1 /*
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
4 * Copyright(c) 2015 Intel Deutschland GmbH
5 *
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
8 */
9
10 #include "includes.h"
11
12 #include "common.h"
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "crypto/sha256.h"
19 #include "crypto/sha384.h"
20 #include "crypto/sha512.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/ieee802_11_common.h"
23 #include "common/ocv.h"
24 #include "common/dpp.h"
25 #include "common/wpa_ctrl.h"
26 #include "eap_common/eap_defs.h"
27 #include "eapol_supp/eapol_supp_sm.h"
28 #include "drivers/driver.h"
29 #include "wpa.h"
30 #include "eloop.h"
31 #include "preauth.h"
32 #include "pmksa_cache.h"
33 #include "wpa_i.h"
34 #include "wpa_ie.h"
35 #ifdef CONFIG_VENDOR_EXT
36 #include "vendor_ext.h"
37 #endif
38 #ifdef CONFIG_DRIVER_NL80211_HISI
39 #include "driver_nl80211.h"
40 #include "wpa_supplicant_i.h"
41 #endif
42 #ifdef CONFIG_P2P_CHR
43 #include "wpa_hw_p2p_chr.h"
44 #endif
45
46 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
47
48
_wpa_hexdump_link(int level,u8 link_id,const char * title,const void * buf,size_t len,bool key)49 static void _wpa_hexdump_link(int level, u8 link_id, const char *title,
50 const void *buf, size_t len, bool key)
51 {
52 char *link_title = NULL;
53
54 if (link_id >= MAX_NUM_MLD_LINKS)
55 goto out;
56
57 link_title = os_malloc(os_strlen(title) + 20);
58 if (!link_title)
59 goto out;
60
61 os_snprintf(link_title, os_strlen(title) + 20, "MLO link[%u]: %s",
62 link_id, title);
63
64 out:
65 if (key)
66 wpa_hexdump_key(level, link_title ? link_title : title, buf,
67 len);
68 else
69 wpa_hexdump(level, link_title ? link_title : title, buf, len);
70 os_free(link_title);
71 }
72
73
wpa_hexdump_link(int level,u8 link_id,const char * title,const void * buf,size_t len)74 static void wpa_hexdump_link(int level, u8 link_id, const char *title,
75 const void *buf, size_t len)
76 {
77 _wpa_hexdump_link(level, link_id, title, buf, len, false);
78 }
79
80
wpa_hexdump_link_key(int level,u8 link_id,const char * title,const void * buf,size_t len)81 static void wpa_hexdump_link_key(int level, u8 link_id, const char *title,
82 const void *buf, size_t len)
83 {
84 _wpa_hexdump_link(level, link_id, title, buf, len, true);
85 }
86
87
88 /**
89 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
90 * @sm: Pointer to WPA state machine data from wpa_sm_init()
91 * @ptk: PTK for Key Confirmation/Encryption Key
92 * @ver: Version field from Key Info
93 * @dest: Destination address for the frame
94 * @proto: Ethertype (usually ETH_P_EAPOL)
95 * @msg: EAPOL-Key message
96 * @msg_len: Length of message
97 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
98 * Returns: >= 0 on success, < 0 on failure
99 */
wpa_eapol_key_send(struct wpa_sm * sm,struct wpa_ptk * ptk,int ver,const u8 * dest,u16 proto,u8 * msg,size_t msg_len,u8 * key_mic)100 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
101 int ver, const u8 *dest, u16 proto,
102 u8 *msg, size_t msg_len, u8 *key_mic)
103 {
104 int ret = -1;
105 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
106
107 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR_SEC
108 " ver=%d mic_len=%d key_mgmt=0x%x",
109 MAC2STR_SEC(dest), ver, (int) mic_len, sm->key_mgmt);
110 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
111 /*
112 * Association event was not yet received; try to fetch
113 * BSSID from the driver.
114 */
115 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
116 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
117 "WPA: Failed to read BSSID for "
118 "EAPOL-Key destination address");
119 } else {
120 dest = sm->bssid;
121 wpa_msg_only_for_cb(sm->ctx->msg_ctx, MSG_DEBUG,
122 "WPA: Use BSSID (" MACSTR
123 ") as the destination for EAPOL-Key",
124 MAC2STR(dest));
125 wpa_printf(MSG_DEBUG, "WPA: Use BSSID (" MACSTR_SEC
126 ") as the destination for EAPOL-Key",
127 MAC2STR_SEC(dest));
128 }
129 }
130
131 if (mic_len) {
132 if (key_mic && (!ptk || !ptk->kck_len))
133 goto out;
134
135 if (key_mic &&
136 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
137 msg, msg_len, key_mic)) {
138 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
139 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
140 ver, sm->key_mgmt);
141 goto out;
142 }
143 if (ptk)
144 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
145 ptk->kck, ptk->kck_len);
146 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
147 key_mic, mic_len);
148 } else {
149 #ifdef CONFIG_FILS
150 /* AEAD cipher - Key MIC field not used */
151 struct ieee802_1x_hdr *s_hdr, *hdr;
152 struct wpa_eapol_key *s_key, *key;
153 u8 *buf, *s_key_data, *key_data;
154 size_t buf_len = msg_len + AES_BLOCK_SIZE;
155 size_t key_data_len;
156 u16 eapol_len;
157 const u8 *aad[1];
158 size_t aad_len[1];
159
160 if (!ptk || !ptk->kek_len)
161 goto out;
162
163 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
164 sizeof(struct wpa_eapol_key) - 2;
165
166 buf = os_malloc(buf_len);
167 if (!buf)
168 goto out;
169
170 os_memcpy(buf, msg, msg_len);
171 hdr = (struct ieee802_1x_hdr *) buf;
172 key = (struct wpa_eapol_key *) (hdr + 1);
173 key_data = ((u8 *) (key + 1)) + 2;
174
175 /* Update EAPOL header to include AES-SIV overhead */
176 eapol_len = be_to_host16(hdr->length);
177 eapol_len += AES_BLOCK_SIZE;
178 hdr->length = host_to_be16(eapol_len);
179
180 /* Update Key Data Length field to include AES-SIV overhead */
181 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
182
183 s_hdr = (struct ieee802_1x_hdr *) msg;
184 s_key = (struct wpa_eapol_key *) (s_hdr + 1);
185 s_key_data = ((u8 *) (s_key + 1)) + 2;
186
187 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
188 s_key_data, key_data_len);
189
190 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
191 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
192 * to Key Data (exclusive). */
193 aad[0] = buf;
194 aad_len[0] = key_data - buf;
195 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
196 s_key_data, key_data_len,
197 1, aad, aad_len, key_data) < 0) {
198 os_free(buf);
199 goto out;
200 }
201
202 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
203 key_data, AES_BLOCK_SIZE + key_data_len);
204
205 os_free(msg);
206 msg = buf;
207 msg_len = buf_len;
208 #else /* CONFIG_FILS */
209 goto out;
210 #endif /* CONFIG_FILS */
211 }
212
213 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
214 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
215 eapol_sm_notify_tx_eapol_key(sm->eapol);
216 out:
217 os_free(msg);
218 return ret;
219 }
220
221
222 /**
223 * wpa_sm_key_request - Send EAPOL-Key Request
224 * @sm: Pointer to WPA state machine data from wpa_sm_init()
225 * @error: Indicate whether this is an Michael MIC error report
226 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
227 *
228 * Send an EAPOL-Key Request to the current authenticator. This function is
229 * used to request rekeying and it is usually called when a local Michael MIC
230 * failure is detected.
231 */
wpa_sm_key_request(struct wpa_sm * sm,int error,int pairwise)232 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
233 {
234 size_t mic_len, hdrlen, rlen;
235 struct wpa_eapol_key *reply;
236 int key_info, ver;
237 u8 *rbuf, *key_mic, *mic;
238
239 if (pairwise && sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
240 wpa_sm_get_state(sm) == WPA_COMPLETED && !error) {
241 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
242 "WPA: PTK0 rekey not allowed, reconnecting");
243 wpa_sm_reconnect(sm);
244 return;
245 }
246
247 if (!sm->ptk_set) {
248 wpa_printf(MSG_INFO,
249 "WPA: No PTK derived yet - cannot send EAPOL-Key Request");
250 return;
251 }
252
253 if (wpa_use_akm_defined(sm->key_mgmt))
254 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
255 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
256 wpa_key_mgmt_sha256(sm->key_mgmt))
257 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
258 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
259 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
260 else
261 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
262
263 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
264 hdrlen = sizeof(*reply) + mic_len + 2;
265 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
266 hdrlen, &rlen, (void *) &reply);
267 if (rbuf == NULL)
268 return;
269
270 reply->type = (sm->proto == WPA_PROTO_RSN ||
271 sm->proto == WPA_PROTO_OSEN) ?
272 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
273 key_info = WPA_KEY_INFO_REQUEST | ver;
274 key_info |= WPA_KEY_INFO_SECURE;
275 if (mic_len)
276 key_info |= WPA_KEY_INFO_MIC;
277 else
278 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
279 if (error)
280 key_info |= WPA_KEY_INFO_ERROR;
281 if (pairwise)
282 key_info |= WPA_KEY_INFO_KEY_TYPE;
283 WPA_PUT_BE16(reply->key_info, key_info);
284 WPA_PUT_BE16(reply->key_length, 0);
285 os_memcpy(reply->replay_counter, sm->request_counter,
286 WPA_REPLAY_COUNTER_LEN);
287 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
288
289 mic = (u8 *) (reply + 1);
290 WPA_PUT_BE16(mic + mic_len, 0);
291 if (!(key_info & WPA_KEY_INFO_MIC))
292 key_mic = NULL;
293 else
294 key_mic = mic;
295
296 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
297 "WPA: Sending EAPOL-Key Request (error=%d "
298 "pairwise=%d ptk_set=%d len=%lu)",
299 error, pairwise, sm->ptk_set, (unsigned long) rlen);
300 wpa_eapol_key_send(sm, &sm->ptk, ver, wpa_sm_get_auth_addr(sm),
301 ETH_P_EAPOL, rbuf, rlen, key_mic);
302 }
303
304
wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm * sm)305 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
306 {
307 #ifdef CONFIG_IEEE80211R
308 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
309 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
310 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
311 "RSN: Cannot set low order 256 bits of MSK for key management offload");
312 } else {
313 #endif /* CONFIG_IEEE80211R */
314 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
315 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
316 "RSN: Cannot set PMK for key management offload");
317 #ifdef CONFIG_IEEE80211R
318 }
319 #endif /* CONFIG_IEEE80211R */
320 }
321
322
wpa_supplicant_get_pmk(struct wpa_sm * sm,const unsigned char * src_addr,const u8 * pmkid)323 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
324 const unsigned char *src_addr,
325 const u8 *pmkid)
326 {
327 int abort_cached = 0;
328
329 if (pmkid && !sm->cur_pmksa) {
330 /* When using drivers that generate RSN IE, wpa_supplicant may
331 * not have enough time to get the association information
332 * event before receiving this 1/4 message, so try to find a
333 * matching PMKSA cache entry here. */
334 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr,
335 sm->own_addr, pmkid,
336 NULL, 0);
337 if (sm->cur_pmksa) {
338 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
339 "RSN: found matching PMKID from PMKSA cache");
340 } else {
341 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
342 "RSN: no matching PMKID found");
343 abort_cached = 1;
344 }
345 }
346
347 if (pmkid && sm->cur_pmksa &&
348 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
349 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
350 wpa_sm_set_pmk_from_pmksa(sm);
351 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
352 sm->pmk, sm->pmk_len);
353 eapol_sm_notify_cached(sm->eapol);
354 #ifdef CONFIG_IEEE80211R
355 sm->xxkey_len = 0;
356 #ifdef CONFIG_SAE
357 if ((sm->key_mgmt == WPA_KEY_MGMT_FT_SAE ||
358 sm->key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) &&
359 sm->pmk_len == PMK_LEN) {
360 /* Need to allow FT key derivation to proceed with
361 * PMK from SAE being used as the XXKey in cases where
362 * the PMKID in msg 1/4 matches the PMKSA entry that was
363 * just added based on SAE authentication for the
364 * initial mobility domain association. */
365 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
366 sm->xxkey_len = sm->pmk_len;
367 }
368 #endif /* CONFIG_SAE */
369 #endif /* CONFIG_IEEE80211R */
370 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
371 int res, pmk_len;
372 #ifdef CONFIG_IEEE80211R
373 u8 buf[2 * PMK_LEN];
374 #endif /* CONFIG_IEEE80211R */
375
376 if (wpa_key_mgmt_sha384(sm->key_mgmt))
377 pmk_len = PMK_LEN_SUITE_B_192;
378 else
379 pmk_len = PMK_LEN;
380 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
381 if (res) {
382 if (pmk_len == PMK_LEN) {
383 /*
384 * EAP-LEAP is an exception from other EAP
385 * methods: it uses only 16-byte PMK.
386 */
387 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
388 pmk_len = 16;
389 }
390 }
391 #ifdef CONFIG_IEEE80211R
392 if (res == 0 &&
393 eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) {
394 if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
395 os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN);
396 sm->xxkey_len = SHA384_MAC_LEN;
397 } else {
398 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
399 sm->xxkey_len = PMK_LEN;
400 }
401 forced_memzero(buf, sizeof(buf));
402 if (sm->proto == WPA_PROTO_RSN &&
403 wpa_key_mgmt_ft(sm->key_mgmt)) {
404 struct rsn_pmksa_cache_entry *sa = NULL;
405 const u8 *fils_cache_id = NULL;
406
407 #ifdef CONFIG_FILS
408 if (sm->fils_cache_id_set)
409 fils_cache_id = sm->fils_cache_id;
410 #endif /* CONFIG_FILS */
411 wpa_hexdump_key(MSG_DEBUG,
412 "FT: Cache XXKey/MPMK",
413 sm->xxkey, sm->xxkey_len);
414 sa = pmksa_cache_add(sm->pmksa,
415 sm->xxkey, sm->xxkey_len,
416 NULL, NULL, 0,
417 src_addr, sm->own_addr,
418 sm->network_ctx,
419 sm->key_mgmt,
420 fils_cache_id);
421 if (!sm->cur_pmksa)
422 sm->cur_pmksa = sa;
423 }
424 }
425 #endif /* CONFIG_IEEE80211R */
426 if (res == 0) {
427 struct rsn_pmksa_cache_entry *sa = NULL;
428 const u8 *fils_cache_id = NULL;
429
430 #ifdef CONFIG_FILS
431 if (sm->fils_cache_id_set)
432 fils_cache_id = sm->fils_cache_id;
433 #endif /* CONFIG_FILS */
434
435 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
436 "machines", sm->pmk, pmk_len);
437 sm->pmk_len = pmk_len;
438 wpa_supplicant_key_mgmt_set_pmk(sm);
439 if (sm->proto == WPA_PROTO_RSN &&
440 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
441 !wpa_key_mgmt_ft(sm->key_mgmt)) {
442 sa = pmksa_cache_add(sm->pmksa,
443 sm->pmk, pmk_len, NULL,
444 NULL, 0,
445 src_addr, sm->own_addr,
446 sm->network_ctx,
447 sm->key_mgmt,
448 fils_cache_id);
449 }
450 if (!sm->cur_pmksa && pmkid &&
451 pmksa_cache_get(sm->pmksa, src_addr, sm->own_addr,
452 pmkid, NULL, 0)) {
453 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
454 "RSN: the new PMK matches with the "
455 "PMKID");
456 abort_cached = 0;
457 } else if (sa && !sm->cur_pmksa && pmkid) {
458 /*
459 * It looks like the authentication server
460 * derived mismatching MSK. This should not
461 * really happen, but bugs happen.. There is not
462 * much we can do here without knowing what
463 * exactly caused the server to misbehave.
464 */
465 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
466 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
467 return -1;
468 }
469
470 if (!sm->cur_pmksa)
471 sm->cur_pmksa = sa;
472 #ifdef CONFIG_IEEE80211R
473 } else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) {
474 wpa_printf(MSG_DEBUG,
475 "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol");
476 #endif /* CONFIG_IEEE80211R */
477 } else {
478 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
479 "WPA: Failed to get master session key from "
480 "EAPOL state machines - key handshake "
481 "aborted");
482 if (sm->cur_pmksa) {
483 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
484 "RSN: Cancelled PMKSA caching "
485 "attempt");
486 sm->cur_pmksa = NULL;
487 abort_cached = 1;
488 } else if (!abort_cached) {
489 return -1;
490 }
491 }
492 }
493
494 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
495 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
496 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
497 {
498 /* Send EAPOL-Start to trigger full EAP authentication. */
499 u8 *buf;
500 size_t buflen;
501
502 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
503 "RSN: no PMKSA entry found - trigger "
504 "full EAP authentication");
505 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
506 NULL, 0, &buflen, NULL);
507 if (buf) {
508 /* Set and reset eapFail to allow EAP state machine to
509 * proceed with new authentication. */
510 eapol_sm_notify_eap_fail(sm->eapol, true);
511 eapol_sm_notify_eap_fail(sm->eapol, false);
512 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
513 buf, buflen);
514 os_free(buf);
515 return -2;
516 }
517
518 return -1;
519 }
520
521 return 0;
522 }
523
524
525 /**
526 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
527 * @sm: Pointer to WPA state machine data from wpa_sm_init()
528 * @dst: Destination address for the frame
529 * @key: Pointer to the EAPOL-Key frame header
530 * @ver: Version bits from EAPOL-Key Key Info
531 * @nonce: Nonce value for the EAPOL-Key frame
532 * @wpa_ie: WPA/RSN IE
533 * @wpa_ie_len: Length of the WPA/RSN IE
534 * @ptk: PTK to use for keyed hash and encryption
535 * Returns: >= 0 on success, < 0 on failure
536 */
wpa_supplicant_send_2_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,int ver,const u8 * nonce,const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ptk * ptk)537 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
538 const struct wpa_eapol_key *key,
539 int ver, const u8 *nonce,
540 const u8 *wpa_ie, size_t wpa_ie_len,
541 struct wpa_ptk *ptk)
542 {
543 size_t mic_len, hdrlen, rlen, extra_len = 0;
544 struct wpa_eapol_key *reply;
545 u8 *rbuf, *key_mic;
546 u8 *rsn_ie_buf = NULL;
547 u16 key_info;
548 #ifdef CONFIG_TESTING_OPTIONS
549 size_t pad_len = 0;
550 #endif /* CONFIG_TESTING_OPTIONS */
551
552 if (wpa_ie == NULL) {
553 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
554 "cannot generate msg 2/4");
555 return -1;
556 }
557
558 #ifdef CONFIG_IEEE80211R
559 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
560 int res;
561
562 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE before FT processing",
563 wpa_ie, wpa_ie_len);
564 /*
565 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
566 * FTIE from (Re)Association Response.
567 */
568 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
569 sm->assoc_resp_ies_len);
570 if (rsn_ie_buf == NULL)
571 return -1;
572 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
573 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
574 sm->pmk_r1_name, !sm->ft_prepend_pmkid);
575 if (res < 0) {
576 os_free(rsn_ie_buf);
577 return -1;
578 }
579 wpa_hexdump(MSG_DEBUG,
580 "WPA: WPA IE after PMKID[PMKR1Name] addition into RSNE",
581 rsn_ie_buf, wpa_ie_len);
582
583 if (sm->assoc_resp_ies) {
584 wpa_hexdump(MSG_DEBUG, "WPA: Add assoc_resp_ies",
585 sm->assoc_resp_ies,
586 sm->assoc_resp_ies_len);
587 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
588 sm->assoc_resp_ies_len);
589 wpa_ie_len += sm->assoc_resp_ies_len;
590 }
591
592 wpa_ie = rsn_ie_buf;
593 }
594 #endif /* CONFIG_IEEE80211R */
595
596 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
597
598 #ifdef CONFIG_TESTING_OPTIONS
599 if (sm->test_eapol_m2_elems)
600 extra_len = wpabuf_len(sm->test_eapol_m2_elems);
601 if (sm->encrypt_eapol_m2) {
602 pad_len = (wpa_ie_len + extra_len) % 8;
603 if (pad_len)
604 pad_len = 8 - pad_len;
605 extra_len += pad_len + 8;
606 }
607 #endif /* CONFIG_TESTING_OPTIONS */
608
609 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
610 hdrlen = sizeof(*reply) + mic_len + 2;
611 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
612 NULL, hdrlen + wpa_ie_len + extra_len,
613 &rlen, (void *) &reply);
614 if (rbuf == NULL) {
615 os_free(rsn_ie_buf);
616 return -1;
617 }
618
619 reply->type = (sm->proto == WPA_PROTO_RSN ||
620 sm->proto == WPA_PROTO_OSEN) ?
621 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
622 key_info = ver | WPA_KEY_INFO_KEY_TYPE;
623 if (sm->ptk_set && sm->proto != WPA_PROTO_WPA)
624 key_info |= WPA_KEY_INFO_SECURE;
625 if (mic_len)
626 key_info |= WPA_KEY_INFO_MIC;
627 else
628 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
629 #ifdef CONFIG_TESTING_OPTIONS
630 if (sm->encrypt_eapol_m2)
631 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
632 #endif /* CONFIG_TESTING_OPTIONS */
633 WPA_PUT_BE16(reply->key_info, key_info);
634 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
635 WPA_PUT_BE16(reply->key_length, 0);
636 else
637 os_memcpy(reply->key_length, key->key_length, 2);
638 os_memcpy(reply->replay_counter, key->replay_counter,
639 WPA_REPLAY_COUNTER_LEN);
640 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
641 WPA_REPLAY_COUNTER_LEN);
642
643 key_mic = (u8 *) (reply + 1);
644 /* Key Data Length */
645 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len + extra_len);
646 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
647 os_free(rsn_ie_buf);
648 #ifdef CONFIG_TESTING_OPTIONS
649 if (sm->test_eapol_m2_elems) {
650 os_memcpy(key_mic + mic_len + 2 + wpa_ie_len,
651 wpabuf_head(sm->test_eapol_m2_elems),
652 wpabuf_len(sm->test_eapol_m2_elems));
653 }
654
655 if (sm->encrypt_eapol_m2) {
656 u8 *plain;
657 size_t plain_len;
658
659 if (sm->test_eapol_m2_elems)
660 extra_len = wpabuf_len(sm->test_eapol_m2_elems);
661 else
662 extra_len = 0;
663 plain_len = wpa_ie_len + extra_len + pad_len;
664 plain = os_memdup(key_mic + mic_len + 2, plain_len);
665 if (!plain) {
666 os_free(rbuf);
667 return -1;
668 }
669 if (pad_len)
670 plain[plain_len - pad_len] = 0xdd;
671
672 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK",
673 ptk->kek, ptk->kek_len);
674 if (aes_wrap(ptk->kek, ptk->kek_len, plain_len / 8, plain,
675 key_mic + mic_len + 2)) {
676 os_free(plain);
677 os_free(rbuf);
678 return -1;
679 }
680 wpa_hexdump(MSG_DEBUG,
681 "RSN: Encrypted Key Data from AES-WRAP",
682 key_mic + mic_len + 2, plain_len + 8);
683 os_free(plain);
684 }
685 #endif /* CONFIG_TESTING_OPTIONS */
686
687 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
688
689 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
690 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
691 key_mic);
692 }
693
694
wpa_derive_ptk(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,struct wpa_ptk * ptk)695 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
696 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
697 {
698 int ret;
699 const u8 *z = NULL;
700 size_t z_len = 0, kdk_len;
701 int akmp;
702
703 #ifdef CONFIG_IEEE80211R
704 if (wpa_key_mgmt_ft(sm->key_mgmt))
705 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
706 #endif /* CONFIG_IEEE80211R */
707
708 #ifdef CONFIG_DPP2
709 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
710 z = wpabuf_head(sm->dpp_z);
711 z_len = wpabuf_len(sm->dpp_z);
712 }
713 #endif /* CONFIG_DPP2 */
714
715 akmp = sm->key_mgmt;
716 #ifdef CONFIG_OWE
717 if (sm->owe_ptk_workaround && akmp == WPA_KEY_MGMT_OWE &&
718 sm->pmk_len > 32) {
719 wpa_printf(MSG_DEBUG,
720 "OWE: Force SHA256 for PTK derivation");
721 akmp |= WPA_KEY_MGMT_PSK_SHA256;
722 }
723 #endif /* CONFIG_OWE */
724
725 if (sm->force_kdk_derivation ||
726 (sm->secure_ltf &&
727 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
728 kdk_len = WPA_KDK_MAX_LEN;
729 else
730 kdk_len = 0;
731
732 ret = wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
733 sm->own_addr, wpa_sm_get_auth_addr(sm), sm->snonce,
734 key->key_nonce, ptk, akmp,
735 sm->pairwise_cipher, z, z_len,
736 kdk_len);
737 if (ret) {
738 wpa_printf(MSG_ERROR, "WPA: PTK derivation failed");
739 return ret;
740 }
741
742 #ifdef CONFIG_PASN
743 if (sm->secure_ltf &&
744 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))
745 ret = wpa_ltf_keyseed(ptk, akmp, sm->pairwise_cipher);
746 #endif /* CONFIG_PASN */
747
748 return ret;
749 }
750
751
wpa_handle_ext_key_id(struct wpa_sm * sm,struct wpa_eapol_ie_parse * kde)752 static int wpa_handle_ext_key_id(struct wpa_sm *sm,
753 struct wpa_eapol_ie_parse *kde)
754 {
755 if (sm->ext_key_id) {
756 u16 key_id;
757
758 if (!kde->key_id) {
759 wpa_msg(sm->ctx->msg_ctx,
760 sm->use_ext_key_id ? MSG_INFO : MSG_DEBUG,
761 "RSN: No Key ID in Extended Key ID handshake");
762 sm->keyidx_active = 0;
763 return sm->use_ext_key_id ? -1 : 0;
764 }
765
766 key_id = kde->key_id[0] & 0x03;
767 if (key_id > 1) {
768 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
769 "RSN: Invalid Extended Key ID: %d", key_id);
770 return -1;
771 }
772 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
773 "RSN: Using Extended Key ID %d", key_id);
774 sm->keyidx_active = key_id;
775 sm->use_ext_key_id = 1;
776 } else {
777 if (kde->key_id && (kde->key_id[0] & 0x03)) {
778 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
779 "RSN: Non-zero Extended Key ID Key ID in PTK0 handshake");
780 return -1;
781 }
782
783 if (kde->key_id) {
784 /* This is not supposed to be included here, but ignore
785 * the case of matching Key ID 0 just in case. */
786 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
787 "RSN: Extended Key ID Key ID 0 in PTK0 handshake");
788 }
789 sm->keyidx_active = 0;
790 sm->use_ext_key_id = 0;
791 }
792
793 return 0;
794 }
795
796
rsn_add_kde(u8 * pos,u32 kde,const u8 * data,size_t data_len)797 static u8 * rsn_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len)
798 {
799 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
800 *pos++ = RSN_SELECTOR_LEN + data_len;
801 RSN_SELECTOR_PUT(pos, kde);
802 pos += RSN_SELECTOR_LEN;
803 os_memcpy(pos, data, data_len);
804 pos += data_len;
805
806 return pos;
807 }
808
809
wpa_mlo_link_kde_len(struct wpa_sm * sm)810 static size_t wpa_mlo_link_kde_len(struct wpa_sm *sm)
811 {
812 int i;
813 unsigned int num_links = 0;
814
815 for_each_link(sm->mlo.req_links, i) {
816 if (sm->mlo.assoc_link_id != i)
817 num_links++;
818 }
819
820 return num_links * (RSN_SELECTOR_LEN + 1 + ETH_ALEN + 2);
821 }
822
823
wpa_mlo_link_kde(struct wpa_sm * sm,u8 * pos)824 static u8 * wpa_mlo_link_kde(struct wpa_sm *sm, u8 *pos)
825 {
826 int i;
827 u8 hdr[1 + ETH_ALEN];
828
829 for_each_link(sm->mlo.req_links, i) {
830 if (sm->mlo.assoc_link_id == i)
831 continue;
832
833 wpa_printf(MSG_DEBUG,
834 "MLO: Add MLO Link %d KDE in EAPOL-Key 2/4", i);
835 hdr[0] = i & 0xF; /* LinkID; no RSNE or RSNXE */
836 os_memcpy(&hdr[1], sm->mlo.links[i].addr, ETH_ALEN);
837 pos = rsn_add_kde(pos, RSN_KEY_DATA_MLO_LINK, hdr, sizeof(hdr));
838 }
839
840 return pos;
841 }
842
843
is_valid_ap_mld_mac_kde(struct wpa_sm * sm,const u8 * mac_kde)844 static bool is_valid_ap_mld_mac_kde(struct wpa_sm *sm, const u8 *mac_kde)
845 {
846 return mac_kde &&
847 ether_addr_equal(mac_kde, sm->mlo.ap_mld_addr);
848 }
849
850
wpas_swap_tkip_mic_keys(struct wpa_ptk * ptk)851 static void wpas_swap_tkip_mic_keys(struct wpa_ptk *ptk)
852 {
853 u8 buf[8];
854
855 /* Supplicant: swap tx/rx Mic keys */
856 os_memcpy(buf, &ptk->tk[16], 8);
857 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
858 os_memcpy(&ptk->tk[24], buf, 8);
859 forced_memzero(buf, sizeof(buf));
860 }
861
862
wpa_supplicant_process_1_of_4_wpa(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len,enum frame_encryption encrypted)863 static void wpa_supplicant_process_1_of_4_wpa(struct wpa_sm *sm,
864 const unsigned char *src_addr,
865 const struct wpa_eapol_key *key,
866 u16 ver, const u8 *key_data,
867 size_t key_data_len,
868 enum frame_encryption encrypted)
869 {
870 struct wpa_eapol_ie_parse ie;
871 struct wpa_ptk *ptk;
872 int res;
873
874 if (wpa_sm_get_network_ctx(sm) == NULL) {
875 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
876 "WPA: No SSID info found (msg 1 of 4)");
877 return;
878 }
879
880 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
881 "WPA: RX message 1 of 4-Way Handshake from " MACSTR
882 " (ver=%d)", MAC2STR(src_addr), ver);
883
884 os_memset(&ie, 0, sizeof(ie));
885
886 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
887 if (res == -2) {
888 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
889 "WPA: Do not reply to msg 1/4 - requesting full EAP authentication");
890 return;
891 }
892 if (res)
893 goto failed;
894
895 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
896
897 if (sm->renew_snonce) {
898 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
899 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
900 "WPA: Failed to get random data for SNonce");
901 goto failed;
902 }
903 sm->renew_snonce = 0;
904 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
905 sm->snonce, WPA_NONCE_LEN);
906 }
907
908 /* Calculate PTK which will be stored as a temporary PTK until it has
909 * been verified when processing message 3/4. */
910 ptk = &sm->tptk;
911 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
912 goto failed;
913 if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
914 wpas_swap_tkip_mic_keys(ptk);
915 sm->tptk_set = 1;
916
917 if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
918 sm->snonce, sm->assoc_wpa_ie,
919 sm->assoc_wpa_ie_len, ptk) < 0)
920 goto failed;
921
922 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
923 return;
924
925 failed:
926 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
927 }
928
929
wpa_supplicant_process_1_of_4(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len,enum frame_encryption encrypted)930 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
931 const unsigned char *src_addr,
932 const struct wpa_eapol_key *key,
933 u16 ver, const u8 *key_data,
934 size_t key_data_len,
935 enum frame_encryption encrypted)
936 {
937 struct wpa_eapol_ie_parse ie;
938 struct wpa_ptk *ptk;
939 int res;
940 u8 *kde, *kde_buf = NULL;
941 size_t kde_len;
942 size_t mlo_kde_len = 0;
943
944 if (encrypted == FRAME_NOT_ENCRYPTED && sm->tk_set &&
945 wpa_sm_pmf_enabled(sm)) {
946 wpa_printf(MSG_DEBUG,
947 "RSN: Discard unencrypted EAPOL-Key msg 1/4 when TK is set and PMF is enabled");
948 return;
949 }
950
951 if (wpa_sm_get_network_ctx(sm) == NULL) {
952 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
953 "found (msg 1 of 4)");
954 return;
955 }
956
957 if (sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
958 wpa_sm_get_state(sm) == WPA_COMPLETED) {
959 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
960 "WPA: PTK0 rekey not allowed, reconnecting");
961 wpa_sm_reconnect(sm);
962 return;
963 }
964
965 #ifdef CONFIG_P2P_CHR
966 wpa_supplicant_upload_p2p_state(sm->ctx->ctx, P2P_INTERFACE_STATE_4WAY_HANDSHAKE_1,
967 P2P_CHR_DEFAULT_REASON_CODE, P2P_CHR_DEFAULT_REASON_CODE);
968 #endif
969 wpa_msg_only_for_cb(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way "
970 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
971 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of 4-Way "
972 "Handshake from " MACSTR_SEC " (ver=%d)", MAC2STR_SEC(src_addr), ver);
973
974 os_memset(&ie, 0, sizeof(ie));
975
976 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
977 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", key_data, key_data_len);
978 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) {
979 wpa_printf(MSG_DEBUG,
980 "RSN: Discard EAPOL-Key msg 1/4 with invalid IEs/KDEs");
981 return;
982 }
983 if (ie.pmkid) {
984 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from Authenticator",
985 ie.pmkid, PMKID_LEN);
986 }
987
988 if (sm->mlo.valid_links && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) {
989 wpa_printf(MSG_INFO,
990 "RSN: Discard EAPOL-Key msg 1/4 with invalid AP MLD MAC address KDE");
991 return;
992 }
993
994 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
995 if (res == -2) {
996 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
997 "msg 1/4 - requesting full EAP authentication");
998 return;
999 }
1000 if (res)
1001 goto failed;
1002
1003 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
1004
1005 if (sm->renew_snonce) {
1006 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
1007 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1008 "WPA: Failed to get random data for SNonce");
1009 goto failed;
1010 }
1011 sm->renew_snonce = 0;
1012 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
1013 sm->snonce, WPA_NONCE_LEN);
1014 }
1015
1016 /* Calculate PTK which will be stored as a temporary PTK until it has
1017 * been verified when processing message 3/4. */
1018 ptk = &sm->tptk;
1019 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
1020 goto failed;
1021 if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
1022 wpas_swap_tkip_mic_keys(ptk);
1023 sm->tptk_set = 1;
1024
1025 /* Add MLO Link KDE and MAC KDE in M2 for ML connection */
1026 if (sm->mlo.valid_links)
1027 mlo_kde_len = wpa_mlo_link_kde_len(sm) +
1028 RSN_SELECTOR_LEN + ETH_ALEN + 2;
1029
1030 kde = sm->assoc_wpa_ie;
1031 kde_len = sm->assoc_wpa_ie_len;
1032 kde_buf = os_malloc(kde_len +
1033 2 + RSN_SELECTOR_LEN + 3 +
1034 sm->assoc_rsnxe_len +
1035 2 + RSN_SELECTOR_LEN + 1 +
1036 2 + RSN_SELECTOR_LEN + 2 + mlo_kde_len);
1037
1038 if (!kde_buf)
1039 goto failed;
1040 os_memcpy(kde_buf, kde, kde_len);
1041 kde = kde_buf;
1042
1043 #ifdef CONFIG_OCV
1044 if (wpa_sm_ocv_enabled(sm)) {
1045 struct wpa_channel_info ci;
1046 u8 *pos;
1047
1048 pos = kde + kde_len;
1049 if (wpa_sm_channel_info(sm, &ci) != 0) {
1050 wpa_printf(MSG_WARNING,
1051 "Failed to get channel info for OCI element in EAPOL-Key 2/4");
1052 goto failed;
1053 }
1054 #ifdef CONFIG_TESTING_OPTIONS
1055 if (sm->oci_freq_override_eapol) {
1056 wpa_printf(MSG_INFO,
1057 "TEST: Override OCI KDE frequency %d -> %d MHz",
1058 ci.frequency, sm->oci_freq_override_eapol);
1059 ci.frequency = sm->oci_freq_override_eapol;
1060 }
1061 #endif /* CONFIG_TESTING_OPTIONS */
1062
1063 if (ocv_insert_oci_kde(&ci, &pos) < 0)
1064 goto failed;
1065 kde_len = pos - kde;
1066 }
1067 #endif /* CONFIG_OCV */
1068
1069 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) {
1070 os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len);
1071 kde_len += sm->assoc_rsnxe_len;
1072 }
1073
1074 #ifdef CONFIG_P2P
1075 if (sm->p2p) {
1076 u8 *pos;
1077
1078 wpa_printf(MSG_DEBUG,
1079 "P2P: Add IP Address Request KDE into EAPOL-Key 2/4");
1080 pos = kde + kde_len;
1081 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
1082 *pos++ = RSN_SELECTOR_LEN + 1;
1083 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
1084 pos += RSN_SELECTOR_LEN;
1085 *pos++ = 0x01;
1086 kde_len = pos - kde;
1087 }
1088 #endif /* CONFIG_P2P */
1089
1090 #ifdef CONFIG_DPP2
1091 if (DPP_VERSION > 1 && sm->key_mgmt == WPA_KEY_MGMT_DPP) {
1092 u8 *pos;
1093
1094 wpa_printf(MSG_DEBUG, "DPP: Add DPP KDE into EAPOL-Key 2/4");
1095 pos = kde + kde_len;
1096 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
1097 *pos++ = RSN_SELECTOR_LEN + 2;
1098 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_DPP);
1099 pos += RSN_SELECTOR_LEN;
1100 *pos++ = DPP_VERSION; /* Protocol Version */
1101 *pos = 0; /* Flags */
1102 if (sm->dpp_pfs == 0)
1103 *pos |= DPP_KDE_PFS_ALLOWED;
1104 else if (sm->dpp_pfs == 1)
1105 *pos |= DPP_KDE_PFS_ALLOWED | DPP_KDE_PFS_REQUIRED;
1106 pos++;
1107 kde_len = pos - kde;
1108 }
1109 #endif /* CONFIG_DPP2 */
1110
1111 if (sm->mlo.valid_links) {
1112 u8 *pos;
1113
1114 /* Add MAC KDE */
1115 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 2/4");
1116 pos = kde + kde_len;
1117 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
1118 ETH_ALEN);
1119
1120 /* Add MLO Link KDE */
1121 wpa_printf(MSG_DEBUG, "Add MLO Link KDE(s) into EAPOL-Key 2/4");
1122 pos = wpa_mlo_link_kde(sm, pos);
1123 kde_len = pos - kde;
1124 }
1125
1126 if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
1127 sm->snonce, kde, kde_len, ptk) < 0)
1128 goto failed;
1129 #ifdef CONFIG_P2P_CHR
1130 wpa_supplicant_upload_p2p_state(sm->ctx->ctx, P2P_INTERFACE_STATE_4WAY_HANDSHAKE_2,
1131 P2P_CHR_DEFAULT_REASON_CODE, P2P_CHR_DEFAULT_REASON_CODE);
1132 #endif
1133 os_free(kde_buf);
1134 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
1135 return;
1136
1137 failed:
1138 os_free(kde_buf);
1139 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1140 }
1141
1142
wpa_sm_start_preauth(void * eloop_ctx,void * timeout_ctx)1143 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
1144 {
1145 struct wpa_sm *sm = eloop_ctx;
1146 rsn_preauth_candidate_process(sm);
1147 }
1148
1149
wpa_supplicant_key_neg_complete(struct wpa_sm * sm,const u8 * addr,int secure)1150 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
1151 const u8 *addr, int secure)
1152 {
1153 wpa_msg_only_for_cb(sm->ctx->msg_ctx, MSG_INFO,
1154 "WPA: Key negotiation completed with "
1155 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
1156 wpa_cipher_txt(sm->pairwise_cipher),
1157 wpa_cipher_txt(sm->group_cipher));
1158 wpa_printf(MSG_INFO, "WPA: Key negotiation completed with "
1159 MACSTR_SEC " [PTK=%s GTK=%s]", MAC2STR_SEC(addr),
1160 wpa_cipher_txt(sm->pairwise_cipher),
1161 wpa_cipher_txt(sm->group_cipher));
1162 wpa_sm_cancel_auth_timeout(sm);
1163 wpa_sm_set_state(sm, WPA_COMPLETED);
1164 #ifdef CONFIG_P2P_CHR
1165 wpa_supplicant_upload_p2p_state(sm->ctx->ctx, P2P_INTERFACE_STATE_COMPLETED,
1166 P2P_CHR_DEFAULT_REASON_CODE, P2P_CHR_DEFAULT_REASON_CODE);
1167 #endif
1168 if (secure) {
1169 wpa_sm_mlme_setprotection(
1170 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
1171 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1172 eapol_sm_notify_portValid(sm->eapol, true);
1173 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
1174 sm->key_mgmt == WPA_KEY_MGMT_DPP ||
1175 sm->key_mgmt == WPA_KEY_MGMT_OWE)
1176 eapol_sm_notify_eap_success(sm->eapol, true);
1177 /*
1178 * Start preauthentication after a short wait to avoid a
1179 * possible race condition between the data receive and key
1180 * configuration after the 4-Way Handshake. This increases the
1181 * likelihood of the first preauth EAPOL-Start frame getting to
1182 * the target AP.
1183 */
1184 if (!dl_list_empty(&sm->pmksa_candidates))
1185 eloop_register_timeout(1, 0, wpa_sm_start_preauth,
1186 sm, NULL);
1187 }
1188
1189 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
1190 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1191 "RSN: Authenticator accepted "
1192 "opportunistic PMKSA entry - marking it valid");
1193 sm->cur_pmksa->opportunistic = 0;
1194 }
1195
1196 #ifdef CONFIG_IEEE80211R
1197 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
1198 /* Prepare for the next transition */
1199 wpa_ft_prepare_auth_request(sm, NULL);
1200 }
1201 #endif /* CONFIG_IEEE80211R */
1202 }
1203
1204
wpa_sm_rekey_ptk(void * eloop_ctx,void * timeout_ctx)1205 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
1206 {
1207 struct wpa_sm *sm = eloop_ctx;
1208 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
1209 wpa_sm_key_request(sm, 0, 1);
1210 }
1211
1212
wpa_supplicant_install_ptk(struct wpa_sm * sm,const struct wpa_eapol_key * key,enum key_flag key_flag)1213 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
1214 const struct wpa_eapol_key *key,
1215 enum key_flag key_flag)
1216 {
1217 int keylen, rsclen;
1218 enum wpa_alg alg;
1219 const u8 *key_rsc;
1220
1221 if (sm->ptk.installed) {
1222 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1223 "WPA: Do not re-install same PTK to the driver");
1224 return 0;
1225 }
1226
1227 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1228 "WPA: Installing PTK to the driver");
1229
1230 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1231 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
1232 "Suite: NONE - do not use pairwise keys");
1233 return 0;
1234 }
1235
1236 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
1237 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1238 "WPA: Unsupported pairwise cipher %d",
1239 sm->pairwise_cipher);
1240 return -1;
1241 }
1242
1243 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
1244 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
1245 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
1246 wpa_printf(MSG_INFO, "WPA: TK length mismatch: %d != %lu",
1247 keylen, (long unsigned int) sm->ptk.tk_len);
1248 return -1;
1249 }
1250 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
1251
1252 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
1253 key_rsc = null_rsc;
1254 } else {
1255 key_rsc = key->key_rsc;
1256 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
1257 }
1258
1259 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm),
1260 sm->keyidx_active, 1, key_rsc, rsclen, sm->ptk.tk,
1261 keylen, KEY_FLAG_PAIRWISE | key_flag) < 0) {
1262 wpa_msg_only_for_cb(sm->ctx->msg_ctx, MSG_WARNING,
1263 "WPA: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
1264 MACSTR " idx=%d key_flag=0x%x)",
1265 alg, keylen, MAC2STR(sm->bssid),
1266 sm->keyidx_active, key_flag);
1267 wpa_printf(MSG_WARNING, "WPA: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
1268 MACSTR_SEC " idx=%d key_flag=0x%x)",
1269 alg, keylen, MAC2STR_SEC(sm->bssid),
1270 sm->keyidx_active, key_flag);
1271 return -1;
1272 }
1273
1274 #ifdef CONFIG_PASN
1275 if (sm->secure_ltf &&
1276 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
1277 wpa_sm_set_ltf_keyseed(sm, sm->own_addr, sm->bssid,
1278 sm->ptk.ltf_keyseed_len,
1279 sm->ptk.ltf_keyseed) < 0) {
1280 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1281 "WPA: Failed to set LTF keyseed to the driver (keylen=%zu bssid="
1282 MACSTR ")", sm->ptk.ltf_keyseed_len,
1283 MAC2STR(sm->bssid));
1284 return -1;
1285 }
1286 #endif /* CONFIG_PASN */
1287
1288 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
1289 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
1290
1291 /* TK is not needed anymore in supplicant */
1292 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
1293 sm->ptk.tk_len = 0;
1294 sm->ptk.installed = 1;
1295 sm->tk_set = true;
1296
1297 if (sm->wpa_ptk_rekey) {
1298 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
1299 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
1300 sm, NULL);
1301 }
1302 return 0;
1303 }
1304
1305
wpa_supplicant_activate_ptk(struct wpa_sm * sm)1306 static int wpa_supplicant_activate_ptk(struct wpa_sm *sm)
1307 {
1308 wpa_msg_only_for_cb(sm->ctx->msg_ctx, MSG_DEBUG,
1309 "WPA: Activate PTK (idx=%d auth_addr=" MACSTR ")",
1310 sm->keyidx_active, MAC2STR(wpa_sm_get_auth_addr(sm)));
1311 wpa_printf(MSG_DEBUG, "WPA: Activate PTK (idx=%d auth_addr=" MACSTR_SEC ")",
1312 sm->keyidx_active, MAC2STR_SEC(wpa_sm_get_auth_addr(sm)));
1313
1314 if (wpa_sm_set_key(sm, -1, 0, wpa_sm_get_auth_addr(sm),
1315 sm->keyidx_active, 0, NULL, 0, NULL, 0,
1316 KEY_FLAG_PAIRWISE_RX_TX_MODIFY) < 0) {
1317 wpa_msg_only_for_cb(sm->ctx->msg_ctx, MSG_WARNING,
1318 "WPA: Failed to activate PTK for TX (idx=%d auth_addr="
1319 MACSTR ")", sm->keyidx_active,
1320 MAC2STR(wpa_sm_get_auth_addr(sm)));
1321 wpa_printf(MSG_WARNING, "WPA: Failed to activate PTK for TX (idx=%d auth_addr="
1322 MACSTR_SEC ")", sm->keyidx_active, MAC2STR_SEC(wpa_sm_get_auth_addr(sm)));
1323 return -1;
1324 }
1325 return 0;
1326 }
1327
1328
wpa_supplicant_check_group_cipher(struct wpa_sm * sm,int group_cipher,int keylen,int maxkeylen,int * key_rsc_len,enum wpa_alg * alg)1329 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
1330 int group_cipher,
1331 int keylen, int maxkeylen,
1332 int *key_rsc_len,
1333 enum wpa_alg *alg)
1334 {
1335 int klen;
1336
1337 *alg = wpa_cipher_to_alg(group_cipher);
1338 if (*alg == WPA_ALG_NONE) {
1339 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1340 "WPA: Unsupported Group Cipher %d",
1341 group_cipher);
1342 return -1;
1343 }
1344 *key_rsc_len = wpa_cipher_rsc_len(group_cipher);
1345
1346 klen = wpa_cipher_key_len(group_cipher);
1347 if (keylen != klen || maxkeylen < klen) {
1348 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1349 "WPA: Unsupported %s Group Cipher key length %d (%d)",
1350 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
1351 return -1;
1352 }
1353 return 0;
1354 }
1355
1356
1357 struct wpa_gtk_data {
1358 enum wpa_alg alg;
1359 int tx, key_rsc_len, keyidx;
1360 u8 gtk[32];
1361 int gtk_len;
1362 };
1363
1364
wpa_supplicant_install_gtk(struct wpa_sm * sm,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1365 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
1366 const struct wpa_gtk_data *gd,
1367 const u8 *key_rsc, int wnm_sleep)
1368 {
1369 const u8 *_gtk = gd->gtk;
1370 u8 gtk_buf[32];
1371
1372 /* Detect possible key reinstallation */
1373 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
1374 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
1375 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
1376 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
1377 sm->gtk_wnm_sleep.gtk_len) == 0)) {
1378 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1379 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
1380 gd->keyidx, gd->tx, gd->gtk_len);
1381 return 0;
1382 }
1383
1384 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
1385 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1386 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
1387 gd->keyidx, gd->tx, gd->gtk_len);
1388 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
1389 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1390 /* Swap Tx/Rx keys for Michael MIC */
1391 os_memcpy(gtk_buf, gd->gtk, 16);
1392 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1393 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1394 _gtk = gtk_buf;
1395 }
1396 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1397 if (wpa_sm_set_key(sm, -1, gd->alg, NULL,
1398 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
1399 _gtk, gd->gtk_len,
1400 KEY_FLAG_GROUP_RX_TX_DEFAULT) < 0) {
1401 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1402 "WPA: Failed to set GTK to the driver "
1403 "(Group only)");
1404 forced_memzero(gtk_buf, sizeof(gtk_buf));
1405 return -1;
1406 }
1407 } else if (wpa_sm_set_key(sm, -1, gd->alg, broadcast_ether_addr,
1408 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
1409 _gtk, gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1410 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1411 "WPA: Failed to set GTK to "
1412 "the driver (alg=%d keylen=%d keyidx=%d)",
1413 gd->alg, gd->gtk_len, gd->keyidx);
1414 forced_memzero(gtk_buf, sizeof(gtk_buf));
1415 return -1;
1416 }
1417 forced_memzero(gtk_buf, sizeof(gtk_buf));
1418
1419 if (wnm_sleep) {
1420 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
1421 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
1422 sm->gtk_wnm_sleep.gtk_len);
1423 } else {
1424 sm->gtk.gtk_len = gd->gtk_len;
1425 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
1426 }
1427
1428 return 0;
1429 }
1430
1431
wpa_supplicant_install_mlo_gtk(struct wpa_sm * sm,u8 link_id,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1432 static int wpa_supplicant_install_mlo_gtk(struct wpa_sm *sm, u8 link_id,
1433 const struct wpa_gtk_data *gd,
1434 const u8 *key_rsc, int wnm_sleep)
1435 {
1436 const u8 *gtk = gd->gtk;
1437 u8 gtk_buf[32];
1438
1439 /* Detect possible key reinstallation */
1440 if ((sm->mlo.links[link_id].gtk.gtk_len == (size_t) gd->gtk_len &&
1441 os_memcmp(sm->mlo.links[link_id].gtk.gtk, gd->gtk,
1442 sm->mlo.links[link_id].gtk.gtk_len) == 0) ||
1443 (sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len ==
1444 (size_t) gd->gtk_len &&
1445 os_memcmp(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk,
1446 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len) == 0)) {
1447 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1448 "RSN: Not reinstalling already in-use GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)",
1449 link_id, gd->keyidx, gd->tx, gd->gtk_len);
1450 return 0;
1451 }
1452
1453 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: Group Key", gd->gtk,
1454 gd->gtk_len);
1455 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1456 "RSN: Installing GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)",
1457 link_id, gd->keyidx, gd->tx, gd->gtk_len);
1458 wpa_hexdump_link(MSG_DEBUG, link_id, "RSN: RSC",
1459 key_rsc, gd->key_rsc_len);
1460 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1461 /* Swap Tx/Rx keys for Michael MIC */
1462 os_memcpy(gtk_buf, gd->gtk, 16);
1463 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1464 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1465 gtk = gtk_buf;
1466 }
1467 if (wpa_sm_set_key(sm, link_id, gd->alg, broadcast_ether_addr,
1468 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, gtk,
1469 gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1470 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1471 "RSN: Failed to set GTK to the driver (link_id=%d alg=%d keylen=%d keyidx=%d)",
1472 link_id, gd->alg, gd->gtk_len, gd->keyidx);
1473 forced_memzero(gtk_buf, sizeof(gtk_buf));
1474 return -1;
1475 }
1476 forced_memzero(gtk_buf, sizeof(gtk_buf));
1477
1478 if (wnm_sleep) {
1479 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len = gd->gtk_len;
1480 os_memcpy(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk,
1481 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len);
1482 } else {
1483 sm->mlo.links[link_id].gtk.gtk_len = gd->gtk_len;
1484 os_memcpy(sm->mlo.links[link_id].gtk.gtk, gd->gtk,
1485 sm->mlo.links[link_id].gtk.gtk_len);
1486 }
1487
1488 return 0;
1489 }
1490
1491
wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm * sm,int tx)1492 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
1493 int tx)
1494 {
1495 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
1496 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
1497 * seemed to set this bit (incorrectly, since Tx is only when
1498 * doing Group Key only APs) and without this workaround, the
1499 * data connection does not work because wpa_supplicant
1500 * configured non-zero keyidx to be used for unicast. */
1501 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1502 "WPA: Tx bit set for GTK, but pairwise "
1503 "keys are used - ignore Tx bit");
1504 return 0;
1505 }
1506 return tx;
1507 }
1508
1509
wpa_supplicant_rsc_relaxation(const struct wpa_sm * sm,const u8 * rsc)1510 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
1511 const u8 *rsc)
1512 {
1513 int rsclen;
1514
1515 if (!sm->wpa_rsc_relaxation)
1516 return 0;
1517
1518 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
1519
1520 /*
1521 * Try to detect RSC (endian) corruption issue where the AP sends
1522 * the RSC bytes in EAPOL-Key message in the wrong order, both if
1523 * it's actually a 6-byte field (as it should be) and if it treats
1524 * it as an 8-byte field.
1525 * An AP model known to have this bug is the Sapido RB-1632.
1526 */
1527 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
1528 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1529 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
1530 rsc[0], rsc[1], rsc[2], rsc[3],
1531 rsc[4], rsc[5], rsc[6], rsc[7]);
1532
1533 return 1;
1534 }
1535
1536 return 0;
1537 }
1538
1539
wpa_supplicant_mlo_gtk(struct wpa_sm * sm,u8 link_id,const u8 * gtk,size_t gtk_len,int key_info)1540 static int wpa_supplicant_mlo_gtk(struct wpa_sm *sm, u8 link_id, const u8 *gtk,
1541 size_t gtk_len, int key_info)
1542 {
1543 struct wpa_gtk_data gd;
1544 const u8 *key_rsc;
1545 int ret;
1546
1547 /*
1548 * MLO GTK KDE format:
1549 * KeyID[bits 0-1], Tx [bit 2], Reserved [bit 3], link id [4-7]
1550 * PN
1551 * GTK
1552 */
1553 os_memset(&gd, 0, sizeof(gd));
1554 wpa_hexdump_link_key(MSG_DEBUG, link_id,
1555 "RSN: received GTK in pairwise handshake",
1556 gtk, gtk_len);
1557
1558 if (gtk_len < RSN_MLO_GTK_KDE_PREFIX_LENGTH ||
1559 gtk_len - RSN_MLO_GTK_KDE_PREFIX_LENGTH > sizeof(gd.gtk))
1560 return -1;
1561
1562 gd.keyidx = gtk[0] & 0x3;
1563 gtk += 1;
1564 gtk_len -= 1;
1565
1566 key_rsc = gtk;
1567
1568 gtk += 6;
1569 gtk_len -= 6;
1570
1571 os_memcpy(gd.gtk, gtk, gtk_len);
1572 gd.gtk_len = gtk_len;
1573
1574 ret = 0;
1575 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, gtk_len,
1576 gtk_len, &gd.key_rsc_len,
1577 &gd.alg) ||
1578 wpa_supplicant_install_mlo_gtk(sm, link_id, &gd, key_rsc, 0)) {
1579 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1580 "RSN: Failed to install GTK for MLO Link ID %u",
1581 link_id);
1582 ret = -1;
1583 goto out;
1584 }
1585
1586 out:
1587 forced_memzero(&gd, sizeof(gd));
1588 return ret;
1589 }
1590
1591
wpa_supplicant_pairwise_mlo_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,struct wpa_eapol_ie_parse * ie,int key_info)1592 static int wpa_supplicant_pairwise_mlo_gtk(struct wpa_sm *sm,
1593 const struct wpa_eapol_key *key,
1594 struct wpa_eapol_ie_parse *ie,
1595 int key_info)
1596 {
1597 u8 i;
1598
1599 for_each_link(sm->mlo.valid_links, i) {
1600 if (!ie->mlo_gtk[i]) {
1601 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1602 "MLO RSN: GTK not found for link ID %u", i);
1603 return -1;
1604 }
1605
1606 if (wpa_supplicant_mlo_gtk(sm, i, ie->mlo_gtk[i],
1607 ie->mlo_gtk_len[i], key_info))
1608 return -1;
1609 }
1610
1611 return 0;
1612 }
1613
1614
wpa_supplicant_pairwise_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * gtk,size_t gtk_len,int key_info)1615 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
1616 const struct wpa_eapol_key *key,
1617 const u8 *gtk, size_t gtk_len,
1618 int key_info)
1619 {
1620 struct wpa_gtk_data gd;
1621 const u8 *key_rsc;
1622
1623 /*
1624 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
1625 * GTK KDE format:
1626 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
1627 * Reserved [bits 0-7]
1628 * GTK
1629 */
1630
1631 os_memset(&gd, 0, sizeof(gd));
1632 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
1633 gtk, gtk_len);
1634
1635 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
1636 return -1;
1637
1638 gd.keyidx = gtk[0] & 0x3;
1639 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1640 !!(gtk[0] & BIT(2)));
1641 gtk += 2;
1642 gtk_len -= 2;
1643
1644 os_memcpy(gd.gtk, gtk, gtk_len);
1645 gd.gtk_len = gtk_len;
1646
1647 key_rsc = key->key_rsc;
1648 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1649 key_rsc = null_rsc;
1650
1651 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1652 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1653 gtk_len, gtk_len,
1654 &gd.key_rsc_len, &gd.alg) ||
1655 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
1656 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1657 "RSN: Failed to install GTK");
1658 forced_memzero(&gd, sizeof(gd));
1659 return -1;
1660 }
1661 forced_memzero(&gd, sizeof(gd));
1662
1663 return 0;
1664 }
1665
1666
wpa_supplicant_install_igtk(struct wpa_sm * sm,const struct wpa_igtk_kde * igtk,int wnm_sleep)1667 static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
1668 const struct wpa_igtk_kde *igtk,
1669 int wnm_sleep)
1670 {
1671 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1672 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1673
1674 /* Detect possible key reinstallation */
1675 if ((sm->igtk.igtk_len == len &&
1676 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
1677 (sm->igtk_wnm_sleep.igtk_len == len &&
1678 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1679 sm->igtk_wnm_sleep.igtk_len) == 0)) {
1680 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1681 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1682 keyidx);
1683 return 0;
1684 }
1685
1686 wpa_msg_only_for_cb(sm->ctx->msg_ctx, MSG_DEBUG,
1687 "WPA: IGTK keyid %d pn " MACSTR,
1688 keyidx, MAC2STR(igtk->pn));
1689 wpa_printf(MSG_DEBUG, "WPA: IGTK keyid %d pn " MACSTR_SEC,
1690 keyidx, MAC2STR_SEC(igtk->pn));
1691 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
1692 if (keyidx > 4095) {
1693 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1694 "WPA: Invalid IGTK KeyID %d", keyidx);
1695 return -1;
1696 }
1697 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1698 broadcast_ether_addr,
1699 keyidx, 0, igtk->pn, sizeof(igtk->pn),
1700 igtk->igtk, len, KEY_FLAG_GROUP_RX) < 0) {
1701 if (keyidx == 0x0400 || keyidx == 0x0500) {
1702 /* Assume the AP has broken PMF implementation since it
1703 * seems to have swapped the KeyID bytes. The AP cannot
1704 * be trusted to implement BIP correctly or provide a
1705 * valid IGTK, so do not try to configure this key with
1706 * swapped KeyID bytes. Instead, continue without
1707 * configuring the IGTK so that the driver can drop any
1708 * received group-addressed robust management frames due
1709 * to missing keys.
1710 *
1711 * Normally, this error behavior would result in us
1712 * disconnecting, but there are number of deployed APs
1713 * with this broken behavior, so as an interoperability
1714 * workaround, allow the connection to proceed. */
1715 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1716 "WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order");
1717 } else {
1718 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1719 "WPA: Failed to configure IGTK to the driver");
1720 return -1;
1721 }
1722 }
1723
1724 if (wnm_sleep) {
1725 sm->igtk_wnm_sleep.igtk_len = len;
1726 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1727 sm->igtk_wnm_sleep.igtk_len);
1728 } else {
1729 sm->igtk.igtk_len = len;
1730 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
1731 }
1732
1733 return 0;
1734 }
1735
1736
wpa_supplicant_install_bigtk(struct wpa_sm * sm,const struct wpa_bigtk_kde * bigtk,int wnm_sleep)1737 static int wpa_supplicant_install_bigtk(struct wpa_sm *sm,
1738 const struct wpa_bigtk_kde *bigtk,
1739 int wnm_sleep)
1740 {
1741 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1742 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1743
1744 /* Detect possible key reinstallation */
1745 if ((sm->bigtk.bigtk_len == len &&
1746 os_memcmp(sm->bigtk.bigtk, bigtk->bigtk,
1747 sm->bigtk.bigtk_len) == 0) ||
1748 (sm->bigtk_wnm_sleep.bigtk_len == len &&
1749 os_memcmp(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1750 sm->bigtk_wnm_sleep.bigtk_len) == 0)) {
1751 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1752 "WPA: Not reinstalling already in-use BIGTK to the driver (keyidx=%d)",
1753 keyidx);
1754 return 0;
1755 }
1756
1757 wpa_msg_only_for_cb(sm->ctx->msg_ctx, MSG_DEBUG,
1758 "WPA: BIGTK keyid %d pn " MACSTR,
1759 keyidx, MAC2STR(bigtk->pn));
1760 wpa_printf(MSG_DEBUG, "WPA: BIGTK keyid %d pn " MACSTR_SEC,
1761 keyidx, MAC2STR_SEC(bigtk->pn));
1762 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK", bigtk->bigtk, len);
1763 if (keyidx < 6 || keyidx > 7) {
1764 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1765 "WPA: Invalid BIGTK KeyID %d", keyidx);
1766 return -1;
1767 }
1768 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1769 broadcast_ether_addr,
1770 keyidx, 0, bigtk->pn, sizeof(bigtk->pn),
1771 bigtk->bigtk, len, KEY_FLAG_GROUP_RX) < 0) {
1772 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1773 "WPA: Failed to configure BIGTK to the driver");
1774 return -1;
1775 }
1776
1777 if (wnm_sleep) {
1778 sm->bigtk_wnm_sleep.bigtk_len = len;
1779 os_memcpy(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1780 sm->bigtk_wnm_sleep.bigtk_len);
1781 } else {
1782 sm->bigtk.bigtk_len = len;
1783 os_memcpy(sm->bigtk.bigtk, bigtk->bigtk, sm->bigtk.bigtk_len);
1784 }
1785
1786 return 0;
1787 }
1788
1789
wpa_supplicant_install_mlo_igtk(struct wpa_sm * sm,u8 link_id,const struct rsn_mlo_igtk_kde * igtk,int wnm_sleep)1790 static int wpa_supplicant_install_mlo_igtk(struct wpa_sm *sm, u8 link_id,
1791 const struct rsn_mlo_igtk_kde *igtk,
1792 int wnm_sleep)
1793 {
1794 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1795 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1796
1797 /* Detect possible key reinstallation */
1798 if ((sm->mlo.links[link_id].igtk.igtk_len == len &&
1799 os_memcmp(sm->mlo.links[link_id].igtk.igtk, igtk->igtk,
1800 sm->mlo.links[link_id].igtk.igtk_len) == 0) ||
1801 (sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len == len &&
1802 os_memcmp(sm->mlo.links[link_id].igtk_wnm_sleep.igtk, igtk->igtk,
1803 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len) == 0)) {
1804 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1805 "RSN: Not reinstalling already in-use IGTK to the driver (link_id=%d keyidx=%d)",
1806 link_id, keyidx);
1807 return 0;
1808 }
1809
1810 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1811 "RSN: MLO Link %u IGTK keyid %d pn " COMPACT_MACSTR,
1812 link_id, keyidx, MAC2STR(igtk->pn));
1813 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: IGTK", igtk->igtk, len);
1814 if (keyidx > 4095) {
1815 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1816 "RSN: Invalid MLO Link %d IGTK KeyID %d", link_id,
1817 keyidx);
1818 return -1;
1819 }
1820 if (wpa_sm_set_key(sm, link_id,
1821 wpa_cipher_to_alg(sm->mgmt_group_cipher),
1822 broadcast_ether_addr, keyidx, 0, igtk->pn,
1823 sizeof(igtk->pn), igtk->igtk, len,
1824 KEY_FLAG_GROUP_RX) < 0) {
1825 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1826 "RSN: Failed to configure MLO Link %d IGTK to the driver",
1827 link_id);
1828 return -1;
1829 }
1830
1831 if (wnm_sleep) {
1832 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len = len;
1833 os_memcpy(sm->mlo.links[link_id].igtk_wnm_sleep.igtk,
1834 igtk->igtk,
1835 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len);
1836 } else {
1837 sm->mlo.links[link_id].igtk.igtk_len = len;
1838 os_memcpy(sm->mlo.links[link_id].igtk.igtk, igtk->igtk,
1839 sm->mlo.links[link_id].igtk.igtk_len);
1840 }
1841
1842 return 0;
1843 }
1844
1845
1846 static int
wpa_supplicant_install_mlo_bigtk(struct wpa_sm * sm,u8 link_id,const struct rsn_mlo_bigtk_kde * bigtk,int wnm_sleep)1847 wpa_supplicant_install_mlo_bigtk(struct wpa_sm *sm, u8 link_id,
1848 const struct rsn_mlo_bigtk_kde *bigtk,
1849 int wnm_sleep)
1850 {
1851 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1852 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1853
1854 /* Detect possible key reinstallation */
1855 if ((sm->mlo.links[link_id].bigtk.bigtk_len == len &&
1856 os_memcmp(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk,
1857 sm->mlo.links[link_id].bigtk.bigtk_len) == 0) ||
1858 (sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len == len &&
1859 os_memcmp(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk,
1860 bigtk->bigtk,
1861 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len) ==
1862 0)) {
1863 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1864 "RSN: Not reinstalling already in-use BIGTK to the driver (link_id=%d keyidx=%d)",
1865 link_id, keyidx);
1866 return 0;
1867 }
1868
1869 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1870 "RSN: MLO Link %u BIGTK keyid %d pn " COMPACT_MACSTR,
1871 link_id, keyidx, MAC2STR(bigtk->pn));
1872 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: BIGTK", bigtk->bigtk,
1873 len);
1874 if (keyidx < 6 || keyidx > 7) {
1875 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1876 "RSN: Invalid MLO Link %d BIGTK KeyID %d", link_id,
1877 keyidx);
1878 return -1;
1879 }
1880 if (wpa_sm_set_key(sm, link_id,
1881 wpa_cipher_to_alg(sm->mgmt_group_cipher),
1882 broadcast_ether_addr, keyidx, 0, bigtk->pn,
1883 sizeof(bigtk->pn), bigtk->bigtk, len,
1884 KEY_FLAG_GROUP_RX) < 0) {
1885 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1886 "RSN: Failed to configure MLO Link %d BIGTK to the driver",
1887 link_id);
1888 return -1;
1889 }
1890
1891 if (wnm_sleep) {
1892 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len = len;
1893 os_memcpy(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk,
1894 bigtk->bigtk,
1895 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len);
1896 } else {
1897 sm->mlo.links[link_id].bigtk.bigtk_len = len;
1898 os_memcpy(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk,
1899 sm->mlo.links[link_id].bigtk.bigtk_len);
1900 }
1901
1902 return 0;
1903 }
1904
1905
_mlo_ieee80211w_set_keys(struct wpa_sm * sm,u8 link_id,struct wpa_eapol_ie_parse * ie)1906 static int _mlo_ieee80211w_set_keys(struct wpa_sm *sm, u8 link_id,
1907 struct wpa_eapol_ie_parse *ie)
1908 {
1909 size_t len;
1910
1911 if (ie->mlo_igtk[link_id]) {
1912 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1913 if (ie->mlo_igtk_len[link_id] !=
1914 RSN_MLO_IGTK_KDE_PREFIX_LENGTH + len)
1915 return -1;
1916
1917 if (wpa_supplicant_install_mlo_igtk(
1918 sm, link_id,
1919 (const struct rsn_mlo_igtk_kde *)
1920 ie->mlo_igtk[link_id],
1921 0) < 0)
1922 return -1;
1923 }
1924
1925 if (ie->mlo_bigtk[link_id] && sm->beacon_prot) {
1926 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1927 if (ie->mlo_bigtk_len[link_id] !=
1928 RSN_MLO_BIGTK_KDE_PREFIX_LENGTH + len)
1929 return -1;
1930
1931 if (wpa_supplicant_install_mlo_bigtk(
1932 sm, link_id,
1933 (const struct rsn_mlo_bigtk_kde *)
1934 ie->mlo_bigtk[link_id],
1935 0) < 0)
1936 return -1;
1937 }
1938
1939 return 0;
1940 }
1941
1942
mlo_ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1943 static int mlo_ieee80211w_set_keys(struct wpa_sm *sm,
1944 struct wpa_eapol_ie_parse *ie)
1945 {
1946 u8 i;
1947
1948 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1949 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1950 return 0;
1951
1952 for_each_link(sm->mlo.valid_links, i) {
1953 if (_mlo_ieee80211w_set_keys(sm, i, ie))
1954 return -1;
1955 }
1956
1957 return 0;
1958 }
1959
1960
ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1961 static int ieee80211w_set_keys(struct wpa_sm *sm,
1962 struct wpa_eapol_ie_parse *ie)
1963 {
1964 size_t len;
1965
1966 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1967 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1968 return 0;
1969
1970 if (ie->igtk) {
1971 const struct wpa_igtk_kde *igtk;
1972
1973 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1974 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
1975 return -1;
1976
1977 igtk = (const struct wpa_igtk_kde *) ie->igtk;
1978 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
1979 return -1;
1980 }
1981
1982 if (ie->bigtk && sm->beacon_prot) {
1983 const struct wpa_bigtk_kde *bigtk;
1984
1985 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1986 if (ie->bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + len)
1987 return -1;
1988
1989 bigtk = (const struct wpa_bigtk_kde *) ie->bigtk;
1990 if (wpa_supplicant_install_bigtk(sm, bigtk, 0) < 0)
1991 return -1;
1992 }
1993
1994 return 0;
1995 }
1996
1997
wpa_report_ie_mismatch(struct wpa_sm * sm,const char * reason,const u8 * src_addr,const u8 * wpa_ie,size_t wpa_ie_len,const u8 * rsn_ie,size_t rsn_ie_len)1998 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
1999 const char *reason, const u8 *src_addr,
2000 const u8 *wpa_ie, size_t wpa_ie_len,
2001 const u8 *rsn_ie, size_t rsn_ie_len)
2002 {
2003 wpa_msg_only_for_cb(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR_SEC ")",
2004 reason, MAC2STR_SEC(src_addr));
2005 wpa_printf(MSG_WARNING, "WPA: %s (src=" MACSTR_SEC ")",
2006 reason, MAC2STR_SEC(src_addr));
2007
2008 if (sm->ap_wpa_ie) {
2009 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
2010 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
2011 }
2012 if (wpa_ie) {
2013 if (!sm->ap_wpa_ie) {
2014 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2015 "WPA: No WPA IE in Beacon/ProbeResp");
2016 }
2017 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
2018 wpa_ie, wpa_ie_len);
2019 }
2020
2021 if (sm->ap_rsn_ie) {
2022 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
2023 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
2024 }
2025 if (rsn_ie) {
2026 if (!sm->ap_rsn_ie) {
2027 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2028 "WPA: No RSN IE in Beacon/ProbeResp");
2029 }
2030 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
2031 rsn_ie, rsn_ie_len);
2032 }
2033
2034 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2035 }
2036
2037
2038 #ifdef CONFIG_IEEE80211R
2039
ft_validate_mdie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_mdie)2040 static int ft_validate_mdie(struct wpa_sm *sm,
2041 const unsigned char *src_addr,
2042 struct wpa_eapol_ie_parse *ie,
2043 const u8 *assoc_resp_mdie)
2044 {
2045 struct rsn_mdie *mdie;
2046
2047 mdie = (struct rsn_mdie *) (ie->mdie + 2);
2048 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
2049 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
2050 MOBILITY_DOMAIN_ID_LEN) != 0) {
2051 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
2052 "not match with the current mobility domain");
2053 return -1;
2054 }
2055
2056 if (assoc_resp_mdie &&
2057 (assoc_resp_mdie[1] != ie->mdie[1] ||
2058 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
2059 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
2060 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
2061 ie->mdie, 2 + ie->mdie[1]);
2062 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
2063 assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
2064 return -1;
2065 }
2066
2067 return 0;
2068 }
2069
2070
ft_validate_ftie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_ftie)2071 static int ft_validate_ftie(struct wpa_sm *sm,
2072 const unsigned char *src_addr,
2073 struct wpa_eapol_ie_parse *ie,
2074 const u8 *assoc_resp_ftie)
2075 {
2076 if (ie->ftie == NULL) {
2077 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2078 "FT: No FTIE in EAPOL-Key msg 3/4");
2079 return -1;
2080 }
2081
2082 if (assoc_resp_ftie == NULL)
2083 return 0;
2084
2085 if (assoc_resp_ftie[1] != ie->ftie[1] ||
2086 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
2087 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
2088 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
2089 ie->ftie, 2 + ie->ftie[1]);
2090 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
2091 assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
2092 return -1;
2093 }
2094
2095 return 0;
2096 }
2097
2098
ft_validate_rsnie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2099 static int ft_validate_rsnie(struct wpa_sm *sm,
2100 const unsigned char *src_addr,
2101 struct wpa_eapol_ie_parse *ie)
2102 {
2103 struct wpa_ie_data rsn;
2104
2105 if (!ie->rsn_ie)
2106 return 0;
2107
2108 /*
2109 * Verify that PMKR1Name from EAPOL-Key message 3/4
2110 * matches with the value we derived.
2111 */
2112 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
2113 rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
2114 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
2115 "FT 4-way handshake message 3/4");
2116 return -1;
2117 }
2118
2119 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
2120 {
2121 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2122 "FT: PMKR1Name mismatch in "
2123 "FT 4-way handshake message 3/4");
2124 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
2125 rsn.pmkid, WPA_PMK_NAME_LEN);
2126 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2127 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2128 return -1;
2129 }
2130
2131 return 0;
2132 }
2133
2134
wpa_supplicant_validate_ie_ft(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2135 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
2136 const unsigned char *src_addr,
2137 struct wpa_eapol_ie_parse *ie)
2138 {
2139 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
2140
2141 if (sm->assoc_resp_ies) {
2142 pos = sm->assoc_resp_ies;
2143 end = pos + sm->assoc_resp_ies_len;
2144 while (end - pos > 2) {
2145 if (2 + pos[1] > end - pos)
2146 break;
2147 switch (*pos) {
2148 case WLAN_EID_MOBILITY_DOMAIN:
2149 mdie = pos;
2150 break;
2151 case WLAN_EID_FAST_BSS_TRANSITION:
2152 ftie = pos;
2153 break;
2154 }
2155 pos += 2 + pos[1];
2156 }
2157 }
2158
2159 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
2160 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
2161 ft_validate_rsnie(sm, src_addr, ie) < 0)
2162 return -1;
2163
2164 return 0;
2165 }
2166
2167 #endif /* CONFIG_IEEE80211R */
2168
2169
wpa_supplicant_validate_ie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2170 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
2171 const unsigned char *src_addr,
2172 struct wpa_eapol_ie_parse *ie)
2173 {
2174 #ifdef CONFIG_DRIVER_NL80211_HISI
2175 struct wpa_supplicant *wpa_s =NULL;
2176 struct i802_bss *bss = NULL;
2177 #endif /* CONFIG_DRIVER_NL80211_HISI */
2178
2179 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
2180 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2181 "WPA: No WPA/RSN IE for this AP known. "
2182 "Trying to get from scan results");
2183 if (wpa_sm_get_beacon_ie(sm) < 0) {
2184 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2185 "WPA: Could not find AP from "
2186 "the scan results");
2187 return -1;
2188 }
2189 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
2190 "WPA: Found the current AP from updated scan results");
2191 }
2192
2193 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
2194 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
2195 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
2196 "with IE in Beacon/ProbeResp (no IE?)",
2197 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2198 ie->rsn_ie, ie->rsn_ie_len);
2199 return -1;
2200 }
2201
2202 #ifdef CONFIG_DRIVER_NL80211_HISI
2203 /* skip 3/4 handshake match in when sta is wlan1 */
2204 wpa_s = sm->ctx->ctx;
2205 if (wpa_s != NULL && os_strncmp(wpa_s->ifname, "wlan1", strlen("wlan1")) == 0) {
2206 bss = (struct i802_bss *)wpa_s->drv_priv;
2207 if (bss != NULL && bss->drv != NULL && bss->drv->nlmode == NL80211_IFTYPE_STATION) {
2208 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "validate_ie skip sta wlan1 3/4 match");
2209 return 0;
2210 }
2211 }
2212 #endif /* CONFIG_DRIVER_NL80211_HISI */
2213
2214 #ifdef CONFIG_MAGICLINK_PC
2215 if (sm->legacyGO == 0) {
2216 #endif /* CONFIG_MAGICLINK_PC */
2217 if ((ie->wpa_ie && sm->ap_wpa_ie &&
2218 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
2219 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
2220 (ie->rsn_ie && sm->ap_rsn_ie &&
2221 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2222 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
2223 ie->rsn_ie, ie->rsn_ie_len))) {
2224 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
2225 "with IE in Beacon/ProbeResp",
2226 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2227 ie->rsn_ie, ie->rsn_ie_len);
2228 return -1;
2229 }
2230 #ifdef CONFIG_MAGICLINK_PC
2231 }
2232 #endif /* CONFIG_MAGICLINK_PC */
2233
2234 if (sm->proto == WPA_PROTO_WPA &&
2235 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
2236 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
2237 "detected - RSN was enabled and RSN IE "
2238 "was in msg 3/4, but not in "
2239 "Beacon/ProbeResp",
2240 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2241 ie->rsn_ie, ie->rsn_ie_len);
2242 return -1;
2243 }
2244
2245 if (sm->proto == WPA_PROTO_RSN &&
2246 ((sm->ap_rsnxe && !ie->rsnxe) ||
2247 (!sm->ap_rsnxe && ie->rsnxe) ||
2248 (sm->ap_rsnxe && ie->rsnxe &&
2249 (sm->ap_rsnxe_len != ie->rsnxe_len ||
2250 os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) {
2251 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2252 "WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2253 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
2254 sm->ap_rsnxe, sm->ap_rsnxe_len);
2255 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
2256 ie->rsnxe, ie->rsnxe_len);
2257 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2258 return -1;
2259 }
2260
2261 #ifdef CONFIG_IEEE80211R
2262 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
2263 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
2264 return -1;
2265 #endif /* CONFIG_IEEE80211R */
2266
2267 return 0;
2268 }
2269
2270
2271 /**
2272 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
2273 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2274 * @dst: Destination address for the frame
2275 * @key: Pointer to the EAPOL-Key frame header
2276 * @ver: Version bits from EAPOL-Key Key Info
2277 * @key_info: Key Info
2278 * @ptk: PTK to use for keyed hash and encryption
2279 * Returns: >= 0 on success, < 0 on failure
2280 */
wpa_supplicant_send_4_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,u16 ver,u16 key_info,struct wpa_ptk * ptk)2281 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
2282 const struct wpa_eapol_key *key,
2283 u16 ver, u16 key_info,
2284 struct wpa_ptk *ptk)
2285 {
2286 size_t mic_len, hdrlen, rlen;
2287 struct wpa_eapol_key *reply;
2288 u8 *rbuf, *key_mic;
2289 u8 *kde = NULL;
2290 size_t kde_len = 0, extra_len = 0;
2291 #ifdef CONFIG_TESTING_OPTIONS
2292 size_t pad_len = 0;
2293 #endif /* CONFIG_TESTING_OPTIONS */
2294
2295 if (sm->mlo.valid_links) {
2296 u8 *pos;
2297
2298 kde = os_malloc(RSN_SELECTOR_LEN + ETH_ALEN + 2);
2299 if (!kde)
2300 return -1;
2301
2302 /* Add MAC KDE */
2303 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 4/4");
2304 pos = kde;
2305 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
2306 ETH_ALEN);
2307 kde_len = pos - kde;
2308 }
2309
2310 #ifdef CONFIG_TESTING_OPTIONS
2311 if (sm->test_eapol_m4_elems)
2312 extra_len = wpabuf_len(sm->test_eapol_m4_elems);
2313 if (sm->encrypt_eapol_m4) {
2314 pad_len = (kde_len + extra_len) % 8;
2315 if (pad_len)
2316 pad_len = 8 - pad_len;
2317 extra_len += pad_len + 8;
2318 }
2319 #endif /* CONFIG_TESTING_OPTIONS */
2320
2321 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2322 hdrlen = sizeof(*reply) + mic_len + 2;
2323 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
2324 hdrlen + kde_len + extra_len, &rlen,
2325 (void *) &reply);
2326 if (!rbuf) {
2327 os_free(kde);
2328 wpa_printf(MSG_INFO, "wpa alloc eapol failed");
2329 return -1;
2330 }
2331
2332 reply->type = (sm->proto == WPA_PROTO_RSN ||
2333 sm->proto == WPA_PROTO_OSEN) ?
2334 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2335 key_info &= WPA_KEY_INFO_SECURE;
2336 key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
2337 if (mic_len)
2338 key_info |= WPA_KEY_INFO_MIC;
2339 else
2340 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2341 #ifdef CONFIG_TESTING_OPTIONS
2342 if (sm->encrypt_eapol_m4)
2343 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2344 #endif /* CONFIG_TESTING_OPTIONS */
2345 WPA_PUT_BE16(reply->key_info, key_info);
2346 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
2347 WPA_PUT_BE16(reply->key_length, 0);
2348 else
2349 os_memcpy(reply->key_length, key->key_length, 2);
2350 os_memcpy(reply->replay_counter, key->replay_counter,
2351 WPA_REPLAY_COUNTER_LEN);
2352
2353 key_mic = (u8 *) (reply + 1);
2354 /* Key Data length */
2355 WPA_PUT_BE16(key_mic + mic_len, kde_len + extra_len);
2356 if (kde) {
2357 os_memcpy(key_mic + mic_len + 2, kde, kde_len); /* Key Data */
2358 os_free(kde);
2359 }
2360
2361 #ifdef CONFIG_TESTING_OPTIONS
2362 if (sm->test_eapol_m4_elems) {
2363 os_memcpy(key_mic + mic_len + 2 + kde_len,
2364 wpabuf_head(sm->test_eapol_m4_elems),
2365 wpabuf_len(sm->test_eapol_m4_elems));
2366 }
2367
2368 if (sm->encrypt_eapol_m4) {
2369 u8 *plain;
2370 size_t plain_len;
2371
2372 if (sm->test_eapol_m4_elems)
2373 extra_len = wpabuf_len(sm->test_eapol_m4_elems);
2374 else
2375 extra_len = 0;
2376 plain_len = kde_len + extra_len + pad_len;
2377 plain = os_memdup(key_mic + mic_len + 2, plain_len);
2378 if (!plain) {
2379 os_free(rbuf);
2380 return -1;
2381 }
2382 if (pad_len)
2383 plain[plain_len - pad_len] = 0xdd;
2384
2385 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK",
2386 ptk->kek, ptk->kek_len);
2387 if (aes_wrap(ptk->kek, ptk->kek_len, plain_len / 8, plain,
2388 key_mic + mic_len + 2)) {
2389 os_free(plain);
2390 os_free(rbuf);
2391 return -1;
2392 }
2393 wpa_hexdump(MSG_DEBUG,
2394 "RSN: Encrypted Key Data from AES-WRAP",
2395 key_mic + mic_len + 2, plain_len + 8);
2396 os_free(plain);
2397 }
2398 #endif /* CONFIG_TESTING_OPTIONS */
2399
2400 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
2401 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
2402 key_mic);
2403 }
2404
2405
wpa_supplicant_validate_link_kde(struct wpa_sm * sm,u8 link_id,const u8 * link_kde,size_t link_kde_len)2406 static int wpa_supplicant_validate_link_kde(struct wpa_sm *sm, u8 link_id,
2407 const u8 *link_kde,
2408 size_t link_kde_len)
2409 {
2410 size_t rsne_len = 0, rsnxe_len = 0;
2411 const u8 *rsne = NULL, *rsnxe = NULL;
2412
2413 if (!link_kde ||
2414 link_kde_len < RSN_MLO_LINK_KDE_LINK_MAC_INDEX + ETH_ALEN) {
2415 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2416 "RSN: MLO Link KDE is not found for link ID %d",
2417 link_id);
2418 return -1;
2419 }
2420
2421 if (!ether_addr_equal(sm->mlo.links[link_id].bssid,
2422 &link_kde[RSN_MLO_LINK_KDE_LINK_MAC_INDEX])) {
2423 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2424 "RSN: MLO Link %u MAC address (" MACSTR
2425 ") not matching association response (" MACSTR ")",
2426 link_id,
2427 MAC2STR(&link_kde[RSN_MLO_LINK_KDE_LINK_MAC_INDEX]),
2428 MAC2STR(sm->mlo.links[link_id].bssid));
2429 return -1;
2430 }
2431
2432 if (link_kde[0] & RSN_MLO_LINK_KDE_LI_RSNE_INFO) {
2433 rsne = link_kde + RSN_MLO_LINK_KDE_FIXED_LENGTH;
2434 if (link_kde_len < RSN_MLO_LINK_KDE_FIXED_LENGTH + 2 ||
2435 link_kde_len <
2436 (size_t) (RSN_MLO_LINK_KDE_FIXED_LENGTH + 2 + rsne[1])) {
2437 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2438 "RSN: No room for link %u RSNE in MLO Link KDE",
2439 link_id);
2440 return -1;
2441 }
2442
2443 rsne_len = rsne[1] + 2;
2444 }
2445
2446 if (!rsne) {
2447 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2448 "RSN: RSNE not present in MLO Link %u KDE", link_id);
2449 return -1;
2450 }
2451
2452 if (link_kde[0] & RSN_MLO_LINK_KDE_LI_RSNXE_INFO) {
2453 rsnxe = link_kde + RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len;
2454 if (link_kde_len <
2455 (RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len + 2) ||
2456 link_kde_len <
2457 (RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len + 2 + rsnxe[1])) {
2458 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2459 "RSN: No room for link %u RSNXE in MLO Link KDE",
2460 link_id);
2461 return -1;
2462 }
2463
2464 rsnxe_len = rsnxe[1] + 2;
2465 }
2466
2467 if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2468 sm->mlo.links[link_id].ap_rsne,
2469 sm->mlo.links[link_id].ap_rsne_len,
2470 rsne, rsne_len)) {
2471 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2472 "RSN MLO: IE in 3/4 msg does not match with IE in Beacon/ProbeResp for link ID %u",
2473 link_id);
2474 wpa_hexdump(MSG_INFO, "RSNE in Beacon/ProbeResp",
2475 sm->mlo.links[link_id].ap_rsne,
2476 sm->mlo.links[link_id].ap_rsne_len);
2477 wpa_hexdump(MSG_INFO, "RSNE in EAPOL-Key msg 3/4",
2478 rsne, rsne_len);
2479 return -1;
2480 }
2481
2482 if ((sm->mlo.links[link_id].ap_rsnxe && !rsnxe) ||
2483 (!sm->mlo.links[link_id].ap_rsnxe && rsnxe) ||
2484 (sm->mlo.links[link_id].ap_rsnxe && rsnxe &&
2485 (sm->mlo.links[link_id].ap_rsnxe_len != rsnxe_len ||
2486 os_memcmp(sm->mlo.links[link_id].ap_rsnxe, rsnxe,
2487 sm->mlo.links[link_id].ap_rsnxe_len) != 0))) {
2488 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2489 "RSN MLO: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4 for link ID %u",
2490 link_id);
2491 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
2492 sm->mlo.links[link_id].ap_rsnxe,
2493 sm->mlo.links[link_id].ap_rsnxe_len);
2494 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
2495 rsnxe, rsnxe_len);
2496 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2497 return -1;
2498 }
2499
2500 return 0;
2501 }
2502
2503
wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm * sm,u8 link_id,struct wpa_eapol_ie_parse * ie)2504 static int wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm *sm,
2505 u8 link_id,
2506 struct wpa_eapol_ie_parse *ie)
2507 {
2508 if (ie->mlo_igtk[link_id] &&
2509 ie->mlo_igtk_len[link_id] != RSN_MLO_IGTK_KDE_PREFIX_LENGTH +
2510 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2511 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2512 "RSN MLO: Invalid IGTK KDE length %lu for link ID %u",
2513 (unsigned long) ie->mlo_igtk_len[link_id], link_id);
2514 return -1;
2515 }
2516
2517 if (!sm->beacon_prot)
2518 return 0;
2519
2520 if (ie->mlo_bigtk[link_id] &&
2521 ie->mlo_bigtk_len[link_id] != RSN_MLO_BIGTK_KDE_PREFIX_LENGTH +
2522 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2523 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2524 "RSN MLO: Invalid BIGTK KDE length %lu for link ID %u",
2525 (unsigned long) ie->mlo_bigtk_len[link_id], link_id);
2526 return -1;
2527 }
2528
2529 return 0;
2530 }
2531
2532
wpa_supplicant_process_3_of_4_wpa(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)2533 static void wpa_supplicant_process_3_of_4_wpa(struct wpa_sm *sm,
2534 const struct wpa_eapol_key *key,
2535 u16 ver, const u8 *key_data,
2536 size_t key_data_len)
2537 {
2538 u16 key_info, keylen;
2539 struct wpa_eapol_ie_parse ie;
2540
2541 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
2542 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2543 "WPA: RX message 3 of 4-Way Handshake from " MACSTR
2544 " (ver=%d)", MAC2STR(sm->bssid), ver);
2545
2546 key_info = WPA_GET_BE16(key->key_info);
2547
2548 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
2549 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) {
2550 wpa_printf(MSG_INFO, "wpa supplicant parse ies failed");
2551 goto failed;
2552 }
2553
2554 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
2555 goto failed;
2556
2557 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2558 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2559 "WPA: ANonce from message 1 of 4-Way Handshake differs from 3 of 4-Way Handshake - drop packet (src="
2560 MACSTR ")", MAC2STR(sm->bssid));
2561 goto failed;
2562 }
2563
2564 keylen = WPA_GET_BE16(key->key_length);
2565 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
2566 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2567 "WPA: Invalid %s key length %d (src=" MACSTR ")",
2568 wpa_cipher_txt(sm->pairwise_cipher), keylen,
2569 MAC2STR(sm->bssid));
2570 goto failed;
2571 }
2572
2573 if (wpa_supplicant_send_4_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
2574 key_info, &sm->ptk) < 0) {
2575 wpa_printf(MSG_INFO, "wpa supplicant send 4 of 4 failed");
2576 goto failed;
2577 }
2578
2579 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
2580 * for the next 4-Way Handshake. If msg 3 is received again, the old
2581 * SNonce will still be used to avoid changing PTK. */
2582 sm->renew_snonce = 1;
2583
2584 if ((key_info & WPA_KEY_INFO_INSTALL) &&
2585 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX_TX))
2586 goto failed;
2587
2588 if (key_info & WPA_KEY_INFO_SECURE) {
2589 wpa_sm_mlme_setprotection(
2590 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2591 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
2592 eapol_sm_notify_portValid(sm->eapol, true);
2593 }
2594 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2595
2596 sm->msg_3_of_4_ok = 1;
2597 return;
2598
2599 failed:
2600 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2601 }
2602
2603
wpa_supplicant_process_3_of_4(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)2604 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
2605 const struct wpa_eapol_key *key,
2606 u16 ver, const u8 *key_data,
2607 size_t key_data_len)
2608 {
2609 u16 key_info, keylen;
2610 struct wpa_eapol_ie_parse ie;
2611 bool mlo = sm->mlo.valid_links;
2612 int i;
2613
2614 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
2615 #ifdef CONFIG_P2P_CHR
2616 wpa_supplicant_upload_p2p_state(sm->ctx->ctx, P2P_INTERFACE_STATE_4WAY_HANDSHAKE_3,
2617 P2P_CHR_DEFAULT_REASON_CODE, P2P_CHR_DEFAULT_REASON_CODE);
2618 #endif
2619 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2620 "RSN: RX message 3 of 4-Way Handshake from " MACSTR
2621 " (ver=%d)%s", MAC2STR(sm->bssid), ver, mlo ? " (MLO)" : "");
2622
2623 key_info = WPA_GET_BE16(key->key_info);
2624
2625 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
2626 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
2627 goto failed;
2628
2629 if (sm->ssid_protection) {
2630 if (!ie.ssid) {
2631 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2632 "RSN: No SSID included in EAPOL-Key msg 3/4");
2633 goto failed;
2634 }
2635
2636 if (ie.ssid_len != sm->ssid_len ||
2637 os_memcmp(ie.ssid, sm->ssid, sm->ssid_len) != 0) {
2638 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2639 "RSN: SSID mismatch in EAPOL-Key msg 3/4");
2640 wpa_hexdump_ascii(MSG_DEBUG, "RSN: Received SSID",
2641 ie.ssid, ie.ssid_len);
2642 wpa_hexdump_ascii(MSG_DEBUG, "RSN: Expected SSID",
2643 sm->ssid, sm->ssid_len);
2644 goto failed;
2645 }
2646
2647 wpa_sm_ssid_verified(sm);
2648 }
2649
2650 if (mlo && !ie.valid_mlo_gtks) {
2651 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2652 "MLO RSN: No GTK KDE included in EAPOL-Key msg 3/4");
2653 goto failed;
2654 }
2655 if (mlo &&
2656 (key_info &
2657 (WPA_KEY_INFO_ENCR_KEY_DATA | WPA_KEY_INFO_INSTALL |
2658 WPA_KEY_INFO_SECURE)) !=
2659 (WPA_KEY_INFO_ENCR_KEY_DATA | WPA_KEY_INFO_INSTALL |
2660 WPA_KEY_INFO_SECURE)) {
2661 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2662 "RSN MLO: Invalid key info (0x%x) in EAPOL-Key msg 3/4",
2663 key_info);
2664 goto failed;
2665 }
2666
2667 if (mlo && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) {
2668 wpa_printf(MSG_INFO, "RSN: Invalid AP MLD MAC address KDE");
2669 goto failed;
2670 }
2671
2672 for (i = 0; mlo && i < MAX_NUM_MLD_LINKS; i++) {
2673 if (!(sm->mlo.req_links & BIT(i)))
2674 continue;
2675
2676 if (wpa_supplicant_validate_link_kde(sm, i, ie.mlo_link[i],
2677 ie.mlo_link_len[i]) < 0)
2678 goto failed;
2679
2680 if (!(sm->mlo.valid_links & BIT(i)))
2681 continue;
2682
2683 if (!ie.mlo_gtk[i]) {
2684 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2685 "RSN: GTK not found for link ID %u", i);
2686 goto failed;
2687 }
2688
2689 if (sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
2690 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
2691 wpa_validate_mlo_ieee80211w_kdes(sm, i, &ie) < 0) {
2692 wpa_printf(MSG_INFO, "wpa cipher valid mgmt group or wpa validate mlo ieee80211w kdes failed");
2693 goto failed;
2694 }
2695 }
2696
2697 #ifdef CONFIG_IEEE80211R
2698 if (mlo && wpa_key_mgmt_ft(sm->key_mgmt) &&
2699 wpa_supplicant_validate_ie_ft(sm, sm->bssid, &ie) < 0)
2700 goto failed;
2701 #endif /* CONFIG_IEEE80211R */
2702
2703 if (!mlo && ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2704 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2705 "WPA: GTK IE in unencrypted key data");
2706 goto failed;
2707 }
2708 if (!mlo && ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2709 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2710 "WPA: IGTK KDE in unencrypted key data");
2711 goto failed;
2712 }
2713
2714 if (!mlo && ie.igtk &&
2715 sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
2716 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
2717 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
2718 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2719 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2720 "WPA: Invalid IGTK KDE length %lu",
2721 (unsigned long) ie.igtk_len);
2722 goto failed;
2723 }
2724
2725 if (!mlo && wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0) {
2726 wpa_printf(MSG_INFO, "wpa supplicant validate ie failed");
2727 goto failed;
2728 }
2729
2730 if (wpa_handle_ext_key_id(sm, &ie)) {
2731 wpa_printf(MSG_INFO, "wpa handle ext key id failed");
2732 goto failed;
2733 }
2734
2735 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2736 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2737 "WPA: ANonce from message 1 of 4-Way Handshake "
2738 "differs from 3 of 4-Way Handshake - drop packet (src="
2739 MACSTR ")", MAC2STR(sm->bssid));
2740 goto failed;
2741 }
2742
2743 keylen = WPA_GET_BE16(key->key_length);
2744 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
2745 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2746 "WPA: Invalid %s key length %d (src=" MACSTR
2747 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
2748 MAC2STR(sm->bssid));
2749 goto failed;
2750 }
2751
2752 #ifdef CONFIG_P2P
2753 if (ie.ip_addr_alloc) {
2754 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
2755 wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
2756 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
2757 }
2758 #endif /* CONFIG_P2P */
2759
2760 #ifdef CONFIG_OCV
2761 if (wpa_sm_ocv_enabled(sm)) {
2762 struct wpa_channel_info ci;
2763
2764 if (wpa_sm_channel_info(sm, &ci) != 0) {
2765 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2766 "Failed to get channel info to validate received OCI in EAPOL-Key 3/4");
2767 return;
2768 }
2769
2770 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
2771 channel_width_to_int(ci.chanwidth),
2772 ci.seg1_idx) != OCI_SUCCESS) {
2773 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
2774 "addr=" MACSTR " frame=eapol-key-m3 error=%s",
2775 MAC2STR(sm->bssid), ocv_errorstr);
2776 return;
2777 }
2778 }
2779 #endif /* CONFIG_OCV */
2780
2781 #ifdef CONFIG_DPP2
2782 if (DPP_VERSION > 1 && ie.dpp_kde) {
2783 wpa_printf(MSG_DEBUG,
2784 "DPP: peer Protocol Version %u Flags 0x%x",
2785 ie.dpp_kde[0], ie.dpp_kde[1]);
2786 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_pfs != 2 &&
2787 (ie.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && !sm->dpp_z) {
2788 wpa_printf(MSG_INFO,
2789 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
2790 goto failed;
2791 }
2792 }
2793 #endif /* CONFIG_DPP2 */
2794
2795 if (sm->use_ext_key_id &&
2796 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX)) {
2797 wpa_printf(MSG_INFO, "wpa supplicant install ptk failed");
2798 goto failed;
2799 }
2800
2801 if (wpa_supplicant_send_4_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
2802 key_info, &sm->ptk) < 0) {
2803 wpa_printf(MSG_INFO, "wpa supplicant send 4 of 4 failed");
2804 goto failed;
2805 }
2806
2807 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
2808 * for the next 4-Way Handshake. If msg 3 is received again, the old
2809 * SNonce will still be used to avoid changing PTK. */
2810 sm->renew_snonce = 1;
2811
2812 if (key_info & WPA_KEY_INFO_INSTALL) {
2813 int res;
2814
2815 if (sm->use_ext_key_id)
2816 res = wpa_supplicant_activate_ptk(sm);
2817 else
2818 res = wpa_supplicant_install_ptk(sm, key,
2819 KEY_FLAG_RX_TX);
2820 if (res)
2821 goto failed;
2822 }
2823
2824 if (key_info & WPA_KEY_INFO_SECURE) {
2825 wpa_sm_mlme_setprotection(
2826 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2827 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
2828 eapol_sm_notify_portValid(sm->eapol, true);
2829 }
2830 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2831 #ifdef CONFIG_P2P_CHR
2832 wpa_supplicant_upload_p2p_state(sm->ctx->ctx, P2P_INTERFACE_STATE_GROUP_HANDSHAKE,
2833 P2P_CHR_DEFAULT_REASON_CODE, P2P_CHR_DEFAULT_REASON_CODE);
2834 #endif
2835 if (mlo) {
2836 if (wpa_supplicant_pairwise_mlo_gtk(sm, key, &ie,
2837 key_info) < 0) {
2838 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2839 "MLO RSN: Failed to configure MLO GTKs");
2840 goto failed;
2841 }
2842 } else if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
2843 /* No GTK to be set to the driver */
2844 } else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) {
2845 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2846 "RSN: No GTK KDE included in EAPOL-Key msg 3/4");
2847 goto failed;
2848 } else if (ie.gtk &&
2849 wpa_supplicant_pairwise_gtk(sm, key,
2850 ie.gtk, ie.gtk_len, key_info) < 0) {
2851 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2852 "RSN: Failed to configure GTK");
2853 goto failed;
2854 }
2855
2856 if ((mlo && mlo_ieee80211w_set_keys(sm, &ie) < 0) ||
2857 (!mlo && ieee80211w_set_keys(sm, &ie) < 0)) {
2858 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2859 "RSN: Failed to configure IGTK");
2860 goto failed;
2861 }
2862
2863 if (mlo || sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk)
2864 wpa_supplicant_key_neg_complete(sm, sm->bssid,
2865 key_info & WPA_KEY_INFO_SECURE);
2866
2867 if (mlo || ie.gtk)
2868 wpa_sm_set_rekey_offload(sm);
2869
2870 /* Add PMKSA cache entry for Suite B AKMs here since PMKID can be
2871 * calculated only after KCK has been derived. Though, do not replace an
2872 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
2873 * to avoid unnecessary changes of PMKID while continuing to use the
2874 * same PMK. */
2875 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
2876 !sm->cur_pmksa) {
2877 struct rsn_pmksa_cache_entry *sa;
2878
2879 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
2880 sm->ptk.kck, sm->ptk.kck_len,
2881 wpa_sm_get_auth_addr(sm), sm->own_addr,
2882 sm->network_ctx, sm->key_mgmt, NULL);
2883 if (!sm->cur_pmksa)
2884 sm->cur_pmksa = sa;
2885 }
2886
2887 if (ie.transition_disable)
2888 wpa_sm_transition_disable(sm, ie.transition_disable[0]);
2889 sm->msg_3_of_4_ok = 1;
2890 return;
2891
2892 failed:
2893 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2894 }
2895
2896
wpa_supplicant_send_2_of_2(struct wpa_sm * sm,const struct wpa_eapol_key * key,int ver,u16 key_info)2897 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
2898 const struct wpa_eapol_key *key,
2899 int ver, u16 key_info)
2900 {
2901 size_t mic_len, hdrlen, rlen;
2902 struct wpa_eapol_key *reply;
2903 u8 *rbuf, *key_mic;
2904 size_t kde_len = 0;
2905
2906 #ifdef CONFIG_TESTING_OPTIONS
2907 if (sm->disable_eapol_g2_tx) {
2908 wpa_printf(MSG_INFO, "TEST: Disable sending EAPOL-Key 2/2");
2909 return 0;
2910 }
2911 #endif /* CONFIG_TESTING_OPTIONS */
2912
2913 #ifdef CONFIG_OCV
2914 if (wpa_sm_ocv_enabled(sm))
2915 kde_len = OCV_OCI_KDE_LEN;
2916 #endif /* CONFIG_OCV */
2917
2918 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2919 hdrlen = sizeof(*reply) + mic_len + 2;
2920 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
2921 hdrlen + kde_len, &rlen, (void *) &reply);
2922 if (rbuf == NULL)
2923 return -1;
2924
2925 reply->type = (sm->proto == WPA_PROTO_RSN ||
2926 sm->proto == WPA_PROTO_OSEN) ?
2927 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2928 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
2929 key_info |= ver | WPA_KEY_INFO_SECURE;
2930 if (mic_len)
2931 key_info |= WPA_KEY_INFO_MIC;
2932 else
2933 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2934 WPA_PUT_BE16(reply->key_info, key_info);
2935 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
2936 WPA_PUT_BE16(reply->key_length, 0);
2937 else
2938 os_memcpy(reply->key_length, key->key_length, 2);
2939 os_memcpy(reply->replay_counter, key->replay_counter,
2940 WPA_REPLAY_COUNTER_LEN);
2941
2942 key_mic = (u8 *) (reply + 1);
2943 WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */
2944
2945 #ifdef CONFIG_OCV
2946 if (wpa_sm_ocv_enabled(sm)) {
2947 struct wpa_channel_info ci;
2948 u8 *pos;
2949
2950 if (wpa_sm_channel_info(sm, &ci) != 0) {
2951 wpa_printf(MSG_WARNING,
2952 "Failed to get channel info for OCI element in EAPOL-Key 2/2");
2953 os_free(rbuf);
2954 return -1;
2955 }
2956 #ifdef CONFIG_TESTING_OPTIONS
2957 if (sm->oci_freq_override_eapol_g2) {
2958 wpa_printf(MSG_INFO,
2959 "TEST: Override OCI KDE frequency %d -> %d MHz",
2960 ci.frequency,
2961 sm->oci_freq_override_eapol_g2);
2962 ci.frequency = sm->oci_freq_override_eapol_g2;
2963 }
2964 #endif /* CONFIG_TESTING_OPTIONS */
2965
2966 pos = key_mic + mic_len + 2; /* Key Data */
2967 if (ocv_insert_oci_kde(&ci, &pos) < 0) {
2968 os_free(rbuf);
2969 return -1;
2970 }
2971 }
2972 #endif /* CONFIG_OCV */
2973
2974 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
2975 return wpa_eapol_key_send(sm, &sm->ptk, ver, wpa_sm_get_auth_addr(sm),
2976 ETH_P_EAPOL, rbuf, rlen, key_mic);
2977 }
2978
2979
wpa_supplicant_process_mlo_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)2980 static void wpa_supplicant_process_mlo_1_of_2(struct wpa_sm *sm,
2981 const unsigned char *src_addr,
2982 const struct wpa_eapol_key *key,
2983 const u8 *key_data,
2984 size_t key_data_len, u16 ver)
2985 {
2986 u16 key_info;
2987 u8 i;
2988 struct wpa_eapol_ie_parse ie;
2989
2990 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
2991 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2992 "MLO RSN: Group Key Handshake started prior to completion of 4-way handshake");
2993 goto failed;
2994 }
2995
2996 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "MLO RSN: RX message 1 of Group "
2997 "Key Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr),
2998 ver);
2999
3000 key_info = WPA_GET_BE16(key->key_info);
3001
3002 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3003
3004 wpa_hexdump_key(MSG_DEBUG, "MLO RSN: msg 1/2 key data", key_data,
3005 key_data_len);
3006 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
3007 goto failed;
3008
3009 if (!ie.valid_mlo_gtks) {
3010 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3011 "MLO RSN: No MLO GTK KDE in Group Key msg 1/2");
3012 goto failed;
3013 }
3014
3015 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3016 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3017 "MLO RSN: MLO GTK KDE in unencrypted key data");
3018 goto failed;
3019 }
3020
3021 #ifdef CONFIG_OCV
3022 if (wpa_sm_ocv_enabled(sm)) {
3023 struct wpa_channel_info ci;
3024
3025 if (wpa_sm_channel_info(sm, &ci) != 0) {
3026 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3027 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
3028 goto failed;
3029 }
3030
3031 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
3032 channel_width_to_int(ci.chanwidth),
3033 ci.seg1_idx) != OCI_SUCCESS) {
3034 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
3035 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
3036 MAC2STR(sm->bssid), ocv_errorstr);
3037 goto failed;
3038 }
3039 }
3040 #endif /* CONFIG_OCV */
3041
3042 if (mlo_ieee80211w_set_keys(sm, &ie) < 0)
3043 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3044 "MLO RSN: Failed to configure MLO IGTK");
3045
3046 for_each_link(sm->mlo.valid_links, i) {
3047 /*
3048 * AP may send group keys for subset of the all links during
3049 * rekey
3050 */
3051 if (!ie.mlo_gtk[i])
3052 continue;
3053
3054 if (wpa_supplicant_mlo_gtk(sm, i, ie.mlo_gtk[i],
3055 ie.mlo_gtk_len[i], key_info))
3056 goto failed;
3057 }
3058
3059 if (wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
3060 goto failed;
3061
3062 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "MLO RSN: Group rekeying completed "
3063 "with " MACSTR " [GTK=%s]", MAC2STR(sm->mlo.ap_mld_addr),
3064 wpa_cipher_txt(sm->group_cipher));
3065 wpa_sm_cancel_auth_timeout(sm);
3066 wpa_sm_set_state(sm, WPA_COMPLETED);
3067
3068 wpa_sm_set_rekey_offload(sm);
3069
3070 return;
3071
3072 failed:
3073 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3074 }
3075
3076
wpa_supplicant_process_1_of_2_wpa(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)3077 static void wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
3078 const unsigned char *src_addr,
3079 const struct wpa_eapol_key *key,
3080 const u8 *key_data,
3081 size_t key_data_len, u16 ver)
3082 {
3083 u16 key_info;
3084 int rekey;
3085 struct wpa_gtk_data gd;
3086 const u8 *key_rsc;
3087 size_t maxkeylen;
3088 u16 gtk_len;
3089
3090 if (!sm->msg_3_of_4_ok) {
3091 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3092 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
3093 goto failed;
3094 }
3095
3096 os_memset(&gd, 0, sizeof(gd));
3097
3098 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
3099 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3100 "WPA: RX message 1 of Group Key Handshake from " MACSTR
3101 " (ver=%d)", MAC2STR(src_addr), ver);
3102
3103 key_info = WPA_GET_BE16(key->key_info);
3104
3105 gtk_len = WPA_GET_BE16(key->key_length);
3106 maxkeylen = key_data_len;
3107 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3108 if (maxkeylen < 8) {
3109 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3110 "WPA: Too short maxkeylen (%lu)",
3111 (unsigned long) maxkeylen);
3112 goto failed;
3113 }
3114 maxkeylen -= 8;
3115 }
3116
3117 if (gtk_len > maxkeylen ||
3118 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3119 gtk_len, maxkeylen,
3120 &gd.key_rsc_len, &gd.alg))
3121 goto failed;
3122
3123 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3124
3125 gd.gtk_len = gtk_len;
3126 gd.keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
3127 WPA_KEY_INFO_KEY_INDEX_SHIFT;
3128 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
3129 #if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS)
3130 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3131 "WPA: RC4 not supported in the build");
3132 goto failed;
3133 #else /* CONFIG_NO_RC4 || CONFIG_FIPS */
3134 u8 ek[32];
3135 if (key_data_len > sizeof(gd.gtk)) {
3136 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3137 "WPA: RC4 key data too long (%lu)",
3138 (unsigned long) key_data_len);
3139 goto failed;
3140 }
3141 os_memcpy(ek, key->key_iv, 16);
3142 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
3143 os_memcpy(gd.gtk, key_data, key_data_len);
3144 if (rc4_skip(ek, 32, 256, gd.gtk, key_data_len)) {
3145 forced_memzero(ek, sizeof(ek));
3146 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
3147 "WPA: RC4 failed");
3148 goto failed;
3149 }
3150 forced_memzero(ek, sizeof(ek));
3151 #endif /* CONFIG_NO_RC4 || CONFIG_FIPS */
3152 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3153 if (maxkeylen % 8) {
3154 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3155 "WPA: Unsupported AES-WRAP len %lu",
3156 (unsigned long) maxkeylen);
3157 goto failed;
3158 }
3159 if (maxkeylen > sizeof(gd.gtk)) {
3160 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3161 "WPA: AES-WRAP key data "
3162 "too long (keydatalen=%lu maxkeylen=%lu)",
3163 (unsigned long) key_data_len,
3164 (unsigned long) maxkeylen);
3165 goto failed;
3166 }
3167 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
3168 key_data, gd.gtk)) {
3169 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3170 "WPA: AES unwrap failed - could not decrypt "
3171 "GTK");
3172 goto failed;
3173 }
3174 } else {
3175 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3176 "WPA: Unsupported key_info type %d", ver);
3177 goto failed;
3178 }
3179 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
3180 sm, !!(key_info & WPA_KEY_INFO_TXRX));
3181
3182 key_rsc = key->key_rsc;
3183 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
3184 key_rsc = null_rsc;
3185
3186 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
3187 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
3188 goto failed;
3189 forced_memzero(&gd, sizeof(gd));
3190
3191 if (rekey) {
3192 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3193 "WPA: Group rekeying completed with " MACSTR
3194 " [GTK=%s]",
3195 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
3196 wpa_sm_cancel_auth_timeout(sm);
3197 wpa_sm_set_state(sm, WPA_COMPLETED);
3198 } else {
3199 wpa_supplicant_key_neg_complete(sm, sm->bssid,
3200 key_info & WPA_KEY_INFO_SECURE);
3201 }
3202
3203 wpa_sm_set_rekey_offload(sm);
3204
3205 return;
3206
3207 failed:
3208 forced_memzero(&gd, sizeof(gd));
3209 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3210 }
3211
3212
wpa_supplicant_process_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)3213 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
3214 const unsigned char *src_addr,
3215 const struct wpa_eapol_key *key,
3216 const u8 *key_data,
3217 size_t key_data_len, u16 ver)
3218 {
3219 u16 key_info;
3220 struct wpa_gtk_data gd;
3221 const u8 *key_rsc;
3222 int maxkeylen;
3223 struct wpa_eapol_ie_parse ie;
3224 u16 gtk_len;
3225
3226 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
3227 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3228 "RSN: Group Key Handshake started prior to completion of 4-way handshake");
3229 goto failed;
3230 }
3231
3232 os_memset(&gd, 0, sizeof(gd));
3233
3234 wpa_msg_only_for_cb(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key "
3235 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
3236 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of Group Key "
3237 "Handshake from " MACSTR_SEC " (ver=%d)", MAC2STR_SEC(src_addr), ver);
3238
3239 key_info = WPA_GET_BE16(key->key_info);
3240
3241 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
3242 key_data, key_data_len);
3243 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
3244 goto failed;
3245
3246 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3247
3248 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3249 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3250 "RSN: GTK KDE in unencrypted key data");
3251 goto failed;
3252 }
3253 if (!ie.gtk) {
3254 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3255 "RSN: No GTK KDE in Group Key msg 1/2");
3256 goto failed;
3257 }
3258 gtk_len = ie.gtk_len;
3259 if (gtk_len < 2) {
3260 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3261 "RSN: Invalid GTK KDE length (%u) in Group Key msg 1/2",
3262 gtk_len);
3263 goto failed;
3264 }
3265 gtk_len -= 2;
3266 if (gtk_len > sizeof(gd.gtk)) {
3267 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3268 "RSN: Too long GTK in GTK KDE (len=%u)", gtk_len);
3269 goto failed;
3270 }
3271 maxkeylen = gd.gtk_len = gtk_len;
3272
3273 #ifdef CONFIG_OCV
3274 if (wpa_sm_ocv_enabled(sm)) {
3275 struct wpa_channel_info ci;
3276
3277 if (wpa_sm_channel_info(sm, &ci) != 0) {
3278 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3279 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
3280 goto failed;
3281 }
3282
3283 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
3284 channel_width_to_int(ci.chanwidth),
3285 ci.seg1_idx) != OCI_SUCCESS) {
3286 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
3287 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
3288 MAC2STR(sm->bssid), ocv_errorstr);
3289 goto failed;
3290 }
3291 }
3292 #endif /* CONFIG_OCV */
3293
3294 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3295 gtk_len, maxkeylen,
3296 &gd.key_rsc_len, &gd.alg))
3297 goto failed;
3298
3299 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
3300 ie.gtk, 2 + gtk_len);
3301 gd.keyidx = ie.gtk[0] & 0x3;
3302 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
3303 !!(ie.gtk[0] & BIT(2)));
3304 os_memcpy(gd.gtk, ie.gtk + 2, gtk_len);
3305
3306 if (ieee80211w_set_keys(sm, &ie) < 0)
3307 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3308 "RSN: Failed to configure IGTK");
3309
3310 key_rsc = key->key_rsc;
3311 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
3312 key_rsc = null_rsc;
3313
3314 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
3315 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
3316 goto failed;
3317 forced_memzero(&gd, sizeof(gd));
3318
3319 wpa_msg_only_for_cb(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying "
3320 "completed with " MACSTR " [GTK=%s]",
3321 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
3322 wpa_printf(MSG_INFO, "WPA: Group rekeying "
3323 "completed with " MACSTR_SEC " [GTK=%s]",
3324 MAC2STR_SEC(sm->bssid), wpa_cipher_txt(sm->group_cipher));
3325 wpa_sm_cancel_auth_timeout(sm);
3326 wpa_sm_set_state(sm, WPA_COMPLETED);
3327
3328 wpa_sm_set_rekey_offload(sm);
3329
3330 return;
3331
3332 failed:
3333 forced_memzero(&gd, sizeof(gd));
3334 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3335 }
3336
3337
wpa_supplicant_verify_eapol_key_mic(struct wpa_sm * sm,struct wpa_eapol_key * key,u16 ver,const u8 * buf,size_t len)3338 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
3339 struct wpa_eapol_key *key,
3340 u16 ver,
3341 const u8 *buf, size_t len)
3342 {
3343 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
3344 int ok = 0;
3345 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
3346
3347 os_memcpy(mic, key + 1, mic_len);
3348 if (sm->tptk_set) {
3349 os_memset(key + 1, 0, mic_len);
3350 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
3351 sm->key_mgmt,
3352 ver, buf, len, (u8 *) (key + 1)) < 0 ||
3353 os_memcmp_const(mic, key + 1, mic_len) != 0) {
3354 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3355 "WPA: Invalid EAPOL-Key MIC "
3356 "when using TPTK - ignoring TPTK");
3357 #ifdef TEST_FUZZ
3358 wpa_printf(MSG_INFO,
3359 "TEST: Ignore Key MIC failure for fuzz testing");
3360 goto continue_fuzz;
3361 #endif /* TEST_FUZZ */
3362 } else {
3363 #ifdef TEST_FUZZ
3364 continue_fuzz:
3365 #endif /* TEST_FUZZ */
3366 ok = 1;
3367 sm->tptk_set = 0;
3368 sm->ptk_set = 1;
3369 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
3370 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3371 /*
3372 * This assures the same TPTK in sm->tptk can never be
3373 * copied twice to sm->ptk as the new PTK. In
3374 * combination with the installed flag in the wpa_ptk
3375 * struct, this assures the same PTK is only installed
3376 * once.
3377 */
3378 sm->renew_snonce = 1;
3379 }
3380 }
3381
3382 if (!ok && sm->ptk_set) {
3383 os_memset(key + 1, 0, mic_len);
3384 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
3385 sm->key_mgmt,
3386 ver, buf, len, (u8 *) (key + 1)) < 0 ||
3387 os_memcmp_const(mic, key + 1, mic_len) != 0) {
3388 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3389 "WPA: Invalid EAPOL-Key MIC - "
3390 "dropping packet");
3391 #ifdef TEST_FUZZ
3392 wpa_printf(MSG_INFO,
3393 "TEST: Ignore Key MIC failure for fuzz testing");
3394 goto continue_fuzz2;
3395 #endif /* TEST_FUZZ */
3396 return -1;
3397 }
3398 #ifdef TEST_FUZZ
3399 continue_fuzz2:
3400 #endif /* TEST_FUZZ */
3401 ok = 1;
3402 }
3403
3404 if (!ok) {
3405 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3406 "WPA: Could not verify EAPOL-Key MIC - "
3407 "dropping packet");
3408 return -1;
3409 }
3410
3411 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3412 WPA_REPLAY_COUNTER_LEN);
3413 sm->rx_replay_counter_set = 1;
3414 return 0;
3415 }
3416
3417
3418 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
wpa_supplicant_decrypt_key_data(struct wpa_sm * sm,struct wpa_eapol_key * key,size_t mic_len,u16 ver,u8 * key_data,size_t * key_data_len)3419 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
3420 struct wpa_eapol_key *key,
3421 size_t mic_len, u16 ver,
3422 u8 *key_data, size_t *key_data_len)
3423 {
3424 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
3425 key_data, *key_data_len);
3426 if (!sm->ptk_set) {
3427 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3428 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
3429 "Data");
3430 return -1;
3431 }
3432
3433 /* Decrypt key data here so that this operation does not need
3434 * to be implemented separately for each message type. */
3435 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
3436 #if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS)
3437 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3438 "WPA: RC4 not supported in the build");
3439 return -1;
3440 #else /* CONFIG_NO_RC4 || CONFIG_FIPS */
3441 u8 ek[32];
3442
3443 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
3444 os_memcpy(ek, key->key_iv, 16);
3445 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
3446 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
3447 forced_memzero(ek, sizeof(ek));
3448 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
3449 "WPA: RC4 failed");
3450 return -1;
3451 }
3452 forced_memzero(ek, sizeof(ek));
3453 #endif /* CONFIG_NO_RC4 || CONFIG_FIPS */
3454 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
3455 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
3456 wpa_use_aes_key_wrap(sm->key_mgmt)) {
3457 u8 *buf;
3458
3459 wpa_printf(MSG_DEBUG,
3460 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
3461 (unsigned int) sm->ptk.kek_len);
3462 if (*key_data_len < 8 || *key_data_len % 8) {
3463 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3464 "WPA: Unsupported AES-WRAP len %u",
3465 (unsigned int) *key_data_len);
3466 return -1;
3467 }
3468 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
3469 buf = os_malloc(*key_data_len);
3470 if (buf == NULL) {
3471 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3472 "WPA: No memory for AES-UNWRAP buffer");
3473 return -1;
3474 }
3475 #ifdef TEST_FUZZ
3476 os_memset(buf, 0x11, *key_data_len);
3477 #endif /* TEST_FUZZ */
3478 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
3479 key_data, buf)) {
3480 #ifdef TEST_FUZZ
3481 wpa_printf(MSG_INFO,
3482 "TEST: Ignore AES unwrap failure for fuzz testing");
3483 goto continue_fuzz;
3484 #endif /* TEST_FUZZ */
3485 bin_clear_free(buf, *key_data_len);
3486 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3487 "WPA: AES unwrap failed - "
3488 "could not decrypt EAPOL-Key key data");
3489 return -1;
3490 }
3491 #ifdef TEST_FUZZ
3492 continue_fuzz:
3493 #endif /* TEST_FUZZ */
3494 os_memcpy(key_data, buf, *key_data_len);
3495 bin_clear_free(buf, *key_data_len);
3496 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
3497 } else {
3498 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3499 "WPA: Unsupported key_info type %d", ver);
3500 return -1;
3501 }
3502 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
3503 key_data, *key_data_len);
3504 return 0;
3505 }
3506
3507
3508 /**
3509 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
3510 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3511 */
wpa_sm_aborted_cached(struct wpa_sm * sm)3512 void wpa_sm_aborted_cached(struct wpa_sm *sm)
3513 {
3514 if (sm && sm->cur_pmksa) {
3515 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3516 "RSN: Cancelling PMKSA caching attempt");
3517 sm->cur_pmksa = NULL;
3518 }
3519 }
3520
3521
wpa_sm_aborted_external_cached(struct wpa_sm * sm)3522 void wpa_sm_aborted_external_cached(struct wpa_sm *sm)
3523 {
3524 if (sm && sm->cur_pmksa && sm->cur_pmksa->external) {
3525 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3526 "RSN: Cancelling external PMKSA caching attempt");
3527 sm->cur_pmksa = NULL;
3528 }
3529 }
3530
3531
wpa_eapol_key_dump(struct wpa_sm * sm,const struct wpa_eapol_key * key,unsigned int key_data_len,const u8 * mic,unsigned int mic_len)3532 static void wpa_eapol_key_dump(struct wpa_sm *sm,
3533 const struct wpa_eapol_key *key,
3534 unsigned int key_data_len,
3535 const u8 *mic, unsigned int mic_len)
3536 {
3537 #ifndef CONFIG_NO_STDOUT_DEBUG
3538 u16 key_info = WPA_GET_BE16(key->key_info);
3539
3540 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
3541 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3542 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
3543 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
3544 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
3545 WPA_KEY_INFO_KEY_INDEX_SHIFT,
3546 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
3547 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
3548 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
3549 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
3550 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
3551 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
3552 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
3553 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
3554 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
3555 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3556 " key_length=%u key_data_length=%u",
3557 WPA_GET_BE16(key->key_length), key_data_len);
3558 wpa_hexdump(MSG_DEBUG, " replay_counter",
3559 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
3560 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
3561 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
3562 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
3563 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
3564 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
3565 #endif /* CONFIG_NO_STDOUT_DEBUG */
3566 }
3567
3568
3569 #ifdef CONFIG_FILS
wpa_supp_aead_decrypt(struct wpa_sm * sm,u8 * buf,size_t buf_len,size_t * key_data_len)3570 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
3571 size_t *key_data_len)
3572 {
3573 struct wpa_ptk *ptk;
3574 struct ieee802_1x_hdr *hdr;
3575 struct wpa_eapol_key *key;
3576 u8 *pos, *tmp;
3577 const u8 *aad[1];
3578 size_t aad_len[1];
3579
3580 if (*key_data_len < AES_BLOCK_SIZE) {
3581 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
3582 return -1;
3583 }
3584
3585 if (sm->tptk_set)
3586 ptk = &sm->tptk;
3587 else if (sm->ptk_set)
3588 ptk = &sm->ptk;
3589 else
3590 return -1;
3591
3592 hdr = (struct ieee802_1x_hdr *) buf;
3593 key = (struct wpa_eapol_key *) (hdr + 1);
3594 pos = (u8 *) (key + 1);
3595 pos += 2; /* Pointing at the Encrypted Key Data field */
3596
3597 tmp = os_malloc(*key_data_len);
3598 if (!tmp)
3599 return -1;
3600
3601 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
3602 * to Key Data (exclusive). */
3603 aad[0] = buf;
3604 aad_len[0] = pos - buf;
3605 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
3606 1, aad, aad_len, tmp) < 0) {
3607 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
3608 bin_clear_free(tmp, *key_data_len);
3609 return -1;
3610 }
3611
3612 /* AEAD decryption and validation completed successfully */
3613 (*key_data_len) -= AES_BLOCK_SIZE;
3614 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
3615 tmp, *key_data_len);
3616
3617 /* Replace Key Data field with the decrypted version */
3618 os_memcpy(pos, tmp, *key_data_len);
3619 pos -= 2; /* Key Data Length field */
3620 WPA_PUT_BE16(pos, *key_data_len);
3621 bin_clear_free(tmp, *key_data_len);
3622
3623 if (sm->tptk_set) {
3624 sm->tptk_set = 0;
3625 sm->ptk_set = 1;
3626 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
3627 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3628 }
3629
3630 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3631 WPA_REPLAY_COUNTER_LEN);
3632 sm->rx_replay_counter_set = 1;
3633
3634 return 0;
3635 }
3636 #endif /* CONFIG_FILS */
3637
3638
wpa_sm_rx_eapol_wpa(struct wpa_sm * sm,const u8 * src_addr,struct wpa_eapol_key * key,enum frame_encryption encrypted,const u8 * tmp,size_t data_len,u8 * key_data,size_t key_data_len)3639 static int wpa_sm_rx_eapol_wpa(struct wpa_sm *sm, const u8 *src_addr,
3640 struct wpa_eapol_key *key,
3641 enum frame_encryption encrypted,
3642 const u8 *tmp, size_t data_len,
3643 u8 *key_data, size_t key_data_len)
3644 {
3645 u16 key_info, ver;
3646
3647 key_info = WPA_GET_BE16(key->key_info);
3648
3649 if (key->type != EAPOL_KEY_TYPE_WPA) {
3650 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3651 "WPA: Unsupported EAPOL-Key type %d", key->type);
3652 return -1;
3653 }
3654
3655 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3656 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3657 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3658 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3659 "WPA: Unsupported EAPOL-Key descriptor version %d",
3660 ver);
3661 return -1;
3662 }
3663
3664 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
3665 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3666 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3667 "WPA: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2",
3668 ver);
3669 if (sm->group_cipher != WPA_CIPHER_CCMP &&
3670 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
3671 /* Earlier versions of IEEE 802.11i did not explicitly
3672 * require version 2 descriptor for all EAPOL-Key
3673 * packets, so allow group keys to use version 1 if
3674 * CCMP is not used for them. */
3675 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3676 "WPA: Backwards compatibility: allow invalid version for non-CCMP group keys");
3677 } else
3678 return -1;
3679 }
3680
3681 if ((key_info & WPA_KEY_INFO_MIC) &&
3682 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
3683 return -1;
3684
3685 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
3686 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
3687 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3688 "WPA: Ignored EAPOL-Key (Pairwise) with non-zero key index");
3689 return -1;
3690 }
3691 if (key_info & (WPA_KEY_INFO_MIC |
3692 WPA_KEY_INFO_ENCR_KEY_DATA)) {
3693 /* 3/4 4-Way Handshake */
3694 wpa_supplicant_process_3_of_4_wpa(sm, key, ver,
3695 key_data,
3696 key_data_len);
3697 } else {
3698 /* 1/4 4-Way Handshake */
3699 wpa_supplicant_process_1_of_4_wpa(sm, src_addr, key,
3700 ver, key_data,
3701 key_data_len,
3702 encrypted);
3703 }
3704 } else {
3705 if (key_info & WPA_KEY_INFO_MIC) {
3706 /* 1/2 Group Key Handshake */
3707 wpa_supplicant_process_1_of_2_wpa(sm, src_addr, key,
3708 key_data,
3709 key_data_len,
3710 ver);
3711 } else {
3712 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3713 "WPA: EAPOL-Key (Group) without Mic/Encr bit - dropped");
3714 }
3715 }
3716
3717 return 1;
3718 }
3719
3720
3721 /**
3722 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
3723 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3724 * @src_addr: Source MAC address of the EAPOL packet
3725 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
3726 * @len: Length of the EAPOL frame
3727 * @encrypted: Whether the frame was encrypted
3728 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
3729 *
3730 * This function is called for each received EAPOL frame. Other than EAPOL-Key
3731 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
3732 * only processing WPA and WPA2 EAPOL-Key frames.
3733 *
3734 * The received EAPOL-Key packets are validated and valid packets are replied
3735 * to. In addition, key material (PTK, GTK) is configured at the end of a
3736 * successful key handshake.
3737 */
wpa_sm_rx_eapol(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len,enum frame_encryption encrypted)3738 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
3739 const u8 *buf, size_t len, enum frame_encryption encrypted)
3740 {
3741 size_t plen, data_len, key_data_len;
3742 const struct ieee802_1x_hdr *hdr;
3743 struct wpa_eapol_key *key;
3744 u16 key_info, ver;
3745 u8 *tmp = NULL;
3746 int ret = -1;
3747 u8 *mic, *key_data;
3748 size_t mic_len, keyhdrlen, pmk_len;
3749
3750 #ifdef CONFIG_IEEE80211R
3751 sm->ft_completed = 0;
3752 #endif /* CONFIG_IEEE80211R */
3753
3754 pmk_len = sm->pmk_len;
3755 if (!pmk_len && sm->cur_pmksa)
3756 pmk_len = sm->cur_pmksa->pmk_len;
3757 mic_len = wpa_mic_len(sm->key_mgmt, pmk_len);
3758 keyhdrlen = sizeof(*key) + mic_len + 2;
3759
3760 if (len < sizeof(*hdr) + keyhdrlen) {
3761 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3762 "WPA: EAPOL frame too short to be a WPA "
3763 "EAPOL-Key (len %lu, expecting at least %lu)",
3764 (unsigned long) len,
3765 (unsigned long) sizeof(*hdr) + keyhdrlen);
3766 return 0;
3767 }
3768
3769 hdr = (const struct ieee802_1x_hdr *) buf;
3770 plen = be_to_host16(hdr->length);
3771 data_len = plen + sizeof(*hdr);
3772 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3773 "IEEE 802.1X RX: version=%d type=%d length=%lu",
3774 hdr->version, hdr->type, (unsigned long) plen);
3775
3776 if (hdr->version < EAPOL_VERSION) {
3777 /* TODO: backwards compatibility */
3778 }
3779 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
3780 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3781 "WPA: EAPOL frame (type %u) discarded, "
3782 "not a Key frame", hdr->type);
3783 ret = 0;
3784 goto out;
3785 }
3786 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
3787 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
3788 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3789 "WPA: EAPOL frame payload size %lu "
3790 "invalid (frame size %lu)",
3791 (unsigned long) plen, (unsigned long) len);
3792 ret = 0;
3793 goto out;
3794 }
3795 if (data_len < len) {
3796 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3797 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
3798 (unsigned long) len - data_len);
3799 }
3800
3801 /*
3802 * Make a copy of the frame since we need to modify the buffer during
3803 * MAC validation and Key Data decryption.
3804 */
3805 tmp = os_memdup(buf, data_len);
3806 if (tmp == NULL)
3807 goto out;
3808 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
3809 mic = (u8 *) (key + 1);
3810 key_data = mic + mic_len + 2;
3811
3812 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
3813 {
3814 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3815 "WPA: EAPOL-Key type (%d) unknown, discarded",
3816 key->type);
3817 ret = 0;
3818 goto out;
3819 }
3820
3821 key_data_len = WPA_GET_BE16(mic + mic_len);
3822 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
3823
3824 if (key_data_len > plen - keyhdrlen) {
3825 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
3826 "frame - key_data overflow (%u > %u)",
3827 (unsigned int) key_data_len,
3828 (unsigned int) (plen - keyhdrlen));
3829 goto out;
3830 }
3831
3832 if (sm->rx_replay_counter_set &&
3833 os_memcmp(key->replay_counter, sm->rx_replay_counter,
3834 WPA_REPLAY_COUNTER_LEN) <= 0) {
3835 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3836 "WPA: EAPOL-Key Replay Counter did not increase - dropping packet");
3837 goto out;
3838 }
3839
3840 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
3841
3842 key_info = WPA_GET_BE16(key->key_info);
3843
3844 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
3845 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3846 "WPA: Unsupported SMK bit in key_info");
3847 goto out;
3848 }
3849
3850 if (!(key_info & WPA_KEY_INFO_ACK)) {
3851 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3852 "WPA: No Ack bit in key_info");
3853 goto out;
3854 }
3855
3856 if (key_info & WPA_KEY_INFO_REQUEST) {
3857 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3858 "WPA: EAPOL-Key with Request bit - dropped");
3859 goto out;
3860 }
3861
3862 if (sm->proto == WPA_PROTO_WPA) {
3863 ret = wpa_sm_rx_eapol_wpa(sm, src_addr, key, encrypted,
3864 tmp, data_len,
3865 key_data, key_data_len);
3866 goto out;
3867 }
3868
3869 if (key->type != EAPOL_KEY_TYPE_RSN) {
3870 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3871 "RSN: Unsupported EAPOL-Key type %d", key->type);
3872 goto out;
3873 }
3874
3875 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3876 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3877 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
3878 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
3879 !wpa_use_akm_defined(sm->key_mgmt)) {
3880 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3881 "RSN: Unsupported EAPOL-Key descriptor version %d",
3882 ver);
3883 goto out;
3884 }
3885
3886 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3887 sm->pairwise_cipher != WPA_CIPHER_TKIP) {
3888 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3889 "RSN: EAPOL-Key descriptor version %d not allowed without TKIP as the pairwise cipher",
3890 ver);
3891 goto out;
3892 }
3893
3894 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
3895 (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X &&
3896 sm->key_mgmt != WPA_KEY_MGMT_PSK)) {
3897 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3898 "RSN: EAPOL-Key descriptor version %d not allowed due to negotiated AKM (0x%x)",
3899 ver, sm->key_mgmt);
3900 goto out;
3901 }
3902
3903 if (wpa_use_akm_defined(sm->key_mgmt) &&
3904 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
3905 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3906 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
3907 ver);
3908 goto out;
3909 }
3910
3911 #ifdef CONFIG_IEEE80211R
3912 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
3913 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
3914 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
3915 !wpa_use_akm_defined(sm->key_mgmt)) {
3916 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3917 "FT: AP did not use AES-128-CMAC");
3918 goto out;
3919 }
3920 } else
3921 #endif /* CONFIG_IEEE80211R */
3922 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
3923 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
3924 !wpa_use_akm_defined(sm->key_mgmt)) {
3925 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3926 "RSN: AP did not use the negotiated AES-128-CMAC");
3927 goto out;
3928 }
3929 } else if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
3930 !wpa_use_akm_defined(sm->key_mgmt) &&
3931 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3932 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3933 "RSN: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2", ver);
3934 if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
3935 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3936 "RSN: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
3937 } else {
3938 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3939 "RSN: Unexpected descriptor version %u", ver);
3940 goto out;
3941 }
3942 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
3943 !wpa_use_akm_defined(sm->key_mgmt) &&
3944 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3945 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3946 "RSN: GCMP is used, but EAPOL-Key descriptor version (%d) is not 2",
3947 ver);
3948 goto out;
3949 }
3950
3951 if ((key_info & WPA_KEY_INFO_MIC) &&
3952 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
3953 goto out;
3954
3955 #ifdef CONFIG_FILS
3956 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3957 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
3958 goto out;
3959 }
3960 #endif /* CONFIG_FILS */
3961
3962 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
3963 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
3964 /*
3965 * Only decrypt the Key Data field if the frame's authenticity
3966 * was verified. When using AES-SIV (FILS), the MIC flag is not
3967 * set, so this check should only be performed if mic_len != 0
3968 * which is the case in this code branch.
3969 */
3970 if (!(key_info & WPA_KEY_INFO_MIC)) {
3971 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3972 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
3973 goto out;
3974 }
3975 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
3976 ver, key_data,
3977 &key_data_len))
3978 goto out;
3979 }
3980
3981 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
3982 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
3983 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3984 "RSN: Ignored EAPOL-Key (Pairwise) with non-zero key index");
3985 goto out;
3986 }
3987 if (key_info & (WPA_KEY_INFO_MIC |
3988 WPA_KEY_INFO_ENCR_KEY_DATA)) {
3989 /* 3/4 4-Way Handshake */
3990 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
3991 key_data_len);
3992 } else {
3993 /* 1/4 4-Way Handshake */
3994 wpa_supplicant_process_1_of_4(sm, src_addr, key,
3995 ver, key_data,
3996 key_data_len,
3997 encrypted);
3998 }
3999 } else {
4000 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
4001 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
4002 /* 1/2 Group Key Handshake */
4003 if (sm->mlo.valid_links)
4004 wpa_supplicant_process_mlo_1_of_2(sm, src_addr,
4005 key, key_data,
4006 key_data_len,
4007 ver);
4008 else
4009 wpa_supplicant_process_1_of_2(sm, src_addr, key,
4010 key_data,
4011 key_data_len,
4012 ver);
4013 } else {
4014 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4015 "RSN: EAPOL-Key (Group) without Mic/Encr bit - dropped");
4016 }
4017 }
4018
4019 ret = 1;
4020
4021 out:
4022 bin_clear_free(tmp, data_len);
4023 return ret;
4024 }
4025
4026
4027 #ifdef CONFIG_CTRL_IFACE
wpa_key_mgmt_suite(struct wpa_sm * sm)4028 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
4029 {
4030 switch (sm->key_mgmt) {
4031 case WPA_KEY_MGMT_IEEE8021X:
4032 return ((sm->proto == WPA_PROTO_RSN ||
4033 sm->proto == WPA_PROTO_OSEN) ?
4034 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
4035 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
4036 case WPA_KEY_MGMT_PSK:
4037 return (sm->proto == WPA_PROTO_RSN ?
4038 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
4039 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
4040 #ifdef CONFIG_IEEE80211R
4041 case WPA_KEY_MGMT_FT_IEEE8021X:
4042 return RSN_AUTH_KEY_MGMT_FT_802_1X;
4043 case WPA_KEY_MGMT_FT_PSK:
4044 return RSN_AUTH_KEY_MGMT_FT_PSK;
4045 #endif /* CONFIG_IEEE80211R */
4046 case WPA_KEY_MGMT_IEEE8021X_SHA256:
4047 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
4048 case WPA_KEY_MGMT_PSK_SHA256:
4049 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
4050 case WPA_KEY_MGMT_CCKM:
4051 return (sm->proto == WPA_PROTO_RSN ?
4052 RSN_AUTH_KEY_MGMT_CCKM:
4053 WPA_AUTH_KEY_MGMT_CCKM);
4054 case WPA_KEY_MGMT_WPA_NONE:
4055 return WPA_AUTH_KEY_MGMT_NONE;
4056 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
4057 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
4058 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
4059 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
4060 case WPA_KEY_MGMT_IEEE8021X_SHA384:
4061 return RSN_AUTH_KEY_MGMT_802_1X_SHA384;
4062 default:
4063 return 0;
4064 }
4065 }
4066
4067
4068 #define RSN_SUITE "%02x-%02x-%02x-%d"
4069 #define RSN_SUITE_ARG(s) \
4070 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
4071
4072 /**
4073 * wpa_sm_get_mib - Dump text list of MIB entries
4074 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4075 * @buf: Buffer for the list
4076 * @buflen: Length of the buffer
4077 * Returns: Number of bytes written to buffer
4078 *
4079 * This function is used fetch dot11 MIB variables.
4080 */
wpa_sm_get_mib(struct wpa_sm * sm,char * buf,size_t buflen)4081 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
4082 {
4083 char pmkid_txt[PMKID_LEN * 2 + 1];
4084 bool rsna;
4085 int ret;
4086 size_t len;
4087
4088 if (sm->cur_pmksa) {
4089 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
4090 sm->cur_pmksa->pmkid, PMKID_LEN);
4091 } else
4092 pmkid_txt[0] = '\0';
4093
4094 rsna = (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
4095 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
4096 sm->proto == WPA_PROTO_RSN;
4097
4098 ret = os_snprintf(buf, buflen,
4099 "dot11RSNAOptionImplemented=TRUE\n"
4100 "dot11RSNAPreauthenticationImplemented=TRUE\n"
4101 "dot11RSNAEnabled=%s\n"
4102 "dot11RSNAPreauthenticationEnabled=%s\n"
4103 "dot11RSNAConfigVersion=%d\n"
4104 "dot11RSNAConfigPairwiseKeysSupported=5\n"
4105 "dot11RSNAConfigGroupCipherSize=%d\n"
4106 "dot11RSNAConfigPMKLifetime=%d\n"
4107 "dot11RSNAConfigPMKReauthThreshold=%d\n"
4108 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
4109 "dot11RSNAConfigSATimeout=%d\n",
4110 rsna ? "TRUE" : "FALSE",
4111 rsna ? "TRUE" : "FALSE",
4112 RSN_VERSION,
4113 wpa_cipher_key_len(sm->group_cipher) * 8,
4114 sm->dot11RSNAConfigPMKLifetime,
4115 sm->dot11RSNAConfigPMKReauthThreshold,
4116 sm->dot11RSNAConfigSATimeout);
4117 if (os_snprintf_error(buflen, ret))
4118 return 0;
4119 len = ret;
4120
4121 ret = os_snprintf(
4122 buf + len, buflen - len,
4123 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
4124 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
4125 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
4126 "dot11RSNAPMKIDUsed=%s\n"
4127 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
4128 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
4129 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
4130 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
4131 "dot11RSNA4WayHandshakeFailures=%u\n",
4132 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
4133 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4134 sm->pairwise_cipher)),
4135 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4136 sm->group_cipher)),
4137 pmkid_txt,
4138 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
4139 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4140 sm->pairwise_cipher)),
4141 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4142 sm->group_cipher)),
4143 sm->dot11RSNA4WayHandshakeFailures);
4144 if (!os_snprintf_error(buflen - len, ret))
4145 len += ret;
4146
4147 return (int) len;
4148 }
4149 #endif /* CONFIG_CTRL_IFACE */
4150
4151
wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx,enum pmksa_free_reason reason)4152 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
4153 void *ctx, enum pmksa_free_reason reason)
4154 {
4155 struct wpa_sm *sm = ctx;
4156 int deauth = 0;
4157
4158 wpa_msg_only_for_cb(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
4159 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
4160 wpa_printf(MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
4161 MACSTR_SEC " reason=%d", MAC2STR_SEC(entry->aa), reason);
4162
4163 if (sm->cur_pmksa == entry) {
4164 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4165 "RSN: %s current PMKSA entry",
4166 reason == PMKSA_REPLACE ? "replaced" : "removed");
4167 pmksa_cache_clear_current(sm);
4168
4169 /*
4170 * If an entry is simply being replaced, there's no need to
4171 * deauthenticate because it will be immediately re-added.
4172 * This happens when EAP authentication is completed again
4173 * (reauth or failed PMKSA caching attempt).
4174 */
4175 if (reason != PMKSA_REPLACE)
4176 deauth = 1;
4177 }
4178
4179 if (reason == PMKSA_EXPIRE &&
4180 (sm->pmk_len == entry->pmk_len &&
4181 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
4182 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4183 "RSN: deauthenticating due to expired PMK");
4184 pmksa_cache_clear_current(sm);
4185 deauth = 1;
4186 }
4187
4188 if (deauth) {
4189 sm->pmk_len = 0;
4190 os_memset(sm->pmk, 0, sizeof(sm->pmk));
4191 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
4192 }
4193 }
4194
4195
wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)4196 static bool wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry *entry,
4197 void *ctx)
4198 {
4199 struct wpa_sm *sm = ctx;
4200
4201 return sm->cur_pmksa == entry;
4202 }
4203
4204
wpa_sm_pmksa_notify_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)4205 static void wpa_sm_pmksa_notify_cb(struct rsn_pmksa_cache_entry *entry,
4206 void *ctx)
4207 {
4208 struct wpa_sm *sm = ctx;
4209
4210 wpa_sm_notify_pmksa_cache_entry(sm, entry);
4211 }
4212
4213
4214 /**
4215 * wpa_sm_init - Initialize WPA state machine
4216 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
4217 * Returns: Pointer to the allocated WPA state machine data
4218 *
4219 * This function is used to allocate a new WPA state machine and the returned
4220 * value is passed to all WPA state machine calls.
4221 */
wpa_sm_init(struct wpa_sm_ctx * ctx)4222 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
4223 {
4224 struct wpa_sm *sm;
4225
4226 sm = os_zalloc(sizeof(*sm));
4227 if (sm == NULL)
4228 return NULL;
4229 dl_list_init(&sm->pmksa_candidates);
4230 sm->renew_snonce = 1;
4231 sm->ctx = ctx;
4232
4233 sm->dot11RSNAConfigPMKLifetime = 43200;
4234 sm->dot11RSNAConfigPMKReauthThreshold = 70;
4235 sm->dot11RSNAConfigSATimeout = 60;
4236 #ifdef CONFIG_VENDOR_EXT
4237 wpa_vendor_ext_sm_param_init(sm);
4238 #endif
4239
4240 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb,
4241 wpa_sm_pmksa_is_current_cb,
4242 wpa_sm_pmksa_notify_cb, sm, sm);
4243 if (sm->pmksa == NULL) {
4244 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
4245 "RSN: PMKSA cache initialization failed");
4246 os_free(sm);
4247 return NULL;
4248 }
4249
4250 return sm;
4251 }
4252
4253
4254 /**
4255 * wpa_sm_deinit - Deinitialize WPA state machine
4256 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4257 */
wpa_sm_deinit(struct wpa_sm * sm)4258 void wpa_sm_deinit(struct wpa_sm *sm)
4259 {
4260 int i;
4261
4262 if (sm == NULL)
4263 return;
4264 pmksa_cache_deinit(sm->pmksa);
4265 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
4266 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
4267 os_free(sm->assoc_wpa_ie);
4268 os_free(sm->assoc_rsnxe);
4269 os_free(sm->ap_wpa_ie);
4270 os_free(sm->ap_rsn_ie);
4271 os_free(sm->ap_rsnxe);
4272 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4273 os_free(sm->mlo.links[i].ap_rsne);
4274 os_free(sm->mlo.links[i].ap_rsnxe);
4275 }
4276 wpa_sm_drop_sa(sm);
4277 os_free(sm->ctx);
4278 #ifdef CONFIG_IEEE80211R
4279 os_free(sm->assoc_resp_ies);
4280 #endif /* CONFIG_IEEE80211R */
4281 #ifdef CONFIG_TESTING_OPTIONS
4282 wpabuf_free(sm->test_assoc_ie);
4283 wpabuf_free(sm->test_eapol_m2_elems);
4284 wpabuf_free(sm->test_eapol_m4_elems);
4285 #endif /* CONFIG_TESTING_OPTIONS */
4286 #ifdef CONFIG_FILS_SK_PFS
4287 crypto_ecdh_deinit(sm->fils_ecdh);
4288 #endif /* CONFIG_FILS_SK_PFS */
4289 #ifdef CONFIG_FILS
4290 wpabuf_free(sm->fils_ft_ies);
4291 #endif /* CONFIG_FILS */
4292 #ifdef CONFIG_OWE
4293 crypto_ecdh_deinit(sm->owe_ecdh);
4294 #endif /* CONFIG_OWE */
4295 #ifdef CONFIG_DPP2
4296 wpabuf_clear_free(sm->dpp_z);
4297 #endif /* CONFIG_DPP2 */
4298 os_free(sm);
4299 }
4300
4301
wpa_sm_clear_ptk(struct wpa_sm * sm)4302 static void wpa_sm_clear_ptk(struct wpa_sm *sm)
4303 {
4304 int i;
4305
4306 sm->ptk_set = 0;
4307 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
4308 sm->tptk_set = 0;
4309 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
4310 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
4311 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
4312 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
4313 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
4314 os_memset(&sm->bigtk, 0, sizeof(sm->bigtk));
4315 os_memset(&sm->bigtk_wnm_sleep, 0, sizeof(sm->bigtk_wnm_sleep));
4316 sm->tk_set = false;
4317 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4318 os_memset(&sm->mlo.links[i].gtk, 0,
4319 sizeof(sm->mlo.links[i].gtk));
4320 os_memset(&sm->mlo.links[i].gtk_wnm_sleep, 0,
4321 sizeof(sm->mlo.links[i].gtk_wnm_sleep));
4322 os_memset(&sm->mlo.links[i].igtk, 0,
4323 sizeof(sm->mlo.links[i].igtk));
4324 os_memset(&sm->mlo.links[i].igtk_wnm_sleep, 0,
4325 sizeof(sm->mlo.links[i].igtk_wnm_sleep));
4326 os_memset(&sm->mlo.links[i].bigtk, 0,
4327 sizeof(sm->mlo.links[i].bigtk));
4328 os_memset(&sm->mlo.links[i].bigtk_wnm_sleep, 0,
4329 sizeof(sm->mlo.links[i].bigtk_wnm_sleep));
4330 }
4331 }
4332
4333
4334 /**
4335 * wpa_sm_notify_assoc - Notify WPA state machine about association
4336 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4337 * @bssid: The BSSID of the new association
4338 *
4339 * This function is called to let WPA state machine know that the connection
4340 * was established.
4341 */
wpa_sm_notify_assoc(struct wpa_sm * sm,const u8 * bssid)4342 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
4343 {
4344 int clear_keys = 1;
4345
4346 if (sm == NULL)
4347 return;
4348
4349 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4350 "WPA: Association event - clear replay counter");
4351 os_memcpy(sm->bssid, bssid, ETH_ALEN);
4352 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
4353 sm->rx_replay_counter_set = 0;
4354 sm->renew_snonce = 1;
4355 if (ether_addr_equal(sm->preauth_bssid, bssid))
4356 rsn_preauth_deinit(sm);
4357
4358 #ifdef CONFIG_IEEE80211R
4359 if (wpa_ft_is_completed(sm)) {
4360 /*
4361 * Clear portValid to kick EAPOL state machine to re-enter
4362 * AUTHENTICATED state to get the EAPOL port Authorized.
4363 */
4364 eapol_sm_notify_portValid(sm->eapol, false);
4365 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
4366
4367 /* Prepare for the next transition */
4368 wpa_ft_prepare_auth_request(sm, NULL);
4369
4370 clear_keys = 0;
4371 sm->ft_protocol = 1;
4372 } else {
4373 sm->ft_protocol = 0;
4374 }
4375 #endif /* CONFIG_IEEE80211R */
4376 #ifdef CONFIG_FILS
4377 if (sm->fils_completed) {
4378 /*
4379 * Clear portValid to kick EAPOL state machine to re-enter
4380 * AUTHENTICATED state to get the EAPOL port Authorized.
4381 */
4382 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
4383 clear_keys = 0;
4384 }
4385 #endif /* CONFIG_FILS */
4386
4387 if (clear_keys) {
4388 /*
4389 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
4390 * this is not part of a Fast BSS Transition.
4391 */
4392 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
4393 wpa_sm_clear_ptk(sm);
4394 }
4395
4396 #ifdef CONFIG_TDLS
4397 wpa_tdls_assoc(sm);
4398 #endif /* CONFIG_TDLS */
4399
4400 #ifdef CONFIG_P2P
4401 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
4402 #endif /* CONFIG_P2P */
4403
4404 sm->keyidx_active = 0;
4405 }
4406
4407
4408 /**
4409 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
4410 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4411 *
4412 * This function is called to let WPA state machine know that the connection
4413 * was lost. This will abort any existing pre-authentication session.
4414 */
wpa_sm_notify_disassoc(struct wpa_sm * sm)4415 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
4416 {
4417 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
4418 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
4419 rsn_preauth_deinit(sm);
4420 pmksa_cache_clear_current(sm);
4421 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
4422 sm->dot11RSNA4WayHandshakeFailures++;
4423 #ifdef CONFIG_TDLS
4424 wpa_tdls_disassoc(sm);
4425 #endif /* CONFIG_TDLS */
4426 #ifdef CONFIG_FILS
4427 sm->fils_completed = 0;
4428 #endif /* CONFIG_FILS */
4429 #ifdef CONFIG_IEEE80211R
4430 sm->ft_reassoc_completed = 0;
4431 sm->ft_protocol = 0;
4432 #endif /* CONFIG_IEEE80211R */
4433
4434 /* Keys are not needed in the WPA state machine anymore */
4435 wpa_sm_drop_sa(sm);
4436 sm->keyidx_active = 0;
4437
4438 sm->msg_3_of_4_ok = 0;
4439 os_memset(sm->bssid, 0, ETH_ALEN);
4440 }
4441
4442
4443 /**
4444 * wpa_sm_set_pmk - Set PMK
4445 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4446 * @pmk: The new PMK
4447 * @pmk_len: The length of the new PMK in bytes
4448 * @pmkid: Calculated PMKID
4449 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
4450 *
4451 * Configure the PMK for WPA state machine.
4452 */
wpa_sm_set_pmk(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid)4453 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
4454 const u8 *pmkid, const u8 *bssid)
4455 {
4456 if (sm == NULL)
4457 return;
4458
4459 wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data",
4460 pmk, pmk_len);
4461 sm->pmk_len = pmk_len;
4462 os_memcpy(sm->pmk, pmk, pmk_len);
4463
4464 #ifdef CONFIG_IEEE80211R
4465 /* Set XXKey to be PSK for FT key derivation */
4466 sm->xxkey_len = pmk_len;
4467 os_memcpy(sm->xxkey, pmk, pmk_len);
4468 #endif /* CONFIG_IEEE80211R */
4469
4470 if (bssid) {
4471 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len,
4472 pmkid, NULL, 0, bssid,
4473 sm->own_addr,
4474 sm->network_ctx, sm->key_mgmt,
4475 NULL);
4476 }
4477 }
4478
4479
4480 /**
4481 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
4482 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4483 *
4484 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
4485 * will be cleared.
4486 */
wpa_sm_set_pmk_from_pmksa(struct wpa_sm * sm)4487 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
4488 {
4489 if (sm == NULL)
4490 return;
4491
4492 if (sm->cur_pmksa) {
4493 wpa_hexdump_key(MSG_DEBUG,
4494 "WPA: Set PMK based on current PMKSA",
4495 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len);
4496 sm->pmk_len = sm->cur_pmksa->pmk_len;
4497 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
4498 } else {
4499 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK");
4500 sm->pmk_len = 0;
4501 os_memset(sm->pmk, 0, PMK_LEN_MAX);
4502 }
4503 }
4504
4505
4506 /**
4507 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
4508 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4509 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
4510 */
wpa_sm_set_fast_reauth(struct wpa_sm * sm,int fast_reauth)4511 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
4512 {
4513 if (sm)
4514 sm->fast_reauth = fast_reauth;
4515 }
4516
4517
4518 /**
4519 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
4520 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4521 * @scard_ctx: Context pointer for smartcard related callback functions
4522 */
wpa_sm_set_scard_ctx(struct wpa_sm * sm,void * scard_ctx)4523 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
4524 {
4525 if (sm == NULL)
4526 return;
4527 sm->scard_ctx = scard_ctx;
4528 if (sm->preauth_eapol)
4529 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
4530 }
4531
4532
4533 /**
4534 * wpa_sm_set_config - Notification of current configuration change
4535 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4536 * @config: Pointer to current network configuration
4537 *
4538 * Notify WPA state machine that configuration has changed. config will be
4539 * stored as a backpointer to network configuration. This can be %NULL to clear
4540 * the stored pointed.
4541 */
wpa_sm_set_config(struct wpa_sm * sm,struct rsn_supp_config * config)4542 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
4543 {
4544 if (!sm)
4545 return;
4546
4547 if (config) {
4548 sm->network_ctx = config->network_ctx;
4549 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
4550 sm->proactive_key_caching = config->proactive_key_caching;
4551 sm->eap_workaround = config->eap_workaround;
4552 sm->eap_conf_ctx = config->eap_conf_ctx;
4553 if (config->ssid) {
4554 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
4555 sm->ssid_len = config->ssid_len;
4556 } else
4557 sm->ssid_len = 0;
4558 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
4559 sm->p2p = config->p2p;
4560 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
4561 sm->owe_ptk_workaround = config->owe_ptk_workaround;
4562 sm->force_kdk_derivation = config->force_kdk_derivation;
4563 #ifdef CONFIG_FILS
4564 if (config->fils_cache_id) {
4565 sm->fils_cache_id_set = 1;
4566 os_memcpy(sm->fils_cache_id, config->fils_cache_id,
4567 FILS_CACHE_ID_LEN);
4568 } else {
4569 sm->fils_cache_id_set = 0;
4570 }
4571 #endif /* CONFIG_FILS */
4572 sm->beacon_prot = config->beacon_prot;
4573 } else {
4574 sm->network_ctx = NULL;
4575 sm->allowed_pairwise_cipher = 0;
4576 sm->proactive_key_caching = 0;
4577 sm->eap_workaround = 0;
4578 sm->eap_conf_ctx = NULL;
4579 sm->ssid_len = 0;
4580 sm->wpa_ptk_rekey = 0;
4581 sm->p2p = 0;
4582 sm->wpa_rsc_relaxation = 0;
4583 sm->owe_ptk_workaround = 0;
4584 sm->beacon_prot = 0;
4585 sm->force_kdk_derivation = false;
4586 }
4587 }
4588
4589
wpa_sm_set_ssid(struct wpa_sm * sm,const u8 * ssid,size_t ssid_len)4590 void wpa_sm_set_ssid(struct wpa_sm *sm, const u8 *ssid, size_t ssid_len)
4591 {
4592 if (!sm)
4593 return;
4594
4595 if (ssid) {
4596 os_memcpy(sm->ssid, ssid, ssid_len);
4597 sm->ssid_len = ssid_len;
4598 } else {
4599 sm->ssid_len = 0;
4600 }
4601 }
4602
4603
wpa_sm_set_mlo_params(struct wpa_sm * sm,const struct wpa_sm_mlo * mlo)4604 int wpa_sm_set_mlo_params(struct wpa_sm *sm, const struct wpa_sm_mlo *mlo)
4605 {
4606 int i;
4607
4608 if (!sm)
4609 return -1;
4610
4611 os_memcpy(sm->mlo.ap_mld_addr, mlo->ap_mld_addr, ETH_ALEN);
4612 sm->mlo.assoc_link_id = mlo->assoc_link_id;
4613 sm->mlo.valid_links = mlo->valid_links;
4614 sm->mlo.req_links = mlo->req_links;
4615
4616 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4617 const u8 *ie;
4618 size_t len;
4619
4620 if (sm->mlo.req_links & BIT(i)) {
4621 #ifndef CONFIG_MLD_PATCH
4622 if (!mlo->links[i].ap_rsne ||
4623 mlo->links[i].ap_rsne_len == 0) {
4624 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO,
4625 "RSN: No RSNE for AP MLO link %d with BSSID "
4626 MACSTR,
4627 i, MAC2STR(mlo->links[i].bssid));
4628 return -1;
4629
4630 }
4631 #endif
4632 os_memcpy(sm->mlo.links[i].addr, mlo->links[i].addr,
4633 ETH_ALEN);
4634 os_memcpy(sm->mlo.links[i].bssid, mlo->links[i].bssid,
4635 ETH_ALEN);
4636 }
4637
4638 ie = mlo->links[i].ap_rsne;
4639 len = mlo->links[i].ap_rsne_len;
4640 os_free(sm->mlo.links[i].ap_rsne);
4641 if (!ie || len == 0) {
4642 if (sm->mlo.links[i].ap_rsne)
4643 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4644 "RSN: Clearing MLO link[%u] AP RSNE",
4645 i);
4646 sm->mlo.links[i].ap_rsne = NULL;
4647 sm->mlo.links[i].ap_rsne_len = 0;
4648 } else {
4649 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNE",
4650 ie, len);
4651 sm->mlo.links[i].ap_rsne = os_memdup(ie, len);
4652 if (!sm->mlo.links[i].ap_rsne) {
4653 sm->mlo.links[i].ap_rsne_len = 0;
4654 return -1;
4655 }
4656 sm->mlo.links[i].ap_rsne_len = len;
4657 }
4658
4659 ie = mlo->links[i].ap_rsnxe;
4660 len = mlo->links[i].ap_rsnxe_len;
4661 os_free(sm->mlo.links[i].ap_rsnxe);
4662 if (!ie || len == 0) {
4663 if (sm->mlo.links[i].ap_rsnxe)
4664 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4665 "RSN: Clearing MLO link[%u] AP RSNXE",
4666 i);
4667 sm->mlo.links[i].ap_rsnxe = NULL;
4668 sm->mlo.links[i].ap_rsnxe_len = 0;
4669 } else {
4670 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNXE", ie,
4671 len);
4672 sm->mlo.links[i].ap_rsnxe = os_memdup(ie, len);
4673 if (!sm->mlo.links[i].ap_rsnxe) {
4674 sm->mlo.links[i].ap_rsnxe_len = 0;
4675 return -1;
4676 }
4677 sm->mlo.links[i].ap_rsnxe_len = len;
4678 }
4679 }
4680
4681 return 0;
4682 }
4683
4684
4685 /**
4686 * wpa_sm_set_own_addr - Set own MAC address
4687 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4688 * @addr: Own MAC address
4689 */
wpa_sm_set_own_addr(struct wpa_sm * sm,const u8 * addr)4690 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
4691 {
4692 if (sm)
4693 os_memcpy(sm->own_addr, addr, ETH_ALEN);
4694 }
4695
4696
4697 /**
4698 * wpa_sm_set_ifname - Set network interface name
4699 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4700 * @ifname: Interface name
4701 * @bridge_ifname: Optional bridge interface name (for pre-auth)
4702 */
wpa_sm_set_ifname(struct wpa_sm * sm,const char * ifname,const char * bridge_ifname)4703 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
4704 const char *bridge_ifname)
4705 {
4706 if (sm) {
4707 sm->ifname = ifname;
4708 sm->bridge_ifname = bridge_ifname;
4709 }
4710 }
4711
4712
4713 /**
4714 * wpa_sm_set_eapol - Set EAPOL state machine pointer
4715 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4716 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
4717 */
wpa_sm_set_eapol(struct wpa_sm * sm,struct eapol_sm * eapol)4718 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
4719 {
4720 if (sm)
4721 sm->eapol = eapol;
4722 }
4723
4724
4725 /**
4726 * wpa_sm_set_param - Set WPA state machine parameters
4727 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4728 * @param: Parameter field
4729 * @value: Parameter value
4730 * Returns: 0 on success, -1 on failure
4731 */
wpa_sm_set_param(struct wpa_sm * sm,enum wpa_sm_conf_params param,unsigned int value)4732 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
4733 unsigned int value)
4734 {
4735 int ret = 0;
4736
4737 if (sm == NULL)
4738 return -1;
4739
4740 switch (param) {
4741 case RSNA_PMK_LIFETIME:
4742 if (value > 0)
4743 sm->dot11RSNAConfigPMKLifetime = value;
4744 else
4745 ret = -1;
4746 break;
4747 case RSNA_PMK_REAUTH_THRESHOLD:
4748 if (value > 0 && value <= 100)
4749 sm->dot11RSNAConfigPMKReauthThreshold = value;
4750 else
4751 ret = -1;
4752 break;
4753 case RSNA_SA_TIMEOUT:
4754 if (value > 0)
4755 sm->dot11RSNAConfigSATimeout = value;
4756 else
4757 ret = -1;
4758 break;
4759 case WPA_PARAM_PROTO:
4760 sm->proto = value;
4761 break;
4762 case WPA_PARAM_PAIRWISE:
4763 sm->pairwise_cipher = value;
4764 break;
4765 case WPA_PARAM_GROUP:
4766 sm->group_cipher = value;
4767 break;
4768 case WPA_PARAM_KEY_MGMT:
4769 sm->key_mgmt = value;
4770 break;
4771 case WPA_PARAM_MGMT_GROUP:
4772 sm->mgmt_group_cipher = value;
4773 break;
4774 case WPA_PARAM_RSN_ENABLED:
4775 sm->rsn_enabled = value;
4776 break;
4777 case WPA_PARAM_MFP:
4778 sm->mfp = value;
4779 break;
4780 case WPA_PARAM_OCV:
4781 sm->ocv = value;
4782 break;
4783 case WPA_PARAM_SAE_PWE:
4784 sm->sae_pwe = value;
4785 break;
4786 case WPA_PARAM_SAE_PK:
4787 sm->sae_pk = value;
4788 break;
4789 case WPA_PARAM_DENY_PTK0_REKEY:
4790 sm->wpa_deny_ptk0_rekey = value;
4791 break;
4792 case WPA_PARAM_EXT_KEY_ID:
4793 sm->ext_key_id = value;
4794 break;
4795 case WPA_PARAM_USE_EXT_KEY_ID:
4796 sm->use_ext_key_id = value;
4797 break;
4798 #ifdef CONFIG_TESTING_OPTIONS
4799 case WPA_PARAM_FT_RSNXE_USED:
4800 sm->ft_rsnxe_used = value;
4801 break;
4802 case WPA_PARAM_OCI_FREQ_EAPOL:
4803 sm->oci_freq_override_eapol = value;
4804 break;
4805 case WPA_PARAM_OCI_FREQ_EAPOL_G2:
4806 sm->oci_freq_override_eapol_g2 = value;
4807 break;
4808 case WPA_PARAM_OCI_FREQ_FT_ASSOC:
4809 sm->oci_freq_override_ft_assoc = value;
4810 break;
4811 case WPA_PARAM_OCI_FREQ_FILS_ASSOC:
4812 sm->oci_freq_override_fils_assoc = value;
4813 break;
4814 case WPA_PARAM_DISABLE_EAPOL_G2_TX:
4815 sm->disable_eapol_g2_tx = value;
4816 break;
4817 case WPA_PARAM_ENCRYPT_EAPOL_M2:
4818 sm->encrypt_eapol_m2 = value;
4819 break;
4820 case WPA_PARAM_ENCRYPT_EAPOL_M4:
4821 sm->encrypt_eapol_m4 = value;
4822 break;
4823 #endif /* CONFIG_TESTING_OPTIONS */
4824 #ifdef CONFIG_DPP2
4825 case WPA_PARAM_DPP_PFS:
4826 sm->dpp_pfs = value;
4827 break;
4828 #endif /* CONFIG_DPP2 */
4829 case WPA_PARAM_WMM_ENABLED:
4830 sm->wmm_enabled = value;
4831 break;
4832 case WPA_PARAM_FT_PREPEND_PMKID:
4833 sm->ft_prepend_pmkid = value;
4834 break;
4835 case WPA_PARAM_SSID_PROTECTION:
4836 sm->ssid_protection = value;
4837 break;
4838 default:
4839 break;
4840 }
4841
4842 return ret;
4843 }
4844
4845
4846 /**
4847 * wpa_sm_get_status - Get WPA state machine
4848 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4849 * @buf: Buffer for status information
4850 * @buflen: Maximum buffer length
4851 * @verbose: Whether to include verbose status information
4852 * Returns: Number of bytes written to buf.
4853 *
4854 * Query WPA state machine for status information. This function fills in
4855 * a text area with current status information. If the buffer (buf) is not
4856 * large enough, status information will be truncated to fit the buffer.
4857 */
wpa_sm_get_status(struct wpa_sm * sm,char * buf,size_t buflen,int verbose)4858 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
4859 int verbose)
4860 {
4861 char *pos = buf, *end = buf + buflen;
4862 int ret;
4863
4864 ret = os_snprintf(pos, end - pos,
4865 "pairwise_cipher=%s\n"
4866 "group_cipher=%s\n"
4867 "key_mgmt=%s\n",
4868 wpa_cipher_txt(sm->pairwise_cipher),
4869 wpa_cipher_txt(sm->group_cipher),
4870 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
4871 if (os_snprintf_error(end - pos, ret))
4872 return pos - buf;
4873 pos += ret;
4874
4875 #ifdef CONFIG_DPP2
4876 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
4877 ret = os_snprintf(pos, end - pos, "dpp_pfs=1\n");
4878 if (os_snprintf_error(end - pos, ret))
4879 return pos - buf;
4880 pos += ret;
4881 }
4882 #endif /* CONFIG_DPP2 */
4883
4884 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
4885 struct wpa_ie_data rsn;
4886 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
4887 >= 0 &&
4888 rsn.capabilities & (WPA_CAPABILITY_MFPR |
4889 WPA_CAPABILITY_MFPC)) {
4890 ret = os_snprintf(pos, end - pos, "pmf=%d\n"
4891 "mgmt_group_cipher=%s\n",
4892 (rsn.capabilities &
4893 WPA_CAPABILITY_MFPR) ? 2 : 1,
4894 wpa_cipher_txt(
4895 sm->mgmt_group_cipher));
4896 if (os_snprintf_error(end - pos, ret))
4897 return pos - buf;
4898 pos += ret;
4899 }
4900 }
4901
4902 return pos - buf;
4903 }
4904
4905
wpa_sm_pmf_enabled(struct wpa_sm * sm)4906 int wpa_sm_pmf_enabled(struct wpa_sm *sm)
4907 {
4908 struct wpa_ie_data rsn;
4909
4910 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
4911 return 0;
4912
4913 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
4914 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
4915 return 1;
4916
4917 return 0;
4918 }
4919
4920
wpa_sm_ext_key_id(struct wpa_sm * sm)4921 int wpa_sm_ext_key_id(struct wpa_sm *sm)
4922 {
4923 return sm ? sm->ext_key_id : 0;
4924 }
4925
4926
wpa_sm_ext_key_id_active(struct wpa_sm * sm)4927 int wpa_sm_ext_key_id_active(struct wpa_sm *sm)
4928 {
4929 return sm ? sm->use_ext_key_id : 0;
4930 }
4931
4932
wpa_sm_ocv_enabled(struct wpa_sm * sm)4933 int wpa_sm_ocv_enabled(struct wpa_sm *sm)
4934 {
4935 struct wpa_ie_data rsn;
4936
4937 if (!sm->ocv || !sm->ap_rsn_ie)
4938 return 0;
4939
4940 return wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len,
4941 &rsn) >= 0 &&
4942 (rsn.capabilities & WPA_CAPABILITY_OCVC);
4943 }
4944
4945
4946 /**
4947 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
4948 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4949 * @wpa_ie: Pointer to buffer for WPA/RSN IE
4950 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
4951 * Returns: 0 on success, -1 on failure
4952 */
wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm * sm,u8 * wpa_ie,size_t * wpa_ie_len)4953 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
4954 size_t *wpa_ie_len)
4955 {
4956 int res;
4957
4958 if (sm == NULL)
4959 return -1;
4960
4961 #ifdef CONFIG_TESTING_OPTIONS
4962 if (sm->test_assoc_ie) {
4963 wpa_printf(MSG_DEBUG,
4964 "TESTING: Replace association WPA/RSN IE");
4965 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
4966 return -1;
4967 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
4968 wpabuf_len(sm->test_assoc_ie));
4969 res = wpabuf_len(sm->test_assoc_ie);
4970 } else
4971 #endif /* CONFIG_TESTING_OPTIONS */
4972 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
4973 if (res < 0)
4974 return -1;
4975 *wpa_ie_len = res;
4976
4977 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
4978 wpa_ie, *wpa_ie_len);
4979
4980 if (sm->assoc_wpa_ie == NULL) {
4981 /*
4982 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
4983 * the correct version of the IE even if PMKSA caching is
4984 * aborted (which would remove PMKID from IE generation).
4985 */
4986 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
4987 if (sm->assoc_wpa_ie == NULL)
4988 return -1;
4989
4990 sm->assoc_wpa_ie_len = *wpa_ie_len;
4991 } else {
4992 wpa_hexdump(MSG_DEBUG,
4993 "WPA: Leave previously set WPA IE default",
4994 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
4995 }
4996
4997 return 0;
4998 }
4999
5000
5001 /**
5002 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
5003 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5004 * @ie: Pointer to IE data (starting from id)
5005 * @len: IE length
5006 * Returns: 0 on success, -1 on failure
5007 *
5008 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
5009 * Request frame. The IE will be used to override the default value generated
5010 * with wpa_sm_set_assoc_wpa_ie_default().
5011 */
wpa_sm_set_assoc_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)5012 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
5013 {
5014 if (sm == NULL)
5015 return -1;
5016
5017 os_free(sm->assoc_wpa_ie);
5018 if (ie == NULL || len == 0) {
5019 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5020 "WPA: clearing own WPA/RSN IE");
5021 sm->assoc_wpa_ie = NULL;
5022 sm->assoc_wpa_ie_len = 0;
5023 } else {
5024 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
5025 sm->assoc_wpa_ie = os_memdup(ie, len);
5026 if (sm->assoc_wpa_ie == NULL)
5027 return -1;
5028
5029 sm->assoc_wpa_ie_len = len;
5030 }
5031
5032 return 0;
5033 }
5034
5035
5036 /**
5037 * wpa_sm_set_assoc_rsnxe_default - Generate own RSNXE from configuration
5038 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5039 * @rsnxe: Pointer to buffer for RSNXE
5040 * @rsnxe_len: Pointer to the length of the rsne buffer
5041 * Returns: 0 on success, -1 on failure
5042 */
wpa_sm_set_assoc_rsnxe_default(struct wpa_sm * sm,u8 * rsnxe,size_t * rsnxe_len)5043 int wpa_sm_set_assoc_rsnxe_default(struct wpa_sm *sm, u8 *rsnxe,
5044 size_t *rsnxe_len)
5045 {
5046 int res;
5047
5048 if (!sm)
5049 return -1;
5050
5051 res = wpa_gen_rsnxe(sm, rsnxe, *rsnxe_len);
5052 if (res < 0)
5053 return -1;
5054 *rsnxe_len = res;
5055
5056 wpa_hexdump(MSG_DEBUG, "RSN: Set own RSNXE default", rsnxe, *rsnxe_len);
5057
5058 if (sm->assoc_rsnxe) {
5059 wpa_hexdump(MSG_DEBUG,
5060 "RSN: Leave previously set RSNXE default",
5061 sm->assoc_rsnxe, sm->assoc_rsnxe_len);
5062 } else if (*rsnxe_len > 0) {
5063 /*
5064 * Make a copy of the RSNXE so that 4-Way Handshake gets the
5065 * correct version of the IE even if it gets changed.
5066 */
5067 sm->assoc_rsnxe = os_memdup(rsnxe, *rsnxe_len);
5068 if (!sm->assoc_rsnxe)
5069 return -1;
5070
5071 sm->assoc_rsnxe_len = *rsnxe_len;
5072 }
5073
5074 return 0;
5075 }
5076
5077
5078 /**
5079 * wpa_sm_set_assoc_rsnxe - Set own RSNXE from (Re)AssocReq
5080 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5081 * @ie: Pointer to IE data (starting from id)
5082 * @len: IE length
5083 * Returns: 0 on success, -1 on failure
5084 *
5085 * Inform WPA state machine about the RSNXE used in (Re)Association Request
5086 * frame. The IE will be used to override the default value generated
5087 * with wpa_sm_set_assoc_rsnxe_default().
5088 */
wpa_sm_set_assoc_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)5089 int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
5090 {
5091 if (!sm)
5092 return -1;
5093
5094 os_free(sm->assoc_rsnxe);
5095 if (!ie || len == 0) {
5096 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5097 "RSN: clearing own RSNXE");
5098 sm->assoc_rsnxe = NULL;
5099 sm->assoc_rsnxe_len = 0;
5100 } else {
5101 wpa_hexdump(MSG_DEBUG, "RSN: set own RSNXE", ie, len);
5102 sm->assoc_rsnxe = os_memdup(ie, len);
5103 if (!sm->assoc_rsnxe)
5104 return -1;
5105
5106 sm->assoc_rsnxe_len = len;
5107 }
5108
5109 if (sm->ssid_protection &&
5110 !ieee802_11_rsnx_capab(sm->assoc_rsnxe,
5111 WLAN_RSNX_CAPAB_SSID_PROTECTION)) {
5112 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5113 "RSN: Disabling SSID protection based on own RSNXE update");
5114 sm->ssid_protection = 0;
5115 }
5116
5117 return 0;
5118 }
5119
5120
5121 /**
5122 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
5123 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5124 * @ie: Pointer to IE data (starting from id)
5125 * @len: IE length
5126 * Returns: 0 on success, -1 on failure
5127 *
5128 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
5129 * frame.
5130 */
wpa_sm_set_ap_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)5131 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
5132 {
5133 if (sm == NULL)
5134 return -1;
5135
5136 os_free(sm->ap_wpa_ie);
5137 if (ie == NULL || len == 0) {
5138 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5139 "WPA: clearing AP WPA IE");
5140 sm->ap_wpa_ie = NULL;
5141 sm->ap_wpa_ie_len = 0;
5142 } else {
5143 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
5144 sm->ap_wpa_ie = os_memdup(ie, len);
5145 if (sm->ap_wpa_ie == NULL)
5146 return -1;
5147
5148 sm->ap_wpa_ie_len = len;
5149 }
5150
5151 return 0;
5152 }
5153
5154 #ifdef CONFIG_MAGICLINK_PC
wpa_sm_set_p2p_legacyGO_state(struct wpa_sm * sm,int legacyGO)5155 int wpa_sm_set_p2p_legacyGO_state(struct wpa_sm *sm, int legacyGO)
5156 {
5157 if (sm == NULL)
5158 return -1;
5159 sm->legacyGO = legacyGO;
5160 return 0;
5161 }
5162 #endif /* CONFIG_MAGICLINK_PC */
5163
5164 /**
5165 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
5166 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5167 * @ie: Pointer to IE data (starting from id)
5168 * @len: IE length
5169 * Returns: 0 on success, -1 on failure
5170 *
5171 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
5172 * frame.
5173 */
wpa_sm_set_ap_rsn_ie(struct wpa_sm * sm,const u8 * ie,size_t len)5174 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
5175 {
5176 if (sm == NULL)
5177 return -1;
5178
5179 os_free(sm->ap_rsn_ie);
5180 if (ie == NULL || len == 0) {
5181 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5182 "WPA: clearing AP RSN IE");
5183 sm->ap_rsn_ie = NULL;
5184 sm->ap_rsn_ie_len = 0;
5185 } else {
5186 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
5187 sm->ap_rsn_ie = os_memdup(ie, len);
5188 if (sm->ap_rsn_ie == NULL)
5189 return -1;
5190
5191 sm->ap_rsn_ie_len = len;
5192 }
5193
5194 return 0;
5195 }
5196
5197
5198 /**
5199 * wpa_sm_set_ap_rsnxe - Set AP RSNXE from Beacon/ProbeResp
5200 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5201 * @ie: Pointer to IE data (starting from id)
5202 * @len: IE length
5203 * Returns: 0 on success, -1 on failure
5204 *
5205 * Inform WPA state machine about the RSNXE used in Beacon / Probe Response
5206 * frame.
5207 */
wpa_sm_set_ap_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)5208 int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
5209 {
5210 if (!sm)
5211 return -1;
5212
5213 os_free(sm->ap_rsnxe);
5214 if (!ie || len == 0) {
5215 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE");
5216 sm->ap_rsnxe = NULL;
5217 sm->ap_rsnxe_len = 0;
5218 } else {
5219 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len);
5220 sm->ap_rsnxe = os_memdup(ie, len);
5221 if (!sm->ap_rsnxe)
5222 return -1;
5223
5224 sm->ap_rsnxe_len = len;
5225 }
5226
5227 return 0;
5228 }
5229
5230
5231 /**
5232 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
5233 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5234 * @data: Pointer to data area for parsing results
5235 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
5236 *
5237 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
5238 * parsed data into data.
5239 */
wpa_sm_parse_own_wpa_ie(struct wpa_sm * sm,struct wpa_ie_data * data)5240 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
5241 {
5242 if (sm == NULL)
5243 return -1;
5244
5245 if (sm->assoc_wpa_ie == NULL) {
5246 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5247 "WPA: No WPA/RSN IE available from association info");
5248 return -1;
5249 }
5250 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
5251 return -2;
5252 return 0;
5253 }
5254
5255
wpa_sm_pmksa_cache_list(struct wpa_sm * sm,char * buf,size_t len)5256 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
5257 {
5258 return pmksa_cache_list(sm->pmksa, buf, len);
5259 }
5260
5261
wpa_sm_pmksa_cache_head(struct wpa_sm * sm)5262 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
5263 {
5264 return pmksa_cache_head(sm->pmksa);
5265 }
5266
5267
5268 struct rsn_pmksa_cache_entry *
wpa_sm_pmksa_cache_add_entry(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)5269 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
5270 struct rsn_pmksa_cache_entry * entry)
5271 {
5272 return pmksa_cache_add_entry(sm->pmksa, entry);
5273 }
5274
5275
wpa_sm_pmksa_cache_add(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid,const u8 * fils_cache_id)5276 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
5277 const u8 *pmkid, const u8 *bssid,
5278 const u8 *fils_cache_id)
5279 {
5280 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
5281 bssid, sm->own_addr, sm->network_ctx,
5282 sm->key_mgmt, fils_cache_id);
5283 }
5284
5285
wpa_sm_pmksa_exists(struct wpa_sm * sm,const u8 * bssid,const u8 * own_addr,const void * network_ctx)5286 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid, const u8 *own_addr,
5287 const void *network_ctx)
5288 {
5289 return pmksa_cache_get(sm->pmksa, bssid, own_addr, NULL, network_ctx,
5290 0) != NULL;
5291 }
5292
5293
wpa_sm_pmksa_cache_get(struct wpa_sm * sm,const u8 * aa,const u8 * pmkid,const void * network_ctx,int akmp)5294 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_get(struct wpa_sm *sm,
5295 const u8 *aa,
5296 const u8 *pmkid,
5297 const void *network_ctx,
5298 int akmp)
5299 {
5300 return pmksa_cache_get(sm->pmksa, aa, sm->own_addr, pmkid, network_ctx,
5301 akmp);
5302 }
5303
5304
wpa_sm_pmksa_cache_remove(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)5305 void wpa_sm_pmksa_cache_remove(struct wpa_sm *sm,
5306 struct rsn_pmksa_cache_entry *entry)
5307 {
5308 if (sm && sm->pmksa)
5309 pmksa_cache_remove(sm->pmksa, entry);
5310 }
5311
5312
wpa_sm_drop_sa(struct wpa_sm * sm)5313 void wpa_sm_drop_sa(struct wpa_sm *sm)
5314 {
5315 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
5316 wpa_sm_clear_ptk(sm);
5317 sm->pmk_len = 0;
5318 os_memset(sm->pmk, 0, sizeof(sm->pmk));
5319 #ifdef CONFIG_IEEE80211R
5320 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
5321 sm->xxkey_len = 0;
5322 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
5323 sm->pmk_r0_len = 0;
5324 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
5325 sm->pmk_r1_len = 0;
5326 #ifdef CONFIG_PASN
5327 os_free(sm->pasn_r1kh);
5328 sm->pasn_r1kh = NULL;
5329 sm->n_pasn_r1kh = 0;
5330 #endif /* CONFIG_PASN */
5331 #endif /* CONFIG_IEEE80211R */
5332 }
5333
5334
5335 #ifdef CONFIG_IEEE80211R
wpa_sm_has_ft_keys(struct wpa_sm * sm,const u8 * md)5336 bool wpa_sm_has_ft_keys(struct wpa_sm *sm, const u8 *md)
5337 {
5338 if (!sm)
5339 return false;
5340 if (!wpa_key_mgmt_ft(sm->key_mgmt) ||
5341 os_memcmp(md, sm->key_mobility_domain,
5342 MOBILITY_DOMAIN_ID_LEN) != 0) {
5343 /* Do not allow FT protocol to be used even if we were to have
5344 * an PTK since the mobility domain has changed. */
5345 return false;
5346 }
5347 return sm->ptk_set;
5348 }
5349 #endif /* CONFIG_IEEE80211R */
5350
5351
wpa_sm_has_ptk_installed(struct wpa_sm * sm)5352 int wpa_sm_has_ptk_installed(struct wpa_sm *sm)
5353 {
5354 if (!sm)
5355 return 0;
5356 return sm->tk_set || sm->ptk.installed;
5357 }
5358
5359
wpa_sm_update_replay_ctr(struct wpa_sm * sm,const u8 * replay_ctr)5360 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
5361 {
5362 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
5363 }
5364
5365
wpa_sm_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)5366 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
5367 {
5368 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, false);
5369 }
5370
5371
wpa_sm_external_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)5372 void wpa_sm_external_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
5373 {
5374 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, true);
5375 }
5376
5377
5378 #ifdef CONFIG_WNM
wpa_wnmsleep_install_key(struct wpa_sm * sm,u8 subelem_id,u8 * buf)5379 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
5380 {
5381 u16 keyinfo;
5382 u8 keylen; /* plaintext key len */
5383 u8 *key_rsc;
5384
5385 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
5386 struct wpa_gtk_data gd;
5387
5388 os_memset(&gd, 0, sizeof(gd));
5389 keylen = wpa_cipher_key_len(sm->group_cipher);
5390 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
5391 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
5392 if (gd.alg == WPA_ALG_NONE) {
5393 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
5394 return -1;
5395 }
5396
5397 key_rsc = buf + 5;
5398 keyinfo = WPA_GET_LE16(buf + 2);
5399 gd.gtk_len = keylen;
5400 if (gd.gtk_len != buf[4]) {
5401 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
5402 gd.gtk_len, buf[4]);
5403 return -1;
5404 }
5405 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
5406 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
5407 sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
5408
5409 os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
5410
5411 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
5412 gd.gtk, gd.gtk_len);
5413 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
5414 forced_memzero(&gd, sizeof(gd));
5415 wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
5416 "WNM mode");
5417 return -1;
5418 }
5419 forced_memzero(&gd, sizeof(gd));
5420 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
5421 const struct wpa_igtk_kde *igtk;
5422
5423 igtk = (const struct wpa_igtk_kde *) (buf + 2);
5424 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
5425 return -1;
5426 } else if (subelem_id == WNM_SLEEP_SUBELEM_BIGTK) {
5427 const struct wpa_bigtk_kde *bigtk;
5428
5429 bigtk = (const struct wpa_bigtk_kde *) (buf + 2);
5430 if (sm->beacon_prot &&
5431 wpa_supplicant_install_bigtk(sm, bigtk, 1) < 0)
5432 return -1;
5433 } else {
5434 wpa_printf(MSG_DEBUG, "Unknown element id");
5435 return -1;
5436 }
5437
5438 return 0;
5439 }
5440 #endif /* CONFIG_WNM */
5441
5442
5443 #ifdef CONFIG_P2P
5444
wpa_sm_get_p2p_ip_addr(struct wpa_sm * sm,u8 * buf)5445 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
5446 {
5447 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
5448 return -1;
5449 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
5450 return 0;
5451 }
5452
5453 #endif /* CONFIG_P2P */
5454
5455
wpa_sm_set_rx_replay_ctr(struct wpa_sm * sm,const u8 * rx_replay_counter)5456 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
5457 {
5458 if (rx_replay_counter == NULL)
5459 return;
5460
5461 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
5462 WPA_REPLAY_COUNTER_LEN);
5463 sm->rx_replay_counter_set = 1;
5464 wpa_printf(MSG_DEBUG, "Updated key replay counter");
5465 }
5466
5467
wpa_sm_set_ptk_kck_kek(struct wpa_sm * sm,const u8 * ptk_kck,size_t ptk_kck_len,const u8 * ptk_kek,size_t ptk_kek_len)5468 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
5469 const u8 *ptk_kck, size_t ptk_kck_len,
5470 const u8 *ptk_kek, size_t ptk_kek_len)
5471 {
5472 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
5473 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
5474 sm->ptk.kck_len = ptk_kck_len;
5475 wpa_printf(MSG_DEBUG, "Updated PTK KCK");
5476 }
5477 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
5478 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
5479 sm->ptk.kek_len = ptk_kek_len;
5480 wpa_printf(MSG_DEBUG, "Updated PTK KEK");
5481 }
5482 sm->ptk_set = 1;
5483 }
5484
5485
5486 #ifdef CONFIG_TESTING_OPTIONS
5487
wpa_sm_set_test_assoc_ie(struct wpa_sm * sm,struct wpabuf * buf)5488 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
5489 {
5490 wpabuf_free(sm->test_assoc_ie);
5491 sm->test_assoc_ie = buf;
5492 }
5493
5494
wpa_sm_set_test_eapol_m2_elems(struct wpa_sm * sm,struct wpabuf * buf)5495 void wpa_sm_set_test_eapol_m2_elems(struct wpa_sm *sm, struct wpabuf *buf)
5496 {
5497 wpabuf_free(sm->test_eapol_m2_elems);
5498 sm->test_eapol_m2_elems = buf;
5499 }
5500
5501
wpa_sm_set_test_eapol_m4_elems(struct wpa_sm * sm,struct wpabuf * buf)5502 void wpa_sm_set_test_eapol_m4_elems(struct wpa_sm *sm, struct wpabuf *buf)
5503 {
5504 wpabuf_free(sm->test_eapol_m4_elems);
5505 sm->test_eapol_m4_elems = buf;
5506 }
5507
5508
wpa_sm_get_anonce(struct wpa_sm * sm)5509 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm)
5510 {
5511 return sm->anonce;
5512 }
5513
5514 #endif /* CONFIG_TESTING_OPTIONS */
5515
5516
wpa_sm_get_key_mgmt(struct wpa_sm * sm)5517 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm)
5518 {
5519 return sm->key_mgmt;
5520 }
5521
5522
wpa_sm_get_auth_addr(struct wpa_sm * sm)5523 const u8 * wpa_sm_get_auth_addr(struct wpa_sm *sm)
5524 {
5525 return sm->mlo.valid_links ? sm->mlo.ap_mld_addr : sm->bssid;
5526 }
5527
5528
5529 #ifdef CONFIG_FILS
5530
fils_build_auth(struct wpa_sm * sm,int dh_group,const u8 * md)5531 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md)
5532 {
5533 struct wpabuf *buf = NULL;
5534 struct wpabuf *erp_msg;
5535 struct wpabuf *pub = NULL;
5536
5537 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
5538 if (!erp_msg && !sm->cur_pmksa) {
5539 wpa_printf(MSG_DEBUG,
5540 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
5541 goto fail;
5542 }
5543
5544 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
5545 erp_msg != NULL, sm->cur_pmksa != NULL);
5546
5547 sm->fils_completed = 0;
5548
5549 if (!sm->assoc_wpa_ie) {
5550 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
5551 goto fail;
5552 }
5553
5554 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
5555 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
5556 goto fail;
5557
5558 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
5559 sm->fils_nonce, FILS_NONCE_LEN);
5560 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
5561 sm->fils_session, FILS_SESSION_LEN);
5562
5563 #ifdef CONFIG_FILS_SK_PFS
5564 sm->fils_dh_group = dh_group;
5565 if (dh_group) {
5566 crypto_ecdh_deinit(sm->fils_ecdh);
5567 sm->fils_ecdh = crypto_ecdh_init(dh_group);
5568 if (!sm->fils_ecdh) {
5569 wpa_printf(MSG_INFO,
5570 "FILS: Could not initialize ECDH with group %d",
5571 dh_group);
5572 goto fail;
5573 }
5574 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
5575 if (!pub)
5576 goto fail;
5577 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)",
5578 pub);
5579 sm->fils_dh_elem_len = wpabuf_len(pub);
5580 }
5581 #endif /* CONFIG_FILS_SK_PFS */
5582
5583 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
5584 (pub ? wpabuf_len(pub) : 0));
5585 if (!buf)
5586 goto fail;
5587
5588 /* Fields following the Authentication algorithm number field */
5589
5590 /* Authentication Transaction seq# */
5591 wpabuf_put_le16(buf, 1);
5592
5593 /* Status Code */
5594 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
5595
5596 /* TODO: FILS PK */
5597 #ifdef CONFIG_FILS_SK_PFS
5598 if (dh_group) {
5599 /* Finite Cyclic Group */
5600 wpabuf_put_le16(buf, dh_group);
5601 /* Element */
5602 wpabuf_put_buf(buf, pub);
5603 }
5604 #endif /* CONFIG_FILS_SK_PFS */
5605
5606 /* RSNE */
5607 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
5608 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5609 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5610
5611 if (md) {
5612 /* MDE when using FILS for FT initial association */
5613 struct rsn_mdie *mdie;
5614
5615 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN);
5616 wpabuf_put_u8(buf, sizeof(*mdie));
5617 mdie = wpabuf_put(buf, sizeof(*mdie));
5618 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
5619 mdie->ft_capab = 0;
5620 }
5621
5622 /* FILS Nonce */
5623 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5624 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
5625 /* Element ID Extension */
5626 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
5627 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
5628
5629 /* FILS Session */
5630 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5631 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
5632 /* Element ID Extension */
5633 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
5634 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
5635
5636 /* Wrapped Data */
5637 sm->fils_erp_pmkid_set = 0;
5638 if (erp_msg) {
5639 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5640 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
5641 /* Element ID Extension */
5642 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
5643 wpabuf_put_buf(buf, erp_msg);
5644 /* Calculate pending PMKID here so that we do not need to
5645 * maintain a copy of the EAP-Initiate/Reauth message. */
5646 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
5647 wpabuf_len(erp_msg),
5648 sm->fils_erp_pmkid) == 0)
5649 sm->fils_erp_pmkid_set = 1;
5650 }
5651
5652 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
5653 buf);
5654
5655 fail:
5656 wpabuf_free(erp_msg);
5657 wpabuf_free(pub);
5658 return buf;
5659 }
5660
5661
fils_process_auth(struct wpa_sm * sm,const u8 * bssid,const u8 * data,size_t len)5662 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
5663 size_t len)
5664 {
5665 const u8 *pos, *end;
5666 struct ieee802_11_elems elems;
5667 struct wpa_ie_data rsn;
5668 int pmkid_match = 0;
5669 u8 ick[FILS_ICK_MAX_LEN];
5670 size_t ick_len;
5671 int res;
5672 struct wpabuf *dh_ss = NULL;
5673 const u8 *g_sta = NULL;
5674 size_t g_sta_len = 0;
5675 const u8 *g_ap = NULL;
5676 size_t g_ap_len = 0, kdk_len;
5677 struct wpabuf *pub = NULL;
5678 #ifdef CONFIG_IEEE80211R
5679 struct wpa_ft_ies parse;
5680
5681 os_memset(&parse, 0, sizeof(parse));
5682 #endif /* CONFIG_IEEE80211R */
5683
5684 os_memcpy(sm->bssid, bssid, ETH_ALEN);
5685
5686 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
5687 data, len);
5688 pos = data;
5689 end = data + len;
5690
5691 /* TODO: FILS PK */
5692 #ifdef CONFIG_FILS_SK_PFS
5693 if (sm->fils_dh_group) {
5694 u16 group;
5695
5696 /* Using FILS PFS */
5697
5698 /* Finite Cyclic Group */
5699 if (end - pos < 2) {
5700 wpa_printf(MSG_DEBUG,
5701 "FILS: No room for Finite Cyclic Group");
5702 goto fail;
5703 }
5704 group = WPA_GET_LE16(pos);
5705 pos += 2;
5706 if (group != sm->fils_dh_group) {
5707 wpa_printf(MSG_DEBUG,
5708 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
5709 group, sm->fils_dh_group);
5710 goto fail;
5711 }
5712
5713 /* Element */
5714 if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
5715 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
5716 goto fail;
5717 }
5718
5719 if (!sm->fils_ecdh) {
5720 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available");
5721 goto fail;
5722 }
5723 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
5724 sm->fils_dh_elem_len);
5725 if (!dh_ss) {
5726 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
5727 goto fail;
5728 }
5729 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss);
5730 g_ap = pos;
5731 g_ap_len = sm->fils_dh_elem_len;
5732 pos += sm->fils_dh_elem_len;
5733 }
5734 #endif /* CONFIG_FILS_SK_PFS */
5735
5736 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
5737 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
5738 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
5739 goto fail;
5740 }
5741
5742 /* RSNE */
5743 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
5744 elems.rsn_ie_len);
5745 if (!elems.rsn_ie ||
5746 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
5747 &rsn) < 0) {
5748 wpa_printf(MSG_DEBUG, "FILS: No RSN element");
5749 goto fail;
5750 }
5751
5752 if (!elems.fils_nonce) {
5753 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
5754 goto fail;
5755 }
5756 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
5757 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
5758
5759 #ifdef CONFIG_IEEE80211R
5760 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
5761 if (!elems.mdie || !elems.ftie) {
5762 wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE");
5763 goto fail;
5764 }
5765
5766 if (wpa_ft_parse_ies(pos, end - pos, &parse,
5767 sm->key_mgmt, false) < 0) {
5768 wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs");
5769 goto fail;
5770 }
5771
5772 if (!parse.r0kh_id) {
5773 wpa_printf(MSG_DEBUG,
5774 "FILS+FT: No R0KH-ID subelem in FTE");
5775 goto fail;
5776 }
5777 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
5778 sm->r0kh_id_len = parse.r0kh_id_len;
5779 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
5780 sm->r0kh_id, sm->r0kh_id_len);
5781
5782 if (!parse.r1kh_id) {
5783 wpa_printf(MSG_DEBUG,
5784 "FILS+FT: No R1KH-ID subelem in FTE");
5785 goto fail;
5786 }
5787 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
5788 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID",
5789 sm->r1kh_id, FT_R1KH_ID_LEN);
5790
5791 /* TODO: Check MDE and FTE payload */
5792
5793 wpabuf_free(sm->fils_ft_ies);
5794 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len +
5795 2 + elems.ftie_len);
5796 if (!sm->fils_ft_ies)
5797 goto fail;
5798 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2,
5799 2 + elems.mdie_len);
5800 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2,
5801 2 + elems.ftie_len);
5802 } else {
5803 wpabuf_free(sm->fils_ft_ies);
5804 sm->fils_ft_ies = NULL;
5805 }
5806 #endif /* CONFIG_IEEE80211R */
5807
5808 /* PMKID List */
5809 if (rsn.pmkid && rsn.num_pmkid > 0) {
5810 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
5811 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
5812
5813 if (rsn.num_pmkid != 1) {
5814 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
5815 goto fail;
5816 }
5817 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
5818 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
5819 {
5820 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
5821 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
5822 sm->cur_pmksa->pmkid, PMKID_LEN);
5823 goto fail;
5824 }
5825 wpa_printf(MSG_DEBUG,
5826 "FILS: Matching PMKID - continue using PMKSA caching");
5827 pmkid_match = 1;
5828 }
5829 if (!pmkid_match && sm->cur_pmksa) {
5830 wpa_printf(MSG_DEBUG,
5831 "FILS: No PMKID match - cannot use cached PMKSA entry");
5832 sm->cur_pmksa = NULL;
5833 }
5834
5835 /* FILS Session */
5836 if (!elems.fils_session) {
5837 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
5838 goto fail;
5839 }
5840 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
5841 FILS_SESSION_LEN);
5842 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
5843 != 0) {
5844 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
5845 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
5846 sm->fils_session, FILS_SESSION_LEN);
5847 goto fail;
5848 }
5849
5850 /* Wrapped Data */
5851 if (!sm->cur_pmksa && elems.wrapped_data) {
5852 u8 rmsk[ERP_MAX_KEY_LEN];
5853 size_t rmsk_len;
5854
5855 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
5856 elems.wrapped_data,
5857 elems.wrapped_data_len);
5858 eapol_sm_process_erp_finish(sm->eapol, elems.wrapped_data,
5859 elems.wrapped_data_len);
5860 if (eapol_sm_failed(sm->eapol))
5861 goto fail;
5862
5863 rmsk_len = ERP_MAX_KEY_LEN;
5864 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
5865 if (res == PMK_LEN) {
5866 rmsk_len = PMK_LEN;
5867 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
5868 }
5869 if (res)
5870 goto fail;
5871
5872 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
5873 sm->fils_nonce, sm->fils_anonce,
5874 dh_ss ? wpabuf_head(dh_ss) : NULL,
5875 dh_ss ? wpabuf_len(dh_ss) : 0,
5876 sm->pmk, &sm->pmk_len);
5877 forced_memzero(rmsk, sizeof(rmsk));
5878
5879 /* Don't use DHss in PTK derivation if PMKSA caching is not
5880 * used. */
5881 wpabuf_clear_free(dh_ss);
5882 dh_ss = NULL;
5883
5884 if (res)
5885 goto fail;
5886
5887 if (!sm->fils_erp_pmkid_set) {
5888 wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
5889 goto fail;
5890 }
5891 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
5892 PMKID_LEN);
5893 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
5894 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
5895 sm->fils_erp_pmkid, NULL, 0,
5896 sm->bssid, sm->own_addr,
5897 sm->network_ctx, sm->key_mgmt,
5898 NULL);
5899 }
5900
5901 if (!sm->cur_pmksa) {
5902 wpa_printf(MSG_DEBUG,
5903 "FILS: No remaining options to continue FILS authentication");
5904 goto fail;
5905 }
5906
5907 if (sm->force_kdk_derivation ||
5908 (sm->secure_ltf &&
5909 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
5910 kdk_len = WPA_KDK_MAX_LEN;
5911 else
5912 kdk_len = 0;
5913
5914 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr,
5915 wpa_sm_get_auth_addr(sm),
5916 sm->fils_nonce, sm->fils_anonce,
5917 dh_ss ? wpabuf_head(dh_ss) : NULL,
5918 dh_ss ? wpabuf_len(dh_ss) : 0,
5919 &sm->ptk, ick, &ick_len,
5920 sm->key_mgmt, sm->pairwise_cipher,
5921 sm->fils_ft, &sm->fils_ft_len,
5922 kdk_len) < 0) {
5923 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
5924 goto fail;
5925 }
5926
5927 #ifdef CONFIG_PASN
5928 if (sm->secure_ltf &&
5929 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
5930 wpa_ltf_keyseed(&sm->ptk, sm->key_mgmt, sm->pairwise_cipher)) {
5931 wpa_printf(MSG_DEBUG, "FILS: Failed to derive LTF keyseed");
5932 goto fail;
5933 }
5934 #endif /* CONFIG_PASN */
5935
5936 wpabuf_clear_free(dh_ss);
5937 dh_ss = NULL;
5938
5939 sm->ptk_set = 1;
5940 sm->tptk_set = 0;
5941 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
5942
5943 #ifdef CONFIG_FILS_SK_PFS
5944 if (sm->fils_dh_group) {
5945 if (!sm->fils_ecdh) {
5946 wpa_printf(MSG_INFO, "FILS: ECDH not initialized");
5947 goto fail;
5948 }
5949 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
5950 if (!pub)
5951 goto fail;
5952 wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub);
5953 g_sta = wpabuf_head(pub);
5954 g_sta_len = wpabuf_len(pub);
5955 if (!g_ap) {
5956 wpa_printf(MSG_INFO, "FILS: gAP not available");
5957 goto fail;
5958 }
5959 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
5960 }
5961 #endif /* CONFIG_FILS_SK_PFS */
5962
5963 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
5964 sm->fils_anonce, sm->own_addr, sm->bssid,
5965 g_sta, g_sta_len, g_ap, g_ap_len,
5966 sm->key_mgmt, sm->fils_key_auth_sta,
5967 sm->fils_key_auth_ap,
5968 &sm->fils_key_auth_len);
5969 wpabuf_free(pub);
5970 forced_memzero(ick, sizeof(ick));
5971 #ifdef CONFIG_IEEE80211R
5972 wpa_ft_parse_ies_free(&parse);
5973 #endif /* CONFIG_IEEE80211R */
5974 return res;
5975 fail:
5976 wpabuf_free(pub);
5977 wpabuf_clear_free(dh_ss);
5978 #ifdef CONFIG_IEEE80211R
5979 wpa_ft_parse_ies_free(&parse);
5980 #endif /* CONFIG_IEEE80211R */
5981 return -1;
5982 }
5983
5984
5985 #ifdef CONFIG_IEEE80211R
fils_ft_build_assoc_req_rsne(struct wpa_sm * sm,struct wpabuf * buf)5986 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf)
5987 {
5988 struct rsn_ie_hdr *rsnie;
5989 u16 capab;
5990 u8 *pos;
5991 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
5992
5993 /* RSNIE[PMKR0Name/PMKR1Name] */
5994 rsnie = wpabuf_put(buf, sizeof(*rsnie));
5995 rsnie->elem_id = WLAN_EID_RSN;
5996 WPA_PUT_LE16(rsnie->version, RSN_VERSION);
5997
5998 /* Group Suite Selector */
5999 if (!wpa_cipher_valid_group(sm->group_cipher)) {
6000 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
6001 sm->group_cipher);
6002 return -1;
6003 }
6004 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6005 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
6006 sm->group_cipher));
6007
6008 /* Pairwise Suite Count */
6009 wpabuf_put_le16(buf, 1);
6010
6011 /* Pairwise Suite List */
6012 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
6013 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
6014 sm->pairwise_cipher);
6015 return -1;
6016 }
6017 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6018 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
6019 sm->pairwise_cipher));
6020
6021 /* Authenticated Key Management Suite Count */
6022 wpabuf_put_le16(buf, 1);
6023
6024 /* Authenticated Key Management Suite List */
6025 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6026 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
6027 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
6028 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384)
6029 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
6030 else {
6031 wpa_printf(MSG_WARNING,
6032 "FILS+FT: Invalid key management type (%d)",
6033 sm->key_mgmt);
6034 return -1;
6035 }
6036
6037 /* RSN Capabilities */
6038 capab = 0;
6039 if (sm->mfp)
6040 capab |= WPA_CAPABILITY_MFPC;
6041 if (sm->mfp == 2)
6042 capab |= WPA_CAPABILITY_MFPR;
6043 if (sm->ocv)
6044 capab |= WPA_CAPABILITY_OCVC;
6045 if (sm->ext_key_id)
6046 capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST;
6047 wpabuf_put_le16(buf, capab);
6048
6049 /* PMKID Count */
6050 wpabuf_put_le16(buf, 1);
6051
6052 /* PMKID List [PMKR1Name] */
6053 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)",
6054 sm->fils_ft, sm->fils_ft_len);
6055 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len);
6056 wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID",
6057 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
6058 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
6059 sm->r0kh_id, sm->r0kh_id_len);
6060 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid,
6061 sm->ssid_len, sm->mobility_domain,
6062 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
6063 sm->pmk_r0, sm->pmk_r0_name, sm->key_mgmt) < 0) {
6064 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0");
6065 return -1;
6066 }
6067 if (wpa_key_mgmt_sae_ext_key(sm->key_mgmt))
6068 sm->pmk_r0_len = sm->fils_ft_len;
6069 else
6070 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
6071 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR_SEC,
6072 MAC2STR_SEC(sm->r1kh_id));
6073 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
6074 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
6075 sm->pmk_r1_name, sm->fils_ft_len) < 0) {
6076 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
6077 return -1;
6078 }
6079 os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN);
6080
6081 os_memcpy(sm->key_mobility_domain, sm->mobility_domain,
6082 MOBILITY_DOMAIN_ID_LEN);
6083
6084 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
6085 /* Management Group Cipher Suite */
6086 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6087 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
6088 }
6089
6090 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2;
6091 return 0;
6092 }
6093 #endif /* CONFIG_IEEE80211R */
6094
6095
fils_build_assoc_req(struct wpa_sm * sm,const u8 ** kek,size_t * kek_len,const u8 ** snonce,const u8 ** anonce,const struct wpabuf ** hlp,unsigned int num_hlp)6096 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
6097 size_t *kek_len, const u8 **snonce,
6098 const u8 **anonce,
6099 const struct wpabuf **hlp,
6100 unsigned int num_hlp)
6101 {
6102 struct wpabuf *buf;
6103 size_t len;
6104 unsigned int i;
6105
6106 len = 1000;
6107 #ifdef CONFIG_IEEE80211R
6108 if (sm->fils_ft_ies)
6109 len += wpabuf_len(sm->fils_ft_ies);
6110 if (wpa_key_mgmt_ft(sm->key_mgmt))
6111 len += 256;
6112 #endif /* CONFIG_IEEE80211R */
6113 for (i = 0; hlp && i < num_hlp; i++)
6114 len += 10 + wpabuf_len(hlp[i]);
6115 buf = wpabuf_alloc(len);
6116 if (!buf)
6117 return NULL;
6118
6119 #ifdef CONFIG_IEEE80211R
6120 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
6121 /* MDE and FTE when using FILS+FT */
6122 wpabuf_put_buf(buf, sm->fils_ft_ies);
6123 /* RSNE with PMKR1Name in PMKID field */
6124 if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) {
6125 wpabuf_free(buf);
6126 return NULL;
6127 }
6128 }
6129 #endif /* CONFIG_IEEE80211R */
6130
6131 /* FILS Session */
6132 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6133 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
6134 /* Element ID Extension */
6135 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
6136 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
6137
6138 /* Everything after FILS Session element gets encrypted in the driver
6139 * with KEK. The buffer returned from here is the plaintext version. */
6140
6141 /* TODO: FILS Public Key */
6142
6143 /* FILS Key Confirm */
6144 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6145 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
6146 /* Element ID Extension */
6147 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
6148 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
6149
6150 /* FILS HLP Container */
6151 for (i = 0; hlp && i < num_hlp; i++) {
6152 const u8 *pos = wpabuf_head(hlp[i]);
6153 size_t left = wpabuf_len(hlp[i]);
6154
6155 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6156 if (left <= 254)
6157 len = 1 + left;
6158 else
6159 len = 255;
6160 wpabuf_put_u8(buf, len); /* Length */
6161 /* Element ID Extension */
6162 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
6163 /* Destination MAC Address, Source MAC Address, HLP Packet.
6164 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
6165 * header when LPD is used). */
6166 wpabuf_put_data(buf, pos, len - 1);
6167 pos += len - 1;
6168 left -= len - 1;
6169 while (left) {
6170 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
6171 len = left > 255 ? 255 : left;
6172 wpabuf_put_u8(buf, len);
6173 wpabuf_put_data(buf, pos, len);
6174 pos += len;
6175 left -= len;
6176 }
6177 }
6178
6179 /* TODO: FILS IP Address Assignment */
6180
6181 #ifdef CONFIG_OCV
6182 if (wpa_sm_ocv_enabled(sm)) {
6183 struct wpa_channel_info ci;
6184 u8 *pos;
6185
6186 if (wpa_sm_channel_info(sm, &ci) != 0) {
6187 wpa_printf(MSG_WARNING,
6188 "FILS: Failed to get channel info for OCI element");
6189 wpabuf_free(buf);
6190 return NULL;
6191 }
6192 #ifdef CONFIG_TESTING_OPTIONS
6193 if (sm->oci_freq_override_fils_assoc) {
6194 wpa_printf(MSG_INFO,
6195 "TEST: Override OCI KDE frequency %d -> %d MHz",
6196 ci.frequency,
6197 sm->oci_freq_override_fils_assoc);
6198 ci.frequency = sm->oci_freq_override_fils_assoc;
6199 }
6200 #endif /* CONFIG_TESTING_OPTIONS */
6201
6202 pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN);
6203 if (ocv_insert_extended_oci(&ci, pos) < 0) {
6204 wpabuf_free(buf);
6205 return NULL;
6206 }
6207 }
6208 #endif /* CONFIG_OCV */
6209
6210 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
6211
6212 *kek = sm->ptk.kek;
6213 *kek_len = sm->ptk.kek_len;
6214 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
6215 *snonce = sm->fils_nonce;
6216 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
6217 *snonce, FILS_NONCE_LEN);
6218 *anonce = sm->fils_anonce;
6219 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
6220 *anonce, FILS_NONCE_LEN);
6221
6222 return buf;
6223 }
6224
6225
fils_process_hlp_resp(struct wpa_sm * sm,const u8 * resp,size_t len)6226 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
6227 {
6228 const u8 *pos, *end;
6229
6230 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
6231 if (len < 2 * ETH_ALEN)
6232 return;
6233 pos = resp + 2 * ETH_ALEN;
6234 end = resp + len;
6235 if (end - pos >= 6 &&
6236 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
6237 pos += 6; /* Remove SNAP/LLC header */
6238 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
6239 }
6240
6241
fils_process_hlp_container(struct wpa_sm * sm,const u8 * pos,size_t len)6242 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
6243 size_t len)
6244 {
6245 const u8 *end = pos + len;
6246 u8 *tmp, *tmp_pos;
6247
6248 /* Check if there are any FILS HLP Container elements */
6249 while (end - pos >= 2) {
6250 if (2 + pos[1] > end - pos)
6251 return;
6252 if (pos[0] == WLAN_EID_EXTENSION &&
6253 pos[1] >= 1 + 2 * ETH_ALEN &&
6254 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
6255 break;
6256 pos += 2 + pos[1];
6257 }
6258 if (end - pos < 2)
6259 return; /* No FILS HLP Container elements */
6260
6261 tmp = os_malloc(end - pos);
6262 if (!tmp)
6263 return;
6264
6265 while (end - pos >= 2) {
6266 if (2 + pos[1] > end - pos ||
6267 pos[0] != WLAN_EID_EXTENSION ||
6268 pos[1] < 1 + 2 * ETH_ALEN ||
6269 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
6270 break;
6271 tmp_pos = tmp;
6272 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
6273 tmp_pos += pos[1] - 1;
6274 pos += 2 + pos[1];
6275
6276 /* Add possible fragments */
6277 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
6278 2 + pos[1] <= end - pos) {
6279 os_memcpy(tmp_pos, pos + 2, pos[1]);
6280 tmp_pos += pos[1];
6281 pos += 2 + pos[1];
6282 }
6283
6284 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
6285 }
6286
6287 os_free(tmp);
6288 }
6289
6290
fils_process_assoc_resp(struct wpa_sm * sm,const u8 * resp,size_t len)6291 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
6292 {
6293 const struct ieee80211_mgmt *mgmt;
6294 const u8 *end, *ie_start;
6295 struct ieee802_11_elems elems;
6296 int keylen, rsclen;
6297 enum wpa_alg alg;
6298 struct wpa_gtk_data gd;
6299 int maxkeylen;
6300 struct wpa_eapol_ie_parse kde;
6301
6302 if (!sm || !sm->ptk_set) {
6303 wpa_printf(MSG_DEBUG, "FILS: No KEK available");
6304 return -1;
6305 }
6306
6307 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
6308 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
6309 return -1;
6310 }
6311
6312 if (sm->fils_completed) {
6313 wpa_printf(MSG_DEBUG,
6314 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
6315 return -1;
6316 }
6317
6318 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
6319 resp, len);
6320
6321 mgmt = (const struct ieee80211_mgmt *) resp;
6322 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
6323 return -1;
6324
6325 end = resp + len;
6326 /* Same offset for Association Response and Reassociation Response */
6327 ie_start = mgmt->u.assoc_resp.variable;
6328
6329 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
6330 ParseFailed) {
6331 wpa_printf(MSG_DEBUG,
6332 "FILS: Failed to parse decrypted elements");
6333 goto fail;
6334 }
6335
6336 if (!elems.fils_session) {
6337 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
6338 return -1;
6339 }
6340 if (os_memcmp(elems.fils_session, sm->fils_session,
6341 FILS_SESSION_LEN) != 0) {
6342 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
6343 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
6344 elems.fils_session, FILS_SESSION_LEN);
6345 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
6346 sm->fils_session, FILS_SESSION_LEN);
6347 }
6348
6349 if (!elems.rsn_ie) {
6350 wpa_printf(MSG_DEBUG,
6351 "FILS: No RSNE in (Re)Association Response");
6352 /* As an interop workaround, allow this for now since IEEE Std
6353 * 802.11ai-2016 did not include all the needed changes to make
6354 * a FILS AP include RSNE in the frame. This workaround might
6355 * eventually be removed and replaced with rejection (goto fail)
6356 * to follow a strict interpretation of the standard. */
6357 } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
6358 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
6359 elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
6360 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
6361 "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
6362 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
6363 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
6364 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
6365 elems.rsn_ie, elems.rsn_ie_len);
6366 goto fail;
6367 }
6368
6369 /* TODO: FILS Public Key */
6370
6371 if (!elems.fils_key_confirm) {
6372 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
6373 goto fail;
6374 }
6375 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
6376 wpa_printf(MSG_DEBUG,
6377 "FILS: Unexpected Key-Auth length %d (expected %d)",
6378 elems.fils_key_confirm_len,
6379 (int) sm->fils_key_auth_len);
6380 goto fail;
6381 }
6382 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
6383 sm->fils_key_auth_len) != 0) {
6384 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
6385 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
6386 elems.fils_key_confirm,
6387 elems.fils_key_confirm_len);
6388 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
6389 sm->fils_key_auth_ap, sm->fils_key_auth_len);
6390 goto fail;
6391 }
6392
6393 #ifdef CONFIG_OCV
6394 if (wpa_sm_ocv_enabled(sm)) {
6395 struct wpa_channel_info ci;
6396
6397 if (wpa_sm_channel_info(sm, &ci) != 0) {
6398 wpa_printf(MSG_WARNING,
6399 "Failed to get channel info to validate received OCI in FILS (Re)Association Response frame");
6400 goto fail;
6401 }
6402
6403 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
6404 channel_width_to_int(ci.chanwidth),
6405 ci.seg1_idx) != OCI_SUCCESS) {
6406 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
6407 "addr=" MACSTR " frame=fils-assoc error=%s",
6408 MAC2STR(sm->bssid), ocv_errorstr);
6409 goto fail;
6410 }
6411 }
6412 #endif /* CONFIG_OCV */
6413
6414 #ifdef CONFIG_IEEE80211R
6415 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
6416 struct wpa_ie_data rsn;
6417
6418 /* Check that PMKR1Name derived by the AP matches */
6419 if (!elems.rsn_ie ||
6420 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
6421 &rsn) < 0 ||
6422 !rsn.pmkid || rsn.num_pmkid != 1 ||
6423 os_memcmp(rsn.pmkid, sm->pmk_r1_name,
6424 WPA_PMK_NAME_LEN) != 0) {
6425 wpa_printf(MSG_DEBUG,
6426 "FILS+FT: No RSNE[PMKR1Name] match in AssocResp");
6427 goto fail;
6428 }
6429 }
6430 #endif /* CONFIG_IEEE80211R */
6431
6432 /* Key Delivery */
6433 if (!elems.key_delivery) {
6434 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
6435 goto fail;
6436 }
6437
6438 /* Parse GTK and set the key to the driver */
6439 os_memset(&gd, 0, sizeof(gd));
6440 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
6441 elems.key_delivery_len - WPA_KEY_RSC_LEN,
6442 &kde) < 0) {
6443 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
6444 goto fail;
6445 }
6446 if (!kde.gtk) {
6447 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
6448 goto fail;
6449 }
6450 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
6451 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
6452 gd.gtk_len, maxkeylen,
6453 &gd.key_rsc_len, &gd.alg))
6454 goto fail;
6455
6456 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
6457 gd.keyidx = kde.gtk[0] & 0x3;
6458 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
6459 !!(kde.gtk[0] & BIT(2)));
6460 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
6461 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
6462 (unsigned long) kde.gtk_len - 2);
6463 goto fail;
6464 }
6465 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
6466
6467 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
6468 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
6469 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
6470 goto fail;
6471 }
6472
6473 if (ieee80211w_set_keys(sm, &kde) < 0) {
6474 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
6475 goto fail;
6476 }
6477
6478 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
6479 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
6480 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
6481 wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
6482 keylen, (long unsigned int) sm->ptk.tk_len);
6483 goto fail;
6484 }
6485
6486 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
6487 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
6488 sm->ptk.tk, keylen);
6489 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm), 0, 1,
6490 null_rsc, rsclen,
6491 sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE_RX_TX) < 0) {
6492 wpa_msg_only_for_cb(sm->ctx->msg_ctx, MSG_WARNING,
6493 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d auth_addr="
6494 MACSTR ")",
6495 alg, keylen, MAC2STR(wpa_sm_get_auth_addr(sm)));
6496 wpa_printf(MSG_WARNING, "FILS: Failed to set PTK to the driver (alg=%d keylen=%d auth_addr="
6497 MACSTR_SEC ")",
6498 alg, keylen, MAC2STR_SEC(wpa_sm_get_auth_addr(sm)));
6499 goto fail;
6500 }
6501
6502 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
6503 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
6504
6505 /* TODO: TK could be cleared after auth frame exchange now that driver
6506 * takes care of association frame encryption/decryption. */
6507 /* TK is not needed anymore in supplicant */
6508 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
6509 sm->ptk.tk_len = 0;
6510 sm->ptk.installed = 1;
6511 sm->tk_set = true;
6512
6513 /* FILS HLP Container */
6514 fils_process_hlp_container(sm, ie_start, end - ie_start);
6515
6516 /* TODO: FILS IP Address Assignment */
6517
6518 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
6519 sm->fils_completed = 1;
6520 forced_memzero(&gd, sizeof(gd));
6521
6522 if (kde.transition_disable)
6523 wpa_sm_transition_disable(sm, kde.transition_disable[0]);
6524
6525 return 0;
6526 fail:
6527 forced_memzero(&gd, sizeof(gd));
6528 return -1;
6529 }
6530
6531
wpa_sm_set_reset_fils_completed(struct wpa_sm * sm,int set)6532 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set)
6533 {
6534 if (sm)
6535 sm->fils_completed = !!set;
6536 }
6537
6538 #endif /* CONFIG_FILS */
6539
6540
wpa_fils_is_completed(struct wpa_sm * sm)6541 int wpa_fils_is_completed(struct wpa_sm *sm)
6542 {
6543 #ifdef CONFIG_FILS
6544 return sm && sm->fils_completed;
6545 #else /* CONFIG_FILS */
6546 return 0;
6547 #endif /* CONFIG_FILS */
6548 }
6549
6550
6551 #ifdef CONFIG_OWE
6552
owe_build_assoc_req(struct wpa_sm * sm,u16 group)6553 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group)
6554 {
6555 struct wpabuf *ie = NULL, *pub = NULL;
6556 size_t prime_len;
6557
6558 if (group == 19)
6559 prime_len = 32;
6560 else if (group == 20)
6561 prime_len = 48;
6562 else if (group == 21)
6563 prime_len = 66;
6564 else
6565 return NULL;
6566
6567 crypto_ecdh_deinit(sm->owe_ecdh);
6568 sm->owe_ecdh = crypto_ecdh_init(group);
6569 if (!sm->owe_ecdh)
6570 goto fail;
6571 sm->owe_group = group;
6572 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
6573 pub = wpabuf_zeropad(pub, prime_len);
6574 if (!pub)
6575 goto fail;
6576
6577 ie = wpabuf_alloc(5 + wpabuf_len(pub));
6578 if (!ie)
6579 goto fail;
6580 wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
6581 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
6582 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
6583 wpabuf_put_le16(ie, group);
6584 wpabuf_put_buf(ie, pub);
6585 wpabuf_free(pub);
6586 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
6587 ie);
6588
6589 return ie;
6590 fail:
6591 wpabuf_free(pub);
6592 crypto_ecdh_deinit(sm->owe_ecdh);
6593 sm->owe_ecdh = NULL;
6594 return NULL;
6595 }
6596
6597
owe_process_assoc_resp(struct wpa_sm * sm,const u8 * bssid,const u8 * resp_ies,size_t resp_ies_len)6598 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
6599 const u8 *resp_ies, size_t resp_ies_len)
6600 {
6601 struct ieee802_11_elems elems;
6602 u16 group;
6603 struct wpabuf *secret, *pub, *hkey;
6604 int res;
6605 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
6606 const char *info = "OWE Key Generation";
6607 const u8 *addr[2];
6608 size_t len[2];
6609 size_t hash_len, prime_len;
6610 struct wpa_ie_data data;
6611
6612 if (!resp_ies ||
6613 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
6614 ParseFailed) {
6615 wpa_printf(MSG_INFO,
6616 "OWE: Could not parse Association Response frame elements");
6617 return -1;
6618 }
6619
6620 if (sm->cur_pmksa && elems.rsn_ie &&
6621 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len,
6622 &data) == 0 &&
6623 data.num_pmkid == 1 && data.pmkid &&
6624 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) {
6625 wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching");
6626 wpa_sm_set_pmk_from_pmksa(sm);
6627 return 0;
6628 }
6629
6630 if (!elems.owe_dh) {
6631 wpa_printf(MSG_INFO,
6632 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
6633 return -1;
6634 }
6635
6636 group = WPA_GET_LE16(elems.owe_dh);
6637 if (group != sm->owe_group) {
6638 wpa_printf(MSG_INFO,
6639 "OWE: Unexpected Diffie-Hellman group in response: %u",
6640 group);
6641 return -1;
6642 }
6643
6644 if (!sm->owe_ecdh) {
6645 wpa_printf(MSG_INFO, "OWE: No ECDH state available");
6646 return -1;
6647 }
6648
6649 if (group == 19)
6650 prime_len = 32;
6651 else if (group == 20)
6652 prime_len = 48;
6653 else if (group == 21)
6654 prime_len = 66;
6655 else
6656 return -1;
6657
6658 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
6659 elems.owe_dh + 2,
6660 elems.owe_dh_len - 2);
6661 secret = wpabuf_zeropad(secret, prime_len);
6662 if (!secret) {
6663 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
6664 return -1;
6665 }
6666 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
6667
6668 /* prk = HKDF-extract(C | A | group, z) */
6669
6670 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
6671 if (!pub) {
6672 wpabuf_clear_free(secret);
6673 return -1;
6674 }
6675
6676 /* PMKID = Truncate-128(Hash(C | A)) */
6677 addr[0] = wpabuf_head(pub);
6678 len[0] = wpabuf_len(pub);
6679 addr[1] = elems.owe_dh + 2;
6680 len[1] = elems.owe_dh_len - 2;
6681 if (group == 19) {
6682 res = sha256_vector(2, addr, len, pmkid);
6683 hash_len = SHA256_MAC_LEN;
6684 } else if (group == 20) {
6685 res = sha384_vector(2, addr, len, pmkid);
6686 hash_len = SHA384_MAC_LEN;
6687 } else if (group == 21) {
6688 res = sha512_vector(2, addr, len, pmkid);
6689 hash_len = SHA512_MAC_LEN;
6690 } else {
6691 res = -1;
6692 hash_len = 0;
6693 }
6694 pub = wpabuf_zeropad(pub, prime_len);
6695 if (res < 0 || !pub) {
6696 wpabuf_free(pub);
6697 wpabuf_clear_free(secret);
6698 return -1;
6699 }
6700
6701 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
6702 if (!hkey) {
6703 wpabuf_free(pub);
6704 wpabuf_clear_free(secret);
6705 return -1;
6706 }
6707
6708 wpabuf_put_buf(hkey, pub); /* C */
6709 wpabuf_free(pub);
6710 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
6711 wpabuf_put_le16(hkey, sm->owe_group); /* group */
6712 if (group == 19)
6713 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
6714 wpabuf_head(secret), wpabuf_len(secret), prk);
6715 else if (group == 20)
6716 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
6717 wpabuf_head(secret), wpabuf_len(secret), prk);
6718 else if (group == 21)
6719 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
6720 wpabuf_head(secret), wpabuf_len(secret), prk);
6721 wpabuf_clear_free(hkey);
6722 wpabuf_clear_free(secret);
6723 if (res < 0)
6724 return -1;
6725
6726 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
6727
6728 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
6729
6730 if (group == 19)
6731 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
6732 os_strlen(info), sm->pmk, hash_len);
6733 else if (group == 20)
6734 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
6735 os_strlen(info), sm->pmk, hash_len);
6736 else if (group == 21)
6737 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
6738 os_strlen(info), sm->pmk, hash_len);
6739 forced_memzero(prk, SHA512_MAC_LEN);
6740 if (res < 0) {
6741 sm->pmk_len = 0;
6742 return -1;
6743 }
6744 sm->pmk_len = hash_len;
6745
6746 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
6747 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
6748 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
6749 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
6750 NULL);
6751
6752 return 0;
6753 }
6754
6755 #endif /* CONFIG_OWE */
6756
6757
wpa_sm_set_fils_cache_id(struct wpa_sm * sm,const u8 * fils_cache_id)6758 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id)
6759 {
6760 #ifdef CONFIG_FILS
6761 if (sm && fils_cache_id) {
6762 sm->fils_cache_id_set = 1;
6763 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN);
6764 }
6765 #endif /* CONFIG_FILS */
6766 }
6767
6768
6769 #ifdef CONFIG_DPP2
wpa_sm_set_dpp_z(struct wpa_sm * sm,const struct wpabuf * z)6770 void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z)
6771 {
6772 if (sm) {
6773 wpabuf_clear_free(sm->dpp_z);
6774 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
6775 }
6776 }
6777 #endif /* CONFIG_DPP2 */
6778
6779
6780 #ifdef CONFIG_PASN
6781
wpa_pasn_sm_set_caps(struct wpa_sm * sm,unsigned int flags2)6782 void wpa_pasn_sm_set_caps(struct wpa_sm *sm, unsigned int flags2)
6783 {
6784 if (flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_STA)
6785 sm->secure_ltf = 1;
6786 if (flags2 & WPA_DRIVER_FLAGS2_SEC_RTT_STA)
6787 sm->secure_rtt = 1;
6788 if (flags2 & WPA_DRIVER_FLAGS2_PROT_RANGE_NEG_STA)
6789 sm->prot_range_neg = 1;
6790 }
6791
6792 #endif /* CONFIG_PASN */
6793
6794
wpa_sm_pmksa_cache_reconfig(struct wpa_sm * sm)6795 void wpa_sm_pmksa_cache_reconfig(struct wpa_sm *sm)
6796 {
6797 if (sm)
6798 pmksa_cache_reconfig(sm->pmksa);
6799 }
6800
6801
wpa_sm_get_pmksa_cache(struct wpa_sm * sm)6802 struct rsn_pmksa_cache * wpa_sm_get_pmksa_cache(struct wpa_sm *sm)
6803 {
6804 return sm ? sm->pmksa : NULL;
6805 }
6806
6807
wpa_sm_set_cur_pmksa(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)6808 void wpa_sm_set_cur_pmksa(struct wpa_sm *sm,
6809 struct rsn_pmksa_cache_entry *entry)
6810 {
6811 if (sm)
6812 sm->cur_pmksa = entry;
6813 }
6814
6815
wpa_sm_set_driver_bss_selection(struct wpa_sm * sm,bool driver_bss_selection)6816 void wpa_sm_set_driver_bss_selection(struct wpa_sm *sm,
6817 bool driver_bss_selection)
6818 {
6819 if (sm)
6820 sm->driver_bss_selection = driver_bss_selection;
6821 }
6822