1 /* 2 * WPA Supplicant - WPA state machine and EAPOL-Key processing 3 * Copyright (c) 2003-2017, Jouni Malinen <j (at) w1.fi> 4 * Copyright(c) 2015 Intel Deutschland GmbH 5 * 6 * This software may be distributed under the terms of the BSD license. 7 * See README for more details. 8 */ 9 10 #include "includes.h" 11 12 #include "common.h" 13 #include "crypto/aes.h" 14 #include "crypto/aes_wrap.h" 15 #include "crypto/crypto.h" 16 #include "crypto/random.h" 17 #include "crypto/aes_siv.h" 18 #include "crypto/sha256.h" 19 #include "crypto/sha384.h" 20 #include "crypto/sha512.h" 21 #include "common/ieee802_11_defs.h" 22 #include "common/ieee802_11_common.h" 23 #include "eap_common/eap_defs.h" 24 #include "eapol_supp/eapol_supp_sm.h" 25 #include "wpa.h" 26 #include "eloop.h" 27 #include "preauth.h" 28 #include "pmksa_cache.h" 29 #include "wpa_i.h" 30 #include "wpa_ie.h" 31 32 33 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; 34 35 36 /** 37 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message 38 * @sm: Pointer to WPA state machine data from wpa_sm_init() 39 * @ptk: PTK for Key Confirmation/Encryption Key 40 * @ver: Version field from Key Info 41 * @dest: Destination address for the frame 42 * @proto: Ethertype (usually ETH_P_EAPOL) 43 * @msg: EAPOL-Key message 44 * @msg_len: Length of message 45 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written 46 * Returns: >= 0 on success, < 0 on failure 47 */ 48 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk, 49 int ver, const u8 *dest, u16 proto, 50 u8 *msg, size_t msg_len, u8 *key_mic) 51 { 52 int ret = -1; 53 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 54 55 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR 56 " ver=%d mic_len=%d key_mgmt=0x%x", 57 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt); 58 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) { 59 /* 60 * Association event was not yet received; try to fetch 61 * BSSID from the driver. 62 */ 63 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) { 64 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 65 "WPA: Failed to read BSSID for " 66 "EAPOL-Key destination address"); 67 } else { 68 dest = sm->bssid; 69 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 70 "WPA: Use BSSID (" MACSTR 71 ") as the destination for EAPOL-Key", 72 MAC2STR(dest)); 73 } 74 } 75 76 if (mic_len) { 77 if (key_mic && (!ptk || !ptk->kck_len)) 78 goto out; 79 80 if (key_mic && 81 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver, 82 msg, msg_len, key_mic)) { 83 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 84 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC", 85 ver, sm->key_mgmt); 86 goto out; 87 } 88 if (ptk) 89 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", 90 ptk->kck, ptk->kck_len); 91 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC", 92 key_mic, mic_len); 93 } else { 94 #ifdef CONFIG_FILS 95 /* AEAD cipher - Key MIC field not used */ 96 struct ieee802_1x_hdr *s_hdr, *hdr; 97 struct wpa_eapol_key *s_key, *key; 98 u8 *buf, *s_key_data, *key_data; 99 size_t buf_len = msg_len + AES_BLOCK_SIZE; 100 size_t key_data_len; 101 u16 eapol_len; 102 const u8 *aad[1]; 103 size_t aad_len[1]; 104 105 if (!ptk || !ptk->kek_len) 106 goto out; 107 108 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) - 109 sizeof(struct wpa_eapol_key) - 2; 110 111 buf = os_malloc(buf_len); 112 if (!buf) 113 goto out; 114 115 os_memcpy(buf, msg, msg_len); 116 hdr = (struct ieee802_1x_hdr *) buf; 117 key = (struct wpa_eapol_key *) (hdr + 1); 118 key_data = ((u8 *) (key + 1)) + 2; 119 120 /* Update EAPOL header to include AES-SIV overhead */ 121 eapol_len = be_to_host16(hdr->length); 122 eapol_len += AES_BLOCK_SIZE; 123 hdr->length = host_to_be16(eapol_len); 124 125 /* Update Key Data Length field to include AES-SIV overhead */ 126 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len); 127 128 s_hdr = (struct ieee802_1x_hdr *) msg; 129 s_key = (struct wpa_eapol_key *) (s_hdr + 1); 130 s_key_data = ((u8 *) (s_key + 1)) + 2; 131 132 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data", 133 s_key_data, key_data_len); 134 135 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len); 136 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 137 * to Key Data (exclusive). */ 138 aad[0] = buf; 139 aad_len[0] = key_data - buf; 140 if (aes_siv_encrypt(ptk->kek, ptk->kek_len, 141 s_key_data, key_data_len, 142 1, aad, aad_len, key_data) < 0) { 143 os_free(buf); 144 goto out; 145 } 146 147 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV", 148 key_data, AES_BLOCK_SIZE + key_data_len); 149 150 os_free(msg); 151 msg = buf; 152 msg_len = buf_len; 153 #else /* CONFIG_FILS */ 154 goto out; 155 #endif /* CONFIG_FILS */ 156 } 157 158 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len); 159 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len); 160 eapol_sm_notify_tx_eapol_key(sm->eapol); 161 out: 162 os_free(msg); 163 return ret; 164 } 165 166 167 /** 168 * wpa_sm_key_request - Send EAPOL-Key Request 169 * @sm: Pointer to WPA state machine data from wpa_sm_init() 170 * @error: Indicate whether this is an Michael MIC error report 171 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet 172 * 173 * Send an EAPOL-Key Request to the current authenticator. This function is 174 * used to request rekeying and it is usually called when a local Michael MIC 175 * failure is detected. 176 */ 177 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise) 178 { 179 size_t mic_len, hdrlen, rlen; 180 struct wpa_eapol_key *reply; 181 int key_info, ver; 182 u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic; 183 184 if (sm->key_mgmt == WPA_KEY_MGMT_OSEN || 185 wpa_key_mgmt_suite_b(sm->key_mgmt)) 186 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED; 187 else if (wpa_key_mgmt_ft(sm->key_mgmt) || 188 wpa_key_mgmt_sha256(sm->key_mgmt)) 189 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC; 190 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP) 191 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 192 else 193 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 194 195 if (wpa_sm_get_bssid(sm, bssid) < 0) { 196 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 197 "Failed to read BSSID for EAPOL-Key request"); 198 return; 199 } 200 201 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 202 hdrlen = sizeof(*reply) + mic_len + 2; 203 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 204 hdrlen, &rlen, (void *) &reply); 205 if (rbuf == NULL) 206 return; 207 208 reply->type = (sm->proto == WPA_PROTO_RSN || 209 sm->proto == WPA_PROTO_OSEN) ? 210 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 211 key_info = WPA_KEY_INFO_REQUEST | ver; 212 if (sm->ptk_set) 213 key_info |= WPA_KEY_INFO_SECURE; 214 if (sm->ptk_set && mic_len) 215 key_info |= WPA_KEY_INFO_MIC; 216 if (error) 217 key_info |= WPA_KEY_INFO_ERROR; 218 if (pairwise) 219 key_info |= WPA_KEY_INFO_KEY_TYPE; 220 WPA_PUT_BE16(reply->key_info, key_info); 221 WPA_PUT_BE16(reply->key_length, 0); 222 os_memcpy(reply->replay_counter, sm->request_counter, 223 WPA_REPLAY_COUNTER_LEN); 224 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN); 225 226 mic = (u8 *) (reply + 1); 227 WPA_PUT_BE16(mic + mic_len, 0); 228 if (!(key_info & WPA_KEY_INFO_MIC)) 229 key_mic = NULL; 230 else 231 key_mic = mic; 232 233 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 234 "WPA: Sending EAPOL-Key Request (error=%d " 235 "pairwise=%d ptk_set=%d len=%lu)", 236 error, pairwise, sm->ptk_set, (unsigned long) rlen); 237 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen, 238 key_mic); 239 } 240 241 242 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm) 243 { 244 #ifdef CONFIG_IEEE80211R 245 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) { 246 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len)) 247 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 248 "RSN: Cannot set low order 256 bits of MSK for key management offload"); 249 } else { 250 #endif /* CONFIG_IEEE80211R */ 251 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len)) 252 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 253 "RSN: Cannot set PMK for key management offload"); 254 #ifdef CONFIG_IEEE80211R 255 } 256 #endif /* CONFIG_IEEE80211R */ 257 } 258 259 260 static int wpa_supplicant_get_pmk(struct wpa_sm *sm, 261 const unsigned char *src_addr, 262 const u8 *pmkid) 263 { 264 int abort_cached = 0; 265 266 if (pmkid && !sm->cur_pmksa) { 267 /* When using drivers that generate RSN IE, wpa_supplicant may 268 * not have enough time to get the association information 269 * event before receiving this 1/4 message, so try to find a 270 * matching PMKSA cache entry here. */ 271 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid, 272 NULL); 273 if (sm->cur_pmksa) { 274 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 275 "RSN: found matching PMKID from PMKSA cache"); 276 } else { 277 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 278 "RSN: no matching PMKID found"); 279 abort_cached = 1; 280 } 281 } 282 283 if (pmkid && sm->cur_pmksa && 284 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) { 285 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN); 286 wpa_sm_set_pmk_from_pmksa(sm); 287 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache", 288 sm->pmk, sm->pmk_len); 289 eapol_sm_notify_cached(sm->eapol); 290 #ifdef CONFIG_IEEE80211R 291 sm->xxkey_len = 0; 292 #endif /* CONFIG_IEEE80211R */ 293 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) { 294 int res, pmk_len; 295 296 if (wpa_key_mgmt_sha384(sm->key_mgmt)) 297 pmk_len = PMK_LEN_SUITE_B_192; 298 else 299 pmk_len = PMK_LEN; 300 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len); 301 if (res) { 302 if (pmk_len == PMK_LEN) { 303 /* 304 * EAP-LEAP is an exception from other EAP 305 * methods: it uses only 16-byte PMK. 306 */ 307 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16); 308 pmk_len = 16; 309 } 310 } else { 311 #ifdef CONFIG_IEEE80211R 312 u8 buf[2 * PMK_LEN]; 313 if (eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) 314 { 315 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN); 316 sm->xxkey_len = PMK_LEN; 317 os_memset(buf, 0, sizeof(buf)); 318 } 319 #endif /* CONFIG_IEEE80211R */ 320 } 321 if (res == 0) { 322 struct rsn_pmksa_cache_entry *sa = NULL; 323 const u8 *fils_cache_id = NULL; 324 325 #ifdef CONFIG_FILS 326 if (sm->fils_cache_id_set) 327 fils_cache_id = sm->fils_cache_id; 328 #endif /* CONFIG_FILS */ 329 330 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state " 331 "machines", sm->pmk, pmk_len); 332 sm->pmk_len = pmk_len; 333 wpa_supplicant_key_mgmt_set_pmk(sm); 334 if (sm->proto == WPA_PROTO_RSN && 335 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 336 !wpa_key_mgmt_ft(sm->key_mgmt)) { 337 sa = pmksa_cache_add(sm->pmksa, 338 sm->pmk, pmk_len, NULL, 339 NULL, 0, 340 src_addr, sm->own_addr, 341 sm->network_ctx, 342 sm->key_mgmt, 343 fils_cache_id); 344 } 345 if (!sm->cur_pmksa && pmkid && 346 pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL)) 347 { 348 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 349 "RSN: the new PMK matches with the " 350 "PMKID"); 351 abort_cached = 0; 352 } else if (sa && !sm->cur_pmksa && pmkid) { 353 /* 354 * It looks like the authentication server 355 * derived mismatching MSK. This should not 356 * really happen, but bugs happen.. There is not 357 * much we can do here without knowing what 358 * exactly caused the server to misbehave. 359 */ 360 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 361 "RSN: PMKID mismatch - authentication server may have derived different MSK?!"); 362 return -1; 363 } 364 365 if (!sm->cur_pmksa) 366 sm->cur_pmksa = sa; 367 } else { 368 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 369 "WPA: Failed to get master session key from " 370 "EAPOL state machines - key handshake " 371 "aborted"); 372 if (sm->cur_pmksa) { 373 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 374 "RSN: Cancelled PMKSA caching " 375 "attempt"); 376 sm->cur_pmksa = NULL; 377 abort_cached = 1; 378 } else if (!abort_cached) { 379 return -1; 380 } 381 } 382 } 383 384 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && 385 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 386 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN) 387 { 388 /* Send EAPOL-Start to trigger full EAP authentication. */ 389 u8 *buf; 390 size_t buflen; 391 392 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 393 "RSN: no PMKSA entry found - trigger " 394 "full EAP authentication"); 395 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START, 396 NULL, 0, &buflen, NULL); 397 if (buf) { 398 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL, 399 buf, buflen); 400 os_free(buf); 401 return -2; 402 } 403 404 return -1; 405 } 406 407 return 0; 408 } 409 410 411 /** 412 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake 413 * @sm: Pointer to WPA state machine data from wpa_sm_init() 414 * @dst: Destination address for the frame 415 * @key: Pointer to the EAPOL-Key frame header 416 * @ver: Version bits from EAPOL-Key Key Info 417 * @nonce: Nonce value for the EAPOL-Key frame 418 * @wpa_ie: WPA/RSN IE 419 * @wpa_ie_len: Length of the WPA/RSN IE 420 * @ptk: PTK to use for keyed hash and encryption 421 * Returns: >= 0 on success, < 0 on failure 422 */ 423 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst, 424 const struct wpa_eapol_key *key, 425 int ver, const u8 *nonce, 426 const u8 *wpa_ie, size_t wpa_ie_len, 427 struct wpa_ptk *ptk) 428 { 429 size_t mic_len, hdrlen, rlen; 430 struct wpa_eapol_key *reply; 431 u8 *rbuf, *key_mic; 432 u8 *rsn_ie_buf = NULL; 433 u16 key_info; 434 435 if (wpa_ie == NULL) { 436 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - " 437 "cannot generate msg 2/4"); 438 return -1; 439 } 440 441 #ifdef CONFIG_IEEE80211R 442 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 443 int res; 444 445 /* 446 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and 447 * FTIE from (Re)Association Response. 448 */ 449 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN + 450 sm->assoc_resp_ies_len); 451 if (rsn_ie_buf == NULL) 452 return -1; 453 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len); 454 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len, 455 sm->pmk_r1_name); 456 if (res < 0) { 457 os_free(rsn_ie_buf); 458 return -1; 459 } 460 461 if (sm->assoc_resp_ies) { 462 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies, 463 sm->assoc_resp_ies_len); 464 wpa_ie_len += sm->assoc_resp_ies_len; 465 } 466 467 wpa_ie = rsn_ie_buf; 468 } 469 #endif /* CONFIG_IEEE80211R */ 470 471 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len); 472 473 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 474 hdrlen = sizeof(*reply) + mic_len + 2; 475 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, 476 NULL, hdrlen + wpa_ie_len, 477 &rlen, (void *) &reply); 478 if (rbuf == NULL) { 479 os_free(rsn_ie_buf); 480 return -1; 481 } 482 483 reply->type = (sm->proto == WPA_PROTO_RSN || 484 sm->proto == WPA_PROTO_OSEN) ? 485 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 486 key_info = ver | WPA_KEY_INFO_KEY_TYPE; 487 if (mic_len) 488 key_info |= WPA_KEY_INFO_MIC; 489 else 490 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 491 WPA_PUT_BE16(reply->key_info, key_info); 492 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 493 WPA_PUT_BE16(reply->key_length, 0); 494 else 495 os_memcpy(reply->key_length, key->key_length, 2); 496 os_memcpy(reply->replay_counter, key->replay_counter, 497 WPA_REPLAY_COUNTER_LEN); 498 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter, 499 WPA_REPLAY_COUNTER_LEN); 500 501 key_mic = (u8 *) (reply + 1); 502 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */ 503 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */ 504 os_free(rsn_ie_buf); 505 506 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN); 507 508 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Sending EAPOL-Key 2/4"); 509 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen, 510 key_mic); 511 } 512 513 514 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr, 515 const struct wpa_eapol_key *key, struct wpa_ptk *ptk) 516 { 517 #ifdef CONFIG_IEEE80211R 518 if (wpa_key_mgmt_ft(sm->key_mgmt)) 519 return wpa_derive_ptk_ft(sm, src_addr, key, ptk); 520 #endif /* CONFIG_IEEE80211R */ 521 522 return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion", 523 sm->own_addr, sm->bssid, sm->snonce, 524 key->key_nonce, ptk, sm->key_mgmt, 525 sm->pairwise_cipher); 526 } 527 528 529 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, 530 const unsigned char *src_addr, 531 const struct wpa_eapol_key *key, 532 u16 ver, const u8 *key_data, 533 size_t key_data_len) 534 { 535 struct wpa_eapol_ie_parse ie; 536 struct wpa_ptk *ptk; 537 int res; 538 u8 *kde, *kde_buf = NULL; 539 size_t kde_len; 540 541 if (wpa_sm_get_network_ctx(sm) == NULL) { 542 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info " 543 "found (msg 1 of 4)"); 544 return; 545 } 546 547 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE); 548 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: RX message 1 of 4-Way " 549 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 550 551 os_memset(&ie, 0, sizeof(ie)); 552 553 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) { 554 /* RSN: msg 1/4 should contain PMKID for the selected PMK */ 555 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", 556 key_data, key_data_len); 557 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) 558 goto failed; 559 if (ie.pmkid) { 560 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from " 561 "Authenticator", ie.pmkid, PMKID_LEN); 562 } 563 } 564 565 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid); 566 if (res == -2) { 567 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to " 568 "msg 1/4 - requesting full EAP authentication"); 569 return; 570 } 571 if (res) 572 goto failed; 573 574 if (sm->renew_snonce) { 575 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) { 576 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 577 "WPA: Failed to get random data for SNonce"); 578 goto failed; 579 } 580 sm->renew_snonce = 0; 581 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce", 582 sm->snonce, WPA_NONCE_LEN); 583 } 584 585 /* Calculate PTK which will be stored as a temporary PTK until it has 586 * been verified when processing message 3/4. */ 587 ptk = &sm->tptk; 588 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0) 589 goto failed; 590 if (sm->pairwise_cipher == WPA_CIPHER_TKIP) { 591 u8 buf[8]; 592 /* Supplicant: swap tx/rx Mic keys */ 593 os_memcpy(buf, &ptk->tk[16], 8); 594 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8); 595 os_memcpy(&ptk->tk[24], buf, 8); 596 os_memset(buf, 0, sizeof(buf)); 597 } 598 sm->tptk_set = 1; 599 600 kde = sm->assoc_wpa_ie; 601 kde_len = sm->assoc_wpa_ie_len; 602 603 #ifdef CONFIG_P2P 604 if (sm->p2p) { 605 kde_buf = os_malloc(kde_len + 2 + RSN_SELECTOR_LEN + 1); 606 if (kde_buf) { 607 u8 *pos; 608 wpa_printf(MSG_DEBUG, "P2P: Add IP Address Request KDE " 609 "into EAPOL-Key 2/4"); 610 os_memcpy(kde_buf, kde, kde_len); 611 kde = kde_buf; 612 pos = kde + kde_len; 613 *pos++ = WLAN_EID_VENDOR_SPECIFIC; 614 *pos++ = RSN_SELECTOR_LEN + 1; 615 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ); 616 pos += RSN_SELECTOR_LEN; 617 *pos++ = 0x01; 618 kde_len = pos - kde; 619 } 620 } 621 #endif /* CONFIG_P2P */ 622 623 if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce, 624 kde, kde_len, ptk) < 0) 625 goto failed; 626 627 os_free(kde_buf); 628 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN); 629 return; 630 631 failed: 632 os_free(kde_buf); 633 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 634 } 635 636 637 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx) 638 { 639 struct wpa_sm *sm = eloop_ctx; 640 rsn_preauth_candidate_process(sm); 641 } 642 643 644 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm, 645 const u8 *addr, int secure) 646 { 647 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 648 "WPA: Key negotiation completed with " 649 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr), 650 wpa_cipher_txt(sm->pairwise_cipher), 651 wpa_cipher_txt(sm->group_cipher)); 652 wpa_sm_cancel_auth_timeout(sm); 653 wpa_sm_set_state(sm, WPA_COMPLETED); 654 655 if (secure) { 656 wpa_sm_mlme_setprotection( 657 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX, 658 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE); 659 eapol_sm_notify_portValid(sm->eapol, TRUE); 660 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) || 661 sm->key_mgmt == WPA_KEY_MGMT_DPP || 662 sm->key_mgmt == WPA_KEY_MGMT_OWE) 663 eapol_sm_notify_eap_success(sm->eapol, TRUE); 664 /* 665 * Start preauthentication after a short wait to avoid a 666 * possible race condition between the data receive and key 667 * configuration after the 4-Way Handshake. This increases the 668 * likelihood of the first preauth EAPOL-Start frame getting to 669 * the target AP. 670 */ 671 eloop_register_timeout(1, 0, wpa_sm_start_preauth, sm, NULL); 672 } 673 674 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) { 675 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 676 "RSN: Authenticator accepted " 677 "opportunistic PMKSA entry - marking it valid"); 678 sm->cur_pmksa->opportunistic = 0; 679 } 680 681 #ifdef CONFIG_IEEE80211R 682 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 683 /* Prepare for the next transition */ 684 wpa_ft_prepare_auth_request(sm, NULL); 685 } 686 #endif /* CONFIG_IEEE80211R */ 687 } 688 689 690 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 691 { 692 struct wpa_sm *sm = eloop_ctx; 693 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying"); 694 wpa_sm_key_request(sm, 0, 1); 695 } 696 697 698 static int wpa_supplicant_install_ptk(struct wpa_sm *sm, 699 const struct wpa_eapol_key *key) 700 { 701 int keylen, rsclen; 702 enum wpa_alg alg; 703 const u8 *key_rsc; 704 705 if (sm->ptk.installed) { 706 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 707 "WPA: Do not re-install same PTK to the driver"); 708 return 0; 709 } 710 711 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 712 "WPA: Installing PTK to the driver"); 713 714 if (sm->pairwise_cipher == WPA_CIPHER_NONE) { 715 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher " 716 "Suite: NONE - do not use pairwise keys"); 717 return 0; 718 } 719 720 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) { 721 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 722 "WPA: Unsupported pairwise cipher %d", 723 sm->pairwise_cipher); 724 return -1; 725 } 726 727 alg = wpa_cipher_to_alg(sm->pairwise_cipher); 728 keylen = wpa_cipher_key_len(sm->pairwise_cipher); 729 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) { 730 wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu", 731 keylen, (long unsigned int) sm->ptk.tk_len); 732 return -1; 733 } 734 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher); 735 736 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) { 737 key_rsc = null_rsc; 738 } else { 739 key_rsc = key->key_rsc; 740 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); 741 } 742 743 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, key_rsc, rsclen, 744 sm->ptk.tk, keylen) < 0) { 745 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 746 "WPA: Failed to set PTK to the " 747 "driver (alg=%d keylen=%d bssid=" MACSTR ")", 748 alg, keylen, MAC2STR(sm->bssid)); 749 return -1; 750 } 751 752 /* TK is not needed anymore in supplicant */ 753 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); 754 sm->ptk.tk_len = 0; 755 sm->ptk.installed = 1; 756 757 if (sm->wpa_ptk_rekey) { 758 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 759 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk, 760 sm, NULL); 761 } 762 763 return 0; 764 } 765 766 767 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm, 768 int group_cipher, 769 int keylen, int maxkeylen, 770 int *key_rsc_len, 771 enum wpa_alg *alg) 772 { 773 int klen; 774 775 *alg = wpa_cipher_to_alg(group_cipher); 776 if (*alg == WPA_ALG_NONE) { 777 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 778 "WPA: Unsupported Group Cipher %d", 779 group_cipher); 780 return -1; 781 } 782 *key_rsc_len = wpa_cipher_rsc_len(group_cipher); 783 784 klen = wpa_cipher_key_len(group_cipher); 785 if (keylen != klen || maxkeylen < klen) { 786 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 787 "WPA: Unsupported %s Group Cipher key length %d (%d)", 788 wpa_cipher_txt(group_cipher), keylen, maxkeylen); 789 return -1; 790 } 791 return 0; 792 } 793 794 795 struct wpa_gtk_data { 796 enum wpa_alg alg; 797 int tx, key_rsc_len, keyidx; 798 u8 gtk[32]; 799 int gtk_len; 800 }; 801 802 803 static int wpa_supplicant_install_gtk(struct wpa_sm *sm, 804 const struct wpa_gtk_data *gd, 805 const u8 *key_rsc, int wnm_sleep) 806 { 807 const u8 *_gtk = gd->gtk; 808 u8 gtk_buf[32]; 809 810 /* Detect possible key reinstallation */ 811 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && 812 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || 813 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && 814 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, 815 sm->gtk_wnm_sleep.gtk_len) == 0)) { 816 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 817 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", 818 gd->keyidx, gd->tx, gd->gtk_len); 819 return 0; 820 } 821 822 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len); 823 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 824 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", 825 gd->keyidx, gd->tx, gd->gtk_len); 826 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len); 827 if (sm->group_cipher == WPA_CIPHER_TKIP) { 828 /* Swap Tx/Rx keys for Michael MIC */ 829 os_memcpy(gtk_buf, gd->gtk, 16); 830 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8); 831 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8); 832 _gtk = gtk_buf; 833 } 834 if (sm->pairwise_cipher == WPA_CIPHER_NONE) { 835 if (wpa_sm_set_key(sm, gd->alg, NULL, 836 gd->keyidx, 1, key_rsc, gd->key_rsc_len, 837 _gtk, gd->gtk_len) < 0) { 838 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 839 "WPA: Failed to set GTK to the driver " 840 "(Group only)"); 841 os_memset(gtk_buf, 0, sizeof(gtk_buf)); 842 return -1; 843 } 844 } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr, 845 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, 846 _gtk, gd->gtk_len) < 0) { 847 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 848 "WPA: Failed to set GTK to " 849 "the driver (alg=%d keylen=%d keyidx=%d)", 850 gd->alg, gd->gtk_len, gd->keyidx); 851 os_memset(gtk_buf, 0, sizeof(gtk_buf)); 852 return -1; 853 } 854 os_memset(gtk_buf, 0, sizeof(gtk_buf)); 855 856 if (wnm_sleep) { 857 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len; 858 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, 859 sm->gtk_wnm_sleep.gtk_len); 860 } else { 861 sm->gtk.gtk_len = gd->gtk_len; 862 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); 863 } 864 865 return 0; 866 } 867 868 869 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm, 870 int tx) 871 { 872 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) { 873 /* Ignore Tx bit for GTK if a pairwise key is used. One AP 874 * seemed to set this bit (incorrectly, since Tx is only when 875 * doing Group Key only APs) and without this workaround, the 876 * data connection does not work because wpa_supplicant 877 * configured non-zero keyidx to be used for unicast. */ 878 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 879 "WPA: Tx bit set for GTK, but pairwise " 880 "keys are used - ignore Tx bit"); 881 return 0; 882 } 883 return tx; 884 } 885 886 887 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm, 888 const u8 *rsc) 889 { 890 int rsclen; 891 892 if (!sm->wpa_rsc_relaxation) 893 return 0; 894 895 rsclen = wpa_cipher_rsc_len(sm->group_cipher); 896 897 /* 898 * Try to detect RSC (endian) corruption issue where the AP sends 899 * the RSC bytes in EAPOL-Key message in the wrong order, both if 900 * it's actually a 6-byte field (as it should be) and if it treats 901 * it as an 8-byte field. 902 * An AP model known to have this bug is the Sapido RB-1632. 903 */ 904 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) { 905 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 906 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0", 907 rsc[0], rsc[1], rsc[2], rsc[3], 908 rsc[4], rsc[5], rsc[6], rsc[7]); 909 910 return 1; 911 } 912 913 return 0; 914 } 915 916 917 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, 918 const struct wpa_eapol_key *key, 919 const u8 *gtk, size_t gtk_len, 920 int key_info) 921 { 922 struct wpa_gtk_data gd; 923 const u8 *key_rsc; 924 925 /* 926 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x 927 * GTK KDE format: 928 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7] 929 * Reserved [bits 0-7] 930 * GTK 931 */ 932 933 os_memset(&gd, 0, sizeof(gd)); 934 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake", 935 gtk, gtk_len); 936 937 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk)) 938 return -1; 939 940 gd.keyidx = gtk[0] & 0x3; 941 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 942 !!(gtk[0] & BIT(2))); 943 gtk += 2; 944 gtk_len -= 2; 945 946 os_memcpy(gd.gtk, gtk, gtk_len); 947 gd.gtk_len = gtk_len; 948 949 key_rsc = key->key_rsc; 950 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) 951 key_rsc = null_rsc; 952 953 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED && 954 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 955 gtk_len, gtk_len, 956 &gd.key_rsc_len, &gd.alg) || 957 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { 958 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 959 "RSN: Failed to install GTK"); 960 os_memset(&gd, 0, sizeof(gd)); 961 return -1; 962 } 963 os_memset(&gd, 0, sizeof(gd)); 964 965 wpa_supplicant_key_neg_complete(sm, sm->bssid, 966 key_info & WPA_KEY_INFO_SECURE); 967 return 0; 968 } 969 970 971 #ifdef CONFIG_IEEE80211W 972 static int wpa_supplicant_install_igtk(struct wpa_sm *sm, 973 const struct wpa_igtk_kde *igtk, 974 int wnm_sleep) 975 { 976 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); 977 u16 keyidx = WPA_GET_LE16(igtk->keyid); 978 979 /* Detect possible key reinstallation */ 980 if ((sm->igtk.igtk_len == len && 981 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || 982 (sm->igtk_wnm_sleep.igtk_len == len && 983 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, 984 sm->igtk_wnm_sleep.igtk_len) == 0)) { 985 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 986 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", 987 keyidx); 988 return 0; 989 } 990 991 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 992 "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x", 993 keyidx, MAC2STR(igtk->pn)); 994 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); 995 if (keyidx > 4095) { 996 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 997 "WPA: Invalid IGTK KeyID %d", keyidx); 998 return -1; 999 } 1000 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), 1001 broadcast_ether_addr, 1002 keyidx, 0, igtk->pn, sizeof(igtk->pn), 1003 igtk->igtk, len) < 0) { 1004 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1005 "WPA: Failed to configure IGTK to the driver"); 1006 return -1; 1007 } 1008 1009 if (wnm_sleep) { 1010 sm->igtk_wnm_sleep.igtk_len = len; 1011 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, 1012 sm->igtk_wnm_sleep.igtk_len); 1013 } else { 1014 sm->igtk.igtk_len = len; 1015 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); 1016 } 1017 1018 return 0; 1019 } 1020 #endif /* CONFIG_IEEE80211W */ 1021 1022 1023 static int ieee80211w_set_keys(struct wpa_sm *sm, 1024 struct wpa_eapol_ie_parse *ie) 1025 { 1026 #ifdef CONFIG_IEEE80211W 1027 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher)) 1028 return 0; 1029 1030 if (ie->igtk) { 1031 size_t len; 1032 const struct wpa_igtk_kde *igtk; 1033 1034 len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1035 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) 1036 return -1; 1037 1038 igtk = (const struct wpa_igtk_kde *) ie->igtk; 1039 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) 1040 return -1; 1041 } 1042 1043 return 0; 1044 #else /* CONFIG_IEEE80211W */ 1045 return 0; 1046 #endif /* CONFIG_IEEE80211W */ 1047 } 1048 1049 1050 static void wpa_report_ie_mismatch(struct wpa_sm *sm, 1051 const char *reason, const u8 *src_addr, 1052 const u8 *wpa_ie, size_t wpa_ie_len, 1053 const u8 *rsn_ie, size_t rsn_ie_len) 1054 { 1055 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")", 1056 reason, MAC2STR(src_addr)); 1057 1058 if (sm->ap_wpa_ie) { 1059 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp", 1060 sm->ap_wpa_ie, sm->ap_wpa_ie_len); 1061 } 1062 if (wpa_ie) { 1063 if (!sm->ap_wpa_ie) { 1064 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1065 "WPA: No WPA IE in Beacon/ProbeResp"); 1066 } 1067 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg", 1068 wpa_ie, wpa_ie_len); 1069 } 1070 1071 if (sm->ap_rsn_ie) { 1072 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp", 1073 sm->ap_rsn_ie, sm->ap_rsn_ie_len); 1074 } 1075 if (rsn_ie) { 1076 if (!sm->ap_rsn_ie) { 1077 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1078 "WPA: No RSN IE in Beacon/ProbeResp"); 1079 } 1080 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg", 1081 rsn_ie, rsn_ie_len); 1082 } 1083 1084 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS); 1085 } 1086 1087 1088 #ifdef CONFIG_IEEE80211R 1089 1090 static int ft_validate_mdie(struct wpa_sm *sm, 1091 const unsigned char *src_addr, 1092 struct wpa_eapol_ie_parse *ie, 1093 const u8 *assoc_resp_mdie) 1094 { 1095 struct rsn_mdie *mdie; 1096 1097 mdie = (struct rsn_mdie *) (ie->mdie + 2); 1098 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) || 1099 os_memcmp(mdie->mobility_domain, sm->mobility_domain, 1100 MOBILITY_DOMAIN_ID_LEN) != 0) { 1101 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did " 1102 "not match with the current mobility domain"); 1103 return -1; 1104 } 1105 1106 if (assoc_resp_mdie && 1107 (assoc_resp_mdie[1] != ie->mdie[1] || 1108 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) { 1109 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch"); 1110 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4", 1111 ie->mdie, 2 + ie->mdie[1]); 1112 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response", 1113 assoc_resp_mdie, 2 + assoc_resp_mdie[1]); 1114 return -1; 1115 } 1116 1117 return 0; 1118 } 1119 1120 1121 static int ft_validate_ftie(struct wpa_sm *sm, 1122 const unsigned char *src_addr, 1123 struct wpa_eapol_ie_parse *ie, 1124 const u8 *assoc_resp_ftie) 1125 { 1126 if (ie->ftie == NULL) { 1127 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1128 "FT: No FTIE in EAPOL-Key msg 3/4"); 1129 return -1; 1130 } 1131 1132 if (assoc_resp_ftie == NULL) 1133 return 0; 1134 1135 if (assoc_resp_ftie[1] != ie->ftie[1] || 1136 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) { 1137 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch"); 1138 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4", 1139 ie->ftie, 2 + ie->ftie[1]); 1140 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response", 1141 assoc_resp_ftie, 2 + assoc_resp_ftie[1]); 1142 return -1; 1143 } 1144 1145 return 0; 1146 } 1147 1148 1149 static int ft_validate_rsnie(struct wpa_sm *sm, 1150 const unsigned char *src_addr, 1151 struct wpa_eapol_ie_parse *ie) 1152 { 1153 struct wpa_ie_data rsn; 1154 1155 if (!ie->rsn_ie) 1156 return 0; 1157 1158 /* 1159 * Verify that PMKR1Name from EAPOL-Key message 3/4 1160 * matches with the value we derived. 1161 */ 1162 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 || 1163 rsn.num_pmkid != 1 || rsn.pmkid == NULL) { 1164 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in " 1165 "FT 4-way handshake message 3/4"); 1166 return -1; 1167 } 1168 1169 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0) 1170 { 1171 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1172 "FT: PMKR1Name mismatch in " 1173 "FT 4-way handshake message 3/4"); 1174 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator", 1175 rsn.pmkid, WPA_PMK_NAME_LEN); 1176 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 1177 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 1178 return -1; 1179 } 1180 1181 return 0; 1182 } 1183 1184 1185 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm, 1186 const unsigned char *src_addr, 1187 struct wpa_eapol_ie_parse *ie) 1188 { 1189 const u8 *pos, *end, *mdie = NULL, *ftie = NULL; 1190 1191 if (sm->assoc_resp_ies) { 1192 pos = sm->assoc_resp_ies; 1193 end = pos + sm->assoc_resp_ies_len; 1194 while (end - pos > 2) { 1195 if (2 + pos[1] > end - pos) 1196 break; 1197 switch (*pos) { 1198 case WLAN_EID_MOBILITY_DOMAIN: 1199 mdie = pos; 1200 break; 1201 case WLAN_EID_FAST_BSS_TRANSITION: 1202 ftie = pos; 1203 break; 1204 } 1205 pos += 2 + pos[1]; 1206 } 1207 } 1208 1209 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 || 1210 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 || 1211 ft_validate_rsnie(sm, src_addr, ie) < 0) 1212 return -1; 1213 1214 return 0; 1215 } 1216 1217 #endif /* CONFIG_IEEE80211R */ 1218 1219 1220 static int wpa_supplicant_validate_ie(struct wpa_sm *sm, 1221 const unsigned char *src_addr, 1222 struct wpa_eapol_ie_parse *ie) 1223 { 1224 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) { 1225 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1226 "WPA: No WPA/RSN IE for this AP known. " 1227 "Trying to get from scan results"); 1228 if (wpa_sm_get_beacon_ie(sm) < 0) { 1229 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1230 "WPA: Could not find AP from " 1231 "the scan results"); 1232 } else { 1233 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG, 1234 "WPA: Found the current AP from " 1235 "updated scan results"); 1236 } 1237 } 1238 1239 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL && 1240 (sm->ap_wpa_ie || sm->ap_rsn_ie)) { 1241 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match " 1242 "with IE in Beacon/ProbeResp (no IE?)", 1243 src_addr, ie->wpa_ie, ie->wpa_ie_len, 1244 ie->rsn_ie, ie->rsn_ie_len); 1245 return -1; 1246 } 1247 1248 if ((ie->wpa_ie && sm->ap_wpa_ie && 1249 (ie->wpa_ie_len != sm->ap_wpa_ie_len || 1250 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) || 1251 (ie->rsn_ie && sm->ap_rsn_ie && 1252 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt), 1253 sm->ap_rsn_ie, sm->ap_rsn_ie_len, 1254 ie->rsn_ie, ie->rsn_ie_len))) { 1255 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match " 1256 "with IE in Beacon/ProbeResp", 1257 src_addr, ie->wpa_ie, ie->wpa_ie_len, 1258 ie->rsn_ie, ie->rsn_ie_len); 1259 return -1; 1260 } 1261 1262 if (sm->proto == WPA_PROTO_WPA && 1263 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) { 1264 wpa_report_ie_mismatch(sm, "Possible downgrade attack " 1265 "detected - RSN was enabled and RSN IE " 1266 "was in msg 3/4, but not in " 1267 "Beacon/ProbeResp", 1268 src_addr, ie->wpa_ie, ie->wpa_ie_len, 1269 ie->rsn_ie, ie->rsn_ie_len); 1270 return -1; 1271 } 1272 1273 #ifdef CONFIG_IEEE80211R 1274 if (wpa_key_mgmt_ft(sm->key_mgmt) && 1275 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0) 1276 return -1; 1277 #endif /* CONFIG_IEEE80211R */ 1278 1279 return 0; 1280 } 1281 1282 1283 /** 1284 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake 1285 * @sm: Pointer to WPA state machine data from wpa_sm_init() 1286 * @dst: Destination address for the frame 1287 * @key: Pointer to the EAPOL-Key frame header 1288 * @ver: Version bits from EAPOL-Key Key Info 1289 * @key_info: Key Info 1290 * @ptk: PTK to use for keyed hash and encryption 1291 * Returns: >= 0 on success, < 0 on failure 1292 */ 1293 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst, 1294 const struct wpa_eapol_key *key, 1295 u16 ver, u16 key_info, 1296 struct wpa_ptk *ptk) 1297 { 1298 size_t mic_len, hdrlen, rlen; 1299 struct wpa_eapol_key *reply; 1300 u8 *rbuf, *key_mic; 1301 1302 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 1303 hdrlen = sizeof(*reply) + mic_len + 2; 1304 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 1305 hdrlen, &rlen, (void *) &reply); 1306 if (rbuf == NULL) 1307 return -1; 1308 1309 reply->type = (sm->proto == WPA_PROTO_RSN || 1310 sm->proto == WPA_PROTO_OSEN) ? 1311 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1312 key_info &= WPA_KEY_INFO_SECURE; 1313 key_info |= ver | WPA_KEY_INFO_KEY_TYPE; 1314 if (mic_len) 1315 key_info |= WPA_KEY_INFO_MIC; 1316 else 1317 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1318 WPA_PUT_BE16(reply->key_info, key_info); 1319 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 1320 WPA_PUT_BE16(reply->key_length, 0); 1321 else 1322 os_memcpy(reply->key_length, key->key_length, 2); 1323 os_memcpy(reply->replay_counter, key->replay_counter, 1324 WPA_REPLAY_COUNTER_LEN); 1325 1326 key_mic = (u8 *) (reply + 1); 1327 WPA_PUT_BE16(key_mic + mic_len, 0); 1328 1329 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Sending EAPOL-Key 4/4"); 1330 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen, 1331 key_mic); 1332 } 1333 1334 1335 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, 1336 const struct wpa_eapol_key *key, 1337 u16 ver, const u8 *key_data, 1338 size_t key_data_len) 1339 { 1340 u16 key_info, keylen; 1341 struct wpa_eapol_ie_parse ie; 1342 1343 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE); 1344 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: RX message 3 of 4-Way " 1345 "Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver); 1346 1347 key_info = WPA_GET_BE16(key->key_info); 1348 1349 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len); 1350 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) 1351 goto failed; 1352 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1353 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1354 "WPA: GTK IE in unencrypted key data"); 1355 goto failed; 1356 } 1357 #ifdef CONFIG_IEEE80211W 1358 if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1359 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1360 "WPA: IGTK KDE in unencrypted key data"); 1361 goto failed; 1362 } 1363 1364 if (ie.igtk && 1365 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) && 1366 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN + 1367 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) { 1368 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1369 "WPA: Invalid IGTK KDE length %lu", 1370 (unsigned long) ie.igtk_len); 1371 goto failed; 1372 } 1373 #endif /* CONFIG_IEEE80211W */ 1374 1375 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0) 1376 goto failed; 1377 1378 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) { 1379 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1380 "WPA: ANonce from message 1 of 4-Way Handshake " 1381 "differs from 3 of 4-Way Handshake - drop packet (src=" 1382 MACSTR ")", MAC2STR(sm->bssid)); 1383 goto failed; 1384 } 1385 1386 keylen = WPA_GET_BE16(key->key_length); 1387 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) { 1388 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1389 "WPA: Invalid %s key length %d (src=" MACSTR 1390 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen, 1391 MAC2STR(sm->bssid)); 1392 goto failed; 1393 } 1394 1395 #ifdef CONFIG_P2P 1396 if (ie.ip_addr_alloc) { 1397 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4); 1398 wpa_hexdump(MSG_DEBUG, "P2P: IP address info", 1399 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr)); 1400 } 1401 #endif /* CONFIG_P2P */ 1402 1403 if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info, 1404 &sm->ptk) < 0) { 1405 goto failed; 1406 } 1407 1408 /* SNonce was successfully used in msg 3/4, so mark it to be renewed 1409 * for the next 4-Way Handshake. If msg 3 is received again, the old 1410 * SNonce will still be used to avoid changing PTK. */ 1411 sm->renew_snonce = 1; 1412 1413 if (key_info & WPA_KEY_INFO_INSTALL) { 1414 if (wpa_supplicant_install_ptk(sm, key)) 1415 goto failed; 1416 } 1417 1418 if (key_info & WPA_KEY_INFO_SECURE) { 1419 wpa_sm_mlme_setprotection( 1420 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX, 1421 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE); 1422 eapol_sm_notify_portValid(sm->eapol, TRUE); 1423 } 1424 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE); 1425 1426 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) { 1427 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1428 key_info & WPA_KEY_INFO_SECURE); 1429 } else if (ie.gtk && 1430 wpa_supplicant_pairwise_gtk(sm, key, 1431 ie.gtk, ie.gtk_len, key_info) < 0) { 1432 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1433 "RSN: Failed to configure GTK"); 1434 goto failed; 1435 } 1436 1437 if (ieee80211w_set_keys(sm, &ie) < 0) { 1438 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1439 "RSN: Failed to configure IGTK"); 1440 goto failed; 1441 } 1442 1443 if (ie.gtk) 1444 wpa_sm_set_rekey_offload(sm); 1445 1446 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt)) { 1447 struct rsn_pmksa_cache_entry *sa; 1448 1449 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL, 1450 sm->ptk.kck, sm->ptk.kck_len, 1451 sm->bssid, sm->own_addr, 1452 sm->network_ctx, sm->key_mgmt, NULL); 1453 if (!sm->cur_pmksa) 1454 sm->cur_pmksa = sa; 1455 } 1456 1457 sm->msg_3_of_4_ok = 1; 1458 return; 1459 1460 failed: 1461 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 1462 } 1463 1464 1465 static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm, 1466 const u8 *keydata, 1467 size_t keydatalen, 1468 u16 key_info, 1469 struct wpa_gtk_data *gd) 1470 { 1471 int maxkeylen; 1472 struct wpa_eapol_ie_parse ie; 1473 1474 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data", 1475 keydata, keydatalen); 1476 if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0) 1477 return -1; 1478 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1479 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1480 "WPA: GTK IE in unencrypted key data"); 1481 return -1; 1482 } 1483 if (ie.gtk == NULL) { 1484 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1485 "WPA: No GTK IE in Group Key msg 1/2"); 1486 return -1; 1487 } 1488 maxkeylen = gd->gtk_len = ie.gtk_len - 2; 1489 1490 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 1491 gd->gtk_len, maxkeylen, 1492 &gd->key_rsc_len, &gd->alg)) 1493 return -1; 1494 1495 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake", 1496 ie.gtk, ie.gtk_len); 1497 gd->keyidx = ie.gtk[0] & 0x3; 1498 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 1499 !!(ie.gtk[0] & BIT(2))); 1500 if (ie.gtk_len - 2 > sizeof(gd->gtk)) { 1501 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1502 "RSN: Too long GTK in GTK IE (len=%lu)", 1503 (unsigned long) ie.gtk_len - 2); 1504 return -1; 1505 } 1506 os_memcpy(gd->gtk, ie.gtk + 2, ie.gtk_len - 2); 1507 1508 if (ieee80211w_set_keys(sm, &ie) < 0) 1509 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1510 "RSN: Failed to configure IGTK"); 1511 1512 return 0; 1513 } 1514 1515 1516 static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm, 1517 const struct wpa_eapol_key *key, 1518 const u8 *key_data, 1519 size_t key_data_len, u16 key_info, 1520 u16 ver, struct wpa_gtk_data *gd) 1521 { 1522 size_t maxkeylen; 1523 u16 gtk_len; 1524 1525 gtk_len = WPA_GET_BE16(key->key_length); 1526 maxkeylen = key_data_len; 1527 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1528 if (maxkeylen < 8) { 1529 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1530 "WPA: Too short maxkeylen (%lu)", 1531 (unsigned long) maxkeylen); 1532 return -1; 1533 } 1534 maxkeylen -= 8; 1535 } 1536 1537 if (gtk_len > maxkeylen || 1538 wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 1539 gtk_len, maxkeylen, 1540 &gd->key_rsc_len, &gd->alg)) 1541 return -1; 1542 1543 gd->gtk_len = gtk_len; 1544 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 1545 WPA_KEY_INFO_KEY_INDEX_SHIFT; 1546 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) { 1547 #ifdef CONFIG_NO_RC4 1548 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1549 "WPA: RC4 not supported in the build"); 1550 return -1; 1551 #else /* CONFIG_NO_RC4 */ 1552 u8 ek[32]; 1553 if (key_data_len > sizeof(gd->gtk)) { 1554 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1555 "WPA: RC4 key data too long (%lu)", 1556 (unsigned long) key_data_len); 1557 return -1; 1558 } 1559 os_memcpy(ek, key->key_iv, 16); 1560 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len); 1561 os_memcpy(gd->gtk, key_data, key_data_len); 1562 if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) { 1563 os_memset(ek, 0, sizeof(ek)); 1564 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 1565 "WPA: RC4 failed"); 1566 return -1; 1567 } 1568 os_memset(ek, 0, sizeof(ek)); 1569 #endif /* CONFIG_NO_RC4 */ 1570 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1571 if (maxkeylen % 8) { 1572 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1573 "WPA: Unsupported AES-WRAP len %lu", 1574 (unsigned long) maxkeylen); 1575 return -1; 1576 } 1577 if (maxkeylen > sizeof(gd->gtk)) { 1578 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1579 "WPA: AES-WRAP key data " 1580 "too long (keydatalen=%lu maxkeylen=%lu)", 1581 (unsigned long) key_data_len, 1582 (unsigned long) maxkeylen); 1583 return -1; 1584 } 1585 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8, 1586 key_data, gd->gtk)) { 1587 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1588 "WPA: AES unwrap failed - could not decrypt " 1589 "GTK"); 1590 return -1; 1591 } 1592 } else { 1593 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1594 "WPA: Unsupported key_info type %d", ver); 1595 return -1; 1596 } 1597 gd->tx = wpa_supplicant_gtk_tx_bit_workaround( 1598 sm, !!(key_info & WPA_KEY_INFO_TXRX)); 1599 return 0; 1600 } 1601 1602 1603 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm, 1604 const struct wpa_eapol_key *key, 1605 int ver, u16 key_info) 1606 { 1607 size_t mic_len, hdrlen, rlen; 1608 struct wpa_eapol_key *reply; 1609 u8 *rbuf, *key_mic; 1610 1611 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 1612 hdrlen = sizeof(*reply) + mic_len + 2; 1613 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 1614 hdrlen, &rlen, (void *) &reply); 1615 if (rbuf == NULL) 1616 return -1; 1617 1618 reply->type = (sm->proto == WPA_PROTO_RSN || 1619 sm->proto == WPA_PROTO_OSEN) ? 1620 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1621 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK; 1622 key_info |= ver | WPA_KEY_INFO_SECURE; 1623 if (mic_len) 1624 key_info |= WPA_KEY_INFO_MIC; 1625 else 1626 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1627 WPA_PUT_BE16(reply->key_info, key_info); 1628 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 1629 WPA_PUT_BE16(reply->key_length, 0); 1630 else 1631 os_memcpy(reply->key_length, key->key_length, 2); 1632 os_memcpy(reply->replay_counter, key->replay_counter, 1633 WPA_REPLAY_COUNTER_LEN); 1634 1635 key_mic = (u8 *) (reply + 1); 1636 WPA_PUT_BE16(key_mic + mic_len, 0); 1637 1638 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2"); 1639 return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL, 1640 rbuf, rlen, key_mic); 1641 } 1642 1643 1644 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, 1645 const unsigned char *src_addr, 1646 const struct wpa_eapol_key *key, 1647 const u8 *key_data, 1648 size_t key_data_len, u16 ver) 1649 { 1650 u16 key_info; 1651 int rekey, ret; 1652 struct wpa_gtk_data gd; 1653 const u8 *key_rsc; 1654 1655 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) { 1656 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1657 "WPA: Group Key Handshake started prior to completion of 4-way handshake"); 1658 goto failed; 1659 } 1660 1661 os_memset(&gd, 0, sizeof(gd)); 1662 1663 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED; 1664 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key " 1665 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 1666 1667 key_info = WPA_GET_BE16(key->key_info); 1668 1669 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) { 1670 ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data, 1671 key_data_len, key_info, 1672 &gd); 1673 } else { 1674 ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data, 1675 key_data_len, 1676 key_info, ver, &gd); 1677 } 1678 1679 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE); 1680 1681 if (ret) 1682 goto failed; 1683 1684 key_rsc = key->key_rsc; 1685 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) 1686 key_rsc = null_rsc; 1687 1688 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || 1689 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) 1690 goto failed; 1691 os_memset(&gd, 0, sizeof(gd)); 1692 1693 if (rekey) { 1694 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying " 1695 "completed with " MACSTR " [GTK=%s]", 1696 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher)); 1697 wpa_sm_cancel_auth_timeout(sm); 1698 wpa_sm_set_state(sm, WPA_COMPLETED); 1699 } else { 1700 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1701 key_info & 1702 WPA_KEY_INFO_SECURE); 1703 } 1704 1705 wpa_sm_set_rekey_offload(sm); 1706 1707 return; 1708 1709 failed: 1710 os_memset(&gd, 0, sizeof(gd)); 1711 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 1712 } 1713 1714 1715 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm, 1716 struct wpa_eapol_key *key, 1717 u16 ver, 1718 const u8 *buf, size_t len) 1719 { 1720 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN]; 1721 int ok = 0; 1722 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 1723 1724 os_memcpy(mic, key + 1, mic_len); 1725 if (sm->tptk_set) { 1726 os_memset(key + 1, 0, mic_len); 1727 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len, 1728 sm->key_mgmt, 1729 ver, buf, len, (u8 *) (key + 1)) < 0 || 1730 os_memcmp_const(mic, key + 1, mic_len) != 0) { 1731 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1732 "WPA: Invalid EAPOL-Key MIC " 1733 "when using TPTK - ignoring TPTK"); 1734 } else { 1735 ok = 1; 1736 sm->tptk_set = 0; 1737 sm->ptk_set = 1; 1738 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk)); 1739 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 1740 /* 1741 * This assures the same TPTK in sm->tptk can never be 1742 * copied twice to sm->pkt as the new PTK. In 1743 * combination with the installed flag in the wpa_ptk 1744 * struct, this assures the same PTK is only installed 1745 * once. 1746 */ 1747 sm->renew_snonce = 1; 1748 } 1749 } 1750 1751 if (!ok && sm->ptk_set) { 1752 os_memset(key + 1, 0, mic_len); 1753 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len, 1754 sm->key_mgmt, 1755 ver, buf, len, (u8 *) (key + 1)) < 0 || 1756 os_memcmp_const(mic, key + 1, mic_len) != 0) { 1757 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1758 "WPA: Invalid EAPOL-Key MIC - " 1759 "dropping packet"); 1760 return -1; 1761 } 1762 ok = 1; 1763 } 1764 1765 if (!ok) { 1766 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1767 "WPA: Could not verify EAPOL-Key MIC - " 1768 "dropping packet"); 1769 return -1; 1770 } 1771 1772 os_memcpy(sm->rx_replay_counter, key->replay_counter, 1773 WPA_REPLAY_COUNTER_LEN); 1774 sm->rx_replay_counter_set = 1; 1775 return 0; 1776 } 1777 1778 1779 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */ 1780 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm, 1781 struct wpa_eapol_key *key, 1782 size_t mic_len, u16 ver, 1783 u8 *key_data, size_t *key_data_len) 1784 { 1785 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data", 1786 key_data, *key_data_len); 1787 if (!sm->ptk_set) { 1788 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1789 "WPA: PTK not available, cannot decrypt EAPOL-Key Key " 1790 "Data"); 1791 return -1; 1792 } 1793 1794 /* Decrypt key data here so that this operation does not need 1795 * to be implemented separately for each message type. */ 1796 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) { 1797 #ifdef CONFIG_NO_RC4 1798 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1799 "WPA: RC4 not supported in the build"); 1800 return -1; 1801 #else /* CONFIG_NO_RC4 */ 1802 u8 ek[32]; 1803 1804 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4"); 1805 os_memcpy(ek, key->key_iv, 16); 1806 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len); 1807 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) { 1808 os_memset(ek, 0, sizeof(ek)); 1809 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 1810 "WPA: RC4 failed"); 1811 return -1; 1812 } 1813 os_memset(ek, 0, sizeof(ek)); 1814 #endif /* CONFIG_NO_RC4 */ 1815 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1816 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC || 1817 sm->key_mgmt == WPA_KEY_MGMT_OWE || 1818 sm->key_mgmt == WPA_KEY_MGMT_DPP || 1819 sm->key_mgmt == WPA_KEY_MGMT_OSEN || 1820 wpa_key_mgmt_suite_b(sm->key_mgmt)) { 1821 u8 *buf; 1822 1823 wpa_printf(MSG_DEBUG, 1824 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)", 1825 (unsigned int) sm->ptk.kek_len); 1826 if (*key_data_len < 8 || *key_data_len % 8) { 1827 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1828 "WPA: Unsupported AES-WRAP len %u", 1829 (unsigned int) *key_data_len); 1830 return -1; 1831 } 1832 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */ 1833 buf = os_malloc(*key_data_len); 1834 if (buf == NULL) { 1835 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1836 "WPA: No memory for AES-UNWRAP buffer"); 1837 return -1; 1838 } 1839 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8, 1840 key_data, buf)) { 1841 bin_clear_free(buf, *key_data_len); 1842 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1843 "WPA: AES unwrap failed - " 1844 "could not decrypt EAPOL-Key key data"); 1845 return -1; 1846 } 1847 os_memcpy(key_data, buf, *key_data_len); 1848 bin_clear_free(buf, *key_data_len); 1849 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len); 1850 } else { 1851 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1852 "WPA: Unsupported key_info type %d", ver); 1853 return -1; 1854 } 1855 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data", 1856 key_data, *key_data_len); 1857 return 0; 1858 } 1859 1860 1861 /** 1862 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted 1863 * @sm: Pointer to WPA state machine data from wpa_sm_init() 1864 */ 1865 void wpa_sm_aborted_cached(struct wpa_sm *sm) 1866 { 1867 if (sm && sm->cur_pmksa) { 1868 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1869 "RSN: Cancelling PMKSA caching attempt"); 1870 sm->cur_pmksa = NULL; 1871 } 1872 } 1873 1874 1875 static void wpa_eapol_key_dump(struct wpa_sm *sm, 1876 const struct wpa_eapol_key *key, 1877 unsigned int key_data_len, 1878 const u8 *mic, unsigned int mic_len) 1879 { 1880 #ifndef CONFIG_NO_STDOUT_DEBUG 1881 u16 key_info = WPA_GET_BE16(key->key_info); 1882 1883 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type); 1884 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1885 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)", 1886 key_info, key_info & WPA_KEY_INFO_TYPE_MASK, 1887 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 1888 WPA_KEY_INFO_KEY_INDEX_SHIFT, 1889 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13, 1890 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group", 1891 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "", 1892 key_info & WPA_KEY_INFO_ACK ? " Ack" : "", 1893 key_info & WPA_KEY_INFO_MIC ? " MIC" : "", 1894 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "", 1895 key_info & WPA_KEY_INFO_ERROR ? " Error" : "", 1896 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "", 1897 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : ""); 1898 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1899 " key_length=%u key_data_length=%u", 1900 WPA_GET_BE16(key->key_length), key_data_len); 1901 wpa_hexdump(MSG_DEBUG, " replay_counter", 1902 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1903 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN); 1904 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16); 1905 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8); 1906 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8); 1907 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len); 1908 #endif /* CONFIG_NO_STDOUT_DEBUG */ 1909 } 1910 1911 1912 #ifdef CONFIG_FILS 1913 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len, 1914 size_t *key_data_len) 1915 { 1916 struct wpa_ptk *ptk; 1917 struct ieee802_1x_hdr *hdr; 1918 struct wpa_eapol_key *key; 1919 u8 *pos, *tmp; 1920 const u8 *aad[1]; 1921 size_t aad_len[1]; 1922 1923 if (*key_data_len < AES_BLOCK_SIZE) { 1924 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame"); 1925 return -1; 1926 } 1927 1928 if (sm->tptk_set) 1929 ptk = &sm->tptk; 1930 else if (sm->ptk_set) 1931 ptk = &sm->ptk; 1932 else 1933 return -1; 1934 1935 hdr = (struct ieee802_1x_hdr *) buf; 1936 key = (struct wpa_eapol_key *) (hdr + 1); 1937 pos = (u8 *) (key + 1); 1938 pos += 2; /* Pointing at the Encrypted Key Data field */ 1939 1940 tmp = os_malloc(*key_data_len); 1941 if (!tmp) 1942 return -1; 1943 1944 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 1945 * to Key Data (exclusive). */ 1946 aad[0] = buf; 1947 aad_len[0] = pos - buf; 1948 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len, 1949 1, aad, aad_len, tmp) < 0) { 1950 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame"); 1951 bin_clear_free(tmp, *key_data_len); 1952 return -1; 1953 } 1954 1955 /* AEAD decryption and validation completed successfully */ 1956 (*key_data_len) -= AES_BLOCK_SIZE; 1957 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data", 1958 tmp, *key_data_len); 1959 1960 /* Replace Key Data field with the decrypted version */ 1961 os_memcpy(pos, tmp, *key_data_len); 1962 pos -= 2; /* Key Data Length field */ 1963 WPA_PUT_BE16(pos, *key_data_len); 1964 bin_clear_free(tmp, *key_data_len); 1965 1966 if (sm->tptk_set) { 1967 sm->tptk_set = 0; 1968 sm->ptk_set = 1; 1969 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk)); 1970 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 1971 } 1972 1973 os_memcpy(sm->rx_replay_counter, key->replay_counter, 1974 WPA_REPLAY_COUNTER_LEN); 1975 sm->rx_replay_counter_set = 1; 1976 1977 return 0; 1978 } 1979 #endif /* CONFIG_FILS */ 1980 1981 1982 /** 1983 * wpa_sm_rx_eapol - Process received WPA EAPOL frames 1984 * @sm: Pointer to WPA state machine data from wpa_sm_init() 1985 * @src_addr: Source MAC address of the EAPOL packet 1986 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header) 1987 * @len: Length of the EAPOL frame 1988 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure 1989 * 1990 * This function is called for each received EAPOL frame. Other than EAPOL-Key 1991 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is 1992 * only processing WPA and WPA2 EAPOL-Key frames. 1993 * 1994 * The received EAPOL-Key packets are validated and valid packets are replied 1995 * to. In addition, key material (PTK, GTK) is configured at the end of a 1996 * successful key handshake. 1997 */ 1998 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr, 1999 const u8 *buf, size_t len) 2000 { 2001 size_t plen, data_len, key_data_len; 2002 const struct ieee802_1x_hdr *hdr; 2003 struct wpa_eapol_key *key; 2004 u16 key_info, ver; 2005 u8 *tmp = NULL; 2006 int ret = -1; 2007 u8 *mic, *key_data; 2008 size_t mic_len, keyhdrlen; 2009 2010 #ifdef CONFIG_IEEE80211R 2011 sm->ft_completed = 0; 2012 #endif /* CONFIG_IEEE80211R */ 2013 2014 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 2015 keyhdrlen = sizeof(*key) + mic_len + 2; 2016 2017 if (len < sizeof(*hdr) + keyhdrlen) { 2018 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2019 "WPA: EAPOL frame too short to be a WPA " 2020 "EAPOL-Key (len %lu, expecting at least %lu)", 2021 (unsigned long) len, 2022 (unsigned long) sizeof(*hdr) + keyhdrlen); 2023 return 0; 2024 } 2025 2026 hdr = (const struct ieee802_1x_hdr *) buf; 2027 plen = be_to_host16(hdr->length); 2028 data_len = plen + sizeof(*hdr); 2029 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2030 "IEEE 802.1X RX: version=%d type=%d length=%lu", 2031 hdr->version, hdr->type, (unsigned long) plen); 2032 2033 if (hdr->version < EAPOL_VERSION) { 2034 /* TODO: backwards compatibility */ 2035 } 2036 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) { 2037 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2038 "WPA: EAPOL frame (type %u) discarded, " 2039 "not a Key frame", hdr->type); 2040 ret = 0; 2041 goto out; 2042 } 2043 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len); 2044 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) { 2045 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2046 "WPA: EAPOL frame payload size %lu " 2047 "invalid (frame size %lu)", 2048 (unsigned long) plen, (unsigned long) len); 2049 ret = 0; 2050 goto out; 2051 } 2052 if (data_len < len) { 2053 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2054 "WPA: ignoring %lu bytes after the IEEE 802.1X data", 2055 (unsigned long) len - data_len); 2056 } 2057 2058 /* 2059 * Make a copy of the frame since we need to modify the buffer during 2060 * MAC validation and Key Data decryption. 2061 */ 2062 tmp = os_memdup(buf, data_len); 2063 if (tmp == NULL) 2064 goto out; 2065 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr)); 2066 mic = (u8 *) (key + 1); 2067 key_data = mic + mic_len + 2; 2068 2069 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN) 2070 { 2071 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2072 "WPA: EAPOL-Key type (%d) unknown, discarded", 2073 key->type); 2074 ret = 0; 2075 goto out; 2076 } 2077 2078 key_data_len = WPA_GET_BE16(mic + mic_len); 2079 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len); 2080 2081 if (key_data_len > plen - keyhdrlen) { 2082 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key " 2083 "frame - key_data overflow (%u > %u)", 2084 (unsigned int) key_data_len, 2085 (unsigned int) (plen - keyhdrlen)); 2086 goto out; 2087 } 2088 2089 eapol_sm_notify_lower_layer_success(sm->eapol, 0); 2090 key_info = WPA_GET_BE16(key->key_info); 2091 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 2092 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && 2093 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W) 2094 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC && 2095 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */ 2096 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES && 2097 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 2098 !wpa_key_mgmt_fils(sm->key_mgmt) && 2099 sm->key_mgmt != WPA_KEY_MGMT_OWE && 2100 sm->key_mgmt != WPA_KEY_MGMT_DPP && 2101 sm->key_mgmt != WPA_KEY_MGMT_OSEN) { 2102 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2103 "WPA: Unsupported EAPOL-Key descriptor version %d", 2104 ver); 2105 goto out; 2106 } 2107 2108 if (sm->key_mgmt == WPA_KEY_MGMT_OSEN && 2109 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 2110 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2111 "OSEN: Unsupported EAPOL-Key descriptor version %d", 2112 ver); 2113 goto out; 2114 } 2115 2116 if ((wpa_key_mgmt_suite_b(sm->key_mgmt) || 2117 wpa_key_mgmt_fils(sm->key_mgmt) || 2118 sm->key_mgmt == WPA_KEY_MGMT_DPP || 2119 sm->key_mgmt == WPA_KEY_MGMT_OWE) && 2120 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 2121 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2122 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)", 2123 ver); 2124 goto out; 2125 } 2126 2127 #ifdef CONFIG_IEEE80211R 2128 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 2129 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */ 2130 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 2131 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2132 "FT: AP did not use AES-128-CMAC"); 2133 goto out; 2134 } 2135 } else 2136 #endif /* CONFIG_IEEE80211R */ 2137 #ifdef CONFIG_IEEE80211W 2138 if (wpa_key_mgmt_sha256(sm->key_mgmt)) { 2139 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC && 2140 sm->key_mgmt != WPA_KEY_MGMT_OSEN && 2141 !wpa_key_mgmt_fils(sm->key_mgmt) && 2142 !wpa_key_mgmt_suite_b(sm->key_mgmt)) { 2143 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2144 "WPA: AP did not use the " 2145 "negotiated AES-128-CMAC"); 2146 goto out; 2147 } 2148 } else 2149 #endif /* CONFIG_IEEE80211W */ 2150 if (sm->pairwise_cipher == WPA_CIPHER_CCMP && 2151 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 2152 !wpa_key_mgmt_fils(sm->key_mgmt) && 2153 sm->key_mgmt != WPA_KEY_MGMT_OWE && 2154 sm->key_mgmt != WPA_KEY_MGMT_DPP && 2155 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 2156 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2157 "WPA: CCMP is used, but EAPOL-Key " 2158 "descriptor version (%d) is not 2", ver); 2159 if (sm->group_cipher != WPA_CIPHER_CCMP && 2160 !(key_info & WPA_KEY_INFO_KEY_TYPE)) { 2161 /* Earlier versions of IEEE 802.11i did not explicitly 2162 * require version 2 descriptor for all EAPOL-Key 2163 * packets, so allow group keys to use version 1 if 2164 * CCMP is not used for them. */ 2165 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2166 "WPA: Backwards compatibility: allow invalid " 2167 "version for non-CCMP group keys"); 2168 } else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 2169 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2170 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used"); 2171 } else 2172 goto out; 2173 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP && 2174 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 2175 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 2176 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2177 "WPA: GCMP is used, but EAPOL-Key " 2178 "descriptor version (%d) is not 2", ver); 2179 goto out; 2180 } 2181 2182 if (sm->rx_replay_counter_set && 2183 os_memcmp(key->replay_counter, sm->rx_replay_counter, 2184 WPA_REPLAY_COUNTER_LEN) <= 0) { 2185 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2186 "WPA: EAPOL-Key Replay Counter did not increase - " 2187 "dropping packet"); 2188 goto out; 2189 } 2190 2191 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 2192 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2193 "WPA: Unsupported SMK bit in key_info"); 2194 goto out; 2195 } 2196 2197 if (!(key_info & WPA_KEY_INFO_ACK)) { 2198 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2199 "WPA: No Ack bit in key_info"); 2200 goto out; 2201 } 2202 2203 if (key_info & WPA_KEY_INFO_REQUEST) { 2204 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2205 "WPA: EAPOL-Key with Request bit - dropped"); 2206 goto out; 2207 } 2208 2209 if ((key_info & WPA_KEY_INFO_MIC) && 2210 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len)) 2211 goto out; 2212 2213 #ifdef CONFIG_FILS 2214 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 2215 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len)) 2216 goto out; 2217 } 2218 #endif /* CONFIG_FILS */ 2219 2220 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) && 2221 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) { 2222 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len, 2223 ver, key_data, 2224 &key_data_len)) 2225 goto out; 2226 } 2227 2228 if (key_info & WPA_KEY_INFO_KEY_TYPE) { 2229 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) { 2230 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2231 "WPA: Ignored EAPOL-Key (Pairwise) with " 2232 "non-zero key index"); 2233 goto out; 2234 } 2235 if (key_info & (WPA_KEY_INFO_MIC | 2236 WPA_KEY_INFO_ENCR_KEY_DATA)) { 2237 /* 3/4 4-Way Handshake */ 2238 wpa_supplicant_process_3_of_4(sm, key, ver, key_data, 2239 key_data_len); 2240 } else { 2241 /* 1/4 4-Way Handshake */ 2242 wpa_supplicant_process_1_of_4(sm, src_addr, key, 2243 ver, key_data, 2244 key_data_len); 2245 } 2246 } else { 2247 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) || 2248 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) { 2249 /* 1/2 Group Key Handshake */ 2250 wpa_supplicant_process_1_of_2(sm, src_addr, key, 2251 key_data, key_data_len, 2252 ver); 2253 } else { 2254 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2255 "WPA: EAPOL-Key (Group) without Mic/Encr bit - " 2256 "dropped"); 2257 } 2258 } 2259 2260 ret = 1; 2261 2262 out: 2263 bin_clear_free(tmp, data_len); 2264 return ret; 2265 } 2266 2267 2268 #ifdef CONFIG_CTRL_IFACE 2269 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm) 2270 { 2271 switch (sm->key_mgmt) { 2272 case WPA_KEY_MGMT_IEEE8021X: 2273 return ((sm->proto == WPA_PROTO_RSN || 2274 sm->proto == WPA_PROTO_OSEN) ? 2275 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X : 2276 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X); 2277 case WPA_KEY_MGMT_PSK: 2278 return (sm->proto == WPA_PROTO_RSN ? 2279 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X : 2280 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X); 2281 #ifdef CONFIG_IEEE80211R 2282 case WPA_KEY_MGMT_FT_IEEE8021X: 2283 return RSN_AUTH_KEY_MGMT_FT_802_1X; 2284 case WPA_KEY_MGMT_FT_PSK: 2285 return RSN_AUTH_KEY_MGMT_FT_PSK; 2286 #endif /* CONFIG_IEEE80211R */ 2287 #ifdef CONFIG_IEEE80211W 2288 case WPA_KEY_MGMT_IEEE8021X_SHA256: 2289 return RSN_AUTH_KEY_MGMT_802_1X_SHA256; 2290 case WPA_KEY_MGMT_PSK_SHA256: 2291 return RSN_AUTH_KEY_MGMT_PSK_SHA256; 2292 #endif /* CONFIG_IEEE80211W */ 2293 case WPA_KEY_MGMT_CCKM: 2294 return (sm->proto == WPA_PROTO_RSN ? 2295 RSN_AUTH_KEY_MGMT_CCKM: 2296 WPA_AUTH_KEY_MGMT_CCKM); 2297 case WPA_KEY_MGMT_WPA_NONE: 2298 return WPA_AUTH_KEY_MGMT_NONE; 2299 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 2300 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B; 2301 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 2302 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192; 2303 default: 2304 return 0; 2305 } 2306 } 2307 2308 2309 #define RSN_SUITE "%02x-%02x-%02x-%d" 2310 #define RSN_SUITE_ARG(s) \ 2311 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 2312 2313 /** 2314 * wpa_sm_get_mib - Dump text list of MIB entries 2315 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2316 * @buf: Buffer for the list 2317 * @buflen: Length of the buffer 2318 * Returns: Number of bytes written to buffer 2319 * 2320 * This function is used fetch dot11 MIB variables. 2321 */ 2322 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen) 2323 { 2324 char pmkid_txt[PMKID_LEN * 2 + 1]; 2325 int rsna, ret; 2326 size_t len; 2327 2328 if (sm->cur_pmksa) { 2329 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 2330 sm->cur_pmksa->pmkid, PMKID_LEN); 2331 } else 2332 pmkid_txt[0] = '\0'; 2333 2334 if ((wpa_key_mgmt_wpa_psk(sm->key_mgmt) || 2335 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) && 2336 sm->proto == WPA_PROTO_RSN) 2337 rsna = 1; 2338 else 2339 rsna = 0; 2340 2341 ret = os_snprintf(buf, buflen, 2342 "dot11RSNAOptionImplemented=TRUE\n" 2343 "dot11RSNAPreauthenticationImplemented=TRUE\n" 2344 "dot11RSNAEnabled=%s\n" 2345 "dot11RSNAPreauthenticationEnabled=%s\n" 2346 "dot11RSNAConfigVersion=%d\n" 2347 "dot11RSNAConfigPairwiseKeysSupported=5\n" 2348 "dot11RSNAConfigGroupCipherSize=%d\n" 2349 "dot11RSNAConfigPMKLifetime=%d\n" 2350 "dot11RSNAConfigPMKReauthThreshold=%d\n" 2351 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n" 2352 "dot11RSNAConfigSATimeout=%d\n", 2353 rsna ? "TRUE" : "FALSE", 2354 rsna ? "TRUE" : "FALSE", 2355 RSN_VERSION, 2356 wpa_cipher_key_len(sm->group_cipher) * 8, 2357 sm->dot11RSNAConfigPMKLifetime, 2358 sm->dot11RSNAConfigPMKReauthThreshold, 2359 sm->dot11RSNAConfigSATimeout); 2360 if (os_snprintf_error(buflen, ret)) 2361 return 0; 2362 len = ret; 2363 2364 ret = os_snprintf( 2365 buf + len, buflen - len, 2366 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 2367 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 2368 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 2369 "dot11RSNAPMKIDUsed=%s\n" 2370 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 2371 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 2372 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 2373 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n" 2374 "dot11RSNA4WayHandshakeFailures=%u\n", 2375 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)), 2376 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2377 sm->pairwise_cipher)), 2378 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2379 sm->group_cipher)), 2380 pmkid_txt, 2381 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)), 2382 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2383 sm->pairwise_cipher)), 2384 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2385 sm->group_cipher)), 2386 sm->dot11RSNA4WayHandshakeFailures); 2387 if (!os_snprintf_error(buflen - len, ret)) 2388 len += ret; 2389 2390 return (int) len; 2391 } 2392 #endif /* CONFIG_CTRL_IFACE */ 2393 2394 2395 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 2396 void *ctx, enum pmksa_free_reason reason) 2397 { 2398 struct wpa_sm *sm = ctx; 2399 int deauth = 0; 2400 2401 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: " 2402 MACSTR " reason=%d", MAC2STR(entry->aa), reason); 2403 2404 if (sm->cur_pmksa == entry) { 2405 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2406 "RSN: %s current PMKSA entry", 2407 reason == PMKSA_REPLACE ? "replaced" : "removed"); 2408 pmksa_cache_clear_current(sm); 2409 2410 /* 2411 * If an entry is simply being replaced, there's no need to 2412 * deauthenticate because it will be immediately re-added. 2413 * This happens when EAP authentication is completed again 2414 * (reauth or failed PMKSA caching attempt). 2415 */ 2416 if (reason != PMKSA_REPLACE) 2417 deauth = 1; 2418 } 2419 2420 if (reason == PMKSA_EXPIRE && 2421 (sm->pmk_len == entry->pmk_len && 2422 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) { 2423 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2424 "RSN: deauthenticating due to expired PMK"); 2425 pmksa_cache_clear_current(sm); 2426 deauth = 1; 2427 } 2428 2429 if (deauth) { 2430 os_memset(sm->pmk, 0, sizeof(sm->pmk)); 2431 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 2432 } 2433 } 2434 2435 2436 /** 2437 * wpa_sm_init - Initialize WPA state machine 2438 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer 2439 * Returns: Pointer to the allocated WPA state machine data 2440 * 2441 * This function is used to allocate a new WPA state machine and the returned 2442 * value is passed to all WPA state machine calls. 2443 */ 2444 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx) 2445 { 2446 struct wpa_sm *sm; 2447 2448 sm = os_zalloc(sizeof(*sm)); 2449 if (sm == NULL) 2450 return NULL; 2451 dl_list_init(&sm->pmksa_candidates); 2452 sm->renew_snonce = 1; 2453 sm->ctx = ctx; 2454 2455 sm->dot11RSNAConfigPMKLifetime = 43200; 2456 sm->dot11RSNAConfigPMKReauthThreshold = 70; 2457 sm->dot11RSNAConfigSATimeout = 60; 2458 2459 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, sm, sm); 2460 if (sm->pmksa == NULL) { 2461 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 2462 "RSN: PMKSA cache initialization failed"); 2463 os_free(sm); 2464 return NULL; 2465 } 2466 2467 return sm; 2468 } 2469 2470 2471 /** 2472 * wpa_sm_deinit - Deinitialize WPA state machine 2473 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2474 */ 2475 void wpa_sm_deinit(struct wpa_sm *sm) 2476 { 2477 if (sm == NULL) 2478 return; 2479 pmksa_cache_deinit(sm->pmksa); 2480 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL); 2481 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 2482 os_free(sm->assoc_wpa_ie); 2483 os_free(sm->ap_wpa_ie); 2484 os_free(sm->ap_rsn_ie); 2485 wpa_sm_drop_sa(sm); 2486 os_free(sm->ctx); 2487 #ifdef CONFIG_IEEE80211R 2488 os_free(sm->assoc_resp_ies); 2489 #endif /* CONFIG_IEEE80211R */ 2490 #ifdef CONFIG_TESTING_OPTIONS 2491 wpabuf_free(sm->test_assoc_ie); 2492 #endif /* CONFIG_TESTING_OPTIONS */ 2493 #ifdef CONFIG_FILS_SK_PFS 2494 crypto_ecdh_deinit(sm->fils_ecdh); 2495 #endif /* CONFIG_FILS_SK_PFS */ 2496 #ifdef CONFIG_FILS 2497 wpabuf_free(sm->fils_ft_ies); 2498 #endif /* CONFIG_FILS */ 2499 #ifdef CONFIG_OWE 2500 crypto_ecdh_deinit(sm->owe_ecdh); 2501 #endif /* CONFIG_OWE */ 2502 os_free(sm); 2503 } 2504 2505 2506 /** 2507 * wpa_sm_notify_assoc - Notify WPA state machine about association 2508 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2509 * @bssid: The BSSID of the new association 2510 * 2511 * This function is called to let WPA state machine know that the connection 2512 * was established. 2513 */ 2514 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) 2515 { 2516 int clear_keys = 1; 2517 2518 if (sm == NULL) 2519 return; 2520 2521 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2522 "WPA: Association event - clear replay counter"); 2523 os_memcpy(sm->bssid, bssid, ETH_ALEN); 2524 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN); 2525 sm->rx_replay_counter_set = 0; 2526 sm->renew_snonce = 1; 2527 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0) 2528 rsn_preauth_deinit(sm); 2529 2530 #ifdef CONFIG_IEEE80211R 2531 if (wpa_ft_is_completed(sm)) { 2532 /* 2533 * Clear portValid to kick EAPOL state machine to re-enter 2534 * AUTHENTICATED state to get the EAPOL port Authorized. 2535 */ 2536 eapol_sm_notify_portValid(sm->eapol, FALSE); 2537 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1); 2538 2539 /* Prepare for the next transition */ 2540 wpa_ft_prepare_auth_request(sm, NULL); 2541 2542 clear_keys = 0; 2543 } 2544 #endif /* CONFIG_IEEE80211R */ 2545 #ifdef CONFIG_FILS 2546 if (sm->fils_completed) { 2547 /* 2548 * Clear portValid to kick EAPOL state machine to re-enter 2549 * AUTHENTICATED state to get the EAPOL port Authorized. 2550 */ 2551 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1); 2552 clear_keys = 0; 2553 } 2554 #endif /* CONFIG_FILS */ 2555 2556 if (clear_keys) { 2557 /* 2558 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if 2559 * this is not part of a Fast BSS Transition. 2560 */ 2561 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK"); 2562 sm->ptk_set = 0; 2563 os_memset(&sm->ptk, 0, sizeof(sm->ptk)); 2564 sm->tptk_set = 0; 2565 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 2566 os_memset(&sm->gtk, 0, sizeof(sm->gtk)); 2567 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); 2568 #ifdef CONFIG_IEEE80211W 2569 os_memset(&sm->igtk, 0, sizeof(sm->igtk)); 2570 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); 2571 #endif /* CONFIG_IEEE80211W */ 2572 } 2573 2574 #ifdef CONFIG_TDLS 2575 wpa_tdls_assoc(sm); 2576 #endif /* CONFIG_TDLS */ 2577 2578 #ifdef CONFIG_P2P 2579 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr)); 2580 #endif /* CONFIG_P2P */ 2581 } 2582 2583 2584 /** 2585 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation 2586 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2587 * 2588 * This function is called to let WPA state machine know that the connection 2589 * was lost. This will abort any existing pre-authentication session. 2590 */ 2591 void wpa_sm_notify_disassoc(struct wpa_sm *sm) 2592 { 2593 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL); 2594 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 2595 rsn_preauth_deinit(sm); 2596 pmksa_cache_clear_current(sm); 2597 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE) 2598 sm->dot11RSNA4WayHandshakeFailures++; 2599 #ifdef CONFIG_TDLS 2600 wpa_tdls_disassoc(sm); 2601 #endif /* CONFIG_TDLS */ 2602 #ifdef CONFIG_FILS 2603 sm->fils_completed = 0; 2604 #endif /* CONFIG_FILS */ 2605 #ifdef CONFIG_IEEE80211R 2606 sm->ft_reassoc_completed = 0; 2607 #endif /* CONFIG_IEEE80211R */ 2608 2609 /* Keys are not needed in the WPA state machine anymore */ 2610 wpa_sm_drop_sa(sm); 2611 2612 sm->msg_3_of_4_ok = 0; 2613 os_memset(sm->bssid, 0, ETH_ALEN); 2614 } 2615 2616 2617 /** 2618 * wpa_sm_set_pmk - Set PMK 2619 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2620 * @pmk: The new PMK 2621 * @pmk_len: The length of the new PMK in bytes 2622 * @pmkid: Calculated PMKID 2623 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK 2624 * 2625 * Configure the PMK for WPA state machine. 2626 */ 2627 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, 2628 const u8 *pmkid, const u8 *bssid) 2629 { 2630 if (sm == NULL) 2631 return; 2632 2633 wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data", 2634 pmk, pmk_len); 2635 sm->pmk_len = pmk_len; 2636 os_memcpy(sm->pmk, pmk, pmk_len); 2637 2638 #ifdef CONFIG_IEEE80211R 2639 /* Set XXKey to be PSK for FT key derivation */ 2640 sm->xxkey_len = pmk_len; 2641 os_memcpy(sm->xxkey, pmk, pmk_len); 2642 #endif /* CONFIG_IEEE80211R */ 2643 2644 if (bssid) { 2645 pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0, 2646 bssid, sm->own_addr, 2647 sm->network_ctx, sm->key_mgmt, NULL); 2648 } 2649 } 2650 2651 2652 /** 2653 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA 2654 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2655 * 2656 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK 2657 * will be cleared. 2658 */ 2659 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm) 2660 { 2661 if (sm == NULL) 2662 return; 2663 2664 if (sm->cur_pmksa) { 2665 wpa_hexdump_key(MSG_DEBUG, 2666 "WPA: Set PMK based on current PMKSA", 2667 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len); 2668 sm->pmk_len = sm->cur_pmksa->pmk_len; 2669 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len); 2670 } else { 2671 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK"); 2672 sm->pmk_len = 0; 2673 os_memset(sm->pmk, 0, PMK_LEN_MAX); 2674 } 2675 } 2676 2677 2678 /** 2679 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled 2680 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2681 * @fast_reauth: Whether fast reauthentication (EAP) is allowed 2682 */ 2683 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth) 2684 { 2685 if (sm) 2686 sm->fast_reauth = fast_reauth; 2687 } 2688 2689 2690 /** 2691 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks 2692 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2693 * @scard_ctx: Context pointer for smartcard related callback functions 2694 */ 2695 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx) 2696 { 2697 if (sm == NULL) 2698 return; 2699 sm->scard_ctx = scard_ctx; 2700 if (sm->preauth_eapol) 2701 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx); 2702 } 2703 2704 2705 /** 2706 * wpa_sm_set_config - Notification of current configration change 2707 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2708 * @config: Pointer to current network configuration 2709 * 2710 * Notify WPA state machine that configuration has changed. config will be 2711 * stored as a backpointer to network configuration. This can be %NULL to clear 2712 * the stored pointed. 2713 */ 2714 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config) 2715 { 2716 if (!sm) 2717 return; 2718 2719 if (config) { 2720 sm->network_ctx = config->network_ctx; 2721 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher; 2722 sm->proactive_key_caching = config->proactive_key_caching; 2723 sm->eap_workaround = config->eap_workaround; 2724 sm->eap_conf_ctx = config->eap_conf_ctx; 2725 if (config->ssid) { 2726 os_memcpy(sm->ssid, config->ssid, config->ssid_len); 2727 sm->ssid_len = config->ssid_len; 2728 } else 2729 sm->ssid_len = 0; 2730 sm->wpa_ptk_rekey = config->wpa_ptk_rekey; 2731 sm->p2p = config->p2p; 2732 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation; 2733 #ifdef CONFIG_FILS 2734 if (config->fils_cache_id) { 2735 sm->fils_cache_id_set = 1; 2736 os_memcpy(sm->fils_cache_id, config->fils_cache_id, 2737 FILS_CACHE_ID_LEN); 2738 } else { 2739 sm->fils_cache_id_set = 0; 2740 } 2741 #endif /* CONFIG_FILS */ 2742 } else { 2743 sm->network_ctx = NULL; 2744 sm->allowed_pairwise_cipher = 0; 2745 sm->proactive_key_caching = 0; 2746 sm->eap_workaround = 0; 2747 sm->eap_conf_ctx = NULL; 2748 sm->ssid_len = 0; 2749 sm->wpa_ptk_rekey = 0; 2750 sm->p2p = 0; 2751 sm->wpa_rsc_relaxation = 0; 2752 } 2753 } 2754 2755 2756 /** 2757 * wpa_sm_set_own_addr - Set own MAC address 2758 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2759 * @addr: Own MAC address 2760 */ 2761 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr) 2762 { 2763 if (sm) 2764 os_memcpy(sm->own_addr, addr, ETH_ALEN); 2765 } 2766 2767 2768 /** 2769 * wpa_sm_set_ifname - Set network interface name 2770 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2771 * @ifname: Interface name 2772 * @bridge_ifname: Optional bridge interface name (for pre-auth) 2773 */ 2774 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname, 2775 const char *bridge_ifname) 2776 { 2777 if (sm) { 2778 sm->ifname = ifname; 2779 sm->bridge_ifname = bridge_ifname; 2780 } 2781 } 2782 2783 2784 /** 2785 * wpa_sm_set_eapol - Set EAPOL state machine pointer 2786 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2787 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init() 2788 */ 2789 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol) 2790 { 2791 if (sm) 2792 sm->eapol = eapol; 2793 } 2794 2795 2796 /** 2797 * wpa_sm_set_param - Set WPA state machine parameters 2798 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2799 * @param: Parameter field 2800 * @value: Parameter value 2801 * Returns: 0 on success, -1 on failure 2802 */ 2803 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param, 2804 unsigned int value) 2805 { 2806 int ret = 0; 2807 2808 if (sm == NULL) 2809 return -1; 2810 2811 switch (param) { 2812 case RSNA_PMK_LIFETIME: 2813 if (value > 0) 2814 sm->dot11RSNAConfigPMKLifetime = value; 2815 else 2816 ret = -1; 2817 break; 2818 case RSNA_PMK_REAUTH_THRESHOLD: 2819 if (value > 0 && value <= 100) 2820 sm->dot11RSNAConfigPMKReauthThreshold = value; 2821 else 2822 ret = -1; 2823 break; 2824 case RSNA_SA_TIMEOUT: 2825 if (value > 0) 2826 sm->dot11RSNAConfigSATimeout = value; 2827 else 2828 ret = -1; 2829 break; 2830 case WPA_PARAM_PROTO: 2831 sm->proto = value; 2832 break; 2833 case WPA_PARAM_PAIRWISE: 2834 sm->pairwise_cipher = value; 2835 break; 2836 case WPA_PARAM_GROUP: 2837 sm->group_cipher = value; 2838 break; 2839 case WPA_PARAM_KEY_MGMT: 2840 sm->key_mgmt = value; 2841 break; 2842 #ifdef CONFIG_IEEE80211W 2843 case WPA_PARAM_MGMT_GROUP: 2844 sm->mgmt_group_cipher = value; 2845 break; 2846 #endif /* CONFIG_IEEE80211W */ 2847 case WPA_PARAM_RSN_ENABLED: 2848 sm->rsn_enabled = value; 2849 break; 2850 case WPA_PARAM_MFP: 2851 sm->mfp = value; 2852 break; 2853 default: 2854 break; 2855 } 2856 2857 return ret; 2858 } 2859 2860 2861 /** 2862 * wpa_sm_get_status - Get WPA state machine 2863 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2864 * @buf: Buffer for status information 2865 * @buflen: Maximum buffer length 2866 * @verbose: Whether to include verbose status information 2867 * Returns: Number of bytes written to buf. 2868 * 2869 * Query WPA state machine for status information. This function fills in 2870 * a text area with current status information. If the buffer (buf) is not 2871 * large enough, status information will be truncated to fit the buffer. 2872 */ 2873 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen, 2874 int verbose) 2875 { 2876 char *pos = buf, *end = buf + buflen; 2877 int ret; 2878 2879 ret = os_snprintf(pos, end - pos, 2880 "pairwise_cipher=%s\n" 2881 "group_cipher=%s\n" 2882 "key_mgmt=%s\n", 2883 wpa_cipher_txt(sm->pairwise_cipher), 2884 wpa_cipher_txt(sm->group_cipher), 2885 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto)); 2886 if (os_snprintf_error(end - pos, ret)) 2887 return pos - buf; 2888 pos += ret; 2889 2890 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) { 2891 struct wpa_ie_data rsn; 2892 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) 2893 >= 0 && 2894 rsn.capabilities & (WPA_CAPABILITY_MFPR | 2895 WPA_CAPABILITY_MFPC)) { 2896 ret = os_snprintf(pos, end - pos, "pmf=%d\n" 2897 "mgmt_group_cipher=%s\n", 2898 (rsn.capabilities & 2899 WPA_CAPABILITY_MFPR) ? 2 : 1, 2900 wpa_cipher_txt( 2901 sm->mgmt_group_cipher)); 2902 if (os_snprintf_error(end - pos, ret)) 2903 return pos - buf; 2904 pos += ret; 2905 } 2906 } 2907 2908 return pos - buf; 2909 } 2910 2911 2912 int wpa_sm_pmf_enabled(struct wpa_sm *sm) 2913 { 2914 struct wpa_ie_data rsn; 2915 2916 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie) 2917 return 0; 2918 2919 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 && 2920 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC)) 2921 return 1; 2922 2923 return 0; 2924 } 2925 2926 2927 /** 2928 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration 2929 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2930 * @wpa_ie: Pointer to buffer for WPA/RSN IE 2931 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer 2932 * Returns: 0 on success, -1 on failure 2933 */ 2934 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie, 2935 size_t *wpa_ie_len) 2936 { 2937 int res; 2938 2939 if (sm == NULL) 2940 return -1; 2941 2942 #ifdef CONFIG_TESTING_OPTIONS 2943 if (sm->test_assoc_ie) { 2944 wpa_printf(MSG_DEBUG, 2945 "TESTING: Replace association WPA/RSN IE"); 2946 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie)) 2947 return -1; 2948 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie), 2949 wpabuf_len(sm->test_assoc_ie)); 2950 res = wpabuf_len(sm->test_assoc_ie); 2951 } else 2952 #endif /* CONFIG_TESTING_OPTIONS */ 2953 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len); 2954 if (res < 0) 2955 return -1; 2956 *wpa_ie_len = res; 2957 2958 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default", 2959 wpa_ie, *wpa_ie_len); 2960 2961 if (sm->assoc_wpa_ie == NULL) { 2962 /* 2963 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets 2964 * the correct version of the IE even if PMKSA caching is 2965 * aborted (which would remove PMKID from IE generation). 2966 */ 2967 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len); 2968 if (sm->assoc_wpa_ie == NULL) 2969 return -1; 2970 2971 sm->assoc_wpa_ie_len = *wpa_ie_len; 2972 } else { 2973 wpa_hexdump(MSG_DEBUG, 2974 "WPA: Leave previously set WPA IE default", 2975 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 2976 } 2977 2978 return 0; 2979 } 2980 2981 2982 /** 2983 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq 2984 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2985 * @ie: Pointer to IE data (starting from id) 2986 * @len: IE length 2987 * Returns: 0 on success, -1 on failure 2988 * 2989 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association 2990 * Request frame. The IE will be used to override the default value generated 2991 * with wpa_sm_set_assoc_wpa_ie_default(). 2992 */ 2993 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 2994 { 2995 if (sm == NULL) 2996 return -1; 2997 2998 os_free(sm->assoc_wpa_ie); 2999 if (ie == NULL || len == 0) { 3000 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3001 "WPA: clearing own WPA/RSN IE"); 3002 sm->assoc_wpa_ie = NULL; 3003 sm->assoc_wpa_ie_len = 0; 3004 } else { 3005 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len); 3006 sm->assoc_wpa_ie = os_memdup(ie, len); 3007 if (sm->assoc_wpa_ie == NULL) 3008 return -1; 3009 3010 sm->assoc_wpa_ie_len = len; 3011 } 3012 3013 return 0; 3014 } 3015 3016 3017 /** 3018 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp 3019 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3020 * @ie: Pointer to IE data (starting from id) 3021 * @len: IE length 3022 * Returns: 0 on success, -1 on failure 3023 * 3024 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response 3025 * frame. 3026 */ 3027 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 3028 { 3029 if (sm == NULL) 3030 return -1; 3031 3032 os_free(sm->ap_wpa_ie); 3033 if (ie == NULL || len == 0) { 3034 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3035 "WPA: clearing AP WPA IE"); 3036 sm->ap_wpa_ie = NULL; 3037 sm->ap_wpa_ie_len = 0; 3038 } else { 3039 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len); 3040 sm->ap_wpa_ie = os_memdup(ie, len); 3041 if (sm->ap_wpa_ie == NULL) 3042 return -1; 3043 3044 sm->ap_wpa_ie_len = len; 3045 } 3046 3047 return 0; 3048 } 3049 3050 3051 /** 3052 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp 3053 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3054 * @ie: Pointer to IE data (starting from id) 3055 * @len: IE length 3056 * Returns: 0 on success, -1 on failure 3057 * 3058 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response 3059 * frame. 3060 */ 3061 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 3062 { 3063 if (sm == NULL) 3064 return -1; 3065 3066 os_free(sm->ap_rsn_ie); 3067 if (ie == NULL || len == 0) { 3068 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3069 "WPA: clearing AP RSN IE"); 3070 sm->ap_rsn_ie = NULL; 3071 sm->ap_rsn_ie_len = 0; 3072 } else { 3073 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len); 3074 sm->ap_rsn_ie = os_memdup(ie, len); 3075 if (sm->ap_rsn_ie == NULL) 3076 return -1; 3077 3078 sm->ap_rsn_ie_len = len; 3079 } 3080 3081 return 0; 3082 } 3083 3084 3085 /** 3086 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE 3087 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3088 * @data: Pointer to data area for parsing results 3089 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure 3090 * 3091 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the 3092 * parsed data into data. 3093 */ 3094 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data) 3095 { 3096 if (sm == NULL) 3097 return -1; 3098 3099 if (sm->assoc_wpa_ie == NULL) { 3100 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3101 "WPA: No WPA/RSN IE available from association info"); 3102 return -1; 3103 } 3104 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data)) 3105 return -2; 3106 return 0; 3107 } 3108 3109 3110 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len) 3111 { 3112 return pmksa_cache_list(sm->pmksa, buf, len); 3113 } 3114 3115 3116 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm) 3117 { 3118 return pmksa_cache_head(sm->pmksa); 3119 } 3120 3121 3122 struct rsn_pmksa_cache_entry * 3123 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm, 3124 struct rsn_pmksa_cache_entry * entry) 3125 { 3126 return pmksa_cache_add_entry(sm->pmksa, entry); 3127 } 3128 3129 3130 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, 3131 const u8 *pmkid, const u8 *bssid, 3132 const u8 *fils_cache_id) 3133 { 3134 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0, 3135 bssid, sm->own_addr, sm->network_ctx, 3136 sm->key_mgmt, fils_cache_id); 3137 } 3138 3139 3140 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid, 3141 const void *network_ctx) 3142 { 3143 return pmksa_cache_get(sm->pmksa, bssid, NULL, network_ctx) != NULL; 3144 } 3145 3146 3147 void wpa_sm_drop_sa(struct wpa_sm *sm) 3148 { 3149 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK"); 3150 sm->ptk_set = 0; 3151 sm->tptk_set = 0; 3152 os_memset(sm->pmk, 0, sizeof(sm->pmk)); 3153 os_memset(&sm->ptk, 0, sizeof(sm->ptk)); 3154 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 3155 os_memset(&sm->gtk, 0, sizeof(sm->gtk)); 3156 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); 3157 #ifdef CONFIG_IEEE80211W 3158 os_memset(&sm->igtk, 0, sizeof(sm->igtk)); 3159 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); 3160 #endif /* CONFIG_IEEE80211W */ 3161 #ifdef CONFIG_IEEE80211R 3162 os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); 3163 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); 3164 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1)); 3165 #endif /* CONFIG_IEEE80211R */ 3166 } 3167 3168 3169 int wpa_sm_has_ptk(struct wpa_sm *sm) 3170 { 3171 if (sm == NULL) 3172 return 0; 3173 return sm->ptk_set; 3174 } 3175 3176 3177 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr) 3178 { 3179 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN); 3180 } 3181 3182 3183 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx) 3184 { 3185 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0); 3186 } 3187 3188 3189 #ifdef CONFIG_WNM 3190 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) 3191 { 3192 u16 keyinfo; 3193 u8 keylen; /* plaintext key len */ 3194 u8 *key_rsc; 3195 3196 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) { 3197 struct wpa_gtk_data gd; 3198 3199 os_memset(&gd, 0, sizeof(gd)); 3200 keylen = wpa_cipher_key_len(sm->group_cipher); 3201 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher); 3202 gd.alg = wpa_cipher_to_alg(sm->group_cipher); 3203 if (gd.alg == WPA_ALG_NONE) { 3204 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite"); 3205 return -1; 3206 } 3207 3208 key_rsc = buf + 5; 3209 keyinfo = WPA_GET_LE16(buf + 2); 3210 gd.gtk_len = keylen; 3211 if (gd.gtk_len != buf[4]) { 3212 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d", 3213 gd.gtk_len, buf[4]); 3214 return -1; 3215 } 3216 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */ 3217 gd.tx = wpa_supplicant_gtk_tx_bit_workaround( 3218 sm, !!(keyinfo & WPA_KEY_INFO_TXRX)); 3219 3220 os_memcpy(gd.gtk, buf + 13, gd.gtk_len); 3221 3222 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", 3223 gd.gtk, gd.gtk_len); 3224 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { 3225 os_memset(&gd, 0, sizeof(gd)); 3226 wpa_printf(MSG_DEBUG, "Failed to install the GTK in " 3227 "WNM mode"); 3228 return -1; 3229 } 3230 os_memset(&gd, 0, sizeof(gd)); 3231 #ifdef CONFIG_IEEE80211W 3232 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { 3233 const struct wpa_igtk_kde *igtk; 3234 3235 igtk = (const struct wpa_igtk_kde *) (buf + 2); 3236 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) 3237 return -1; 3238 #endif /* CONFIG_IEEE80211W */ 3239 } else { 3240 wpa_printf(MSG_DEBUG, "Unknown element id"); 3241 return -1; 3242 } 3243 3244 return 0; 3245 } 3246 #endif /* CONFIG_WNM */ 3247 3248 3249 #ifdef CONFIG_P2P 3250 3251 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf) 3252 { 3253 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0) 3254 return -1; 3255 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4); 3256 return 0; 3257 } 3258 3259 #endif /* CONFIG_P2P */ 3260 3261 3262 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter) 3263 { 3264 if (rx_replay_counter == NULL) 3265 return; 3266 3267 os_memcpy(sm->rx_replay_counter, rx_replay_counter, 3268 WPA_REPLAY_COUNTER_LEN); 3269 sm->rx_replay_counter_set = 1; 3270 wpa_printf(MSG_DEBUG, "Updated key replay counter"); 3271 } 3272 3273 3274 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm, 3275 const u8 *ptk_kck, size_t ptk_kck_len, 3276 const u8 *ptk_kek, size_t ptk_kek_len) 3277 { 3278 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) { 3279 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len); 3280 sm->ptk.kck_len = ptk_kck_len; 3281 wpa_printf(MSG_DEBUG, "Updated PTK KCK"); 3282 } 3283 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) { 3284 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len); 3285 sm->ptk.kek_len = ptk_kek_len; 3286 wpa_printf(MSG_DEBUG, "Updated PTK KEK"); 3287 } 3288 sm->ptk_set = 1; 3289 } 3290 3291 3292 #ifdef CONFIG_TESTING_OPTIONS 3293 3294 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf) 3295 { 3296 wpabuf_free(sm->test_assoc_ie); 3297 sm->test_assoc_ie = buf; 3298 } 3299 3300 3301 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm) 3302 { 3303 return sm->anonce; 3304 } 3305 3306 #endif /* CONFIG_TESTING_OPTIONS */ 3307 3308 3309 #ifdef CONFIG_FILS 3310 3311 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md) 3312 { 3313 struct wpabuf *buf = NULL; 3314 struct wpabuf *erp_msg; 3315 struct wpabuf *pub = NULL; 3316 3317 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol); 3318 if (!erp_msg && !sm->cur_pmksa) { 3319 wpa_printf(MSG_DEBUG, 3320 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS"); 3321 goto fail; 3322 } 3323 3324 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)", 3325 erp_msg != NULL, sm->cur_pmksa != NULL); 3326 3327 sm->fils_completed = 0; 3328 3329 if (!sm->assoc_wpa_ie) { 3330 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS"); 3331 goto fail; 3332 } 3333 3334 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 || 3335 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0) 3336 goto fail; 3337 3338 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce", 3339 sm->fils_nonce, FILS_NONCE_LEN); 3340 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session", 3341 sm->fils_session, FILS_SESSION_LEN); 3342 3343 #ifdef CONFIG_FILS_SK_PFS 3344 sm->fils_dh_group = dh_group; 3345 if (dh_group) { 3346 crypto_ecdh_deinit(sm->fils_ecdh); 3347 sm->fils_ecdh = crypto_ecdh_init(dh_group); 3348 if (!sm->fils_ecdh) { 3349 wpa_printf(MSG_INFO, 3350 "FILS: Could not initialize ECDH with group %d", 3351 dh_group); 3352 goto fail; 3353 } 3354 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1); 3355 if (!pub) 3356 goto fail; 3357 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)", 3358 pub); 3359 sm->fils_dh_elem_len = wpabuf_len(pub); 3360 } 3361 #endif /* CONFIG_FILS_SK_PFS */ 3362 3363 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len + 3364 (pub ? wpabuf_len(pub) : 0)); 3365 if (!buf) 3366 goto fail; 3367 3368 /* Fields following the Authentication algorithm number field */ 3369 3370 /* Authentication Transaction seq# */ 3371 wpabuf_put_le16(buf, 1); 3372 3373 /* Status Code */ 3374 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 3375 3376 /* TODO: FILS PK */ 3377 #ifdef CONFIG_FILS_SK_PFS 3378 if (dh_group) { 3379 /* Finite Cyclic Group */ 3380 wpabuf_put_le16(buf, dh_group); 3381 /* Element */ 3382 wpabuf_put_buf(buf, pub); 3383 } 3384 #endif /* CONFIG_FILS_SK_PFS */ 3385 3386 /* RSNE */ 3387 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame", 3388 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 3389 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 3390 3391 if (md) { 3392 /* MDE when using FILS for FT initial association */ 3393 struct rsn_mdie *mdie; 3394 3395 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN); 3396 wpabuf_put_u8(buf, sizeof(*mdie)); 3397 mdie = wpabuf_put(buf, sizeof(*mdie)); 3398 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN); 3399 mdie->ft_capab = 0; 3400 } 3401 3402 /* FILS Nonce */ 3403 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 3404 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */ 3405 /* Element ID Extension */ 3406 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE); 3407 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN); 3408 3409 /* FILS Session */ 3410 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 3411 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */ 3412 /* Element ID Extension */ 3413 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION); 3414 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN); 3415 3416 /* FILS Wrapped Data */ 3417 sm->fils_erp_pmkid_set = 0; 3418 if (erp_msg) { 3419 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 3420 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */ 3421 /* Element ID Extension */ 3422 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_WRAPPED_DATA); 3423 wpabuf_put_buf(buf, erp_msg); 3424 /* Calculate pending PMKID here so that we do not need to 3425 * maintain a copy of the EAP-Initiate/Reauth message. */ 3426 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg), 3427 wpabuf_len(erp_msg), 3428 sm->fils_erp_pmkid) == 0) 3429 sm->fils_erp_pmkid_set = 1; 3430 } 3431 3432 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame", 3433 buf); 3434 3435 fail: 3436 wpabuf_free(erp_msg); 3437 wpabuf_free(pub); 3438 return buf; 3439 } 3440 3441 3442 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data, 3443 size_t len) 3444 { 3445 const u8 *pos, *end; 3446 struct ieee802_11_elems elems; 3447 struct wpa_ie_data rsn; 3448 int pmkid_match = 0; 3449 u8 ick[FILS_ICK_MAX_LEN]; 3450 size_t ick_len; 3451 int res; 3452 struct wpabuf *dh_ss = NULL; 3453 const u8 *g_sta = NULL; 3454 size_t g_sta_len = 0; 3455 const u8 *g_ap = NULL; 3456 size_t g_ap_len = 0; 3457 struct wpabuf *pub = NULL; 3458 3459 os_memcpy(sm->bssid, bssid, ETH_ALEN); 3460 3461 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields", 3462 data, len); 3463 pos = data; 3464 end = data + len; 3465 3466 /* TODO: FILS PK */ 3467 #ifdef CONFIG_FILS_SK_PFS 3468 if (sm->fils_dh_group) { 3469 u16 group; 3470 3471 /* Using FILS PFS */ 3472 3473 /* Finite Cyclic Group */ 3474 if (end - pos < 2) { 3475 wpa_printf(MSG_DEBUG, 3476 "FILS: No room for Finite Cyclic Group"); 3477 goto fail; 3478 } 3479 group = WPA_GET_LE16(pos); 3480 pos += 2; 3481 if (group != sm->fils_dh_group) { 3482 wpa_printf(MSG_DEBUG, 3483 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)", 3484 group, sm->fils_dh_group); 3485 goto fail; 3486 } 3487 3488 /* Element */ 3489 if ((size_t) (end - pos) < sm->fils_dh_elem_len) { 3490 wpa_printf(MSG_DEBUG, "FILS: No room for Element"); 3491 goto fail; 3492 } 3493 3494 if (!sm->fils_ecdh) { 3495 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available"); 3496 goto fail; 3497 } 3498 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos, 3499 sm->fils_dh_elem_len); 3500 if (!dh_ss) { 3501 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed"); 3502 goto fail; 3503 } 3504 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss); 3505 g_ap = pos; 3506 g_ap_len = sm->fils_dh_elem_len; 3507 pos += sm->fils_dh_elem_len; 3508 } 3509 #endif /* CONFIG_FILS_SK_PFS */ 3510 3511 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos); 3512 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) { 3513 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements"); 3514 goto fail; 3515 } 3516 3517 /* RSNE */ 3518 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie, 3519 elems.rsn_ie_len); 3520 if (!elems.rsn_ie || 3521 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 3522 &rsn) < 0) { 3523 wpa_printf(MSG_DEBUG, "FILS: No RSN element"); 3524 goto fail; 3525 } 3526 3527 if (!elems.fils_nonce) { 3528 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field"); 3529 goto fail; 3530 } 3531 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN); 3532 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN); 3533 3534 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 3535 struct wpa_ft_ies parse; 3536 3537 if (!elems.mdie || !elems.ftie) { 3538 wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE"); 3539 goto fail; 3540 } 3541 3542 if (wpa_ft_parse_ies(pos, end - pos, &parse) < 0) { 3543 wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs"); 3544 goto fail; 3545 } 3546 3547 if (!parse.r0kh_id) { 3548 wpa_printf(MSG_DEBUG, 3549 "FILS+FT: No R0KH-ID subelem in FTE"); 3550 goto fail; 3551 } 3552 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len); 3553 sm->r0kh_id_len = parse.r0kh_id_len; 3554 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID", 3555 sm->r0kh_id, sm->r0kh_id_len); 3556 3557 if (!parse.r1kh_id) { 3558 wpa_printf(MSG_DEBUG, 3559 "FILS+FT: No R1KH-ID subelem in FTE"); 3560 goto fail; 3561 } 3562 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN); 3563 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID", 3564 sm->r1kh_id, FT_R1KH_ID_LEN); 3565 3566 /* TODO: Check MDE and FTE payload */ 3567 3568 wpabuf_free(sm->fils_ft_ies); 3569 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len + 3570 2 + elems.ftie_len); 3571 if (!sm->fils_ft_ies) 3572 goto fail; 3573 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2, 3574 2 + elems.mdie_len); 3575 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2, 3576 2 + elems.ftie_len); 3577 } else { 3578 wpabuf_free(sm->fils_ft_ies); 3579 sm->fils_ft_ies = NULL; 3580 } 3581 3582 /* PMKID List */ 3583 if (rsn.pmkid && rsn.num_pmkid > 0) { 3584 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List", 3585 rsn.pmkid, rsn.num_pmkid * PMKID_LEN); 3586 3587 if (rsn.num_pmkid != 1) { 3588 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection"); 3589 goto fail; 3590 } 3591 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN); 3592 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0) 3593 { 3594 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch"); 3595 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID", 3596 sm->cur_pmksa->pmkid, PMKID_LEN); 3597 goto fail; 3598 } 3599 wpa_printf(MSG_DEBUG, 3600 "FILS: Matching PMKID - continue using PMKSA caching"); 3601 pmkid_match = 1; 3602 } 3603 if (!pmkid_match && sm->cur_pmksa) { 3604 wpa_printf(MSG_DEBUG, 3605 "FILS: No PMKID match - cannot use cached PMKSA entry"); 3606 sm->cur_pmksa = NULL; 3607 } 3608 3609 /* FILS Session */ 3610 if (!elems.fils_session) { 3611 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 3612 goto fail; 3613 } 3614 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session, 3615 FILS_SESSION_LEN); 3616 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN) 3617 != 0) { 3618 wpa_printf(MSG_DEBUG, "FILS: Session mismatch"); 3619 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 3620 sm->fils_session, FILS_SESSION_LEN); 3621 goto fail; 3622 } 3623 3624 /* FILS Wrapped Data */ 3625 if (!sm->cur_pmksa && elems.fils_wrapped_data) { 3626 u8 rmsk[ERP_MAX_KEY_LEN]; 3627 size_t rmsk_len; 3628 3629 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data", 3630 elems.fils_wrapped_data, 3631 elems.fils_wrapped_data_len); 3632 eapol_sm_process_erp_finish(sm->eapol, elems.fils_wrapped_data, 3633 elems.fils_wrapped_data_len); 3634 if (eapol_sm_failed(sm->eapol)) 3635 goto fail; 3636 3637 rmsk_len = ERP_MAX_KEY_LEN; 3638 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len); 3639 if (res == PMK_LEN) { 3640 rmsk_len = PMK_LEN; 3641 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len); 3642 } 3643 if (res) 3644 goto fail; 3645 3646 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len, 3647 sm->fils_nonce, sm->fils_anonce, 3648 dh_ss ? wpabuf_head(dh_ss) : NULL, 3649 dh_ss ? wpabuf_len(dh_ss) : 0, 3650 sm->pmk, &sm->pmk_len); 3651 os_memset(rmsk, 0, sizeof(rmsk)); 3652 3653 /* Don't use DHss in PTK derivation if PMKSA caching is not 3654 * used. */ 3655 wpabuf_clear_free(dh_ss); 3656 dh_ss = NULL; 3657 3658 if (res) 3659 goto fail; 3660 3661 if (!sm->fils_erp_pmkid_set) { 3662 wpa_printf(MSG_DEBUG, "FILS: PMKID not available"); 3663 goto fail; 3664 } 3665 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid, 3666 PMKID_LEN); 3667 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result"); 3668 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, 3669 sm->fils_erp_pmkid, NULL, 0, 3670 sm->bssid, sm->own_addr, 3671 sm->network_ctx, sm->key_mgmt, 3672 NULL); 3673 } 3674 3675 if (!sm->cur_pmksa) { 3676 wpa_printf(MSG_DEBUG, 3677 "FILS: No remaining options to continue FILS authentication"); 3678 goto fail; 3679 } 3680 3681 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid, 3682 sm->fils_nonce, sm->fils_anonce, 3683 dh_ss ? wpabuf_head(dh_ss) : NULL, 3684 dh_ss ? wpabuf_len(dh_ss) : 0, 3685 &sm->ptk, ick, &ick_len, 3686 sm->key_mgmt, sm->pairwise_cipher, 3687 sm->fils_ft, &sm->fils_ft_len) < 0) { 3688 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK"); 3689 goto fail; 3690 } 3691 3692 wpabuf_clear_free(dh_ss); 3693 dh_ss = NULL; 3694 3695 sm->ptk_set = 1; 3696 sm->tptk_set = 0; 3697 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 3698 3699 #ifdef CONFIG_FILS_SK_PFS 3700 if (sm->fils_dh_group) { 3701 if (!sm->fils_ecdh) { 3702 wpa_printf(MSG_INFO, "FILS: ECDH not initialized"); 3703 goto fail; 3704 } 3705 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1); 3706 if (!pub) 3707 goto fail; 3708 wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub); 3709 g_sta = wpabuf_head(pub); 3710 g_sta_len = wpabuf_len(pub); 3711 if (!g_ap) { 3712 wpa_printf(MSG_INFO, "FILS: gAP not available"); 3713 goto fail; 3714 } 3715 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len); 3716 } 3717 #endif /* CONFIG_FILS_SK_PFS */ 3718 3719 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce, 3720 sm->fils_anonce, sm->own_addr, sm->bssid, 3721 g_sta, g_sta_len, g_ap, g_ap_len, 3722 sm->key_mgmt, sm->fils_key_auth_sta, 3723 sm->fils_key_auth_ap, 3724 &sm->fils_key_auth_len); 3725 wpabuf_free(pub); 3726 os_memset(ick, 0, sizeof(ick)); 3727 return res; 3728 fail: 3729 wpabuf_free(pub); 3730 wpabuf_clear_free(dh_ss); 3731 return -1; 3732 } 3733 3734 3735 #ifdef CONFIG_IEEE80211R 3736 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf) 3737 { 3738 struct rsn_ie_hdr *rsnie; 3739 u16 capab; 3740 u8 *pos; 3741 3742 /* RSNIE[PMKR0Name/PMKR1Name] */ 3743 rsnie = wpabuf_put(buf, sizeof(*rsnie)); 3744 rsnie->elem_id = WLAN_EID_RSN; 3745 WPA_PUT_LE16(rsnie->version, RSN_VERSION); 3746 3747 /* Group Suite Selector */ 3748 if (!wpa_cipher_valid_group(sm->group_cipher)) { 3749 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)", 3750 sm->group_cipher); 3751 return -1; 3752 } 3753 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 3754 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, 3755 sm->group_cipher)); 3756 3757 /* Pairwise Suite Count */ 3758 wpabuf_put_le16(buf, 1); 3759 3760 /* Pairwise Suite List */ 3761 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) { 3762 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)", 3763 sm->pairwise_cipher); 3764 return -1; 3765 } 3766 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 3767 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, 3768 sm->pairwise_cipher)); 3769 3770 /* Authenticated Key Management Suite Count */ 3771 wpabuf_put_le16(buf, 1); 3772 3773 /* Authenticated Key Management Suite List */ 3774 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 3775 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256) 3776 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256); 3777 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384) 3778 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384); 3779 else { 3780 wpa_printf(MSG_WARNING, 3781 "FILS+FT: Invalid key management type (%d)", 3782 sm->key_mgmt); 3783 return -1; 3784 } 3785 3786 /* RSN Capabilities */ 3787 capab = 0; 3788 #ifdef CONFIG_IEEE80211W 3789 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) 3790 capab |= WPA_CAPABILITY_MFPC; 3791 #endif /* CONFIG_IEEE80211W */ 3792 wpabuf_put_le16(buf, capab); 3793 3794 /* PMKID Count */ 3795 wpabuf_put_le16(buf, 1); 3796 3797 /* PMKID List [PMKR1Name] */ 3798 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)", 3799 sm->fils_ft, sm->fils_ft_len); 3800 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len); 3801 wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID", 3802 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN); 3803 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID", 3804 sm->r0kh_id, sm->r0kh_id_len); 3805 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid, 3806 sm->ssid_len, sm->mobility_domain, 3807 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr, 3808 sm->pmk_r0, sm->pmk_r0_name) < 0) { 3809 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0"); 3810 return -1; 3811 } 3812 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0", sm->pmk_r0, PMK_LEN); 3813 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name", 3814 sm->pmk_r0_name, WPA_PMK_NAME_LEN); 3815 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR, 3816 MAC2STR(sm->r1kh_id)); 3817 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN); 3818 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr, 3819 pos) < 0) { 3820 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name"); 3821 return -1; 3822 } 3823 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", pos, WPA_PMK_NAME_LEN); 3824 3825 #ifdef CONFIG_IEEE80211W 3826 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) { 3827 /* Management Group Cipher Suite */ 3828 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 3829 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC); 3830 } 3831 #endif /* CONFIG_IEEE80211W */ 3832 3833 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2; 3834 return 0; 3835 } 3836 #endif /* CONFIG_IEEE80211R */ 3837 3838 3839 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek, 3840 size_t *kek_len, const u8 **snonce, 3841 const u8 **anonce, 3842 const struct wpabuf **hlp, 3843 unsigned int num_hlp) 3844 { 3845 struct wpabuf *buf; 3846 size_t len; 3847 unsigned int i; 3848 3849 len = 1000; 3850 #ifdef CONFIG_IEEE80211R 3851 if (sm->fils_ft_ies) 3852 len += wpabuf_len(sm->fils_ft_ies); 3853 if (wpa_key_mgmt_ft(sm->key_mgmt)) 3854 len += 256; 3855 #endif /* CONFIG_IEEE80211R */ 3856 for (i = 0; hlp && i < num_hlp; i++) 3857 len += 10 + wpabuf_len(hlp[i]); 3858 buf = wpabuf_alloc(len); 3859 if (!buf) 3860 return NULL; 3861 3862 #ifdef CONFIG_IEEE80211R 3863 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) { 3864 /* MDE and FTE when using FILS+FT */ 3865 wpabuf_put_buf(buf, sm->fils_ft_ies); 3866 /* RSNE with PMKR1Name in PMKID field */ 3867 if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) { 3868 wpabuf_free(buf); 3869 return NULL; 3870 } 3871 } 3872 #endif /* CONFIG_IEEE80211R */ 3873 3874 /* FILS Session */ 3875 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 3876 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */ 3877 /* Element ID Extension */ 3878 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION); 3879 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN); 3880 3881 /* Everything after FILS Session element gets encrypted in the driver 3882 * with KEK. The buffer returned from here is the plaintext version. */ 3883 3884 /* TODO: FILS Public Key */ 3885 3886 /* FILS Key Confirm */ 3887 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 3888 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */ 3889 /* Element ID Extension */ 3890 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM); 3891 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len); 3892 3893 /* FILS HLP Container */ 3894 for (i = 0; hlp && i < num_hlp; i++) { 3895 const u8 *pos = wpabuf_head(hlp[i]); 3896 size_t left = wpabuf_len(hlp[i]); 3897 3898 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 3899 if (left <= 254) 3900 len = 1 + left; 3901 else 3902 len = 255; 3903 wpabuf_put_u8(buf, len); /* Length */ 3904 /* Element ID Extension */ 3905 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER); 3906 /* Destination MAC Address, Source MAC Address, HLP Packet. 3907 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP 3908 * header when LPD is used). */ 3909 wpabuf_put_data(buf, pos, len - 1); 3910 pos += len - 1; 3911 left -= len - 1; 3912 while (left) { 3913 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT); 3914 len = left > 255 ? 255 : left; 3915 wpabuf_put_u8(buf, len); 3916 wpabuf_put_data(buf, pos, len); 3917 pos += len; 3918 left -= len; 3919 } 3920 } 3921 3922 /* TODO: FILS IP Address Assignment */ 3923 3924 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf); 3925 3926 *kek = sm->ptk.kek; 3927 *kek_len = sm->ptk.kek_len; 3928 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len); 3929 *snonce = sm->fils_nonce; 3930 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD", 3931 *snonce, FILS_NONCE_LEN); 3932 *anonce = sm->fils_anonce; 3933 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD", 3934 *anonce, FILS_NONCE_LEN); 3935 3936 return buf; 3937 } 3938 3939 3940 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len) 3941 { 3942 const u8 *pos, *end; 3943 3944 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len); 3945 if (len < 2 * ETH_ALEN) 3946 return; 3947 pos = resp + 2 * ETH_ALEN; 3948 end = resp + len; 3949 if (end - pos >= 6 && 3950 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0) 3951 pos += 6; /* Remove SNAP/LLC header */ 3952 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos); 3953 } 3954 3955 3956 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos, 3957 size_t len) 3958 { 3959 const u8 *end = pos + len; 3960 u8 *tmp, *tmp_pos; 3961 3962 /* Check if there are any FILS HLP Container elements */ 3963 while (end - pos >= 2) { 3964 if (2 + pos[1] > end - pos) 3965 return; 3966 if (pos[0] == WLAN_EID_EXTENSION && 3967 pos[1] >= 1 + 2 * ETH_ALEN && 3968 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER) 3969 break; 3970 pos += 2 + pos[1]; 3971 } 3972 if (end - pos < 2) 3973 return; /* No FILS HLP Container elements */ 3974 3975 tmp = os_malloc(end - pos); 3976 if (!tmp) 3977 return; 3978 3979 while (end - pos >= 2) { 3980 if (2 + pos[1] > end - pos || 3981 pos[0] != WLAN_EID_EXTENSION || 3982 pos[1] < 1 + 2 * ETH_ALEN || 3983 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER) 3984 break; 3985 tmp_pos = tmp; 3986 os_memcpy(tmp_pos, pos + 3, pos[1] - 1); 3987 tmp_pos += pos[1] - 1; 3988 pos += 2 + pos[1]; 3989 3990 /* Add possible fragments */ 3991 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT && 3992 2 + pos[1] <= end - pos) { 3993 os_memcpy(tmp_pos, pos + 2, pos[1]); 3994 tmp_pos += pos[1]; 3995 pos += 2 + pos[1]; 3996 } 3997 3998 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp); 3999 } 4000 4001 os_free(tmp); 4002 } 4003 4004 4005 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) 4006 { 4007 const struct ieee80211_mgmt *mgmt; 4008 const u8 *end, *ie_start; 4009 struct ieee802_11_elems elems; 4010 int keylen, rsclen; 4011 enum wpa_alg alg; 4012 struct wpa_gtk_data gd; 4013 int maxkeylen; 4014 struct wpa_eapol_ie_parse kde; 4015 4016 if (!sm || !sm->ptk_set) { 4017 wpa_printf(MSG_DEBUG, "FILS: No KEK available"); 4018 return -1; 4019 } 4020 4021 if (!wpa_key_mgmt_fils(sm->key_mgmt)) { 4022 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM"); 4023 return -1; 4024 } 4025 4026 if (sm->fils_completed) { 4027 wpa_printf(MSG_DEBUG, 4028 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission"); 4029 return -1; 4030 } 4031 4032 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame", 4033 resp, len); 4034 4035 mgmt = (const struct ieee80211_mgmt *) resp; 4036 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp)) 4037 return -1; 4038 4039 end = resp + len; 4040 /* Same offset for Association Response and Reassociation Response */ 4041 ie_start = mgmt->u.assoc_resp.variable; 4042 4043 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) == 4044 ParseFailed) { 4045 wpa_printf(MSG_DEBUG, 4046 "FILS: Failed to parse decrypted elements"); 4047 goto fail; 4048 } 4049 4050 if (!elems.fils_session) { 4051 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 4052 return -1; 4053 } 4054 if (os_memcmp(elems.fils_session, sm->fils_session, 4055 FILS_SESSION_LEN) != 0) { 4056 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch"); 4057 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session", 4058 elems.fils_session, FILS_SESSION_LEN); 4059 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 4060 sm->fils_session, FILS_SESSION_LEN); 4061 } 4062 4063 /* TODO: FILS Public Key */ 4064 4065 if (!elems.fils_key_confirm) { 4066 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element"); 4067 goto fail; 4068 } 4069 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) { 4070 wpa_printf(MSG_DEBUG, 4071 "FILS: Unexpected Key-Auth length %d (expected %d)", 4072 elems.fils_key_confirm_len, 4073 (int) sm->fils_key_auth_len); 4074 goto fail; 4075 } 4076 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap, 4077 sm->fils_key_auth_len) != 0) { 4078 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch"); 4079 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth", 4080 elems.fils_key_confirm, 4081 elems.fils_key_confirm_len); 4082 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth", 4083 sm->fils_key_auth_ap, sm->fils_key_auth_len); 4084 goto fail; 4085 } 4086 4087 /* Key Delivery */ 4088 if (!elems.key_delivery) { 4089 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element"); 4090 goto fail; 4091 } 4092 4093 /* Parse GTK and set the key to the driver */ 4094 os_memset(&gd, 0, sizeof(gd)); 4095 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN, 4096 elems.key_delivery_len - WPA_KEY_RSC_LEN, 4097 &kde) < 0) { 4098 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs"); 4099 goto fail; 4100 } 4101 if (!kde.gtk) { 4102 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE"); 4103 goto fail; 4104 } 4105 maxkeylen = gd.gtk_len = kde.gtk_len - 2; 4106 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 4107 gd.gtk_len, maxkeylen, 4108 &gd.key_rsc_len, &gd.alg)) 4109 goto fail; 4110 4111 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len); 4112 gd.keyidx = kde.gtk[0] & 0x3; 4113 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 4114 !!(kde.gtk[0] & BIT(2))); 4115 if (kde.gtk_len - 2 > sizeof(gd.gtk)) { 4116 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)", 4117 (unsigned long) kde.gtk_len - 2); 4118 goto fail; 4119 } 4120 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2); 4121 4122 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver"); 4123 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) { 4124 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK"); 4125 goto fail; 4126 } 4127 4128 if (ieee80211w_set_keys(sm, &kde) < 0) { 4129 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK"); 4130 goto fail; 4131 } 4132 4133 alg = wpa_cipher_to_alg(sm->pairwise_cipher); 4134 keylen = wpa_cipher_key_len(sm->pairwise_cipher); 4135 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) { 4136 wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu", 4137 keylen, (long unsigned int) sm->ptk.tk_len); 4138 goto fail; 4139 } 4140 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher); 4141 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver", 4142 sm->ptk.tk, keylen); 4143 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen, 4144 sm->ptk.tk, keylen) < 0) { 4145 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 4146 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid=" 4147 MACSTR ")", 4148 alg, keylen, MAC2STR(sm->bssid)); 4149 goto fail; 4150 } 4151 4152 /* TODO: TK could be cleared after auth frame exchange now that driver 4153 * takes care of association frame encryption/decryption. */ 4154 /* TK is not needed anymore in supplicant */ 4155 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); 4156 sm->ptk.tk_len = 0; 4157 sm->ptk.installed = 1; 4158 4159 /* FILS HLP Container */ 4160 fils_process_hlp_container(sm, ie_start, end - ie_start); 4161 4162 /* TODO: FILS IP Address Assignment */ 4163 4164 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully"); 4165 sm->fils_completed = 1; 4166 4167 return 0; 4168 fail: 4169 return -1; 4170 } 4171 4172 4173 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set) 4174 { 4175 if (sm) 4176 sm->fils_completed = !!set; 4177 } 4178 4179 #endif /* CONFIG_FILS */ 4180 4181 4182 int wpa_fils_is_completed(struct wpa_sm *sm) 4183 { 4184 #ifdef CONFIG_FILS 4185 return sm && sm->fils_completed; 4186 #else /* CONFIG_FILS */ 4187 return 0; 4188 #endif /* CONFIG_FILS */ 4189 } 4190 4191 4192 #ifdef CONFIG_OWE 4193 4194 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group) 4195 { 4196 struct wpabuf *ie = NULL, *pub = NULL; 4197 size_t prime_len; 4198 4199 if (group == 19) 4200 prime_len = 32; 4201 else if (group == 20) 4202 prime_len = 48; 4203 else if (group == 21) 4204 prime_len = 66; 4205 else 4206 return NULL; 4207 4208 crypto_ecdh_deinit(sm->owe_ecdh); 4209 sm->owe_ecdh = crypto_ecdh_init(group); 4210 if (!sm->owe_ecdh) 4211 goto fail; 4212 sm->owe_group = group; 4213 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0); 4214 pub = wpabuf_zeropad(pub, prime_len); 4215 if (!pub) 4216 goto fail; 4217 4218 ie = wpabuf_alloc(5 + wpabuf_len(pub)); 4219 if (!ie) 4220 goto fail; 4221 wpabuf_put_u8(ie, WLAN_EID_EXTENSION); 4222 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub)); 4223 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM); 4224 wpabuf_put_le16(ie, group); 4225 wpabuf_put_buf(ie, pub); 4226 wpabuf_free(pub); 4227 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element", 4228 ie); 4229 4230 return ie; 4231 fail: 4232 wpabuf_free(pub); 4233 crypto_ecdh_deinit(sm->owe_ecdh); 4234 sm->owe_ecdh = NULL; 4235 return NULL; 4236 } 4237 4238 4239 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid, 4240 const u8 *resp_ies, size_t resp_ies_len) 4241 { 4242 struct ieee802_11_elems elems; 4243 u16 group; 4244 struct wpabuf *secret, *pub, *hkey; 4245 int res; 4246 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN]; 4247 const char *info = "OWE Key Generation"; 4248 const u8 *addr[2]; 4249 size_t len[2]; 4250 size_t hash_len, prime_len; 4251 struct wpa_ie_data data; 4252 4253 if (!resp_ies || 4254 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) == 4255 ParseFailed) { 4256 wpa_printf(MSG_INFO, 4257 "OWE: Could not parse Association Response frame elements"); 4258 return -1; 4259 } 4260 4261 if (sm->cur_pmksa && elems.rsn_ie && 4262 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len, 4263 &data) == 0 && 4264 data.num_pmkid == 1 && data.pmkid && 4265 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) { 4266 wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching"); 4267 wpa_sm_set_pmk_from_pmksa(sm); 4268 return 0; 4269 } 4270 4271 if (!elems.owe_dh) { 4272 wpa_printf(MSG_INFO, 4273 "OWE: No Diffie-Hellman Parameter element found in Association Response frame"); 4274 return -1; 4275 } 4276 4277 group = WPA_GET_LE16(elems.owe_dh); 4278 if (group != sm->owe_group) { 4279 wpa_printf(MSG_INFO, 4280 "OWE: Unexpected Diffie-Hellman group in response: %u", 4281 group); 4282 return -1; 4283 } 4284 4285 if (!sm->owe_ecdh) { 4286 wpa_printf(MSG_INFO, "OWE: No ECDH state available"); 4287 return -1; 4288 } 4289 4290 if (group == 19) 4291 prime_len = 32; 4292 else if (group == 20) 4293 prime_len = 48; 4294 else if (group == 21) 4295 prime_len = 66; 4296 else 4297 return -1; 4298 4299 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0, 4300 elems.owe_dh + 2, 4301 elems.owe_dh_len - 2); 4302 secret = wpabuf_zeropad(secret, prime_len); 4303 if (!secret) { 4304 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key"); 4305 return -1; 4306 } 4307 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret); 4308 4309 /* prk = HKDF-extract(C | A | group, z) */ 4310 4311 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0); 4312 if (!pub) { 4313 wpabuf_clear_free(secret); 4314 return -1; 4315 } 4316 4317 /* PMKID = Truncate-128(Hash(C | A)) */ 4318 addr[0] = wpabuf_head(pub); 4319 len[0] = wpabuf_len(pub); 4320 addr[1] = elems.owe_dh + 2; 4321 len[1] = elems.owe_dh_len - 2; 4322 if (group == 19) { 4323 res = sha256_vector(2, addr, len, pmkid); 4324 hash_len = SHA256_MAC_LEN; 4325 } else if (group == 20) { 4326 res = sha384_vector(2, addr, len, pmkid); 4327 hash_len = SHA384_MAC_LEN; 4328 } else if (group == 21) { 4329 res = sha512_vector(2, addr, len, pmkid); 4330 hash_len = SHA512_MAC_LEN; 4331 } else { 4332 res = -1; 4333 hash_len = 0; 4334 } 4335 pub = wpabuf_zeropad(pub, prime_len); 4336 if (res < 0 || !pub) { 4337 wpabuf_free(pub); 4338 wpabuf_clear_free(secret); 4339 return -1; 4340 } 4341 4342 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2); 4343 if (!hkey) { 4344 wpabuf_free(pub); 4345 wpabuf_clear_free(secret); 4346 return -1; 4347 } 4348 4349 wpabuf_put_buf(hkey, pub); /* C */ 4350 wpabuf_free(pub); 4351 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */ 4352 wpabuf_put_le16(hkey, sm->owe_group); /* group */ 4353 if (group == 19) 4354 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey), 4355 wpabuf_head(secret), wpabuf_len(secret), prk); 4356 else if (group == 20) 4357 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey), 4358 wpabuf_head(secret), wpabuf_len(secret), prk); 4359 else if (group == 21) 4360 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey), 4361 wpabuf_head(secret), wpabuf_len(secret), prk); 4362 wpabuf_clear_free(hkey); 4363 wpabuf_clear_free(secret); 4364 if (res < 0) 4365 return -1; 4366 4367 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len); 4368 4369 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */ 4370 4371 if (group == 19) 4372 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info, 4373 os_strlen(info), sm->pmk, hash_len); 4374 else if (group == 20) 4375 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info, 4376 os_strlen(info), sm->pmk, hash_len); 4377 else if (group == 21) 4378 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info, 4379 os_strlen(info), sm->pmk, hash_len); 4380 os_memset(prk, 0, SHA512_MAC_LEN); 4381 if (res < 0) 4382 return -1; 4383 sm->pmk_len = hash_len; 4384 4385 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len); 4386 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN); 4387 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0, 4388 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt, 4389 NULL); 4390 4391 return 0; 4392 } 4393 4394 #endif /* CONFIG_OWE */ 4395 4396 4397 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id) 4398 { 4399 #ifdef CONFIG_FILS 4400 if (sm && fils_cache_id) { 4401 sm->fils_cache_id_set = 1; 4402 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN); 4403 } 4404 #endif /* CONFIG_FILS */ 4405 } 4406
