1 /*
2 * IEEE 802.11 RSN / WPA Authenticator
3 * Copyright (c) 2004-2022, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/state_machine.h"
14 #include "utils/bitfield.h"
15 #include "common/ieee802_11_defs.h"
16 #include "common/ocv.h"
17 #include "common/dpp.h"
18 #include "common/wpa_ctrl.h"
19 #include "crypto/aes.h"
20 #include "crypto/aes_wrap.h"
21 #include "crypto/aes_siv.h"
22 #include "crypto/crypto.h"
23 #include "crypto/sha1.h"
24 #include "crypto/sha256.h"
25 #include "crypto/sha384.h"
26 #include "crypto/sha512.h"
27 #include "crypto/random.h"
28 #include "eapol_auth/eapol_auth_sm.h"
29 #include "drivers/driver.h"
30 #include "ap_config.h"
31 #include "ieee802_11.h"
32 #include "sta_info.h"
33 #include "wpa_auth.h"
34 #include "pmksa_cache_auth.h"
35 #include "wpa_auth_i.h"
36 #include "wpa_auth_ie.h"
37 #ifdef CONFIG_VENDOR_EXT
38 #include "vendor_ext.h"
39 #endif
40
41 #ifdef CONFIG_P2P_CHR
42 #include "wpa_hw_p2p_chr.h"
43 #endif
44
45 #if defined(CONFIG_OPEN_HARMONY_PATCH) && defined(OPEN_HARMONY_MIRACAST_SINK_OPT)
46 #include "hm_miracast_sink.h"
47 #endif
48
49 #define STATE_MACHINE_DATA struct wpa_state_machine
50 #define STATE_MACHINE_DEBUG_PREFIX "WPA"
51 #define STATE_MACHINE_ADDR wpa_auth_get_spa(sm)
52
53
54 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
55 static int wpa_sm_step(struct wpa_state_machine *sm);
56 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
57 u8 *data, size_t data_len);
58 #ifdef CONFIG_FILS
59 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
60 u8 *buf, size_t buf_len, u16 *_key_data_len);
61 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
62 const struct wpabuf *hlp);
63 #endif /* CONFIG_FILS */
64 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
65 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
66 struct wpa_group *group);
67 static void wpa_request_new_ptk(struct wpa_state_machine *sm);
68 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
69 struct wpa_group *group);
70 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
71 struct wpa_group *group);
72 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
73 const u8 *pmk, unsigned int pmk_len,
74 struct wpa_ptk *ptk, int force_sha256,
75 u8 *pmk_r0, u8 *pmk_r1, u8 *pmk_r0_name,
76 size_t *key_len, bool no_kdk);
77 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
78 struct wpa_group *group);
79 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
80 struct wpa_group *group);
81 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
82 struct wpa_group *group);
83 static int ieee80211w_kde_len(struct wpa_state_machine *sm);
84 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
85 static void wpa_group_update_gtk(struct wpa_authenticator *wpa_auth,
86 struct wpa_group *group);
87
88
89 #ifdef OPEN_HARMONY_MIRACAST_SINK_OPT
90 /* hostapd send and recv packet more then 100ms */
91 static const u32 eapol_key_timeout_first = 1000; /* ms */
92 #else
93 static const u32 eapol_key_timeout_first = 100; /* ms */
94 #endif
95
96 static const u32 eapol_key_timeout_subseq = 1000; /* ms */
97 static const u32 eapol_key_timeout_first_group = 500; /* ms */
98 static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
99
100 /* TODO: make these configurable */
101 static const int dot11RSNAConfigPMKLifetime = 43200;
102 static const int dot11RSNAConfigPMKReauthThreshold = 70;
103 static const int dot11RSNAConfigSATimeout = 60;
104
105
wpa_auth_get_aa(const struct wpa_state_machine * sm)106 static const u8 * wpa_auth_get_aa(const struct wpa_state_machine *sm)
107 {
108 #ifdef CONFIG_IEEE80211BE
109 if (sm->mld_assoc_link_id >= 0)
110 return sm->wpa_auth->mld_addr;
111 #endif /* CONFIG_IEEE80211BE */
112 return sm->wpa_auth->addr;
113 }
114
115
wpa_auth_get_spa(const struct wpa_state_machine * sm)116 static const u8 * wpa_auth_get_spa(const struct wpa_state_machine *sm)
117 {
118 #ifdef CONFIG_IEEE80211BE
119 if (sm->mld_assoc_link_id >= 0)
120 return sm->peer_mld_addr;
121 #endif /* CONFIG_IEEE80211BE */
122 return sm->addr;
123 }
124
125
wpa_gkeydone_sta(struct wpa_state_machine * sm)126 static void wpa_gkeydone_sta(struct wpa_state_machine *sm)
127 {
128 #ifdef CONFIG_IEEE80211BE
129 int link_id;
130 #endif /* CONFIG_IEEE80211BE */
131
132 if (!sm->wpa_auth)
133 return;
134
135 sm->wpa_auth->group->GKeyDoneStations--;
136 sm->GUpdateStationKeys = false;
137
138 #ifdef CONFIG_IEEE80211BE
139 for_each_sm_auth(sm, link_id)
140 sm->mld_links[link_id].wpa_auth->group->GKeyDoneStations--;
141 #endif /* CONFIG_IEEE80211BE */
142 }
143
144
145 #ifdef CONFIG_IEEE80211BE
146
wpa_release_link_auth_ref(struct wpa_state_machine * sm,int release_link_id)147 void wpa_release_link_auth_ref(struct wpa_state_machine *sm,
148 int release_link_id)
149 {
150 int link_id;
151
152 if (!sm || release_link_id >= MAX_NUM_MLD_LINKS)
153 return;
154
155 for_each_sm_auth(sm, link_id) {
156 if (link_id == release_link_id) {
157 wpa_group_put(sm->mld_links[link_id].wpa_auth,
158 sm->mld_links[link_id].wpa_auth->group);
159 sm->mld_links[link_id].wpa_auth = NULL;
160 }
161 }
162 }
163
164
165 struct wpa_get_link_auth_ctx {
166 const u8 *addr;
167 const u8 *mld_addr;
168 int link_id;
169 struct wpa_authenticator *wpa_auth;
170 };
171
wpa_get_link_sta_auth(struct wpa_authenticator * wpa_auth,void * data)172 static int wpa_get_link_sta_auth(struct wpa_authenticator *wpa_auth, void *data)
173 {
174 struct wpa_get_link_auth_ctx *ctx = data;
175
176 if (!wpa_auth->is_ml)
177 return 0;
178
179 if (ctx->mld_addr &&
180 !ether_addr_equal(wpa_auth->mld_addr, ctx->mld_addr))
181 return 0;
182
183 if ((ctx->addr && ether_addr_equal(wpa_auth->addr, ctx->addr)) ||
184 (ctx->link_id > -1 && wpa_auth->is_ml &&
185 wpa_auth->link_id == ctx->link_id)) {
186 ctx->wpa_auth = wpa_auth;
187 return 1;
188
189 }
190 return 0;
191 }
192
193
194 static struct wpa_authenticator *
wpa_get_link_auth(struct wpa_authenticator * wpa_auth,int link_id)195 wpa_get_link_auth(struct wpa_authenticator *wpa_auth, int link_id)
196 {
197 struct wpa_get_link_auth_ctx ctx;
198
199 ctx.addr = NULL;
200 ctx.mld_addr = wpa_auth->mld_addr;
201 ctx.link_id = link_id;
202 ctx.wpa_auth = NULL;
203 wpa_auth_for_each_auth(wpa_auth, wpa_get_link_sta_auth, &ctx);
204 return ctx.wpa_auth;
205 }
206
207
wpa_get_primary_auth_cb(struct wpa_authenticator * wpa_auth,void * data)208 static int wpa_get_primary_auth_cb(struct wpa_authenticator *wpa_auth,
209 void *data)
210 {
211 struct wpa_get_link_auth_ctx *ctx = data;
212
213 if (!wpa_auth->is_ml ||
214 !ether_addr_equal(wpa_auth->mld_addr, ctx->addr) ||
215 !wpa_auth->primary_auth)
216 return 0;
217
218 ctx->wpa_auth = wpa_auth;
219 return 1;
220 }
221
222 #endif /* CONFIG_IEEE80211BE */
223
224
225 static struct wpa_authenticator *
wpa_get_primary_auth(struct wpa_authenticator * wpa_auth)226 wpa_get_primary_auth(struct wpa_authenticator *wpa_auth)
227 {
228 #ifdef CONFIG_IEEE80211BE
229 struct wpa_get_link_auth_ctx ctx;
230
231 if (!wpa_auth || !wpa_auth->is_ml || wpa_auth->primary_auth)
232 return wpa_auth;
233
234 ctx.addr = wpa_auth->mld_addr;
235 ctx.wpa_auth = NULL;
236 wpa_auth_for_each_auth(wpa_auth, wpa_get_primary_auth_cb, &ctx);
237
238 return ctx.wpa_auth;
239 #else /* CONFIG_IEEE80211BE */
240 return wpa_auth;
241 #endif /* CONFIG_IEEE80211BE */
242 }
243
244
wpa_auth_mic_failure_report(struct wpa_authenticator * wpa_auth,const u8 * addr)245 static inline int wpa_auth_mic_failure_report(
246 struct wpa_authenticator *wpa_auth, const u8 *addr)
247 {
248 if (wpa_auth->cb->mic_failure_report)
249 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
250 return 0;
251 }
252
253
wpa_auth_psk_failure_report(struct wpa_authenticator * wpa_auth,const u8 * addr)254 static inline void wpa_auth_psk_failure_report(
255 struct wpa_authenticator *wpa_auth, const u8 *addr)
256 {
257 if (wpa_auth->cb->psk_failure_report)
258 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
259 }
260
261
wpa_auth_set_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var,int value)262 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
263 const u8 *addr, wpa_eapol_variable var,
264 int value)
265 {
266 if (wpa_auth->cb->set_eapol)
267 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
268 }
269
270
wpa_auth_get_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var)271 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
272 const u8 *addr, wpa_eapol_variable var)
273 {
274 if (!wpa_auth->cb->get_eapol)
275 return -1;
276 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
277 }
278
279
wpa_auth_get_psk(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * p2p_dev_addr,const u8 * prev_psk,size_t * psk_len,int * vlan_id)280 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
281 const u8 *addr,
282 const u8 *p2p_dev_addr,
283 const u8 *prev_psk, size_t *psk_len,
284 int *vlan_id)
285 {
286 if (!wpa_auth->cb->get_psk)
287 return NULL;
288 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
289 prev_psk, psk_len, vlan_id);
290 }
291
292
wpa_auth_get_msk(struct wpa_authenticator * wpa_auth,const u8 * addr,u8 * msk,size_t * len)293 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
294 const u8 *addr, u8 *msk, size_t *len)
295 {
296 if (!wpa_auth->cb->get_msk)
297 return -1;
298 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
299 }
300
301
wpa_auth_set_key(struct wpa_authenticator * wpa_auth,int vlan_id,enum wpa_alg alg,const u8 * addr,int idx,u8 * key,size_t key_len,enum key_flag key_flag)302 int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
303 int vlan_id,
304 enum wpa_alg alg, const u8 *addr, int idx,
305 u8 *key, size_t key_len,
306 enum key_flag key_flag)
307 {
308 if (wpa_auth == NULL)
309 return -1;
310
311 if (wpa_auth->cb == NULL)
312 return -1;
313
314 if (!wpa_auth->cb->set_key)
315 return -1;
316 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
317 key, key_len, key_flag);
318 }
319
320
321 #ifdef CONFIG_PASN
wpa_auth_set_ltf_keyseed(struct wpa_authenticator * wpa_auth,const u8 * peer_addr,const u8 * ltf_keyseed,size_t ltf_keyseed_len)322 static inline int wpa_auth_set_ltf_keyseed(struct wpa_authenticator *wpa_auth,
323 const u8 *peer_addr,
324 const u8 *ltf_keyseed,
325 size_t ltf_keyseed_len)
326 {
327 if (!wpa_auth->cb->set_ltf_keyseed)
328 return -1;
329 return wpa_auth->cb->set_ltf_keyseed(wpa_auth->cb_ctx, peer_addr,
330 ltf_keyseed, ltf_keyseed_len);
331 }
332 #endif /* CONFIG_PASN */
333
334
wpa_auth_get_seqnum(struct wpa_authenticator * wpa_auth,const u8 * addr,int idx,u8 * seq)335 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
336 const u8 *addr, int idx, u8 *seq)
337 {
338 int res;
339
340 if (!wpa_auth->cb->get_seqnum)
341 return -1;
342 #ifdef CONFIG_TESTING_OPTIONS
343 os_memset(seq, 0, WPA_KEY_RSC_LEN);
344 #endif /* CONFIG_TESTING_OPTIONS */
345 res = wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
346 #ifdef CONFIG_TESTING_OPTIONS
347 if (!addr && idx < 4 && wpa_auth->conf.gtk_rsc_override_set) {
348 wpa_printf(MSG_DEBUG,
349 "TESTING: Override GTK RSC %016llx --> %016llx",
350 (long long unsigned) WPA_GET_LE64(seq),
351 (long long unsigned)
352 WPA_GET_LE64(wpa_auth->conf.gtk_rsc_override));
353 os_memcpy(seq, wpa_auth->conf.gtk_rsc_override,
354 WPA_KEY_RSC_LEN);
355 }
356 if (!addr && idx >= 4 && idx <= 5 &&
357 wpa_auth->conf.igtk_rsc_override_set) {
358 wpa_printf(MSG_DEBUG,
359 "TESTING: Override IGTK RSC %016llx --> %016llx",
360 (long long unsigned) WPA_GET_LE64(seq),
361 (long long unsigned)
362 WPA_GET_LE64(wpa_auth->conf.igtk_rsc_override));
363 os_memcpy(seq, wpa_auth->conf.igtk_rsc_override,
364 WPA_KEY_RSC_LEN);
365 }
366 #endif /* CONFIG_TESTING_OPTIONS */
367 return res;
368 }
369
370
371 static inline int
wpa_auth_send_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * data,size_t data_len,int encrypt)372 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
373 const u8 *data, size_t data_len, int encrypt)
374 {
375 if (!wpa_auth->cb->send_eapol)
376 return -1;
377 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
378 encrypt);
379 }
380
381
382 #ifdef CONFIG_MESH
wpa_auth_start_ampe(struct wpa_authenticator * wpa_auth,const u8 * addr)383 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
384 const u8 *addr)
385 {
386 if (!wpa_auth->cb->start_ampe)
387 return -1;
388 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
389 }
390 #endif /* CONFIG_MESH */
391
392
wpa_auth_for_each_sta(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_state_machine * sm,void * ctx),void * cb_ctx)393 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
394 int (*cb)(struct wpa_state_machine *sm, void *ctx),
395 void *cb_ctx)
396 {
397 if (!wpa_auth->cb->for_each_sta)
398 return 0;
399 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
400 }
401
402
wpa_auth_for_each_auth(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_authenticator * a,void * ctx),void * cb_ctx)403 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
404 int (*cb)(struct wpa_authenticator *a, void *ctx),
405 void *cb_ctx)
406 {
407 if (!wpa_auth->cb->for_each_auth)
408 return 0;
409 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
410 }
411
412
wpa_auth_store_ptksa(struct wpa_authenticator * wpa_auth,const u8 * addr,int cipher,u32 life_time,const struct wpa_ptk * ptk)413 void wpa_auth_store_ptksa(struct wpa_authenticator *wpa_auth,
414 const u8 *addr, int cipher,
415 u32 life_time, const struct wpa_ptk *ptk)
416 {
417 if (wpa_auth->cb->store_ptksa)
418 wpa_auth->cb->store_ptksa(wpa_auth->cb_ctx, addr, cipher,
419 life_time, ptk);
420 }
421
422
wpa_auth_remove_ptksa(struct wpa_authenticator * wpa_auth,const u8 * addr,int cipher)423 static void wpa_auth_remove_ptksa(struct wpa_authenticator *wpa_auth,
424 const u8 *addr, int cipher)
425 {
426 if (wpa_auth->cb->clear_ptksa)
427 wpa_auth->cb->clear_ptksa(wpa_auth->cb_ctx, addr, cipher);
428 }
429
430
wpa_auth_logger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * txt)431 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
432 logger_level level, const char *txt)
433 {
434 if (!wpa_auth->cb->logger)
435 return;
436 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
437 }
438
439
wpa_auth_vlogger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * fmt,...)440 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
441 logger_level level, const char *fmt, ...)
442 {
443 char *format;
444 int maxlen;
445 va_list ap;
446
447 if (!wpa_auth->cb->logger)
448 return;
449
450 maxlen = os_strlen(fmt) + 100;
451 format = os_malloc(maxlen);
452 if (!format)
453 return;
454
455 va_start(ap, fmt);
456 vsnprintf(format, maxlen, fmt, ap);
457 va_end(ap);
458
459 wpa_auth_logger(wpa_auth, addr, level, format);
460
461 os_free(format);
462 }
463
464
wpa_sta_disconnect(struct wpa_authenticator * wpa_auth,const u8 * addr,u16 reason)465 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
466 const u8 *addr, u16 reason)
467 {
468 if (!wpa_auth->cb->disconnect)
469 return;
470 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR_SEC " (reason %u)",
471 MAC2STR_SEC(addr), reason);
472 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason);
473 }
474
475
476 #ifdef CONFIG_OCV
wpa_channel_info(struct wpa_authenticator * wpa_auth,struct wpa_channel_info * ci)477 static int wpa_channel_info(struct wpa_authenticator *wpa_auth,
478 struct wpa_channel_info *ci)
479 {
480 if (!wpa_auth->cb->channel_info)
481 return -1;
482 return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci);
483 }
484 #endif /* CONFIG_OCV */
485
486
wpa_auth_update_vlan(struct wpa_authenticator * wpa_auth,const u8 * addr,int vlan_id)487 static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth,
488 const u8 *addr, int vlan_id)
489 {
490 if (!wpa_auth->cb->update_vlan)
491 return -1;
492 return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id);
493 }
494
495
wpa_rekey_gmk(void * eloop_ctx,void * timeout_ctx)496 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
497 {
498 struct wpa_authenticator *wpa_auth = eloop_ctx;
499
500 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
501 wpa_printf(MSG_ERROR,
502 "Failed to get random data for WPA initialization.");
503 } else {
504 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
505 wpa_hexdump_key(MSG_DEBUG, "GMK",
506 wpa_auth->group->GMK, WPA_GMK_LEN);
507 }
508
509 if (wpa_auth->conf.wpa_gmk_rekey) {
510 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
511 wpa_rekey_gmk, wpa_auth, NULL);
512 }
513 }
514
515
wpa_rekey_all_groups(struct wpa_authenticator * wpa_auth)516 static void wpa_rekey_all_groups(struct wpa_authenticator *wpa_auth)
517 {
518 struct wpa_group *group, *next;
519
520 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
521 group = wpa_auth->group;
522 while (group) {
523 wpa_printf(MSG_DEBUG, "GTK rekey start for authenticator ("
524 MACSTR "), group vlan %d",
525 MAC2STR(wpa_auth->addr), group->vlan_id);
526 wpa_group_get(wpa_auth, group);
527
528 group->GTKReKey = true;
529 do {
530 group->changed = false;
531 wpa_group_sm_step(wpa_auth, group);
532 } while (group->changed);
533
534 next = group->next;
535 wpa_group_put(wpa_auth, group);
536 group = next;
537 }
538 }
539
540
541 #ifdef CONFIG_IEEE80211BE
542
wpa_update_all_gtks(struct wpa_authenticator * wpa_auth)543 static void wpa_update_all_gtks(struct wpa_authenticator *wpa_auth)
544 {
545 struct wpa_group *group, *next;
546
547 group = wpa_auth->group;
548 while (group) {
549 wpa_group_get(wpa_auth, group);
550
551 wpa_group_update_gtk(wpa_auth, group);
552 next = group->next;
553 wpa_group_put(wpa_auth, group);
554 group = next;
555 }
556 }
557
558
wpa_update_all_gtks_cb(struct wpa_authenticator * wpa_auth,void * ctx)559 static int wpa_update_all_gtks_cb(struct wpa_authenticator *wpa_auth, void *ctx)
560 {
561 const u8 *mld_addr = ctx;
562
563 if (!ether_addr_equal(wpa_auth->mld_addr, mld_addr))
564 return 0;
565
566 wpa_update_all_gtks(wpa_auth);
567 return 0;
568 }
569
570
wpa_rekey_all_groups_cb(struct wpa_authenticator * wpa_auth,void * ctx)571 static int wpa_rekey_all_groups_cb(struct wpa_authenticator *wpa_auth,
572 void *ctx)
573 {
574 const u8 *mld_addr = ctx;
575
576 if (!ether_addr_equal(wpa_auth->mld_addr, mld_addr))
577 return 0;
578
579 wpa_rekey_all_groups(wpa_auth);
580 return 0;
581 }
582
583 #endif /* CONFIG_IEEE80211BE */
584
585
wpa_rekey_gtk(void * eloop_ctx,void * timeout_ctx)586 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
587 {
588 struct wpa_authenticator *wpa_auth = eloop_ctx;
589
590 #ifdef CONFIG_IEEE80211BE
591 if (wpa_auth->is_ml) {
592 /* Non-primary ML authenticator eloop timer for group rekey is
593 * never started and shouldn't fire. Check and warn just in
594 * case. */
595 if (!wpa_auth->primary_auth) {
596 wpa_printf(MSG_DEBUG,
597 "RSN: Cannot start GTK rekey on non-primary ML authenticator");
598 return;
599 }
600
601 /* Generate all the new group keys */
602 wpa_auth_for_each_auth(wpa_auth, wpa_update_all_gtks_cb,
603 wpa_auth->mld_addr);
604
605 /* Send all the generated group keys to the respective stations
606 * with group key handshake. */
607 wpa_auth_for_each_auth(wpa_auth, wpa_rekey_all_groups_cb,
608 wpa_auth->mld_addr);
609 } else {
610 wpa_rekey_all_groups(wpa_auth);
611 }
612 #else /* CONFIG_IEEE80211BE */
613 wpa_rekey_all_groups(wpa_auth);
614 #endif /* CONFIG_IEEE80211BE */
615
616 if (wpa_auth->conf.wpa_group_rekey) {
617 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
618 0, wpa_rekey_gtk, wpa_auth, NULL);
619 }
620 }
621
622
wpa_rekey_ptk(void * eloop_ctx,void * timeout_ctx)623 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
624 {
625 struct wpa_authenticator *wpa_auth = eloop_ctx;
626 struct wpa_state_machine *sm = timeout_ctx;
627
628 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
629 "rekeying PTK");
630 wpa_request_new_ptk(sm);
631 wpa_sm_step(sm);
632 }
633
634
wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine * sm)635 void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine *sm)
636 {
637 if (sm && sm->wpa_auth->conf.wpa_ptk_rekey) {
638 wpa_printf(MSG_DEBUG, "WPA: Start PTK rekeying timer for "
639 MACSTR_SEC " (%d seconds)",
640 MAC2STR_SEC(wpa_auth_get_spa(sm)),
641 sm->wpa_auth->conf.wpa_ptk_rekey);
642 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
643 eloop_register_timeout(sm->wpa_auth->conf.wpa_ptk_rekey, 0,
644 wpa_rekey_ptk, sm->wpa_auth, sm);
645 }
646 }
647
648
wpa_auth_pmksa_clear_cb(struct wpa_state_machine * sm,void * ctx)649 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
650 {
651 if (sm->pmksa == ctx)
652 sm->pmksa = NULL;
653 return 0;
654 }
655
656
wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)657 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
658 void *ctx)
659 {
660 struct wpa_authenticator *wpa_auth = ctx;
661 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
662 }
663
664
wpa_group_init_gmk_and_counter(struct wpa_authenticator * wpa_auth,struct wpa_group * group)665 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
666 struct wpa_group *group)
667 {
668 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
669 u8 rkey[32];
670 unsigned long ptr;
671
672 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
673 return -1;
674 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
675
676 /*
677 * Counter = PRF-256(Random number, "Init Counter",
678 * Local MAC Address || Time)
679 */
680 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
681 wpa_get_ntp_timestamp(buf + ETH_ALEN);
682 ptr = (unsigned long) group;
683 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
684 #ifdef TEST_FUZZ
685 os_memset(buf + ETH_ALEN, 0xab, 8);
686 os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr));
687 #endif /* TEST_FUZZ */
688 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
689 return -1;
690
691 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
692 group->Counter, WPA_NONCE_LEN) < 0)
693 return -1;
694 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
695 group->Counter, WPA_NONCE_LEN);
696
697 return 0;
698 }
699
700
wpa_group_init(struct wpa_authenticator * wpa_auth,int vlan_id,int delay_init)701 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
702 int vlan_id, int delay_init)
703 {
704 struct wpa_group *group;
705
706 group = os_zalloc(sizeof(struct wpa_group));
707 if (!group)
708 return NULL;
709
710 group->GTKAuthenticator = true;
711 group->vlan_id = vlan_id;
712 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
713
714 if (random_pool_ready() != 1) {
715 wpa_printf(MSG_INFO,
716 "WPA: Not enough entropy in random pool for secure operations - update keys later when the first station connects");
717 }
718
719 /*
720 * Set initial GMK/Counter value here. The actual values that will be
721 * used in negotiations will be set once the first station tries to
722 * connect. This allows more time for collecting additional randomness
723 * on embedded devices.
724 */
725 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
726 wpa_printf(MSG_ERROR,
727 "Failed to get random data for WPA initialization.");
728 os_free(group);
729 return NULL;
730 }
731
732 group->GInit = true;
733 if (delay_init) {
734 wpa_printf(MSG_DEBUG,
735 "WPA: Delay group state machine start until Beacon frames have been configured");
736 /* Initialization is completed in wpa_init_keys(). */
737 } else {
738 wpa_group_sm_step(wpa_auth, group);
739 group->GInit = false;
740 wpa_group_sm_step(wpa_auth, group);
741 }
742
743 return group;
744 }
745
746
747 /**
748 * wpa_init - Initialize WPA authenticator
749 * @addr: Authenticator address
750 * @conf: Configuration for WPA authenticator
751 * @cb: Callback functions for WPA authenticator
752 * Returns: Pointer to WPA authenticator data or %NULL on failure
753 */
wpa_init(const u8 * addr,struct wpa_auth_config * conf,const struct wpa_auth_callbacks * cb,void * cb_ctx)754 struct wpa_authenticator * wpa_init(const u8 *addr,
755 struct wpa_auth_config *conf,
756 const struct wpa_auth_callbacks *cb,
757 void *cb_ctx)
758 {
759 struct wpa_authenticator *wpa_auth;
760
761 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
762 if (!wpa_auth)
763 return NULL;
764
765 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
766 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
767
768 #ifdef CONFIG_IEEE80211BE
769 if (conf->mld_addr) {
770 wpa_auth->is_ml = true;
771 wpa_auth->link_id = conf->link_id;
772 wpa_auth->primary_auth = !conf->first_link_auth;
773 os_memcpy(wpa_auth->mld_addr, conf->mld_addr, ETH_ALEN);
774 }
775 #endif /* CONFIG_IEEE80211BE */
776
777 wpa_auth->cb = cb;
778 wpa_auth->cb_ctx = cb_ctx;
779
780 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
781 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
782 os_free(wpa_auth);
783 return NULL;
784 }
785
786 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
787 if (!wpa_auth->group) {
788 os_free(wpa_auth->wpa_ie);
789 os_free(wpa_auth);
790 return NULL;
791 }
792
793 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
794 wpa_auth);
795 if (!wpa_auth->pmksa) {
796 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
797 os_free(wpa_auth->group);
798 os_free(wpa_auth->wpa_ie);
799 os_free(wpa_auth);
800 return NULL;
801 }
802
803 #ifdef CONFIG_IEEE80211R_AP
804 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
805 if (!wpa_auth->ft_pmk_cache) {
806 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
807 os_free(wpa_auth->group);
808 os_free(wpa_auth->wpa_ie);
809 pmksa_cache_auth_deinit(wpa_auth->pmksa);
810 os_free(wpa_auth);
811 return NULL;
812 }
813 #endif /* CONFIG_IEEE80211R_AP */
814
815 if (wpa_auth->conf.wpa_gmk_rekey) {
816 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
817 wpa_rekey_gmk, wpa_auth, NULL);
818 }
819
820 #ifdef CONFIG_IEEE80211BE
821 /* For AP MLD, run group rekey timer only on one link (first) and
822 * whenever it fires do rekey on all associated ML links in one shot.
823 */
824 if ((!wpa_auth->is_ml || !conf->first_link_auth) &&
825 wpa_auth->conf.wpa_group_rekey) {
826 #else /* CONFIG_IEEE80211BE */
827 if (wpa_auth->conf.wpa_group_rekey) {
828 #endif /* CONFIG_IEEE80211BE */
829 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
830 wpa_rekey_gtk, wpa_auth, NULL);
831 }
832
833 #ifdef CONFIG_P2P
834 if (WPA_GET_BE32(conf->ip_addr_start)) {
835 int count = WPA_GET_BE32(conf->ip_addr_end) -
836 WPA_GET_BE32(conf->ip_addr_start) + 1;
837 if (count > 1000)
838 count = 1000;
839 if (count > 0)
840 wpa_auth->ip_pool = bitfield_alloc(count);
841 }
842 #endif /* CONFIG_P2P */
843
844 if (conf->tx_bss_auth && conf->beacon_prot) {
845 conf->tx_bss_auth->non_tx_beacon_prot = true;
846 if (!conf->tx_bss_auth->conf.beacon_prot)
847 conf->tx_bss_auth->conf.beacon_prot = true;
848 if (!conf->tx_bss_auth->conf.group_mgmt_cipher)
849 conf->tx_bss_auth->conf.group_mgmt_cipher =
850 conf->group_mgmt_cipher;
851 }
852
853 return wpa_auth;
854 }
855
856
857 int wpa_init_keys(struct wpa_authenticator *wpa_auth)
858 {
859 struct wpa_group *group = wpa_auth->group;
860
861 wpa_printf(MSG_DEBUG,
862 "WPA: Start group state machine to set initial keys");
863 wpa_group_sm_step(wpa_auth, group);
864 group->GInit = false;
865 wpa_group_sm_step(wpa_auth, group);
866 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
867 return -1;
868 return 0;
869 }
870
871
872 static void wpa_auth_free_conf(struct wpa_auth_config *conf)
873 {
874 #ifdef CONFIG_TESTING_OPTIONS
875 wpabuf_free(conf->eapol_m1_elements);
876 conf->eapol_m1_elements = NULL;
877 wpabuf_free(conf->eapol_m3_elements);
878 conf->eapol_m3_elements = NULL;
879 #endif /* CONFIG_TESTING_OPTIONS */
880 }
881
882
883 /**
884 * wpa_deinit - Deinitialize WPA authenticator
885 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
886 */
887 void wpa_deinit(struct wpa_authenticator *wpa_auth)
888 {
889 struct wpa_group *group, *prev;
890
891 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
892
893 /* TODO: Assign ML primary authenticator to next link authenticator and
894 * start rekey timer. */
895 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
896
897 pmksa_cache_auth_deinit(wpa_auth->pmksa);
898
899 #ifdef CONFIG_IEEE80211R_AP
900 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
901 wpa_auth->ft_pmk_cache = NULL;
902 wpa_ft_deinit(wpa_auth);
903 #endif /* CONFIG_IEEE80211R_AP */
904
905 #ifdef CONFIG_P2P
906 bitfield_free(wpa_auth->ip_pool);
907 #endif /* CONFIG_P2P */
908
909
910 os_free(wpa_auth->wpa_ie);
911
912 group = wpa_auth->group;
913 while (group) {
914 prev = group;
915 group = group->next;
916 bin_clear_free(prev, sizeof(*prev));
917 }
918
919 wpa_auth_free_conf(&wpa_auth->conf);
920 os_free(wpa_auth);
921 }
922
923
924 /**
925 * wpa_reconfig - Update WPA authenticator configuration
926 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
927 * @conf: Configuration for WPA authenticator
928 */
929 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
930 struct wpa_auth_config *conf)
931 {
932 struct wpa_group *group;
933
934 if (!wpa_auth)
935 return 0;
936
937 wpa_auth_free_conf(&wpa_auth->conf);
938 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
939 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
940 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
941 return -1;
942 }
943
944 /*
945 * Reinitialize GTK to make sure it is suitable for the new
946 * configuration.
947 */
948 group = wpa_auth->group;
949 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
950 group->GInit = true;
951 wpa_group_sm_step(wpa_auth, group);
952 group->GInit = false;
953 wpa_group_sm_step(wpa_auth, group);
954
955 return 0;
956 }
957
958
959 struct wpa_state_machine *
960 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
961 const u8 *p2p_dev_addr)
962 {
963 struct wpa_state_machine *sm;
964
965 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
966 return NULL;
967
968 sm = os_zalloc(sizeof(struct wpa_state_machine));
969 if (!sm)
970 return NULL;
971 os_memcpy(sm->addr, addr, ETH_ALEN);
972 if (p2p_dev_addr)
973 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
974
975 sm->wpa_auth = wpa_auth;
976 sm->group = wpa_auth->group;
977 wpa_group_get(sm->wpa_auth, sm->group);
978 #ifdef CONFIG_IEEE80211BE
979 sm->mld_assoc_link_id = -1;
980 #endif /* CONFIG_IEEE80211BE */
981
982 return sm;
983 }
984
985
986 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
987 struct wpa_state_machine *sm)
988 {
989 if (!wpa_auth || !wpa_auth->conf.wpa || !sm)
990 return -1;
991
992 #ifdef CONFIG_IEEE80211R_AP
993 if (sm->ft_completed) {
994 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
995 "FT authentication already completed - do not start 4-way handshake");
996 /* Go to PTKINITDONE state to allow GTK rekeying */
997 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
998 sm->Pair = true;
999 return 0;
1000 }
1001 #endif /* CONFIG_IEEE80211R_AP */
1002
1003 #ifdef CONFIG_FILS
1004 if (sm->fils_completed) {
1005 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1006 "FILS authentication already completed - do not start 4-way handshake");
1007 /* Go to PTKINITDONE state to allow GTK rekeying */
1008 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
1009 sm->Pair = true;
1010 return 0;
1011 }
1012 #endif /* CONFIG_FILS */
1013
1014 #ifdef CONFIG_VENDOR_EXT
1015 if (wpa_vendor_ext_wpa_auth_set_sm(wpa_auth, sm))
1016 return 0;
1017 #endif
1018 if (sm->started) {
1019 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
1020 sm->ReAuthenticationRequest = true;
1021 return wpa_sm_step(sm);
1022 }
1023
1024 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1025 "start authentication");
1026 sm->started = 1;
1027
1028 sm->Init = true;
1029 if (wpa_sm_step(sm) == 1)
1030 return 1; /* should not really happen */
1031 sm->Init = false;
1032 sm->AuthenticationRequest = true;
1033 return wpa_sm_step(sm);
1034 }
1035
1036
1037 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
1038 {
1039 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
1040 * reassociates back to the same AP while the previous entry for the
1041 * STA has not yet been removed. */
1042 if (!sm)
1043 return;
1044
1045 sm->wpa_key_mgmt = 0;
1046 }
1047
1048
1049 static void wpa_free_sta_sm(struct wpa_state_machine *sm)
1050 {
1051 #ifdef CONFIG_IEEE80211BE
1052 int link_id;
1053 #endif /* CONFIG_IEEE80211BE */
1054
1055 #ifdef CONFIG_P2P
1056 if (WPA_GET_BE32(sm->ip_addr)) {
1057 wpa_printf(MSG_DEBUG,
1058 "P2P: Free assigned IP address %u.%u.%u.%u from "
1059 MACSTR_SEC " (bit %u)",
1060 sm->ip_addr[0], sm->ip_addr[1],
1061 sm->ip_addr[2], sm->ip_addr[3],
1062 MAC2STR_SEC(wpa_auth_get_spa(sm)),
1063 sm->ip_addr_bit);
1064 bitfield_clear(sm->wpa_auth->ip_pool, sm->ip_addr_bit);
1065 }
1066 #endif /* CONFIG_P2P */
1067 if (sm->GUpdateStationKeys)
1068 wpa_gkeydone_sta(sm);
1069 #ifdef CONFIG_IEEE80211R_AP
1070 os_free(sm->assoc_resp_ftie);
1071 wpabuf_free(sm->ft_pending_req_ies);
1072 #endif /* CONFIG_IEEE80211R_AP */
1073 os_free(sm->last_rx_eapol_key);
1074 os_free(sm->wpa_ie);
1075 os_free(sm->rsnxe);
1076 #ifdef CONFIG_IEEE80211BE
1077 for_each_sm_auth(sm, link_id) {
1078 wpa_group_put(sm->mld_links[link_id].wpa_auth,
1079 sm->mld_links[link_id].wpa_auth->group);
1080 sm->mld_links[link_id].wpa_auth = NULL;
1081 }
1082 #endif /* CONFIG_IEEE80211BE */
1083 wpa_group_put(sm->wpa_auth, sm->group);
1084 #ifdef CONFIG_DPP2
1085 wpabuf_clear_free(sm->dpp_z);
1086 #endif /* CONFIG_DPP2 */
1087 bin_clear_free(sm, sizeof(*sm));
1088 }
1089
1090
1091 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
1092 {
1093 struct wpa_authenticator *wpa_auth;
1094
1095 if (!sm)
1096 return;
1097
1098 wpa_auth = sm->wpa_auth;
1099 if (wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
1100 struct wpa_authenticator *primary_auth = wpa_auth;
1101
1102 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1103 "strict rekeying - force GTK rekey since STA is leaving");
1104
1105 #ifdef CONFIG_IEEE80211BE
1106 if (wpa_auth->is_ml && !wpa_auth->primary_auth)
1107 primary_auth = wpa_get_primary_auth(wpa_auth);
1108 #endif /* CONFIG_IEEE80211BE */
1109
1110 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk,
1111 primary_auth, NULL) == -1)
1112 eloop_register_timeout(0, 500000, wpa_rekey_gtk,
1113 primary_auth, NULL);
1114 }
1115
1116 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1117 sm->pending_1_of_4_timeout = 0;
1118 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
1119 eloop_cancel_timeout(wpa_rekey_ptk, wpa_auth, sm);
1120 #ifdef CONFIG_IEEE80211R_AP
1121 wpa_ft_sta_deinit(sm);
1122 #endif /* CONFIG_IEEE80211R_AP */
1123 if (sm->in_step_loop) {
1124 /* Must not free state machine while wpa_sm_step() is running.
1125 * Freeing will be completed in the end of wpa_sm_step(). */
1126 wpa_printf(MSG_DEBUG,
1127 "WPA: Registering pending STA state machine deinit for "
1128 MACSTR_SEC, MAC2STR_SEC(wpa_auth_get_spa(sm)));
1129 sm->pending_deinit = 1;
1130 } else
1131 wpa_free_sta_sm(sm);
1132 }
1133
1134
1135 static void wpa_request_new_ptk(struct wpa_state_machine *sm)
1136 {
1137 if (!sm)
1138 return;
1139
1140 if (!sm->use_ext_key_id && sm->wpa_auth->conf.wpa_deny_ptk0_rekey) {
1141 wpa_printf(MSG_INFO,
1142 "WPA: PTK0 rekey not allowed, disconnect " MACSTR_SEC,
1143 MAC2STR_SEC(wpa_auth_get_spa(sm)));
1144 sm->Disconnect = true;
1145 /* Try to encourage the STA to reconnect */
1146 sm->disconnect_reason =
1147 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA;
1148 } else {
1149 if (sm->use_ext_key_id)
1150 sm->keyidx_active ^= 1; /* flip Key ID */
1151 sm->PTKRequest = true;
1152 sm->PTK_valid = 0;
1153 }
1154 }
1155
1156
1157 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
1158 const u8 *replay_counter)
1159 {
1160 int i;
1161 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1162 if (!ctr[i].valid)
1163 break;
1164 if (os_memcmp(replay_counter, ctr[i].counter,
1165 WPA_REPLAY_COUNTER_LEN) == 0)
1166 return 1;
1167 }
1168 return 0;
1169 }
1170
1171
1172 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
1173 const u8 *replay_counter)
1174 {
1175 int i;
1176 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1177 if (ctr[i].valid &&
1178 (!replay_counter ||
1179 os_memcmp(replay_counter, ctr[i].counter,
1180 WPA_REPLAY_COUNTER_LEN) == 0))
1181 ctr[i].valid = false;
1182 }
1183 }
1184
1185
1186 #ifdef CONFIG_IEEE80211R_AP
1187 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
1188 struct wpa_state_machine *sm,
1189 struct wpa_eapol_ie_parse *kde)
1190 {
1191 struct wpa_ie_data ie, assoc_ie;
1192 struct rsn_mdie *mdie;
1193 unsigned int i, j;
1194 bool found = false;
1195
1196 /* Verify that PMKR1Name from EAPOL-Key message 2/4 matches the value
1197 * we derived. */
1198
1199 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
1200 ie.num_pmkid < 1 || !ie.pmkid) {
1201 wpa_printf(MSG_DEBUG,
1202 "FT: No PMKR1Name in FT 4-way handshake message 2/4");
1203 return -1;
1204 }
1205
1206 if (wpa_parse_wpa_ie_rsn(sm->wpa_ie, sm->wpa_ie_len, &assoc_ie) < 0) {
1207 wpa_printf(MSG_DEBUG,
1208 "FT: Could not parse (Re)Association Request frame RSNE");
1209 os_memset(&assoc_ie, 0, sizeof(assoc_ie));
1210 /* Continue to allow PMKR1Name matching to be done to cover the
1211 * case where it is the only listed PMKID. */
1212 }
1213
1214 for (i = 0; i < ie.num_pmkid; i++) {
1215 const u8 *pmkid = ie.pmkid + i * PMKID_LEN;
1216
1217 if (os_memcmp_const(pmkid, sm->pmk_r1_name,
1218 WPA_PMK_NAME_LEN) == 0) {
1219 wpa_printf(MSG_DEBUG,
1220 "FT: RSNE[PMKID[%u]] from supplicant matches PMKR1Name",
1221 i);
1222 found = true;
1223 } else {
1224 for (j = 0; j < assoc_ie.num_pmkid; j++) {
1225 if (os_memcmp(pmkid,
1226 assoc_ie.pmkid + j * PMKID_LEN,
1227 PMKID_LEN) == 0)
1228 break;
1229 }
1230
1231 if (j == assoc_ie.num_pmkid) {
1232 wpa_printf(MSG_DEBUG,
1233 "FT: RSNE[PMKID[%u]] from supplicant is neither PMKR1Name nor included in AssocReq",
1234 i);
1235 found = false;
1236 break;
1237 }
1238 wpa_printf(MSG_DEBUG,
1239 "FT: RSNE[PMKID[%u]] from supplicant is not PMKR1Name, but matches a PMKID in AssocReq",
1240 i);
1241 }
1242 }
1243
1244 if (!found) {
1245 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
1246 LOGGER_DEBUG,
1247 "PMKR1Name mismatch in FT 4-way handshake");
1248 wpa_hexdump(MSG_DEBUG,
1249 "FT: PMKIDs/PMKR1Name from Supplicant",
1250 ie.pmkid, ie.num_pmkid * PMKID_LEN);
1251 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1252 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1253 return -1;
1254 }
1255
1256 if (!kde->mdie || !kde->ftie) {
1257 wpa_printf(MSG_DEBUG,
1258 "FT: No %s in FT 4-way handshake message 2/4",
1259 kde->mdie ? "FTIE" : "MDIE");
1260 return -1;
1261 }
1262
1263 mdie = (struct rsn_mdie *) (kde->mdie + 2);
1264 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
1265 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
1266 MOBILITY_DOMAIN_ID_LEN) != 0) {
1267 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
1268 return -1;
1269 }
1270
1271 if (sm->assoc_resp_ftie &&
1272 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
1273 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
1274 2 + sm->assoc_resp_ftie[1]) != 0)) {
1275 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
1276 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
1277 kde->ftie, kde->ftie_len);
1278 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
1279 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
1280 return -1;
1281 }
1282
1283 return 0;
1284 }
1285 #endif /* CONFIG_IEEE80211R_AP */
1286
1287
1288 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
1289 struct wpa_state_machine *sm, int group)
1290 {
1291 /* Supplicant reported a Michael MIC error */
1292 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1293 "received EAPOL-Key Error Request (STA detected Michael MIC failure (group=%d))",
1294 group);
1295
1296 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
1297 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1298 "ignore Michael MIC failure report since group cipher is not TKIP");
1299 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
1300 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1301 "ignore Michael MIC failure report since pairwise cipher is not TKIP");
1302 } else {
1303 if (wpa_auth_mic_failure_report(wpa_auth,
1304 wpa_auth_get_spa(sm)) > 0)
1305 return 1; /* STA entry was removed */
1306 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
1307 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
1308 }
1309
1310 /*
1311 * Error report is not a request for a new key handshake, but since
1312 * Authenticator may do it, let's change the keys now anyway.
1313 */
1314 wpa_request_new_ptk(sm);
1315 return 0;
1316 }
1317
1318
1319 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
1320 size_t data_len)
1321 {
1322 struct wpa_ptk PTK;
1323 int ok = 0;
1324 const u8 *pmk = NULL;
1325 size_t pmk_len;
1326 int vlan_id = 0;
1327 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
1328 u8 pmk_r1[PMK_LEN_MAX];
1329 size_t key_len;
1330 int ret = -1;
1331
1332 os_memset(&PTK, 0, sizeof(PTK));
1333 for (;;) {
1334 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
1335 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
1336 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
1337 sm->p2p_dev_addr, pmk, &pmk_len,
1338 &vlan_id);
1339 if (!pmk)
1340 break;
1341 #ifdef CONFIG_IEEE80211R_AP
1342 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
1343 os_memcpy(sm->xxkey, pmk, pmk_len);
1344 sm->xxkey_len = pmk_len;
1345 }
1346 #endif /* CONFIG_IEEE80211R_AP */
1347 } else {
1348 pmk = sm->PMK;
1349 pmk_len = sm->pmk_len;
1350 }
1351
1352 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK, 0,
1353 pmk_r0, pmk_r1, pmk_r0_name, &key_len,
1354 false) < 0)
1355 break;
1356
1357 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
1358 data, data_len) == 0) {
1359 if (sm->PMK != pmk) {
1360 os_memcpy(sm->PMK, pmk, pmk_len);
1361 sm->pmk_len = pmk_len;
1362 }
1363 ok = 1;
1364 break;
1365 }
1366
1367 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
1368 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
1369 break;
1370 }
1371
1372 if (!ok) {
1373 wpa_printf(MSG_DEBUG,
1374 "WPA: Earlier SNonce did not result in matching MIC");
1375 goto fail;
1376 }
1377
1378 wpa_printf(MSG_DEBUG,
1379 "WPA: Earlier SNonce resulted in matching MIC");
1380 sm->alt_snonce_valid = 0;
1381
1382 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
1383 wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0)
1384 goto fail;
1385
1386 #ifdef CONFIG_IEEE80211R_AP
1387 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) && !sm->ft_completed) {
1388 wpa_printf(MSG_DEBUG, "FT: Store PMK-R0/PMK-R1");
1389 wpa_auth_ft_store_keys(sm, pmk_r0, pmk_r1, pmk_r0_name,
1390 key_len);
1391 }
1392 #endif /* CONFIG_IEEE80211R_AP */
1393
1394 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
1395 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
1396 forced_memzero(&PTK, sizeof(PTK));
1397 sm->PTK_valid = true;
1398
1399 ret = 0;
1400 fail:
1401 forced_memzero(pmk_r0, sizeof(pmk_r0));
1402 forced_memzero(pmk_r1, sizeof(pmk_r1));
1403 return ret;
1404 }
1405
1406
1407 static bool wpa_auth_gtk_rekey_in_process(struct wpa_authenticator *wpa_auth)
1408 {
1409 struct wpa_group *group;
1410
1411 for (group = wpa_auth->group; group; group = group->next) {
1412 if (group->GKeyDoneStations)
1413 return true;
1414 }
1415 return false;
1416 }
1417
1418
1419 enum eapol_key_msg { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST };
1420
1421 static bool wpa_auth_valid_key_desc_ver(struct wpa_authenticator *wpa_auth,
1422 struct wpa_state_machine *sm, u16 ver)
1423 {
1424 if (ver > WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1425 wpa_printf(MSG_INFO, "RSN: " MACSTR
1426 " used undefined Key Descriptor Version %d",
1427 MAC2STR(wpa_auth_get_spa(sm)), ver);
1428 return false;
1429 }
1430
1431 if (!wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1432 wpa_use_cmac(sm->wpa_key_mgmt) &&
1433 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1434 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1435 LOGGER_WARNING,
1436 "advertised support for AES-128-CMAC, but did not use it");
1437 #ifdef CONFIG_P2P_CHR
1438 wpa_supplicant_upload_go_p2p_state(wpa_auth->cb_ctx, sm->addr,
1439 P2P_INTERFACE_STATE_DISCONNECTED,
1440 DR_RX_EAPOL_FRAME_NOT_USE_AES_128_CMAC);
1441 #endif
1442 return false;
1443 }
1444
1445 if (sm->pairwise != WPA_CIPHER_TKIP &&
1446 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1447 !wpa_use_cmac(sm->wpa_key_mgmt) &&
1448 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1449 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1450 LOGGER_WARNING,
1451 "did not use HMAC-SHA1-AES with CCMP/GCMP");
1452 #ifdef CONFIG_P2P_CHR
1453 wpa_supplicant_upload_go_p2p_state(wpa_auth->cb_ctx, sm->addr,
1454 P2P_INTERFACE_STATE_DISCONNECTED,
1455 DR_RX_EAPOL_FRAME_NOT_USE_HMAC_SHA1_AES);
1456 #endif
1457 return false;
1458 }
1459
1460 if (wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1461 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1462 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1463 LOGGER_WARNING,
1464 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1465 return false;
1466 }
1467
1468 return true;
1469 }
1470
1471
1472 static bool wpa_auth_valid_request_counter(struct wpa_authenticator *wpa_auth,
1473 struct wpa_state_machine *sm,
1474 const u8 *replay_counter)
1475 {
1476
1477 if (sm->req_replay_counter_used &&
1478 os_memcmp(replay_counter, sm->req_replay_counter,
1479 WPA_REPLAY_COUNTER_LEN) <= 0) {
1480 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1481 LOGGER_WARNING,
1482 "received EAPOL-Key request with replayed counter");
1483 return false;
1484 }
1485
1486 return true;
1487 }
1488
1489
1490 static bool wpa_auth_valid_counter(struct wpa_authenticator *wpa_auth,
1491 struct wpa_state_machine *sm,
1492 const struct wpa_eapol_key *key,
1493 enum eapol_key_msg msg,
1494 const char *msgtxt)
1495 {
1496 int i;
1497
1498 if (msg == REQUEST)
1499 return wpa_auth_valid_request_counter(wpa_auth, sm,
1500 key->replay_counter);
1501
1502 if (wpa_replay_counter_valid(sm->key_replay, key->replay_counter))
1503 return true;
1504
1505 if (msg == PAIRWISE_2 &&
1506 wpa_replay_counter_valid(sm->prev_key_replay,
1507 key->replay_counter) &&
1508 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1509 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
1510 /*
1511 * Some supplicant implementations (e.g., Windows XP
1512 * WZC) update SNonce for each EAPOL-Key 2/4. This
1513 * breaks the workaround on accepting any of the
1514 * pending requests, so allow the SNonce to be updated
1515 * even if we have already sent out EAPOL-Key 3/4.
1516 */
1517 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1518 LOGGER_DEBUG,
1519 "Process SNonce update from STA based on retransmitted EAPOL-Key 1/4");
1520 sm->update_snonce = 1;
1521 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1522 sm->alt_snonce_valid = true;
1523 os_memcpy(sm->alt_replay_counter,
1524 sm->key_replay[0].counter,
1525 WPA_REPLAY_COUNTER_LEN);
1526 return true;
1527 }
1528
1529 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1530 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1531 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1532 WPA_REPLAY_COUNTER_LEN) == 0) {
1533 /*
1534 * Supplicant may still be using the old SNonce since
1535 * there was two EAPOL-Key 2/4 messages and they had
1536 * different SNonce values.
1537 */
1538 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1539 LOGGER_DEBUG,
1540 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
1541 return true;
1542 }
1543
1544 if (msg == PAIRWISE_2 &&
1545 wpa_replay_counter_valid(sm->prev_key_replay,
1546 key->replay_counter) &&
1547 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1548 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1549 LOGGER_DEBUG,
1550 "ignore retransmitted EAPOL-Key %s - SNonce did not change",
1551 msgtxt);
1552 } else {
1553 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1554 LOGGER_DEBUG,
1555 "received EAPOL-Key %s with unexpected replay counter",
1556 msgtxt);
1557 }
1558 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1559 if (!sm->key_replay[i].valid)
1560 break;
1561 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1562 sm->key_replay[i].counter,
1563 WPA_REPLAY_COUNTER_LEN);
1564 }
1565 wpa_hexdump(MSG_DEBUG, "received replay counter",
1566 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1567 return false;
1568 }
1569
1570
1571 void wpa_receive(struct wpa_authenticator *wpa_auth,
1572 struct wpa_state_machine *sm,
1573 u8 *data, size_t data_len)
1574 {
1575 struct ieee802_1x_hdr *hdr;
1576 struct wpa_eapol_key *key;
1577 u16 key_info, ver, key_data_length;
1578 enum eapol_key_msg msg;
1579 const char *msgtxt;
1580 const u8 *key_data;
1581 size_t keyhdrlen, mic_len;
1582 u8 *mic;
1583 u8 *key_data_buf = NULL;
1584 size_t key_data_buf_len = 0;
1585
1586 if (!wpa_auth || !wpa_auth->conf.wpa || !sm)
1587 return;
1588
1589 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
1590
1591 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
1592 keyhdrlen = sizeof(*key) + mic_len + 2;
1593
1594 if (data_len < sizeof(*hdr) + keyhdrlen) {
1595 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
1596 #ifdef CONFIG_P2P_CHR
1597 wpa_supplicant_upload_go_p2p_state(wpa_auth->cb_ctx, sm->addr,
1598 P2P_INTERFACE_STATE_DISCONNECTED,
1599 DR_RX_EAPOL_FRAME_TOO_SHORT);
1600 #endif
1601 return;
1602 }
1603
1604 hdr = (struct ieee802_1x_hdr *) data;
1605 key = (struct wpa_eapol_key *) (hdr + 1);
1606 mic = (u8 *) (key + 1);
1607 key_info = WPA_GET_BE16(key->key_info);
1608 key_data = mic + mic_len + 2;
1609 key_data_length = WPA_GET_BE16(mic + mic_len);
1610 wpa_printf(MSG_INFO, "WPA: Received EAPOL-Key from " MACSTR_SEC
1611 " key_info=0x%x type=%u mic_len=%zu key_data_length=%u",
1612 MAC2STR_SEC(wpa_auth_get_spa(sm)), key_info, key->type,
1613 mic_len, key_data_length);
1614 wpa_hexdump(MSG_MSGDUMP,
1615 "WPA: EAPOL-Key header (ending before Key MIC)",
1616 key, sizeof(*key));
1617 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
1618 mic, mic_len);
1619 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
1620 wpa_printf(MSG_INFO,
1621 "WPA: Invalid EAPOL-Key frame - key_data overflow (%d > %zu)",
1622 key_data_length,
1623 data_len - sizeof(*hdr) - keyhdrlen);
1624 return;
1625 }
1626
1627 if (sm->wpa == WPA_VERSION_WPA2) {
1628 if (key->type == EAPOL_KEY_TYPE_WPA) {
1629 /*
1630 * Some deployed station implementations seem to send
1631 * msg 4/4 with incorrect type value in WPA2 mode.
1632 */
1633 wpa_printf(MSG_DEBUG,
1634 "Workaround: Allow EAPOL-Key with unexpected WPA type in RSN mode");
1635 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
1636 wpa_printf(MSG_DEBUG,
1637 "Ignore EAPOL-Key with unexpected type %d in RSN mode",
1638 key->type);
1639 #ifdef CONFIG_P2P_CHR
1640 wpa_supplicant_upload_go_p2p_state(wpa_auth->cb_ctx, sm->addr,
1641 P2P_INTERFACE_STATE_DISCONNECTED,
1642 DR_RX_EAPOL_FRAME_UNEXPECTED_TYPE_IN_RSN_MODE);
1643 #endif
1644 return;
1645 }
1646 } else {
1647 if (key->type != EAPOL_KEY_TYPE_WPA) {
1648 wpa_printf(MSG_DEBUG,
1649 "Ignore EAPOL-Key with unexpected type %d in WPA mode",
1650 key->type);
1651 #ifdef CONFIG_P2P_CHR
1652 wpa_supplicant_upload_go_p2p_state(wpa_auth->cb_ctx, sm->addr,
1653 P2P_INTERFACE_STATE_DISCONNECTED,
1654 DR_RX_EAPOL_FRAME_UNEXPECTED_TYPE_IN_RSN_MODE);
1655 #endif
1656 return;
1657 }
1658 }
1659
1660 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
1661 WPA_NONCE_LEN);
1662 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
1663 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1664
1665 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
1666 * are set */
1667
1668 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
1669 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message");
1670 return;
1671 }
1672
1673 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
1674 if (!wpa_auth_valid_key_desc_ver(wpa_auth, sm, ver))
1675 goto out;
1676 if (mic_len > 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1677 sm->PTK_valid &&
1678 (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1679 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
1680 wpa_use_aes_key_wrap(sm->wpa_key_mgmt)) &&
1681 key_data_length >= 8 && key_data_length % 8 == 0) {
1682 key_data_length -= 8; /* AES-WRAP adds 8 bytes */
1683 key_data_buf = os_malloc(key_data_length);
1684 if (!key_data_buf)
1685 goto out;
1686 key_data_buf_len = key_data_length;
1687 if (aes_unwrap(sm->PTK.kek, sm->PTK.kek_len,
1688 key_data_length / 8, key_data, key_data_buf)) {
1689 wpa_printf(MSG_INFO,
1690 "RSN: AES unwrap failed - could not decrypt EAPOL-Key key data");
1691 goto out;
1692 }
1693 key_data = key_data_buf;
1694 wpa_hexdump_key(MSG_DEBUG, "RSN: Decrypted EAPOL-Key Key Data",
1695 key_data, key_data_length);
1696 }
1697
1698 if (key_info & WPA_KEY_INFO_REQUEST) {
1699 msg = REQUEST;
1700 msgtxt = "Request";
1701 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
1702 msg = GROUP_2;
1703 msgtxt = "2/2 Group";
1704 } else if (key_data_length == 0 ||
1705 (sm->wpa == WPA_VERSION_WPA2 &&
1706 (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA) ||
1707 key_data_buf) &&
1708 (key_info & WPA_KEY_INFO_SECURE) &&
1709 !get_ie(key_data, key_data_length, WLAN_EID_RSN)) ||
1710 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1711 key_data_length == AES_BLOCK_SIZE)) {
1712 msg = PAIRWISE_4;
1713 msgtxt = "4/4 Pairwise";
1714 } else {
1715 msg = PAIRWISE_2;
1716 msgtxt = "2/4 Pairwise";
1717 }
1718
1719 if (!wpa_auth_valid_counter(wpa_auth, sm, key, msg, msgtxt))
1720 goto out;
1721
1722 #ifdef CONFIG_FILS
1723 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1724 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1725 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1726 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1727 goto out;
1728 }
1729 #endif /* CONFIG_FILS */
1730
1731 switch (msg) {
1732 case PAIRWISE_2:
1733 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
1734 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1735 (!sm->update_snonce ||
1736 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
1737 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1738 LOGGER_INFO,
1739 "received EAPOL-Key msg 2/4 in invalid state (%d) - dropped",
1740 sm->wpa_ptk_state);
1741 #ifdef CONFIG_P2P_CHR
1742 wpa_supplicant_upload_go_p2p_state(wpa_auth->cb_ctx, sm->addr,
1743 P2P_INTERFACE_STATE_DISCONNECTED,
1744 DR_RX_EAPOL_FRAME_MSG_2_4_DROP_INVALID_STATE);
1745 #endif
1746 goto out;
1747 }
1748 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
1749 if (sm->group->reject_4way_hs_for_entropy) {
1750 /*
1751 * The system did not have enough entropy to generate
1752 * strong random numbers. Reject the first 4-way
1753 * handshake(s) and collect some entropy based on the
1754 * information from it. Once enough entropy is
1755 * available, the next atempt will trigger GMK/Key
1756 * Counter update and the station will be allowed to
1757 * continue.
1758 */
1759 wpa_printf(MSG_DEBUG,
1760 "WPA: Reject 4-way handshake to collect more entropy for random number generation");
1761 random_mark_pool_ready();
1762 #ifdef CONFIG_P2P_CHR
1763 wpa_supplicant_upload_go_p2p_state(wpa_auth->cb_ctx, sm->addr,
1764 P2P_INTERFACE_STATE_DISCONNECTED,
1765 DR_RX_EAPOL_REJECT_4WAY_HS_FOR_ENTROPY);
1766 #endif
1767 wpa_sta_disconnect(wpa_auth, sm->addr,
1768 WLAN_REASON_PREV_AUTH_NOT_VALID);
1769 goto out;
1770 }
1771 break;
1772 case PAIRWISE_4:
1773 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1774 !sm->PTK_valid) {
1775 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1776 LOGGER_INFO,
1777 "received EAPOL-Key msg 4/4 in invalid state (%d) - dropped",
1778 sm->wpa_ptk_state);
1779 #ifdef CONFIG_P2P_CHR
1780 wpa_supplicant_upload_go_p2p_state(wpa_auth->cb_ctx, sm->addr,
1781 P2P_INTERFACE_STATE_DISCONNECTED,
1782 DR_RX_EAPOL_FRAME_MSG_4_4_DROP_INVALID_STATE);
1783 #endif
1784 goto out;
1785 }
1786 break;
1787 case GROUP_2:
1788 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1789 || !sm->PTK_valid) {
1790 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1791 LOGGER_INFO,
1792 "received EAPOL-Key msg 2/2 in invalid state (%d) - dropped",
1793 sm->wpa_ptk_group_state);
1794 #ifdef CONFIG_P2P_CHR
1795 wpa_supplicant_upload_go_p2p_state(wpa_auth->cb_ctx, sm->addr,
1796 P2P_INTERFACE_STATE_DISCONNECTED,
1797 DR_RX_EAPOL_FRAME_MSG_2_2_DROP_INVALID_STATE);
1798 #endif
1799 goto out;
1800 }
1801 break;
1802 case REQUEST:
1803 if (sm->wpa_ptk_state == WPA_PTK_PTKSTART ||
1804 sm->wpa_ptk_state == WPA_PTK_PTKCALCNEGOTIATING ||
1805 sm->wpa_ptk_state == WPA_PTK_PTKCALCNEGOTIATING2 ||
1806 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1807 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1808 LOGGER_INFO,
1809 "received EAPOL-Key Request in invalid state (%d) - dropped",
1810 sm->wpa_ptk_state);
1811 goto out;
1812 }
1813 break;
1814 }
1815
1816 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1817 "received EAPOL-Key frame (%s)", msgtxt);
1818 #ifdef CONFIG_P2P_CHR
1819 if (msg == PAIRWISE_2) {
1820 wpa_supplicant_upload_go_p2p_state(wpa_auth->cb_ctx, sm->addr,
1821 P2P_INTERFACE_STATE_4WAY_HANDSHAKE_2, P2P_CHR_DEFAULT_REASON_CODE);
1822 } else if (msg == PAIRWISE_4) {
1823 wpa_supplicant_upload_go_p2p_state(wpa_auth->cb_ctx, sm->addr,
1824 P2P_INTERFACE_STATE_GROUP_HANDSHAKE, P2P_CHR_DEFAULT_REASON_CODE);
1825 }
1826 #endif
1827 if (key_info & WPA_KEY_INFO_ACK) {
1828 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1829 "received invalid EAPOL-Key: Key Ack set");
1830 #ifdef CONFIG_P2P_CHR
1831 wpa_supplicant_upload_go_p2p_state(wpa_auth->cb_ctx, sm->addr,
1832 P2P_INTERFACE_STATE_DISCONNECTED,
1833 DR_RX_EAPOL_FRAME_INVALID_KEY_ACK_SET);
1834 #endif
1835 goto out;
1836 }
1837
1838 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1839 !(key_info & WPA_KEY_INFO_MIC)) {
1840 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1841 "received invalid EAPOL-Key: Key MIC not set");
1842 #ifdef CONFIG_P2P_CHR
1843 wpa_supplicant_upload_go_p2p_state(wpa_auth->cb_ctx, sm->addr,
1844 P2P_INTERFACE_STATE_DISCONNECTED,
1845 DR_RX_EAPOL_FRAME_INVALID_KEY_MIC_NOT_SET);
1846 #endif
1847 goto out;
1848 }
1849
1850 #ifdef CONFIG_FILS
1851 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1852 (key_info & WPA_KEY_INFO_MIC)) {
1853 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1854 "received invalid EAPOL-Key: Key MIC set");
1855 #ifdef CONFIG_P2P_CHR
1856 wpa_supplicant_upload_go_p2p_state(wpa_auth->cb_ctx, sm->addr,
1857 P2P_INTERFACE_STATE_DISCONNECTED,
1858 DR_RX_EAPOL_FRAME_INVALID_KEY_MIC_SET);
1859 #endif
1860 goto out;
1861 }
1862 #endif /* CONFIG_FILS */
1863
1864 sm->MICVerified = false;
1865 if (sm->PTK_valid && !sm->update_snonce) {
1866 if (mic_len &&
1867 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK,
1868 data, data_len) &&
1869 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1870 wpa_try_alt_snonce(sm, data, data_len))) {
1871 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1872 LOGGER_INFO,
1873 "received EAPOL-Key with invalid MIC");
1874 #ifdef TEST_FUZZ
1875 wpa_printf(MSG_INFO,
1876 "TEST: Ignore Key MIC failure for fuzz testing");
1877 goto continue_fuzz;
1878 #endif /* TEST_FUZZ */
1879 goto out;
1880 }
1881 #ifdef CONFIG_FILS
1882 if (!mic_len &&
1883 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1884 &key_data_length) < 0) {
1885 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1886 LOGGER_INFO,
1887 "received EAPOL-Key with invalid MIC");
1888 #ifdef TEST_FUZZ
1889 wpa_printf(MSG_INFO,
1890 "TEST: Ignore Key MIC failure for fuzz testing");
1891 goto continue_fuzz;
1892 #endif /* TEST_FUZZ */
1893 goto out;
1894 }
1895 #endif /* CONFIG_FILS */
1896 #ifdef TEST_FUZZ
1897 continue_fuzz:
1898 #endif /* TEST_FUZZ */
1899 sm->MICVerified = true;
1900 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1901 sm->pending_1_of_4_timeout = 0;
1902 }
1903
1904 if (key_info & WPA_KEY_INFO_REQUEST) {
1905 if (!(key_info & WPA_KEY_INFO_SECURE)) {
1906 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1907 LOGGER_INFO,
1908 "received EAPOL-Key request without Secure=1");
1909 goto out;
1910 }
1911 if (sm->MICVerified) {
1912 sm->req_replay_counter_used = 1;
1913 os_memcpy(sm->req_replay_counter, key->replay_counter,
1914 WPA_REPLAY_COUNTER_LEN);
1915 } else {
1916 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1917 LOGGER_INFO,
1918 "received EAPOL-Key request with invalid MIC");
1919 goto out;
1920 }
1921
1922 if (key_info & WPA_KEY_INFO_ERROR) {
1923 if (wpa_receive_error_report(
1924 wpa_auth, sm,
1925 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1926 goto out; /* STA entry was removed */
1927 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1928 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1929 LOGGER_INFO,
1930 "received EAPOL-Key Request for new 4-Way Handshake");
1931 wpa_request_new_ptk(sm);
1932 } else {
1933 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1934 LOGGER_INFO,
1935 "received EAPOL-Key Request for GTK rekeying");
1936
1937 eloop_cancel_timeout(wpa_rekey_gtk,
1938 wpa_get_primary_auth(wpa_auth),
1939 NULL);
1940 if (wpa_auth_gtk_rekey_in_process(wpa_auth))
1941 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG,
1942 "skip new GTK rekey - already in process");
1943 else
1944 wpa_rekey_gtk(wpa_get_primary_auth(wpa_auth),
1945 NULL);
1946 }
1947 } else {
1948 /* Do not allow the same key replay counter to be reused. */
1949 wpa_replay_counter_mark_invalid(sm->key_replay,
1950 key->replay_counter);
1951
1952 if (msg == PAIRWISE_2) {
1953 /*
1954 * Maintain a copy of the pending EAPOL-Key frames in
1955 * case the EAPOL-Key frame was retransmitted. This is
1956 * needed to allow EAPOL-Key msg 2/4 reply to another
1957 * pending msg 1/4 to update the SNonce to work around
1958 * unexpected supplicant behavior.
1959 */
1960 os_memcpy(sm->prev_key_replay, sm->key_replay,
1961 sizeof(sm->key_replay));
1962 } else {
1963 os_memset(sm->prev_key_replay, 0,
1964 sizeof(sm->prev_key_replay));
1965 }
1966
1967 /*
1968 * Make sure old valid counters are not accepted anymore and
1969 * do not get copied again.
1970 */
1971 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1972 }
1973
1974 os_free(sm->last_rx_eapol_key);
1975 sm->last_rx_eapol_key = os_memdup(data, data_len);
1976 if (!sm->last_rx_eapol_key)
1977 goto out;
1978 sm->last_rx_eapol_key_len = data_len;
1979
1980 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1981 sm->EAPOLKeyReceived = true;
1982 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1983 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1984 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1985 wpa_sm_step(sm);
1986
1987 out:
1988 bin_clear_free(key_data_buf, key_data_buf_len);
1989 }
1990
1991
1992 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1993 const u8 *gnonce, u8 *gtk, size_t gtk_len)
1994 {
1995 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN];
1996 u8 *pos;
1997 int ret = 0;
1998
1999 /* GTK = PRF-X(GMK, "Group key expansion",
2000 * AA || GNonce || Time || random data)
2001 * The example described in the IEEE 802.11 standard uses only AA and
2002 * GNonce as inputs here. Add some more entropy since this derivation
2003 * is done only at the Authenticator and as such, does not need to be
2004 * exactly same.
2005 */
2006 os_memset(data, 0, sizeof(data));
2007 os_memcpy(data, addr, ETH_ALEN);
2008 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
2009 pos = data + ETH_ALEN + WPA_NONCE_LEN;
2010 wpa_get_ntp_timestamp(pos);
2011 #ifdef TEST_FUZZ
2012 os_memset(pos, 0xef, 8);
2013 #endif /* TEST_FUZZ */
2014 pos += 8;
2015 if (random_get_bytes(pos, gtk_len) < 0)
2016 ret = -1;
2017
2018 #ifdef CONFIG_SHA384
2019 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
2020 gtk, gtk_len) < 0)
2021 ret = -1;
2022 #else /* CONFIG_SHA384 */
2023 #ifdef CONFIG_SHA256
2024 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
2025 gtk, gtk_len) < 0)
2026 ret = -1;
2027 #else /* CONFIG_SHA256 */
2028 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
2029 gtk, gtk_len) < 0)
2030 ret = -1;
2031 #endif /* CONFIG_SHA256 */
2032 #endif /* CONFIG_SHA384 */
2033
2034 forced_memzero(data, sizeof(data));
2035
2036 return ret;
2037 }
2038
2039
2040 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
2041 {
2042 struct wpa_authenticator *wpa_auth = eloop_ctx;
2043 struct wpa_state_machine *sm = timeout_ctx;
2044
2045 if (sm->waiting_radius_psk) {
2046 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
2047 "Ignore EAPOL-Key timeout while waiting for RADIUS PSK");
2048 return;
2049 }
2050
2051 sm->pending_1_of_4_timeout = 0;
2052 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
2053 "EAPOL-Key timeout");
2054 sm->TimeoutEvt = true;
2055 wpa_sm_step(sm);
2056 }
2057
2058
2059 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
2060 struct wpa_state_machine *sm, int key_info,
2061 const u8 *key_rsc, const u8 *nonce,
2062 const u8 *kde, size_t kde_len,
2063 int keyidx, int encr, int force_version)
2064 {
2065 struct wpa_auth_config *conf = &wpa_auth->conf;
2066 struct ieee802_1x_hdr *hdr;
2067 struct wpa_eapol_key *key;
2068 size_t len, mic_len, keyhdrlen;
2069 int alg;
2070 int key_data_len, pad_len = 0;
2071 u8 *buf, *pos;
2072 int version, pairwise;
2073 int i;
2074 u8 *key_mic, *key_data;
2075
2076 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
2077 keyhdrlen = sizeof(*key) + mic_len + 2;
2078
2079 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
2080
2081 if (force_version)
2082 version = force_version;
2083 else if (wpa_use_akm_defined(sm->wpa_key_mgmt))
2084 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
2085 else if (wpa_use_cmac(sm->wpa_key_mgmt))
2086 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
2087 else if (sm->pairwise != WPA_CIPHER_TKIP)
2088 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
2089 else
2090 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
2091
2092 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
2093
2094 wpa_printf(MSG_DEBUG,
2095 "WPA: Send EAPOL(version=%d secure=%d mic=%d ack=%d install=%d pairwise=%d kde_len=%zu keyidx=%d encr=%d)",
2096 version,
2097 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
2098 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
2099 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
2100 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
2101 pairwise, kde_len, keyidx, encr);
2102
2103 key_data_len = kde_len;
2104
2105 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
2106 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
2107 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
2108 pad_len = key_data_len % 8;
2109 if (pad_len)
2110 pad_len = 8 - pad_len;
2111 key_data_len += pad_len + 8;
2112 }
2113
2114 len += key_data_len;
2115 if (!mic_len && encr)
2116 len += AES_BLOCK_SIZE;
2117
2118 hdr = os_zalloc(len);
2119 if (!hdr)
2120 return;
2121 hdr->version = conf->eapol_version;
2122 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
2123 hdr->length = host_to_be16(len - sizeof(*hdr));
2124 key = (struct wpa_eapol_key *) (hdr + 1);
2125 key_mic = (u8 *) (key + 1);
2126 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
2127
2128 key->type = sm->wpa == WPA_VERSION_WPA2 ?
2129 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2130 key_info |= version;
2131 if (encr && sm->wpa == WPA_VERSION_WPA2)
2132 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2133 if (sm->wpa != WPA_VERSION_WPA2)
2134 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
2135 WPA_PUT_BE16(key->key_info, key_info);
2136
2137 alg = pairwise ? sm->pairwise : conf->wpa_group;
2138 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise)
2139 WPA_PUT_BE16(key->key_length, 0);
2140 else
2141 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
2142
2143 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
2144 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
2145 os_memcpy(sm->key_replay[i].counter,
2146 sm->key_replay[i - 1].counter,
2147 WPA_REPLAY_COUNTER_LEN);
2148 }
2149 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
2150 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
2151 WPA_REPLAY_COUNTER_LEN);
2152 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
2153 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
2154 sm->key_replay[0].valid = true;
2155
2156 if (nonce)
2157 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
2158
2159 if (key_rsc)
2160 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
2161
2162 if (kde && !encr) {
2163 os_memcpy(key_data, kde, kde_len);
2164 WPA_PUT_BE16(key_mic + mic_len, kde_len);
2165 #ifdef CONFIG_FILS
2166 } else if (!mic_len && kde) {
2167 const u8 *aad[1];
2168 size_t aad_len[1];
2169
2170 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
2171 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
2172 kde, kde_len);
2173
2174 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
2175 sm->PTK.kek, sm->PTK.kek_len);
2176 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2177 * to Key Data (exclusive). */
2178 aad[0] = (u8 *) hdr;
2179 aad_len[0] = key_mic + 2 - (u8 *) hdr;
2180 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
2181 1, aad, aad_len, key_mic + 2) < 0) {
2182 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
2183 return;
2184 }
2185
2186 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
2187 key_mic + 2, AES_BLOCK_SIZE + kde_len);
2188 #endif /* CONFIG_FILS */
2189 } else if (encr && kde) {
2190 buf = os_zalloc(key_data_len);
2191 if (!buf) {
2192 os_free(hdr);
2193 return;
2194 }
2195 pos = buf;
2196 os_memcpy(pos, kde, kde_len);
2197 pos += kde_len;
2198
2199 if (pad_len)
2200 *pos++ = 0xdd;
2201
2202 wpa_hexdump_key(MSG_DEBUG,
2203 "Plaintext EAPOL-Key Key Data (+ padding)",
2204 buf, key_data_len);
2205 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
2206 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
2207 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
2208 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK",
2209 sm->PTK.kek, sm->PTK.kek_len);
2210 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
2211 (key_data_len - 8) / 8, buf, key_data)) {
2212 os_free(hdr);
2213 bin_clear_free(buf, key_data_len);
2214 return;
2215 }
2216 wpa_hexdump(MSG_DEBUG,
2217 "RSN: Encrypted Key Data from AES-WRAP",
2218 key_data, key_data_len);
2219 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
2220 #if !defined(CONFIG_NO_RC4) && !defined(CONFIG_FIPS)
2221 } else if (sm->PTK.kek_len == 16) {
2222 u8 ek[32];
2223
2224 wpa_printf(MSG_DEBUG,
2225 "WPA: Encrypt Key Data using RC4");
2226 os_memcpy(key->key_iv,
2227 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
2228 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
2229 os_memcpy(ek, key->key_iv, 16);
2230 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
2231 os_memcpy(key_data, buf, key_data_len);
2232 rc4_skip(ek, 32, 256, key_data, key_data_len);
2233 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
2234 #endif /* !(CONFIG_NO_RC4 || CONFIG_FIPS) */
2235 } else {
2236 os_free(hdr);
2237 bin_clear_free(buf, key_data_len);
2238 return;
2239 }
2240 bin_clear_free(buf, key_data_len);
2241 }
2242
2243 if (key_info & WPA_KEY_INFO_MIC) {
2244 if (!sm->PTK_valid || !mic_len) {
2245 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
2246 LOGGER_DEBUG,
2247 "PTK not valid when sending EAPOL-Key frame");
2248 os_free(hdr);
2249 return;
2250 }
2251
2252 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
2253 sm->wpa_key_mgmt, version,
2254 (u8 *) hdr, len, key_mic) < 0) {
2255 os_free(hdr);
2256 return;
2257 }
2258 #ifdef CONFIG_TESTING_OPTIONS
2259 if (!pairwise &&
2260 conf->corrupt_gtk_rekey_mic_probability > 0.0 &&
2261 drand48() < conf->corrupt_gtk_rekey_mic_probability) {
2262 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
2263 LOGGER_INFO,
2264 "Corrupting group EAPOL-Key Key MIC");
2265 key_mic[0]++;
2266 }
2267 #endif /* CONFIG_TESTING_OPTIONS */
2268 }
2269
2270 wpa_auth_set_eapol(wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1);
2271 wpa_hexdump(MSG_DEBUG, "Send EAPOL-Key msg", hdr, len);
2272 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
2273 sm->pairwise_set);
2274 os_free(hdr);
2275 }
2276
2277
2278 static int wpa_auth_get_sta_count(struct wpa_authenticator *wpa_auth)
2279 {
2280 if (!wpa_auth->cb->get_sta_count)
2281 return -1;
2282
2283 return wpa_auth->cb->get_sta_count(wpa_auth->cb_ctx);
2284 }
2285
2286
2287 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
2288 struct wpa_state_machine *sm, int key_info,
2289 const u8 *key_rsc, const u8 *nonce,
2290 const u8 *kde, size_t kde_len,
2291 int keyidx, int encr)
2292 {
2293 int timeout_ms;
2294 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
2295 u32 ctr;
2296
2297 if (!sm)
2298 return;
2299
2300 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
2301
2302 #ifdef CONFIG_TESTING_OPTIONS
2303 /* When delay_eapol_tx is true, delay the EAPOL-Key transmission by
2304 * sending it only on the last attempt after all timeouts for the prior
2305 * skipped attemps. */
2306 if (wpa_auth->conf.delay_eapol_tx &&
2307 ctr != wpa_auth->conf.wpa_pairwise_update_count) {
2308 wpa_msg(sm->wpa_auth->conf.msg_ctx, MSG_INFO,
2309 "DELAY-EAPOL-TX-%d", ctr);
2310 goto skip_tx;
2311 }
2312 #endif /* CONFIG_TESTING_OPTIONS */
2313 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
2314 keyidx, encr, 0);
2315 #ifdef CONFIG_TESTING_OPTIONS
2316 skip_tx:
2317 #endif /* CONFIG_TESTING_OPTIONS */
2318
2319 if (ctr == 1 && wpa_auth->conf.tx_status) {
2320 #if defined(CONFIG_OPEN_HARMONY_PATCH) && defined(OPEN_HARMONY_MIRACAST_SINK_OPT)
2321 timeout_ms = pairwise ? HM_EAPOL_KEY_TIMEOUT_FIRST :
2322 eapol_key_timeout_first_group;
2323 #else
2324 if (pairwise)
2325 timeout_ms = eapol_key_timeout_first;
2326 else if (wpa_auth_get_sta_count(wpa_auth) > 100)
2327 timeout_ms = eapol_key_timeout_first_group * 2;
2328 else
2329 timeout_ms = eapol_key_timeout_first_group;
2330 #endif
2331 } else {
2332 timeout_ms = eapol_key_timeout_subseq;
2333 }
2334 if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
2335 (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
2336 timeout_ms = eapol_key_timeout_no_retrans;
2337 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
2338 sm->pending_1_of_4_timeout = 1;
2339 #ifdef TEST_FUZZ
2340 timeout_ms = 1;
2341 #endif /* TEST_FUZZ */
2342 wpa_printf(MSG_DEBUG,
2343 "WPA: Use EAPOL-Key timeout of %u ms (retry counter %u)",
2344 timeout_ms, ctr);
2345 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
2346 wpa_send_eapol_timeout, wpa_auth, sm);
2347 }
2348
2349
2350 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
2351 u8 *data, size_t data_len)
2352 {
2353 struct ieee802_1x_hdr *hdr;
2354 struct wpa_eapol_key *key;
2355 u16 key_info;
2356 int ret = 0;
2357 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
2358 size_t mic_len = wpa_mic_len(akmp, pmk_len);
2359
2360 if (data_len < sizeof(*hdr) + sizeof(*key))
2361 return -1;
2362
2363 hdr = (struct ieee802_1x_hdr *) data;
2364 key = (struct wpa_eapol_key *) (hdr + 1);
2365 mic_pos = (u8 *) (key + 1);
2366 key_info = WPA_GET_BE16(key->key_info);
2367 os_memcpy(mic, mic_pos, mic_len);
2368 os_memset(mic_pos, 0, mic_len);
2369 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
2370 key_info & WPA_KEY_INFO_TYPE_MASK,
2371 data, data_len, mic_pos) ||
2372 os_memcmp_const(mic, mic_pos, mic_len) != 0)
2373 ret = -1;
2374 os_memcpy(mic_pos, mic, mic_len);
2375 return ret;
2376 }
2377
2378
2379 void wpa_remove_ptk(struct wpa_state_machine *sm)
2380 {
2381 if (sm == NULL)
2382 return;
2383
2384 sm->PTK_valid = false;
2385 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2386
2387 wpa_auth_remove_ptksa(sm->wpa_auth, sm->addr, sm->pairwise);
2388
2389 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
2390 0, KEY_FLAG_PAIRWISE))
2391 wpa_printf(MSG_DEBUG,
2392 "RSN: PTK removal from the driver failed");
2393 if (sm->use_ext_key_id &&
2394 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 1, NULL,
2395 0, KEY_FLAG_PAIRWISE))
2396 wpa_printf(MSG_DEBUG,
2397 "RSN: PTK Key ID 1 removal from the driver failed");
2398 sm->pairwise_set = false;
2399 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2400 }
2401
2402
2403 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
2404 {
2405 int remove_ptk = 1;
2406
2407 if (!sm)
2408 return -1;
2409
2410 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
2411 "event %d notification", event);
2412
2413 switch (event) {
2414 case WPA_AUTH:
2415 #ifdef CONFIG_MESH
2416 /* PTKs are derived through AMPE */
2417 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
2418 /* not mesh */
2419 break;
2420 }
2421 return 0;
2422 #endif /* CONFIG_MESH */
2423 case WPA_ASSOC:
2424 break;
2425 case WPA_DEAUTH:
2426 case WPA_DISASSOC:
2427 sm->DeauthenticationRequest = true;
2428 os_memset(sm->PMK, 0, sizeof(sm->PMK));
2429 sm->pmk_len = 0;
2430 #ifdef CONFIG_IEEE80211R_AP
2431 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
2432 sm->xxkey_len = 0;
2433 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
2434 sm->pmk_r1_len = 0;
2435 #endif /* CONFIG_IEEE80211R_AP */
2436 break;
2437 case WPA_REAUTH:
2438 case WPA_REAUTH_EAPOL:
2439 if (!sm->started) {
2440 /*
2441 * When using WPS, we may end up here if the STA
2442 * manages to re-associate without the previous STA
2443 * entry getting removed. Consequently, we need to make
2444 * sure that the WPA state machines gets initialized
2445 * properly at this point.
2446 */
2447 wpa_printf(MSG_DEBUG,
2448 "WPA state machine had not been started - initialize now");
2449 sm->started = 1;
2450 sm->Init = true;
2451 if (wpa_sm_step(sm) == 1)
2452 return 1; /* should not really happen */
2453 sm->Init = false;
2454 sm->AuthenticationRequest = true;
2455 break;
2456 }
2457
2458 if (sm->ptkstart_without_success > 3) {
2459 wpa_printf(MSG_INFO,
2460 "WPA: Multiple EAP reauth attempts without 4-way handshake completion, disconnect "
2461 MACSTR, MAC2STR(sm->addr));
2462 sm->Disconnect = true;
2463 break;
2464 }
2465
2466 if (!sm->use_ext_key_id &&
2467 sm->wpa_auth->conf.wpa_deny_ptk0_rekey) {
2468 wpa_printf(MSG_INFO,
2469 "WPA: PTK0 rekey not allowed, disconnect "
2470 MACSTR_SEC, MAC2STR_SEC(wpa_auth_get_spa(sm)));
2471 sm->Disconnect = true;
2472 /* Try to encourage the STA to reconnect */
2473 sm->disconnect_reason =
2474 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA;
2475 break;
2476 }
2477
2478 if (sm->use_ext_key_id)
2479 sm->keyidx_active ^= 1; /* flip Key ID */
2480
2481 if (sm->GUpdateStationKeys) {
2482 /*
2483 * Reauthentication cancels the pending group key
2484 * update for this STA.
2485 */
2486 wpa_gkeydone_sta(sm);
2487 sm->PtkGroupInit = true;
2488 }
2489 sm->ReAuthenticationRequest = true;
2490 break;
2491 case WPA_ASSOC_FT:
2492 #ifdef CONFIG_IEEE80211R_AP
2493 wpa_printf(MSG_DEBUG,
2494 "FT: Retry PTK configuration after association");
2495 wpa_ft_install_ptk(sm, 1);
2496
2497 /* Using FT protocol, not WPA auth state machine */
2498 sm->ft_completed = 1;
2499 wpa_auth_set_ptk_rekey_timer(sm);
2500 return 0;
2501 #else /* CONFIG_IEEE80211R_AP */
2502 break;
2503 #endif /* CONFIG_IEEE80211R_AP */
2504 case WPA_ASSOC_FILS:
2505 #ifdef CONFIG_FILS
2506 wpa_printf(MSG_DEBUG,
2507 "FILS: TK configuration after association");
2508 fils_set_tk(sm);
2509 sm->fils_completed = 1;
2510 return 0;
2511 #else /* CONFIG_FILS */
2512 break;
2513 #endif /* CONFIG_FILS */
2514 case WPA_DRV_STA_REMOVED:
2515 sm->tk_already_set = false;
2516 return 0;
2517 }
2518
2519 #ifdef CONFIG_IEEE80211R_AP
2520 sm->ft_completed = 0;
2521 #endif /* CONFIG_IEEE80211R_AP */
2522
2523 if (sm->mgmt_frame_prot && event == WPA_AUTH)
2524 remove_ptk = 0;
2525 #ifdef CONFIG_FILS
2526 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
2527 (event == WPA_AUTH || event == WPA_ASSOC))
2528 remove_ptk = 0;
2529 #endif /* CONFIG_FILS */
2530
2531 if (remove_ptk) {
2532 sm->PTK_valid = false;
2533 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2534
2535 if (event != WPA_REAUTH_EAPOL)
2536 wpa_remove_ptk(sm);
2537 }
2538
2539 if (sm->in_step_loop) {
2540 /*
2541 * wpa_sm_step() is already running - avoid recursive call to
2542 * it by making the existing loop process the new update.
2543 */
2544 sm->changed = true;
2545 return 0;
2546 }
2547 return wpa_sm_step(sm);
2548 }
2549
2550
2551 SM_STATE(WPA_PTK, INITIALIZE)
2552 {
2553 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
2554 if (sm->Init) {
2555 /* Init flag is not cleared here, so avoid busy
2556 * loop by claiming nothing changed. */
2557 sm->changed = false;
2558 }
2559
2560 sm->keycount = 0;
2561 if (sm->GUpdateStationKeys)
2562 wpa_gkeydone_sta(sm);
2563 if (sm->wpa == WPA_VERSION_WPA)
2564 sm->PInitAKeys = false;
2565 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
2566 * Local AA > Remote AA)) */) {
2567 sm->Pair = true;
2568 }
2569 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
2570 wpa_remove_ptk(sm);
2571 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
2572 sm->TimeoutCtr = 0;
2573 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
2574 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
2575 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
2576 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2577 WPA_EAPOL_authorized, 0);
2578 }
2579 }
2580
2581
2582 SM_STATE(WPA_PTK, DISCONNECT)
2583 {
2584 u16 reason = sm->disconnect_reason;
2585
2586 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
2587 sm->Disconnect = false;
2588 sm->disconnect_reason = 0;
2589 if (!reason)
2590 reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
2591 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason);
2592 }
2593
2594
2595 SM_STATE(WPA_PTK, DISCONNECTED)
2596 {
2597 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
2598 sm->DeauthenticationRequest = false;
2599 }
2600
2601
2602 SM_STATE(WPA_PTK, AUTHENTICATION)
2603 {
2604 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
2605 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2606 sm->PTK_valid = false;
2607 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
2608 1);
2609 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
2610 sm->AuthenticationRequest = false;
2611 }
2612
2613
2614 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
2615 struct wpa_group *group)
2616 {
2617 if (group->first_sta_seen)
2618 return;
2619 /*
2620 * System has run bit further than at the time hostapd was started
2621 * potentially very early during boot up. This provides better chances
2622 * of collecting more randomness on embedded systems. Re-initialize the
2623 * GMK and Counter here to improve their strength if there was not
2624 * enough entropy available immediately after system startup.
2625 */
2626 wpa_printf(MSG_DEBUG,
2627 "WPA: Re-initialize GMK/Counter on first station");
2628 if (random_pool_ready() != 1) {
2629 wpa_printf(MSG_INFO,
2630 "WPA: Not enough entropy in random pool to proceed - reject first 4-way handshake");
2631 group->reject_4way_hs_for_entropy = true;
2632 } else {
2633 group->first_sta_seen = true;
2634 group->reject_4way_hs_for_entropy = false;
2635 }
2636
2637 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
2638 wpa_gtk_update(wpa_auth, group) < 0 ||
2639 wpa_group_config_group_keys(wpa_auth, group) < 0) {
2640 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
2641 group->first_sta_seen = false;
2642 group->reject_4way_hs_for_entropy = true;
2643 }
2644 }
2645
2646
2647 SM_STATE(WPA_PTK, AUTHENTICATION2)
2648 {
2649 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
2650
2651 wpa_group_ensure_init(sm->wpa_auth, sm->group);
2652 sm->ReAuthenticationRequest = false;
2653
2654 /*
2655 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
2656 * ambiguous. The Authenticator state machine uses a counter that is
2657 * incremented by one for each 4-way handshake. However, the security
2658 * analysis of 4-way handshake points out that unpredictable nonces
2659 * help in preventing precomputation attacks. Instead of the state
2660 * machine definition, use an unpredictable nonce value here to provide
2661 * stronger protection against potential precomputation attacks.
2662 */
2663 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
2664 wpa_printf(MSG_ERROR,
2665 "WPA: Failed to get random data for ANonce.");
2666 sm->Disconnect = true;
2667 return;
2668 }
2669 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
2670 WPA_NONCE_LEN);
2671 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
2672 * logical place than INITIALIZE since AUTHENTICATION2 can be
2673 * re-entered on ReAuthenticationRequest without going through
2674 * INITIALIZE. */
2675 sm->TimeoutCtr = 0;
2676 }
2677
2678
2679 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
2680 {
2681 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
2682 wpa_printf(MSG_ERROR,
2683 "WPA: Failed to get random data for ANonce");
2684 sm->Disconnect = true;
2685 return -1;
2686 }
2687 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
2688 WPA_NONCE_LEN);
2689 sm->TimeoutCtr = 0;
2690 return 0;
2691 }
2692
2693
2694 SM_STATE(WPA_PTK, INITPMK)
2695 {
2696 u8 msk[2 * PMK_LEN];
2697 size_t len = 2 * PMK_LEN;
2698
2699 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
2700 #ifdef CONFIG_IEEE80211R_AP
2701 sm->xxkey_len = 0;
2702 #endif /* CONFIG_IEEE80211R_AP */
2703 if (sm->pmksa) {
2704 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
2705 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2706 sm->pmk_len = sm->pmksa->pmk_len;
2707 #ifdef CONFIG_DPP
2708 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
2709 wpa_printf(MSG_DEBUG,
2710 "DPP: No PMKSA cache entry for STA - reject connection");
2711 sm->Disconnect = true;
2712 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID;
2713 return;
2714 #endif /* CONFIG_DPP */
2715 } else if (wpa_auth_get_msk(sm->wpa_auth, wpa_auth_get_spa(sm),
2716 msk, &len) == 0) {
2717 unsigned int pmk_len;
2718
2719 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
2720 pmk_len = PMK_LEN_SUITE_B_192;
2721 else
2722 pmk_len = PMK_LEN;
2723 wpa_printf(MSG_DEBUG,
2724 "WPA: PMK from EAPOL state machine (MSK len=%zu PMK len=%u)",
2725 len, pmk_len);
2726 if (len < pmk_len) {
2727 wpa_printf(MSG_DEBUG,
2728 "WPA: MSK not long enough (%zu) to create PMK (%u)",
2729 len, pmk_len);
2730 sm->Disconnect = true;
2731 return;
2732 }
2733 os_memcpy(sm->PMK, msk, pmk_len);
2734 sm->pmk_len = pmk_len;
2735 #ifdef CONFIG_IEEE80211R_AP
2736 if (len >= 2 * PMK_LEN) {
2737 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
2738 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN);
2739 sm->xxkey_len = SHA384_MAC_LEN;
2740 } else {
2741 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
2742 sm->xxkey_len = PMK_LEN;
2743 }
2744 }
2745 #endif /* CONFIG_IEEE80211R_AP */
2746 } else {
2747 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
2748 sm->wpa_auth->cb->get_msk);
2749 sm->Disconnect = true;
2750 return;
2751 }
2752 forced_memzero(msk, sizeof(msk));
2753
2754 sm->req_replay_counter_used = 0;
2755 /* IEEE 802.11i does not set keyRun to false, but not doing this
2756 * will break reauthentication since EAPOL state machines may not be
2757 * get into AUTHENTICATING state that clears keyRun before WPA state
2758 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
2759 * state and takes PMK from the previously used AAA Key. This will
2760 * eventually fail in 4-Way Handshake because Supplicant uses PMK
2761 * derived from the new AAA Key. Setting keyRun = false here seems to
2762 * be good workaround for this issue. */
2763 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, false);
2764 }
2765
2766
2767 SM_STATE(WPA_PTK, INITPSK)
2768 {
2769 const u8 *psk;
2770 size_t psk_len;
2771
2772 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
2773 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL,
2774 &psk_len, NULL);
2775 if (psk) {
2776 os_memcpy(sm->PMK, psk, psk_len);
2777 sm->pmk_len = psk_len;
2778 #ifdef CONFIG_IEEE80211R_AP
2779 sm->xxkey_len = PMK_LEN;
2780 #ifdef CONFIG_SAE
2781 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY &&
2782 (psk_len == SHA512_MAC_LEN || psk_len == SHA384_MAC_LEN ||
2783 psk_len == SHA256_MAC_LEN))
2784 sm->xxkey_len = psk_len;
2785 #endif /* CONFIG_SAE */
2786 os_memcpy(sm->xxkey, psk, sm->xxkey_len);
2787 #endif /* CONFIG_IEEE80211R_AP */
2788 }
2789 #ifdef CONFIG_SAE
2790 if (wpa_auth_uses_sae(sm) && sm->pmksa) {
2791 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache (len=%zu)",
2792 sm->pmksa->pmk_len);
2793 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2794 sm->pmk_len = sm->pmksa->pmk_len;
2795 #ifdef CONFIG_IEEE80211R_AP
2796 os_memcpy(sm->xxkey, sm->pmksa->pmk, sm->pmksa->pmk_len);
2797 sm->xxkey_len = sm->pmksa->pmk_len;
2798 #endif /* CONFIG_IEEE80211R_AP */
2799 }
2800 #endif /* CONFIG_SAE */
2801 sm->req_replay_counter_used = 0;
2802 }
2803
2804
2805 SM_STATE(WPA_PTK, PTKSTART)
2806 {
2807 u8 *buf;
2808 size_t buf_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2809 u8 *pmkid = NULL;
2810 size_t kde_len = 0;
2811 u16 key_info;
2812 #ifdef CONFIG_TESTING_OPTIONS
2813 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
2814 #endif /* CONFIG_TESTING_OPTIONS */
2815
2816 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2817 sm->PTKRequest = false;
2818 sm->TimeoutEvt = false;
2819 sm->alt_snonce_valid = false;
2820 sm->ptkstart_without_success++;
2821
2822 sm->TimeoutCtr++;
2823 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
2824 /* No point in sending the EAPOL-Key - we will disconnect
2825 * immediately following this. */
2826 return;
2827 }
2828
2829 #ifdef CONFIG_IEEE80211BE
2830 if (sm->mld_assoc_link_id >= 0)
2831 buf_len += 2 + RSN_SELECTOR_LEN + ETH_ALEN;
2832 #endif /* CONFIG_IEEE80211BE */
2833 #ifdef CONFIG_TESTING_OPTIONS
2834 if (conf->eapol_m1_elements)
2835 buf_len += wpabuf_len(conf->eapol_m1_elements);
2836 #endif /* CONFIG_TESTING_OPTIONS */
2837
2838 buf = os_zalloc(buf_len);
2839 if (!buf)
2840 return;
2841
2842 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
2843 "sending 1/4 msg of 4-Way Handshake");
2844 /*
2845 * For infrastructure BSS cases, it is better for the AP not to include
2846 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate
2847 * offline search for the passphrase/PSK without having to be able to
2848 * capture a 4-way handshake from a STA that has access to the network.
2849 *
2850 * For IBSS cases, addition of PMKID KDE could be considered even with
2851 * WPA2-PSK cases that use multiple PSKs, but only if there is a single
2852 * possible PSK for this STA. However, this should not be done unless
2853 * there is support for using that information on the supplicant side.
2854 * The concern about exposing PMKID unnecessarily in infrastructure BSS
2855 * cases would also apply here, but at least in the IBSS case, this
2856 * would cover a potential real use case.
2857 */
2858 if (sm->wpa == WPA_VERSION_WPA2 &&
2859 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) ||
2860 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) ||
2861 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) &&
2862 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
2863 pmkid = buf;
2864 kde_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2865 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2866 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2867 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
2868 if (sm->pmksa) {
2869 wpa_hexdump(MSG_DEBUG,
2870 "RSN: Message 1/4 PMKID from PMKSA entry",
2871 sm->pmksa->pmkid, PMKID_LEN);
2872 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2873 sm->pmksa->pmkid, PMKID_LEN);
2874 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2875 /* No KCK available to derive PMKID */
2876 wpa_printf(MSG_DEBUG,
2877 "RSN: No KCK available to derive PMKID for message 1/4");
2878 pmkid = NULL;
2879 #ifdef CONFIG_FILS
2880 } else if (wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2881 if (sm->pmkid_set) {
2882 wpa_hexdump(MSG_DEBUG,
2883 "RSN: Message 1/4 PMKID from FILS/ERP",
2884 sm->pmkid, PMKID_LEN);
2885 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2886 sm->pmkid, PMKID_LEN);
2887 } else {
2888 /* No PMKID available */
2889 wpa_printf(MSG_DEBUG,
2890 "RSN: No FILS/ERP PMKID available for message 1/4");
2891 pmkid = NULL;
2892 }
2893 #endif /* CONFIG_FILS */
2894 #ifdef CONFIG_IEEE80211R_AP
2895 } else if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) &&
2896 sm->ft_completed) {
2897 wpa_printf(MSG_DEBUG,
2898 "FT: No PMKID in message 1/4 when using FT protocol");
2899 pmkid = NULL;
2900 #endif /* CONFIG_IEEE80211R_AP */
2901 #ifdef CONFIG_SAE
2902 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
2903 if (sm->pmkid_set) {
2904 wpa_hexdump(MSG_DEBUG,
2905 "RSN: Message 1/4 PMKID from SAE",
2906 sm->pmkid, PMKID_LEN);
2907 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2908 sm->pmkid, PMKID_LEN);
2909 } else {
2910 /* No PMKID available */
2911 wpa_printf(MSG_DEBUG,
2912 "RSN: No SAE PMKID available for message 1/4");
2913 pmkid = NULL;
2914 }
2915 #endif /* CONFIG_SAE */
2916 } else {
2917 /*
2918 * Calculate PMKID since no PMKSA cache entry was
2919 * available with pre-calculated PMKID.
2920 */
2921 rsn_pmkid(sm->PMK, sm->pmk_len,
2922 wpa_auth_get_aa(sm),
2923 wpa_auth_get_spa(sm),
2924 &pmkid[2 + RSN_SELECTOR_LEN],
2925 sm->wpa_key_mgmt);
2926 wpa_hexdump(MSG_DEBUG,
2927 "RSN: Message 1/4 PMKID derived from PMK",
2928 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN);
2929 }
2930 }
2931 if (!pmkid)
2932 kde_len = 0;
2933
2934 #ifdef CONFIG_IEEE80211BE
2935 if (sm->mld_assoc_link_id >= 0) {
2936 wpa_printf(MSG_DEBUG,
2937 "RSN: MLD: Add MAC Address KDE: kde_len=%zu",
2938 kde_len);
2939 wpa_add_kde(buf + kde_len, RSN_KEY_DATA_MAC_ADDR,
2940 sm->wpa_auth->mld_addr, ETH_ALEN, NULL, 0);
2941 kde_len += 2 + RSN_SELECTOR_LEN + ETH_ALEN;
2942 }
2943 #endif /* CONFIG_IEEE80211BE */
2944
2945 #ifdef CONFIG_TESTING_OPTIONS
2946 if (conf->eapol_m1_elements) {
2947 os_memcpy(buf + kde_len, wpabuf_head(conf->eapol_m1_elements),
2948 wpabuf_len(conf->eapol_m1_elements));
2949 kde_len += wpabuf_len(conf->eapol_m1_elements);
2950 }
2951 #endif /* CONFIG_TESTING_OPTIONS */
2952
2953 key_info = WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE;
2954 if (sm->pairwise_set && sm->wpa != WPA_VERSION_WPA)
2955 key_info |= WPA_KEY_INFO_SECURE;
2956 wpa_send_eapol(sm->wpa_auth, sm, key_info, NULL,
2957 sm->ANonce, kde_len ? buf : NULL, kde_len, 0, 0);
2958 os_free(buf);
2959 #ifdef CONFIG_P2P_CHR
2960 wpa_supplicant_upload_go_p2p_state(sm->wpa_auth->cb_ctx, sm->addr,
2961 P2P_INTERFACE_STATE_4WAY_HANDSHAKE_1, P2P_CHR_DEFAULT_REASON_CODE);
2962 #endif
2963 }
2964
2965
2966 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
2967 const u8 *pmk, unsigned int pmk_len,
2968 struct wpa_ptk *ptk, int force_sha256,
2969 u8 *pmk_r0, u8 *pmk_r1, u8 *pmk_r0_name,
2970 size_t *key_len, bool no_kdk)
2971 {
2972 const u8 *z = NULL;
2973 size_t z_len = 0, kdk_len;
2974 int akmp;
2975 int ret;
2976
2977 if (sm->wpa_auth->conf.force_kdk_derivation ||
2978 (!no_kdk && sm->wpa_auth->conf.secure_ltf &&
2979 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
2980 kdk_len = WPA_KDK_MAX_LEN;
2981 else
2982 kdk_len = 0;
2983
2984 #ifdef CONFIG_IEEE80211R_AP
2985 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2986 if (sm->ft_completed) {
2987 u8 ptk_name[WPA_PMK_NAME_LEN];
2988
2989 ret = wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->pmk_r1_len,
2990 sm->SNonce, sm->ANonce,
2991 wpa_auth_get_spa(sm),
2992 wpa_auth_get_aa(sm),
2993 sm->pmk_r1_name, ptk,
2994 ptk_name, sm->wpa_key_mgmt,
2995 sm->pairwise, kdk_len);
2996 } else {
2997 ret = wpa_auth_derive_ptk_ft(sm, ptk, pmk_r0, pmk_r1,
2998 pmk_r0_name, key_len,
2999 kdk_len);
3000 }
3001 if (ret) {
3002 wpa_printf(MSG_ERROR, "FT: PTK derivation failed");
3003 return ret;
3004 }
3005
3006 #ifdef CONFIG_PASN
3007 if (!no_kdk && sm->wpa_auth->conf.secure_ltf &&
3008 ieee802_11_rsnx_capab(sm->rsnxe,
3009 WLAN_RSNX_CAPAB_SECURE_LTF)) {
3010 ret = wpa_ltf_keyseed(ptk, sm->wpa_key_mgmt,
3011 sm->pairwise);
3012 if (ret) {
3013 wpa_printf(MSG_ERROR,
3014 "FT: LTF keyseed derivation failed");
3015 }
3016 }
3017 #endif /* CONFIG_PASN */
3018 return ret;
3019 }
3020 #endif /* CONFIG_IEEE80211R_AP */
3021
3022 #ifdef CONFIG_DPP2
3023 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
3024 z = wpabuf_head(sm->dpp_z);
3025 z_len = wpabuf_len(sm->dpp_z);
3026 }
3027 #endif /* CONFIG_DPP2 */
3028
3029 akmp = sm->wpa_key_mgmt;
3030 if (force_sha256)
3031 akmp |= WPA_KEY_MGMT_PSK_SHA256;
3032 ret = wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
3033 wpa_auth_get_aa(sm), wpa_auth_get_spa(sm),
3034 sm->ANonce, snonce, ptk, akmp,
3035 sm->pairwise, z, z_len, kdk_len);
3036 if (ret) {
3037 wpa_printf(MSG_DEBUG,
3038 "WPA: PTK derivation failed");
3039 return ret;
3040 }
3041
3042 #ifdef CONFIG_PASN
3043 if (!no_kdk && sm->wpa_auth->conf.secure_ltf &&
3044 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)) {
3045 ret = wpa_ltf_keyseed(ptk, sm->wpa_key_mgmt, sm->pairwise);
3046 if (ret) {
3047 wpa_printf(MSG_DEBUG,
3048 "WPA: LTF keyseed derivation failed");
3049 }
3050 }
3051 #endif /* CONFIG_PASN */
3052 return ret;
3053 }
3054
3055
3056 #ifdef CONFIG_FILS
3057
3058 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
3059 size_t pmk_len, const u8 *snonce, const u8 *anonce,
3060 const u8 *dhss, size_t dhss_len,
3061 struct wpabuf *g_sta, struct wpabuf *g_ap)
3062 {
3063 u8 ick[FILS_ICK_MAX_LEN];
3064 size_t ick_len;
3065 int res;
3066 u8 fils_ft[FILS_FT_MAX_LEN];
3067 size_t fils_ft_len = 0, kdk_len;
3068
3069 if (sm->wpa_auth->conf.force_kdk_derivation ||
3070 (sm->wpa_auth->conf.secure_ltf &&
3071 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
3072 kdk_len = WPA_KDK_MAX_LEN;
3073 else
3074 kdk_len = 0;
3075
3076 res = fils_pmk_to_ptk(pmk, pmk_len, wpa_auth_get_spa(sm),
3077 wpa_auth_get_aa(sm),
3078 snonce, anonce, dhss, dhss_len,
3079 &sm->PTK, ick, &ick_len,
3080 sm->wpa_key_mgmt, sm->pairwise,
3081 fils_ft, &fils_ft_len, kdk_len);
3082 if (res < 0)
3083 return res;
3084
3085 #ifdef CONFIG_PASN
3086 if (sm->wpa_auth->conf.secure_ltf &&
3087 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)) {
3088 res = wpa_ltf_keyseed(&sm->PTK, sm->wpa_key_mgmt, sm->pairwise);
3089 if (res) {
3090 wpa_printf(MSG_ERROR,
3091 "FILS: LTF keyseed derivation failed");
3092 return res;
3093 }
3094 }
3095 #endif /* CONFIG_PASN */
3096
3097 sm->PTK_valid = true;
3098 sm->tk_already_set = false;
3099
3100 #ifdef CONFIG_IEEE80211R_AP
3101 if (fils_ft_len) {
3102 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3103 struct wpa_auth_config *conf = &wpa_auth->conf;
3104 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
3105
3106 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
3107 conf->ssid, conf->ssid_len,
3108 conf->mobility_domain,
3109 conf->r0_key_holder,
3110 conf->r0_key_holder_len,
3111 wpa_auth_get_spa(sm), pmk_r0, pmk_r0_name,
3112 sm->wpa_key_mgmt) < 0)
3113 return -1;
3114
3115 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name);
3116 forced_memzero(fils_ft, sizeof(fils_ft));
3117
3118 res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder,
3119 wpa_auth_get_spa(sm),
3120 sm->pmk_r1_name,
3121 fils_ft_len);
3122 forced_memzero(pmk_r0, PMK_LEN_MAX);
3123 if (res < 0)
3124 return -1;
3125 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name,
3126 WPA_PMK_NAME_LEN);
3127 sm->pmk_r1_name_valid = 1;
3128 }
3129 #endif /* CONFIG_IEEE80211R_AP */
3130
3131 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
3132 wpa_auth_get_spa(sm),
3133 wpa_auth_get_aa(sm),
3134 g_sta ? wpabuf_head(g_sta) : NULL,
3135 g_sta ? wpabuf_len(g_sta) : 0,
3136 g_ap ? wpabuf_head(g_ap) : NULL,
3137 g_ap ? wpabuf_len(g_ap) : 0,
3138 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
3139 sm->fils_key_auth_ap,
3140 &sm->fils_key_auth_len);
3141 forced_memzero(ick, sizeof(ick));
3142
3143 /* Store nonces for (Re)Association Request/Response frame processing */
3144 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
3145 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
3146
3147 return res;
3148 }
3149
3150
3151 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
3152 u8 *buf, size_t buf_len, u16 *_key_data_len)
3153 {
3154 struct ieee802_1x_hdr *hdr;
3155 struct wpa_eapol_key *key;
3156 u8 *pos;
3157 u16 key_data_len;
3158 u8 *tmp;
3159 const u8 *aad[1];
3160 size_t aad_len[1];
3161
3162 hdr = (struct ieee802_1x_hdr *) buf;
3163 key = (struct wpa_eapol_key *) (hdr + 1);
3164 pos = (u8 *) (key + 1);
3165 key_data_len = WPA_GET_BE16(pos);
3166 if (key_data_len < AES_BLOCK_SIZE ||
3167 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
3168 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3169 "No room for AES-SIV data in the frame");
3170 return -1;
3171 }
3172 pos += 2; /* Pointing at the Encrypted Key Data field */
3173
3174 tmp = os_malloc(key_data_len);
3175 if (!tmp)
3176 return -1;
3177
3178 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
3179 * to Key Data (exclusive). */
3180 aad[0] = buf;
3181 aad_len[0] = pos - buf;
3182 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
3183 1, aad, aad_len, tmp) < 0) {
3184 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3185 "Invalid AES-SIV data in the frame");
3186 bin_clear_free(tmp, key_data_len);
3187 return -1;
3188 }
3189
3190 /* AEAD decryption and validation completed successfully */
3191 key_data_len -= AES_BLOCK_SIZE;
3192 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
3193 tmp, key_data_len);
3194
3195 /* Replace Key Data field with the decrypted version */
3196 os_memcpy(pos, tmp, key_data_len);
3197 pos -= 2; /* Key Data Length field */
3198 WPA_PUT_BE16(pos, key_data_len);
3199 bin_clear_free(tmp, key_data_len);
3200 if (_key_data_len)
3201 *_key_data_len = key_data_len;
3202 return 0;
3203 }
3204
3205
3206 const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
3207 const u8 *ies, size_t ies_len,
3208 const u8 *fils_session)
3209 {
3210 const u8 *ie, *end;
3211 const u8 *session = NULL;
3212
3213 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
3214 wpa_printf(MSG_DEBUG,
3215 "FILS: Not a FILS AKM - reject association");
3216 return NULL;
3217 }
3218
3219 /* Verify Session element */
3220 ie = ies;
3221 end = ((const u8 *) ie) + ies_len;
3222 while (ie + 1 < end) {
3223 if (ie + 2 + ie[1] > end)
3224 break;
3225 if (ie[0] == WLAN_EID_EXTENSION &&
3226 ie[1] >= 1 + FILS_SESSION_LEN &&
3227 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
3228 session = ie;
3229 break;
3230 }
3231 ie += 2 + ie[1];
3232 }
3233
3234 if (!session) {
3235 wpa_printf(MSG_DEBUG,
3236 "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
3237 __func__);
3238 return NULL;
3239 }
3240
3241 if (!fils_session) {
3242 wpa_printf(MSG_DEBUG,
3243 "FILS: %s: Could not find FILS Session element in STA entry - reject",
3244 __func__);
3245 return NULL;
3246 }
3247
3248 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
3249 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
3250 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
3251 fils_session, FILS_SESSION_LEN);
3252 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
3253 session + 3, FILS_SESSION_LEN);
3254 return NULL;
3255 }
3256 return session;
3257 }
3258
3259
3260 int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
3261 size_t ies_len)
3262 {
3263 struct ieee802_11_elems elems;
3264
3265 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
3266 wpa_printf(MSG_DEBUG,
3267 "FILS: Failed to parse decrypted elements");
3268 return -1;
3269 }
3270
3271 if (!elems.fils_session) {
3272 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
3273 return -1;
3274 }
3275
3276 if (!elems.fils_key_confirm) {
3277 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
3278 return -1;
3279 }
3280
3281 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
3282 wpa_printf(MSG_DEBUG,
3283 "FILS: Unexpected Key-Auth length %d (expected %zu)",
3284 elems.fils_key_confirm_len,
3285 sm->fils_key_auth_len);
3286 return -1;
3287 }
3288
3289 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
3290 sm->fils_key_auth_len) != 0) {
3291 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
3292 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
3293 elems.fils_key_confirm, elems.fils_key_confirm_len);
3294 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
3295 sm->fils_key_auth_sta, sm->fils_key_auth_len);
3296 return -1;
3297 }
3298
3299 return 0;
3300 }
3301
3302
3303 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
3304 const struct ieee80211_mgmt *mgmt, size_t frame_len,
3305 u8 *pos, size_t left)
3306 {
3307 u16 fc, stype;
3308 const u8 *end, *ie_start, *ie, *session, *crypt;
3309 const u8 *aad[5];
3310 size_t aad_len[5];
3311
3312 if (!sm || !sm->PTK_valid) {
3313 wpa_printf(MSG_DEBUG,
3314 "FILS: No KEK to decrypt Assocication Request frame");
3315 return -1;
3316 }
3317
3318 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
3319 wpa_printf(MSG_DEBUG,
3320 "FILS: Not a FILS AKM - reject association");
3321 return -1;
3322 }
3323
3324 end = ((const u8 *) mgmt) + frame_len;
3325 fc = le_to_host16(mgmt->frame_control);
3326 stype = WLAN_FC_GET_STYPE(fc);
3327 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
3328 ie_start = mgmt->u.reassoc_req.variable;
3329 else
3330 ie_start = mgmt->u.assoc_req.variable;
3331 ie = ie_start;
3332
3333 /*
3334 * Find FILS Session element which is the last unencrypted element in
3335 * the frame.
3336 */
3337 session = wpa_fils_validate_fils_session(sm, ie, end - ie,
3338 fils_session);
3339 if (!session) {
3340 wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
3341 return -1;
3342 }
3343
3344 crypt = session + 2 + session[1];
3345
3346 if (end - crypt < AES_BLOCK_SIZE) {
3347 wpa_printf(MSG_DEBUG,
3348 "FILS: Too short frame to include AES-SIV data");
3349 return -1;
3350 }
3351
3352 /* AES-SIV AAD vectors */
3353
3354 /* The STA's MAC address */
3355 aad[0] = mgmt->sa;
3356 aad_len[0] = ETH_ALEN;
3357 /* The AP's BSSID */
3358 aad[1] = mgmt->da;
3359 aad_len[1] = ETH_ALEN;
3360 /* The STA's nonce */
3361 aad[2] = sm->SNonce;
3362 aad_len[2] = FILS_NONCE_LEN;
3363 /* The AP's nonce */
3364 aad[3] = sm->ANonce;
3365 aad_len[3] = FILS_NONCE_LEN;
3366 /*
3367 * The (Re)Association Request frame from the Capability Information
3368 * field to the FILS Session element (both inclusive).
3369 */
3370 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
3371 aad_len[4] = crypt - aad[4];
3372
3373 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
3374 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
3375 wpa_printf(MSG_DEBUG,
3376 "FILS: Invalid AES-SIV data in the frame");
3377 return -1;
3378 }
3379 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
3380 pos, left - AES_BLOCK_SIZE);
3381
3382 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
3383 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
3384 return -1;
3385 }
3386
3387 return left - AES_BLOCK_SIZE;
3388 }
3389
3390
3391 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
3392 size_t current_len, size_t max_len,
3393 const struct wpabuf *hlp)
3394 {
3395 u8 *end = buf + max_len;
3396 u8 *pos = buf + current_len;
3397 struct ieee80211_mgmt *mgmt;
3398 struct wpabuf *plain;
3399 const u8 *aad[5];
3400 size_t aad_len[5];
3401
3402 if (!sm || !sm->PTK_valid)
3403 return -1;
3404
3405 wpa_hexdump(MSG_DEBUG,
3406 "FILS: Association Response frame before FILS processing",
3407 buf, current_len);
3408
3409 mgmt = (struct ieee80211_mgmt *) buf;
3410
3411 /* AES-SIV AAD vectors */
3412
3413 /* The AP's BSSID */
3414 aad[0] = mgmt->sa;
3415 aad_len[0] = ETH_ALEN;
3416 /* The STA's MAC address */
3417 aad[1] = mgmt->da;
3418 aad_len[1] = ETH_ALEN;
3419 /* The AP's nonce */
3420 aad[2] = sm->ANonce;
3421 aad_len[2] = FILS_NONCE_LEN;
3422 /* The STA's nonce */
3423 aad[3] = sm->SNonce;
3424 aad_len[3] = FILS_NONCE_LEN;
3425 /*
3426 * The (Re)Association Response frame from the Capability Information
3427 * field (the same offset in both Association and Reassociation
3428 * Response frames) to the FILS Session element (both inclusive).
3429 */
3430 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
3431 aad_len[4] = pos - aad[4];
3432
3433 /* The following elements will be encrypted with AES-SIV */
3434 plain = fils_prepare_plainbuf(sm, hlp);
3435 if (!plain) {
3436 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
3437 return -1;
3438 }
3439
3440 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
3441 wpa_printf(MSG_DEBUG,
3442 "FILS: Not enough room for FILS elements");
3443 wpabuf_clear_free(plain);
3444 return -1;
3445 }
3446
3447 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
3448 plain);
3449
3450 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
3451 wpabuf_head(plain), wpabuf_len(plain),
3452 5, aad, aad_len, pos) < 0) {
3453 wpabuf_clear_free(plain);
3454 return -1;
3455 }
3456
3457 wpa_hexdump(MSG_DEBUG,
3458 "FILS: Encrypted Association Response elements",
3459 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
3460 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
3461 wpabuf_clear_free(plain);
3462
3463 sm->fils_completed = 1;
3464
3465 return current_len;
3466 }
3467
3468
3469 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
3470 const struct wpabuf *hlp)
3471 {
3472 struct wpabuf *plain;
3473 u8 *len, *tmp, *tmp2;
3474 u8 hdr[2];
3475 u8 *gtk, stub_gtk[32];
3476 size_t gtk_len;
3477 struct wpa_group *gsm;
3478 size_t plain_len;
3479 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
3480
3481 plain_len = 1000 + ieee80211w_kde_len(sm);
3482 if (conf->transition_disable)
3483 plain_len += 2 + RSN_SELECTOR_LEN + 1;
3484 plain = wpabuf_alloc(plain_len);
3485 if (!plain)
3486 return NULL;
3487
3488 /* TODO: FILS Public Key */
3489
3490 /* FILS Key Confirmation */
3491 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
3492 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
3493 /* Element ID Extension */
3494 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
3495 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
3496
3497 /* FILS HLP Container */
3498 if (hlp)
3499 wpabuf_put_buf(plain, hlp);
3500
3501 /* TODO: FILS IP Address Assignment */
3502
3503 /* Key Delivery */
3504 gsm = sm->group;
3505 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
3506 len = wpabuf_put(plain, 1);
3507 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
3508 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
3509 wpabuf_put(plain, WPA_KEY_RSC_LEN));
3510 /* GTK KDE */
3511 gtk = gsm->GTK[gsm->GN - 1];
3512 gtk_len = gsm->GTK_len;
3513 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3514 /*
3515 * Provide unique random GTK to each STA to prevent use
3516 * of GTK in the BSS.
3517 */
3518 if (random_get_bytes(stub_gtk, gtk_len) < 0) {
3519 wpabuf_clear_free(plain);
3520 return NULL;
3521 }
3522 gtk = stub_gtk;
3523 }
3524 hdr[0] = gsm->GN & 0x03;
3525 hdr[1] = 0;
3526 tmp = wpabuf_put(plain, 0);
3527 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3528 gtk, gtk_len);
3529 wpabuf_put(plain, tmp2 - tmp);
3530
3531 /* IGTK KDE and BIGTK KDE */
3532 tmp = wpabuf_put(plain, 0);
3533 tmp2 = ieee80211w_kde_add(sm, tmp);
3534 wpabuf_put(plain, tmp2 - tmp);
3535
3536 if (conf->transition_disable) {
3537 tmp = wpabuf_put(plain, 0);
3538 tmp2 = wpa_add_kde(tmp, WFA_KEY_DATA_TRANSITION_DISABLE,
3539 &conf->transition_disable, 1, NULL, 0);
3540 wpabuf_put(plain, tmp2 - tmp);
3541 }
3542
3543 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
3544
3545 #ifdef CONFIG_OCV
3546 if (wpa_auth_uses_ocv(sm)) {
3547 struct wpa_channel_info ci;
3548 u8 *pos;
3549
3550 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
3551 wpa_printf(MSG_WARNING,
3552 "FILS: Failed to get channel info for OCI element");
3553 wpabuf_clear_free(plain);
3554 return NULL;
3555 }
3556 #ifdef CONFIG_TESTING_OPTIONS
3557 if (conf->oci_freq_override_fils_assoc) {
3558 wpa_printf(MSG_INFO,
3559 "TEST: Override OCI frequency %d -> %u MHz",
3560 ci.frequency,
3561 conf->oci_freq_override_fils_assoc);
3562 ci.frequency = conf->oci_freq_override_fils_assoc;
3563 }
3564 #endif /* CONFIG_TESTING_OPTIONS */
3565
3566 pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN);
3567 if (ocv_insert_extended_oci(&ci, pos) < 0) {
3568 wpabuf_clear_free(plain);
3569 return NULL;
3570 }
3571 }
3572 #endif /* CONFIG_OCV */
3573
3574 return plain;
3575 }
3576
3577
3578 int fils_set_tk(struct wpa_state_machine *sm)
3579 {
3580 enum wpa_alg alg;
3581 int klen;
3582
3583 if (!sm || !sm->PTK_valid) {
3584 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK");
3585 return -1;
3586 }
3587 if (sm->tk_already_set) {
3588 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver");
3589 return -1;
3590 }
3591
3592 alg = wpa_cipher_to_alg(sm->pairwise);
3593 klen = wpa_cipher_key_len(sm->pairwise);
3594
3595 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
3596 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
3597 sm->PTK.tk, klen, KEY_FLAG_PAIRWISE_RX_TX)) {
3598 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
3599 return -1;
3600 }
3601
3602 #ifdef CONFIG_PASN
3603 if (sm->wpa_auth->conf.secure_ltf &&
3604 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
3605 wpa_auth_set_ltf_keyseed(sm->wpa_auth, sm->addr,
3606 sm->PTK.ltf_keyseed,
3607 sm->PTK.ltf_keyseed_len)) {
3608 wpa_printf(MSG_ERROR,
3609 "FILS: Failed to set LTF keyseed to driver");
3610 return -1;
3611 }
3612 #endif /* CONFIG_PASN */
3613
3614 sm->pairwise_set = true;
3615 sm->tk_already_set = true;
3616
3617 wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, sm->pairwise,
3618 dot11RSNAConfigPMKLifetime, &sm->PTK);
3619
3620 return 0;
3621 }
3622
3623
3624 u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
3625 const u8 *fils_session, struct wpabuf *hlp)
3626 {
3627 struct wpabuf *plain;
3628 u8 *pos = buf;
3629
3630 /* FILS Session */
3631 *pos++ = WLAN_EID_EXTENSION; /* Element ID */
3632 *pos++ = 1 + FILS_SESSION_LEN; /* Length */
3633 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
3634 os_memcpy(pos, fils_session, FILS_SESSION_LEN);
3635 pos += FILS_SESSION_LEN;
3636
3637 plain = fils_prepare_plainbuf(sm, hlp);
3638 if (!plain) {
3639 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
3640 return NULL;
3641 }
3642
3643 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
3644 pos += wpabuf_len(plain);
3645
3646 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %zu", __func__,
3647 wpabuf_len(plain));
3648 wpabuf_clear_free(plain);
3649 sm->fils_completed = 1;
3650 return pos;
3651 }
3652
3653 #endif /* CONFIG_FILS */
3654
3655
3656 #ifdef CONFIG_OCV
3657 int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth,
3658 int ap_seg1_idx, int *bandwidth, int *seg1_idx)
3659 {
3660 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3661
3662 if (!wpa_auth->cb->get_sta_tx_params)
3663 return -1;
3664 return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr,
3665 ap_max_chanwidth, ap_seg1_idx,
3666 bandwidth, seg1_idx);
3667 }
3668 #endif /* CONFIG_OCV */
3669
3670
3671 static int wpa_auth_validate_ml_kdes_m2(struct wpa_state_machine *sm,
3672 struct wpa_eapol_ie_parse *kde)
3673 {
3674 #ifdef CONFIG_IEEE80211BE
3675 int i;
3676 unsigned int n_links = 0;
3677
3678 if (sm->mld_assoc_link_id < 0)
3679 return 0;
3680
3681 /* MLD MAC address must be the same */
3682 if (!kde->mac_addr ||
3683 !ether_addr_equal(kde->mac_addr, sm->peer_mld_addr)) {
3684 wpa_printf(MSG_DEBUG, "RSN: MLD: Invalid MLD address");
3685 return -1;
3686 }
3687
3688 /* Find matching link ID and the MAC address for each link */
3689 for_each_link(kde->valid_mlo_links, i) {
3690 /*
3691 * Each entry should contain the link information and the MAC
3692 * address.
3693 */
3694 if (kde->mlo_link_len[i] != 1 + ETH_ALEN) {
3695 wpa_printf(MSG_DEBUG,
3696 "RSN: MLD: Invalid MLO Link (ID %u) KDE len=%zu",
3697 i, kde->mlo_link_len[i]);
3698 return -1;
3699 }
3700
3701 if (!sm->mld_links[i].valid || i == sm->mld_assoc_link_id) {
3702 wpa_printf(MSG_DEBUG,
3703 "RSN: MLD: Invalid link ID=%u", i);
3704 return -1;
3705 }
3706
3707 if (!ether_addr_equal(sm->mld_links[i].peer_addr,
3708 kde->mlo_link[i] + 1)) {
3709 wpa_printf(MSG_DEBUG,
3710 "RSN: MLD: invalid MAC address=" MACSTR
3711 " expected " MACSTR " (link ID %u)",
3712 MAC2STR(kde->mlo_link[i] + 1),
3713 MAC2STR(sm->mld_links[i].peer_addr), i);
3714 return -1;
3715 }
3716
3717 n_links++;
3718 }
3719
3720 /* Must have the same number of MLO links (excluding the local one) */
3721 if (n_links != sm->n_mld_affiliated_links) {
3722 wpa_printf(MSG_DEBUG,
3723 "RSN: MLD: Expecting %u MLD links in msg 2, but got %u",
3724 sm->n_mld_affiliated_links, n_links);
3725 return -1;
3726 }
3727 #endif /* CONFIG_IEEE80211BE */
3728
3729 return 0;
3730 }
3731
3732
3733 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
3734 {
3735 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3736 struct wpa_ptk PTK;
3737 int ok = 0, psk_found = 0;
3738 const u8 *pmk = NULL;
3739 size_t pmk_len;
3740 int ft;
3741 const u8 *eapol_key_ie, *key_data, *mic;
3742 u16 key_info, ver, key_data_length;
3743 size_t mic_len, eapol_key_ie_len;
3744 struct ieee802_1x_hdr *hdr;
3745 struct wpa_eapol_key *key;
3746 struct wpa_eapol_ie_parse kde;
3747 int vlan_id = 0;
3748 int owe_ptk_workaround = !!wpa_auth->conf.owe_ptk_workaround;
3749 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
3750 u8 pmk_r1[PMK_LEN_MAX];
3751 size_t key_len;
3752 u8 *key_data_buf = NULL;
3753 size_t key_data_buf_len = 0;
3754 bool derive_kdk, no_kdk = false;
3755
3756 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
3757 sm->EAPOLKeyReceived = false;
3758 sm->update_snonce = false;
3759 os_memset(&PTK, 0, sizeof(PTK));
3760
3761 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3762
3763 derive_kdk = sm->wpa_auth->conf.secure_ltf &&
3764 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF);
3765
3766 /* WPA with IEEE 802.1X: use the derived PMK from EAP
3767 * WPA-PSK: iterate through possible PSKs and select the one matching
3768 * the packet */
3769 for (;;) {
3770 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
3771 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
3772 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
3773 sm->p2p_dev_addr, pmk, &pmk_len,
3774 &vlan_id);
3775 if (!pmk)
3776 break;
3777 psk_found = 1;
3778 #ifdef CONFIG_IEEE80211R_AP
3779 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
3780 os_memcpy(sm->xxkey, pmk, pmk_len);
3781 sm->xxkey_len = pmk_len;
3782 }
3783 #endif /* CONFIG_IEEE80211R_AP */
3784 } else {
3785 pmk = sm->PMK;
3786 pmk_len = sm->pmk_len;
3787 }
3788
3789 if ((!pmk || !pmk_len) && sm->pmksa) {
3790 wpa_printf(MSG_DEBUG, "WPA: Use PMK from PMKSA cache");
3791 pmk = sm->pmksa->pmk;
3792 pmk_len = sm->pmksa->pmk_len;
3793 }
3794
3795 no_kdk = false;
3796 try_without_kdk:
3797 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK,
3798 owe_ptk_workaround == 2, pmk_r0, pmk_r1,
3799 pmk_r0_name, &key_len, no_kdk) < 0)
3800 break;
3801
3802 if (mic_len &&
3803 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
3804 sm->last_rx_eapol_key,
3805 sm->last_rx_eapol_key_len) == 0) {
3806 if (sm->PMK != pmk) {
3807 os_memcpy(sm->PMK, pmk, pmk_len);
3808 sm->pmk_len = pmk_len;
3809 }
3810 ok = 1;
3811 break;
3812 }
3813
3814 #ifdef CONFIG_FILS
3815 if (!mic_len &&
3816 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
3817 sm->last_rx_eapol_key_len, NULL) == 0) {
3818 ok = 1;
3819 break;
3820 }
3821 #endif /* CONFIG_FILS */
3822
3823 #ifdef CONFIG_OWE
3824 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && pmk_len > 32 &&
3825 owe_ptk_workaround == 1) {
3826 wpa_printf(MSG_DEBUG,
3827 "OWE: Try PTK derivation workaround with SHA256");
3828 owe_ptk_workaround = 2;
3829 continue;
3830 }
3831 #endif /* CONFIG_OWE */
3832
3833 /* Some deployed STAs that advertise SecureLTF support in the
3834 * RSNXE in (Re)Association Request frames, do not derive KDK
3835 * during PTK generation. Try to work around this by checking if
3836 * a PTK derived without KDK would result in a matching MIC. */
3837 if (!sm->wpa_auth->conf.force_kdk_derivation &&
3838 derive_kdk && !no_kdk) {
3839 wpa_printf(MSG_DEBUG,
3840 "Try new PTK derivation without KDK as a workaround");
3841 no_kdk = true;
3842 goto try_without_kdk;
3843 }
3844
3845 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3846 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
3847 break;
3848 }
3849
3850 if (no_kdk && ok) {
3851 /* The workaround worked, so allow the 4-way handshake to be
3852 * completed with the PTK that was derived without the KDK. */
3853 wpa_printf(MSG_DEBUG,
3854 "PTK without KDK worked - misbehaving STA "
3855 MACSTR, MAC2STR(sm->addr));
3856 }
3857
3858 if (!ok && wpa_key_mgmt_wpa_psk_no_sae(sm->wpa_key_mgmt) &&
3859 wpa_auth->conf.radius_psk && wpa_auth->cb->request_radius_psk &&
3860 !sm->waiting_radius_psk) {
3861 wpa_printf(MSG_DEBUG, "No PSK available - ask RADIUS server");
3862 wpa_auth->cb->request_radius_psk(wpa_auth->cb_ctx, sm->addr,
3863 sm->wpa_key_mgmt,
3864 sm->ANonce,
3865 sm->last_rx_eapol_key,
3866 sm->last_rx_eapol_key_len);
3867 sm->waiting_radius_psk = 1;
3868 goto out;
3869 }
3870
3871 if (!ok) {
3872 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
3873 LOGGER_DEBUG,
3874 "invalid MIC in msg 2/4 of 4-Way Handshake");
3875 if (psk_found) {
3876 #ifdef CONFIG_P2P_CHR
3877 wpa_supplicant_upload_go_p2p_state(sm->wpa_auth->cb_ctx, sm->addr,
3878 P2P_INTERFACE_STATE_DISCONNECTED,
3879 DR_MSG_2_4_INVALID_MIC);
3880 #endif
3881 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
3882 }
3883 goto out;
3884 }
3885
3886 /*
3887 * Note: last_rx_eapol_key length fields have already been validated in
3888 * wpa_receive().
3889 */
3890 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
3891 key = (struct wpa_eapol_key *) (hdr + 1);
3892 mic = (u8 *) (key + 1);
3893 key_info = WPA_GET_BE16(key->key_info);
3894 key_data = mic + mic_len + 2;
3895 key_data_length = WPA_GET_BE16(mic + mic_len);
3896 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
3897 sizeof(*key) - mic_len - 2)
3898 goto out;
3899
3900 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3901 if (mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3902 if (ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
3903 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
3904 !wpa_use_aes_key_wrap(sm->wpa_key_mgmt)) {
3905 wpa_printf(MSG_INFO,
3906 "Unsupported EAPOL-Key Key Data field encryption");
3907 goto out;
3908 }
3909
3910 if (key_data_length < 8 || key_data_length % 8) {
3911 wpa_printf(MSG_INFO,
3912 "RSN: Unsupported AES-WRAP len %u",
3913 key_data_length);
3914 goto out;
3915 }
3916 key_data_length -= 8; /* AES-WRAP adds 8 bytes */
3917 key_data_buf = os_malloc(key_data_length);
3918 if (!key_data_buf)
3919 goto out;
3920 key_data_buf_len = key_data_length;
3921 if (aes_unwrap(PTK.kek, PTK.kek_len, key_data_length / 8,
3922 key_data, key_data_buf)) {
3923 bin_clear_free(key_data_buf, key_data_buf_len);
3924 wpa_printf(MSG_INFO,
3925 "RSN: AES unwrap failed - could not decrypt EAPOL-Key key data");
3926 goto out;
3927 }
3928 key_data = key_data_buf;
3929 wpa_hexdump_key(MSG_DEBUG, "RSN: Decrypted EAPOL-Key Key Data",
3930 key_data, key_data_length);
3931 }
3932
3933 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
3934 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3935 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
3936 #ifdef CONFIG_P2P_CHR
3937 wpa_supplicant_upload_go_p2p_state(sm->wpa_auth->cb_ctx, sm->addr,
3938 P2P_INTERFACE_STATE_DISCONNECTED,
3939 DR_MSG_2_4_INVALID_KEY_DATA_CONTENTS);
3940 #endif
3941 goto out;
3942 }
3943 if (kde.rsn_ie) {
3944 eapol_key_ie = kde.rsn_ie;
3945 eapol_key_ie_len = kde.rsn_ie_len;
3946 } else if (kde.osen) {
3947 eapol_key_ie = kde.osen;
3948 eapol_key_ie_len = kde.osen_len;
3949 } else {
3950 eapol_key_ie = kde.wpa_ie;
3951 eapol_key_ie_len = kde.wpa_ie_len;
3952 }
3953 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
3954 if (!sm->wpa_ie ||
3955 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
3956 eapol_key_ie, eapol_key_ie_len)) {
3957 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3958 "WPA IE from (Re)AssocReq did not match with msg 2/4");
3959 if (sm->wpa_ie) {
3960 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
3961 sm->wpa_ie, sm->wpa_ie_len);
3962 }
3963 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
3964 eapol_key_ie, eapol_key_ie_len);
3965 #ifdef CONFIG_P2P_CHR
3966 wpa_supplicant_upload_go_p2p_state(sm->wpa_auth->cb_ctx, sm->addr,
3967 P2P_INTERFACE_STATE_DISCONNECTED,
3968 DR_MSG_2_4_WPA_IE_MISMATCH_ASSOCREQ);
3969 #endif
3970 /* MLME-DEAUTHENTICATE.request */
3971 wpa_sta_disconnect(wpa_auth, sm->addr,
3972 WLAN_REASON_PREV_AUTH_NOT_VALID);
3973 goto out;
3974 }
3975 if ((!sm->rsnxe && kde.rsnxe) ||
3976 (sm->rsnxe && !kde.rsnxe) ||
3977 (sm->rsnxe && kde.rsnxe &&
3978 (sm->rsnxe_len != kde.rsnxe_len ||
3979 os_memcmp(sm->rsnxe, kde.rsnxe, sm->rsnxe_len) != 0))) {
3980 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3981 "RSNXE from (Re)AssocReq did not match the one in EAPOL-Key msg 2/4");
3982 wpa_hexdump(MSG_DEBUG, "RSNXE in AssocReq",
3983 sm->rsnxe, sm->rsnxe_len);
3984 wpa_hexdump(MSG_DEBUG, "RSNXE in EAPOL-Key msg 2/4",
3985 kde.rsnxe, kde.rsnxe_len);
3986 /* MLME-DEAUTHENTICATE.request */
3987 wpa_sta_disconnect(wpa_auth, sm->addr,
3988 WLAN_REASON_PREV_AUTH_NOT_VALID);
3989 goto out;
3990 }
3991 #ifdef CONFIG_OCV
3992 if (wpa_auth_uses_ocv(sm)) {
3993 struct wpa_channel_info ci;
3994 int tx_chanwidth;
3995 int tx_seg1_idx;
3996 enum oci_verify_result res;
3997
3998 if (wpa_channel_info(wpa_auth, &ci) != 0) {
3999 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
4000 LOGGER_INFO,
4001 "Failed to get channel info to validate received OCI in EAPOL-Key 2/4");
4002 goto out;
4003 }
4004
4005 if (get_sta_tx_parameters(sm,
4006 channel_width_to_int(ci.chanwidth),
4007 ci.seg1_idx, &tx_chanwidth,
4008 &tx_seg1_idx) < 0)
4009 goto out;
4010
4011 res = ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
4012 tx_chanwidth, tx_seg1_idx);
4013 if (wpa_auth_uses_ocv(sm) == 2 && res == OCI_NOT_FOUND) {
4014 /* Work around misbehaving STAs */
4015 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
4016 LOGGER_INFO,
4017 "Disable OCV with a STA that does not send OCI");
4018 wpa_auth_set_ocv(sm, 0);
4019 } else if (res != OCI_SUCCESS) {
4020 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
4021 LOGGER_INFO,
4022 "OCV failed: %s", ocv_errorstr);
4023 if (wpa_auth->conf.msg_ctx)
4024 wpa_msg(wpa_auth->conf.msg_ctx, MSG_INFO,
4025 OCV_FAILURE "addr=" MACSTR
4026 " frame=eapol-key-m2 error=%s",
4027 MAC2STR(wpa_auth_get_spa(sm)),
4028 ocv_errorstr);
4029 goto out;
4030 }
4031 }
4032 #endif /* CONFIG_OCV */
4033 #ifdef CONFIG_IEEE80211R_AP
4034 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
4035 wpa_sta_disconnect(wpa_auth, sm->addr,
4036 WLAN_REASON_PREV_AUTH_NOT_VALID);
4037 goto out;
4038 }
4039 #endif /* CONFIG_IEEE80211R_AP */
4040 #ifdef CONFIG_P2P
4041 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
4042 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
4043 int idx;
4044 wpa_printf(MSG_DEBUG,
4045 "P2P: IP address requested in EAPOL-Key exchange");
4046 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
4047 if (idx >= 0) {
4048 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
4049 bitfield_set(wpa_auth->ip_pool, idx);
4050 sm->ip_addr_bit = idx;
4051 WPA_PUT_BE32(sm->ip_addr, start + idx);
4052 wpa_printf(MSG_DEBUG,
4053 "P2P: Assigned IP address %u.%u.%u.%u to "
4054 MACSTR_SEC " (bit %u)",
4055 sm->ip_addr[0], sm->ip_addr[1],
4056 sm->ip_addr[2], sm->ip_addr[3],
4057 MAC2STR_SEC(wpa_auth_get_spa(sm)),
4058 sm->ip_addr_bit);
4059 }
4060 }
4061 #endif /* CONFIG_P2P */
4062
4063 #ifdef CONFIG_DPP2
4064 if (DPP_VERSION > 1 && kde.dpp_kde) {
4065 wpa_printf(MSG_DEBUG,
4066 "DPP: peer Protocol Version %u Flags 0x%x",
4067 kde.dpp_kde[0], kde.dpp_kde[1]);
4068 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP &&
4069 wpa_auth->conf.dpp_pfs != 2 &&
4070 (kde.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) &&
4071 !sm->dpp_z) {
4072 wpa_printf(MSG_INFO,
4073 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
4074 wpa_sta_disconnect(wpa_auth, sm->addr,
4075 WLAN_REASON_PREV_AUTH_NOT_VALID);
4076 goto out;
4077 }
4078 }
4079 #endif /* CONFIG_DPP2 */
4080
4081 if (wpa_auth_validate_ml_kdes_m2(sm, &kde) < 0) {
4082 wpa_sta_disconnect(wpa_auth, sm->addr,
4083 WLAN_REASON_PREV_AUTH_NOT_VALID);
4084 return;
4085 }
4086
4087 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
4088 wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) {
4089 #ifdef CONFIG_P2P_CHR
4090 wpa_supplicant_upload_go_p2p_state(sm->wpa_auth->cb_ctx, sm->addr,
4091 P2P_INTERFACE_STATE_DISCONNECTED,
4092 DR_MSG_2_4_INVALID_VLAN_ID);
4093 #endif
4094 wpa_sta_disconnect(wpa_auth, sm->addr,
4095 WLAN_REASON_PREV_AUTH_NOT_VALID);
4096 goto out;
4097 }
4098
4099 sm->pending_1_of_4_timeout = 0;
4100 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
4101
4102 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && sm->PMK != pmk) {
4103 /* PSK may have changed from the previous choice, so update
4104 * state machine data based on whatever PSK was selected here.
4105 */
4106 os_memcpy(sm->PMK, pmk, PMK_LEN);
4107 sm->pmk_len = PMK_LEN;
4108 }
4109
4110 sm->MICVerified = true;
4111
4112 #ifdef CONFIG_IEEE80211R_AP
4113 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) && !sm->ft_completed) {
4114 wpa_printf(MSG_DEBUG, "FT: Store PMK-R0/PMK-R1");
4115 wpa_auth_ft_store_keys(sm, pmk_r0, pmk_r1, pmk_r0_name,
4116 key_len);
4117 }
4118 #endif /* CONFIG_IEEE80211R_AP */
4119
4120 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
4121 forced_memzero(&PTK, sizeof(PTK));
4122 sm->PTK_valid = true;
4123 out:
4124 forced_memzero(pmk_r0, sizeof(pmk_r0));
4125 forced_memzero(pmk_r1, sizeof(pmk_r1));
4126 bin_clear_free(key_data_buf, key_data_buf_len);
4127 }
4128
4129
4130 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
4131 {
4132 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
4133 sm->TimeoutCtr = 0;
4134 }
4135
4136
4137 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
4138 {
4139 size_t len = 0;
4140 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
4141
4142 if (sm->mgmt_frame_prot) {
4143 len += 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN;
4144 len += wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
4145 }
4146
4147 if (wpa_auth->conf.tx_bss_auth)
4148 wpa_auth = wpa_auth->conf.tx_bss_auth;
4149 if (sm->mgmt_frame_prot && sm->wpa_auth->conf.beacon_prot) {
4150 len += 2 + RSN_SELECTOR_LEN + WPA_BIGTK_KDE_PREFIX_LEN;
4151 len += wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
4152 }
4153
4154 return len;
4155 }
4156
4157
4158 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
4159 {
4160 struct wpa_igtk_kde igtk;
4161 struct wpa_bigtk_kde bigtk;
4162 struct wpa_group *gsm = sm->group;
4163 u8 rsc[WPA_KEY_RSC_LEN];
4164 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
4165 struct wpa_auth_config *conf = &wpa_auth->conf;
4166 size_t len = wpa_cipher_key_len(conf->group_mgmt_cipher);
4167
4168 if (!sm->mgmt_frame_prot)
4169 return pos;
4170
4171 #ifdef CONFIG_IEEE80211BE
4172 if (sm->mld_assoc_link_id >= 0)
4173 return pos; /* Use per-link MLO KDEs instead */
4174 #endif /* CONFIG_IEEE80211BE */
4175
4176 igtk.keyid[0] = gsm->GN_igtk;
4177 igtk.keyid[1] = 0;
4178 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
4179 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
4180 os_memset(igtk.pn, 0, sizeof(igtk.pn));
4181 else
4182 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
4183 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
4184 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4185 /*
4186 * Provide unique random IGTK to each STA to prevent use of
4187 * IGTK in the BSS.
4188 */
4189 if (random_get_bytes(igtk.igtk, len) < 0)
4190 return pos;
4191 }
4192 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
4193 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
4194 NULL, 0);
4195 forced_memzero(&igtk, sizeof(igtk));
4196
4197 if (wpa_auth->conf.tx_bss_auth) {
4198 wpa_auth = wpa_auth->conf.tx_bss_auth;
4199 conf = &wpa_auth->conf;
4200 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
4201 gsm = wpa_auth->group;
4202 }
4203
4204 if (!sm->wpa_auth->conf.beacon_prot)
4205 return pos;
4206
4207 bigtk.keyid[0] = gsm->GN_bigtk;
4208 bigtk.keyid[1] = 0;
4209 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
4210 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_bigtk, rsc) < 0)
4211 os_memset(bigtk.pn, 0, sizeof(bigtk.pn));
4212 else
4213 os_memcpy(bigtk.pn, rsc, sizeof(bigtk.pn));
4214 os_memcpy(bigtk.bigtk, gsm->BIGTK[gsm->GN_bigtk - 6], len);
4215 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4216 /*
4217 * Provide unique random BIGTK to each OSEN STA to prevent use
4218 * of BIGTK in the BSS.
4219 */
4220 if (random_get_bytes(bigtk.bigtk, len) < 0)
4221 return pos;
4222 }
4223 pos = wpa_add_kde(pos, RSN_KEY_DATA_BIGTK,
4224 (const u8 *) &bigtk, WPA_BIGTK_KDE_PREFIX_LEN + len,
4225 NULL, 0);
4226 forced_memzero(&bigtk, sizeof(bigtk));
4227
4228 return pos;
4229 }
4230
4231
4232 static int ocv_oci_len(struct wpa_state_machine *sm)
4233 {
4234 #ifdef CONFIG_OCV
4235 if (wpa_auth_uses_ocv(sm))
4236 return OCV_OCI_KDE_LEN;
4237 #endif /* CONFIG_OCV */
4238 return 0;
4239 }
4240
4241
4242 static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos,
4243 unsigned int freq)
4244 {
4245 #ifdef CONFIG_OCV
4246 struct wpa_channel_info ci;
4247
4248 if (!wpa_auth_uses_ocv(sm))
4249 return 0;
4250
4251 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
4252 wpa_printf(MSG_WARNING,
4253 "Failed to get channel info for OCI element");
4254 return -1;
4255 }
4256 #ifdef CONFIG_TESTING_OPTIONS
4257 if (freq) {
4258 wpa_printf(MSG_INFO,
4259 "TEST: Override OCI KDE frequency %d -> %u MHz",
4260 ci.frequency, freq);
4261 ci.frequency = freq;
4262 }
4263 #endif /* CONFIG_TESTING_OPTIONS */
4264
4265 return ocv_insert_oci_kde(&ci, argpos);
4266 #else /* CONFIG_OCV */
4267 return 0;
4268 #endif /* CONFIG_OCV */
4269 }
4270
4271
4272 #ifdef CONFIG_TESTING_OPTIONS
4273 static u8 * replace_ie(const char *name, const u8 *old_buf, size_t *len, u8 eid,
4274 const u8 *ie, size_t ie_len)
4275 {
4276 const u8 *elem;
4277 u8 *buf;
4278
4279 wpa_printf(MSG_DEBUG, "TESTING: %s EAPOL override", name);
4280 wpa_hexdump(MSG_DEBUG, "TESTING: wpa_ie before override",
4281 old_buf, *len);
4282 buf = os_malloc(*len + ie_len);
4283 if (!buf)
4284 return NULL;
4285 os_memcpy(buf, old_buf, *len);
4286 elem = get_ie(buf, *len, eid);
4287 if (elem) {
4288 u8 elem_len = 2 + elem[1];
4289
4290 os_memmove((void *) elem, elem + elem_len,
4291 *len - (elem - buf) - elem_len);
4292 *len -= elem_len;
4293 }
4294 os_memcpy(buf + *len, ie, ie_len);
4295 *len += ie_len;
4296 wpa_hexdump(MSG_DEBUG, "TESTING: wpa_ie after EAPOL override",
4297 buf, *len);
4298
4299 return buf;
4300 }
4301 #endif /* CONFIG_TESTING_OPTIONS */
4302
4303
4304 #ifdef CONFIG_IEEE80211BE
4305
4306 void wpa_auth_ml_get_key_info(struct wpa_authenticator *a,
4307 struct wpa_auth_ml_link_key_info *info,
4308 bool mgmt_frame_prot, bool beacon_prot)
4309 {
4310 struct wpa_group *gsm = a->group;
4311 u8 rsc[WPA_KEY_RSC_LEN];
4312
4313 wpa_printf(MSG_DEBUG,
4314 "MLD: Get group key info: link_id=%u, IGTK=%u, BIGTK=%u",
4315 info->link_id, mgmt_frame_prot, beacon_prot);
4316
4317 info->gtkidx = gsm->GN & 0x03;
4318 info->gtk = gsm->GTK[gsm->GN - 1];
4319 info->gtk_len = gsm->GTK_len;
4320
4321 if (wpa_auth_get_seqnum(a, NULL, gsm->GN, rsc) < 0)
4322 os_memset(info->pn, 0, sizeof(info->pn));
4323 else
4324 os_memcpy(info->pn, rsc, sizeof(info->pn));
4325
4326 if (!mgmt_frame_prot)
4327 return;
4328
4329 info->igtkidx = gsm->GN_igtk;
4330 info->igtk = gsm->IGTK[gsm->GN_igtk - 4];
4331 info->igtk_len = wpa_cipher_key_len(a->conf.group_mgmt_cipher);
4332
4333 if (wpa_auth_get_seqnum(a, NULL, gsm->GN_igtk, rsc) < 0)
4334 os_memset(info->ipn, 0, sizeof(info->ipn));
4335 else
4336 os_memcpy(info->ipn, rsc, sizeof(info->ipn));
4337
4338 if (!beacon_prot)
4339 return;
4340
4341 if (a->conf.tx_bss_auth) {
4342 a = a->conf.tx_bss_auth;
4343 gsm = a->group;
4344 }
4345
4346 info->bigtkidx = gsm->GN_bigtk;
4347 info->bigtk = gsm->BIGTK[gsm->GN_bigtk - 6];
4348
4349 if (wpa_auth_get_seqnum(a, NULL, gsm->GN_bigtk, rsc) < 0)
4350 os_memset(info->bipn, 0, sizeof(info->bipn));
4351 else
4352 os_memcpy(info->bipn, rsc, sizeof(info->bipn));
4353 }
4354
4355
4356 static void wpa_auth_get_ml_key_info(struct wpa_authenticator *wpa_auth,
4357 struct wpa_auth_ml_key_info *info)
4358 {
4359 if (!wpa_auth->cb->get_ml_key_info)
4360 return;
4361
4362 wpa_auth->cb->get_ml_key_info(wpa_auth->cb_ctx, info);
4363 }
4364
4365
4366 static size_t wpa_auth_ml_group_kdes_len(struct wpa_state_machine *sm)
4367 {
4368 struct wpa_authenticator *wpa_auth;
4369 size_t kde_len = 0;
4370 int link_id;
4371
4372 if (sm->mld_assoc_link_id < 0)
4373 return 0;
4374
4375 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4376 if (!sm->mld_links[link_id].valid)
4377 continue;
4378
4379 wpa_auth = sm->mld_links[link_id].wpa_auth;
4380 if (!wpa_auth || !wpa_auth->group)
4381 continue;
4382
4383 /* MLO GTK KDE
4384 * Header + Key ID + Tx + LinkID + PN + GTK */
4385 kde_len += KDE_HDR_LEN + 1 + RSN_PN_LEN;
4386 kde_len += wpa_auth->group->GTK_len;
4387
4388 if (!sm->mgmt_frame_prot)
4389 continue;
4390
4391 if (wpa_auth->conf.tx_bss_auth)
4392 wpa_auth = wpa_auth->conf.tx_bss_auth;
4393
4394 /* MLO IGTK KDE
4395 * Header + Key ID + IPN + LinkID + IGTK */
4396 kde_len += KDE_HDR_LEN + WPA_IGTK_KDE_PREFIX_LEN + 1;
4397 kde_len += wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
4398
4399 if (!wpa_auth->conf.beacon_prot)
4400 continue;
4401
4402 /* MLO BIGTK KDE
4403 * Header + Key ID + BIPN + LinkID + BIGTK */
4404 kde_len += KDE_HDR_LEN + WPA_BIGTK_KDE_PREFIX_LEN + 1;
4405 kde_len += wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
4406 }
4407
4408 wpa_printf(MSG_DEBUG, "MLO Group KDEs len = %zu", kde_len);
4409
4410 return kde_len;
4411 }
4412
4413
4414 static u8 * wpa_auth_ml_group_kdes(struct wpa_state_machine *sm, u8 *pos)
4415 {
4416 struct wpa_auth_ml_key_info ml_key_info;
4417 unsigned int i, link_id;
4418 u8 *start = pos;
4419
4420 /* First fetch the key information from all the authenticators */
4421 os_memset(&ml_key_info, 0, sizeof(ml_key_info));
4422 ml_key_info.n_mld_links = sm->n_mld_affiliated_links + 1;
4423
4424 /*
4425 * Assume that management frame protection and beacon protection are the
4426 * same on all links.
4427 */
4428 ml_key_info.mgmt_frame_prot = sm->mgmt_frame_prot;
4429 ml_key_info.beacon_prot = sm->wpa_auth->conf.beacon_prot;
4430
4431 for (i = 0, link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4432 if (!sm->mld_links[link_id].valid)
4433 continue;
4434
4435 ml_key_info.links[i++].link_id = link_id;
4436 }
4437
4438 wpa_auth_get_ml_key_info(sm->wpa_auth, &ml_key_info);
4439
4440 /* Add MLO GTK KDEs */
4441 for (i = 0, link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4442 if (!sm->mld_links[link_id].valid ||
4443 !ml_key_info.links[i].gtk_len)
4444 continue;
4445
4446 wpa_printf(MSG_DEBUG, "RSN: MLO GTK: link=%u", link_id);
4447 wpa_hexdump_key(MSG_DEBUG, "RSN: MLO GTK",
4448 ml_key_info.links[i].gtk,
4449 ml_key_info.links[i].gtk_len);
4450
4451 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
4452 *pos++ = RSN_SELECTOR_LEN + 1 + 6 +
4453 ml_key_info.links[i].gtk_len;
4454
4455 RSN_SELECTOR_PUT(pos, RSN_KEY_DATA_MLO_GTK);
4456 pos += RSN_SELECTOR_LEN;
4457
4458 *pos++ = (ml_key_info.links[i].gtkidx & 0x3) | (link_id << 4);
4459
4460 os_memcpy(pos, ml_key_info.links[i].pn, 6);
4461 pos += 6;
4462
4463 os_memcpy(pos, ml_key_info.links[i].gtk,
4464 ml_key_info.links[i].gtk_len);
4465 pos += ml_key_info.links[i].gtk_len;
4466
4467 i++;
4468 }
4469
4470 if (!sm->mgmt_frame_prot) {
4471 wpa_printf(MSG_DEBUG, "RSN: MLO Group KDE len = %ld",
4472 (long)(pos - start));
4473 return pos;
4474 }
4475
4476 /* Add MLO IGTK KDEs */
4477 for (i = 0, link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4478 if (!sm->mld_links[link_id].valid ||
4479 !ml_key_info.links[i].igtk_len)
4480 continue;
4481
4482 wpa_printf(MSG_DEBUG, "RSN: MLO IGTK: link=%u", link_id);
4483 wpa_hexdump_key(MSG_DEBUG, "RSN: MLO IGTK",
4484 ml_key_info.links[i].igtk,
4485 ml_key_info.links[i].igtk_len);
4486
4487 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
4488 *pos++ = RSN_SELECTOR_LEN + 2 + 1 +
4489 sizeof(ml_key_info.links[i].ipn) +
4490 ml_key_info.links[i].igtk_len;
4491
4492 RSN_SELECTOR_PUT(pos, RSN_KEY_DATA_MLO_IGTK);
4493 pos += RSN_SELECTOR_LEN;
4494
4495 /* Add the Key ID */
4496 *pos++ = ml_key_info.links[i].igtkidx;
4497 *pos++ = 0;
4498
4499 /* Add the IPN */
4500 os_memcpy(pos, ml_key_info.links[i].ipn,
4501 sizeof(ml_key_info.links[i].ipn));
4502 pos += sizeof(ml_key_info.links[i].ipn);
4503
4504 *pos++ = ml_key_info.links[i].link_id << 4;
4505
4506 os_memcpy(pos, ml_key_info.links[i].igtk,
4507 ml_key_info.links[i].igtk_len);
4508 pos += ml_key_info.links[i].igtk_len;
4509
4510 i++;
4511 }
4512
4513 if (!sm->wpa_auth->conf.beacon_prot) {
4514 wpa_printf(MSG_DEBUG, "RSN: MLO Group KDE len = %ld",
4515 (long)(pos - start));
4516 return pos;
4517 }
4518
4519 /* Add MLO BIGTK KDEs */
4520 for (i = 0, link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4521 if (!sm->mld_links[link_id].valid ||
4522 !ml_key_info.links[i].bigtk ||
4523 !ml_key_info.links[i].igtk_len)
4524 continue;
4525
4526 wpa_printf(MSG_DEBUG, "RSN: MLO BIGTK: link=%u", link_id);
4527 wpa_hexdump_key(MSG_DEBUG, "RSN: MLO BIGTK",
4528 ml_key_info.links[i].bigtk,
4529 ml_key_info.links[i].igtk_len);
4530
4531 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
4532 *pos++ = RSN_SELECTOR_LEN + 2 + 1 +
4533 sizeof(ml_key_info.links[i].bipn) +
4534 ml_key_info.links[i].igtk_len;
4535
4536 RSN_SELECTOR_PUT(pos, RSN_KEY_DATA_MLO_BIGTK);
4537 pos += RSN_SELECTOR_LEN;
4538
4539 /* Add the Key ID */
4540 *pos++ = ml_key_info.links[i].bigtkidx;
4541 *pos++ = 0;
4542
4543 /* Add the BIPN */
4544 os_memcpy(pos, ml_key_info.links[i].bipn,
4545 sizeof(ml_key_info.links[i].bipn));
4546 pos += sizeof(ml_key_info.links[i].bipn);
4547
4548 *pos++ = ml_key_info.links[i].link_id << 4;
4549
4550 os_memcpy(pos, ml_key_info.links[i].bigtk,
4551 ml_key_info.links[i].igtk_len);
4552 pos += ml_key_info.links[i].igtk_len;
4553
4554 i++;
4555 }
4556
4557 wpa_printf(MSG_DEBUG, "RSN: MLO Group KDE len = %ld", (long)(pos - start));
4558 return pos;
4559 }
4560
4561 #endif /* CONFIG_IEEE80211BE */
4562
4563
4564 static size_t wpa_auth_ml_kdes_len(struct wpa_state_machine *sm)
4565 {
4566 size_t kde_len = 0;
4567
4568 #ifdef CONFIG_IEEE80211BE
4569 unsigned int link_id;
4570
4571 if (sm->mld_assoc_link_id < 0)
4572 return 0;
4573
4574 /* For the MAC Address KDE */
4575 kde_len = 2 + RSN_SELECTOR_LEN + ETH_ALEN;
4576
4577 /* MLO Link KDE for each link */
4578 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4579 struct wpa_authenticator *wpa_auth;
4580 const u8 *ie;
4581
4582 wpa_auth = wpa_get_link_auth(sm->wpa_auth, link_id);
4583 if (!wpa_auth)
4584 continue;
4585
4586 kde_len += 2 + RSN_SELECTOR_LEN + 1 + ETH_ALEN;
4587 ie = get_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4588 WLAN_EID_RSN);
4589 if (ie)
4590 kde_len += 2 + ie[1];
4591 ie = get_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4592 WLAN_EID_RSNX);
4593 if (ie)
4594 kde_len += 2 + ie[1];
4595 }
4596
4597 kde_len += wpa_auth_ml_group_kdes_len(sm);
4598 #endif /* CONFIG_IEEE80211BE */
4599
4600 return kde_len;
4601 }
4602
4603
4604 static u8 * wpa_auth_ml_kdes(struct wpa_state_machine *sm, u8 *pos)
4605 {
4606 #ifdef CONFIG_IEEE80211BE
4607 u8 link_id;
4608 u8 *start = pos;
4609
4610 if (sm->mld_assoc_link_id < 0)
4611 return pos;
4612
4613 wpa_printf(MSG_DEBUG, "RSN: MLD: Adding MAC Address KDE");
4614 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR,
4615 sm->wpa_auth->mld_addr, ETH_ALEN, NULL, 0);
4616
4617 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4618 struct wpa_authenticator *wpa_auth;
4619 const u8 *rsne, *rsnxe;
4620 size_t rsne_len, rsnxe_len;
4621
4622 wpa_auth = wpa_get_link_auth(sm->wpa_auth, link_id);
4623 if (!wpa_auth)
4624 continue;
4625
4626 rsne = get_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4627 WLAN_EID_RSN);
4628 rsne_len = rsne ? 2 + rsne[1] : 0;
4629
4630 rsnxe = get_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4631 WLAN_EID_RSNX);
4632 rsnxe_len = rsnxe ? 2 + rsnxe[1] : 0;
4633
4634 wpa_printf(MSG_DEBUG,
4635 "RSN: MLO Link: link=%u, len=%zu", link_id,
4636 RSN_SELECTOR_LEN + 1 + ETH_ALEN +
4637 rsne_len + rsnxe_len);
4638
4639 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
4640 *pos++ = RSN_SELECTOR_LEN + 1 + ETH_ALEN +
4641 rsne_len + rsnxe_len;
4642
4643 RSN_SELECTOR_PUT(pos, RSN_KEY_DATA_MLO_LINK);
4644 pos += RSN_SELECTOR_LEN;
4645
4646 /* Add the Link Information */
4647 *pos = link_id;
4648 if (rsne_len)
4649 *pos |= RSN_MLO_LINK_KDE_LI_RSNE_INFO;
4650 if (rsnxe_len)
4651 *pos |= RSN_MLO_LINK_KDE_LI_RSNXE_INFO;
4652
4653 pos++;
4654 os_memcpy(pos, wpa_auth->addr, ETH_ALEN);
4655 pos += ETH_ALEN;
4656
4657 if (rsne_len) {
4658 os_memcpy(pos, rsne, rsne_len);
4659 pos += rsne_len;
4660 }
4661
4662 if (rsnxe_len) {
4663 os_memcpy(pos, rsnxe, rsnxe_len);
4664 pos += rsnxe_len;
4665 }
4666 }
4667
4668 wpa_printf(MSG_DEBUG, "RSN: MLO Link KDE len = %ld", (long)(pos - start));
4669 pos = wpa_auth_ml_group_kdes(sm, pos);
4670 #endif /* CONFIG_IEEE80211BE */
4671
4672 return pos;
4673 }
4674
4675
4676 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
4677 {
4678 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde = NULL, *pos, stub_gtk[32];
4679 size_t gtk_len, kde_len = 0, wpa_ie_len;
4680 struct wpa_group *gsm = sm->group;
4681 u8 *wpa_ie;
4682 int secure, gtkidx, encr = 0;
4683 u8 *wpa_ie_buf = NULL, *wpa_ie_buf2 = NULL;
4684 u8 hdr[2];
4685 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
4686 #ifdef CONFIG_IEEE80211BE
4687 bool is_mld = sm->mld_assoc_link_id >= 0;
4688 #else /* CONFIG_IEEE80211BE */
4689 bool is_mld = false;
4690 #endif /* CONFIG_IEEE80211BE */
4691
4692 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
4693 sm->TimeoutEvt = false;
4694
4695 sm->TimeoutCtr++;
4696 if (conf->wpa_disable_eapol_key_retries && sm->TimeoutCtr > 1) {
4697 /* Do not allow retransmission of EAPOL-Key msg 3/4 */
4698 return;
4699 }
4700 if (sm->TimeoutCtr > conf->wpa_pairwise_update_count) {
4701 /* No point in sending the EAPOL-Key - we will disconnect
4702 * immediately following this. */
4703 return;
4704 }
4705
4706 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
4707 GTK[GN], IGTK, [BIGTK], [FTIE], [TIE * 2])
4708 */
4709 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
4710 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
4711 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
4712 wpa_ie = sm->wpa_auth->wpa_ie;
4713 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
4714 if (sm->wpa == WPA_VERSION_WPA && (conf->wpa & WPA_PROTO_RSN) &&
4715 wpa_ie_len > wpa_ie[1] + 2U && wpa_ie[0] == WLAN_EID_RSN) {
4716 /* WPA-only STA, remove RSN IE and possible MDIE */
4717 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4718 if (wpa_ie[0] == WLAN_EID_RSNX)
4719 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4720 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
4721 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4722 wpa_ie_len = wpa_ie[1] + 2;
4723 }
4724 #ifdef CONFIG_TESTING_OPTIONS
4725 if (conf->rsne_override_eapol_set) {
4726 wpa_ie_buf2 = replace_ie(
4727 "RSNE", wpa_ie, &wpa_ie_len, WLAN_EID_RSN,
4728 conf->rsne_override_eapol,
4729 conf->rsne_override_eapol_len);
4730 if (!wpa_ie_buf2)
4731 goto done;
4732 wpa_ie = wpa_ie_buf2;
4733 }
4734 if (conf->rsnxe_override_eapol_set) {
4735 wpa_ie_buf = replace_ie(
4736 "RSNXE", wpa_ie, &wpa_ie_len, WLAN_EID_RSNX,
4737 conf->rsnxe_override_eapol,
4738 conf->rsnxe_override_eapol_len);
4739 if (!wpa_ie_buf)
4740 goto done;
4741 wpa_ie = wpa_ie_buf;
4742 }
4743 #endif /* CONFIG_TESTING_OPTIONS */
4744 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
4745 "sending 3/4 msg of 4-Way Handshake");
4746 if (sm->wpa == WPA_VERSION_WPA2) {
4747 if (sm->use_ext_key_id && sm->TimeoutCtr == 1 &&
4748 wpa_auth_set_key(sm->wpa_auth, 0,
4749 wpa_cipher_to_alg(sm->pairwise),
4750 sm->addr,
4751 sm->keyidx_active, sm->PTK.tk,
4752 wpa_cipher_key_len(sm->pairwise),
4753 KEY_FLAG_PAIRWISE_RX)) {
4754 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
4755 WLAN_REASON_PREV_AUTH_NOT_VALID);
4756 return;
4757 }
4758
4759 #ifdef CONFIG_PASN
4760 if (sm->wpa_auth->conf.secure_ltf &&
4761 ieee802_11_rsnx_capab(sm->rsnxe,
4762 WLAN_RSNX_CAPAB_SECURE_LTF) &&
4763 wpa_auth_set_ltf_keyseed(sm->wpa_auth, sm->addr,
4764 sm->PTK.ltf_keyseed,
4765 sm->PTK.ltf_keyseed_len)) {
4766 wpa_printf(MSG_ERROR,
4767 "WPA: Failed to set LTF keyseed to driver");
4768 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
4769 WLAN_REASON_PREV_AUTH_NOT_VALID);
4770 return;
4771 }
4772 #endif /* CONFIG_PASN */
4773
4774 /* WPA2 send GTK in the 4-way handshake */
4775 secure = 1;
4776 gtk = gsm->GTK[gsm->GN - 1];
4777 gtk_len = gsm->GTK_len;
4778 if (conf->disable_gtk ||
4779 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4780 /*
4781 * Provide unique random GTK to each STA to prevent use
4782 * of GTK in the BSS.
4783 */
4784 if (random_get_bytes(stub_gtk, gtk_len) < 0)
4785 goto done;
4786 gtk = stub_gtk;
4787 }
4788 gtkidx = gsm->GN;
4789 _rsc = rsc;
4790 encr = 1;
4791 } else {
4792 /* WPA does not include GTK in msg 3/4 */
4793 secure = 0;
4794 gtk = NULL;
4795 gtk_len = 0;
4796 gtkidx = 0;
4797 _rsc = NULL;
4798 if (sm->rx_eapol_key_secure) {
4799 /*
4800 * It looks like Windows 7 supplicant tries to use
4801 * Secure bit in msg 2/4 after having reported Michael
4802 * MIC failure and it then rejects the 4-way handshake
4803 * if msg 3/4 does not set Secure bit. Work around this
4804 * by setting the Secure bit here even in the case of
4805 * WPA if the supplicant used it first.
4806 */
4807 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
4808 LOGGER_DEBUG,
4809 "STA used Secure bit in WPA msg 2/4 - set Secure for 3/4 as workaround");
4810 secure = 1;
4811 }
4812 }
4813
4814 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
4815
4816 if (sm->use_ext_key_id)
4817 kde_len += 2 + RSN_SELECTOR_LEN + 2;
4818
4819 if (gtk)
4820 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4821 #ifdef CONFIG_IEEE80211R_AP
4822 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4823 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
4824 kde_len += 300; /* FTIE + 2 * TIE */
4825 }
4826 #endif /* CONFIG_IEEE80211R_AP */
4827 #ifdef CONFIG_P2P
4828 if (WPA_GET_BE32(sm->ip_addr) > 0)
4829 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
4830 #endif /* CONFIG_P2P */
4831
4832 if (conf->transition_disable)
4833 kde_len += 2 + RSN_SELECTOR_LEN + 1;
4834
4835 #ifdef CONFIG_DPP2
4836 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
4837 kde_len += 2 + RSN_SELECTOR_LEN + 2;
4838 #endif /* CONFIG_DPP2 */
4839
4840 kde_len += wpa_auth_ml_kdes_len(sm);
4841
4842 if (sm->ssid_protection)
4843 kde_len += 2 + conf->ssid_len;
4844
4845 #ifdef CONFIG_TESTING_OPTIONS
4846 if (conf->eapol_m3_elements)
4847 kde_len += wpabuf_len(conf->eapol_m3_elements);
4848 #endif /* CONFIG_TESTING_OPTIONS */
4849
4850 kde = os_malloc(kde_len);
4851 if (!kde)
4852 goto done;
4853
4854 pos = kde;
4855 if (!is_mld) {
4856 os_memcpy(pos, wpa_ie, wpa_ie_len);
4857 pos += wpa_ie_len;
4858 }
4859 #ifdef CONFIG_IEEE80211R_AP
4860 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4861 int res;
4862 size_t elen;
4863
4864 elen = pos - kde;
4865 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name, true);
4866 if (res < 0) {
4867 wpa_printf(MSG_ERROR,
4868 "FT: Failed to insert PMKR1Name into RSN IE in EAPOL-Key data");
4869 goto done;
4870 }
4871 pos -= wpa_ie_len;
4872 pos += elen;
4873 }
4874 #endif /* CONFIG_IEEE80211R_AP */
4875 hdr[1] = 0;
4876
4877 if (sm->use_ext_key_id) {
4878 hdr[0] = sm->keyidx_active & 0x01;
4879 pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0);
4880 }
4881
4882 if (gtk && !is_mld) {
4883 hdr[0] = gtkidx & 0x03;
4884 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
4885 gtk, gtk_len);
4886 }
4887 pos = ieee80211w_kde_add(sm, pos);
4888 if (ocv_oci_add(sm, &pos, conf->oci_freq_override_eapol_m3) < 0)
4889 goto done;
4890
4891 #ifdef CONFIG_IEEE80211R_AP
4892 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4893 int res;
4894
4895 if (sm->assoc_resp_ftie &&
4896 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
4897 os_memcpy(pos, sm->assoc_resp_ftie,
4898 2 + sm->assoc_resp_ftie[1]);
4899 res = 2 + sm->assoc_resp_ftie[1];
4900 } else {
4901 res = wpa_write_ftie(conf, sm->wpa_key_mgmt,
4902 sm->xxkey_len,
4903 conf->r0_key_holder,
4904 conf->r0_key_holder_len,
4905 NULL, NULL, pos,
4906 kde + kde_len - pos,
4907 NULL, 0, 0);
4908 }
4909 if (res < 0) {
4910 wpa_printf(MSG_ERROR,
4911 "FT: Failed to insert FTIE into EAPOL-Key Key Data");
4912 goto done;
4913 }
4914 pos += res;
4915
4916 /* TIE[ReassociationDeadline] (TU) */
4917 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
4918 *pos++ = 5;
4919 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
4920 WPA_PUT_LE32(pos, conf->reassociation_deadline);
4921 pos += 4;
4922
4923 /* TIE[KeyLifetime] (seconds) */
4924 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
4925 *pos++ = 5;
4926 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
4927 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
4928 pos += 4;
4929 }
4930 #endif /* CONFIG_IEEE80211R_AP */
4931 #ifdef CONFIG_P2P
4932 if (WPA_GET_BE32(sm->ip_addr) > 0) {
4933 u8 addr[3 * 4];
4934 os_memcpy(addr, sm->ip_addr, 4);
4935 os_memcpy(addr + 4, conf->ip_addr_mask, 4);
4936 os_memcpy(addr + 8, conf->ip_addr_go, 4);
4937 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
4938 addr, sizeof(addr), NULL, 0);
4939 }
4940 #endif /* CONFIG_P2P */
4941
4942 if (conf->transition_disable)
4943 pos = wpa_add_kde(pos, WFA_KEY_DATA_TRANSITION_DISABLE,
4944 &conf->transition_disable, 1, NULL, 0);
4945
4946 #ifdef CONFIG_DPP2
4947 if (DPP_VERSION > 1 && sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
4948 u8 payload[2];
4949
4950 payload[0] = DPP_VERSION; /* Protocol Version */
4951 payload[1] = 0; /* Flags */
4952 if (conf->dpp_pfs == 0)
4953 payload[1] |= DPP_KDE_PFS_ALLOWED;
4954 else if (conf->dpp_pfs == 1)
4955 payload[1] |= DPP_KDE_PFS_ALLOWED |
4956 DPP_KDE_PFS_REQUIRED;
4957 pos = wpa_add_kde(pos, WFA_KEY_DATA_DPP,
4958 payload, sizeof(payload), NULL, 0);
4959 }
4960 #endif /* CONFIG_DPP2 */
4961
4962 pos = wpa_auth_ml_kdes(sm, pos);
4963
4964 if (sm->ssid_protection) {
4965 *pos++ = WLAN_EID_SSID;
4966 *pos++ = conf->ssid_len;
4967 os_memcpy(pos, conf->ssid, conf->ssid_len);
4968 pos += conf->ssid_len;
4969 }
4970
4971 #ifdef CONFIG_TESTING_OPTIONS
4972 if (conf->eapol_m3_elements) {
4973 os_memcpy(pos, wpabuf_head(conf->eapol_m3_elements),
4974 wpabuf_len(conf->eapol_m3_elements));
4975 pos += wpabuf_len(conf->eapol_m3_elements);
4976 }
4977
4978 if (conf->eapol_m3_no_encrypt)
4979 encr = 0;
4980 #endif /* CONFIG_TESTING_OPTIONS */
4981
4982 wpa_send_eapol(sm->wpa_auth, sm,
4983 (secure ? WPA_KEY_INFO_SECURE : 0) |
4984 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
4985 WPA_KEY_INFO_MIC : 0) |
4986 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
4987 WPA_KEY_INFO_KEY_TYPE,
4988 _rsc, sm->ANonce, kde, pos - kde, 0, encr);
4989 #ifdef CONFIG_P2P_CHR
4990 wpa_supplicant_upload_go_p2p_state(sm->wpa_auth->cb_ctx, sm->addr,
4991 P2P_INTERFACE_STATE_4WAY_HANDSHAKE_3, P2P_CHR_DEFAULT_REASON_CODE);
4992 #endif
4993 done:
4994 bin_clear_free(kde, kde_len);
4995 os_free(wpa_ie_buf);
4996 os_free(wpa_ie_buf2);
4997 }
4998
4999
5000 static int wpa_auth_validate_ml_kdes_m4(struct wpa_state_machine *sm)
5001 {
5002 #ifdef CONFIG_IEEE80211BE
5003 const struct ieee802_1x_hdr *hdr;
5004 const struct wpa_eapol_key *key;
5005 struct wpa_eapol_ie_parse kde;
5006 const u8 *key_data, *mic;
5007 u16 key_data_length;
5008 size_t mic_len;
5009
5010 if (sm->mld_assoc_link_id < 0)
5011 return 0;
5012
5013 /*
5014 * Note: last_rx_eapol_key length fields have already been validated in
5015 * wpa_receive().
5016 */
5017 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
5018
5019 hdr = (const struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
5020 key = (const struct wpa_eapol_key *) (hdr + 1);
5021 mic = (const u8 *) (key + 1);
5022 key_data = mic + mic_len + 2;
5023 key_data_length = WPA_GET_BE16(mic + mic_len);
5024 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
5025 sizeof(*key) - mic_len - 2)
5026 return -1;
5027
5028 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
5029 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm),
5030 LOGGER_INFO,
5031 "received EAPOL-Key msg 4/4 with invalid Key Data contents");
5032 return -1;
5033 }
5034
5035 /* MLD MAC address must be the same */
5036 if (!kde.mac_addr ||
5037 !ether_addr_equal(kde.mac_addr, sm->peer_mld_addr)) {
5038 wpa_printf(MSG_DEBUG,
5039 "MLD: Mismatching or missing MLD address in EAPOL-Key msg 4/4");
5040 return -1;
5041 }
5042
5043 wpa_printf(MSG_DEBUG, "MLD: MLD address in EAPOL-Key msg 4/4: " MACSTR,
5044 MAC2STR(kde.mac_addr));
5045 #endif /* CONFIG_IEEE80211BE */
5046
5047 return 0;
5048 }
5049
5050
5051 SM_STATE(WPA_PTK, PTKINITDONE)
5052 {
5053 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
5054 sm->EAPOLKeyReceived = false;
5055
5056 if (wpa_auth_validate_ml_kdes_m4(sm) < 0) {
5057 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
5058 WLAN_REASON_PREV_AUTH_NOT_VALID);
5059 return;
5060 }
5061
5062 if (sm->Pair) {
5063 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
5064 int klen = wpa_cipher_key_len(sm->pairwise);
5065 int res;
5066
5067 if (sm->use_ext_key_id)
5068 res = wpa_auth_set_key(sm->wpa_auth, 0, 0, sm->addr,
5069 sm->keyidx_active, NULL, 0,
5070 KEY_FLAG_PAIRWISE_RX_TX_MODIFY);
5071 else
5072 res = wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr,
5073 0, sm->PTK.tk, klen,
5074 KEY_FLAG_PAIRWISE_RX_TX);
5075 if (res) {
5076 #ifdef CONFIG_P2P_CHR
5077 wpa_supplicant_upload_go_p2p_state(sm->wpa_auth->cb_ctx, sm->addr,
5078 P2P_INTERFACE_STATE_DISCONNECTED,
5079 DR_MSG_4_4_WPA_SET_KEY_FAIL);
5080 #endif
5081 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
5082 WLAN_REASON_PREV_AUTH_NOT_VALID);
5083 return;
5084 }
5085
5086 #ifdef CONFIG_PASN
5087 if (sm->wpa_auth->conf.secure_ltf &&
5088 ieee802_11_rsnx_capab(sm->rsnxe,
5089 WLAN_RSNX_CAPAB_SECURE_LTF) &&
5090 wpa_auth_set_ltf_keyseed(sm->wpa_auth, sm->addr,
5091 sm->PTK.ltf_keyseed,
5092 sm->PTK.ltf_keyseed_len)) {
5093 wpa_printf(MSG_ERROR,
5094 "WPA: Failed to set LTF keyseed to driver");
5095 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
5096 WLAN_REASON_PREV_AUTH_NOT_VALID);
5097 return;
5098 }
5099 #endif /* CONFIG_PASN */
5100
5101 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
5102 sm->pairwise_set = true;
5103
5104 wpa_auth_set_ptk_rekey_timer(sm);
5105 wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, sm->pairwise,
5106 dot11RSNAConfigPMKLifetime, &sm->PTK);
5107
5108 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
5109 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
5110 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
5111 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
5112 WPA_EAPOL_authorized, 1);
5113 }
5114 }
5115
5116 if (0 /* IBSS == TRUE */) {
5117 sm->keycount++;
5118 if (sm->keycount == 2) {
5119 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
5120 WPA_EAPOL_portValid, 1);
5121 }
5122 } else {
5123 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
5124 1);
5125 }
5126 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable,
5127 false);
5128 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, true);
5129 if (sm->wpa == WPA_VERSION_WPA)
5130 sm->PInitAKeys = true;
5131 else
5132 sm->has_GTK = true;
5133 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
5134 "pairwise key handshake completed (%s)",
5135 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
5136 wpa_msg(sm->wpa_auth->conf.msg_ctx, MSG_INFO, "EAPOL-4WAY-HS-COMPLETED "
5137 MACSTR, MAC2STR(sm->addr));
5138
5139 #ifdef CONFIG_IEEE80211R_AP
5140 wpa_ft_push_pmk_r1(sm->wpa_auth, wpa_auth_get_spa(sm));
5141 #endif /* CONFIG_IEEE80211R_AP */
5142
5143 sm->ptkstart_without_success = 0;
5144 }
5145
5146
5147 SM_STEP(WPA_PTK)
5148 {
5149 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
5150 struct wpa_auth_config *conf = &wpa_auth->conf;
5151
5152 if (sm->Init)
5153 SM_ENTER(WPA_PTK, INITIALIZE);
5154 else if (sm->Disconnect
5155 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
5156 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
5157 "WPA_PTK: sm->Disconnect");
5158 SM_ENTER(WPA_PTK, DISCONNECT);
5159 }
5160 else if (sm->DeauthenticationRequest)
5161 SM_ENTER(WPA_PTK, DISCONNECTED);
5162 else if (sm->AuthenticationRequest)
5163 SM_ENTER(WPA_PTK, AUTHENTICATION);
5164 else if (sm->ReAuthenticationRequest)
5165 SM_ENTER(WPA_PTK, AUTHENTICATION2);
5166 else if (sm->PTKRequest) {
5167 if (wpa_auth_sm_ptk_update(sm) < 0)
5168 SM_ENTER(WPA_PTK, DISCONNECTED);
5169 else
5170 SM_ENTER(WPA_PTK, PTKSTART);
5171 } else switch (sm->wpa_ptk_state) {
5172 case WPA_PTK_INITIALIZE:
5173 break;
5174 case WPA_PTK_DISCONNECT:
5175 SM_ENTER(WPA_PTK, DISCONNECTED);
5176 break;
5177 case WPA_PTK_DISCONNECTED:
5178 SM_ENTER(WPA_PTK, INITIALIZE);
5179 break;
5180 case WPA_PTK_AUTHENTICATION:
5181 SM_ENTER(WPA_PTK, AUTHENTICATION2);
5182 break;
5183 case WPA_PTK_AUTHENTICATION2:
5184 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
5185 wpa_auth_get_eapol(wpa_auth, sm->addr,
5186 WPA_EAPOL_keyRun))
5187 SM_ENTER(WPA_PTK, INITPMK);
5188 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
5189 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
5190 /* FIX: && 802.1X::keyRun */)
5191 SM_ENTER(WPA_PTK, INITPSK);
5192 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
5193 SM_ENTER(WPA_PTK, INITPMK);
5194 break;
5195 case WPA_PTK_INITPMK:
5196 if (wpa_auth_get_eapol(wpa_auth, sm->addr,
5197 WPA_EAPOL_keyAvailable)) {
5198 SM_ENTER(WPA_PTK, PTKSTART);
5199 #ifdef CONFIG_DPP
5200 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) {
5201 SM_ENTER(WPA_PTK, PTKSTART);
5202 #endif /* CONFIG_DPP */
5203 } else {
5204 wpa_auth->dot11RSNA4WayHandshakeFailures++;
5205 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
5206 LOGGER_INFO,
5207 "INITPMK - keyAvailable = false");
5208 SM_ENTER(WPA_PTK, DISCONNECT);
5209 }
5210 break;
5211 case WPA_PTK_INITPSK:
5212 if (wpa_auth_get_psk(wpa_auth, sm->addr, sm->p2p_dev_addr,
5213 NULL, NULL, NULL)) {
5214 SM_ENTER(WPA_PTK, PTKSTART);
5215 #ifdef CONFIG_SAE
5216 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) {
5217 SM_ENTER(WPA_PTK, PTKSTART);
5218 #endif /* CONFIG_SAE */
5219 } else if (wpa_key_mgmt_wpa_psk_no_sae(sm->wpa_key_mgmt) &&
5220 wpa_auth->conf.radius_psk) {
5221 wpa_printf(MSG_DEBUG,
5222 "INITPSK: No PSK yet available for STA - use RADIUS later");
5223 SM_ENTER(WPA_PTK, PTKSTART);
5224 } else {
5225 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
5226 LOGGER_INFO,
5227 "no PSK configured for the STA");
5228 wpa_auth->dot11RSNA4WayHandshakeFailures++;
5229 SM_ENTER(WPA_PTK, DISCONNECT);
5230 }
5231 break;
5232 case WPA_PTK_PTKSTART:
5233 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
5234 sm->EAPOLKeyPairwise)
5235 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
5236 else if (sm->TimeoutCtr > conf->wpa_pairwise_update_count) {
5237 wpa_auth->dot11RSNA4WayHandshakeFailures++;
5238 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
5239 LOGGER_DEBUG,
5240 "PTKSTART: Retry limit %u reached",
5241 conf->wpa_pairwise_update_count);
5242 sm->disconnect_reason =
5243 WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT;
5244 SM_ENTER(WPA_PTK, DISCONNECT);
5245 } else if (sm->TimeoutEvt)
5246 SM_ENTER(WPA_PTK, PTKSTART);
5247 break;
5248 case WPA_PTK_PTKCALCNEGOTIATING:
5249 if (sm->MICVerified)
5250 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
5251 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
5252 sm->EAPOLKeyPairwise)
5253 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
5254 else if (sm->TimeoutEvt)
5255 SM_ENTER(WPA_PTK, PTKSTART);
5256 break;
5257 case WPA_PTK_PTKCALCNEGOTIATING2:
5258 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
5259 break;
5260 case WPA_PTK_PTKINITNEGOTIATING:
5261 if (sm->update_snonce)
5262 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
5263 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
5264 sm->EAPOLKeyPairwise && sm->MICVerified)
5265 SM_ENTER(WPA_PTK, PTKINITDONE);
5266 else if (sm->TimeoutCtr >
5267 conf->wpa_pairwise_update_count ||
5268 (conf->wpa_disable_eapol_key_retries &&
5269 sm->TimeoutCtr > 1)) {
5270 wpa_auth->dot11RSNA4WayHandshakeFailures++;
5271 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
5272 LOGGER_DEBUG,
5273 "PTKINITNEGOTIATING: Retry limit %u reached",
5274 conf->wpa_pairwise_update_count);
5275 sm->disconnect_reason =
5276 WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT;
5277 SM_ENTER(WPA_PTK, DISCONNECT);
5278 } else if (sm->TimeoutEvt)
5279 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
5280 break;
5281 case WPA_PTK_PTKINITDONE:
5282 break;
5283 }
5284 }
5285
5286
5287 SM_STATE(WPA_PTK_GROUP, IDLE)
5288 {
5289 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
5290 if (sm->Init) {
5291 /* Init flag is not cleared here, so avoid busy
5292 * loop by claiming nothing changed. */
5293 sm->changed = false;
5294 }
5295 sm->GTimeoutCtr = 0;
5296 }
5297
5298
5299 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
5300 {
5301 u8 rsc[WPA_KEY_RSC_LEN];
5302 struct wpa_group *gsm = sm->group;
5303 const u8 *kde = NULL;
5304 u8 *kde_buf = NULL, *pos, hdr[2];
5305 size_t kde_len = 0;
5306 u8 *gtk, stub_gtk[32];
5307 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
5308 bool is_mld = false;
5309
5310 #ifdef CONFIG_IEEE80211BE
5311 is_mld = sm->mld_assoc_link_id >= 0;
5312 #endif /* CONFIG_IEEE80211BE */
5313
5314 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
5315
5316 sm->GTimeoutCtr++;
5317 if (conf->wpa_disable_eapol_key_retries && sm->GTimeoutCtr > 1) {
5318 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */
5319 return;
5320 }
5321 if (sm->GTimeoutCtr > conf->wpa_group_update_count) {
5322 /* No point in sending the EAPOL-Key - we will disconnect
5323 * immediately following this. */
5324 return;
5325 }
5326
5327 if (sm->wpa == WPA_VERSION_WPA)
5328 sm->PInitAKeys = false;
5329 sm->TimeoutEvt = false;
5330 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
5331 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
5332 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
5333 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
5334 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
5335 "sending 1/2 msg of Group Key Handshake");
5336
5337 gtk = gsm->GTK[gsm->GN - 1];
5338 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
5339 /*
5340 * Provide unique random GTK to each STA to prevent use
5341 * of GTK in the BSS.
5342 */
5343 if (random_get_bytes(stub_gtk, gsm->GTK_len) < 0)
5344 return;
5345 gtk = stub_gtk;
5346 }
5347
5348 if (sm->wpa == WPA_VERSION_WPA2 && !is_mld) {
5349 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
5350 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
5351 kde_buf = os_malloc(kde_len);
5352 if (!kde_buf)
5353 return;
5354
5355 kde = pos = kde_buf;
5356 hdr[0] = gsm->GN & 0x03;
5357 hdr[1] = 0;
5358 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5359 gtk, gsm->GTK_len);
5360 pos = ieee80211w_kde_add(sm, pos);
5361 if (ocv_oci_add(sm, &pos,
5362 conf->oci_freq_override_eapol_g1) < 0) {
5363 os_free(kde_buf);
5364 return;
5365 }
5366 kde_len = pos - kde;
5367 #ifdef CONFIG_IEEE80211BE
5368 } else if (sm->wpa == WPA_VERSION_WPA2 && is_mld) {
5369 kde_len = wpa_auth_ml_group_kdes_len(sm);
5370 if (kde_len) {
5371 kde_buf = os_malloc(kde_len);
5372 if (!kde_buf)
5373 return;
5374
5375 kde = pos = kde_buf;
5376 pos = wpa_auth_ml_group_kdes(sm, pos);
5377 kde_len = pos - kde_buf;
5378 }
5379 #endif /* CONFIG_IEEE80211BE */
5380 } else {
5381 kde = gtk;
5382 kde_len = gsm->GTK_len;
5383 }
5384
5385 wpa_send_eapol(sm->wpa_auth, sm,
5386 WPA_KEY_INFO_SECURE |
5387 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5388 WPA_KEY_INFO_MIC : 0) |
5389 WPA_KEY_INFO_ACK |
5390 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
5391 rsc, NULL, kde, kde_len, gsm->GN, 1);
5392
5393 bin_clear_free(kde_buf, kde_len);
5394 }
5395
5396
5397 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
5398 {
5399 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
5400 #ifdef CONFIG_OCV
5401 const u8 *key_data, *mic;
5402 struct ieee802_1x_hdr *hdr;
5403 struct wpa_eapol_key *key;
5404 struct wpa_eapol_ie_parse kde;
5405 size_t mic_len;
5406 u16 key_data_length;
5407 #endif /* CONFIG_OCV */
5408
5409 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
5410 sm->EAPOLKeyReceived = false;
5411
5412 #ifdef CONFIG_OCV
5413 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
5414
5415 /*
5416 * Note: last_rx_eapol_key length fields have already been validated in
5417 * wpa_receive().
5418 */
5419 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
5420 key = (struct wpa_eapol_key *) (hdr + 1);
5421 mic = (u8 *) (key + 1);
5422 key_data = mic + mic_len + 2;
5423 key_data_length = WPA_GET_BE16(mic + mic_len);
5424 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
5425 sizeof(*key) - mic_len - 2)
5426 return;
5427
5428 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
5429 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
5430 "received EAPOL-Key group msg 2/2 with invalid Key Data contents");
5431 return;
5432 }
5433
5434 if (wpa_auth_uses_ocv(sm)) {
5435 struct wpa_channel_info ci;
5436 int tx_chanwidth;
5437 int tx_seg1_idx;
5438
5439 if (wpa_channel_info(wpa_auth, &ci) != 0) {
5440 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
5441 LOGGER_INFO,
5442 "Failed to get channel info to validate received OCI in EAPOL-Key group 2/2");
5443 return;
5444 }
5445
5446 if (get_sta_tx_parameters(sm,
5447 channel_width_to_int(ci.chanwidth),
5448 ci.seg1_idx, &tx_chanwidth,
5449 &tx_seg1_idx) < 0)
5450 return;
5451
5452 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
5453 tx_chanwidth, tx_seg1_idx) !=
5454 OCI_SUCCESS) {
5455 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
5456 LOGGER_INFO,
5457 "OCV failed: %s", ocv_errorstr);
5458 if (wpa_auth->conf.msg_ctx)
5459 wpa_msg(wpa_auth->conf.msg_ctx, MSG_INFO,
5460 OCV_FAILURE "addr=" MACSTR
5461 " frame=eapol-key-g2 error=%s",
5462 MAC2STR(wpa_auth_get_spa(sm)),
5463 ocv_errorstr);
5464 return;
5465 }
5466 }
5467 #endif /* CONFIG_OCV */
5468
5469 if (sm->GUpdateStationKeys)
5470 wpa_gkeydone_sta(sm);
5471 sm->GTimeoutCtr = 0;
5472 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
5473 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
5474 "group key handshake completed (%s)",
5475 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
5476 sm->has_GTK = true;
5477 }
5478
5479
5480 SM_STATE(WPA_PTK_GROUP, KEYERROR)
5481 {
5482 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
5483 if (sm->GUpdateStationKeys)
5484 wpa_gkeydone_sta(sm);
5485 if (sm->wpa_auth->conf.no_disconnect_on_group_keyerror &&
5486 sm->wpa == WPA_VERSION_WPA2) {
5487 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm),
5488 LOGGER_DEBUG,
5489 "group key handshake failed after %u tries - allow STA to remain connected",
5490 sm->wpa_auth->conf.wpa_group_update_count);
5491 return;
5492 }
5493 sm->Disconnect = true;
5494 sm->disconnect_reason = WLAN_REASON_GROUP_KEY_UPDATE_TIMEOUT;
5495 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
5496 "group key handshake failed (%s) after %u tries",
5497 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
5498 sm->wpa_auth->conf.wpa_group_update_count);
5499 }
5500
5501
5502 SM_STEP(WPA_PTK_GROUP)
5503 {
5504 if (sm->Init || sm->PtkGroupInit) {
5505 SM_ENTER(WPA_PTK_GROUP, IDLE);
5506 sm->PtkGroupInit = false;
5507 } else switch (sm->wpa_ptk_group_state) {
5508 case WPA_PTK_GROUP_IDLE:
5509 if (sm->GUpdateStationKeys ||
5510 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
5511 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
5512 break;
5513 case WPA_PTK_GROUP_REKEYNEGOTIATING:
5514 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
5515 !sm->EAPOLKeyPairwise && sm->MICVerified)
5516 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
5517 else if (sm->GTimeoutCtr >
5518 sm->wpa_auth->conf.wpa_group_update_count ||
5519 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
5520 sm->GTimeoutCtr > 1))
5521 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
5522 else if (sm->TimeoutEvt)
5523 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
5524 break;
5525 case WPA_PTK_GROUP_KEYERROR:
5526 SM_ENTER(WPA_PTK_GROUP, IDLE);
5527 break;
5528 case WPA_PTK_GROUP_REKEYESTABLISHED:
5529 SM_ENTER(WPA_PTK_GROUP, IDLE);
5530 break;
5531 }
5532 }
5533
5534
5535 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
5536 struct wpa_group *group)
5537 {
5538 struct wpa_auth_config *conf = &wpa_auth->conf;
5539 int ret = 0;
5540 size_t len;
5541
5542 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
5543 inc_byte_array(group->Counter, WPA_NONCE_LEN);
5544 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
5545 wpa_auth->addr, group->GNonce,
5546 group->GTK[group->GN - 1], group->GTK_len) < 0)
5547 ret = -1;
5548 wpa_hexdump_key(MSG_DEBUG, "GTK",
5549 group->GTK[group->GN - 1], group->GTK_len);
5550
5551 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
5552 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
5553 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
5554 inc_byte_array(group->Counter, WPA_NONCE_LEN);
5555 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
5556 wpa_auth->addr, group->GNonce,
5557 group->IGTK[group->GN_igtk - 4], len) < 0)
5558 ret = -1;
5559 wpa_hexdump_key(MSG_DEBUG, "IGTK",
5560 group->IGTK[group->GN_igtk - 4], len);
5561 }
5562
5563 if (!wpa_auth->non_tx_beacon_prot &&
5564 conf->ieee80211w == NO_MGMT_FRAME_PROTECTION)
5565 return ret;
5566 if (!conf->beacon_prot)
5567 return ret;
5568
5569 if (wpa_auth->conf.tx_bss_auth) {
5570 group = wpa_auth->conf.tx_bss_auth->group;
5571 if (group->bigtk_set)
5572 return ret;
5573 wpa_printf(MSG_DEBUG, "Set up BIGTK for TX BSS");
5574 }
5575
5576 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
5577 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
5578 inc_byte_array(group->Counter, WPA_NONCE_LEN);
5579 if (wpa_gmk_to_gtk(group->GMK, "BIGTK key expansion",
5580 wpa_auth->addr, group->GNonce,
5581 group->BIGTK[group->GN_bigtk - 6], len) < 0)
5582 return -1;
5583 group->bigtk_set = true;
5584 wpa_hexdump_key(MSG_DEBUG, "BIGTK",
5585 group->BIGTK[group->GN_bigtk - 6], len);
5586
5587 return ret;
5588 }
5589
5590
5591 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
5592 struct wpa_group *group)
5593 {
5594 wpa_printf(MSG_DEBUG,
5595 "WPA: group state machine entering state GTK_INIT (VLAN-ID %d)",
5596 group->vlan_id);
5597 group->changed = false; /* GInit is not cleared here; avoid loop */
5598 group->wpa_group_state = WPA_GROUP_GTK_INIT;
5599
5600 /* GTK[0..N] = 0 */
5601 os_memset(group->GTK, 0, sizeof(group->GTK));
5602 group->GN = 1;
5603 group->GM = 2;
5604 group->GN_igtk = 4;
5605 group->GM_igtk = 5;
5606 group->GN_bigtk = 6;
5607 group->GM_bigtk = 7;
5608 /* GTK[GN] = CalcGTK() */
5609 wpa_gtk_update(wpa_auth, group);
5610 }
5611
5612
5613 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
5614 {
5615 if (ctx != NULL && ctx != sm->group)
5616 return 0;
5617
5618 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
5619 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
5620 LOGGER_DEBUG,
5621 "Not in PTKINITDONE; skip Group Key update");
5622 sm->GUpdateStationKeys = false;
5623 return 0;
5624 }
5625 if (sm->GUpdateStationKeys) {
5626 /*
5627 * This should not really happen, so add a debug log entry.
5628 * Since we clear the GKeyDoneStations before the loop, the
5629 * station needs to be counted here anyway.
5630 */
5631 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
5632 LOGGER_DEBUG,
5633 "GUpdateStationKeys was already set when marking station for GTK rekeying");
5634 }
5635
5636 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
5637 if (sm->is_wnmsleep)
5638 return 0;
5639
5640 sm->group->GKeyDoneStations++;
5641 sm->GUpdateStationKeys = true;
5642
5643 wpa_sm_step(sm);
5644 return 0;
5645 }
5646
5647
5648 #ifdef CONFIG_WNM_AP
5649 /* update GTK when exiting WNM-Sleep Mode */
5650 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
5651 {
5652 if (!sm || sm->is_wnmsleep)
5653 return;
5654
5655 wpa_group_update_sta(sm, NULL);
5656 }
5657
5658
5659 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
5660 {
5661 if (sm)
5662 sm->is_wnmsleep = !!flag;
5663 }
5664
5665
5666 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
5667 {
5668 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
5669 struct wpa_group *gsm = sm->group;
5670 u8 *start = pos;
5671
5672 /*
5673 * GTK subelement:
5674 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
5675 * Key[5..32]
5676 */
5677 *pos++ = WNM_SLEEP_SUBELEM_GTK;
5678 *pos++ = 11 + gsm->GTK_len;
5679 /* Key ID in B0-B1 of Key Info */
5680 WPA_PUT_LE16(pos, gsm->GN & 0x03);
5681 pos += 2;
5682 *pos++ = gsm->GTK_len;
5683 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
5684 return 0;
5685 pos += 8;
5686 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
5687 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
5688 /*
5689 * Provide unique random GTK to each STA to prevent use
5690 * of GTK in the BSS.
5691 */
5692 if (random_get_bytes(pos, gsm->GTK_len) < 0)
5693 return 0;
5694 }
5695 pos += gsm->GTK_len;
5696
5697 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
5698 gsm->GN);
5699 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
5700 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
5701
5702 return pos - start;
5703 }
5704
5705
5706 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
5707 {
5708 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
5709 struct wpa_group *gsm = sm->group;
5710 u8 *start = pos;
5711 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
5712
5713 /*
5714 * IGTK subelement:
5715 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
5716 */
5717 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
5718 *pos++ = 2 + 6 + len;
5719 WPA_PUT_LE16(pos, gsm->GN_igtk);
5720 pos += 2;
5721 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
5722 return 0;
5723 pos += 6;
5724
5725 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
5726 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
5727 /*
5728 * Provide unique random IGTK to each STA to prevent use
5729 * of IGTK in the BSS.
5730 */
5731 if (random_get_bytes(pos, len) < 0)
5732 return 0;
5733 }
5734 pos += len;
5735
5736 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
5737 gsm->GN_igtk);
5738 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
5739 gsm->IGTK[gsm->GN_igtk - 4], len);
5740
5741 return pos - start;
5742 }
5743
5744
5745 int wpa_wnmsleep_bigtk_subelem(struct wpa_state_machine *sm, u8 *pos)
5746 {
5747 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
5748 struct wpa_group *gsm = wpa_auth->group;
5749 u8 *start = pos;
5750 size_t len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
5751
5752 /*
5753 * BIGTK subelement:
5754 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
5755 */
5756 *pos++ = WNM_SLEEP_SUBELEM_BIGTK;
5757 *pos++ = 2 + 6 + len;
5758 WPA_PUT_LE16(pos, gsm->GN_bigtk);
5759 pos += 2;
5760 if (wpa_auth_get_seqnum(wpa_auth, NULL, gsm->GN_bigtk, pos) != 0)
5761 return 0;
5762 pos += 6;
5763
5764 os_memcpy(pos, gsm->BIGTK[gsm->GN_bigtk - 6], len);
5765 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
5766 /*
5767 * Provide unique random BIGTK to each STA to prevent use
5768 * of BIGTK in the BSS.
5769 */
5770 if (random_get_bytes(pos, len) < 0)
5771 return 0;
5772 }
5773 pos += len;
5774
5775 wpa_printf(MSG_DEBUG, "WNM: BIGTK Key ID %u in WNM-Sleep Mode exit",
5776 gsm->GN_bigtk);
5777 wpa_hexdump_key(MSG_DEBUG, "WNM: BIGTK in WNM-Sleep Mode exit",
5778 gsm->BIGTK[gsm->GN_bigtk - 6], len);
5779
5780 return pos - start;
5781 }
5782
5783 #endif /* CONFIG_WNM_AP */
5784
5785
5786 static void wpa_group_update_gtk(struct wpa_authenticator *wpa_auth,
5787 struct wpa_group *group)
5788 {
5789 int tmp;
5790
5791 tmp = group->GM;
5792 group->GM = group->GN;
5793 group->GN = tmp;
5794 tmp = group->GM_igtk;
5795 group->GM_igtk = group->GN_igtk;
5796 group->GN_igtk = tmp;
5797 tmp = group->GM_bigtk;
5798 group->GM_bigtk = group->GN_bigtk;
5799 group->GN_bigtk = tmp;
5800 /* "GKeyDoneStations = GNoStations" is done in more robust way by
5801 * counting the STAs that are marked with GUpdateStationKeys instead of
5802 * including all STAs that could be in not-yet-completed state. */
5803 wpa_gtk_update(wpa_auth, group);
5804 }
5805
5806
5807 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
5808 struct wpa_group *group)
5809 {
5810 wpa_printf(MSG_EXCESSIVE,
5811 "WPA: group state machine entering state SETKEYS (VLAN-ID %d)",
5812 group->vlan_id);
5813 group->changed = true;
5814 group->wpa_group_state = WPA_GROUP_SETKEYS;
5815 group->GTKReKey = false;
5816
5817 #ifdef CONFIG_IEEE80211BE
5818 if (wpa_auth->is_ml)
5819 goto skip_update;
5820 #endif /* CONFIG_IEEE80211BE */
5821
5822 wpa_group_update_gtk(wpa_auth, group);
5823
5824 if (group->GKeyDoneStations) {
5825 wpa_printf(MSG_DEBUG,
5826 "wpa_group_setkeys: Unexpected GKeyDoneStations=%d when starting new GTK rekey",
5827 group->GKeyDoneStations);
5828 group->GKeyDoneStations = 0;
5829 }
5830
5831 #ifdef CONFIG_IEEE80211BE
5832 skip_update:
5833 #endif /* CONFIG_IEEE80211BE */
5834 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
5835 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
5836 group->GKeyDoneStations);
5837 }
5838
5839
5840 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
5841 struct wpa_group *group)
5842 {
5843 struct wpa_auth_config *conf = &wpa_auth->conf;
5844 int ret = 0;
5845
5846 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
5847 wpa_cipher_to_alg(conf->wpa_group),
5848 broadcast_ether_addr, group->GN,
5849 group->GTK[group->GN - 1], group->GTK_len,
5850 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
5851 ret = -1;
5852
5853 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
5854 enum wpa_alg alg;
5855 size_t len;
5856
5857 alg = wpa_cipher_to_alg(conf->group_mgmt_cipher);
5858 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
5859
5860 if (ret == 0 &&
5861 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
5862 broadcast_ether_addr, group->GN_igtk,
5863 group->IGTK[group->GN_igtk - 4], len,
5864 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
5865 ret = -1;
5866
5867 if (ret || !conf->beacon_prot)
5868 return ret;
5869 if (wpa_auth->conf.tx_bss_auth) {
5870 wpa_auth = wpa_auth->conf.tx_bss_auth;
5871 group = wpa_auth->group;
5872 if (!group->bigtk_set || group->bigtk_configured)
5873 return ret;
5874 }
5875 if (wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
5876 broadcast_ether_addr, group->GN_bigtk,
5877 group->BIGTK[group->GN_bigtk - 6], len,
5878 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
5879 ret = -1;
5880 else
5881 group->bigtk_configured = true;
5882 }
5883
5884 return ret;
5885 }
5886
5887
5888 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
5889 {
5890 if (sm->group == ctx) {
5891 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR_SEC
5892 " for disconnection due to fatal failure",
5893 MAC2STR_SEC(wpa_auth_get_spa(sm)));
5894 sm->Disconnect = true;
5895 }
5896
5897 return 0;
5898 }
5899
5900
5901 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
5902 struct wpa_group *group)
5903 {
5904 wpa_printf(MSG_DEBUG,
5905 "WPA: group state machine entering state FATAL_FAILURE");
5906 group->changed = true;
5907 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
5908 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
5909 }
5910
5911
5912 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
5913 struct wpa_group *group)
5914 {
5915 wpa_printf(MSG_DEBUG,
5916 "WPA: group state machine entering state SETKEYSDONE (VLAN-ID %d)",
5917 group->vlan_id);
5918 group->changed = true;
5919 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
5920
5921 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
5922 wpa_group_fatal_failure(wpa_auth, group);
5923 return -1;
5924 }
5925
5926 return 0;
5927 }
5928
5929
5930 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
5931 struct wpa_group *group)
5932 {
5933 if (group->GInit) {
5934 wpa_group_gtk_init(wpa_auth, group);
5935 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
5936 /* Do not allow group operations */
5937 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
5938 group->GTKAuthenticator) {
5939 wpa_group_setkeysdone(wpa_auth, group);
5940 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
5941 group->GTKReKey) {
5942 wpa_group_setkeys(wpa_auth, group);
5943 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
5944 if (group->GKeyDoneStations == 0)
5945 wpa_group_setkeysdone(wpa_auth, group);
5946 else if (group->GTKReKey)
5947 wpa_group_setkeys(wpa_auth, group);
5948 }
5949 }
5950
5951
5952 static void wpa_clear_changed(struct wpa_state_machine *sm)
5953 {
5954 #ifdef CONFIG_IEEE80211BE
5955 int link_id;
5956 #endif /* CONFIG_IEEE80211BE */
5957
5958 sm->changed = false;
5959 sm->wpa_auth->group->changed = false;
5960
5961 #ifdef CONFIG_IEEE80211BE
5962 for_each_sm_auth(sm, link_id)
5963 sm->mld_links[link_id].wpa_auth->group->changed = false;
5964 #endif /* CONFIG_IEEE80211BE */
5965 }
5966
5967
5968 static void wpa_group_sm_step_links(struct wpa_state_machine *sm)
5969 {
5970 #ifdef CONFIG_IEEE80211BE
5971 int link_id;
5972 #endif /* CONFIG_IEEE80211BE */
5973
5974 if (!sm || !sm->wpa_auth)
5975 return;
5976 wpa_group_sm_step(sm->wpa_auth, sm->wpa_auth->group);
5977
5978 #ifdef CONFIG_IEEE80211BE
5979 for_each_sm_auth(sm, link_id) {
5980 wpa_group_sm_step(sm->mld_links[link_id].wpa_auth,
5981 sm->mld_links[link_id].wpa_auth->group);
5982 }
5983 #endif /* CONFIG_IEEE80211BE */
5984 }
5985
5986
5987 static bool wpa_group_sm_changed(struct wpa_state_machine *sm)
5988 {
5989 #ifdef CONFIG_IEEE80211BE
5990 int link_id;
5991 #endif /* CONFIG_IEEE80211BE */
5992 bool changed;
5993
5994 if (!sm || !sm->wpa_auth)
5995 return false;
5996 changed = sm->wpa_auth->group->changed;
5997
5998 #ifdef CONFIG_IEEE80211BE
5999 for_each_sm_auth(sm, link_id)
6000 changed |= sm->mld_links[link_id].wpa_auth->group->changed;
6001 #endif /* CONFIG_IEEE80211BE */
6002
6003 return changed;
6004 }
6005
6006
6007 static int wpa_sm_step(struct wpa_state_machine *sm)
6008 {
6009 if (!sm)
6010 return 0;
6011
6012 if (sm->in_step_loop) {
6013 /* This should not happen, but if it does, make sure we do not
6014 * end up freeing the state machine too early by exiting the
6015 * recursive call. */
6016 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
6017 return 0;
6018 }
6019
6020 sm->in_step_loop = 1;
6021 do {
6022 if (sm->pending_deinit)
6023 break;
6024
6025 wpa_clear_changed(sm);
6026
6027 SM_STEP_RUN(WPA_PTK);
6028 if (sm->pending_deinit)
6029 break;
6030 SM_STEP_RUN(WPA_PTK_GROUP);
6031 if (sm->pending_deinit)
6032 break;
6033 wpa_group_sm_step_links(sm);
6034 } while (sm->changed || wpa_group_sm_changed(sm));
6035 sm->in_step_loop = 0;
6036
6037 if (sm->pending_deinit) {
6038 wpa_printf(MSG_DEBUG,
6039 "WPA: Completing pending STA state machine deinit for "
6040 MACSTR_SEC, MAC2STR_SEC(wpa_auth_get_spa(sm)));
6041 wpa_free_sta_sm(sm);
6042 return 1;
6043 }
6044 return 0;
6045 }
6046
6047
6048 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
6049 {
6050 struct wpa_state_machine *sm = eloop_ctx;
6051 wpa_sm_step(sm);
6052 }
6053
6054
6055 void wpa_auth_sm_notify(struct wpa_state_machine *sm)
6056 {
6057 if (!sm)
6058 return;
6059 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
6060 }
6061
6062
6063 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
6064 {
6065 int tmp, i;
6066 struct wpa_group *group;
6067
6068 if (!wpa_auth)
6069 return;
6070
6071 group = wpa_auth->group;
6072
6073 for (i = 0; i < 2; i++) {
6074 tmp = group->GM;
6075 group->GM = group->GN;
6076 group->GN = tmp;
6077 tmp = group->GM_igtk;
6078 group->GM_igtk = group->GN_igtk;
6079 group->GN_igtk = tmp;
6080 if (!wpa_auth->conf.tx_bss_auth) {
6081 tmp = group->GM_bigtk;
6082 group->GM_bigtk = group->GN_bigtk;
6083 group->GN_bigtk = tmp;
6084 }
6085 wpa_gtk_update(wpa_auth, group);
6086 wpa_group_config_group_keys(wpa_auth, group);
6087 }
6088 }
6089
6090
6091 static const char * wpa_bool_txt(int val)
6092 {
6093 return val ? "TRUE" : "FALSE";
6094 }
6095
6096
6097 #define RSN_SUITE "%02x-%02x-%02x-%d"
6098 #define RSN_SUITE_ARG(s) \
6099 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
6100
6101 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
6102 {
6103 struct wpa_auth_config *conf;
6104 int len = 0, ret;
6105 char pmkid_txt[PMKID_LEN * 2 + 1];
6106 #ifdef CONFIG_RSN_PREAUTH
6107 const int preauth = 1;
6108 #else /* CONFIG_RSN_PREAUTH */
6109 const int preauth = 0;
6110 #endif /* CONFIG_RSN_PREAUTH */
6111
6112 if (!wpa_auth)
6113 return len;
6114 conf = &wpa_auth->conf;
6115
6116 ret = os_snprintf(buf + len, buflen - len,
6117 "dot11RSNAOptionImplemented=TRUE\n"
6118 "dot11RSNAPreauthenticationImplemented=%s\n"
6119 "dot11RSNAEnabled=%s\n"
6120 "dot11RSNAPreauthenticationEnabled=%s\n",
6121 wpa_bool_txt(preauth),
6122 wpa_bool_txt(conf->wpa & WPA_PROTO_RSN),
6123 wpa_bool_txt(conf->rsn_preauth));
6124 if (os_snprintf_error(buflen - len, ret))
6125 return len;
6126 len += ret;
6127
6128 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
6129 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
6130
6131 ret = os_snprintf(
6132 buf + len, buflen - len,
6133 "dot11RSNAConfigVersion=%u\n"
6134 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
6135 /* FIX: dot11RSNAConfigGroupCipher */
6136 /* FIX: dot11RSNAConfigGroupRekeyMethod */
6137 /* FIX: dot11RSNAConfigGroupRekeyTime */
6138 /* FIX: dot11RSNAConfigGroupRekeyPackets */
6139 "dot11RSNAConfigGroupRekeyStrict=%u\n"
6140 "dot11RSNAConfigGroupUpdateCount=%u\n"
6141 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
6142 "dot11RSNAConfigGroupCipherSize=%u\n"
6143 "dot11RSNAConfigPMKLifetime=%u\n"
6144 "dot11RSNAConfigPMKReauthThreshold=%u\n"
6145 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
6146 "dot11RSNAConfigSATimeout=%u\n"
6147 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
6148 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
6149 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
6150 "dot11RSNAPMKIDUsed=%s\n"
6151 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
6152 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
6153 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
6154 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
6155 "dot11RSNA4WayHandshakeFailures=%u\n"
6156 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
6157 RSN_VERSION,
6158 !!conf->wpa_strict_rekey,
6159 conf->wpa_group_update_count,
6160 conf->wpa_pairwise_update_count,
6161 wpa_cipher_key_len(conf->wpa_group) * 8,
6162 dot11RSNAConfigPMKLifetime,
6163 dot11RSNAConfigPMKReauthThreshold,
6164 dot11RSNAConfigSATimeout,
6165 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
6166 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
6167 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
6168 pmkid_txt,
6169 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
6170 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
6171 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
6172 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
6173 wpa_auth->dot11RSNA4WayHandshakeFailures);
6174 if (os_snprintf_error(buflen - len, ret))
6175 return len;
6176 len += ret;
6177
6178 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
6179 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
6180
6181 /* Private MIB */
6182 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
6183 wpa_auth->group->wpa_group_state);
6184 if (os_snprintf_error(buflen - len, ret))
6185 return len;
6186 len += ret;
6187
6188 return len;
6189 }
6190
6191
6192 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
6193 {
6194 int len = 0, ret;
6195 u32 pairwise = 0;
6196
6197 if (!sm)
6198 return 0;
6199
6200 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
6201
6202 /* dot11RSNAStatsEntry */
6203
6204 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
6205 WPA_PROTO_RSN : WPA_PROTO_WPA,
6206 sm->pairwise);
6207 if (pairwise == 0)
6208 return 0;
6209
6210 ret = os_snprintf(
6211 buf + len, buflen - len,
6212 /* TODO: dot11RSNAStatsIndex */
6213 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
6214 "dot11RSNAStatsVersion=1\n"
6215 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
6216 /* TODO: dot11RSNAStatsTKIPICVErrors */
6217 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
6218 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
6219 /* TODO: dot11RSNAStatsCCMPReplays */
6220 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
6221 /* TODO: dot11RSNAStatsTKIPReplays */,
6222 MAC2STR(sm->addr),
6223 RSN_SUITE_ARG(pairwise),
6224 sm->dot11RSNAStatsTKIPLocalMICFailures,
6225 sm->dot11RSNAStatsTKIPRemoteMICFailures);
6226 if (os_snprintf_error(buflen - len, ret))
6227 return len;
6228 len += ret;
6229
6230 /* Private MIB */
6231 ret = os_snprintf(buf + len, buflen - len,
6232 "wpa=%d\n"
6233 "AKMSuiteSelector=" RSN_SUITE "\n"
6234 "hostapdWPAPTKState=%d\n"
6235 "hostapdWPAPTKGroupState=%d\n"
6236 "hostapdMFPR=%d\n",
6237 sm->wpa,
6238 RSN_SUITE_ARG(wpa_akm_to_suite(sm->wpa_key_mgmt)),
6239 sm->wpa_ptk_state,
6240 sm->wpa_ptk_group_state,
6241 sm->mfpr);
6242 if (os_snprintf_error(buflen - len, ret))
6243 return len;
6244 len += ret;
6245
6246 return len;
6247 }
6248
6249
6250 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
6251 {
6252 if (wpa_auth)
6253 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
6254 }
6255
6256
6257 int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
6258 {
6259 return sm && sm->pairwise_set;
6260 }
6261
6262
6263 int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
6264 {
6265 return sm->pairwise;
6266 }
6267
6268
6269 const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len)
6270 {
6271 if (!sm)
6272 return NULL;
6273 *len = sm->pmk_len;
6274 return sm->PMK;
6275 }
6276
6277
6278 const u8 * wpa_auth_get_dpp_pkhash(struct wpa_state_machine *sm)
6279 {
6280 if (!sm || !sm->pmksa)
6281 return NULL;
6282 return sm->pmksa->dpp_pkhash;
6283 }
6284
6285
6286 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
6287 {
6288 if (!sm)
6289 return -1;
6290 return sm->wpa_key_mgmt;
6291 }
6292
6293
6294 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
6295 {
6296 if (!sm)
6297 return 0;
6298 return sm->wpa;
6299 }
6300
6301
6302 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
6303 {
6304 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
6305 return 0;
6306 return sm->tk_already_set;
6307 }
6308
6309
6310 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm)
6311 {
6312 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt))
6313 return 0;
6314 return sm->tk_already_set;
6315 }
6316
6317
6318 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
6319 struct rsn_pmksa_cache_entry *entry)
6320 {
6321 if (!sm || sm->pmksa != entry)
6322 return -1;
6323 sm->pmksa = NULL;
6324 return 0;
6325 }
6326
6327
6328 struct rsn_pmksa_cache_entry *
6329 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
6330 {
6331 return sm ? sm->pmksa : NULL;
6332 }
6333
6334
6335 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
6336 {
6337 if (sm)
6338 sm->dot11RSNAStatsTKIPLocalMICFailures++;
6339 }
6340
6341
6342 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
6343 {
6344 if (!wpa_auth)
6345 return NULL;
6346 *len = wpa_auth->wpa_ie_len;
6347 return wpa_auth->wpa_ie;
6348 }
6349
6350
6351 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
6352 unsigned int pmk_len,
6353 int session_timeout, struct eapol_state_machine *eapol)
6354 {
6355 if (!sm || sm->wpa != WPA_VERSION_WPA2 ||
6356 sm->wpa_auth->conf.disable_pmksa_caching)
6357 return -1;
6358
6359 #ifdef CONFIG_IEEE80211R_AP
6360 if (pmk_len >= 2 * PMK_LEN && wpa_key_mgmt_ft(sm->wpa_key_mgmt) &&
6361 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
6362 !wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
6363 /* Cache MPMK/XXKey instead of initial part from MSK */
6364 pmk = pmk + PMK_LEN;
6365 pmk_len = PMK_LEN;
6366 } else
6367 #endif /* CONFIG_IEEE80211R_AP */
6368 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
6369 if (pmk_len > PMK_LEN_SUITE_B_192)
6370 pmk_len = PMK_LEN_SUITE_B_192;
6371 } else if (pmk_len > PMK_LEN) {
6372 pmk_len = PMK_LEN;
6373 }
6374
6375 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK", pmk, pmk_len);
6376 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
6377 sm->PTK.kck, sm->PTK.kck_len,
6378 wpa_auth_get_aa(sm),
6379 wpa_auth_get_spa(sm), session_timeout,
6380 eapol, sm->wpa_key_mgmt))
6381 return 0;
6382
6383 return -1;
6384 }
6385
6386
6387 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
6388 const u8 *pmk, size_t len, const u8 *sta_addr,
6389 int session_timeout,
6390 struct eapol_state_machine *eapol)
6391 {
6392 if (!wpa_auth)
6393 return -1;
6394
6395 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from preauth", pmk, len);
6396 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
6397 NULL, 0,
6398 wpa_auth->addr,
6399 sta_addr, session_timeout, eapol,
6400 WPA_KEY_MGMT_IEEE8021X))
6401 return 0;
6402
6403 return -1;
6404 }
6405
6406
6407 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
6408 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
6409 int akmp)
6410 {
6411 if (wpa_auth->conf.disable_pmksa_caching)
6412 return -1;
6413
6414 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE", pmk, pmk_len);
6415 if (!akmp)
6416 akmp = WPA_KEY_MGMT_SAE;
6417 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
6418 NULL, 0, wpa_auth->addr, addr, 0, NULL, akmp))
6419 return 0;
6420
6421 return -1;
6422 }
6423
6424
6425 void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid)
6426 {
6427 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
6428 sm->pmkid_set = 1;
6429 }
6430
6431
6432 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
6433 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
6434 int session_timeout, int akmp, const u8 *dpp_pkhash)
6435 {
6436 struct rsn_pmksa_cache_entry *entry;
6437
6438 if (!wpa_auth || wpa_auth->conf.disable_pmksa_caching)
6439 return -1;
6440
6441 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (3)", pmk, PMK_LEN);
6442 entry = pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
6443 NULL, 0, wpa_auth->addr, addr, session_timeout,
6444 NULL, akmp);
6445 if (!entry)
6446 return -1;
6447
6448 if (dpp_pkhash)
6449 entry->dpp_pkhash = os_memdup(dpp_pkhash, SHA256_MAC_LEN);
6450
6451 return 0;
6452 }
6453
6454
6455 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
6456 const u8 *sta_addr)
6457 {
6458 struct rsn_pmksa_cache_entry *pmksa;
6459
6460 if (!wpa_auth || !wpa_auth->pmksa)
6461 return;
6462 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
6463 if (pmksa) {
6464 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
6465 MACSTR_SEC " based on request", MAC2STR_SEC(sta_addr));
6466 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
6467 }
6468 }
6469
6470
6471 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
6472 size_t len)
6473 {
6474 if (!wpa_auth || !wpa_auth->pmksa)
6475 return 0;
6476 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
6477 }
6478
6479
6480 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
6481 {
6482 if (wpa_auth && wpa_auth->pmksa)
6483 pmksa_cache_auth_flush(wpa_auth->pmksa);
6484 }
6485
6486
6487 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL
6488 #ifdef CONFIG_MESH
6489
6490 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
6491 char *buf, size_t len)
6492 {
6493 if (!wpa_auth || !wpa_auth->pmksa)
6494 return 0;
6495
6496 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
6497 }
6498
6499
6500 struct rsn_pmksa_cache_entry *
6501 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
6502 size_t pmk_len, int akmp,
6503 const u8 *pmkid, int expiration)
6504 {
6505 struct rsn_pmksa_cache_entry *entry;
6506 struct os_reltime now;
6507
6508 entry = pmksa_cache_auth_create_entry(pmk, pmk_len, pmkid, NULL, 0, aa,
6509 spa, 0, NULL, akmp);
6510 if (!entry)
6511 return NULL;
6512
6513 os_get_reltime(&now);
6514 entry->expiration = now.sec + expiration;
6515 return entry;
6516 }
6517
6518
6519 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
6520 struct rsn_pmksa_cache_entry *entry)
6521 {
6522 int ret;
6523
6524 if (!wpa_auth || !wpa_auth->pmksa)
6525 return -1;
6526
6527 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
6528 if (ret < 0)
6529 wpa_printf(MSG_DEBUG,
6530 "RSN: Failed to store external PMKSA cache for "
6531 MACSTR_SEC, MAC2STR_SEC(entry->spa));
6532
6533 return ret;
6534 }
6535
6536 #endif /* CONFIG_MESH */
6537 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
6538
6539
6540 struct rsn_pmksa_cache *
6541 wpa_auth_get_pmksa_cache(struct wpa_authenticator *wpa_auth)
6542 {
6543 if (!wpa_auth || !wpa_auth->pmksa)
6544 return NULL;
6545 return wpa_auth->pmksa;
6546 }
6547
6548
6549 struct rsn_pmksa_cache_entry *
6550 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
6551 const u8 *pmkid)
6552 {
6553 if (!wpa_auth || !wpa_auth->pmksa)
6554 return NULL;
6555 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
6556 }
6557
6558
6559 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
6560 struct wpa_state_machine *sm,
6561 struct wpa_authenticator *wpa_auth,
6562 u8 *pmkid, u8 *pmk, size_t *pmk_len)
6563 {
6564 if (!sm)
6565 return;
6566
6567 sm->pmksa = pmksa;
6568 os_memcpy(pmk, pmksa->pmk, pmksa->pmk_len);
6569 *pmk_len = pmksa->pmk_len;
6570 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
6571 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
6572 }
6573
6574
6575 /*
6576 * Remove and free the group from wpa_authenticator. This is triggered by a
6577 * callback to make sure nobody is currently iterating the group list while it
6578 * gets modified.
6579 */
6580 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
6581 struct wpa_group *group)
6582 {
6583 struct wpa_group *prev = wpa_auth->group;
6584
6585 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
6586 group->vlan_id);
6587
6588 while (prev) {
6589 if (prev->next == group) {
6590 /* This never frees the special first group as needed */
6591 prev->next = group->next;
6592 os_free(group);
6593 break;
6594 }
6595 prev = prev->next;
6596 }
6597
6598 }
6599
6600
6601 /* Increase the reference counter for group */
6602 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
6603 struct wpa_group *group)
6604 {
6605 /* Skip the special first group */
6606 if (wpa_auth->group == group)
6607 return;
6608
6609 group->references++;
6610 }
6611
6612
6613 /* Decrease the reference counter and maybe free the group */
6614 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
6615 struct wpa_group *group)
6616 {
6617 /* Skip the special first group */
6618 if (wpa_auth->group == group)
6619 return;
6620
6621 group->references--;
6622 if (group->references)
6623 return;
6624 wpa_group_free(wpa_auth, group);
6625 }
6626
6627
6628 /*
6629 * Add a group that has its references counter set to zero. Caller needs to
6630 * call wpa_group_get() on the return value to mark the entry in use.
6631 */
6632 static struct wpa_group *
6633 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
6634 {
6635 struct wpa_group *group;
6636
6637 if (!wpa_auth || !wpa_auth->group)
6638 return NULL;
6639
6640 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
6641 vlan_id);
6642 group = wpa_group_init(wpa_auth, vlan_id, 0);
6643 if (!group)
6644 return NULL;
6645
6646 group->next = wpa_auth->group->next;
6647 wpa_auth->group->next = group;
6648
6649 return group;
6650 }
6651
6652
6653 /*
6654 * Enforce that the group state machine for the VLAN is running, increase
6655 * reference counter as interface is up. References might have been increased
6656 * even if a negative value is returned.
6657 * Returns: -1 on error (group missing, group already failed); otherwise, 0
6658 */
6659 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
6660 {
6661 struct wpa_group *group;
6662
6663 if (!wpa_auth)
6664 return 0;
6665
6666 group = wpa_auth->group;
6667 while (group) {
6668 if (group->vlan_id == vlan_id)
6669 break;
6670 group = group->next;
6671 }
6672
6673 if (!group) {
6674 group = wpa_auth_add_group(wpa_auth, vlan_id);
6675 if (!group)
6676 return -1;
6677 }
6678
6679 wpa_printf(MSG_DEBUG,
6680 "WPA: Ensure group state machine running for VLAN ID %d",
6681 vlan_id);
6682
6683 wpa_group_get(wpa_auth, group);
6684 group->num_setup_iface++;
6685
6686 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
6687 return -1;
6688
6689 return 0;
6690 }
6691
6692
6693 /*
6694 * Decrease reference counter, expected to be zero afterwards.
6695 * returns: -1 on error (group not found, group in fail state)
6696 * -2 if wpa_group is still referenced
6697 * 0 else
6698 */
6699 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
6700 {
6701 struct wpa_group *group;
6702 int ret = 0;
6703
6704 if (!wpa_auth)
6705 return 0;
6706
6707 group = wpa_auth->group;
6708 while (group) {
6709 if (group->vlan_id == vlan_id)
6710 break;
6711 group = group->next;
6712 }
6713
6714 if (!group)
6715 return -1;
6716
6717 wpa_printf(MSG_DEBUG,
6718 "WPA: Try stopping group state machine for VLAN ID %d",
6719 vlan_id);
6720
6721 if (group->num_setup_iface <= 0) {
6722 wpa_printf(MSG_ERROR,
6723 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
6724 vlan_id);
6725 return -1;
6726 }
6727 group->num_setup_iface--;
6728
6729 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
6730 ret = -1;
6731
6732 if (group->references > 1) {
6733 wpa_printf(MSG_DEBUG,
6734 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
6735 vlan_id);
6736 ret = -2;
6737 }
6738
6739 wpa_group_put(wpa_auth, group);
6740
6741 return ret;
6742 }
6743
6744
6745 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
6746 {
6747 struct wpa_group *group;
6748
6749 if (!sm || !sm->wpa_auth)
6750 return 0;
6751
6752 group = sm->wpa_auth->group;
6753 while (group) {
6754 if (group->vlan_id == vlan_id)
6755 break;
6756 group = group->next;
6757 }
6758
6759 if (!group) {
6760 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
6761 if (!group)
6762 return -1;
6763 }
6764
6765 if (sm->group == group)
6766 return 0;
6767
6768 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
6769 return -1;
6770
6771 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR_SEC
6772 " to use group state machine for VLAN ID %d",
6773 MAC2STR_SEC(wpa_auth_get_spa(sm)), vlan_id);
6774
6775 wpa_group_get(sm->wpa_auth, group);
6776 wpa_group_put(sm->wpa_auth, sm->group);
6777 sm->group = group;
6778
6779 return 0;
6780 }
6781
6782
6783 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
6784 struct wpa_state_machine *sm, int ack)
6785 {
6786 if (!wpa_auth || !sm)
6787 return;
6788 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR_SEC
6789 " ack=%d", MAC2STR_SEC(wpa_auth_get_spa(sm)), ack);
6790 if (sm->pending_1_of_4_timeout && ack) {
6791 /*
6792 * Some deployed supplicant implementations update their SNonce
6793 * for each EAPOL-Key 2/4 message even within the same 4-way
6794 * handshake and then fail to use the first SNonce when
6795 * deriving the PTK. This results in unsuccessful 4-way
6796 * handshake whenever the relatively short initial timeout is
6797 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
6798 * around this by increasing the timeout now that we know that
6799 * the station has received the frame.
6800 */
6801 int timeout_ms = eapol_key_timeout_subseq;
6802 wpa_printf(MSG_DEBUG,
6803 "WPA: Increase initial EAPOL-Key 1/4 timeout by %u ms because of acknowledged frame",
6804 timeout_ms);
6805 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
6806 eloop_register_timeout(timeout_ms / 1000,
6807 (timeout_ms % 1000) * 1000,
6808 wpa_send_eapol_timeout, wpa_auth, sm);
6809 }
6810
6811 #ifdef CONFIG_TESTING_OPTIONS
6812 if (sm->eapol_status_cb) {
6813 sm->eapol_status_cb(sm->eapol_status_cb_ctx1,
6814 sm->eapol_status_cb_ctx2);
6815 sm->eapol_status_cb = NULL;
6816 }
6817 #endif /* CONFIG_TESTING_OPTIONS */
6818 }
6819
6820
6821 int wpa_auth_uses_sae(struct wpa_state_machine *sm)
6822 {
6823 if (!sm)
6824 return 0;
6825 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
6826 }
6827
6828
6829 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
6830 {
6831 if (!sm)
6832 return 0;
6833 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE ||
6834 sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY;
6835 }
6836
6837
6838 #ifdef CONFIG_P2P
6839 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
6840 {
6841 if (!sm || WPA_GET_BE32(sm->ip_addr) == 0)
6842 return -1;
6843 os_memcpy(addr, sm->ip_addr, 4);
6844 return 0;
6845 }
6846 #endif /* CONFIG_P2P */
6847
6848
6849 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
6850 struct radius_das_attrs *attr)
6851 {
6852 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
6853 }
6854
6855
6856 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
6857 {
6858 struct wpa_group *group;
6859
6860 if (!wpa_auth)
6861 return;
6862 for (group = wpa_auth->group; group; group = group->next)
6863 wpa_group_config_group_keys(wpa_auth, group);
6864 }
6865
6866
6867 #ifdef CONFIG_FILS
6868
6869 struct wpa_auth_fils_iter_data {
6870 struct wpa_authenticator *auth;
6871 const u8 *cache_id;
6872 struct rsn_pmksa_cache_entry *pmksa;
6873 const u8 *spa;
6874 const u8 *pmkid;
6875 };
6876
6877
6878 static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
6879 {
6880 struct wpa_auth_fils_iter_data *data = ctx;
6881
6882 if (a == data->auth || !a->conf.fils_cache_id_set ||
6883 os_memcmp(a->conf.fils_cache_id, data->cache_id,
6884 FILS_CACHE_ID_LEN) != 0)
6885 return 0;
6886 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
6887 return data->pmksa != NULL;
6888 }
6889
6890
6891 struct rsn_pmksa_cache_entry *
6892 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
6893 const u8 *sta_addr, const u8 *pmkid)
6894 {
6895 struct wpa_auth_fils_iter_data idata;
6896
6897 if (!wpa_auth->conf.fils_cache_id_set)
6898 return NULL;
6899 idata.auth = wpa_auth;
6900 idata.cache_id = wpa_auth->conf.fils_cache_id;
6901 idata.pmksa = NULL;
6902 idata.spa = sta_addr;
6903 idata.pmkid = pmkid;
6904 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
6905 return idata.pmksa;
6906 }
6907
6908
6909 #ifdef CONFIG_IEEE80211R_AP
6910 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth,
6911 struct wpa_state_machine *sm,
6912 u8 *buf, size_t len)
6913 {
6914 struct wpa_auth_config *conf = &wpa_auth->conf;
6915
6916 return wpa_write_ftie(conf, sm->wpa_key_mgmt, sm->xxkey_len,
6917 conf->r0_key_holder, conf->r0_key_holder_len,
6918 NULL, NULL, buf, len, NULL, 0, 0);
6919 }
6920 #endif /* CONFIG_IEEE80211R_AP */
6921
6922
6923 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
6924 u8 *fils_anonce, u8 *fils_snonce,
6925 u8 *fils_kek, size_t *fils_kek_len)
6926 {
6927 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
6928 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
6929 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
6930 *fils_kek_len = sm->PTK.kek_len;
6931 }
6932
6933
6934 void wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine *sm, const u8 *pmk,
6935 size_t pmk_len, const u8 *pmkid)
6936 {
6937 os_memcpy(sm->PMK, pmk, pmk_len);
6938 sm->pmk_len = pmk_len;
6939 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
6940 sm->pmkid_set = 1;
6941 }
6942
6943 #endif /* CONFIG_FILS */
6944
6945
6946 void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg)
6947 {
6948 if (sm)
6949 sm->auth_alg = auth_alg;
6950 }
6951
6952
6953 #ifdef CONFIG_DPP2
6954 void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z)
6955 {
6956 if (sm) {
6957 wpabuf_clear_free(sm->dpp_z);
6958 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
6959 }
6960 }
6961 #endif /* CONFIG_DPP2 */
6962
6963
6964 void wpa_auth_set_ssid_protection(struct wpa_state_machine *sm, bool val)
6965 {
6966 if (sm)
6967 sm->ssid_protection = val;
6968 }
6969
6970
6971 void wpa_auth_set_transition_disable(struct wpa_authenticator *wpa_auth,
6972 u8 val)
6973 {
6974 if (wpa_auth)
6975 wpa_auth->conf.transition_disable = val;
6976 }
6977
6978
6979 #ifdef CONFIG_TESTING_OPTIONS
6980
6981 int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce,
6982 void (*cb)(void *ctx1, void *ctx2),
6983 void *ctx1, void *ctx2)
6984 {
6985 const u8 *anonce = sm->ANonce;
6986 u8 anonce_buf[WPA_NONCE_LEN];
6987
6988 if (change_anonce) {
6989 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN))
6990 return -1;
6991 anonce = anonce_buf;
6992 }
6993
6994 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
6995 "sending 1/4 msg of 4-Way Handshake (TESTING)");
6996 wpa_send_eapol(sm->wpa_auth, sm,
6997 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
6998 anonce, NULL, 0, 0, 0);
6999 return 0;
7000 }
7001
7002
7003 int wpa_auth_resend_m3(struct wpa_state_machine *sm,
7004 void (*cb)(void *ctx1, void *ctx2),
7005 void *ctx1, void *ctx2)
7006 {
7007 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos;
7008 u8 *opos;
7009 size_t gtk_len, kde_len;
7010 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
7011 struct wpa_group *gsm = sm->group;
7012 u8 *wpa_ie;
7013 int wpa_ie_len, secure, gtkidx, encr = 0;
7014 u8 hdr[2];
7015
7016 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
7017 GTK[GN], IGTK, [BIGTK], [FTIE], [TIE * 2])
7018 */
7019
7020 /* Use 0 RSC */
7021 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
7022 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
7023 wpa_ie = sm->wpa_auth->wpa_ie;
7024 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
7025 if (sm->wpa == WPA_VERSION_WPA &&
7026 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
7027 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
7028 /* WPA-only STA, remove RSN IE and possible MDIE */
7029 wpa_ie = wpa_ie + wpa_ie[1] + 2;
7030 if (wpa_ie[0] == WLAN_EID_RSNX)
7031 wpa_ie = wpa_ie + wpa_ie[1] + 2;
7032 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
7033 wpa_ie = wpa_ie + wpa_ie[1] + 2;
7034 wpa_ie_len = wpa_ie[1] + 2;
7035 }
7036 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
7037 "sending 3/4 msg of 4-Way Handshake (TESTING)");
7038 if (sm->wpa == WPA_VERSION_WPA2) {
7039 /* WPA2 send GTK in the 4-way handshake */
7040 secure = 1;
7041 gtk = gsm->GTK[gsm->GN - 1];
7042 gtk_len = gsm->GTK_len;
7043 gtkidx = gsm->GN;
7044 _rsc = rsc;
7045 encr = 1;
7046 } else {
7047 /* WPA does not include GTK in msg 3/4 */
7048 secure = 0;
7049 gtk = NULL;
7050 gtk_len = 0;
7051 _rsc = NULL;
7052 if (sm->rx_eapol_key_secure) {
7053 /*
7054 * It looks like Windows 7 supplicant tries to use
7055 * Secure bit in msg 2/4 after having reported Michael
7056 * MIC failure and it then rejects the 4-way handshake
7057 * if msg 3/4 does not set Secure bit. Work around this
7058 * by setting the Secure bit here even in the case of
7059 * WPA if the supplicant used it first.
7060 */
7061 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
7062 LOGGER_DEBUG,
7063 "STA used Secure bit in WPA msg 2/4 - set Secure for 3/4 as workaround");
7064 secure = 1;
7065 }
7066 }
7067
7068 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
7069
7070 if (sm->use_ext_key_id)
7071 kde_len += 2 + RSN_SELECTOR_LEN + 2;
7072
7073 if (gtk)
7074 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
7075 #ifdef CONFIG_IEEE80211R_AP
7076 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
7077 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
7078 kde_len += 300; /* FTIE + 2 * TIE */
7079 }
7080 #endif /* CONFIG_IEEE80211R_AP */
7081 kde = os_malloc(kde_len);
7082 if (!kde)
7083 return -1;
7084
7085 pos = kde;
7086 os_memcpy(pos, wpa_ie, wpa_ie_len);
7087 pos += wpa_ie_len;
7088 #ifdef CONFIG_IEEE80211R_AP
7089 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
7090 int res;
7091 size_t elen;
7092
7093 elen = pos - kde;
7094 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name, true);
7095 if (res < 0) {
7096 wpa_printf(MSG_ERROR,
7097 "FT: Failed to insert PMKR1Name into RSN IE in EAPOL-Key data");
7098 os_free(kde);
7099 return -1;
7100 }
7101 pos -= wpa_ie_len;
7102 pos += elen;
7103 }
7104 #endif /* CONFIG_IEEE80211R_AP */
7105 hdr[1] = 0;
7106
7107 if (sm->use_ext_key_id) {
7108 hdr[0] = sm->keyidx_active & 0x01;
7109 pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0);
7110 }
7111
7112 if (gtk) {
7113 hdr[0] = gtkidx & 0x03;
7114 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
7115 gtk, gtk_len);
7116 }
7117 opos = pos;
7118 pos = ieee80211w_kde_add(sm, pos);
7119 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
7120 /* skip KDE header and keyid */
7121 opos += 2 + RSN_SELECTOR_LEN + 2;
7122 os_memset(opos, 0, 6); /* clear PN */
7123 }
7124 if (ocv_oci_add(sm, &pos, conf->oci_freq_override_eapol_m3) < 0) {
7125 os_free(kde);
7126 return -1;
7127 }
7128
7129 #ifdef CONFIG_IEEE80211R_AP
7130 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
7131 int res;
7132
7133 if (sm->assoc_resp_ftie &&
7134 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
7135 os_memcpy(pos, sm->assoc_resp_ftie,
7136 2 + sm->assoc_resp_ftie[1]);
7137 res = 2 + sm->assoc_resp_ftie[1];
7138 } else {
7139 res = wpa_write_ftie(conf, sm->wpa_key_mgmt,
7140 sm->xxkey_len,
7141 conf->r0_key_holder,
7142 conf->r0_key_holder_len,
7143 NULL, NULL, pos,
7144 kde + kde_len - pos,
7145 NULL, 0, 0);
7146 }
7147 if (res < 0) {
7148 wpa_printf(MSG_ERROR,
7149 "FT: Failed to insert FTIE into EAPOL-Key Key Data");
7150 os_free(kde);
7151 return -1;
7152 }
7153 pos += res;
7154
7155 /* TIE[ReassociationDeadline] (TU) */
7156 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
7157 *pos++ = 5;
7158 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
7159 WPA_PUT_LE32(pos, conf->reassociation_deadline);
7160 pos += 4;
7161
7162 /* TIE[KeyLifetime] (seconds) */
7163 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
7164 *pos++ = 5;
7165 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
7166 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
7167 pos += 4;
7168 }
7169 #endif /* CONFIG_IEEE80211R_AP */
7170
7171 wpa_send_eapol(sm->wpa_auth, sm,
7172 (secure ? WPA_KEY_INFO_SECURE : 0) |
7173 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
7174 WPA_KEY_INFO_MIC : 0) |
7175 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
7176 WPA_KEY_INFO_KEY_TYPE,
7177 _rsc, sm->ANonce, kde, pos - kde, 0, encr);
7178 bin_clear_free(kde, kde_len);
7179 return 0;
7180 }
7181
7182
7183 int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
7184 void (*cb)(void *ctx1, void *ctx2),
7185 void *ctx1, void *ctx2)
7186 {
7187 u8 rsc[WPA_KEY_RSC_LEN];
7188 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
7189 struct wpa_group *gsm = sm->group;
7190 const u8 *kde;
7191 u8 *kde_buf = NULL, *pos, hdr[2];
7192 u8 *opos;
7193 size_t kde_len;
7194 u8 *gtk;
7195
7196 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
7197 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
7198 /* Use 0 RSC */
7199 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
7200 "sending 1/2 msg of Group Key Handshake (TESTING)");
7201
7202 gtk = gsm->GTK[gsm->GN - 1];
7203 if (sm->wpa == WPA_VERSION_WPA2) {
7204 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
7205 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
7206 kde_buf = os_malloc(kde_len);
7207 if (!kde_buf)
7208 return -1;
7209
7210 kde = pos = kde_buf;
7211 hdr[0] = gsm->GN & 0x03;
7212 hdr[1] = 0;
7213 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
7214 gtk, gsm->GTK_len);
7215 opos = pos;
7216 pos = ieee80211w_kde_add(sm, pos);
7217 if (pos - opos >=
7218 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
7219 /* skip KDE header and keyid */
7220 opos += 2 + RSN_SELECTOR_LEN + 2;
7221 os_memset(opos, 0, 6); /* clear PN */
7222 }
7223 if (ocv_oci_add(sm, &pos,
7224 conf->oci_freq_override_eapol_g1) < 0) {
7225 os_free(kde_buf);
7226 return -1;
7227 }
7228 kde_len = pos - kde;
7229 } else {
7230 kde = gtk;
7231 kde_len = gsm->GTK_len;
7232 }
7233
7234 sm->eapol_status_cb = cb;
7235 sm->eapol_status_cb_ctx1 = ctx1;
7236 sm->eapol_status_cb_ctx2 = ctx2;
7237
7238 wpa_send_eapol(sm->wpa_auth, sm,
7239 WPA_KEY_INFO_SECURE |
7240 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
7241 WPA_KEY_INFO_MIC : 0) |
7242 WPA_KEY_INFO_ACK |
7243 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
7244 rsc, NULL, kde, kde_len, gsm->GN, 1);
7245
7246 bin_clear_free(kde_buf, kde_len);
7247 return 0;
7248 }
7249
7250
7251 int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth)
7252 {
7253 if (!wpa_auth)
7254 return -1;
7255 eloop_cancel_timeout(wpa_rekey_gtk,
7256 wpa_get_primary_auth(wpa_auth), NULL);
7257 return eloop_register_timeout(0, 0, wpa_rekey_gtk,
7258 wpa_get_primary_auth(wpa_auth), NULL);
7259 }
7260
7261
7262 int wpa_auth_rekey_ptk(struct wpa_authenticator *wpa_auth,
7263 struct wpa_state_machine *sm)
7264 {
7265 if (!wpa_auth || !sm)
7266 return -1;
7267 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
7268 wpa_request_new_ptk(sm);
7269 wpa_sm_step(sm);
7270 return 0;
7271 }
7272
7273
7274 void wpa_auth_set_ft_rsnxe_used(struct wpa_authenticator *wpa_auth, int val)
7275 {
7276 if (wpa_auth)
7277 wpa_auth->conf.ft_rsnxe_used = val;
7278 }
7279
7280
7281 void wpa_auth_set_ocv_override_freq(struct wpa_authenticator *wpa_auth,
7282 enum wpa_auth_ocv_override_frame frame,
7283 unsigned int freq)
7284 {
7285 if (!wpa_auth)
7286 return;
7287 switch (frame) {
7288 case WPA_AUTH_OCV_OVERRIDE_EAPOL_M3:
7289 wpa_auth->conf.oci_freq_override_eapol_m3 = freq;
7290 break;
7291 case WPA_AUTH_OCV_OVERRIDE_EAPOL_G1:
7292 wpa_auth->conf.oci_freq_override_eapol_g1 = freq;
7293 break;
7294 case WPA_AUTH_OCV_OVERRIDE_FT_ASSOC:
7295 wpa_auth->conf.oci_freq_override_ft_assoc = freq;
7296 break;
7297 case WPA_AUTH_OCV_OVERRIDE_FILS_ASSOC:
7298 wpa_auth->conf.oci_freq_override_fils_assoc = freq;
7299 break;
7300 }
7301 }
7302
7303 #endif /* CONFIG_TESTING_OPTIONS */
7304
7305
7306 void wpa_auth_sta_radius_psk_resp(struct wpa_state_machine *sm, bool success)
7307 {
7308 if (!sm->waiting_radius_psk) {
7309 wpa_printf(MSG_DEBUG,
7310 "Ignore RADIUS PSK response for " MACSTR
7311 " that did not wait one",
7312 MAC2STR(sm->addr));
7313 return;
7314 }
7315
7316 wpa_printf(MSG_DEBUG, "RADIUS PSK response for " MACSTR " (%s)",
7317 MAC2STR(sm->addr), success ? "success" : "fail");
7318 sm->waiting_radius_psk = 0;
7319
7320 if (success) {
7321 /* Try to process the EAPOL-Key msg 2/4 again */
7322 sm->EAPOLKeyReceived = true;
7323 } else {
7324 sm->Disconnect = true;
7325 }
7326
7327 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
7328 }
7329
7330
7331 void wpa_auth_set_ml_info(struct wpa_state_machine *sm,
7332 u8 mld_assoc_link_id, struct mld_info *info)
7333 {
7334 #ifdef CONFIG_IEEE80211BE
7335 unsigned int link_id;
7336
7337 if (!info)
7338 return;
7339
7340 os_memset(sm->mld_links, 0, sizeof(sm->mld_links));
7341 sm->n_mld_affiliated_links = 0;
7342
7343 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
7344 "MLD: Initialization");
7345
7346 os_memcpy(sm->peer_mld_addr, info->common_info.mld_addr, ETH_ALEN);
7347
7348 sm->mld_assoc_link_id = mld_assoc_link_id;
7349
7350 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
7351 struct mld_link_info *link = &info->links[link_id];
7352 struct mld_link *sm_link = &sm->mld_links[link_id];
7353 struct wpa_get_link_auth_ctx ctx;
7354
7355 sm_link->valid = link->valid;
7356 if (!link->valid)
7357 continue;
7358
7359 os_memcpy(sm_link->peer_addr, link->peer_addr, ETH_ALEN);
7360
7361 wpa_printf(MSG_DEBUG,
7362 "WPA_AUTH: MLD: id=%u, peer=" MACSTR,
7363 link_id,
7364 MAC2STR(sm_link->peer_addr));
7365
7366 if (link_id != mld_assoc_link_id) {
7367 sm->n_mld_affiliated_links++;
7368 ctx.addr = link->local_addr;
7369 ctx.mld_addr = NULL;
7370 ctx.link_id = -1;
7371 ctx.wpa_auth = NULL;
7372 wpa_auth_for_each_auth(sm->wpa_auth,
7373 wpa_get_link_sta_auth, &ctx);
7374 if (ctx.wpa_auth) {
7375 sm_link->wpa_auth = ctx.wpa_auth;
7376 wpa_group_get(sm_link->wpa_auth,
7377 sm_link->wpa_auth->group);
7378 }
7379 } else {
7380 sm_link->wpa_auth = sm->wpa_auth;
7381 }
7382
7383 if (!sm_link->wpa_auth)
7384 wpa_printf(MSG_ERROR,
7385 "Unable to find authenticator object for ML STA "
7386 MACSTR " on link id %d",
7387 MAC2STR(sm->wpa_auth->mld_addr),
7388 link_id);
7389 }
7390 #endif /* CONFIG_IEEE80211BE */
7391 }
7392