STA entry was removed */ 826 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 827 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 828 } 829 830 /* 831 * Error report is not a request for a new key handshake, but since 832 * Authenticator may do it, let's change the keys now anyway. 833 */ 834 wpa_request_new_ptk(sm); 835 return 0; 836 } 837 838 839 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, 840 size_t data_len) 841 { 842 struct wpa_ptk PTK; 843 int ok = 0; 844 const u8 *pmk = NULL; 845 unsigned int pmk_len; 846 847 os_memset(&PTK, 0, sizeof(PTK)); 848 for (;;) { 849 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 850 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 851 sm->p2p_dev_addr, pmk); 852 if (pmk == NULL) 853 break; 854 pmk_len = PMK_LEN; 855 } else { 856 pmk = sm->PMK; 857 pmk_len = sm->pmk_len; 858 } 859 860 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0) 861 break; 862 863 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, data, data_len) 864 == 0) { 865 ok = 1; 866 break; 867 } 868 869 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 870 break; 871 } 872 873 if (!ok) { 874 wpa_printf(MSG_DEBUG, 875 "WPA: Earlier SNonce did not result in matching MIC"); 876 return -1; 877 } 878 879 wpa_printf(MSG_DEBUG, 880 "WPA: Earlier SNonce resulted in matching MIC"); 881 sm->alt_snonce_valid = 0; 882 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN); 883 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 884 sm->PTK_valid = TRUE; 885 886 return 0; 887 } 888 889 890 void wpa_receive(struct wpa_authenticator *wpa_auth, 891 struct wpa_state_machine *sm, 892 u8 *data, size_t data_len) 893 { 894 struct ieee802_1x_hdr *hdr; 895 struct wpa_eapol_key *key; 896 u16 key_info, key_data_length; 897 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST, 898 SMK_M1, SMK_M3, SMK_ERROR } msg; 899 char *msgtxt; 900 struct wpa_eapol_ie_parse kde; 901 const u8 *key_data; 902 size_t keyhdrlen, mic_len; 903 u8 *mic; 904 905 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 906 return; 907 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len); 908 909 mic_len = wpa_mic_len(sm->wpa_key_mgmt); 910 keyhdrlen = sizeof(*key) + mic_len + 2; 911 912 if (data_len < sizeof(*hdr) + keyhdrlen) { 913 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame"); 914 return; 915 } 916 917 hdr = (struct ieee802_1x_hdr *) data; 918 key = (struct wpa_eapol_key *) (hdr + 1); 919 mic = (u8 *) (key + 1); 920 key_info = WPA_GET_BE16(key->key_info); 921 key_data = mic + mic_len + 2; 922 key_data_length = WPA_GET_BE16(mic + mic_len); 923 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 924 " key_info=0x%x type=%u mic_len=%u key_data_length=%u", 925 MAC2STR(sm->addr), key_info, key->type, 926 (unsigned int) mic_len, key_data_length); 927 wpa_hexdump(MSG_MSGDUMP, 928 "WPA: EAPOL-Key header (ending before Key MIC)", 929 key, sizeof(*key)); 930 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC", 931 mic, mic_len); 932 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) { 933 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 934 "key_data overflow (%d > %lu)", 935 key_data_length, 936 (unsigned long) (data_len - sizeof(*hdr) - 937 keyhdrlen)); 938 return; 939 } 940 941 if (sm->wpa == WPA_VERSION_WPA2) { 942 if (key->type == EAPOL_KEY_TYPE_WPA) { 943 /* 944 * Some deployed station implementations seem to send 945 * msg 4/4 with incorrect type value in WPA2 mode. 946 */ 947 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 948 "with unexpected WPA type in RSN mode"); 949 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 950 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 951 "unexpected type %d in RSN mode", 952 key->type); 953 return; 954 } 955 } else { 956 if (key->type != EAPOL_KEY_TYPE_WPA) { 957 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 958 "unexpected type %d in WPA mode", 959 key->type); 960 return; 961 } 962 } 963 964 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 965 WPA_NONCE_LEN); 966 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 967 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 968 969 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 970 * are set */ 971 972 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) == 973 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) { 974 if (key_info & WPA_KEY_INFO_ERROR) { 975 msg = SMK_ERROR; 976 msgtxt = "SMK Error"; 977 } else { 978 msg = SMK_M1; 979 msgtxt = "SMK M1"; 980 } 981 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 982 msg = SMK_M3; 983 msgtxt = "SMK M3"; 984 } else if (key_info & WPA_KEY_INFO_REQUEST) { 985 msg = REQUEST; 986 msgtxt = "Request"; 987 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 988 msg = GROUP_2; 989 msgtxt = "2/2 Group"; 990 } else if (key_data_length == 0 || 991 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && 992 key_data_length == AES_BLOCK_SIZE)) { 993 msg = PAIRWISE_4; 994 msgtxt = "4/4 Pairwise"; 995 } else { 996 msg = PAIRWISE_2; 997 msgtxt = "2/4 Pairwise"; 998 } 999 1000 /* TODO: key_info type validation for PeerKey */ 1001 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 1002 msg == GROUP_2) { 1003 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 1004 if (sm->pairwise == WPA_CIPHER_CCMP || 1005 sm->pairwise == WPA_CIPHER_GCMP) { 1006 if (wpa_use_aes_cmac(sm) && 1007 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN && 1008 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) && 1009 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1010 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1011 wpa_auth_logger(wpa_auth, sm->addr, 1012 LOGGER_WARNING, 1013 "advertised support for " 1014 "AES-128-CMAC, but did not " 1015 "use it"); 1016 return; 1017 } 1018 1019 if (!wpa_use_aes_cmac(sm) && 1020 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1021 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1022 wpa_auth_logger(wpa_auth, sm->addr, 1023 LOGGER_WARNING, 1024 "did not use HMAC-SHA1-AES " 1025 "with CCMP/GCMP"); 1026 return; 1027 } 1028 } 1029 1030 if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1031 wpa_key_mgmt_fils(sm->wpa_key_mgmt)) && 1032 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 1033 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1034 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases"); 1035 return; 1036 } 1037 } 1038 1039 if (key_info & WPA_KEY_INFO_REQUEST) { 1040 if (sm->req_replay_counter_used && 1041 os_memcmp(key->replay_counter, sm->req_replay_counter, 1042 WPA_REPLAY_COUNTER_LEN) <= 0) { 1043 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1044 "received EAPOL-Key request with " 1045 "replayed counter"); 1046 return; 1047 } 1048 } 1049 1050 if (!(key_info & WPA_KEY_INFO_REQUEST) && 1051 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 1052 int i; 1053 1054 if (msg == PAIRWISE_2 && 1055 wpa_replay_counter_valid(sm->prev_key_replay, 1056 key->replay_counter) && 1057 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1058 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 1059 { 1060 /* 1061 * Some supplicant implementations (e.g., Windows XP 1062 * WZC) update SNonce for each EAPOL-Key 2/4. This 1063 * breaks the workaround on accepting any of the 1064 * pending requests, so allow the SNonce to be updated 1065 * even if we have already sent out EAPOL-Key 3/4. 1066 */ 1067 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1068 "Process SNonce update from STA " 1069 "based on retransmitted EAPOL-Key " 1070 "1/4"); 1071 sm->update_snonce = 1; 1072 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN); 1073 sm->alt_snonce_valid = TRUE; 1074 os_memcpy(sm->alt_replay_counter, 1075 sm->key_replay[0].counter, 1076 WPA_REPLAY_COUNTER_LEN); 1077 goto continue_processing; 1078 } 1079 1080 if (msg == PAIRWISE_4 && sm->alt_snonce_valid && 1081 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1082 os_memcmp(key->replay_counter, sm->alt_replay_counter, 1083 WPA_REPLAY_COUNTER_LEN) == 0) { 1084 /* 1085 * Supplicant may still be using the old SNonce since 1086 * there was two EAPOL-Key 2/4 messages and they had 1087 * different SNonce values. 1088 */ 1089 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1090 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4"); 1091 goto continue_processing; 1092 } 1093 1094 if (msg == PAIRWISE_2 && 1095 wpa_replay_counter_valid(sm->prev_key_replay, 1096 key->replay_counter) && 1097 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 1098 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1099 "ignore retransmitted EAPOL-Key %s - " 1100 "SNonce did not change", msgtxt); 1101 } else { 1102 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1103 "received EAPOL-Key %s with " 1104 "unexpected replay counter", msgtxt); 1105 } 1106 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 1107 if (!sm->key_replay[i].valid) 1108 break; 1109 wpa_hexdump(MSG_DEBUG, "pending replay counter", 1110 sm->key_replay[i].counter, 1111 WPA_REPLAY_COUNTER_LEN); 1112 } 1113 wpa_hexdump(MSG_DEBUG, "received replay counter", 1114 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1115 return; 1116 } 1117 1118 continue_processing: 1119 #ifdef CONFIG_FILS 1120 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 && 1121 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1122 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1123 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame"); 1124 return; 1125 } 1126 #endif /* CONFIG_FILS */ 1127 1128 switch (msg) { 1129 case PAIRWISE_2: 1130 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 1131 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 1132 (!sm->update_snonce || 1133 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 1134 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1135 "received EAPOL-Key msg 2/4 in " 1136 "invalid state (%d) - dropped", 1137 sm->wpa_ptk_state); 1138 return; 1139 } 1140 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 1141 if (sm->group->reject_4way_hs_for_entropy) { 1142 /* 1143 * The system did not have enough entropy to generate 1144 * strong random numbers. Reject the first 4-way 1145 * handshake(s) and collect some entropy based on the 1146 * information from it. Once enough entropy is 1147 * available, the next atempt will trigger GMK/Key 1148 * Counter update and the station will be allowed to 1149 * continue. 1150 */ 1151 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 1152 "collect more entropy for random number " 1153 "generation"); 1154 random_mark_pool_ready(); 1155 wpa_sta_disconnect(wpa_auth, sm->addr); 1156 return; 1157 } 1158 break; 1159 case PAIRWISE_4: 1160 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1161 !sm->PTK_valid) { 1162 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1163 "received EAPOL-Key msg 4/4 in " 1164 "invalid state (%d) - dropped", 1165 sm->wpa_ptk_state); 1166 return; 1167 } 1168 break; 1169 case GROUP_2: 1170 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1171 || !sm->PTK_valid) { 1172 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1173 "received EAPOL-Key msg 2/2 in " 1174 "invalid state (%d) - dropped", 1175 sm->wpa_ptk_group_state); 1176 return; 1177 } 1178 break; 1179 #ifdef CONFIG_PEERKEY 1180 case SMK_M1: 1181 case SMK_M3: 1182 case SMK_ERROR: 1183 if (!wpa_auth->conf.peerkey) { 1184 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but " 1185 "PeerKey use disabled - ignoring message"); 1186 return; 1187 } 1188 if (!sm->PTK_valid) { 1189 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1190 "received EAPOL-Key msg SMK in " 1191 "invalid state - dropped"); 1192 return; 1193 } 1194 break; 1195 #else /* CONFIG_PEERKEY */ 1196 case SMK_M1: 1197 case SMK_M3: 1198 case SMK_ERROR: 1199 return; /* STSL disabled - ignore SMK messages */ 1200 #endif /* CONFIG_PEERKEY */ 1201 case REQUEST: 1202 break; 1203 } 1204 1205 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1206 "received EAPOL-Key frame (%s)", msgtxt); 1207 1208 if (key_info & WPA_KEY_INFO_ACK) { 1209 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1210 "received invalid EAPOL-Key: Key Ack set"); 1211 return; 1212 } 1213 1214 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1215 !(key_info & WPA_KEY_INFO_MIC)) { 1216 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1217 "received invalid EAPOL-Key: Key MIC not set"); 1218 return; 1219 } 1220 1221 #ifdef CONFIG_FILS 1222 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1223 (key_info & WPA_KEY_INFO_MIC)) { 1224 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1225 "received invalid EAPOL-Key: Key MIC set"); 1226 return; 1227 } 1228 #endif /* CONFIG_FILS */ 1229 1230 sm->MICVerified = FALSE; 1231 if (sm->PTK_valid && !sm->update_snonce) { 1232 if (mic_len && 1233 wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data, 1234 data_len) && 1235 (msg != PAIRWISE_4 || !sm->alt_snonce_valid || 1236 wpa_try_alt_snonce(sm, data, data_len))) { 1237 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1238 "received EAPOL-Key with invalid MIC"); 1239 return; 1240 } 1241 #ifdef CONFIG_FILS 1242 if (!mic_len && 1243 wpa_aead_decrypt(sm, &sm->PTK, data, data_len, 1244 &key_data_length) < 0) { 1245 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1246 "received EAPOL-Key with invalid MIC"); 1247 return; 1248 } 1249 #endif /* CONFIG_FILS */ 1250 sm->MICVerified = TRUE; 1251 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1252 sm->pending_1_of_4_timeout = 0; 1253 } 1254 1255 if (key_info & WPA_KEY_INFO_REQUEST) { 1256 if (sm->MICVerified) { 1257 sm->req_replay_counter_used = 1; 1258 os_memcpy(sm->req_replay_counter, key->replay_counter, 1259 WPA_REPLAY_COUNTER_LEN); 1260 } else { 1261 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1262 "received EAPOL-Key request with " 1263 "invalid MIC"); 1264 return; 1265 } 1266 1267 /* 1268 * TODO: should decrypt key data field if encryption was used; 1269 * even though MAC address KDE is not normally encrypted, 1270 * supplicant is allowed to encrypt it. 1271 */ 1272 if (msg == SMK_ERROR) { 1273 #ifdef CONFIG_PEERKEY 1274 wpa_smk_error(wpa_auth, sm, key_data, key_data_length); 1275 #endif /* CONFIG_PEERKEY */ 1276 return; 1277 } else if (key_info & WPA_KEY_INFO_ERROR) { 1278 if (wpa_receive_error_report( 1279 wpa_auth, sm, 1280 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1281 return; /* STA entry was removed */ 1282 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1283 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1284 "received EAPOL-Key Request for new " 1285 "4-Way Handshake"); 1286 wpa_request_new_ptk(sm); 1287 #ifdef CONFIG_PEERKEY 1288 } else if (msg == SMK_M1) { 1289 wpa_smk_m1(wpa_auth, sm, key, key_data, 1290 key_data_length); 1291 #endif /* CONFIG_PEERKEY */ 1292 } else if (key_data_length > 0 && 1293 wpa_parse_kde_ies(key_data, key_data_length, 1294 &kde) == 0 && 1295 kde.mac_addr) { 1296 } else { 1297 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1298 "received EAPOL-Key Request for GTK " 1299 "rekeying"); 1300 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1301 wpa_rekey_gtk(wpa_auth, NULL); 1302 } 1303 } else { 1304 /* Do not allow the same key replay counter to be reused. */ 1305 wpa_replay_counter_mark_invalid(sm->key_replay, 1306 key->replay_counter); 1307 1308 if (msg == PAIRWISE_2) { 1309 /* 1310 * Maintain a copy of the pending EAPOL-Key frames in 1311 * case the EAPOL-Key frame was retransmitted. This is 1312 * needed to allow EAPOL-Key msg 2/4 reply to another 1313 * pending msg 1/4 to update the SNonce to work around 1314 * unexpected supplicant behavior. 1315 */ 1316 os_memcpy(sm->prev_key_replay, sm->key_replay, 1317 sizeof(sm->key_replay)); 1318 } else { 1319 os_memset(sm->prev_key_replay, 0, 1320 sizeof(sm->prev_key_replay)); 1321 } 1322 1323 /* 1324 * Make sure old valid counters are not accepted anymore and 1325 * do not get copied again. 1326 */ 1327 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1328 } 1329 1330 #ifdef CONFIG_PEERKEY 1331 if (msg == SMK_M3) { 1332 wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length); 1333 return; 1334 } 1335 #endif /* CONFIG_PEERKEY */ 1336 1337 os_free(sm->last_rx_eapol_key); 1338 sm->last_rx_eapol_key = os_malloc(data_len); 1339 if (sm->last_rx_eapol_key == NULL) 1340 return; 1341 os_memcpy(sm->last_rx_eapol_key, data, data_len); 1342 sm->last_rx_eapol_key_len = data_len; 1343 1344 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1345 sm->EAPOLKeyReceived = TRUE; 1346 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1347 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1348 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1349 wpa_sm_step(sm); 1350 } 1351 1352 1353 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1354 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1355 { 1356 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16]; 1357 u8 *pos; 1358 int ret = 0; 1359 1360 /* GTK = PRF-X(GMK, "Group key expansion", 1361 * AA || GNonce || Time || random data) 1362 * The example described in the IEEE 802.11 standard uses only AA and 1363 * GNonce as inputs here. Add some more entropy since this derivation 1364 * is done only at the Authenticator and as such, does not need to be 1365 * exactly same. 1366 */ 1367 os_memcpy(data, addr, ETH_ALEN); 1368 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1369 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1370 wpa_get_ntp_timestamp(pos); 1371 pos += 8; 1372 if (random_get_bytes(pos, 16) < 0) 1373 ret = -1; 1374 1375 #ifdef CONFIG_IEEE80211W 1376 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len); 1377 #else /* CONFIG_IEEE80211W */ 1378 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len) 1379 < 0) 1380 ret = -1; 1381 #endif /* CONFIG_IEEE80211W */ 1382 1383 return ret; 1384 } 1385 1386 1387 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1388 { 1389 struct wpa_authenticator *wpa_auth = eloop_ctx; 1390 struct wpa_state_machine *sm = timeout_ctx; 1391 1392 sm->pending_1_of_4_timeout = 0; 1393 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1394 sm->TimeoutEvt = TRUE; 1395 wpa_sm_step(sm); 1396 } 1397 1398 1399 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1400 struct wpa_state_machine *sm, int key_info, 1401 const u8 *key_rsc, const u8 *nonce, 1402 const u8 *kde, size_t kde_len, 1403 int keyidx, int encr, int force_version) 1404 { 1405 struct ieee802_1x_hdr *hdr; 1406 struct wpa_eapol_key *key; 1407 size_t len, mic_len, keyhdrlen; 1408 int alg; 1409 int key_data_len, pad_len = 0; 1410 u8 *buf, *pos; 1411 int version, pairwise; 1412 int i; 1413 u8 *key_mic, *key_data; 1414 1415 mic_len = wpa_mic_len(sm->wpa_key_mgmt); 1416 keyhdrlen = sizeof(*key) + mic_len + 2; 1417 1418 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen; 1419 1420 if (force_version) 1421 version = force_version; 1422 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1423 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1424 wpa_key_mgmt_fils(sm->wpa_key_mgmt)) 1425 version = WPA_KEY_INFO_TYPE_AKM_DEFINED; 1426 else if (wpa_use_aes_cmac(sm)) 1427 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1428 else if (sm->pairwise != WPA_CIPHER_TKIP) 1429 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1430 else 1431 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1432 1433 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1434 1435 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1436 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1437 "encr=%d)", 1438 version, 1439 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1440 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1441 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1442 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1443 pairwise, (unsigned long) kde_len, keyidx, encr); 1444 1445 key_data_len = kde_len; 1446 1447 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1448 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1449 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1450 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1451 pad_len = key_data_len % 8; 1452 if (pad_len) 1453 pad_len = 8 - pad_len; 1454 key_data_len += pad_len + 8; 1455 } 1456 1457 len += key_data_len; 1458 if (!mic_len && encr) 1459 len += AES_BLOCK_SIZE; 1460 1461 hdr = os_zalloc(len); 1462 if (hdr == NULL) 1463 return; 1464 hdr->version = wpa_auth->conf.eapol_version; 1465 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1466 hdr->length = host_to_be16(len - sizeof(*hdr)); 1467 key = (struct wpa_eapol_key *) (hdr + 1); 1468 key_mic = (u8 *) (key + 1); 1469 key_data = ((u8 *) (hdr + 1)) + keyhdrlen; 1470 1471 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1472 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1473 key_info |= version; 1474 if (encr && sm->wpa == WPA_VERSION_WPA2) 1475 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1476 if (sm->wpa != WPA_VERSION_WPA2) 1477 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1478 WPA_PUT_BE16(key->key_info, key_info); 1479 1480 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1481 if ((key_info & WPA_KEY_INFO_SMK_MESSAGE) || 1482 (sm->wpa == WPA_VERSION_WPA2 && !pairwise)) 1483 WPA_PUT_BE16(key->key_length, 0); 1484 else 1485 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1486 1487 /* FIX: STSL: what to use as key_replay_counter? */ 1488 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1489 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1490 os_memcpy(sm->key_replay[i].counter, 1491 sm->key_replay[i - 1].counter, 1492 WPA_REPLAY_COUNTER_LEN); 1493 } 1494 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1495 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1496 WPA_REPLAY_COUNTER_LEN); 1497 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", 1498 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1499 sm->key_replay[0].valid = TRUE; 1500 1501 if (nonce) 1502 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1503 1504 if (key_rsc) 1505 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1506 1507 if (kde && !encr) { 1508 os_memcpy(key_data, kde, kde_len); 1509 WPA_PUT_BE16(key_mic + mic_len, kde_len); 1510 #ifdef CONFIG_FILS 1511 } else if (!mic_len) { 1512 const u8 *aad[1]; 1513 size_t aad_len[1]; 1514 1515 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len); 1516 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1517 kde, kde_len); 1518 1519 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", 1520 sm->PTK.kek, sm->PTK.kek_len); 1521 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 1522 * to Key Data (exclusive). */ 1523 aad[0] = (u8 *) hdr; 1524 aad_len[0] = key_mic + 2 - (u8 *) hdr; 1525 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len, 1526 1, aad, aad_len, key_mic + 2) < 0) { 1527 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed"); 1528 return; 1529 } 1530 1531 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV", 1532 key_mic + 2, AES_BLOCK_SIZE + kde_len); 1533 #endif /* CONFIG_FILS */ 1534 } else if (encr && kde) { 1535 buf = os_zalloc(key_data_len); 1536 if (buf == NULL) { 1537 os_free(hdr); 1538 return; 1539 } 1540 pos = buf; 1541 os_memcpy(pos, kde, kde_len); 1542 pos += kde_len; 1543 1544 if (pad_len) 1545 *pos++ = 0xdd; 1546 1547 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1548 buf, key_data_len); 1549 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1550 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1551 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1552 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1553 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len, 1554 (key_data_len - 8) / 8, buf, key_data)) { 1555 os_free(hdr); 1556 os_free(buf); 1557 return; 1558 } 1559 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1560 #ifndef CONFIG_NO_RC4 1561 } else if (sm->PTK.kek_len == 16) { 1562 u8 ek[32]; 1563 os_memcpy(key->key_iv, 1564 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1565 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1566 os_memcpy(ek, key->key_iv, 16); 1567 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len); 1568 os_memcpy(key_data, buf, key_data_len); 1569 rc4_skip(ek, 32, 256, key_data, key_data_len); 1570 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1571 #endif /* CONFIG_NO_RC4 */ 1572 } else { 1573 os_free(hdr); 1574 os_free(buf); 1575 return; 1576 } 1577 os_free(buf); 1578 } 1579 1580 if (key_info & WPA_KEY_INFO_MIC) { 1581 if (!sm->PTK_valid || !mic_len) { 1582 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1583 "PTK not valid when sending EAPOL-Key " 1584 "frame"); 1585 os_free(hdr); 1586 return; 1587 } 1588 1589 wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len, 1590 sm->wpa_key_mgmt, version, 1591 (u8 *) hdr, len, key_mic); 1592 #ifdef CONFIG_TESTING_OPTIONS 1593 if (!pairwise && 1594 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 && 1595 drand48() < 1596 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { 1597 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1598 "Corrupting group EAPOL-Key Key MIC"); 1599 key_mic[0]++; 1600 } 1601 #endif /* CONFIG_TESTING_OPTIONS */ 1602 } 1603 1604 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1605 1); 1606 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1607 sm->pairwise_set); 1608 os_free(hdr); 1609 } 1610 1611 1612 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1613 struct wpa_state_machine *sm, int key_info, 1614 const u8 *key_rsc, const u8 *nonce, 1615 const u8 *kde, size_t kde_len, 1616 int keyidx, int encr) 1617 { 1618 int timeout_ms; 1619 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1620 u32 ctr; 1621 1622 if (sm == NULL) 1623 return; 1624 1625 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1626 keyidx, encr, 0); 1627 1628 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1629 if (ctr == 1 && wpa_auth->conf.tx_status) 1630 timeout_ms = pairwise ? eapol_key_timeout_first : 1631 eapol_key_timeout_first_group; 1632 else 1633 timeout_ms = eapol_key_timeout_subseq; 1634 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1635 sm->pending_1_of_4_timeout = 1; 1636 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1637 "counter %u)", timeout_ms, ctr); 1638 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1639 wpa_send_eapol_timeout, wpa_auth, sm); 1640 } 1641 1642 1643 static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data, 1644 size_t data_len) 1645 { 1646 struct ieee802_1x_hdr *hdr; 1647 struct wpa_eapol_key *key; 1648 u16 key_info; 1649 int ret = 0; 1650 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos; 1651 size_t mic_len = wpa_mic_len(akmp); 1652 1653 if (data_len < sizeof(*hdr) + sizeof(*key)) 1654 return -1; 1655 1656 hdr = (struct ieee802_1x_hdr *) data; 1657 key = (struct wpa_eapol_key *) (hdr + 1); 1658 mic_pos = (u8 *) (key + 1); 1659 key_info = WPA_GET_BE16(key->key_info); 1660 os_memcpy(mic, mic_pos, mic_len); 1661 os_memset(mic_pos, 0, mic_len); 1662 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp, 1663 key_info & WPA_KEY_INFO_TYPE_MASK, 1664 data, data_len, mic_pos) || 1665 os_memcmp_const(mic, mic_pos, mic_len) != 0) 1666 ret = -1; 1667 os_memcpy(mic_pos, mic, mic_len); 1668 return ret; 1669 } 1670 1671 1672 void wpa_remove_ptk(struct wpa_state_machine *sm) 1673 { 1674 sm->PTK_valid = FALSE; 1675 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1676 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 1677 0)) 1678 wpa_printf(MSG_DEBUG, 1679 "RSN: PTK removal from the driver failed"); 1680 sm->pairwise_set = FALSE; 1681 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1682 } 1683 1684 1685 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) 1686 { 1687 int remove_ptk = 1; 1688 1689 if (sm == NULL) 1690 return -1; 1691 1692 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1693 "event %d notification", event); 1694 1695 switch (event) { 1696 case WPA_AUTH: 1697 #ifdef CONFIG_MESH 1698 /* PTKs are derived through AMPE */ 1699 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) { 1700 /* not mesh */ 1701 break; 1702 } 1703 return 0; 1704 #endif /* CONFIG_MESH */ 1705 case WPA_ASSOC: 1706 break; 1707 case WPA_DEAUTH: 1708 case WPA_DISASSOC: 1709 sm->DeauthenticationRequest = TRUE; 1710 break; 1711 case WPA_REAUTH: 1712 case WPA_REAUTH_EAPOL: 1713 if (!sm->started) { 1714 /* 1715 * When using WPS, we may end up here if the STA 1716 * manages to re-associate without the previous STA 1717 * entry getting removed. Consequently, we need to make 1718 * sure that the WPA state machines gets initialized 1719 * properly at this point. 1720 */ 1721 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1722 "started - initialize now"); 1723 sm->started = 1; 1724 sm->Init = TRUE; 1725 if (wpa_sm_step(sm) == 1) 1726 return 1; /* should not really happen */ 1727 sm->Init = FALSE; 1728 sm->AuthenticationRequest = TRUE; 1729 break; 1730 } 1731 if (sm->GUpdateStationKeys) { 1732 /* 1733 * Reauthentication cancels the pending group key 1734 * update for this STA. 1735 */ 1736 sm->group->GKeyDoneStations--; 1737 sm->GUpdateStationKeys = FALSE; 1738 sm->PtkGroupInit = TRUE; 1739 } 1740 sm->ReAuthenticationRequest = TRUE; 1741 break; 1742 case WPA_ASSOC_FT: 1743 #ifdef CONFIG_IEEE80211R_AP 1744 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1745 "after association"); 1746 wpa_ft_install_ptk(sm); 1747 1748 /* Using FT protocol, not WPA auth state machine */ 1749 sm->ft_completed = 1; 1750 return 0; 1751 #else /* CONFIG_IEEE80211R_AP */ 1752 break; 1753 #endif /* CONFIG_IEEE80211R_AP */ 1754 case WPA_DRV_STA_REMOVED: 1755 sm->tk_already_set = FALSE; 1756 return 0; 1757 } 1758 1759 #ifdef CONFIG_IEEE80211R_AP 1760 sm->ft_completed = 0; 1761 #endif /* CONFIG_IEEE80211R_AP */ 1762 1763 #ifdef CONFIG_IEEE80211W 1764 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1765 remove_ptk = 0; 1766 #endif /* CONFIG_IEEE80211W */ 1767 #ifdef CONFIG_FILS 1768 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1769 (event == WPA_AUTH || event == WPA_ASSOC)) 1770 remove_ptk = 0; 1771 #endif /* CONFIG_FILS */ 1772 1773 if (remove_ptk) { 1774 sm->PTK_valid = FALSE; 1775 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1776 1777 if (event != WPA_REAUTH_EAPOL) 1778 wpa_remove_ptk(sm); 1779 } 1780 1781 if (sm->in_step_loop) { 1782 /* 1783 * wpa_sm_step() is already running - avoid recursive call to 1784 * it by making the existing loop process the new update. 1785 */ 1786 sm->changed = TRUE; 1787 return 0; 1788 } 1789 return wpa_sm_step(sm); 1790 } 1791 1792 1793 SM_STATE(WPA_PTK, INITIALIZE) 1794 { 1795 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1796 if (sm->Init) { 1797 /* Init flag is not cleared here, so avoid busy 1798 * loop by claiming nothing changed. */ 1799 sm->changed = FALSE; 1800 } 1801 1802 sm->keycount = 0; 1803 if (sm->GUpdateStationKeys) 1804 sm->group->GKeyDoneStations--; 1805 sm->GUpdateStationKeys = FALSE; 1806 if (sm->wpa == WPA_VERSION_WPA) 1807 sm->PInitAKeys = FALSE; 1808 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1809 * Local AA > Remote AA)) */) { 1810 sm->Pair = TRUE; 1811 } 1812 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1813 wpa_remove_ptk(sm); 1814 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1815 sm->TimeoutCtr = 0; 1816 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1817 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1818 WPA_EAPOL_authorized, 0); 1819 } 1820 } 1821 1822 1823 SM_STATE(WPA_PTK, DISCONNECT) 1824 { 1825 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1826 sm->Disconnect = FALSE; 1827 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1828 } 1829 1830 1831 SM_STATE(WPA_PTK, DISCONNECTED) 1832 { 1833 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1834 sm->DeauthenticationRequest = FALSE; 1835 } 1836 1837 1838 SM_STATE(WPA_PTK, AUTHENTICATION) 1839 { 1840 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1841 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1842 sm->PTK_valid = FALSE; 1843 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1844 1); 1845 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1846 sm->AuthenticationRequest = FALSE; 1847 } 1848 1849 1850 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1851 struct wpa_group *group) 1852 { 1853 if (group->first_sta_seen) 1854 return; 1855 /* 1856 * System has run bit further than at the time hostapd was started 1857 * potentially very early during boot up. This provides better chances 1858 * of collecting more randomness on embedded systems. Re-initialize the 1859 * GMK and Counter here to improve their strength if there was not 1860 * enough entropy available immediately after system startup. 1861 */ 1862 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1863 "station"); 1864 if (random_pool_ready() != 1) { 1865 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1866 "to proceed - reject first 4-way handshake"); 1867 group->reject_4way_hs_for_entropy = TRUE; 1868 } else { 1869 group->first_sta_seen = TRUE; 1870 group->reject_4way_hs_for_entropy = FALSE; 1871 } 1872 1873 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 || 1874 wpa_gtk_update(wpa_auth, group) < 0 || 1875 wpa_group_config_group_keys(wpa_auth, group) < 0) { 1876 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed"); 1877 group->first_sta_seen = FALSE; 1878 group->reject_4way_hs_for_entropy = TRUE; 1879 } 1880 } 1881 1882 1883 SM_STATE(WPA_PTK, AUTHENTICATION2) 1884 { 1885 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1886 1887 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1888 sm->ReAuthenticationRequest = FALSE; 1889 1890 /* 1891 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1892 * ambiguous. The Authenticator state machine uses a counter that is 1893 * incremented by one for each 4-way handshake. However, the security 1894 * analysis of 4-way handshake points out that unpredictable nonces 1895 * help in preventing precomputation attacks. Instead of the state 1896 * machine definition, use an unpredictable nonce value here to provide 1897 * stronger protection against potential precomputation attacks. 1898 */ 1899 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1900 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1901 "ANonce."); 1902 sm->Disconnect = TRUE; 1903 return; 1904 } 1905 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1906 WPA_NONCE_LEN); 1907 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1908 * logical place than INITIALIZE since AUTHENTICATION2 can be 1909 * re-entered on ReAuthenticationRequest without going through 1910 * INITIALIZE. */ 1911 sm->TimeoutCtr = 0; 1912 } 1913 1914 1915 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) 1916 { 1917 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1918 wpa_printf(MSG_ERROR, 1919 "WPA: Failed to get random data for ANonce"); 1920 sm->Disconnect = TRUE; 1921 return -1; 1922 } 1923 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, 1924 WPA_NONCE_LEN); 1925 sm->TimeoutCtr = 0; 1926 return 0; 1927 } 1928 1929 1930 SM_STATE(WPA_PTK, INITPMK) 1931 { 1932 u8 msk[2 * PMK_LEN]; 1933 size_t len = 2 * PMK_LEN; 1934 1935 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1936 #ifdef CONFIG_IEEE80211R_AP 1937 sm->xxkey_len = 0; 1938 #endif /* CONFIG_IEEE80211R_AP */ 1939 if (sm->pmksa) { 1940 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1941 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 1942 sm->pmk_len = sm->pmksa->pmk_len; 1943 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1944 unsigned int pmk_len; 1945 1946 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) 1947 pmk_len = PMK_LEN_SUITE_B_192; 1948 else 1949 pmk_len = PMK_LEN; 1950 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1951 "(MSK len=%lu PMK len=%u)", (unsigned long) len, 1952 pmk_len); 1953 if (len < pmk_len) { 1954 wpa_printf(MSG_DEBUG, 1955 "WPA: MSK not long enough (%u) to create PMK (%u)", 1956 (unsigned int) len, (unsigned int) pmk_len); 1957 sm->Disconnect = TRUE; 1958 return; 1959 } 1960 os_memcpy(sm->PMK, msk, pmk_len); 1961 sm->pmk_len = pmk_len; 1962 #ifdef CONFIG_IEEE80211R_AP 1963 if (len >= 2 * PMK_LEN) { 1964 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1965 sm->xxkey_len = PMK_LEN; 1966 } 1967 #endif /* CONFIG_IEEE80211R_AP */ 1968 } else { 1969 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p", 1970 sm->wpa_auth->cb->get_msk); 1971 sm->Disconnect = TRUE; 1972 return; 1973 } 1974 os_memset(msk, 0, sizeof(msk)); 1975 1976 sm->req_replay_counter_used = 0; 1977 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1978 * will break reauthentication since EAPOL state machines may not be 1979 * get into AUTHENTICATING state that clears keyRun before WPA state 1980 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1981 * state and takes PMK from the previously used AAA Key. This will 1982 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1983 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1984 * be good workaround for this issue. */ 1985 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1986 } 1987 1988 1989 SM_STATE(WPA_PTK, INITPSK) 1990 { 1991 const u8 *psk; 1992 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1993 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL); 1994 if (psk) { 1995 os_memcpy(sm->PMK, psk, PMK_LEN); 1996 sm->pmk_len = PMK_LEN; 1997 #ifdef CONFIG_IEEE80211R_AP 1998 os_memcpy(sm->xxkey, psk, PMK_LEN); 1999 sm->xxkey_len = PMK_LEN; 2000 #endif /* CONFIG_IEEE80211R_AP */ 2001 } 2002 sm->req_replay_counter_used = 0; 2003 } 2004 2005 2006 SM_STATE(WPA_PTK, PTKSTART) 2007 { 2008 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 2009 size_t pmkid_len = 0; 2010 2011 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 2012 sm->PTKRequest = FALSE; 2013 sm->TimeoutEvt = FALSE; 2014 sm->alt_snonce_valid = FALSE; 2015 2016 sm->TimeoutCtr++; 2017 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 2018 /* No point in sending the EAPOL-Key - we will disconnect 2019 * immediately following this. */ 2020 return; 2021 } 2022 2023 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2024 "sending 1/4 msg of 4-Way Handshake"); 2025 /* 2026 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only 2027 * one possible PSK for this STA. 2028 */ 2029 if (sm->wpa == WPA_VERSION_WPA2 && 2030 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2031 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) { 2032 pmkid = buf; 2033 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 2034 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 2035 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 2036 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 2037 if (sm->pmksa) { 2038 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2039 sm->pmksa->pmkid, PMKID_LEN); 2040 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) { 2041 /* No KCK available to derive PMKID */ 2042 pmkid = NULL; 2043 } else { 2044 /* 2045 * Calculate PMKID since no PMKSA cache entry was 2046 * available with pre-calculated PMKID. 2047 */ 2048 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr, 2049 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 2050 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 2051 } 2052 } 2053 wpa_send_eapol(sm->wpa_auth, sm, 2054 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 2055 sm->ANonce, pmkid, pmkid_len, 0, 0); 2056 } 2057 2058 2059 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 2060 const u8 *pmk, unsigned int pmk_len, 2061 struct wpa_ptk *ptk) 2062 { 2063 #ifdef CONFIG_IEEE80211R_AP 2064 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 2065 return wpa_auth_derive_ptk_ft(sm, pmk, ptk); 2066 #endif /* CONFIG_IEEE80211R_AP */ 2067 2068 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion", 2069 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce, 2070 ptk, sm->wpa_key_mgmt, sm->pairwise); 2071 } 2072 2073 2074 #ifdef CONFIG_FILS 2075 2076 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, 2077 size_t pmk_len, const u8 *snonce, const u8 *anonce) 2078 { 2079 u8 ick[FILS_ICK_MAX_LEN]; 2080 size_t ick_len; 2081 int res; 2082 2083 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr, 2084 snonce, anonce, &sm->PTK, ick, &ick_len, 2085 sm->wpa_key_mgmt, sm->pairwise); 2086 if (res < 0) 2087 return res; 2088 sm->PTK_valid = TRUE; 2089 2090 res = fils_key_auth_sk(ick, ick_len, snonce, anonce, 2091 sm->addr, sm->wpa_auth->addr, 2092 NULL, 0, NULL, 0, /* TODO: SK+PFS */ 2093 sm->wpa_key_mgmt, sm->fils_key_auth_sta, 2094 sm->fils_key_auth_ap, 2095 &sm->fils_key_auth_len); 2096 os_memset(ick, 0, sizeof(ick)); 2097 2098 /* Store nonces for (Re)Association Request/Response frame processing */ 2099 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN); 2100 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN); 2101 2102 return res; 2103 } 2104 2105 2106 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 2107 u8 *buf, size_t buf_len, u16 *_key_data_len) 2108 { 2109 struct ieee802_1x_hdr *hdr; 2110 struct wpa_eapol_key *key; 2111 u8 *pos; 2112 u16 key_data_len; 2113 u8 *tmp; 2114 const u8 *aad[1]; 2115 size_t aad_len[1]; 2116 2117 hdr = (struct ieee802_1x_hdr *) buf; 2118 key = (struct wpa_eapol_key *) (hdr + 1); 2119 pos = (u8 *) (key + 1); 2120 key_data_len = WPA_GET_BE16(pos); 2121 if (key_data_len < AES_BLOCK_SIZE || 2122 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) { 2123 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2124 "No room for AES-SIV data in the frame"); 2125 return -1; 2126 } 2127 pos += 2; /* Pointing at the Encrypted Key Data field */ 2128 2129 tmp = os_malloc(key_data_len); 2130 if (!tmp) 2131 return -1; 2132 2133 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 2134 * to Key Data (exclusive). */ 2135 aad[0] = buf; 2136 aad_len[0] = pos - buf; 2137 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len, 2138 1, aad, aad_len, tmp) < 0) { 2139 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2140 "Invalid AES-SIV data in the frame"); 2141 bin_clear_free(tmp, key_data_len); 2142 return -1; 2143 } 2144 2145 /* AEAD decryption and validation completed successfully */ 2146 key_data_len -= AES_BLOCK_SIZE; 2147 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data", 2148 tmp, key_data_len); 2149 2150 /* Replace Key Data field with the decrypted version */ 2151 os_memcpy(pos, tmp, key_data_len); 2152 pos -= 2; /* Key Data Length field */ 2153 WPA_PUT_BE16(pos, key_data_len); 2154 bin_clear_free(tmp, key_data_len); 2155 if (_key_data_len) 2156 *_key_data_len = key_data_len; 2157 return 0; 2158 } 2159 2160 2161 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session, 2162 const struct ieee80211_mgmt *mgmt, size_t frame_len, 2163 u8 *pos, size_t left) 2164 { 2165 u16 fc, stype; 2166 const u8 *end, *ie_start, *ie, *session, *crypt; 2167 struct ieee802_11_elems elems; 2168 const u8 *aad[5]; 2169 size_t aad_len[5]; 2170 2171 if (!sm || !sm->PTK_valid) { 2172 wpa_printf(MSG_DEBUG, 2173 "FILS: No KEK to decrypt Assocication Request frame"); 2174 return -1; 2175 } 2176 2177 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2178 wpa_printf(MSG_DEBUG, 2179 "FILS: Not a FILS AKM - reject association"); 2180 return -1; 2181 } 2182 2183 end = ((const u8 *) mgmt) + frame_len; 2184 fc = le_to_host16(mgmt->frame_control); 2185 stype = WLAN_FC_GET_STYPE(fc); 2186 if (stype == WLAN_FC_STYPE_REASSOC_REQ) 2187 ie_start = mgmt->u.reassoc_req.variable; 2188 else 2189 ie_start = mgmt->u.assoc_req.variable; 2190 ie = ie_start; 2191 2192 /* 2193 * Find FILS Session element which is the last unencrypted element in 2194 * the frame. 2195 */ 2196 session = NULL; 2197 while (ie + 1 < end) { 2198 if (ie + 2 + ie[1] > end) 2199 break; 2200 if (ie[0] == WLAN_EID_EXTENSION && 2201 ie[1] >= 1 + FILS_SESSION_LEN && 2202 ie[2] == WLAN_EID_EXT_FILS_SESSION) { 2203 session = ie; 2204 break; 2205 } 2206 ie += 2 + ie[1]; 2207 } 2208 2209 if (!session) { 2210 wpa_printf(MSG_DEBUG, 2211 "FILS: Could not find FILS Session element in Association Request frame - reject"); 2212 return -1; 2213 } 2214 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) { 2215 wpa_printf(MSG_DEBUG, "FILS: Session mismatch"); 2216 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 2217 fils_session, FILS_SESSION_LEN); 2218 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session", 2219 session + 3, FILS_SESSION_LEN); 2220 return -1; 2221 } 2222 crypt = session + 2 + session[1]; 2223 2224 if (end - crypt < AES_BLOCK_SIZE) { 2225 wpa_printf(MSG_DEBUG, 2226 "FILS: Too short frame to include AES-SIV data"); 2227 return -1; 2228 } 2229 2230 /* AES-SIV AAD vectors */ 2231 2232 /* The STA's MAC address */ 2233 aad[0] = mgmt->sa; 2234 aad_len[0] = ETH_ALEN; 2235 /* The AP's BSSID */ 2236 aad[1] = mgmt->da; 2237 aad_len[1] = ETH_ALEN; 2238 /* The STA's nonce */ 2239 aad[2] = sm->SNonce; 2240 aad_len[2] = FILS_NONCE_LEN; 2241 /* The AP's nonce */ 2242 aad[3] = sm->ANonce; 2243 aad_len[3] = FILS_NONCE_LEN; 2244 /* 2245 * The (Re)Association Request frame from the Capability Information 2246 * field to the FILS Session element (both inclusive). 2247 */ 2248 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info; 2249 aad_len[4] = crypt - aad[4]; 2250 2251 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt, 2252 5, aad, aad_len, pos + (crypt - ie_start)) < 0) { 2253 wpa_printf(MSG_DEBUG, 2254 "FILS: Invalid AES-SIV data in the frame"); 2255 return -1; 2256 } 2257 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements", 2258 pos, left - AES_BLOCK_SIZE); 2259 2260 if (ieee802_11_parse_elems(pos, left - AES_BLOCK_SIZE, &elems, 1) == 2261 ParseFailed) { 2262 wpa_printf(MSG_DEBUG, 2263 "FILS: Failed to parse decrypted elements"); 2264 return -1; 2265 } 2266 if (!elems.fils_key_confirm) { 2267 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element"); 2268 return -1; 2269 } 2270 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) { 2271 wpa_printf(MSG_DEBUG, 2272 "FILS: Unexpected Key-Auth length %d (expected %d)", 2273 elems.fils_key_confirm_len, 2274 (int) sm->fils_key_auth_len); 2275 return -1; 2276 } 2277 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta, 2278 sm->fils_key_auth_len) != 0) { 2279 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch"); 2280 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth", 2281 elems.fils_key_confirm, 2282 elems.fils_key_confirm_len); 2283 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth", 2284 sm->fils_key_auth_sta, sm->fils_key_auth_len); 2285 return -1; 2286 } 2287 2288 return left - AES_BLOCK_SIZE; 2289 } 2290 2291 2292 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf, 2293 size_t current_len, size_t max_len, 2294 const struct wpabuf *hlp) 2295 { 2296 u8 *end = buf + max_len; 2297 u8 *pos = buf + current_len; 2298 struct ieee80211_mgmt *mgmt; 2299 struct wpabuf *plain; 2300 u8 *len, *tmp, *tmp2; 2301 u8 hdr[2]; 2302 u8 *gtk, dummy_gtk[32]; 2303 size_t gtk_len; 2304 struct wpa_group *gsm; 2305 const u8 *aad[5]; 2306 size_t aad_len[5]; 2307 2308 if (!sm || !sm->PTK_valid) 2309 return -1; 2310 2311 wpa_hexdump(MSG_DEBUG, 2312 "FILS: Association Response frame before FILS processing", 2313 buf, current_len); 2314 2315 mgmt = (struct ieee80211_mgmt *) buf; 2316 2317 /* AES-SIV AAD vectors */ 2318 2319 /* The AP's BSSID */ 2320 aad[0] = mgmt->sa; 2321 aad_len[0] = ETH_ALEN; 2322 /* The STA's MAC address */ 2323 aad[1] = mgmt->da; 2324 aad_len[1] = ETH_ALEN; 2325 /* The AP's nonce */ 2326 aad[2] = sm->ANonce; 2327 aad_len[2] = FILS_NONCE_LEN; 2328 /* The STA's nonce */ 2329 aad[3] = sm->SNonce; 2330 aad_len[3] = FILS_NONCE_LEN; 2331 /* 2332 * The (Re)Association Response frame from the Capability Information 2333 * field (the same offset in both Association and Reassociation 2334 * Response frames) to the FILS Session element (both inclusive). 2335 */ 2336 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info; 2337 aad_len[4] = pos - aad[4]; 2338 2339 /* The following elements will be encrypted with AES-SIV */ 2340 2341 plain = wpabuf_alloc(1000); 2342 if (!plain) 2343 return -1; 2344 2345 /* TODO: FILS Public Key */ 2346 2347 /* FILS Key Confirmation */ 2348 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2349 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */ 2350 /* Element ID Extension */ 2351 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM); 2352 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len); 2353 2354 /* FILS HLP Container */ 2355 if (hlp) 2356 wpabuf_put_buf(plain, hlp); 2357 2358 /* TODO: FILS IP Address Assignment */ 2359 2360 /* Key Delivery */ 2361 gsm = sm->group; 2362 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2363 len = wpabuf_put(plain, 1); 2364 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY); 2365 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, 2366 wpabuf_put(plain, WPA_KEY_RSC_LEN)); 2367 /* GTK KDE */ 2368 gtk = gsm->GTK[gsm->GN - 1]; 2369 gtk_len = gsm->GTK_len; 2370 if (sm->wpa_auth->conf.disable_gtk) { 2371 /* 2372 * Provide unique random GTK to each STA to prevent use 2373 * of GTK in the BSS. 2374 */ 2375 if (random_get_bytes(dummy_gtk, gtk_len) < 0) { 2376 wpabuf_free(plain); 2377 return -1; 2378 } 2379 gtk = dummy_gtk; 2380 } 2381 hdr[0] = gsm->GN & 0x03; 2382 hdr[1] = 0; 2383 tmp = wpabuf_put(plain, 0); 2384 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2385 gtk, gtk_len); 2386 wpabuf_put(plain, tmp2 - tmp); 2387 2388 /* IGTK KDE */ 2389 tmp = wpabuf_put(plain, 0); 2390 tmp2 = ieee80211w_kde_add(sm, tmp); 2391 wpabuf_put(plain, tmp2 - tmp); 2392 2393 *len = (u8 *) wpabuf_put(plain, 0) - len - 1; 2394 2395 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) { 2396 wpa_printf(MSG_DEBUG, 2397 "FILS: Not enough room for FILS elements"); 2398 wpabuf_free(plain); 2399 return -1; 2400 } 2401 2402 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext", 2403 plain); 2404 2405 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, 2406 wpabuf_head(plain), wpabuf_len(plain), 2407 5, aad, aad_len, pos) < 0) { 2408 wpabuf_free(plain); 2409 return -1; 2410 } 2411 2412 wpa_hexdump(MSG_DEBUG, 2413 "FILS: Encrypted Association Response elements", 2414 pos, AES_BLOCK_SIZE + wpabuf_len(plain)); 2415 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE; 2416 wpabuf_free(plain); 2417 2418 sm->fils_completed = 1; 2419 2420 return current_len; 2421 } 2422 2423 2424 int fils_set_tk(struct wpa_state_machine *sm) 2425 { 2426 enum wpa_alg alg; 2427 int klen; 2428 2429 if (!sm || !sm->PTK_valid) 2430 return -1; 2431 2432 alg = wpa_cipher_to_alg(sm->pairwise); 2433 klen = wpa_cipher_key_len(sm->pairwise); 2434 2435 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); 2436 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2437 sm->PTK.tk, klen)) { 2438 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); 2439 return -1; 2440 } 2441 2442 return 0; 2443 } 2444 2445 #endif /* CONFIG_FILS */ 2446 2447 2448 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 2449 { 2450 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2451 struct wpa_ptk PTK; 2452 int ok = 0, psk_found = 0; 2453 const u8 *pmk = NULL; 2454 unsigned int pmk_len; 2455 int ft; 2456 const u8 *eapol_key_ie, *key_data, *mic; 2457 u16 key_data_length; 2458 size_t mic_len, eapol_key_ie_len; 2459 struct ieee802_1x_hdr *hdr; 2460 struct wpa_eapol_key *key; 2461 struct wpa_eapol_ie_parse kde; 2462 2463 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 2464 sm->EAPOLKeyReceived = FALSE; 2465 sm->update_snonce = FALSE; 2466 os_memset(&PTK, 0, sizeof(PTK)); 2467 2468 mic_len = wpa_mic_len(sm->wpa_key_mgmt); 2469 2470 /* WPA with IEEE 802.1X: use the derived PMK from EAP 2471 * WPA-PSK: iterate through possible PSKs and select the one matching 2472 * the packet */ 2473 for (;;) { 2474 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2475 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 2476 sm->p2p_dev_addr, pmk); 2477 if (pmk == NULL) 2478 break; 2479 psk_found = 1; 2480 pmk_len = PMK_LEN; 2481 } else { 2482 pmk = sm->PMK; 2483 pmk_len = sm->pmk_len; 2484 } 2485 2486 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0) 2487 break; 2488 2489 if (mic_len && 2490 wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, 2491 sm->last_rx_eapol_key, 2492 sm->last_rx_eapol_key_len) == 0) { 2493 ok = 1; 2494 break; 2495 } 2496 2497 #ifdef CONFIG_FILS 2498 if (!mic_len && 2499 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key, 2500 sm->last_rx_eapol_key_len, NULL) == 0) { 2501 ok = 1; 2502 break; 2503 } 2504 #endif /* CONFIG_FILS */ 2505 2506 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 2507 break; 2508 } 2509 2510 if (!ok) { 2511 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2512 "invalid MIC in msg 2/4 of 4-Way Handshake"); 2513 if (psk_found) 2514 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr); 2515 return; 2516 } 2517 2518 /* 2519 * Note: last_rx_eapol_key length fields have already been validated in 2520 * wpa_receive(). 2521 */ 2522 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key; 2523 key = (struct wpa_eapol_key *) (hdr + 1); 2524 mic = (u8 *) (key + 1); 2525 key_data = mic + mic_len + 2; 2526 key_data_length = WPA_GET_BE16(mic + mic_len); 2527 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) - 2528 sizeof(*key) - mic_len - 2) 2529 return; 2530 2531 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 2532 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 2533 "received EAPOL-Key msg 2/4 with invalid Key Data contents"); 2534 return; 2535 } 2536 if (kde.rsn_ie) { 2537 eapol_key_ie = kde.rsn_ie; 2538 eapol_key_ie_len = kde.rsn_ie_len; 2539 } else if (kde.osen) { 2540 eapol_key_ie = kde.osen; 2541 eapol_key_ie_len = kde.osen_len; 2542 } else { 2543 eapol_key_ie = kde.wpa_ie; 2544 eapol_key_ie_len = kde.wpa_ie_len; 2545 } 2546 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt); 2547 if (sm->wpa_ie == NULL || 2548 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len, 2549 eapol_key_ie, eapol_key_ie_len)) { 2550 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 2551 "WPA IE from (Re)AssocReq did not match with msg 2/4"); 2552 if (sm->wpa_ie) { 2553 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 2554 sm->wpa_ie, sm->wpa_ie_len); 2555 } 2556 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 2557 eapol_key_ie, eapol_key_ie_len); 2558 /* MLME-DEAUTHENTICATE.request */ 2559 wpa_sta_disconnect(wpa_auth, sm->addr); 2560 return; 2561 } 2562 #ifdef CONFIG_IEEE80211R_AP 2563 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 2564 wpa_sta_disconnect(wpa_auth, sm->addr); 2565 return; 2566 } 2567 #endif /* CONFIG_IEEE80211R_AP */ 2568 #ifdef CONFIG_P2P 2569 if (kde.ip_addr_req && kde.ip_addr_req[0] && 2570 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) { 2571 int idx; 2572 wpa_printf(MSG_DEBUG, 2573 "P2P: IP address requested in EAPOL-Key exchange"); 2574 idx = bitfield_get_first_zero(wpa_auth->ip_pool); 2575 if (idx >= 0) { 2576 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start); 2577 bitfield_set(wpa_auth->ip_pool, idx); 2578 WPA_PUT_BE32(sm->ip_addr, start + idx); 2579 wpa_printf(MSG_DEBUG, 2580 "P2P: Assigned IP address %u.%u.%u.%u to " 2581 MACSTR, sm->ip_addr[0], sm->ip_addr[1], 2582 sm->ip_addr[2], sm->ip_addr[3], 2583 MAC2STR(sm->addr)); 2584 } 2585 } 2586 #endif /* CONFIG_P2P */ 2587 2588 #ifdef CONFIG_IEEE80211R_AP 2589 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2590 /* 2591 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 2592 * with the value we derived. 2593 */ 2594 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name, 2595 WPA_PMK_NAME_LEN) != 0) { 2596 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2597 "PMKR1Name mismatch in FT 4-way " 2598 "handshake"); 2599 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 2600 "Supplicant", 2601 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 2602 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 2603 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 2604 return; 2605 } 2606 } 2607 #endif /* CONFIG_IEEE80211R_AP */ 2608 2609 sm->pending_1_of_4_timeout = 0; 2610 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 2611 2612 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2613 /* PSK may have changed from the previous choice, so update 2614 * state machine data based on whatever PSK was selected here. 2615 */ 2616 os_memcpy(sm->PMK, pmk, PMK_LEN); 2617 sm->pmk_len = PMK_LEN; 2618 } 2619 2620 sm->MICVerified = TRUE; 2621 2622 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 2623 sm->PTK_valid = TRUE; 2624 } 2625 2626 2627 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 2628 { 2629 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 2630 sm->TimeoutCtr = 0; 2631 } 2632 2633 2634 #ifdef CONFIG_IEEE80211W 2635 2636 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2637 { 2638 if (sm->mgmt_frame_prot) { 2639 size_t len; 2640 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2641 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len; 2642 } 2643 2644 return 0; 2645 } 2646 2647 2648 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2649 { 2650 struct wpa_igtk_kde igtk; 2651 struct wpa_group *gsm = sm->group; 2652 u8 rsc[WPA_KEY_RSC_LEN]; 2653 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2654 2655 if (!sm->mgmt_frame_prot) 2656 return pos; 2657 2658 igtk.keyid[0] = gsm->GN_igtk; 2659 igtk.keyid[1] = 0; 2660 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 2661 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0) 2662 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 2663 else 2664 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); 2665 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len); 2666 if (sm->wpa_auth->conf.disable_gtk) { 2667 /* 2668 * Provide unique random IGTK to each STA to prevent use of 2669 * IGTK in the BSS. 2670 */ 2671 if (random_get_bytes(igtk.igtk, len) < 0) 2672 return pos; 2673 } 2674 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 2675 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len, 2676 NULL, 0); 2677 2678 return pos; 2679 } 2680 2681 #else /* CONFIG_IEEE80211W */ 2682 2683 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2684 { 2685 return 0; 2686 } 2687 2688 2689 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2690 { 2691 return pos; 2692 } 2693 2694 #endif /* CONFIG_IEEE80211W */ 2695 2696 2697 SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 2698 { 2699 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 2700 size_t gtk_len, kde_len; 2701 struct wpa_group *gsm = sm->group; 2702 u8 *wpa_ie; 2703 int wpa_ie_len, secure, keyidx, encr = 0; 2704 2705 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 2706 sm->TimeoutEvt = FALSE; 2707 2708 sm->TimeoutCtr++; 2709 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 2710 /* No point in sending the EAPOL-Key - we will disconnect 2711 * immediately following this. */ 2712 return; 2713 } 2714 2715 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 2716 GTK[GN], IGTK, [FTIE], [TIE * 2]) 2717 */ 2718 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2719 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2720 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 2721 wpa_ie = sm->wpa_auth->wpa_ie; 2722 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 2723 if (sm->wpa == WPA_VERSION_WPA && 2724 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 2725 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 2726 /* WPA-only STA, remove RSN IE and possible MDIE */ 2727 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2728 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 2729 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2730 wpa_ie_len = wpa_ie[1] + 2; 2731 } 2732 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2733 "sending 3/4 msg of 4-Way Handshake"); 2734 if (sm->wpa == WPA_VERSION_WPA2) { 2735 /* WPA2 send GTK in the 4-way handshake */ 2736 secure = 1; 2737 gtk = gsm->GTK[gsm->GN - 1]; 2738 gtk_len = gsm->GTK_len; 2739 if (sm->wpa_auth->conf.disable_gtk) { 2740 /* 2741 * Provide unique random GTK to each STA to prevent use 2742 * of GTK in the BSS. 2743 */ 2744 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 2745 return; 2746 gtk = dummy_gtk; 2747 } 2748 keyidx = gsm->GN; 2749 _rsc = rsc; 2750 encr = 1; 2751 } else { 2752 /* WPA does not include GTK in msg 3/4 */ 2753 secure = 0; 2754 gtk = NULL; 2755 gtk_len = 0; 2756 keyidx = 0; 2757 _rsc = NULL; 2758 if (sm->rx_eapol_key_secure) { 2759 /* 2760 * It looks like Windows 7 supplicant tries to use 2761 * Secure bit in msg 2/4 after having reported Michael 2762 * MIC failure and it then rejects the 4-way handshake 2763 * if msg 3/4 does not set Secure bit. Work around this 2764 * by setting the Secure bit here even in the case of 2765 * WPA if the supplicant used it first. 2766 */ 2767 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2768 "STA used Secure bit in WPA msg 2/4 - " 2769 "set Secure for 3/4 as workaround"); 2770 secure = 1; 2771 } 2772 } 2773 2774 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 2775 if (gtk) 2776 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 2777 #ifdef CONFIG_IEEE80211R_AP 2778 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2779 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 2780 kde_len += 300; /* FTIE + 2 * TIE */ 2781 } 2782 #endif /* CONFIG_IEEE80211R_AP */ 2783 #ifdef CONFIG_P2P 2784 if (WPA_GET_BE32(sm->ip_addr) > 0) 2785 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4; 2786 #endif /* CONFIG_P2P */ 2787 kde = os_malloc(kde_len); 2788 if (kde == NULL) 2789 return; 2790 2791 pos = kde; 2792 os_memcpy(pos, wpa_ie, wpa_ie_len); 2793 pos += wpa_ie_len; 2794 #ifdef CONFIG_IEEE80211R_AP 2795 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2796 int res; 2797 size_t elen; 2798 2799 elen = pos - kde; 2800 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 2801 if (res < 0) { 2802 wpa_printf(MSG_ERROR, "FT: Failed to insert " 2803 "PMKR1Name into RSN IE in EAPOL-Key data"); 2804 os_free(kde); 2805 return; 2806 } 2807 pos -= wpa_ie_len; 2808 pos += elen; 2809 } 2810 #endif /* CONFIG_IEEE80211R_AP */ 2811 if (gtk) { 2812 u8 hdr[2]; 2813 hdr[0] = keyidx & 0x03; 2814 hdr[1] = 0; 2815 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2816 gtk, gtk_len); 2817 } 2818 pos = ieee80211w_kde_add(sm, pos); 2819 2820 #ifdef CONFIG_IEEE80211R_AP 2821 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2822 int res; 2823 struct wpa_auth_config *conf; 2824 2825 conf = &sm->wpa_auth->conf; 2826 if (sm->assoc_resp_ftie && 2827 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 2828 os_memcpy(pos, sm->assoc_resp_ftie, 2829 2 + sm->assoc_resp_ftie[1]); 2830 res = 2 + sm->assoc_resp_ftie[1]; 2831 } else { 2832 res = wpa_write_ftie(conf, conf->r0_key_holder, 2833 conf->r0_key_holder_len, 2834 NULL, NULL, pos, 2835 kde + kde_len - pos, 2836 NULL, 0); 2837 } 2838 if (res < 0) { 2839 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 2840 "into EAPOL-Key Key Data"); 2841 os_free(kde); 2842 return; 2843 } 2844 pos += res; 2845 2846 /* TIE[ReassociationDeadline] (TU) */ 2847 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2848 *pos++ = 5; 2849 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 2850 WPA_PUT_LE32(pos, conf->reassociation_deadline); 2851 pos += 4; 2852 2853 /* TIE[KeyLifetime] (seconds) */ 2854 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2855 *pos++ = 5; 2856 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 2857 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 2858 pos += 4; 2859 } 2860 #endif /* CONFIG_IEEE80211R_AP */ 2861 #ifdef CONFIG_P2P 2862 if (WPA_GET_BE32(sm->ip_addr) > 0) { 2863 u8 addr[3 * 4]; 2864 os_memcpy(addr, sm->ip_addr, 4); 2865 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4); 2866 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4); 2867 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC, 2868 addr, sizeof(addr), NULL, 0); 2869 } 2870 #endif /* CONFIG_P2P */ 2871 2872 wpa_send_eapol(sm->wpa_auth, sm, 2873 (secure ? WPA_KEY_INFO_SECURE : 0) | 2874 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) | 2875 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 2876 WPA_KEY_INFO_KEY_TYPE, 2877 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 2878 os_free(kde); 2879 } 2880 2881 2882 SM_STATE(WPA_PTK, PTKINITDONE) 2883 { 2884 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 2885 sm->EAPOLKeyReceived = FALSE; 2886 if (sm->Pair) { 2887 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 2888 int klen = wpa_cipher_key_len(sm->pairwise); 2889 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2890 sm->PTK.tk, klen)) { 2891 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 2892 return; 2893 } 2894 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 2895 sm->pairwise_set = TRUE; 2896 2897 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 2898 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 2899 eloop_register_timeout(sm->wpa_auth->conf. 2900 wpa_ptk_rekey, 0, wpa_rekey_ptk, 2901 sm->wpa_auth, sm); 2902 } 2903 2904 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2905 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2906 WPA_EAPOL_authorized, 1); 2907 } 2908 } 2909 2910 if (0 /* IBSS == TRUE */) { 2911 sm->keycount++; 2912 if (sm->keycount == 2) { 2913 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2914 WPA_EAPOL_portValid, 1); 2915 } 2916 } else { 2917 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 2918 1); 2919 } 2920 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 2921 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 2922 if (sm->wpa == WPA_VERSION_WPA) 2923 sm->PInitAKeys = TRUE; 2924 else 2925 sm->has_GTK = TRUE; 2926 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2927 "pairwise key handshake completed (%s)", 2928 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2929 2930 #ifdef CONFIG_IEEE80211R_AP 2931 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 2932 #endif /* CONFIG_IEEE80211R_AP */ 2933 } 2934 2935 2936 SM_STEP(WPA_PTK) 2937 { 2938 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2939 2940 if (sm->Init) 2941 SM_ENTER(WPA_PTK, INITIALIZE); 2942 else if (sm->Disconnect 2943 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 2944 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 2945 "WPA_PTK: sm->Disconnect"); 2946 SM_ENTER(WPA_PTK, DISCONNECT); 2947 } 2948 else if (sm->DeauthenticationRequest) 2949 SM_ENTER(WPA_PTK, DISCONNECTED); 2950 else if (sm->AuthenticationRequest) 2951 SM_ENTER(WPA_PTK, AUTHENTICATION); 2952 else if (sm->ReAuthenticationRequest) 2953 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2954 else if (sm->PTKRequest) { 2955 if (wpa_auth_sm_ptk_update(sm) < 0) 2956 SM_ENTER(WPA_PTK, DISCONNECTED); 2957 else 2958 SM_ENTER(WPA_PTK, PTKSTART); 2959 } else switch (sm->wpa_ptk_state) { 2960 case WPA_PTK_INITIALIZE: 2961 break; 2962 case WPA_PTK_DISCONNECT: 2963 SM_ENTER(WPA_PTK, DISCONNECTED); 2964 break; 2965 case WPA_PTK_DISCONNECTED: 2966 SM_ENTER(WPA_PTK, INITIALIZE); 2967 break; 2968 case WPA_PTK_AUTHENTICATION: 2969 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2970 break; 2971 case WPA_PTK_AUTHENTICATION2: 2972 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2973 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2974 WPA_EAPOL_keyRun) > 0) 2975 SM_ENTER(WPA_PTK, INITPMK); 2976 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) 2977 /* FIX: && 802.1X::keyRun */) 2978 SM_ENTER(WPA_PTK, INITPSK); 2979 break; 2980 case WPA_PTK_INITPMK: 2981 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2982 WPA_EAPOL_keyAvailable) > 0) 2983 SM_ENTER(WPA_PTK, PTKSTART); 2984 else { 2985 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2986 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2987 "INITPMK - keyAvailable = false"); 2988 SM_ENTER(WPA_PTK, DISCONNECT); 2989 } 2990 break; 2991 case WPA_PTK_INITPSK: 2992 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, 2993 NULL)) 2994 SM_ENTER(WPA_PTK, PTKSTART); 2995 else { 2996 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2997 "no PSK configured for the STA"); 2998 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2999 SM_ENTER(WPA_PTK, DISCONNECT); 3000 } 3001 break; 3002 case WPA_PTK_PTKSTART: 3003 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3004 sm->EAPOLKeyPairwise) 3005 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3006 else if (sm->TimeoutCtr > 3007 sm->wpa_auth->conf.wpa_pairwise_update_count) { 3008 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3009 wpa_auth_vlogger( 3010 sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3011 "PTKSTART: Retry limit %u reached", 3012 sm->wpa_auth->conf.wpa_pairwise_update_count); 3013 SM_ENTER(WPA_PTK, DISCONNECT); 3014 } else if (sm->TimeoutEvt) 3015 SM_ENTER(WPA_PTK, PTKSTART); 3016 break; 3017 case WPA_PTK_PTKCALCNEGOTIATING: 3018 if (sm->MICVerified) 3019 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 3020 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3021 sm->EAPOLKeyPairwise) 3022 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3023 else if (sm->TimeoutEvt) 3024 SM_ENTER(WPA_PTK, PTKSTART); 3025 break; 3026 case WPA_PTK_PTKCALCNEGOTIATING2: 3027 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3028 break; 3029 case WPA_PTK_PTKINITNEGOTIATING: 3030 if (sm->update_snonce) 3031 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3032 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3033 sm->EAPOLKeyPairwise && sm->MICVerified) 3034 SM_ENTER(WPA_PTK, PTKINITDONE); 3035 else if (sm->TimeoutCtr > 3036 sm->wpa_auth->conf.wpa_pairwise_update_count) { 3037 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3038 wpa_auth_vlogger( 3039 sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3040 "PTKINITNEGOTIATING: Retry limit %u reached", 3041 sm->wpa_auth->conf.wpa_pairwise_update_count); 3042 SM_ENTER(WPA_PTK, DISCONNECT); 3043 } else if (sm->TimeoutEvt) 3044 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3045 break; 3046 case WPA_PTK_PTKINITDONE: 3047 break; 3048 } 3049 } 3050 3051 3052 SM_STATE(WPA_PTK_GROUP, IDLE) 3053 { 3054 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 3055 if (sm->Init) { 3056 /* Init flag is not cleared here, so avoid busy 3057 * loop by claiming nothing changed. */ 3058 sm->changed = FALSE; 3059 } 3060 sm->GTimeoutCtr = 0; 3061 } 3062 3063 3064 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 3065 { 3066 u8 rsc[WPA_KEY_RSC_LEN]; 3067 struct wpa_group *gsm = sm->group; 3068 const u8 *kde; 3069 u8 *kde_buf = NULL, *pos, hdr[2]; 3070 size_t kde_len; 3071 u8 *gtk, dummy_gtk[32]; 3072 3073 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 3074 3075 sm->GTimeoutCtr++; 3076 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) { 3077 /* No point in sending the EAPOL-Key - we will disconnect 3078 * immediately following this. */ 3079 return; 3080 } 3081 3082 if (sm->wpa == WPA_VERSION_WPA) 3083 sm->PInitAKeys = FALSE; 3084 sm->TimeoutEvt = FALSE; 3085 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 3086 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 3087 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 3088 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 3089 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3090 "sending 1/2 msg of Group Key Handshake"); 3091 3092 gtk = gsm->GTK[gsm->GN - 1]; 3093 if (sm->wpa_auth->conf.disable_gtk) { 3094 /* 3095 * Provide unique random GTK to each STA to prevent use 3096 * of GTK in the BSS. 3097 */ 3098 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 3099 return; 3100 gtk = dummy_gtk; 3101 } 3102 if (sm->wpa == WPA_VERSION_WPA2) { 3103 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 3104 ieee80211w_kde_len(sm); 3105 kde_buf = os_malloc(kde_len); 3106 if (kde_buf == NULL) 3107 return; 3108 3109 kde = pos = kde_buf; 3110 hdr[0] = gsm->GN & 0x03; 3111 hdr[1] = 0; 3112 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 3113 gtk, gsm->GTK_len); 3114 pos = ieee80211w_kde_add(sm, pos); 3115 kde_len = pos - kde; 3116 } else { 3117 kde = gtk; 3118 kde_len = gsm->GTK_len; 3119 } 3120 3121 wpa_send_eapol(sm->wpa_auth, sm, 3122 WPA_KEY_INFO_SECURE | 3123 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) | 3124 WPA_KEY_INFO_ACK | 3125 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 3126 rsc, NULL, kde, kde_len, gsm->GN, 1); 3127 3128 os_free(kde_buf); 3129 } 3130 3131 3132 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 3133 { 3134 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 3135 sm->EAPOLKeyReceived = FALSE; 3136 if (sm->GUpdateStationKeys) 3137 sm->group->GKeyDoneStations--; 3138 sm->GUpdateStationKeys = FALSE; 3139 sm->GTimeoutCtr = 0; 3140 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 3141 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3142 "group key handshake completed (%s)", 3143 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 3144 sm->has_GTK = TRUE; 3145 } 3146 3147 3148 SM_STATE(WPA_PTK_GROUP, KEYERROR) 3149 { 3150 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 3151 if (sm->GUpdateStationKeys) 3152 sm->group->GKeyDoneStations--; 3153 sm->GUpdateStationKeys = FALSE; 3154 sm->Disconnect = TRUE; 3155 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3156 "group key handshake failed (%s) after %u tries", 3157 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN", 3158 sm->wpa_auth->conf.wpa_group_update_count); 3159 } 3160 3161 3162 SM_STEP(WPA_PTK_GROUP) 3163 { 3164 if (sm->Init || sm->PtkGroupInit) { 3165 SM_ENTER(WPA_PTK_GROUP, IDLE); 3166 sm->PtkGroupInit = FALSE; 3167 } else switch (sm->wpa_ptk_group_state) { 3168 case WPA_PTK_GROUP_IDLE: 3169 if (sm->GUpdateStationKeys || 3170 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 3171 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 3172 break; 3173 case WPA_PTK_GROUP_REKEYNEGOTIATING: 3174 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3175 !sm->EAPOLKeyPairwise && sm->MICVerified) 3176 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 3177 else if (sm->GTimeoutCtr > 3178 sm->wpa_auth->conf.wpa_group_update_count) 3179 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 3180 else if (sm->TimeoutEvt) 3181 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 3182 break; 3183 case WPA_PTK_GROUP_KEYERROR: 3184 SM_ENTER(WPA_PTK_GROUP, IDLE); 3185 break; 3186 case WPA_PTK_GROUP_REKEYESTABLISHED: 3187 SM_ENTER(WPA_PTK_GROUP, IDLE); 3188 break; 3189 } 3190 } 3191 3192 3193 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 3194 struct wpa_group *group) 3195 { 3196 int ret = 0; 3197 3198 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 3199 inc_byte_array(group->Counter, WPA_NONCE_LEN); 3200 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 3201 wpa_auth->addr, group->GNonce, 3202 group->GTK[group->GN - 1], group->GTK_len) < 0) 3203 ret = -1; 3204 wpa_hexdump_key(MSG_DEBUG, "GTK", 3205 group->GTK[group->GN - 1], group->GTK_len); 3206 3207 #ifdef CONFIG_IEEE80211W 3208 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3209 size_t len; 3210 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 3211 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 3212 inc_byte_array(group->Counter, WPA_NONCE_LEN); 3213 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 3214 wpa_auth->addr, group->GNonce, 3215 group->IGTK[group->GN_igtk - 4], len) < 0) 3216 ret = -1; 3217 wpa_hexdump_key(MSG_DEBUG, "IGTK", 3218 group->IGTK[group->GN_igtk - 4], len); 3219 } 3220 #endif /* CONFIG_IEEE80211W */ 3221 3222 return ret; 3223 } 3224 3225 3226 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 3227 struct wpa_group *group) 3228 { 3229 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3230 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 3231 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 3232 group->wpa_group_state = WPA_GROUP_GTK_INIT; 3233 3234 /* GTK[0..N] = 0 */ 3235 os_memset(group->GTK, 0, sizeof(group->GTK)); 3236 group->GN = 1; 3237 group->GM = 2; 3238 #ifdef CONFIG_IEEE80211W 3239 group->GN_igtk = 4; 3240 group->GM_igtk = 5; 3241 #endif /* CONFIG_IEEE80211W */ 3242 /* GTK[GN] = CalcGTK() */ 3243 wpa_gtk_update(wpa_auth, group); 3244 } 3245 3246 3247 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 3248 { 3249 if (ctx != NULL && ctx != sm->group) 3250 return 0; 3251 3252 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 3253 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3254 "Not in PTKINITDONE; skip Group Key update"); 3255 sm->GUpdateStationKeys = FALSE; 3256 return 0; 3257 } 3258 if (sm->GUpdateStationKeys) { 3259 /* 3260 * This should not really happen, so add a debug log entry. 3261 * Since we clear the GKeyDoneStations before the loop, the 3262 * station needs to be counted here anyway. 3263 */ 3264 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3265 "GUpdateStationKeys was already set when " 3266 "marking station for GTK rekeying"); 3267 } 3268 3269 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 3270 if (sm->is_wnmsleep) 3271 return 0; 3272 3273 sm->group->GKeyDoneStations++; 3274 sm->GUpdateStationKeys = TRUE; 3275 3276 wpa_sm_step(sm); 3277 return 0; 3278 } 3279 3280 3281 #ifdef CONFIG_WNM 3282 /* update GTK when exiting WNM-Sleep Mode */ 3283 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 3284 { 3285 if (sm == NULL || sm->is_wnmsleep) 3286 return; 3287 3288 wpa_group_update_sta(sm, NULL); 3289 } 3290 3291 3292 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 3293 { 3294 if (sm) 3295 sm->is_wnmsleep = !!flag; 3296 } 3297 3298 3299 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 3300 { 3301 struct wpa_group *gsm = sm->group; 3302 u8 *start = pos; 3303 3304 /* 3305 * GTK subelement: 3306 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 3307 * Key[5..32] 3308 */ 3309 *pos++ = WNM_SLEEP_SUBELEM_GTK; 3310 *pos++ = 11 + gsm->GTK_len; 3311 /* Key ID in B0-B1 of Key Info */ 3312 WPA_PUT_LE16(pos, gsm->GN & 0x03); 3313 pos += 2; 3314 *pos++ = gsm->GTK_len; 3315 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 3316 return 0; 3317 pos += 8; 3318 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 3319 pos += gsm->GTK_len; 3320 3321 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 3322 gsm->GN); 3323 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 3324 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 3325 3326 return pos - start; 3327 } 3328 3329 3330 #ifdef CONFIG_IEEE80211W 3331 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 3332 { 3333 struct wpa_group *gsm = sm->group; 3334 u8 *start = pos; 3335 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 3336 3337 /* 3338 * IGTK subelement: 3339 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 3340 */ 3341 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 3342 *pos++ = 2 + 6 + len; 3343 WPA_PUT_LE16(pos, gsm->GN_igtk); 3344 pos += 2; 3345 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 3346 return 0; 3347 pos += 6; 3348 3349 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len); 3350 pos += len; 3351 3352 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 3353 gsm->GN_igtk); 3354 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 3355 gsm->IGTK[gsm->GN_igtk - 4], len); 3356 3357 return pos - start; 3358 } 3359 #endif /* CONFIG_IEEE80211W */ 3360 #endif /* CONFIG_WNM */ 3361 3362 3363 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 3364 struct wpa_group *group) 3365 { 3366 int tmp; 3367 3368 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3369 "SETKEYS (VLAN-ID %d)", group->vlan_id); 3370 group->changed = TRUE; 3371 group->wpa_group_state = WPA_GROUP_SETKEYS; 3372 group->GTKReKey = FALSE; 3373 tmp = group->GM; 3374 group->GM = group->GN; 3375 group->GN = tmp; 3376 #ifdef CONFIG_IEEE80211W 3377 tmp = group->GM_igtk; 3378 group->GM_igtk = group->GN_igtk; 3379 group->GN_igtk = tmp; 3380 #endif /* CONFIG_IEEE80211W */ 3381 /* "GKeyDoneStations = GNoStations" is done in more robust way by 3382 * counting the STAs that are marked with GUpdateStationKeys instead of 3383 * including all STAs that could be in not-yet-completed state. */ 3384 wpa_gtk_update(wpa_auth, group); 3385 3386 if (group->GKeyDoneStations) { 3387 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 3388 "GKeyDoneStations=%d when starting new GTK rekey", 3389 group->GKeyDoneStations); 3390 group->GKeyDoneStations = 0; 3391 } 3392 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 3393 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 3394 group->GKeyDoneStations); 3395 } 3396 3397 3398 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 3399 struct wpa_group *group) 3400 { 3401 int ret = 0; 3402 3403 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 3404 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 3405 broadcast_ether_addr, group->GN, 3406 group->GTK[group->GN - 1], group->GTK_len) < 0) 3407 ret = -1; 3408 3409 #ifdef CONFIG_IEEE80211W 3410 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3411 enum wpa_alg alg; 3412 size_t len; 3413 3414 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher); 3415 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 3416 3417 if (ret == 0 && 3418 wpa_auth_set_key(wpa_auth, group->vlan_id, alg, 3419 broadcast_ether_addr, group->GN_igtk, 3420 group->IGTK[group->GN_igtk - 4], len) < 0) 3421 ret = -1; 3422 } 3423 #endif /* CONFIG_IEEE80211W */ 3424 3425 return ret; 3426 } 3427 3428 3429 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx) 3430 { 3431 if (sm->group == ctx) { 3432 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR 3433 " for discconnection due to fatal failure", 3434 MAC2STR(sm->addr)); 3435 sm->Disconnect = TRUE; 3436 } 3437 3438 return 0; 3439 } 3440 3441 3442 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth, 3443 struct wpa_group *group) 3444 { 3445 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE"); 3446 group->changed = TRUE; 3447 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE; 3448 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group); 3449 } 3450 3451 3452 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 3453 struct wpa_group *group) 3454 { 3455 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3456 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 3457 group->changed = TRUE; 3458 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 3459 3460 if (wpa_group_config_group_keys(wpa_auth, group) < 0) { 3461 wpa_group_fatal_failure(wpa_auth, group); 3462 return -1; 3463 } 3464 3465 return 0; 3466 } 3467 3468 3469 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 3470 struct wpa_group *group) 3471 { 3472 if (group->GInit) { 3473 wpa_group_gtk_init(wpa_auth, group); 3474 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) { 3475 /* Do not allow group operations */ 3476 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 3477 group->GTKAuthenticator) { 3478 wpa_group_setkeysdone(wpa_auth, group); 3479 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 3480 group->GTKReKey) { 3481 wpa_group_setkeys(wpa_auth, group); 3482 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 3483 if (group->GKeyDoneStations == 0) 3484 wpa_group_setkeysdone(wpa_auth, group); 3485 else if (group->GTKReKey) 3486 wpa_group_setkeys(wpa_auth, group); 3487 } 3488 } 3489 3490 3491 static int wpa_sm_step(struct wpa_state_machine *sm) 3492 { 3493 if (sm == NULL) 3494 return 0; 3495 3496 if (sm->in_step_loop) { 3497 /* This should not happen, but if it does, make sure we do not 3498 * end up freeing the state machine too early by exiting the 3499 * recursive call. */ 3500 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 3501 return 0; 3502 } 3503 3504 sm->in_step_loop = 1; 3505 do { 3506 if (sm->pending_deinit) 3507 break; 3508 3509 sm->changed = FALSE; 3510 sm->wpa_auth->group->changed = FALSE; 3511 3512 SM_STEP_RUN(WPA_PTK); 3513 if (sm->pending_deinit) 3514 break; 3515 SM_STEP_RUN(WPA_PTK_GROUP); 3516 if (sm->pending_deinit) 3517 break; 3518 wpa_group_sm_step(sm->wpa_auth, sm->group); 3519 } while (sm->changed || sm->wpa_auth->group->changed); 3520 sm->in_step_loop = 0; 3521 3522 if (sm->pending_deinit) { 3523 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 3524 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 3525 wpa_free_sta_sm(sm); 3526 return 1; 3527 } 3528 return 0; 3529 } 3530 3531 3532 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 3533 { 3534 struct wpa_state_machine *sm = eloop_ctx; 3535 wpa_sm_step(sm); 3536 } 3537 3538 3539 void wpa_auth_sm_notify(struct wpa_state_machine *sm) 3540 { 3541 if (sm == NULL) 3542 return; 3543 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 3544 } 3545 3546 3547 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 3548 { 3549 int tmp, i; 3550 struct wpa_group *group; 3551 3552 if (wpa_auth == NULL) 3553 return; 3554 3555 group = wpa_auth->group; 3556 3557 for (i = 0; i < 2; i++) { 3558 tmp = group->GM; 3559 group->GM = group->GN; 3560 group->GN = tmp; 3561 #ifdef CONFIG_IEEE80211W 3562 tmp = group->GM_igtk; 3563 group->GM_igtk = group->GN_igtk; 3564 group->GN_igtk = tmp; 3565 #endif /* CONFIG_IEEE80211W */ 3566 wpa_gtk_update(wpa_auth, group); 3567 wpa_group_config_group_keys(wpa_auth, group); 3568 } 3569 } 3570 3571 3572 static const char * wpa_bool_txt(int val) 3573 { 3574 return val ? "TRUE" : "FALSE"; 3575 } 3576 3577 3578 #define RSN_SUITE "%02x-%02x-%02x-%d" 3579 #define RSN_SUITE_ARG(s) \ 3580 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 3581 3582 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 3583 { 3584 int len = 0, ret; 3585 char pmkid_txt[PMKID_LEN * 2 + 1]; 3586 #ifdef CONFIG_RSN_PREAUTH 3587 const int preauth = 1; 3588 #else /* CONFIG_RSN_PREAUTH */ 3589 const int preauth = 0; 3590 #endif /* CONFIG_RSN_PREAUTH */ 3591 3592 if (wpa_auth == NULL) 3593 return len; 3594 3595 ret = os_snprintf(buf + len, buflen - len, 3596 "dot11RSNAOptionImplemented=TRUE\n" 3597 "dot11RSNAPreauthenticationImplemented=%s\n" 3598 "dot11RSNAEnabled=%s\n" 3599 "dot11RSNAPreauthenticationEnabled=%s\n", 3600 wpa_bool_txt(preauth), 3601 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 3602 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 3603 if (os_snprintf_error(buflen - len, ret)) 3604 return len; 3605 len += ret; 3606 3607 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 3608 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 3609 3610 ret = os_snprintf( 3611 buf + len, buflen - len, 3612 "dot11RSNAConfigVersion=%u\n" 3613 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 3614 /* FIX: dot11RSNAConfigGroupCipher */ 3615 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 3616 /* FIX: dot11RSNAConfigGroupRekeyTime */ 3617 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 3618 "dot11RSNAConfigGroupRekeyStrict=%u\n" 3619 "dot11RSNAConfigGroupUpdateCount=%u\n" 3620 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 3621 "dot11RSNAConfigGroupCipherSize=%u\n" 3622 "dot11RSNAConfigPMKLifetime=%u\n" 3623 "dot11RSNAConfigPMKReauthThreshold=%u\n" 3624 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 3625 "dot11RSNAConfigSATimeout=%u\n" 3626 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 3627 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 3628 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 3629 "dot11RSNAPMKIDUsed=%s\n" 3630 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 3631 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 3632 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 3633 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 3634 "dot11RSNA4WayHandshakeFailures=%u\n" 3635 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 3636 RSN_VERSION, 3637 !!wpa_auth->conf.wpa_strict_rekey, 3638 wpa_auth->conf.wpa_group_update_count, 3639 wpa_auth->conf.wpa_pairwise_update_count, 3640 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 3641 dot11RSNAConfigPMKLifetime, 3642 dot11RSNAConfigPMKReauthThreshold, 3643 dot11RSNAConfigSATimeout, 3644 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 3645 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 3646 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 3647 pmkid_txt, 3648 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 3649 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 3650 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 3651 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 3652 wpa_auth->dot11RSNA4WayHandshakeFailures); 3653 if (os_snprintf_error(buflen - len, ret)) 3654 return len; 3655 len += ret; 3656 3657 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 3658 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 3659 3660 /* Private MIB */ 3661 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 3662 wpa_auth->group->wpa_group_state); 3663 if (os_snprintf_error(buflen - len, ret)) 3664 return len; 3665 len += ret; 3666 3667 return len; 3668 } 3669 3670 3671 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 3672 { 3673 int len = 0, ret; 3674 u32 pairwise = 0; 3675 3676 if (sm == NULL) 3677 return 0; 3678 3679 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 3680 3681 /* dot11RSNAStatsEntry */ 3682 3683 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 3684 WPA_PROTO_RSN : WPA_PROTO_WPA, 3685 sm->pairwise); 3686 if (pairwise == 0) 3687 return 0; 3688 3689 ret = os_snprintf( 3690 buf + len, buflen - len, 3691 /* TODO: dot11RSNAStatsIndex */ 3692 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 3693 "dot11RSNAStatsVersion=1\n" 3694 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 3695 /* TODO: dot11RSNAStatsTKIPICVErrors */ 3696 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 3697 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 3698 /* TODO: dot11RSNAStatsCCMPReplays */ 3699 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 3700 /* TODO: dot11RSNAStatsTKIPReplays */, 3701 MAC2STR(sm->addr), 3702 RSN_SUITE_ARG(pairwise), 3703 sm->dot11RSNAStatsTKIPLocalMICFailures, 3704 sm->dot11RSNAStatsTKIPRemoteMICFailures); 3705 if (os_snprintf_error(buflen - len, ret)) 3706 return len; 3707 len += ret; 3708 3709 /* Private MIB */ 3710 ret = os_snprintf(buf + len, buflen - len, 3711 "hostapdWPAPTKState=%d\n" 3712 "hostapdWPAPTKGroupState=%d\n", 3713 sm->wpa_ptk_state, 3714 sm->wpa_ptk_group_state); 3715 if (os_snprintf_error(buflen - len, ret)) 3716 return len; 3717 len += ret; 3718 3719 return len; 3720 } 3721 3722 3723 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 3724 { 3725 if (wpa_auth) 3726 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 3727 } 3728 3729 3730 int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 3731 { 3732 return sm && sm->pairwise_set; 3733 } 3734 3735 3736 int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 3737 { 3738 return sm->pairwise; 3739 } 3740 3741 3742 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 3743 { 3744 if (sm == NULL) 3745 return -1; 3746 return sm->wpa_key_mgmt; 3747 } 3748 3749 3750 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 3751 { 3752 if (sm == NULL) 3753 return 0; 3754 return sm->wpa; 3755 } 3756 3757 3758 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) 3759 { 3760 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 3761 return 0; 3762 return sm->tk_already_set; 3763 } 3764 3765 3766 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 3767 struct rsn_pmksa_cache_entry *entry) 3768 { 3769 if (sm == NULL || sm->pmksa != entry) 3770 return -1; 3771 sm->pmksa = NULL; 3772 return 0; 3773 } 3774 3775 3776 struct rsn_pmksa_cache_entry * 3777 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 3778 { 3779 return sm ? sm->pmksa : NULL; 3780 } 3781 3782 3783 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 3784 { 3785 if (sm) 3786 sm->dot11RSNAStatsTKIPLocalMICFailures++; 3787 } 3788 3789 3790 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 3791 { 3792 if (wpa_auth == NULL) 3793 return NULL; 3794 *len = wpa_auth->wpa_ie_len; 3795 return wpa_auth->wpa_ie; 3796 } 3797 3798 3799 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 3800 unsigned int pmk_len, 3801 int session_timeout, struct eapol_state_machine *eapol) 3802 { 3803 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 3804 sm->wpa_auth->conf.disable_pmksa_caching) 3805 return -1; 3806 3807 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 3808 if (pmk_len > PMK_LEN_SUITE_B_192) 3809 pmk_len = PMK_LEN_SUITE_B_192; 3810 } else if (pmk_len > PMK_LEN) { 3811 pmk_len = PMK_LEN; 3812 } 3813 3814 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL, 3815 sm->PTK.kck, sm->PTK.kck_len, 3816 sm->wpa_auth->addr, sm->addr, session_timeout, 3817 eapol, sm->wpa_key_mgmt)) 3818 return 0; 3819 3820 return -1; 3821 } 3822 3823 3824 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 3825 const u8 *pmk, size_t len, const u8 *sta_addr, 3826 int session_timeout, 3827 struct eapol_state_machine *eapol) 3828 { 3829 if (wpa_auth == NULL) 3830 return -1; 3831 3832 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL, 3833 NULL, 0, 3834 wpa_auth->addr, 3835 sta_addr, session_timeout, eapol, 3836 WPA_KEY_MGMT_IEEE8021X)) 3837 return 0; 3838 3839 return -1; 3840 } 3841 3842 3843 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, 3844 const u8 *pmk, const u8 *pmkid) 3845 { 3846 if (wpa_auth->conf.disable_pmksa_caching) 3847 return -1; 3848 3849 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid, 3850 NULL, 0, 3851 wpa_auth->addr, addr, 0, NULL, 3852 WPA_KEY_MGMT_SAE)) 3853 return 0; 3854 3855 return -1; 3856 } 3857 3858 3859 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 3860 const u8 *sta_addr) 3861 { 3862 struct rsn_pmksa_cache_entry *pmksa; 3863 3864 if (wpa_auth == NULL || wpa_auth->pmksa == NULL) 3865 return; 3866 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 3867 if (pmksa) { 3868 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 3869 MACSTR " based on request", MAC2STR(sta_addr)); 3870 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 3871 } 3872 } 3873 3874 3875 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf, 3876 size_t len) 3877 { 3878 if (!wpa_auth || !wpa_auth->pmksa) 3879 return 0; 3880 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len); 3881 } 3882 3883 3884 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth) 3885 { 3886 if (wpa_auth && wpa_auth->pmksa) 3887 pmksa_cache_auth_flush(wpa_auth->pmksa); 3888 } 3889 3890 3891 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL 3892 #ifdef CONFIG_MESH 3893 3894 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr, 3895 char *buf, size_t len) 3896 { 3897 if (!wpa_auth || !wpa_auth->pmksa) 3898 return 0; 3899 3900 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len); 3901 } 3902 3903 3904 struct rsn_pmksa_cache_entry * 3905 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk, 3906 const u8 *pmkid, int expiration) 3907 { 3908 struct rsn_pmksa_cache_entry *entry; 3909 struct os_reltime now; 3910 3911 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa, 3912 spa, 0, NULL, WPA_KEY_MGMT_SAE); 3913 if (!entry) 3914 return NULL; 3915 3916 os_get_reltime(&now); 3917 entry->expiration = now.sec + expiration; 3918 return entry; 3919 } 3920 3921 3922 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth, 3923 struct rsn_pmksa_cache_entry *entry) 3924 { 3925 int ret; 3926 3927 if (!wpa_auth || !wpa_auth->pmksa) 3928 return -1; 3929 3930 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry); 3931 if (ret < 0) 3932 wpa_printf(MSG_DEBUG, 3933 "RSN: Failed to store external PMKSA cache for " 3934 MACSTR, MAC2STR(entry->spa)); 3935 3936 return ret; 3937 } 3938 3939 #endif /* CONFIG_MESH */ 3940 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */ 3941 3942 3943 struct rsn_pmksa_cache_entry * 3944 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, 3945 const u8 *pmkid) 3946 { 3947 if (!wpa_auth || !wpa_auth->pmksa) 3948 return NULL; 3949 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid); 3950 } 3951 3952 3953 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa, 3954 struct wpa_state_machine *sm, 3955 struct wpa_authenticator *wpa_auth, 3956 u8 *pmkid, u8 *pmk) 3957 { 3958 if (!sm) 3959 return; 3960 3961 sm->pmksa = pmksa; 3962 os_memcpy(pmk, pmksa->pmk, PMK_LEN); 3963 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN); 3964 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN); 3965 } 3966 3967 3968 /* 3969 * Remove and free the group from wpa_authenticator. This is triggered by a 3970 * callback to make sure nobody is currently iterating the group list while it 3971 * gets modified. 3972 */ 3973 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 3974 struct wpa_group *group) 3975 { 3976 struct wpa_group *prev = wpa_auth->group; 3977 3978 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d", 3979 group->vlan_id); 3980 3981 while (prev) { 3982 if (prev->next == group) { 3983 /* This never frees the special first group as needed */ 3984 prev->next = group->next; 3985 os_free(group); 3986 break; 3987 } 3988 prev = prev->next; 3989 } 3990 3991 } 3992 3993 3994 /* Increase the reference counter for group */ 3995 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 3996 struct wpa_group *group) 3997 { 3998 /* Skip the special first group */ 3999 if (wpa_auth->group == group) 4000 return; 4001 4002 group->references++; 4003 } 4004 4005 4006 /* Decrease the reference counter and maybe free the group */ 4007 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 4008 struct wpa_group *group) 4009 { 4010 /* Skip the special first group */ 4011 if (wpa_auth->group == group) 4012 return; 4013 4014 group->references--; 4015 if (group->references) 4016 return; 4017 wpa_group_free(wpa_auth, group); 4018 } 4019 4020 4021 /* 4022 * Add a group that has its references counter set to zero. Caller needs to 4023 * call wpa_group_get() on the return value to mark the entry in use. 4024 */ 4025 static struct wpa_group * 4026 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4027 { 4028 struct wpa_group *group; 4029 4030 if (wpa_auth == NULL || wpa_auth->group == NULL) 4031 return NULL; 4032 4033 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 4034 vlan_id); 4035 group = wpa_group_init(wpa_auth, vlan_id, 0); 4036 if (group == NULL) 4037 return NULL; 4038 4039 group->next = wpa_auth->group->next; 4040 wpa_auth->group->next = group; 4041 4042 return group; 4043 } 4044 4045 4046 /* 4047 * Enforce that the group state machine for the VLAN is running, increase 4048 * reference counter as interface is up. References might have been increased 4049 * even if a negative value is returned. 4050 * Returns: -1 on error (group missing, group already failed); otherwise, 0 4051 */ 4052 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4053 { 4054 struct wpa_group *group; 4055 4056 if (wpa_auth == NULL) 4057 return 0; 4058 4059 group = wpa_auth->group; 4060 while (group) { 4061 if (group->vlan_id == vlan_id) 4062 break; 4063 group = group->next; 4064 } 4065 4066 if (group == NULL) { 4067 group = wpa_auth_add_group(wpa_auth, vlan_id); 4068 if (group == NULL) 4069 return -1; 4070 } 4071 4072 wpa_printf(MSG_DEBUG, 4073 "WPA: Ensure group state machine running for VLAN ID %d", 4074 vlan_id); 4075 4076 wpa_group_get(wpa_auth, group); 4077 group->num_setup_iface++; 4078 4079 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4080 return -1; 4081 4082 return 0; 4083 } 4084 4085 4086 /* 4087 * Decrease reference counter, expected to be zero afterwards. 4088 * returns: -1 on error (group not found, group in fail state) 4089 * -2 if wpa_group is still referenced 4090 * 0 else 4091 */ 4092 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4093 { 4094 struct wpa_group *group; 4095 int ret = 0; 4096 4097 if (wpa_auth == NULL) 4098 return 0; 4099 4100 group = wpa_auth->group; 4101 while (group) { 4102 if (group->vlan_id == vlan_id) 4103 break; 4104 group = group->next; 4105 } 4106 4107 if (group == NULL) 4108 return -1; 4109 4110 wpa_printf(MSG_DEBUG, 4111 "WPA: Try stopping group state machine for VLAN ID %d", 4112 vlan_id); 4113 4114 if (group->num_setup_iface <= 0) { 4115 wpa_printf(MSG_ERROR, 4116 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.", 4117 vlan_id); 4118 return -1; 4119 } 4120 group->num_setup_iface--; 4121 4122 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4123 ret = -1; 4124 4125 if (group->references > 1) { 4126 wpa_printf(MSG_DEBUG, 4127 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold", 4128 vlan_id); 4129 ret = -2; 4130 } 4131 4132 wpa_group_put(wpa_auth, group); 4133 4134 return ret; 4135 } 4136 4137 4138 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 4139 { 4140 struct wpa_group *group; 4141 4142 if (sm == NULL || sm->wpa_auth == NULL) 4143 return 0; 4144 4145 group = sm->wpa_auth->group; 4146 while (group) { 4147 if (group->vlan_id == vlan_id) 4148 break; 4149 group = group->next; 4150 } 4151 4152 if (group == NULL) { 4153 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 4154 if (group == NULL) 4155 return -1; 4156 } 4157 4158 if (sm->group == group) 4159 return 0; 4160 4161 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4162 return -1; 4163 4164 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 4165 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 4166 4167 wpa_group_get(sm->wpa_auth, group); 4168 wpa_group_put(sm->wpa_auth, sm->group); 4169 sm->group = group; 4170 4171 return 0; 4172 } 4173 4174 4175 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 4176 struct wpa_state_machine *sm, int ack) 4177 { 4178 if (wpa_auth == NULL || sm == NULL) 4179 return; 4180 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 4181 " ack=%d", MAC2STR(sm->addr), ack); 4182 if (sm->pending_1_of_4_timeout && ack) { 4183 /* 4184 * Some deployed supplicant implementations update their SNonce 4185 * for each EAPOL-Key 2/4 message even within the same 4-way 4186 * handshake and then fail to use the first SNonce when 4187 * deriving the PTK. This results in unsuccessful 4-way 4188 * handshake whenever the relatively short initial timeout is 4189 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 4190 * around this by increasing the timeout now that we know that 4191 * the station has received the frame. 4192 */ 4193 int timeout_ms = eapol_key_timeout_subseq; 4194 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 4195 "timeout by %u ms because of acknowledged frame", 4196 timeout_ms); 4197 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 4198 eloop_register_timeout(timeout_ms / 1000, 4199 (timeout_ms % 1000) * 1000, 4200 wpa_send_eapol_timeout, wpa_auth, sm); 4201 } 4202 } 4203 4204 4205 int wpa_auth_uses_sae(struct wpa_state_machine *sm) 4206 { 4207 if (sm == NULL) 4208 return 0; 4209 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 4210 } 4211 4212 4213 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm) 4214 { 4215 if (sm == NULL) 4216 return 0; 4217 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; 4218 } 4219 4220 4221 #ifdef CONFIG_P2P 4222 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr) 4223 { 4224 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0) 4225 return -1; 4226 os_memcpy(addr, sm->ip_addr, 4); 4227 return 0; 4228 } 4229 #endif /* CONFIG_P2P */ 4230 4231 4232 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth, 4233 struct radius_das_attrs *attr) 4234 { 4235 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr); 4236 } 4237 4238 4239 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth) 4240 { 4241 struct wpa_group *group; 4242 4243 if (!wpa_auth) 4244 return; 4245 for (group = wpa_auth->group; group; group = group->next) 4246 wpa_group_config_group_keys(wpa_auth, group); 4247 } 4248
