1 /*
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
4 * Copyright(c) 2015 Intel Deutschland GmbH
5 *
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
8 */
9
10 #include "includes.h"
11
12 #include "common.h"
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "crypto/sha256.h"
19 #include "crypto/sha384.h"
20 #include "crypto/sha512.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/ieee802_11_common.h"
23 #include "common/ocv.h"
24 #include "common/dpp.h"
25 #include "common/wpa_ctrl.h"
26 #include "eap_common/eap_defs.h"
27 #include "eapol_supp/eapol_supp_sm.h"
28 #include "drivers/driver.h"
29 #include "wpa.h"
30 #include "eloop.h"
31 #include "preauth.h"
32 #include "pmksa_cache.h"
33 #include "wpa_i.h"
34 #include "wpa_ie.h"
35 #include "wpa_supplicant_i.h"
36 #include "driver_i.h"
37
38 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
39
40
41 /**
42 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
43 * @sm: Pointer to WPA state machine data from wpa_sm_init()
44 * @ptk: PTK for Key Confirmation/Encryption Key
45 * @ver: Version field from Key Info
46 * @dest: Destination address for the frame
47 * @proto: Ethertype (usually ETH_P_EAPOL)
48 * @msg: EAPOL-Key message
49 * @msg_len: Length of message
50 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
51 * Returns: >= 0 on success, < 0 on failure
52 */
wpa_eapol_key_send(struct wpa_sm * sm,struct wpa_ptk * ptk,int ver,const u8 * dest,u16 proto,u8 * msg,size_t msg_len,u8 * key_mic)53 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
54 int ver, const u8 *dest, u16 proto,
55 u8 *msg, size_t msg_len, u8 *key_mic)
56 {
57 int ret = -1;
58 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
59
60 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
61 " ver=%d mic_len=%d key_mgmt=0x%x",
62 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
63 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
64 /*
65 * Association event was not yet received; try to fetch
66 * BSSID from the driver.
67 */
68 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
69 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
70 "WPA: Failed to read BSSID for "
71 "EAPOL-Key destination address");
72 } else {
73 dest = sm->bssid;
74 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
75 "WPA: Use BSSID (" MACSTR
76 ") as the destination for EAPOL-Key",
77 MAC2STR(dest));
78 }
79 }
80
81 if (mic_len) {
82 if (key_mic && (!ptk || !ptk->kck_len))
83 goto out;
84
85 if (key_mic &&
86 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
87 msg, msg_len, key_mic)) {
88 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
89 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
90 ver, sm->key_mgmt);
91 goto out;
92 }
93 if (ptk)
94 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
95 ptk->kck, ptk->kck_len);
96 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
97 key_mic, mic_len);
98 } else {
99 #ifdef CONFIG_FILS
100 /* AEAD cipher - Key MIC field not used */
101 struct ieee802_1x_hdr *s_hdr, *hdr;
102 struct wpa_eapol_key *s_key, *key;
103 u8 *buf, *s_key_data, *key_data;
104 size_t buf_len = msg_len + AES_BLOCK_SIZE;
105 size_t key_data_len;
106 u16 eapol_len;
107 const u8 *aad[1];
108 size_t aad_len[1];
109
110 if (!ptk || !ptk->kek_len)
111 goto out;
112
113 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
114 sizeof(struct wpa_eapol_key) - 2;
115
116 buf = os_malloc(buf_len);
117 if (!buf)
118 goto out;
119
120 os_memcpy(buf, msg, msg_len);
121 hdr = (struct ieee802_1x_hdr *) buf;
122 key = (struct wpa_eapol_key *) (hdr + 1);
123 key_data = ((u8 *) (key + 1)) + 2;
124
125 /* Update EAPOL header to include AES-SIV overhead */
126 eapol_len = be_to_host16(hdr->length);
127 eapol_len += AES_BLOCK_SIZE;
128 hdr->length = host_to_be16(eapol_len);
129
130 /* Update Key Data Length field to include AES-SIV overhead */
131 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
132
133 s_hdr = (struct ieee802_1x_hdr *) msg;
134 s_key = (struct wpa_eapol_key *) (s_hdr + 1);
135 s_key_data = ((u8 *) (s_key + 1)) + 2;
136
137 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
138 s_key_data, key_data_len);
139
140 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
141 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
142 * to Key Data (exclusive). */
143 aad[0] = buf;
144 aad_len[0] = key_data - buf;
145 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
146 s_key_data, key_data_len,
147 1, aad, aad_len, key_data) < 0) {
148 os_free(buf);
149 goto out;
150 }
151
152 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
153 key_data, AES_BLOCK_SIZE + key_data_len);
154
155 os_free(msg);
156 msg = buf;
157 msg_len = buf_len;
158 #else /* CONFIG_FILS */
159 goto out;
160 #endif /* CONFIG_FILS */
161 }
162
163 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
164 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
165 eapol_sm_notify_tx_eapol_key(sm->eapol);
166 out:
167 os_free(msg);
168 return ret;
169 }
170
171
172 /**
173 * wpa_sm_key_request - Send EAPOL-Key Request
174 * @sm: Pointer to WPA state machine data from wpa_sm_init()
175 * @error: Indicate whether this is an Michael MIC error report
176 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
177 *
178 * Send an EAPOL-Key Request to the current authenticator. This function is
179 * used to request rekeying and it is usually called when a local Michael MIC
180 * failure is detected.
181 */
wpa_sm_key_request(struct wpa_sm * sm,int error,int pairwise)182 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
183 {
184 size_t mic_len, hdrlen, rlen;
185 struct wpa_eapol_key *reply;
186 int key_info, ver;
187 u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic;
188
189 if (pairwise && sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
190 wpa_sm_get_state(sm) == WPA_COMPLETED) {
191 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
192 "WPA: PTK0 rekey not allowed, reconnecting");
193 wpa_sm_reconnect(sm);
194 return;
195 }
196
197 if (wpa_use_akm_defined(sm->key_mgmt))
198 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
199 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
200 wpa_key_mgmt_sha256(sm->key_mgmt))
201 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
202 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
203 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
204 else
205 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
206
207 if (wpa_sm_get_bssid(sm, bssid) < 0) {
208 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
209 "Failed to read BSSID for EAPOL-Key request");
210 return;
211 }
212
213 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
214 hdrlen = sizeof(*reply) + mic_len + 2;
215 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
216 hdrlen, &rlen, (void *) &reply);
217 if (rbuf == NULL)
218 return;
219
220 reply->type = (sm->proto == WPA_PROTO_RSN ||
221 sm->proto == WPA_PROTO_OSEN) ?
222 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
223 key_info = WPA_KEY_INFO_REQUEST | ver;
224 if (sm->ptk_set)
225 key_info |= WPA_KEY_INFO_SECURE;
226 if (sm->ptk_set && mic_len)
227 key_info |= WPA_KEY_INFO_MIC;
228 if (error)
229 key_info |= WPA_KEY_INFO_ERROR;
230 if (pairwise)
231 key_info |= WPA_KEY_INFO_KEY_TYPE;
232 WPA_PUT_BE16(reply->key_info, key_info);
233 WPA_PUT_BE16(reply->key_length, 0);
234 os_memcpy(reply->replay_counter, sm->request_counter,
235 WPA_REPLAY_COUNTER_LEN);
236 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
237
238 mic = (u8 *) (reply + 1);
239 WPA_PUT_BE16(mic + mic_len, 0);
240 if (!(key_info & WPA_KEY_INFO_MIC))
241 key_mic = NULL;
242 else
243 key_mic = mic;
244
245 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
246 "WPA: Sending EAPOL-Key Request (error=%d "
247 "pairwise=%d ptk_set=%d len=%lu)",
248 error, pairwise, sm->ptk_set, (unsigned long) rlen);
249 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen,
250 key_mic);
251 }
252
253
wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm * sm)254 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
255 {
256 #ifdef CONFIG_IEEE80211R
257 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
258 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
259 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
260 "RSN: Cannot set low order 256 bits of MSK for key management offload");
261 } else {
262 #endif /* CONFIG_IEEE80211R */
263 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
264 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
265 "RSN: Cannot set PMK for key management offload");
266 #ifdef CONFIG_IEEE80211R
267 }
268 #endif /* CONFIG_IEEE80211R */
269 }
270
271
wpa_supplicant_get_pmk(struct wpa_sm * sm,const unsigned char * src_addr,const u8 * pmkid)272 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
273 const unsigned char *src_addr,
274 const u8 *pmkid)
275 {
276 int abort_cached = 0;
277
278 if (pmkid && !sm->cur_pmksa) {
279 /* When using drivers that generate RSN IE, wpa_supplicant may
280 * not have enough time to get the association information
281 * event before receiving this 1/4 message, so try to find a
282 * matching PMKSA cache entry here. */
283 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid,
284 NULL, 0);
285 if (sm->cur_pmksa) {
286 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
287 "RSN: found matching PMKID from PMKSA cache");
288 } else {
289 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
290 "RSN: no matching PMKID found");
291 abort_cached = 1;
292 }
293 }
294
295 if (pmkid && sm->cur_pmksa &&
296 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
297 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
298 wpa_sm_set_pmk_from_pmksa(sm);
299 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
300 sm->pmk, sm->pmk_len);
301 eapol_sm_notify_cached(sm->eapol);
302 #ifdef CONFIG_IEEE80211R
303 sm->xxkey_len = 0;
304 #ifdef CONFIG_SAE
305 if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE &&
306 sm->pmk_len == PMK_LEN) {
307 /* Need to allow FT key derivation to proceed with
308 * PMK from SAE being used as the XXKey in cases where
309 * the PMKID in msg 1/4 matches the PMKSA entry that was
310 * just added based on SAE authentication for the
311 * initial mobility domain association. */
312 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
313 sm->xxkey_len = sm->pmk_len;
314 }
315 #endif /* CONFIG_SAE */
316 #endif /* CONFIG_IEEE80211R */
317 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
318 int res, pmk_len;
319 #ifdef CONFIG_IEEE80211R
320 u8 buf[2 * PMK_LEN];
321 #endif /* CONFIG_IEEE80211R */
322
323 if (wpa_key_mgmt_sha384(sm->key_mgmt))
324 pmk_len = PMK_LEN_SUITE_B_192;
325 else
326 pmk_len = PMK_LEN;
327 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
328 if (res) {
329 if (pmk_len == PMK_LEN) {
330 /*
331 * EAP-LEAP is an exception from other EAP
332 * methods: it uses only 16-byte PMK.
333 */
334 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
335 pmk_len = 16;
336 }
337 }
338 #ifdef CONFIG_IEEE80211R
339 if (res == 0 &&
340 eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) {
341 if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
342 os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN);
343 sm->xxkey_len = SHA384_MAC_LEN;
344 } else {
345 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
346 sm->xxkey_len = PMK_LEN;
347 }
348 forced_memzero(buf, sizeof(buf));
349 if (sm->proto == WPA_PROTO_RSN &&
350 wpa_key_mgmt_ft(sm->key_mgmt)) {
351 struct rsn_pmksa_cache_entry *sa = NULL;
352 const u8 *fils_cache_id = NULL;
353
354 #ifdef CONFIG_FILS
355 if (sm->fils_cache_id_set)
356 fils_cache_id = sm->fils_cache_id;
357 #endif /* CONFIG_FILS */
358 wpa_hexdump_key(MSG_DEBUG,
359 "FT: Cache XXKey/MPMK",
360 sm->xxkey, sm->xxkey_len);
361 sa = pmksa_cache_add(sm->pmksa,
362 sm->xxkey, sm->xxkey_len,
363 NULL, NULL, 0,
364 src_addr, sm->own_addr,
365 sm->network_ctx,
366 sm->key_mgmt,
367 fils_cache_id);
368 if (!sm->cur_pmksa)
369 sm->cur_pmksa = sa;
370 }
371 }
372 #endif /* CONFIG_IEEE80211R */
373 if (res == 0) {
374 struct rsn_pmksa_cache_entry *sa = NULL;
375 const u8 *fils_cache_id = NULL;
376
377 #ifdef CONFIG_FILS
378 if (sm->fils_cache_id_set)
379 fils_cache_id = sm->fils_cache_id;
380 #endif /* CONFIG_FILS */
381
382 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
383 "machines", sm->pmk, pmk_len);
384 sm->pmk_len = pmk_len;
385 wpa_supplicant_key_mgmt_set_pmk(sm);
386 if (sm->proto == WPA_PROTO_RSN &&
387 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
388 !wpa_key_mgmt_ft(sm->key_mgmt)) {
389 sa = pmksa_cache_add(sm->pmksa,
390 sm->pmk, pmk_len, NULL,
391 NULL, 0,
392 src_addr, sm->own_addr,
393 sm->network_ctx,
394 sm->key_mgmt,
395 fils_cache_id);
396 }
397 if (!sm->cur_pmksa && pmkid &&
398 pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL,
399 0)) {
400 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
401 "RSN: the new PMK matches with the "
402 "PMKID");
403 abort_cached = 0;
404 } else if (sa && !sm->cur_pmksa && pmkid) {
405 /*
406 * It looks like the authentication server
407 * derived mismatching MSK. This should not
408 * really happen, but bugs happen.. There is not
409 * much we can do here without knowing what
410 * exactly caused the server to misbehave.
411 */
412 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
413 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
414 return -1;
415 }
416
417 if (!sm->cur_pmksa)
418 sm->cur_pmksa = sa;
419 #ifdef CONFIG_IEEE80211R
420 } else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) {
421 wpa_printf(MSG_DEBUG,
422 "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol");
423 #endif /* CONFIG_IEEE80211R */
424 } else {
425 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
426 "WPA: Failed to get master session key from "
427 "EAPOL state machines - key handshake "
428 "aborted");
429 if (sm->cur_pmksa) {
430 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
431 "RSN: Cancelled PMKSA caching "
432 "attempt");
433 sm->cur_pmksa = NULL;
434 abort_cached = 1;
435 } else if (!abort_cached) {
436 return -1;
437 }
438 }
439 }
440
441 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
442 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
443 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
444 {
445 /* Send EAPOL-Start to trigger full EAP authentication. */
446 u8 *buf;
447 size_t buflen;
448
449 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
450 "RSN: no PMKSA entry found - trigger "
451 "full EAP authentication");
452 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
453 NULL, 0, &buflen, NULL);
454 if (buf) {
455 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
456 buf, buflen);
457 os_free(buf);
458 return -2;
459 }
460
461 return -1;
462 }
463
464 return 0;
465 }
466
467
468 /**
469 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
470 * @sm: Pointer to WPA state machine data from wpa_sm_init()
471 * @dst: Destination address for the frame
472 * @key: Pointer to the EAPOL-Key frame header
473 * @ver: Version bits from EAPOL-Key Key Info
474 * @nonce: Nonce value for the EAPOL-Key frame
475 * @wpa_ie: WPA/RSN IE
476 * @wpa_ie_len: Length of the WPA/RSN IE
477 * @ptk: PTK to use for keyed hash and encryption
478 * Returns: >= 0 on success, < 0 on failure
479 */
wpa_supplicant_send_2_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,int ver,const u8 * nonce,const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ptk * ptk)480 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
481 const struct wpa_eapol_key *key,
482 int ver, const u8 *nonce,
483 const u8 *wpa_ie, size_t wpa_ie_len,
484 struct wpa_ptk *ptk)
485 {
486 size_t mic_len, hdrlen, rlen;
487 struct wpa_eapol_key *reply;
488 u8 *rbuf, *key_mic;
489 u8 *rsn_ie_buf = NULL;
490 u16 key_info;
491
492 if (wpa_ie == NULL) {
493 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
494 "cannot generate msg 2/4");
495 return -1;
496 }
497
498 #ifdef CONFIG_IEEE80211R
499 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
500 int res;
501
502 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE before FT processing",
503 wpa_ie, wpa_ie_len);
504 /*
505 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
506 * FTIE from (Re)Association Response.
507 */
508 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
509 sm->assoc_resp_ies_len);
510 if (rsn_ie_buf == NULL)
511 return -1;
512 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
513 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
514 sm->pmk_r1_name);
515 if (res < 0) {
516 os_free(rsn_ie_buf);
517 return -1;
518 }
519 wpa_hexdump(MSG_DEBUG,
520 "WPA: WPA IE after PMKID[PMKR1Name] addition into RSNE",
521 rsn_ie_buf, wpa_ie_len);
522
523 if (sm->assoc_resp_ies) {
524 wpa_hexdump(MSG_DEBUG, "WPA: Add assoc_resp_ies",
525 sm->assoc_resp_ies,
526 sm->assoc_resp_ies_len);
527 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
528 sm->assoc_resp_ies_len);
529 wpa_ie_len += sm->assoc_resp_ies_len;
530 }
531
532 wpa_ie = rsn_ie_buf;
533 }
534 #endif /* CONFIG_IEEE80211R */
535
536 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
537
538 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
539 hdrlen = sizeof(*reply) + mic_len + 2;
540 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
541 NULL, hdrlen + wpa_ie_len,
542 &rlen, (void *) &reply);
543 if (rbuf == NULL) {
544 os_free(rsn_ie_buf);
545 return -1;
546 }
547
548 reply->type = (sm->proto == WPA_PROTO_RSN ||
549 sm->proto == WPA_PROTO_OSEN) ?
550 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
551 key_info = ver | WPA_KEY_INFO_KEY_TYPE;
552 if (mic_len)
553 key_info |= WPA_KEY_INFO_MIC;
554 else
555 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
556 WPA_PUT_BE16(reply->key_info, key_info);
557 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
558 WPA_PUT_BE16(reply->key_length, 0);
559 else
560 os_memcpy(reply->key_length, key->key_length, 2);
561 os_memcpy(reply->replay_counter, key->replay_counter,
562 WPA_REPLAY_COUNTER_LEN);
563 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
564 WPA_REPLAY_COUNTER_LEN);
565
566 key_mic = (u8 *) (reply + 1);
567 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */
568 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
569 os_free(rsn_ie_buf);
570
571 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
572
573 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Sending EAPOL-Key 2/4");
574 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
575 key_mic);
576 }
577
578
wpa_derive_ptk(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,struct wpa_ptk * ptk)579 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
580 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
581 {
582 const u8 *z = NULL;
583 size_t z_len = 0, kdk_len;
584 int akmp;
585
586 #ifdef CONFIG_IEEE80211R
587 if (wpa_key_mgmt_ft(sm->key_mgmt))
588 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
589 #endif /* CONFIG_IEEE80211R */
590
591 #ifdef CONFIG_DPP2
592 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
593 z = wpabuf_head(sm->dpp_z);
594 z_len = wpabuf_len(sm->dpp_z);
595 }
596 #endif /* CONFIG_DPP2 */
597
598 akmp = sm->key_mgmt;
599 #ifdef CONFIG_OWE
600 if (sm->owe_ptk_workaround && akmp == WPA_KEY_MGMT_OWE &&
601 sm->pmk_len > 32) {
602 wpa_printf(MSG_DEBUG,
603 "OWE: Force SHA256 for PTK derivation");
604 akmp |= WPA_KEY_MGMT_PSK_SHA256;
605 }
606 #endif /* CONFIG_OWE */
607
608 if (sm->force_kdk_derivation ||
609 (sm->secure_ltf && sm->ap_rsnxe && sm->ap_rsnxe_len >= 4 &&
610 sm->ap_rsnxe[3] & BIT(WLAN_RSNX_CAPAB_SECURE_LTF - 8)))
611 kdk_len = WPA_KDK_MAX_LEN;
612 else
613 kdk_len = 0;
614
615 return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
616 sm->own_addr, sm->bssid, sm->snonce,
617 key->key_nonce, ptk, akmp,
618 sm->pairwise_cipher, z, z_len,
619 kdk_len);
620 }
621
622
wpa_handle_ext_key_id(struct wpa_sm * sm,struct wpa_eapol_ie_parse * kde)623 static int wpa_handle_ext_key_id(struct wpa_sm *sm,
624 struct wpa_eapol_ie_parse *kde)
625 {
626 if (sm->ext_key_id) {
627 u16 key_id;
628
629 if (!kde->key_id) {
630 wpa_msg(sm->ctx->msg_ctx,
631 sm->use_ext_key_id ? MSG_INFO : MSG_DEBUG,
632 "RSN: No Key ID in Extended Key ID handshake");
633 sm->keyidx_active = 0;
634 return sm->use_ext_key_id ? -1 : 0;
635 }
636
637 key_id = kde->key_id[0] & 0x03;
638 if (key_id > 1) {
639 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
640 "RSN: Invalid Extended Key ID: %d", key_id);
641 return -1;
642 }
643 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
644 "RSN: Using Extended Key ID %d", key_id);
645 sm->keyidx_active = key_id;
646 sm->use_ext_key_id = 1;
647 } else {
648 if (kde->key_id && (kde->key_id[0] & 0x03)) {
649 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
650 "RSN: Non-zero Extended Key ID Key ID in PTK0 handshake");
651 return -1;
652 }
653
654 if (kde->key_id) {
655 /* This is not supposed to be included here, but ignore
656 * the case of matching Key ID 0 just in case. */
657 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
658 "RSN: Extended Key ID Key ID 0 in PTK0 handshake");
659 }
660 sm->keyidx_active = 0;
661 sm->use_ext_key_id = 0;
662 }
663
664 return 0;
665 }
666
667
wpa_supplicant_process_1_of_4(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)668 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
669 const unsigned char *src_addr,
670 const struct wpa_eapol_key *key,
671 u16 ver, const u8 *key_data,
672 size_t key_data_len)
673 {
674 struct wpa_eapol_ie_parse ie;
675 struct wpa_ptk *ptk;
676 int res;
677 u8 *kde, *kde_buf = NULL;
678 size_t kde_len;
679
680 if (wpa_sm_get_network_ctx(sm) == NULL) {
681 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
682 "found (msg 1 of 4)");
683 return;
684 }
685
686 if (sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
687 wpa_sm_get_state(sm) == WPA_COMPLETED) {
688 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
689 "WPA: PTK0 rekey not allowed, reconnecting");
690 wpa_sm_reconnect(sm);
691 return;
692 }
693
694 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
695 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: RX message 1 of 4-Way "
696 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
697
698 os_memset(&ie, 0, sizeof(ie));
699
700 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
701 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
702 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
703 key_data, key_data_len);
704 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
705 goto failed;
706 if (ie.pmkid) {
707 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
708 "Authenticator", ie.pmkid, PMKID_LEN);
709 }
710 }
711
712 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
713 if (res == -2) {
714 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
715 "msg 1/4 - requesting full EAP authentication");
716 return;
717 }
718 if (res)
719 goto failed;
720
721 if (sm->renew_snonce) {
722 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
723 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
724 "WPA: Failed to get random data for SNonce");
725 goto failed;
726 }
727 sm->renew_snonce = 0;
728 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
729 sm->snonce, WPA_NONCE_LEN);
730 }
731
732 /* Calculate PTK which will be stored as a temporary PTK until it has
733 * been verified when processing message 3/4. */
734 ptk = &sm->tptk;
735 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
736 goto failed;
737 if (sm->pairwise_cipher == WPA_CIPHER_TKIP) {
738 u8 buf[8];
739 /* Supplicant: swap tx/rx Mic keys */
740 os_memcpy(buf, &ptk->tk[16], 8);
741 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
742 os_memcpy(&ptk->tk[24], buf, 8);
743 forced_memzero(buf, sizeof(buf));
744 }
745 sm->tptk_set = 1;
746
747 kde = sm->assoc_wpa_ie;
748 kde_len = sm->assoc_wpa_ie_len;
749 kde_buf = os_malloc(kde_len +
750 2 + RSN_SELECTOR_LEN + 3 +
751 sm->assoc_rsnxe_len +
752 2 + RSN_SELECTOR_LEN + 1 +
753 2 + RSN_SELECTOR_LEN + 2);
754 if (!kde_buf)
755 goto failed;
756 os_memcpy(kde_buf, kde, kde_len);
757 kde = kde_buf;
758
759 #ifdef CONFIG_OCV
760 if (wpa_sm_ocv_enabled(sm)) {
761 struct wpa_channel_info ci;
762 u8 *pos;
763
764 pos = kde + kde_len;
765 if (wpa_sm_channel_info(sm, &ci) != 0) {
766 wpa_printf(MSG_WARNING,
767 "Failed to get channel info for OCI element in EAPOL-Key 2/4");
768 goto failed;
769 }
770 #ifdef CONFIG_TESTING_OPTIONS
771 if (sm->oci_freq_override_eapol) {
772 wpa_printf(MSG_INFO,
773 "TEST: Override OCI KDE frequency %d -> %d MHz",
774 ci.frequency, sm->oci_freq_override_eapol);
775 ci.frequency = sm->oci_freq_override_eapol;
776 }
777 #endif /* CONFIG_TESTING_OPTIONS */
778
779 if (ocv_insert_oci_kde(&ci, &pos) < 0)
780 goto failed;
781 kde_len = pos - kde;
782 }
783 #endif /* CONFIG_OCV */
784
785 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) {
786 os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len);
787 kde_len += sm->assoc_rsnxe_len;
788 }
789
790 #ifdef CONFIG_P2P
791 if (sm->p2p) {
792 u8 *pos;
793
794 wpa_printf(MSG_DEBUG,
795 "P2P: Add IP Address Request KDE into EAPOL-Key 2/4");
796 pos = kde + kde_len;
797 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
798 *pos++ = RSN_SELECTOR_LEN + 1;
799 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
800 pos += RSN_SELECTOR_LEN;
801 *pos++ = 0x01;
802 kde_len = pos - kde;
803 }
804 #endif /* CONFIG_P2P */
805
806 #ifdef CONFIG_DPP2
807 if (DPP_VERSION > 1 && sm->key_mgmt == WPA_KEY_MGMT_DPP) {
808 u8 *pos;
809
810 wpa_printf(MSG_DEBUG, "DPP: Add DPP KDE into EAPOL-Key 2/4");
811 pos = kde + kde_len;
812 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
813 *pos++ = RSN_SELECTOR_LEN + 2;
814 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_DPP);
815 pos += RSN_SELECTOR_LEN;
816 *pos++ = DPP_VERSION; /* Protocol Version */
817 *pos = 0; /* Flags */
818 if (sm->dpp_pfs == 0)
819 *pos |= DPP_KDE_PFS_ALLOWED;
820 else if (sm->dpp_pfs == 1)
821 *pos |= DPP_KDE_PFS_ALLOWED | DPP_KDE_PFS_REQUIRED;
822 pos++;
823 kde_len = pos - kde;
824 }
825 #endif /* CONFIG_DPP2 */
826
827 if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce,
828 kde, kde_len, ptk) < 0)
829 goto failed;
830
831 os_free(kde_buf);
832 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
833 return;
834
835 failed:
836 os_free(kde_buf);
837 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
838 }
839
840
wpa_sm_start_preauth(void * eloop_ctx,void * timeout_ctx)841 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
842 {
843 struct wpa_sm *sm = eloop_ctx;
844 rsn_preauth_candidate_process(sm);
845 }
846
847
wpa_supplicant_key_neg_complete(struct wpa_sm * sm,const u8 * addr,int secure)848 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
849 const u8 *addr, int secure)
850 {
851 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
852 "WPA: Key negotiation completed with "
853 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
854 wpa_cipher_txt(sm->pairwise_cipher),
855 wpa_cipher_txt(sm->group_cipher));
856 wpa_sm_cancel_auth_timeout(sm);
857 wpa_sm_set_state(sm, WPA_COMPLETED);
858
859 if (secure) {
860 wpa_sm_mlme_setprotection(
861 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
862 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
863 eapol_sm_notify_portValid(sm->eapol, true);
864 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
865 sm->key_mgmt == WPA_KEY_MGMT_DPP ||
866 sm->key_mgmt == WPA_KEY_MGMT_OWE)
867 eapol_sm_notify_eap_success(sm->eapol, true);
868 /*
869 * Start preauthentication after a short wait to avoid a
870 * possible race condition between the data receive and key
871 * configuration after the 4-Way Handshake. This increases the
872 * likelihood of the first preauth EAPOL-Start frame getting to
873 * the target AP.
874 */
875 if (!dl_list_empty(&sm->pmksa_candidates))
876 eloop_register_timeout(1, 0, wpa_sm_start_preauth,
877 sm, NULL);
878 }
879
880 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
881 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
882 "RSN: Authenticator accepted "
883 "opportunistic PMKSA entry - marking it valid");
884 sm->cur_pmksa->opportunistic = 0;
885 }
886
887 #ifdef CONFIG_IEEE80211R
888 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
889 /* Prepare for the next transition */
890 wpa_ft_prepare_auth_request(sm, NULL);
891 }
892 #endif /* CONFIG_IEEE80211R */
893 }
894
895
wpa_sm_rekey_ptk(void * eloop_ctx,void * timeout_ctx)896 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
897 {
898 struct wpa_sm *sm = eloop_ctx;
899 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
900 wpa_sm_key_request(sm, 0, 1);
901 }
902
903
wpa_supplicant_install_ptk(struct wpa_sm * sm,const struct wpa_eapol_key * key,enum key_flag key_flag)904 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
905 const struct wpa_eapol_key *key,
906 enum key_flag key_flag)
907 {
908 int keylen, rsclen;
909 enum wpa_alg alg;
910 const u8 *key_rsc;
911
912 if (sm->ptk.installed) {
913 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
914 "WPA: Do not re-install same PTK to the driver");
915 return 0;
916 }
917
918 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
919 "WPA: Installing PTK to the driver");
920
921 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
922 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
923 "Suite: NONE - do not use pairwise keys");
924 return 0;
925 }
926
927 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
928 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
929 "WPA: Unsupported pairwise cipher %d",
930 sm->pairwise_cipher);
931 return -1;
932 }
933
934 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
935 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
936 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
937 wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",
938 keylen, (long unsigned int) sm->ptk.tk_len);
939 return -1;
940 }
941 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
942
943 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
944 key_rsc = null_rsc;
945 } else {
946 key_rsc = key->key_rsc;
947 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
948 }
949
950 if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, 1, key_rsc,
951 rsclen, sm->ptk.tk, keylen,
952 KEY_FLAG_PAIRWISE | key_flag) < 0) {
953 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
954 "WPA: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
955 MACSTR " idx=%d key_flag=0x%x)",
956 alg, keylen, MAC2STR(sm->bssid),
957 sm->keyidx_active, key_flag);
958 return -1;
959 }
960
961 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
962 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
963
964 /* TK is not needed anymore in supplicant */
965 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
966 sm->ptk.tk_len = 0;
967 sm->ptk.installed = 1;
968
969 if (sm->wpa_ptk_rekey) {
970 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
971 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
972 sm, NULL);
973 }
974 return 0;
975 }
976
977
wpa_supplicant_activate_ptk(struct wpa_sm * sm)978 static int wpa_supplicant_activate_ptk(struct wpa_sm *sm)
979 {
980 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
981 "WPA: Activate PTK (idx=%d bssid=" MACSTR ")",
982 sm->keyidx_active, MAC2STR(sm->bssid));
983
984 if (wpa_sm_set_key(sm, 0, sm->bssid, sm->keyidx_active, 0, NULL, 0,
985 NULL, 0, KEY_FLAG_PAIRWISE_RX_TX_MODIFY) < 0) {
986 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
987 "WPA: Failed to activate PTK for TX (idx=%d bssid="
988 MACSTR ")", sm->keyidx_active, MAC2STR(sm->bssid));
989 return -1;
990 }
991 return 0;
992 }
993
994
wpa_supplicant_check_group_cipher(struct wpa_sm * sm,int group_cipher,int keylen,int maxkeylen,int * key_rsc_len,enum wpa_alg * alg)995 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
996 int group_cipher,
997 int keylen, int maxkeylen,
998 int *key_rsc_len,
999 enum wpa_alg *alg)
1000 {
1001 int klen;
1002
1003 *alg = wpa_cipher_to_alg(group_cipher);
1004 if (*alg == WPA_ALG_NONE) {
1005 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1006 "WPA: Unsupported Group Cipher %d",
1007 group_cipher);
1008 return -1;
1009 }
1010 *key_rsc_len = wpa_cipher_rsc_len(group_cipher);
1011
1012 klen = wpa_cipher_key_len(group_cipher);
1013 if (keylen != klen || maxkeylen < klen) {
1014 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1015 "WPA: Unsupported %s Group Cipher key length %d (%d)",
1016 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
1017 return -1;
1018 }
1019 return 0;
1020 }
1021
1022
1023 struct wpa_gtk_data {
1024 enum wpa_alg alg;
1025 int tx, key_rsc_len, keyidx;
1026 u8 gtk[32];
1027 int gtk_len;
1028 };
1029
1030
wpa_supplicant_install_gtk(struct wpa_sm * sm,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1031 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
1032 const struct wpa_gtk_data *gd,
1033 const u8 *key_rsc, int wnm_sleep)
1034 {
1035 const u8 *_gtk = gd->gtk;
1036 u8 gtk_buf[32];
1037
1038 /* Detect possible key reinstallation */
1039 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
1040 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
1041 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
1042 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
1043 sm->gtk_wnm_sleep.gtk_len) == 0)) {
1044 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1045 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
1046 gd->keyidx, gd->tx, gd->gtk_len);
1047 return 0;
1048 }
1049
1050 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
1051 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1052 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
1053 gd->keyidx, gd->tx, gd->gtk_len);
1054 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
1055 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1056 /* Swap Tx/Rx keys for Michael MIC */
1057 os_memcpy(gtk_buf, gd->gtk, 16);
1058 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1059 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1060 _gtk = gtk_buf;
1061 }
1062 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1063 if (wpa_sm_set_key(sm, gd->alg, NULL,
1064 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
1065 _gtk, gd->gtk_len,
1066 KEY_FLAG_GROUP_RX_TX_DEFAULT) < 0) {
1067 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1068 "WPA: Failed to set GTK to the driver "
1069 "(Group only)");
1070 forced_memzero(gtk_buf, sizeof(gtk_buf));
1071 return -1;
1072 }
1073 } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr,
1074 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
1075 _gtk, gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1076 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1077 "WPA: Failed to set GTK to "
1078 "the driver (alg=%d keylen=%d keyidx=%d)",
1079 gd->alg, gd->gtk_len, gd->keyidx);
1080 forced_memzero(gtk_buf, sizeof(gtk_buf));
1081 return -1;
1082 }
1083 forced_memzero(gtk_buf, sizeof(gtk_buf));
1084
1085 if (wnm_sleep) {
1086 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
1087 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
1088 sm->gtk_wnm_sleep.gtk_len);
1089 } else {
1090 sm->gtk.gtk_len = gd->gtk_len;
1091 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
1092 }
1093
1094 return 0;
1095 }
1096
1097
wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm * sm,int tx)1098 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
1099 int tx)
1100 {
1101 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
1102 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
1103 * seemed to set this bit (incorrectly, since Tx is only when
1104 * doing Group Key only APs) and without this workaround, the
1105 * data connection does not work because wpa_supplicant
1106 * configured non-zero keyidx to be used for unicast. */
1107 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1108 "WPA: Tx bit set for GTK, but pairwise "
1109 "keys are used - ignore Tx bit");
1110 return 0;
1111 }
1112 return tx;
1113 }
1114
1115
wpa_supplicant_rsc_relaxation(const struct wpa_sm * sm,const u8 * rsc)1116 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
1117 const u8 *rsc)
1118 {
1119 int rsclen;
1120
1121 if (!sm->wpa_rsc_relaxation)
1122 return 0;
1123
1124 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
1125
1126 /*
1127 * Try to detect RSC (endian) corruption issue where the AP sends
1128 * the RSC bytes in EAPOL-Key message in the wrong order, both if
1129 * it's actually a 6-byte field (as it should be) and if it treats
1130 * it as an 8-byte field.
1131 * An AP model known to have this bug is the Sapido RB-1632.
1132 */
1133 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
1134 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1135 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
1136 rsc[0], rsc[1], rsc[2], rsc[3],
1137 rsc[4], rsc[5], rsc[6], rsc[7]);
1138
1139 return 1;
1140 }
1141
1142 return 0;
1143 }
1144
1145
wpa_supplicant_pairwise_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * gtk,size_t gtk_len,int key_info)1146 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
1147 const struct wpa_eapol_key *key,
1148 const u8 *gtk, size_t gtk_len,
1149 int key_info)
1150 {
1151 struct wpa_gtk_data gd;
1152 const u8 *key_rsc;
1153
1154 /*
1155 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
1156 * GTK KDE format:
1157 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
1158 * Reserved [bits 0-7]
1159 * GTK
1160 */
1161
1162 os_memset(&gd, 0, sizeof(gd));
1163 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
1164 gtk, gtk_len);
1165
1166 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
1167 return -1;
1168
1169 gd.keyidx = gtk[0] & 0x3;
1170 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1171 !!(gtk[0] & BIT(2)));
1172 gtk += 2;
1173 gtk_len -= 2;
1174
1175 os_memcpy(gd.gtk, gtk, gtk_len);
1176 gd.gtk_len = gtk_len;
1177
1178 key_rsc = key->key_rsc;
1179 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1180 key_rsc = null_rsc;
1181
1182 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1183 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1184 gtk_len, gtk_len,
1185 &gd.key_rsc_len, &gd.alg) ||
1186 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
1187 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1188 "RSN: Failed to install GTK");
1189 forced_memzero(&gd, sizeof(gd));
1190 return -1;
1191 }
1192 forced_memzero(&gd, sizeof(gd));
1193
1194 return 0;
1195 }
1196
1197
wpa_supplicant_install_igtk(struct wpa_sm * sm,const struct wpa_igtk_kde * igtk,int wnm_sleep)1198 static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
1199 const struct wpa_igtk_kde *igtk,
1200 int wnm_sleep)
1201 {
1202 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1203 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1204
1205 /* Detect possible key reinstallation */
1206 if ((sm->igtk.igtk_len == len &&
1207 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
1208 (sm->igtk_wnm_sleep.igtk_len == len &&
1209 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1210 sm->igtk_wnm_sleep.igtk_len) == 0)) {
1211 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1212 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1213 keyidx);
1214 return 0;
1215 }
1216
1217 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1218 "WPA: IGTK keyid %d pn " COMPACT_MACSTR,
1219 keyidx, MAC2STR(igtk->pn));
1220 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
1221 if (keyidx > 4095) {
1222 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1223 "WPA: Invalid IGTK KeyID %d", keyidx);
1224 return -1;
1225 }
1226 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1227 broadcast_ether_addr,
1228 keyidx, 0, igtk->pn, sizeof(igtk->pn),
1229 igtk->igtk, len, KEY_FLAG_GROUP_RX) < 0) {
1230 if (keyidx == 0x0400 || keyidx == 0x0500) {
1231 /* Assume the AP has broken PMF implementation since it
1232 * seems to have swapped the KeyID bytes. The AP cannot
1233 * be trusted to implement BIP correctly or provide a
1234 * valid IGTK, so do not try to configure this key with
1235 * swapped KeyID bytes. Instead, continue without
1236 * configuring the IGTK so that the driver can drop any
1237 * received group-addressed robust management frames due
1238 * to missing keys.
1239 *
1240 * Normally, this error behavior would result in us
1241 * disconnecting, but there are number of deployed APs
1242 * with this broken behavior, so as an interoperability
1243 * workaround, allow the connection to proceed. */
1244 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1245 "WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order");
1246 } else {
1247 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1248 "WPA: Failed to configure IGTK to the driver");
1249 return -1;
1250 }
1251 }
1252
1253 if (wnm_sleep) {
1254 sm->igtk_wnm_sleep.igtk_len = len;
1255 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1256 sm->igtk_wnm_sleep.igtk_len);
1257 } else {
1258 sm->igtk.igtk_len = len;
1259 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
1260 }
1261
1262 return 0;
1263 }
1264
1265
wpa_supplicant_install_bigtk(struct wpa_sm * sm,const struct wpa_bigtk_kde * bigtk,int wnm_sleep)1266 static int wpa_supplicant_install_bigtk(struct wpa_sm *sm,
1267 const struct wpa_bigtk_kde *bigtk,
1268 int wnm_sleep)
1269 {
1270 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1271 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1272
1273 /* Detect possible key reinstallation */
1274 if ((sm->bigtk.bigtk_len == len &&
1275 os_memcmp(sm->bigtk.bigtk, bigtk->bigtk,
1276 sm->bigtk.bigtk_len) == 0) ||
1277 (sm->bigtk_wnm_sleep.bigtk_len == len &&
1278 os_memcmp(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1279 sm->bigtk_wnm_sleep.bigtk_len) == 0)) {
1280 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1281 "WPA: Not reinstalling already in-use BIGTK to the driver (keyidx=%d)",
1282 keyidx);
1283 return 0;
1284 }
1285
1286 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1287 "WPA: BIGTK keyid %d pn " COMPACT_MACSTR,
1288 keyidx, MAC2STR(bigtk->pn));
1289 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK", bigtk->bigtk, len);
1290 if (keyidx < 6 || keyidx > 7) {
1291 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1292 "WPA: Invalid BIGTK KeyID %d", keyidx);
1293 return -1;
1294 }
1295 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1296 broadcast_ether_addr,
1297 keyidx, 0, bigtk->pn, sizeof(bigtk->pn),
1298 bigtk->bigtk, len, KEY_FLAG_GROUP_RX) < 0) {
1299 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1300 "WPA: Failed to configure BIGTK to the driver");
1301 return -1;
1302 }
1303
1304 if (wnm_sleep) {
1305 sm->bigtk_wnm_sleep.bigtk_len = len;
1306 os_memcpy(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1307 sm->bigtk_wnm_sleep.bigtk_len);
1308 } else {
1309 sm->bigtk.bigtk_len = len;
1310 os_memcpy(sm->bigtk.bigtk, bigtk->bigtk, sm->bigtk.bigtk_len);
1311 }
1312
1313 return 0;
1314 }
1315
1316
ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1317 static int ieee80211w_set_keys(struct wpa_sm *sm,
1318 struct wpa_eapol_ie_parse *ie)
1319 {
1320 size_t len;
1321
1322 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1323 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1324 return 0;
1325
1326 if (ie->igtk) {
1327 const struct wpa_igtk_kde *igtk;
1328
1329 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1330 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
1331 return -1;
1332
1333 igtk = (const struct wpa_igtk_kde *) ie->igtk;
1334 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
1335 return -1;
1336 }
1337
1338 if (ie->bigtk && sm->beacon_prot) {
1339 const struct wpa_bigtk_kde *bigtk;
1340
1341 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1342 if (ie->bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + len)
1343 return -1;
1344
1345 bigtk = (const struct wpa_bigtk_kde *) ie->bigtk;
1346 if (wpa_supplicant_install_bigtk(sm, bigtk, 0) < 0)
1347 return -1;
1348 }
1349
1350 return 0;
1351 }
1352
1353
wpa_report_ie_mismatch(struct wpa_sm * sm,const char * reason,const u8 * src_addr,const u8 * wpa_ie,size_t wpa_ie_len,const u8 * rsn_ie,size_t rsn_ie_len)1354 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
1355 const char *reason, const u8 *src_addr,
1356 const u8 *wpa_ie, size_t wpa_ie_len,
1357 const u8 *rsn_ie, size_t rsn_ie_len)
1358 {
1359 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
1360 reason, MAC2STR(src_addr));
1361
1362 if (sm->ap_wpa_ie) {
1363 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
1364 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
1365 }
1366 if (wpa_ie) {
1367 if (!sm->ap_wpa_ie) {
1368 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1369 "WPA: No WPA IE in Beacon/ProbeResp");
1370 }
1371 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
1372 wpa_ie, wpa_ie_len);
1373 }
1374
1375 if (sm->ap_rsn_ie) {
1376 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1377 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1378 }
1379 if (rsn_ie) {
1380 if (!sm->ap_rsn_ie) {
1381 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1382 "WPA: No RSN IE in Beacon/ProbeResp");
1383 }
1384 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1385 rsn_ie, rsn_ie_len);
1386 }
1387
1388 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
1389 }
1390
1391
1392 #ifdef CONFIG_IEEE80211R
1393
ft_validate_mdie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_mdie)1394 static int ft_validate_mdie(struct wpa_sm *sm,
1395 const unsigned char *src_addr,
1396 struct wpa_eapol_ie_parse *ie,
1397 const u8 *assoc_resp_mdie)
1398 {
1399 struct rsn_mdie *mdie;
1400
1401 mdie = (struct rsn_mdie *) (ie->mdie + 2);
1402 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
1403 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
1404 MOBILITY_DOMAIN_ID_LEN) != 0) {
1405 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
1406 "not match with the current mobility domain");
1407 return -1;
1408 }
1409
1410 if (assoc_resp_mdie &&
1411 (assoc_resp_mdie[1] != ie->mdie[1] ||
1412 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
1413 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
1414 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
1415 ie->mdie, 2 + ie->mdie[1]);
1416 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
1417 assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
1418 return -1;
1419 }
1420
1421 return 0;
1422 }
1423
1424
ft_validate_ftie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_ftie)1425 static int ft_validate_ftie(struct wpa_sm *sm,
1426 const unsigned char *src_addr,
1427 struct wpa_eapol_ie_parse *ie,
1428 const u8 *assoc_resp_ftie)
1429 {
1430 if (ie->ftie == NULL) {
1431 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1432 "FT: No FTIE in EAPOL-Key msg 3/4");
1433 return -1;
1434 }
1435
1436 if (assoc_resp_ftie == NULL)
1437 return 0;
1438
1439 if (assoc_resp_ftie[1] != ie->ftie[1] ||
1440 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
1441 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
1442 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
1443 ie->ftie, 2 + ie->ftie[1]);
1444 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
1445 assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
1446 return -1;
1447 }
1448
1449 return 0;
1450 }
1451
1452
ft_validate_rsnie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1453 static int ft_validate_rsnie(struct wpa_sm *sm,
1454 const unsigned char *src_addr,
1455 struct wpa_eapol_ie_parse *ie)
1456 {
1457 struct wpa_ie_data rsn;
1458
1459 if (!ie->rsn_ie)
1460 return 0;
1461
1462 /*
1463 * Verify that PMKR1Name from EAPOL-Key message 3/4
1464 * matches with the value we derived.
1465 */
1466 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
1467 rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
1468 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
1469 "FT 4-way handshake message 3/4");
1470 return -1;
1471 }
1472
1473 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
1474 {
1475 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1476 "FT: PMKR1Name mismatch in "
1477 "FT 4-way handshake message 3/4");
1478 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
1479 rsn.pmkid, WPA_PMK_NAME_LEN);
1480 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1481 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1482 return -1;
1483 }
1484
1485 return 0;
1486 }
1487
1488
wpa_supplicant_validate_ie_ft(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1489 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
1490 const unsigned char *src_addr,
1491 struct wpa_eapol_ie_parse *ie)
1492 {
1493 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
1494
1495 if (sm->assoc_resp_ies) {
1496 pos = sm->assoc_resp_ies;
1497 end = pos + sm->assoc_resp_ies_len;
1498 while (end - pos > 2) {
1499 if (2 + pos[1] > end - pos)
1500 break;
1501 switch (*pos) {
1502 case WLAN_EID_MOBILITY_DOMAIN:
1503 mdie = pos;
1504 break;
1505 case WLAN_EID_FAST_BSS_TRANSITION:
1506 ftie = pos;
1507 break;
1508 }
1509 pos += 2 + pos[1];
1510 }
1511 }
1512
1513 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
1514 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
1515 ft_validate_rsnie(sm, src_addr, ie) < 0)
1516 return -1;
1517
1518 return 0;
1519 }
1520
1521 #endif /* CONFIG_IEEE80211R */
1522
1523
wpa_supplicant_validate_ie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1524 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
1525 const unsigned char *src_addr,
1526 struct wpa_eapol_ie_parse *ie)
1527 {
1528 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
1529 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1530 "WPA: No WPA/RSN IE for this AP known. "
1531 "Trying to get from scan results");
1532 if (wpa_sm_get_beacon_ie(sm) < 0) {
1533 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1534 "WPA: Could not find AP from "
1535 "the scan results");
1536 return -1;
1537 }
1538 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
1539 "WPA: Found the current AP from updated scan results");
1540 }
1541
1542 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
1543 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
1544 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1545 "with IE in Beacon/ProbeResp (no IE?)",
1546 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1547 ie->rsn_ie, ie->rsn_ie_len);
1548 return -1;
1549 }
1550
1551 if ((ie->wpa_ie && sm->ap_wpa_ie &&
1552 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
1553 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
1554 (ie->rsn_ie && sm->ap_rsn_ie &&
1555 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
1556 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
1557 ie->rsn_ie, ie->rsn_ie_len))) {
1558 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1559 "with IE in Beacon/ProbeResp",
1560 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1561 ie->rsn_ie, ie->rsn_ie_len);
1562 return -1;
1563 }
1564
1565 if (sm->proto == WPA_PROTO_WPA &&
1566 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
1567 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
1568 "detected - RSN was enabled and RSN IE "
1569 "was in msg 3/4, but not in "
1570 "Beacon/ProbeResp",
1571 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1572 ie->rsn_ie, ie->rsn_ie_len);
1573 return -1;
1574 }
1575
1576 if (sm->proto == WPA_PROTO_RSN &&
1577 ((sm->ap_rsnxe && !ie->rsnxe) ||
1578 (!sm->ap_rsnxe && ie->rsnxe) ||
1579 (sm->ap_rsnxe && ie->rsnxe &&
1580 (sm->ap_rsnxe_len != ie->rsnxe_len ||
1581 os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) {
1582 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1583 "WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
1584 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
1585 sm->ap_rsnxe, sm->ap_rsnxe_len);
1586 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
1587 ie->rsnxe, ie->rsnxe_len);
1588 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
1589 return -1;
1590 }
1591
1592 #ifdef CONFIG_IEEE80211R
1593 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
1594 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
1595 return -1;
1596 #endif /* CONFIG_IEEE80211R */
1597
1598 return 0;
1599 }
1600
1601
1602 /**
1603 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
1604 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1605 * @dst: Destination address for the frame
1606 * @key: Pointer to the EAPOL-Key frame header
1607 * @ver: Version bits from EAPOL-Key Key Info
1608 * @key_info: Key Info
1609 * @ptk: PTK to use for keyed hash and encryption
1610 * Returns: >= 0 on success, < 0 on failure
1611 */
wpa_supplicant_send_4_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,u16 ver,u16 key_info,struct wpa_ptk * ptk)1612 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
1613 const struct wpa_eapol_key *key,
1614 u16 ver, u16 key_info,
1615 struct wpa_ptk *ptk)
1616 {
1617 size_t mic_len, hdrlen, rlen;
1618 struct wpa_eapol_key *reply;
1619 u8 *rbuf, *key_mic;
1620
1621 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1622 hdrlen = sizeof(*reply) + mic_len + 2;
1623 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1624 hdrlen, &rlen, (void *) &reply);
1625 if (rbuf == NULL)
1626 return -1;
1627
1628 reply->type = (sm->proto == WPA_PROTO_RSN ||
1629 sm->proto == WPA_PROTO_OSEN) ?
1630 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1631 key_info &= WPA_KEY_INFO_SECURE;
1632 key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
1633 if (mic_len)
1634 key_info |= WPA_KEY_INFO_MIC;
1635 else
1636 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1637 WPA_PUT_BE16(reply->key_info, key_info);
1638 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
1639 WPA_PUT_BE16(reply->key_length, 0);
1640 else
1641 os_memcpy(reply->key_length, key->key_length, 2);
1642 os_memcpy(reply->replay_counter, key->replay_counter,
1643 WPA_REPLAY_COUNTER_LEN);
1644
1645 key_mic = (u8 *) (reply + 1);
1646 WPA_PUT_BE16(key_mic + mic_len, 0);
1647
1648 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Sending EAPOL-Key 4/4");
1649 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
1650 key_mic);
1651 }
1652
1653
wpa_supplicant_process_3_of_4(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)1654 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
1655 const struct wpa_eapol_key *key,
1656 u16 ver, const u8 *key_data,
1657 size_t key_data_len)
1658 {
1659 u16 key_info, keylen;
1660 struct wpa_eapol_ie_parse ie;
1661
1662 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
1663 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: RX message 3 of 4-Way "
1664 "Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver);
1665
1666 key_info = WPA_GET_BE16(key->key_info);
1667
1668 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
1669 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
1670 goto failed;
1671 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1672 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1673 "WPA: GTK IE in unencrypted key data");
1674 goto failed;
1675 }
1676 if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1677 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1678 "WPA: IGTK KDE in unencrypted key data");
1679 goto failed;
1680 }
1681
1682 if (ie.igtk &&
1683 sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1684 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
1685 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
1686 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
1687 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1688 "WPA: Invalid IGTK KDE length %lu",
1689 (unsigned long) ie.igtk_len);
1690 goto failed;
1691 }
1692
1693 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
1694 goto failed;
1695
1696 if (wpa_handle_ext_key_id(sm, &ie))
1697 goto failed;
1698
1699 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
1700 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1701 "WPA: ANonce from message 1 of 4-Way Handshake "
1702 "differs from 3 of 4-Way Handshake - drop packet (src="
1703 MACSTR ")", MAC2STR(sm->bssid));
1704 goto failed;
1705 }
1706
1707 keylen = WPA_GET_BE16(key->key_length);
1708 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
1709 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1710 "WPA: Invalid %s key length %d (src=" MACSTR
1711 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
1712 MAC2STR(sm->bssid));
1713 goto failed;
1714 }
1715
1716 #ifdef CONFIG_P2P
1717 if (ie.ip_addr_alloc) {
1718 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
1719 wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
1720 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
1721 }
1722 #endif /* CONFIG_P2P */
1723
1724 #ifdef CONFIG_OCV
1725 if (wpa_sm_ocv_enabled(sm)) {
1726 struct wpa_channel_info ci;
1727
1728 if (wpa_sm_channel_info(sm, &ci) != 0) {
1729 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1730 "Failed to get channel info to validate received OCI in EAPOL-Key 3/4");
1731 return;
1732 }
1733
1734 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
1735 channel_width_to_int(ci.chanwidth),
1736 ci.seg1_idx) != OCI_SUCCESS) {
1737 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
1738 "addr=" MACSTR " frame=eapol-key-m3 error=%s",
1739 MAC2STR(sm->bssid), ocv_errorstr);
1740 return;
1741 }
1742 }
1743 #endif /* CONFIG_OCV */
1744
1745 #ifdef CONFIG_DPP2
1746 if (DPP_VERSION > 1 && ie.dpp_kde) {
1747 wpa_printf(MSG_DEBUG,
1748 "DPP: peer Protocol Version %u Flags 0x%x",
1749 ie.dpp_kde[0], ie.dpp_kde[1]);
1750 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_pfs != 2 &&
1751 (ie.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && !sm->dpp_z) {
1752 wpa_printf(MSG_INFO,
1753 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
1754 goto failed;
1755 }
1756 }
1757 #endif /* CONFIG_DPP2 */
1758
1759 if (sm->use_ext_key_id &&
1760 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX))
1761 goto failed;
1762
1763 if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info,
1764 &sm->ptk) < 0) {
1765 goto failed;
1766 }
1767
1768 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
1769 * for the next 4-Way Handshake. If msg 3 is received again, the old
1770 * SNonce will still be used to avoid changing PTK. */
1771 sm->renew_snonce = 1;
1772
1773 if (key_info & WPA_KEY_INFO_INSTALL) {
1774 int res;
1775
1776 if (sm->use_ext_key_id)
1777 res = wpa_supplicant_activate_ptk(sm);
1778 else
1779 res = wpa_supplicant_install_ptk(sm, key,
1780 KEY_FLAG_RX_TX);
1781 if (res)
1782 goto failed;
1783 }
1784
1785 if (key_info & WPA_KEY_INFO_SECURE) {
1786 wpa_sm_mlme_setprotection(
1787 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
1788 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1789 eapol_sm_notify_portValid(sm->eapol, true);
1790 }
1791 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1792
1793 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
1794 /* No GTK to be set to the driver */
1795 } else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) {
1796 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1797 "RSN: No GTK KDE included in EAPOL-Key msg 3/4");
1798 goto failed;
1799 } else if (ie.gtk &&
1800 wpa_supplicant_pairwise_gtk(sm, key,
1801 ie.gtk, ie.gtk_len, key_info) < 0) {
1802 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1803 "RSN: Failed to configure GTK");
1804 goto failed;
1805 }
1806
1807 if (ieee80211w_set_keys(sm, &ie) < 0) {
1808 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1809 "RSN: Failed to configure IGTK");
1810 goto failed;
1811 }
1812
1813 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk)
1814 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1815 key_info & WPA_KEY_INFO_SECURE);
1816
1817 if (ie.gtk)
1818 wpa_sm_set_rekey_offload(sm);
1819
1820 /* Add PMKSA cache entry for Suite B AKMs here since PMKID can be
1821 * calculated only after KCK has been derived. Though, do not replace an
1822 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
1823 * to avoid unnecessary changes of PMKID while continuing to use the
1824 * same PMK. */
1825 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
1826 !sm->cur_pmksa) {
1827 struct rsn_pmksa_cache_entry *sa;
1828
1829 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
1830 sm->ptk.kck, sm->ptk.kck_len,
1831 sm->bssid, sm->own_addr,
1832 sm->network_ctx, sm->key_mgmt, NULL);
1833 if (!sm->cur_pmksa)
1834 sm->cur_pmksa = sa;
1835 }
1836
1837 if (ie.transition_disable)
1838 wpa_sm_transition_disable(sm, ie.transition_disable[0]);
1839 sm->msg_3_of_4_ok = 1;
1840 return;
1841
1842 failed:
1843 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1844 }
1845
1846
wpa_supplicant_process_1_of_2_rsn(struct wpa_sm * sm,const u8 * keydata,size_t keydatalen,u16 key_info,struct wpa_gtk_data * gd)1847 static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm,
1848 const u8 *keydata,
1849 size_t keydatalen,
1850 u16 key_info,
1851 struct wpa_gtk_data *gd)
1852 {
1853 int maxkeylen;
1854 struct wpa_eapol_ie_parse ie;
1855 u16 gtk_len;
1856
1857 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
1858 keydata, keydatalen);
1859 if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0)
1860 return -1;
1861 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1862 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1863 "WPA: GTK IE in unencrypted key data");
1864 return -1;
1865 }
1866 if (ie.gtk == NULL) {
1867 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1868 "WPA: No GTK IE in Group Key msg 1/2");
1869 return -1;
1870 }
1871 gtk_len = ie.gtk_len;
1872 if (gtk_len < 2) {
1873 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1874 "RSN: Invalid GTK KDE length (%u) in Group Key msg 1/2",
1875 gtk_len);
1876 return -1;
1877 }
1878 gtk_len -= 2;
1879 if (gtk_len > sizeof(gd->gtk)) {
1880 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1881 "RSN: Too long GTK in GTK KDE (len=%u)", gtk_len);
1882 return -1;
1883 }
1884 maxkeylen = gd->gtk_len = gtk_len;
1885
1886 #ifdef CONFIG_OCV
1887 if (wpa_sm_ocv_enabled(sm)) {
1888 struct wpa_channel_info ci;
1889
1890 if (wpa_sm_channel_info(sm, &ci) != 0) {
1891 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1892 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
1893 return -1;
1894 }
1895
1896 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
1897 channel_width_to_int(ci.chanwidth),
1898 ci.seg1_idx) != OCI_SUCCESS) {
1899 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
1900 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
1901 MAC2STR(sm->bssid), ocv_errorstr);
1902 return -1;
1903 }
1904 }
1905 #endif /* CONFIG_OCV */
1906
1907 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1908 gtk_len, maxkeylen,
1909 &gd->key_rsc_len, &gd->alg))
1910 return -1;
1911
1912 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
1913 ie.gtk, 2 + gtk_len);
1914 gd->keyidx = ie.gtk[0] & 0x3;
1915 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1916 !!(ie.gtk[0] & BIT(2)));
1917 os_memcpy(gd->gtk, ie.gtk + 2, gtk_len);
1918
1919 if (ieee80211w_set_keys(sm, &ie) < 0)
1920 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1921 "RSN: Failed to configure IGTK");
1922
1923 return 0;
1924 }
1925
1926
wpa_supplicant_process_1_of_2_wpa(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 key_info,u16 ver,struct wpa_gtk_data * gd)1927 static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
1928 const struct wpa_eapol_key *key,
1929 const u8 *key_data,
1930 size_t key_data_len, u16 key_info,
1931 u16 ver, struct wpa_gtk_data *gd)
1932 {
1933 size_t maxkeylen;
1934 u16 gtk_len;
1935
1936 gtk_len = WPA_GET_BE16(key->key_length);
1937 maxkeylen = key_data_len;
1938 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1939 if (maxkeylen < 8) {
1940 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1941 "WPA: Too short maxkeylen (%lu)",
1942 (unsigned long) maxkeylen);
1943 return -1;
1944 }
1945 maxkeylen -= 8;
1946 }
1947
1948 if (gtk_len > maxkeylen ||
1949 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1950 gtk_len, maxkeylen,
1951 &gd->key_rsc_len, &gd->alg))
1952 return -1;
1953
1954 gd->gtk_len = gtk_len;
1955 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1956 WPA_KEY_INFO_KEY_INDEX_SHIFT;
1957 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
1958 #ifdef CONFIG_NO_RC4
1959 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1960 "WPA: RC4 not supported in the build");
1961 return -1;
1962 #else /* CONFIG_NO_RC4 */
1963 u8 ek[32];
1964 if (key_data_len > sizeof(gd->gtk)) {
1965 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1966 "WPA: RC4 key data too long (%lu)",
1967 (unsigned long) key_data_len);
1968 return -1;
1969 }
1970 os_memcpy(ek, key->key_iv, 16);
1971 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
1972 os_memcpy(gd->gtk, key_data, key_data_len);
1973 if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) {
1974 forced_memzero(ek, sizeof(ek));
1975 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1976 "WPA: RC4 failed");
1977 return -1;
1978 }
1979 forced_memzero(ek, sizeof(ek));
1980 #endif /* CONFIG_NO_RC4 */
1981 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1982 if (maxkeylen % 8) {
1983 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1984 "WPA: Unsupported AES-WRAP len %lu",
1985 (unsigned long) maxkeylen);
1986 return -1;
1987 }
1988 if (maxkeylen > sizeof(gd->gtk)) {
1989 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1990 "WPA: AES-WRAP key data "
1991 "too long (keydatalen=%lu maxkeylen=%lu)",
1992 (unsigned long) key_data_len,
1993 (unsigned long) maxkeylen);
1994 return -1;
1995 }
1996 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
1997 key_data, gd->gtk)) {
1998 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1999 "WPA: AES unwrap failed - could not decrypt "
2000 "GTK");
2001 return -1;
2002 }
2003 } else {
2004 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2005 "WPA: Unsupported key_info type %d", ver);
2006 return -1;
2007 }
2008 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(
2009 sm, !!(key_info & WPA_KEY_INFO_TXRX));
2010 return 0;
2011 }
2012
2013
wpa_supplicant_send_2_of_2(struct wpa_sm * sm,const struct wpa_eapol_key * key,int ver,u16 key_info)2014 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
2015 const struct wpa_eapol_key *key,
2016 int ver, u16 key_info)
2017 {
2018 size_t mic_len, hdrlen, rlen;
2019 struct wpa_eapol_key *reply;
2020 u8 *rbuf, *key_mic;
2021 size_t kde_len = 0;
2022
2023 #ifdef CONFIG_OCV
2024 if (wpa_sm_ocv_enabled(sm))
2025 kde_len = OCV_OCI_KDE_LEN;
2026 #endif /* CONFIG_OCV */
2027
2028 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2029 hdrlen = sizeof(*reply) + mic_len + 2;
2030 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
2031 hdrlen + kde_len, &rlen, (void *) &reply);
2032 if (rbuf == NULL)
2033 return -1;
2034
2035 reply->type = (sm->proto == WPA_PROTO_RSN ||
2036 sm->proto == WPA_PROTO_OSEN) ?
2037 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2038 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
2039 key_info |= ver | WPA_KEY_INFO_SECURE;
2040 if (mic_len)
2041 key_info |= WPA_KEY_INFO_MIC;
2042 else
2043 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2044 WPA_PUT_BE16(reply->key_info, key_info);
2045 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
2046 WPA_PUT_BE16(reply->key_length, 0);
2047 else
2048 os_memcpy(reply->key_length, key->key_length, 2);
2049 os_memcpy(reply->replay_counter, key->replay_counter,
2050 WPA_REPLAY_COUNTER_LEN);
2051
2052 key_mic = (u8 *) (reply + 1);
2053 WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */
2054
2055 #ifdef CONFIG_OCV
2056 if (wpa_sm_ocv_enabled(sm)) {
2057 struct wpa_channel_info ci;
2058 u8 *pos;
2059
2060 if (wpa_sm_channel_info(sm, &ci) != 0) {
2061 wpa_printf(MSG_WARNING,
2062 "Failed to get channel info for OCI element in EAPOL-Key 2/2");
2063 os_free(rbuf);
2064 return -1;
2065 }
2066 #ifdef CONFIG_TESTING_OPTIONS
2067 if (sm->oci_freq_override_eapol_g2) {
2068 wpa_printf(MSG_INFO,
2069 "TEST: Override OCI KDE frequency %d -> %d MHz",
2070 ci.frequency,
2071 sm->oci_freq_override_eapol_g2);
2072 ci.frequency = sm->oci_freq_override_eapol_g2;
2073 }
2074 #endif /* CONFIG_TESTING_OPTIONS */
2075
2076 pos = key_mic + mic_len + 2; /* Key Data */
2077 if (ocv_insert_oci_kde(&ci, &pos) < 0) {
2078 os_free(rbuf);
2079 return -1;
2080 }
2081 }
2082 #endif /* CONFIG_OCV */
2083
2084 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
2085 return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL,
2086 rbuf, rlen, key_mic);
2087 }
2088
2089
wpa_supplicant_process_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)2090 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
2091 const unsigned char *src_addr,
2092 const struct wpa_eapol_key *key,
2093 const u8 *key_data,
2094 size_t key_data_len, u16 ver)
2095 {
2096 u16 key_info;
2097 int rekey, ret;
2098 struct wpa_gtk_data gd;
2099 const u8 *key_rsc;
2100
2101 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
2102 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2103 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
2104 goto failed;
2105 }
2106
2107 os_memset(&gd, 0, sizeof(gd));
2108
2109 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
2110 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key "
2111 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
2112
2113 key_info = WPA_GET_BE16(key->key_info);
2114
2115 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
2116 ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data,
2117 key_data_len, key_info,
2118 &gd);
2119 } else {
2120 ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data,
2121 key_data_len,
2122 key_info, ver, &gd);
2123 }
2124
2125 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2126
2127 if (ret)
2128 goto failed;
2129
2130 key_rsc = key->key_rsc;
2131 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
2132 key_rsc = null_rsc;
2133
2134 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
2135 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
2136 goto failed;
2137 forced_memzero(&gd, sizeof(gd));
2138
2139 if (rekey) {
2140 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying "
2141 "completed with " MACSTR " [GTK=%s]",
2142 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
2143 wpa_sm_cancel_auth_timeout(sm);
2144 wpa_sm_set_state(sm, WPA_COMPLETED);
2145 } else {
2146 wpa_supplicant_key_neg_complete(sm, sm->bssid,
2147 key_info &
2148 WPA_KEY_INFO_SECURE);
2149 }
2150
2151 wpa_sm_set_rekey_offload(sm);
2152
2153 return;
2154
2155 failed:
2156 forced_memzero(&gd, sizeof(gd));
2157 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2158 }
2159
2160
wpa_supplicant_verify_eapol_key_mic(struct wpa_sm * sm,struct wpa_eapol_key * key,u16 ver,const u8 * buf,size_t len)2161 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
2162 struct wpa_eapol_key *key,
2163 u16 ver,
2164 const u8 *buf, size_t len)
2165 {
2166 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
2167 int ok = 0;
2168 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2169
2170 os_memcpy(mic, key + 1, mic_len);
2171 if (sm->tptk_set) {
2172 os_memset(key + 1, 0, mic_len);
2173 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
2174 sm->key_mgmt,
2175 ver, buf, len, (u8 *) (key + 1)) < 0 ||
2176 os_memcmp_const(mic, key + 1, mic_len) != 0) {
2177 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2178 "WPA: Invalid EAPOL-Key MIC "
2179 "when using TPTK - ignoring TPTK");
2180 #ifdef TEST_FUZZ
2181 wpa_printf(MSG_INFO,
2182 "TEST: Ignore Key MIC failure for fuzz testing");
2183 goto continue_fuzz;
2184 #endif /* TEST_FUZZ */
2185 } else {
2186 #ifdef TEST_FUZZ
2187 continue_fuzz:
2188 #endif /* TEST_FUZZ */
2189 ok = 1;
2190 sm->tptk_set = 0;
2191 sm->ptk_set = 1;
2192 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
2193 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
2194 /*
2195 * This assures the same TPTK in sm->tptk can never be
2196 * copied twice to sm->ptk as the new PTK. In
2197 * combination with the installed flag in the wpa_ptk
2198 * struct, this assures the same PTK is only installed
2199 * once.
2200 */
2201 sm->renew_snonce = 1;
2202 }
2203 }
2204
2205 if (!ok && sm->ptk_set) {
2206 os_memset(key + 1, 0, mic_len);
2207 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
2208 sm->key_mgmt,
2209 ver, buf, len, (u8 *) (key + 1)) < 0 ||
2210 os_memcmp_const(mic, key + 1, mic_len) != 0) {
2211 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2212 "WPA: Invalid EAPOL-Key MIC - "
2213 "dropping packet");
2214 #ifdef TEST_FUZZ
2215 wpa_printf(MSG_INFO,
2216 "TEST: Ignore Key MIC failure for fuzz testing");
2217 goto continue_fuzz2;
2218 #endif /* TEST_FUZZ */
2219 return -1;
2220 }
2221 #ifdef TEST_FUZZ
2222 continue_fuzz2:
2223 #endif /* TEST_FUZZ */
2224 ok = 1;
2225 }
2226
2227 if (!ok) {
2228 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2229 "WPA: Could not verify EAPOL-Key MIC - "
2230 "dropping packet");
2231 return -1;
2232 }
2233
2234 os_memcpy(sm->rx_replay_counter, key->replay_counter,
2235 WPA_REPLAY_COUNTER_LEN);
2236 sm->rx_replay_counter_set = 1;
2237 return 0;
2238 }
2239
2240
2241 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
wpa_supplicant_decrypt_key_data(struct wpa_sm * sm,struct wpa_eapol_key * key,size_t mic_len,u16 ver,u8 * key_data,size_t * key_data_len)2242 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
2243 struct wpa_eapol_key *key,
2244 size_t mic_len, u16 ver,
2245 u8 *key_data, size_t *key_data_len)
2246 {
2247 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
2248 key_data, *key_data_len);
2249 if (!sm->ptk_set) {
2250 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2251 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
2252 "Data");
2253 return -1;
2254 }
2255
2256 /* Decrypt key data here so that this operation does not need
2257 * to be implemented separately for each message type. */
2258 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
2259 #ifdef CONFIG_NO_RC4
2260 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2261 "WPA: RC4 not supported in the build");
2262 return -1;
2263 #else /* CONFIG_NO_RC4 */
2264 u8 ek[32];
2265
2266 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
2267 os_memcpy(ek, key->key_iv, 16);
2268 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
2269 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
2270 forced_memzero(ek, sizeof(ek));
2271 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2272 "WPA: RC4 failed");
2273 return -1;
2274 }
2275 forced_memzero(ek, sizeof(ek));
2276 #endif /* CONFIG_NO_RC4 */
2277 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
2278 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
2279 wpa_use_aes_key_wrap(sm->key_mgmt)) {
2280 u8 *buf;
2281
2282 wpa_printf(MSG_DEBUG,
2283 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
2284 (unsigned int) sm->ptk.kek_len);
2285 if (*key_data_len < 8 || *key_data_len % 8) {
2286 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2287 "WPA: Unsupported AES-WRAP len %u",
2288 (unsigned int) *key_data_len);
2289 return -1;
2290 }
2291 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
2292 buf = os_malloc(*key_data_len);
2293 if (buf == NULL) {
2294 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2295 "WPA: No memory for AES-UNWRAP buffer");
2296 return -1;
2297 }
2298 #ifdef TEST_FUZZ
2299 os_memset(buf, 0x11, *key_data_len);
2300 #endif /* TEST_FUZZ */
2301 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
2302 key_data, buf)) {
2303 #ifdef TEST_FUZZ
2304 wpa_printf(MSG_INFO,
2305 "TEST: Ignore AES unwrap failure for fuzz testing");
2306 goto continue_fuzz;
2307 #endif /* TEST_FUZZ */
2308 bin_clear_free(buf, *key_data_len);
2309 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2310 "WPA: AES unwrap failed - "
2311 "could not decrypt EAPOL-Key key data");
2312 return -1;
2313 }
2314 #ifdef TEST_FUZZ
2315 continue_fuzz:
2316 #endif /* TEST_FUZZ */
2317 os_memcpy(key_data, buf, *key_data_len);
2318 bin_clear_free(buf, *key_data_len);
2319 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
2320 } else {
2321 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2322 "WPA: Unsupported key_info type %d", ver);
2323 return -1;
2324 }
2325 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
2326 key_data, *key_data_len);
2327 return 0;
2328 }
2329
2330
2331 /**
2332 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
2333 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2334 */
wpa_sm_aborted_cached(struct wpa_sm * sm)2335 void wpa_sm_aborted_cached(struct wpa_sm *sm)
2336 {
2337 if (sm && sm->cur_pmksa) {
2338 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2339 "RSN: Cancelling PMKSA caching attempt");
2340 sm->cur_pmksa = NULL;
2341 }
2342 }
2343
2344
wpa_eapol_key_dump(struct wpa_sm * sm,const struct wpa_eapol_key * key,unsigned int key_data_len,const u8 * mic,unsigned int mic_len)2345 static void wpa_eapol_key_dump(struct wpa_sm *sm,
2346 const struct wpa_eapol_key *key,
2347 unsigned int key_data_len,
2348 const u8 *mic, unsigned int mic_len)
2349 {
2350 #ifndef CONFIG_NO_STDOUT_DEBUG
2351 u16 key_info = WPA_GET_BE16(key->key_info);
2352
2353 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
2354 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2355 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
2356 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
2357 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
2358 WPA_KEY_INFO_KEY_INDEX_SHIFT,
2359 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
2360 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
2361 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
2362 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
2363 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
2364 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
2365 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
2366 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
2367 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
2368 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2369 " key_length=%u key_data_length=%u",
2370 WPA_GET_BE16(key->key_length), key_data_len);
2371 wpa_hexdump(MSG_DEBUG, " replay_counter",
2372 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
2373 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
2374 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
2375 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
2376 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
2377 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
2378 #endif /* CONFIG_NO_STDOUT_DEBUG */
2379 }
2380
2381
2382 #ifdef CONFIG_FILS
wpa_supp_aead_decrypt(struct wpa_sm * sm,u8 * buf,size_t buf_len,size_t * key_data_len)2383 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
2384 size_t *key_data_len)
2385 {
2386 struct wpa_ptk *ptk;
2387 struct ieee802_1x_hdr *hdr;
2388 struct wpa_eapol_key *key;
2389 u8 *pos, *tmp;
2390 const u8 *aad[1];
2391 size_t aad_len[1];
2392
2393 if (*key_data_len < AES_BLOCK_SIZE) {
2394 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
2395 return -1;
2396 }
2397
2398 if (sm->tptk_set)
2399 ptk = &sm->tptk;
2400 else if (sm->ptk_set)
2401 ptk = &sm->ptk;
2402 else
2403 return -1;
2404
2405 hdr = (struct ieee802_1x_hdr *) buf;
2406 key = (struct wpa_eapol_key *) (hdr + 1);
2407 pos = (u8 *) (key + 1);
2408 pos += 2; /* Pointing at the Encrypted Key Data field */
2409
2410 tmp = os_malloc(*key_data_len);
2411 if (!tmp)
2412 return -1;
2413
2414 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2415 * to Key Data (exclusive). */
2416 aad[0] = buf;
2417 aad_len[0] = pos - buf;
2418 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
2419 1, aad, aad_len, tmp) < 0) {
2420 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
2421 bin_clear_free(tmp, *key_data_len);
2422 return -1;
2423 }
2424
2425 /* AEAD decryption and validation completed successfully */
2426 (*key_data_len) -= AES_BLOCK_SIZE;
2427 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2428 tmp, *key_data_len);
2429
2430 /* Replace Key Data field with the decrypted version */
2431 os_memcpy(pos, tmp, *key_data_len);
2432 pos -= 2; /* Key Data Length field */
2433 WPA_PUT_BE16(pos, *key_data_len);
2434 bin_clear_free(tmp, *key_data_len);
2435
2436 if (sm->tptk_set) {
2437 sm->tptk_set = 0;
2438 sm->ptk_set = 1;
2439 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
2440 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
2441 }
2442
2443 os_memcpy(sm->rx_replay_counter, key->replay_counter,
2444 WPA_REPLAY_COUNTER_LEN);
2445 sm->rx_replay_counter_set = 1;
2446
2447 return 0;
2448 }
2449 #endif /* CONFIG_FILS */
2450
2451
2452 /**
2453 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
2454 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2455 * @src_addr: Source MAC address of the EAPOL packet
2456 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
2457 * @len: Length of the EAPOL frame
2458 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
2459 *
2460 * This function is called for each received EAPOL frame. Other than EAPOL-Key
2461 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
2462 * only processing WPA and WPA2 EAPOL-Key frames.
2463 *
2464 * The received EAPOL-Key packets are validated and valid packets are replied
2465 * to. In addition, key material (PTK, GTK) is configured at the end of a
2466 * successful key handshake.
2467 */
wpa_sm_rx_eapol(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)2468 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
2469 const u8 *buf, size_t len)
2470 {
2471 size_t plen, data_len, key_data_len;
2472 const struct ieee802_1x_hdr *hdr;
2473 struct wpa_eapol_key *key;
2474 u16 key_info, ver;
2475 u8 *tmp = NULL;
2476 int ret = -1;
2477 u8 *mic, *key_data;
2478 size_t mic_len, keyhdrlen, pmk_len;
2479
2480 #ifdef CONFIG_IEEE80211R
2481 sm->ft_completed = 0;
2482 #endif /* CONFIG_IEEE80211R */
2483
2484 pmk_len = sm->pmk_len;
2485 if (!pmk_len && sm->cur_pmksa)
2486 pmk_len = sm->cur_pmksa->pmk_len;
2487 mic_len = wpa_mic_len(sm->key_mgmt, pmk_len);
2488 keyhdrlen = sizeof(*key) + mic_len + 2;
2489
2490 if (len < sizeof(*hdr) + keyhdrlen) {
2491 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2492 "WPA: EAPOL frame too short to be a WPA "
2493 "EAPOL-Key (len %lu, expecting at least %lu)",
2494 (unsigned long) len,
2495 (unsigned long) sizeof(*hdr) + keyhdrlen);
2496 return 0;
2497 }
2498
2499 hdr = (const struct ieee802_1x_hdr *) buf;
2500 plen = be_to_host16(hdr->length);
2501 data_len = plen + sizeof(*hdr);
2502 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2503 "IEEE 802.1X RX: version=%d type=%d length=%lu",
2504 hdr->version, hdr->type, (unsigned long) plen);
2505
2506 if (hdr->version < EAPOL_VERSION) {
2507 /* TODO: backwards compatibility */
2508 }
2509 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
2510 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2511 "WPA: EAPOL frame (type %u) discarded, "
2512 "not a Key frame", hdr->type);
2513 ret = 0;
2514 goto out;
2515 }
2516 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
2517 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
2518 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2519 "WPA: EAPOL frame payload size %lu "
2520 "invalid (frame size %lu)",
2521 (unsigned long) plen, (unsigned long) len);
2522 ret = 0;
2523 goto out;
2524 }
2525 if (data_len < len) {
2526 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2527 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
2528 (unsigned long) len - data_len);
2529 }
2530
2531 /*
2532 * Make a copy of the frame since we need to modify the buffer during
2533 * MAC validation and Key Data decryption.
2534 */
2535 tmp = os_memdup(buf, data_len);
2536 if (tmp == NULL)
2537 goto out;
2538 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
2539 mic = (u8 *) (key + 1);
2540 key_data = mic + mic_len + 2;
2541
2542 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
2543 {
2544 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2545 "WPA: EAPOL-Key type (%d) unknown, discarded",
2546 key->type);
2547 ret = 0;
2548 goto out;
2549 }
2550
2551 key_data_len = WPA_GET_BE16(mic + mic_len);
2552 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
2553
2554 if (key_data_len > plen - keyhdrlen) {
2555 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
2556 "frame - key_data overflow (%u > %u)",
2557 (unsigned int) key_data_len,
2558 (unsigned int) (plen - keyhdrlen));
2559 goto out;
2560 }
2561
2562 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
2563 key_info = WPA_GET_BE16(key->key_info);
2564 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
2565 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
2566 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2567 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
2568 !wpa_use_akm_defined(sm->key_mgmt)) {
2569 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2570 "WPA: Unsupported EAPOL-Key descriptor version %d",
2571 ver);
2572 goto out;
2573 }
2574
2575 if (wpa_use_akm_defined(sm->key_mgmt) &&
2576 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
2577 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2578 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
2579 ver);
2580 goto out;
2581 }
2582
2583 #ifdef CONFIG_IEEE80211R
2584 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
2585 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
2586 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2587 !wpa_use_akm_defined(sm->key_mgmt)) {
2588 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2589 "FT: AP did not use AES-128-CMAC");
2590 goto out;
2591 }
2592 } else
2593 #endif /* CONFIG_IEEE80211R */
2594 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
2595 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2596 !wpa_use_akm_defined(sm->key_mgmt)) {
2597 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2598 "WPA: AP did not use the "
2599 "negotiated AES-128-CMAC");
2600 goto out;
2601 }
2602 } else if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
2603 !wpa_use_akm_defined(sm->key_mgmt) &&
2604 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2605 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2606 "WPA: CCMP is used, but EAPOL-Key "
2607 "descriptor version (%d) is not 2", ver);
2608 if (sm->group_cipher != WPA_CIPHER_CCMP &&
2609 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
2610 /* Earlier versions of IEEE 802.11i did not explicitly
2611 * require version 2 descriptor for all EAPOL-Key
2612 * packets, so allow group keys to use version 1 if
2613 * CCMP is not used for them. */
2614 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2615 "WPA: Backwards compatibility: allow invalid "
2616 "version for non-CCMP group keys");
2617 } else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
2618 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2619 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
2620 } else
2621 goto out;
2622 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
2623 !wpa_use_akm_defined(sm->key_mgmt) &&
2624 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2625 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2626 "WPA: GCMP is used, but EAPOL-Key "
2627 "descriptor version (%d) is not 2", ver);
2628 goto out;
2629 }
2630
2631 if (sm->rx_replay_counter_set &&
2632 os_memcmp(key->replay_counter, sm->rx_replay_counter,
2633 WPA_REPLAY_COUNTER_LEN) <= 0) {
2634 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2635 "WPA: EAPOL-Key Replay Counter did not increase - "
2636 "dropping packet");
2637 goto out;
2638 }
2639
2640 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
2641 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2642 "WPA: Unsupported SMK bit in key_info");
2643 goto out;
2644 }
2645
2646 if (!(key_info & WPA_KEY_INFO_ACK)) {
2647 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2648 "WPA: No Ack bit in key_info");
2649 goto out;
2650 }
2651
2652 if (key_info & WPA_KEY_INFO_REQUEST) {
2653 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2654 "WPA: EAPOL-Key with Request bit - dropped");
2655 goto out;
2656 }
2657
2658 if ((key_info & WPA_KEY_INFO_MIC) &&
2659 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
2660 goto out;
2661
2662 #ifdef CONFIG_FILS
2663 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2664 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
2665 goto out;
2666 }
2667 #endif /* CONFIG_FILS */
2668
2669 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
2670 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
2671 /*
2672 * Only decrypt the Key Data field if the frame's authenticity
2673 * was verified. When using AES-SIV (FILS), the MIC flag is not
2674 * set, so this check should only be performed if mic_len != 0
2675 * which is the case in this code branch.
2676 */
2677 if (!(key_info & WPA_KEY_INFO_MIC)) {
2678 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2679 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
2680 goto out;
2681 }
2682 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
2683 ver, key_data,
2684 &key_data_len))
2685 goto out;
2686 }
2687
2688 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
2689 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
2690 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2691 "WPA: Ignored EAPOL-Key (Pairwise) with "
2692 "non-zero key index");
2693 goto out;
2694 }
2695 if (key_info & (WPA_KEY_INFO_MIC |
2696 WPA_KEY_INFO_ENCR_KEY_DATA)) {
2697 /* 3/4 4-Way Handshake */
2698 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
2699 key_data_len);
2700 } else {
2701 /* 1/4 4-Way Handshake */
2702 wpa_supplicant_process_1_of_4(sm, src_addr, key,
2703 ver, key_data,
2704 key_data_len);
2705 }
2706 } else {
2707 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
2708 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
2709 /* 1/2 Group Key Handshake */
2710 wpa_supplicant_process_1_of_2(sm, src_addr, key,
2711 key_data, key_data_len,
2712 ver);
2713 } else {
2714 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2715 "WPA: EAPOL-Key (Group) without Mic/Encr bit - "
2716 "dropped");
2717 }
2718 }
2719
2720 ret = 1;
2721
2722 out:
2723 bin_clear_free(tmp, data_len);
2724 return ret;
2725 }
2726
2727
2728 #ifdef CONFIG_CTRL_IFACE
wpa_key_mgmt_suite(struct wpa_sm * sm)2729 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
2730 {
2731 switch (sm->key_mgmt) {
2732 case WPA_KEY_MGMT_IEEE8021X:
2733 return ((sm->proto == WPA_PROTO_RSN ||
2734 sm->proto == WPA_PROTO_OSEN) ?
2735 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
2736 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
2737 case WPA_KEY_MGMT_PSK:
2738 return (sm->proto == WPA_PROTO_RSN ?
2739 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
2740 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
2741 #ifdef CONFIG_IEEE80211R
2742 case WPA_KEY_MGMT_FT_IEEE8021X:
2743 return RSN_AUTH_KEY_MGMT_FT_802_1X;
2744 case WPA_KEY_MGMT_FT_PSK:
2745 return RSN_AUTH_KEY_MGMT_FT_PSK;
2746 #endif /* CONFIG_IEEE80211R */
2747 case WPA_KEY_MGMT_IEEE8021X_SHA256:
2748 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2749 case WPA_KEY_MGMT_PSK_SHA256:
2750 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2751 case WPA_KEY_MGMT_CCKM:
2752 return (sm->proto == WPA_PROTO_RSN ?
2753 RSN_AUTH_KEY_MGMT_CCKM:
2754 WPA_AUTH_KEY_MGMT_CCKM);
2755 case WPA_KEY_MGMT_WPA_NONE:
2756 return WPA_AUTH_KEY_MGMT_NONE;
2757 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2758 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
2759 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2760 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
2761 default:
2762 return 0;
2763 }
2764 }
2765
2766
2767 #define RSN_SUITE "%02x-%02x-%02x-%d"
2768 #define RSN_SUITE_ARG(s) \
2769 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2770
2771 /**
2772 * wpa_sm_get_mib - Dump text list of MIB entries
2773 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2774 * @buf: Buffer for the list
2775 * @buflen: Length of the buffer
2776 * Returns: Number of bytes written to buffer
2777 *
2778 * This function is used fetch dot11 MIB variables.
2779 */
wpa_sm_get_mib(struct wpa_sm * sm,char * buf,size_t buflen)2780 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
2781 {
2782 char pmkid_txt[PMKID_LEN * 2 + 1];
2783 bool rsna;
2784 int ret;
2785 size_t len;
2786
2787 if (sm->cur_pmksa) {
2788 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2789 sm->cur_pmksa->pmkid, PMKID_LEN);
2790 } else
2791 pmkid_txt[0] = '\0';
2792
2793 rsna = (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
2794 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
2795 sm->proto == WPA_PROTO_RSN;
2796
2797 ret = os_snprintf(buf, buflen,
2798 "dot11RSNAOptionImplemented=TRUE\n"
2799 "dot11RSNAPreauthenticationImplemented=TRUE\n"
2800 "dot11RSNAEnabled=%s\n"
2801 "dot11RSNAPreauthenticationEnabled=%s\n"
2802 "dot11RSNAConfigVersion=%d\n"
2803 "dot11RSNAConfigPairwiseKeysSupported=5\n"
2804 "dot11RSNAConfigGroupCipherSize=%d\n"
2805 "dot11RSNAConfigPMKLifetime=%d\n"
2806 "dot11RSNAConfigPMKReauthThreshold=%d\n"
2807 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
2808 "dot11RSNAConfigSATimeout=%d\n",
2809 rsna ? "TRUE" : "FALSE",
2810 rsna ? "TRUE" : "FALSE",
2811 RSN_VERSION,
2812 wpa_cipher_key_len(sm->group_cipher) * 8,
2813 sm->dot11RSNAConfigPMKLifetime,
2814 sm->dot11RSNAConfigPMKReauthThreshold,
2815 sm->dot11RSNAConfigSATimeout);
2816 if (os_snprintf_error(buflen, ret))
2817 return 0;
2818 len = ret;
2819
2820 ret = os_snprintf(
2821 buf + len, buflen - len,
2822 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2823 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2824 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2825 "dot11RSNAPMKIDUsed=%s\n"
2826 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2827 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2828 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2829 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
2830 "dot11RSNA4WayHandshakeFailures=%u\n",
2831 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
2832 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2833 sm->pairwise_cipher)),
2834 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2835 sm->group_cipher)),
2836 pmkid_txt,
2837 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
2838 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2839 sm->pairwise_cipher)),
2840 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2841 sm->group_cipher)),
2842 sm->dot11RSNA4WayHandshakeFailures);
2843 if (!os_snprintf_error(buflen - len, ret))
2844 len += ret;
2845
2846 return (int) len;
2847 }
2848 #endif /* CONFIG_CTRL_IFACE */
2849
2850
wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx,enum pmksa_free_reason reason)2851 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
2852 void *ctx, enum pmksa_free_reason reason)
2853 {
2854 struct wpa_sm *sm = ctx;
2855 int deauth = 0;
2856
2857 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
2858 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
2859
2860 if (sm->cur_pmksa == entry) {
2861 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2862 "RSN: %s current PMKSA entry",
2863 reason == PMKSA_REPLACE ? "replaced" : "removed");
2864 pmksa_cache_clear_current(sm);
2865
2866 /*
2867 * If an entry is simply being replaced, there's no need to
2868 * deauthenticate because it will be immediately re-added.
2869 * This happens when EAP authentication is completed again
2870 * (reauth or failed PMKSA caching attempt).
2871 */
2872 if (reason != PMKSA_REPLACE)
2873 deauth = 1;
2874 }
2875
2876 if (reason == PMKSA_EXPIRE &&
2877 (sm->pmk_len == entry->pmk_len &&
2878 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
2879 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2880 "RSN: deauthenticating due to expired PMK");
2881 pmksa_cache_clear_current(sm);
2882 deauth = 1;
2883 }
2884
2885 if (deauth) {
2886 sm->pmk_len = 0;
2887 os_memset(sm->pmk, 0, sizeof(sm->pmk));
2888 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2889 }
2890 }
2891
2892
2893 /**
2894 * wpa_sm_init - Initialize WPA state machine
2895 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
2896 * Returns: Pointer to the allocated WPA state machine data
2897 *
2898 * This function is used to allocate a new WPA state machine and the returned
2899 * value is passed to all WPA state machine calls.
2900 */
wpa_sm_init(struct wpa_sm_ctx * ctx)2901 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
2902 {
2903 struct wpa_sm *sm;
2904
2905 sm = os_zalloc(sizeof(*sm));
2906 if (sm == NULL)
2907 return NULL;
2908 dl_list_init(&sm->pmksa_candidates);
2909 sm->renew_snonce = 1;
2910 sm->ctx = ctx;
2911
2912 sm->dot11RSNAConfigPMKLifetime = 43200;
2913 sm->dot11RSNAConfigPMKReauthThreshold = 70;
2914 sm->dot11RSNAConfigSATimeout = 60;
2915
2916 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, sm, sm);
2917 if (sm->pmksa == NULL) {
2918 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2919 "RSN: PMKSA cache initialization failed");
2920 os_free(sm);
2921 return NULL;
2922 }
2923
2924 return sm;
2925 }
2926
2927
2928 /**
2929 * wpa_sm_deinit - Deinitialize WPA state machine
2930 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2931 */
wpa_sm_deinit(struct wpa_sm * sm)2932 void wpa_sm_deinit(struct wpa_sm *sm)
2933 {
2934 if (sm == NULL)
2935 return;
2936 pmksa_cache_deinit(sm->pmksa);
2937 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
2938 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
2939 os_free(sm->assoc_wpa_ie);
2940 os_free(sm->assoc_rsnxe);
2941 os_free(sm->ap_wpa_ie);
2942 os_free(sm->ap_rsn_ie);
2943 os_free(sm->ap_rsnxe);
2944 wpa_sm_drop_sa(sm);
2945 os_free(sm->ctx);
2946 #ifdef CONFIG_IEEE80211R
2947 os_free(sm->assoc_resp_ies);
2948 #endif /* CONFIG_IEEE80211R */
2949 #ifdef CONFIG_TESTING_OPTIONS
2950 wpabuf_free(sm->test_assoc_ie);
2951 #endif /* CONFIG_TESTING_OPTIONS */
2952 #ifdef CONFIG_FILS_SK_PFS
2953 crypto_ecdh_deinit(sm->fils_ecdh);
2954 #endif /* CONFIG_FILS_SK_PFS */
2955 #ifdef CONFIG_FILS
2956 wpabuf_free(sm->fils_ft_ies);
2957 #endif /* CONFIG_FILS */
2958 #ifdef CONFIG_OWE
2959 crypto_ecdh_deinit(sm->owe_ecdh);
2960 #endif /* CONFIG_OWE */
2961 #ifdef CONFIG_DPP2
2962 wpabuf_clear_free(sm->dpp_z);
2963 #endif /* CONFIG_DPP2 */
2964 os_free(sm);
2965 }
2966
2967
2968 /**
2969 * wpa_sm_notify_assoc - Notify WPA state machine about association
2970 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2971 * @bssid: The BSSID of the new association
2972 *
2973 * This function is called to let WPA state machine know that the connection
2974 * was established.
2975 */
wpa_sm_notify_assoc(struct wpa_sm * sm,const u8 * bssid)2976 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
2977 {
2978 int clear_keys = 1;
2979
2980 if (sm == NULL)
2981 return;
2982
2983 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2984 "WPA: Association event - clear replay counter");
2985 os_memcpy(sm->bssid, bssid, ETH_ALEN);
2986 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
2987 sm->rx_replay_counter_set = 0;
2988 sm->renew_snonce = 1;
2989 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
2990 rsn_preauth_deinit(sm);
2991
2992 #ifdef CONFIG_IEEE80211R
2993 if (wpa_ft_is_completed(sm)) {
2994 /*
2995 * Clear portValid to kick EAPOL state machine to re-enter
2996 * AUTHENTICATED state to get the EAPOL port Authorized.
2997 */
2998 eapol_sm_notify_portValid(sm->eapol, false);
2999 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
3000
3001 /* Prepare for the next transition */
3002 wpa_ft_prepare_auth_request(sm, NULL);
3003
3004 clear_keys = 0;
3005 sm->ft_protocol = 1;
3006 } else {
3007 sm->ft_protocol = 0;
3008 }
3009 #endif /* CONFIG_IEEE80211R */
3010 #ifdef CONFIG_FILS
3011 if (sm->fils_completed) {
3012 /*
3013 * Clear portValid to kick EAPOL state machine to re-enter
3014 * AUTHENTICATED state to get the EAPOL port Authorized.
3015 */
3016 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
3017 clear_keys = 0;
3018 }
3019 #endif /* CONFIG_FILS */
3020
3021 if (clear_keys) {
3022 /*
3023 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
3024 * this is not part of a Fast BSS Transition.
3025 */
3026 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
3027 sm->ptk_set = 0;
3028 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
3029 sm->tptk_set = 0;
3030 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3031 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
3032 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
3033 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
3034 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
3035 }
3036
3037 #ifdef CONFIG_TDLS
3038 wpa_tdls_assoc(sm);
3039 #endif /* CONFIG_TDLS */
3040
3041 #ifdef CONFIG_P2P
3042 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
3043 #endif /* CONFIG_P2P */
3044
3045 sm->keyidx_active = 0;
3046 }
3047
3048
3049 /**
3050 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
3051 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3052 *
3053 * This function is called to let WPA state machine know that the connection
3054 * was lost. This will abort any existing pre-authentication session.
3055 */
wpa_sm_notify_disassoc(struct wpa_sm * sm)3056 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
3057 {
3058 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
3059 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
3060 rsn_preauth_deinit(sm);
3061 pmksa_cache_clear_current(sm);
3062 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
3063 sm->dot11RSNA4WayHandshakeFailures++;
3064 #ifdef CONFIG_TDLS
3065 wpa_tdls_disassoc(sm);
3066 #endif /* CONFIG_TDLS */
3067 #ifdef CONFIG_FILS
3068 sm->fils_completed = 0;
3069 #endif /* CONFIG_FILS */
3070 #ifdef CONFIG_IEEE80211R
3071 sm->ft_reassoc_completed = 0;
3072 sm->ft_protocol = 0;
3073 #endif /* CONFIG_IEEE80211R */
3074
3075 /* Keys are not needed in the WPA state machine anymore */
3076 wpa_sm_drop_sa(sm);
3077 sm->keyidx_active = 0;
3078
3079 sm->msg_3_of_4_ok = 0;
3080 os_memset(sm->bssid, 0, ETH_ALEN);
3081 }
3082
3083
3084 /**
3085 * wpa_sm_set_pmk - Set PMK
3086 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3087 * @pmk: The new PMK
3088 * @pmk_len: The length of the new PMK in bytes
3089 * @pmkid: Calculated PMKID
3090 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
3091 *
3092 * Configure the PMK for WPA state machine.
3093 */
wpa_sm_set_pmk(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid)3094 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
3095 const u8 *pmkid, const u8 *bssid)
3096 {
3097 if (sm == NULL)
3098 return;
3099
3100 wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data",
3101 pmk, pmk_len);
3102 sm->pmk_len = pmk_len;
3103 os_memcpy(sm->pmk, pmk, pmk_len);
3104
3105 #ifdef CONFIG_IEEE80211R
3106 /* Set XXKey to be PSK for FT key derivation */
3107 sm->xxkey_len = pmk_len;
3108 os_memcpy(sm->xxkey, pmk, pmk_len);
3109 #endif /* CONFIG_IEEE80211R */
3110
3111 if (bssid) {
3112 pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
3113 bssid, sm->own_addr,
3114 sm->network_ctx, sm->key_mgmt, NULL);
3115 }
3116 }
3117
3118
3119 /**
3120 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
3121 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3122 *
3123 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
3124 * will be cleared.
3125 */
wpa_sm_set_pmk_from_pmksa(struct wpa_sm * sm)3126 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
3127 {
3128 if (sm == NULL)
3129 return;
3130
3131 if (sm->cur_pmksa) {
3132 wpa_hexdump_key(MSG_DEBUG,
3133 "WPA: Set PMK based on current PMKSA",
3134 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len);
3135 sm->pmk_len = sm->cur_pmksa->pmk_len;
3136 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
3137 } else {
3138 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK");
3139 sm->pmk_len = 0;
3140 os_memset(sm->pmk, 0, PMK_LEN_MAX);
3141 }
3142 }
3143
3144
3145 /**
3146 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
3147 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3148 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
3149 */
wpa_sm_set_fast_reauth(struct wpa_sm * sm,int fast_reauth)3150 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
3151 {
3152 if (sm)
3153 sm->fast_reauth = fast_reauth;
3154 }
3155
3156
3157 /**
3158 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
3159 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3160 * @scard_ctx: Context pointer for smartcard related callback functions
3161 */
wpa_sm_set_scard_ctx(struct wpa_sm * sm,void * scard_ctx)3162 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
3163 {
3164 if (sm == NULL)
3165 return;
3166 sm->scard_ctx = scard_ctx;
3167 if (sm->preauth_eapol)
3168 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
3169 }
3170
3171
3172 /**
3173 * wpa_sm_set_config - Notification of current configuration change
3174 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3175 * @config: Pointer to current network configuration
3176 *
3177 * Notify WPA state machine that configuration has changed. config will be
3178 * stored as a backpointer to network configuration. This can be %NULL to clear
3179 * the stored pointed.
3180 */
wpa_sm_set_config(struct wpa_sm * sm,struct rsn_supp_config * config)3181 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
3182 {
3183 if (!sm)
3184 return;
3185
3186 if (config) {
3187 sm->network_ctx = config->network_ctx;
3188 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
3189 sm->proactive_key_caching = config->proactive_key_caching;
3190 sm->eap_workaround = config->eap_workaround;
3191 sm->eap_conf_ctx = config->eap_conf_ctx;
3192 if (config->ssid) {
3193 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
3194 sm->ssid_len = config->ssid_len;
3195 } else
3196 sm->ssid_len = 0;
3197 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
3198 sm->p2p = config->p2p;
3199 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
3200 sm->owe_ptk_workaround = config->owe_ptk_workaround;
3201 sm->force_kdk_derivation = config->force_kdk_derivation;
3202 #ifdef CONFIG_FILS
3203 if (config->fils_cache_id) {
3204 sm->fils_cache_id_set = 1;
3205 os_memcpy(sm->fils_cache_id, config->fils_cache_id,
3206 FILS_CACHE_ID_LEN);
3207 } else {
3208 sm->fils_cache_id_set = 0;
3209 }
3210 #endif /* CONFIG_FILS */
3211 sm->beacon_prot = config->beacon_prot;
3212 } else {
3213 sm->network_ctx = NULL;
3214 sm->allowed_pairwise_cipher = 0;
3215 sm->proactive_key_caching = 0;
3216 sm->eap_workaround = 0;
3217 sm->eap_conf_ctx = NULL;
3218 sm->ssid_len = 0;
3219 sm->wpa_ptk_rekey = 0;
3220 sm->p2p = 0;
3221 sm->wpa_rsc_relaxation = 0;
3222 sm->owe_ptk_workaround = 0;
3223 sm->beacon_prot = 0;
3224 sm->force_kdk_derivation = false;
3225 }
3226 }
3227
3228
3229 /**
3230 * wpa_sm_set_own_addr - Set own MAC address
3231 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3232 * @addr: Own MAC address
3233 */
wpa_sm_set_own_addr(struct wpa_sm * sm,const u8 * addr)3234 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
3235 {
3236 if (sm)
3237 os_memcpy(sm->own_addr, addr, ETH_ALEN);
3238 }
3239
3240
3241 /**
3242 * wpa_sm_set_ifname - Set network interface name
3243 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3244 * @ifname: Interface name
3245 * @bridge_ifname: Optional bridge interface name (for pre-auth)
3246 */
wpa_sm_set_ifname(struct wpa_sm * sm,const char * ifname,const char * bridge_ifname)3247 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
3248 const char *bridge_ifname)
3249 {
3250 if (sm) {
3251 sm->ifname = ifname;
3252 sm->bridge_ifname = bridge_ifname;
3253 }
3254 }
3255
3256
3257 /**
3258 * wpa_sm_set_eapol - Set EAPOL state machine pointer
3259 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3260 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
3261 */
wpa_sm_set_eapol(struct wpa_sm * sm,struct eapol_sm * eapol)3262 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
3263 {
3264 if (sm)
3265 sm->eapol = eapol;
3266 }
3267
3268
3269 /**
3270 * wpa_sm_set_param - Set WPA state machine parameters
3271 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3272 * @param: Parameter field
3273 * @value: Parameter value
3274 * Returns: 0 on success, -1 on failure
3275 */
wpa_sm_set_param(struct wpa_sm * sm,enum wpa_sm_conf_params param,unsigned int value)3276 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
3277 unsigned int value)
3278 {
3279 int ret = 0;
3280
3281 if (sm == NULL)
3282 return -1;
3283
3284 switch (param) {
3285 case RSNA_PMK_LIFETIME:
3286 if (value > 0)
3287 sm->dot11RSNAConfigPMKLifetime = value;
3288 else
3289 ret = -1;
3290 break;
3291 case RSNA_PMK_REAUTH_THRESHOLD:
3292 if (value > 0 && value <= 100)
3293 sm->dot11RSNAConfigPMKReauthThreshold = value;
3294 else
3295 ret = -1;
3296 break;
3297 case RSNA_SA_TIMEOUT:
3298 if (value > 0)
3299 sm->dot11RSNAConfigSATimeout = value;
3300 else
3301 ret = -1;
3302 break;
3303 case WPA_PARAM_PROTO:
3304 sm->proto = value;
3305 break;
3306 case WPA_PARAM_PAIRWISE:
3307 sm->pairwise_cipher = value;
3308 break;
3309 case WPA_PARAM_GROUP:
3310 sm->group_cipher = value;
3311 break;
3312 case WPA_PARAM_KEY_MGMT:
3313 sm->key_mgmt = value;
3314 break;
3315 case WPA_PARAM_MGMT_GROUP:
3316 sm->mgmt_group_cipher = value;
3317 break;
3318 case WPA_PARAM_RSN_ENABLED:
3319 sm->rsn_enabled = value;
3320 break;
3321 case WPA_PARAM_MFP:
3322 sm->mfp = value;
3323 break;
3324 case WPA_PARAM_OCV:
3325 sm->ocv = value;
3326 break;
3327 case WPA_PARAM_SAE_PWE:
3328 sm->sae_pwe = value;
3329 break;
3330 case WPA_PARAM_SAE_PK:
3331 sm->sae_pk = value;
3332 break;
3333 case WPA_PARAM_DENY_PTK0_REKEY:
3334 sm->wpa_deny_ptk0_rekey = value;
3335 break;
3336 case WPA_PARAM_EXT_KEY_ID:
3337 sm->ext_key_id = value;
3338 break;
3339 case WPA_PARAM_USE_EXT_KEY_ID:
3340 sm->use_ext_key_id = value;
3341 break;
3342 #ifdef CONFIG_TESTING_OPTIONS
3343 case WPA_PARAM_FT_RSNXE_USED:
3344 sm->ft_rsnxe_used = value;
3345 break;
3346 case WPA_PARAM_OCI_FREQ_EAPOL:
3347 sm->oci_freq_override_eapol = value;
3348 break;
3349 case WPA_PARAM_OCI_FREQ_EAPOL_G2:
3350 sm->oci_freq_override_eapol_g2 = value;
3351 break;
3352 case WPA_PARAM_OCI_FREQ_FT_ASSOC:
3353 sm->oci_freq_override_ft_assoc = value;
3354 break;
3355 case WPA_PARAM_OCI_FREQ_FILS_ASSOC:
3356 sm->oci_freq_override_fils_assoc = value;
3357 break;
3358 #endif /* CONFIG_TESTING_OPTIONS */
3359 #ifdef CONFIG_DPP2
3360 case WPA_PARAM_DPP_PFS:
3361 sm->dpp_pfs = value;
3362 break;
3363 #endif /* CONFIG_DPP2 */
3364 default:
3365 break;
3366 }
3367
3368 return ret;
3369 }
3370
3371
3372 /**
3373 * wpa_sm_get_status - Get WPA state machine
3374 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3375 * @buf: Buffer for status information
3376 * @buflen: Maximum buffer length
3377 * @verbose: Whether to include verbose status information
3378 * Returns: Number of bytes written to buf.
3379 *
3380 * Query WPA state machine for status information. This function fills in
3381 * a text area with current status information. If the buffer (buf) is not
3382 * large enough, status information will be truncated to fit the buffer.
3383 */
wpa_sm_get_status(struct wpa_sm * sm,char * buf,size_t buflen,int verbose)3384 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
3385 int verbose)
3386 {
3387 char *pos = buf, *end = buf + buflen;
3388 int ret;
3389
3390 ret = os_snprintf(pos, end - pos,
3391 "pairwise_cipher=%s\n"
3392 "group_cipher=%s\n"
3393 "key_mgmt=%s\n",
3394 wpa_cipher_txt(sm->pairwise_cipher),
3395 wpa_cipher_txt(sm->group_cipher),
3396 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
3397 if (os_snprintf_error(end - pos, ret))
3398 return pos - buf;
3399 pos += ret;
3400
3401 #ifdef CONFIG_DPP2
3402 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
3403 ret = os_snprintf(pos, end - pos, "dpp_pfs=1\n");
3404 if (os_snprintf_error(end - pos, ret))
3405 return pos - buf;
3406 pos += ret;
3407 }
3408 #endif /* CONFIG_DPP2 */
3409
3410 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
3411 struct wpa_ie_data rsn;
3412 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
3413 >= 0 &&
3414 rsn.capabilities & (WPA_CAPABILITY_MFPR |
3415 WPA_CAPABILITY_MFPC)) {
3416 ret = os_snprintf(pos, end - pos, "pmf=%d\n"
3417 "mgmt_group_cipher=%s\n",
3418 (rsn.capabilities &
3419 WPA_CAPABILITY_MFPR) ? 2 : 1,
3420 wpa_cipher_txt(
3421 sm->mgmt_group_cipher));
3422 if (os_snprintf_error(end - pos, ret))
3423 return pos - buf;
3424 pos += ret;
3425 }
3426 }
3427
3428 return pos - buf;
3429 }
3430
3431
wpa_sm_pmf_enabled(struct wpa_sm * sm)3432 int wpa_sm_pmf_enabled(struct wpa_sm *sm)
3433 {
3434 struct wpa_ie_data rsn;
3435
3436 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
3437 return 0;
3438
3439 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
3440 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
3441 return 1;
3442
3443 return 0;
3444 }
3445
3446
wpa_sm_ext_key_id(struct wpa_sm * sm)3447 int wpa_sm_ext_key_id(struct wpa_sm *sm)
3448 {
3449 return sm ? sm->ext_key_id : 0;
3450 }
3451
3452
wpa_sm_ext_key_id_active(struct wpa_sm * sm)3453 int wpa_sm_ext_key_id_active(struct wpa_sm *sm)
3454 {
3455 return sm ? sm->use_ext_key_id : 0;
3456 }
3457
3458
wpa_sm_ocv_enabled(struct wpa_sm * sm)3459 int wpa_sm_ocv_enabled(struct wpa_sm *sm)
3460 {
3461 struct wpa_ie_data rsn;
3462
3463 if (!sm->ocv || !sm->ap_rsn_ie)
3464 return 0;
3465
3466 return wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len,
3467 &rsn) >= 0 &&
3468 (rsn.capabilities & WPA_CAPABILITY_OCVC);
3469 }
3470
3471
3472 /**
3473 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
3474 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3475 * @wpa_ie: Pointer to buffer for WPA/RSN IE
3476 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
3477 * Returns: 0 on success, -1 on failure
3478 */
wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm * sm,u8 * wpa_ie,size_t * wpa_ie_len)3479 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
3480 size_t *wpa_ie_len)
3481 {
3482 int res;
3483
3484 if (sm == NULL)
3485 return -1;
3486
3487 #ifdef CONFIG_TESTING_OPTIONS
3488 if (sm->test_assoc_ie) {
3489 wpa_printf(MSG_DEBUG,
3490 "TESTING: Replace association WPA/RSN IE");
3491 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
3492 return -1;
3493 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
3494 wpabuf_len(sm->test_assoc_ie));
3495 res = wpabuf_len(sm->test_assoc_ie);
3496 } else
3497 #endif /* CONFIG_TESTING_OPTIONS */
3498 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
3499 if (res < 0)
3500 return -1;
3501 *wpa_ie_len = res;
3502
3503 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
3504 wpa_ie, *wpa_ie_len);
3505
3506 if (sm->assoc_wpa_ie == NULL) {
3507 /*
3508 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
3509 * the correct version of the IE even if PMKSA caching is
3510 * aborted (which would remove PMKID from IE generation).
3511 */
3512 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
3513 if (sm->assoc_wpa_ie == NULL)
3514 return -1;
3515
3516 sm->assoc_wpa_ie_len = *wpa_ie_len;
3517 } else {
3518 wpa_hexdump(MSG_DEBUG,
3519 "WPA: Leave previously set WPA IE default",
3520 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3521 }
3522
3523 return 0;
3524 }
3525
3526
3527 /**
3528 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
3529 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3530 * @ie: Pointer to IE data (starting from id)
3531 * @len: IE length
3532 * Returns: 0 on success, -1 on failure
3533 *
3534 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
3535 * Request frame. The IE will be used to override the default value generated
3536 * with wpa_sm_set_assoc_wpa_ie_default().
3537 */
wpa_sm_set_assoc_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)3538 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3539 {
3540 if (sm == NULL)
3541 return -1;
3542
3543 os_free(sm->assoc_wpa_ie);
3544 if (ie == NULL || len == 0) {
3545 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3546 "WPA: clearing own WPA/RSN IE");
3547 sm->assoc_wpa_ie = NULL;
3548 sm->assoc_wpa_ie_len = 0;
3549 } else {
3550 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
3551 sm->assoc_wpa_ie = os_memdup(ie, len);
3552 if (sm->assoc_wpa_ie == NULL)
3553 return -1;
3554
3555 sm->assoc_wpa_ie_len = len;
3556 }
3557
3558 return 0;
3559 }
3560
3561
3562 /**
3563 * wpa_sm_set_assoc_rsnxe_default - Generate own RSNXE from configuration
3564 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3565 * @rsnxe: Pointer to buffer for RSNXE
3566 * @rsnxe_len: Pointer to the length of the rsne buffer
3567 * Returns: 0 on success, -1 on failure
3568 */
wpa_sm_set_assoc_rsnxe_default(struct wpa_sm * sm,u8 * rsnxe,size_t * rsnxe_len)3569 int wpa_sm_set_assoc_rsnxe_default(struct wpa_sm *sm, u8 *rsnxe,
3570 size_t *rsnxe_len)
3571 {
3572 int res;
3573
3574 if (!sm)
3575 return -1;
3576
3577 res = wpa_gen_rsnxe(sm, rsnxe, *rsnxe_len);
3578 if (res < 0)
3579 return -1;
3580 *rsnxe_len = res;
3581
3582 wpa_hexdump(MSG_DEBUG, "RSN: Set own RSNXE default", rsnxe, *rsnxe_len);
3583
3584 if (sm->assoc_rsnxe) {
3585 wpa_hexdump(MSG_DEBUG,
3586 "RSN: Leave previously set RSNXE default",
3587 sm->assoc_rsnxe, sm->assoc_rsnxe_len);
3588 } else if (*rsnxe_len > 0) {
3589 /*
3590 * Make a copy of the RSNXE so that 4-Way Handshake gets the
3591 * correct version of the IE even if it gets changed.
3592 */
3593 sm->assoc_rsnxe = os_memdup(rsnxe, *rsnxe_len);
3594 if (!sm->assoc_rsnxe)
3595 return -1;
3596
3597 sm->assoc_rsnxe_len = *rsnxe_len;
3598 }
3599
3600 return 0;
3601 }
3602
3603
3604 /**
3605 * wpa_sm_set_assoc_rsnxe - Set own RSNXE from (Re)AssocReq
3606 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3607 * @ie: Pointer to IE data (starting from id)
3608 * @len: IE length
3609 * Returns: 0 on success, -1 on failure
3610 *
3611 * Inform WPA state machine about the RSNXE used in (Re)Association Request
3612 * frame. The IE will be used to override the default value generated
3613 * with wpa_sm_set_assoc_rsnxe_default().
3614 */
wpa_sm_set_assoc_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)3615 int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
3616 {
3617 if (!sm)
3618 return -1;
3619
3620 os_free(sm->assoc_rsnxe);
3621 if (!ie || len == 0) {
3622 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3623 "RSN: clearing own RSNXE");
3624 sm->assoc_rsnxe = NULL;
3625 sm->assoc_rsnxe_len = 0;
3626 } else {
3627 wpa_hexdump(MSG_DEBUG, "RSN: set own RSNXE", ie, len);
3628 sm->assoc_rsnxe = os_memdup(ie, len);
3629 if (!sm->assoc_rsnxe)
3630 return -1;
3631
3632 sm->assoc_rsnxe_len = len;
3633 }
3634
3635 return 0;
3636 }
3637
3638
3639 /**
3640 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
3641 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3642 * @ie: Pointer to IE data (starting from id)
3643 * @len: IE length
3644 * Returns: 0 on success, -1 on failure
3645 *
3646 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
3647 * frame.
3648 */
wpa_sm_set_ap_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)3649 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3650 {
3651 if (sm == NULL)
3652 return -1;
3653
3654 os_free(sm->ap_wpa_ie);
3655 if (ie == NULL || len == 0) {
3656 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3657 "WPA: clearing AP WPA IE");
3658 sm->ap_wpa_ie = NULL;
3659 sm->ap_wpa_ie_len = 0;
3660 } else {
3661 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
3662 sm->ap_wpa_ie = os_memdup(ie, len);
3663 if (sm->ap_wpa_ie == NULL)
3664 return -1;
3665
3666 sm->ap_wpa_ie_len = len;
3667 }
3668
3669 return 0;
3670 }
3671
3672
3673 /**
3674 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
3675 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3676 * @ie: Pointer to IE data (starting from id)
3677 * @len: IE length
3678 * Returns: 0 on success, -1 on failure
3679 *
3680 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
3681 * frame.
3682 */
wpa_sm_set_ap_rsn_ie(struct wpa_sm * sm,const u8 * ie,size_t len)3683 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3684 {
3685 if (sm == NULL)
3686 return -1;
3687
3688 os_free(sm->ap_rsn_ie);
3689 if (ie == NULL || len == 0) {
3690 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3691 "WPA: clearing AP RSN IE");
3692 sm->ap_rsn_ie = NULL;
3693 sm->ap_rsn_ie_len = 0;
3694 } else {
3695 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
3696 sm->ap_rsn_ie = os_memdup(ie, len);
3697 if (sm->ap_rsn_ie == NULL)
3698 return -1;
3699
3700 sm->ap_rsn_ie_len = len;
3701 }
3702
3703 return 0;
3704 }
3705
3706
3707 /**
3708 * wpa_sm_set_ap_rsnxe - Set AP RSNXE from Beacon/ProbeResp
3709 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3710 * @ie: Pointer to IE data (starting from id)
3711 * @len: IE length
3712 * Returns: 0 on success, -1 on failure
3713 *
3714 * Inform WPA state machine about the RSNXE used in Beacon / Probe Response
3715 * frame.
3716 */
wpa_sm_set_ap_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)3717 int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
3718 {
3719 if (!sm)
3720 return -1;
3721
3722 os_free(sm->ap_rsnxe);
3723 if (!ie || len == 0) {
3724 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE");
3725 sm->ap_rsnxe = NULL;
3726 sm->ap_rsnxe_len = 0;
3727 } else {
3728 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len);
3729 sm->ap_rsnxe = os_memdup(ie, len);
3730 if (!sm->ap_rsnxe)
3731 return -1;
3732
3733 sm->ap_rsnxe_len = len;
3734 }
3735
3736 return 0;
3737 }
3738
3739
3740 /**
3741 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
3742 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3743 * @data: Pointer to data area for parsing results
3744 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
3745 *
3746 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
3747 * parsed data into data.
3748 */
wpa_sm_parse_own_wpa_ie(struct wpa_sm * sm,struct wpa_ie_data * data)3749 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
3750 {
3751 if (sm == NULL)
3752 return -1;
3753
3754 if (sm->assoc_wpa_ie == NULL) {
3755 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3756 "WPA: No WPA/RSN IE available from association info");
3757 return -1;
3758 }
3759 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
3760 return -2;
3761 return 0;
3762 }
3763
3764
wpa_sm_pmksa_cache_list(struct wpa_sm * sm,char * buf,size_t len)3765 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
3766 {
3767 return pmksa_cache_list(sm->pmksa, buf, len);
3768 }
3769
3770
wpa_sm_pmksa_cache_head(struct wpa_sm * sm)3771 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
3772 {
3773 return pmksa_cache_head(sm->pmksa);
3774 }
3775
3776
3777 struct rsn_pmksa_cache_entry *
wpa_sm_pmksa_cache_add_entry(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)3778 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
3779 struct rsn_pmksa_cache_entry * entry)
3780 {
3781 return pmksa_cache_add_entry(sm->pmksa, entry);
3782 }
3783
3784
wpa_sm_pmksa_cache_add(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid,const u8 * fils_cache_id)3785 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
3786 const u8 *pmkid, const u8 *bssid,
3787 const u8 *fils_cache_id)
3788 {
3789 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
3790 bssid, sm->own_addr, sm->network_ctx,
3791 sm->key_mgmt, fils_cache_id);
3792 }
3793
3794
wpa_sm_pmksa_exists(struct wpa_sm * sm,const u8 * bssid,const void * network_ctx)3795 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid,
3796 const void *network_ctx)
3797 {
3798 return pmksa_cache_get(sm->pmksa, bssid, NULL, network_ctx, 0) != NULL;
3799 }
3800
3801
wpa_sm_pmksa_cache_get(struct wpa_sm * sm,const u8 * aa,const u8 * pmkid,const void * network_ctx,int akmp)3802 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_get(struct wpa_sm *sm,
3803 const u8 *aa,
3804 const u8 *pmkid,
3805 const void *network_ctx,
3806 int akmp)
3807 {
3808 return pmksa_cache_get(sm->pmksa, aa, pmkid, network_ctx, akmp);
3809 }
3810
3811
wpa_sm_drop_sa(struct wpa_sm * sm)3812 void wpa_sm_drop_sa(struct wpa_sm *sm)
3813 {
3814 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
3815 sm->ptk_set = 0;
3816 sm->tptk_set = 0;
3817 sm->pmk_len = 0;
3818 os_memset(sm->pmk, 0, sizeof(sm->pmk));
3819 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
3820 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3821 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
3822 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
3823 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
3824 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
3825 #ifdef CONFIG_IEEE80211R
3826 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
3827 sm->xxkey_len = 0;
3828 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
3829 sm->pmk_r0_len = 0;
3830 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
3831 sm->pmk_r1_len = 0;
3832 #ifdef CONFIG_PASN
3833 os_free(sm->pasn_r1kh);
3834 sm->pasn_r1kh = NULL;
3835 sm->n_pasn_r1kh = 0;
3836 #endif /* CONFIG_PASN */
3837 #endif /* CONFIG_IEEE80211R */
3838 }
3839
3840
wpa_sm_has_ptk(struct wpa_sm * sm)3841 int wpa_sm_has_ptk(struct wpa_sm *sm)
3842 {
3843 if (sm == NULL)
3844 return 0;
3845 return sm->ptk_set;
3846 }
3847
3848
wpa_sm_has_ptk_installed(struct wpa_sm * sm)3849 int wpa_sm_has_ptk_installed(struct wpa_sm *sm)
3850 {
3851 if (!sm)
3852 return 0;
3853 return sm->ptk.installed;
3854 }
3855
3856
wpa_sm_update_replay_ctr(struct wpa_sm * sm,const u8 * replay_ctr)3857 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
3858 {
3859 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
3860 }
3861
3862
wpa_sm_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)3863 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
3864 {
3865 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0);
3866 }
3867
3868 #ifdef CONFIG_DRIVER_NL80211_BRCM
wpa_sm_install_pmk(struct wpa_sm * sm)3869 void wpa_sm_install_pmk(struct wpa_sm *sm)
3870 {
3871 /* In case the driver wants to handle re-assocs, pass it down the PMK. */
3872 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->pairwise_cipher), NULL, 0, 0, NULL, 0,
3873 (u8*)sm->pmk, sm->pmk_len, KEY_FLAG_PMK) < 0) {
3874 wpa_hexdump(MSG_DEBUG, "PSK: Install PMK to the driver for driver reassociations",
3875 (u8*)sm->pmk, sm->pmk_len);
3876 /* No harm if the driver doesn't support. */
3877 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
3878 "WPA: Failed to set PMK to the driver");
3879 }
3880 }
3881
wpa_sm_notify_brcm_ft_reassoc(struct wpa_sm * sm,const u8 * bssid)3882 void wpa_sm_notify_brcm_ft_reassoc(struct wpa_sm *sm, const u8 *bssid)
3883 {
3884 u8 buf[256];
3885 struct wpa_supplicant *wpa_s = sm->ctx->ctx;
3886
3887 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3888 "WPA: BRCM FT Reassociation event - clear replay counter");
3889 os_memcpy(sm->bssid, bssid, ETH_ALEN);
3890 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
3891 sm->rx_replay_counter_set = 0;
3892
3893 if (wpa_drv_driver_cmd(wpa_s, "GET_FTKEY", (char *)buf, sizeof(buf)) < 0) {
3894 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
3895 "WPA: Failed to get FT KEY information");
3896 wpa_supplicant_deauthenticate(
3897 wpa_s, WLAN_REASON_DEAUTH_LEAVING);
3898
3899 } else {
3900 /* update kck and kek */
3901 os_memcpy(sm->ptk.kck, buf, 16);
3902 os_memcpy(sm->ptk.kek, buf + 16, 16);
3903 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3904 "WPA: Updated KCK and KEK after FT reassoc");
3905 }
3906 }
3907 #endif /* CONFIG_DRIVER_NL80211_BRCM */
3908
3909 #ifdef CONFIG_WNM
wpa_wnmsleep_install_key(struct wpa_sm * sm,u8 subelem_id,u8 * buf)3910 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
3911 {
3912 u16 keyinfo;
3913 u8 keylen; /* plaintext key len */
3914 u8 *key_rsc;
3915
3916 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
3917 struct wpa_gtk_data gd;
3918
3919 os_memset(&gd, 0, sizeof(gd));
3920 keylen = wpa_cipher_key_len(sm->group_cipher);
3921 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
3922 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
3923 if (gd.alg == WPA_ALG_NONE) {
3924 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
3925 return -1;
3926 }
3927
3928 key_rsc = buf + 5;
3929 keyinfo = WPA_GET_LE16(buf + 2);
3930 gd.gtk_len = keylen;
3931 if (gd.gtk_len != buf[4]) {
3932 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
3933 gd.gtk_len, buf[4]);
3934 return -1;
3935 }
3936 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
3937 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
3938 sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
3939
3940 os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
3941
3942 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
3943 gd.gtk, gd.gtk_len);
3944 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
3945 forced_memzero(&gd, sizeof(gd));
3946 wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
3947 "WNM mode");
3948 return -1;
3949 }
3950 forced_memzero(&gd, sizeof(gd));
3951 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
3952 const struct wpa_igtk_kde *igtk;
3953
3954 igtk = (const struct wpa_igtk_kde *) (buf + 2);
3955 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
3956 return -1;
3957 } else if (subelem_id == WNM_SLEEP_SUBELEM_BIGTK) {
3958 const struct wpa_bigtk_kde *bigtk;
3959
3960 bigtk = (const struct wpa_bigtk_kde *) (buf + 2);
3961 if (sm->beacon_prot &&
3962 wpa_supplicant_install_bigtk(sm, bigtk, 1) < 0)
3963 return -1;
3964 } else {
3965 wpa_printf(MSG_DEBUG, "Unknown element id");
3966 return -1;
3967 }
3968
3969 return 0;
3970 }
3971 #endif /* CONFIG_WNM */
3972
3973
3974 #ifdef CONFIG_P2P
3975
wpa_sm_get_p2p_ip_addr(struct wpa_sm * sm,u8 * buf)3976 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
3977 {
3978 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
3979 return -1;
3980 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
3981 return 0;
3982 }
3983
3984 #endif /* CONFIG_P2P */
3985
3986
wpa_sm_set_rx_replay_ctr(struct wpa_sm * sm,const u8 * rx_replay_counter)3987 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
3988 {
3989 if (rx_replay_counter == NULL)
3990 return;
3991
3992 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
3993 WPA_REPLAY_COUNTER_LEN);
3994 sm->rx_replay_counter_set = 1;
3995 wpa_printf(MSG_DEBUG, "Updated key replay counter");
3996 }
3997
3998
wpa_sm_set_ptk_kck_kek(struct wpa_sm * sm,const u8 * ptk_kck,size_t ptk_kck_len,const u8 * ptk_kek,size_t ptk_kek_len)3999 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
4000 const u8 *ptk_kck, size_t ptk_kck_len,
4001 const u8 *ptk_kek, size_t ptk_kek_len)
4002 {
4003 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
4004 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
4005 sm->ptk.kck_len = ptk_kck_len;
4006 wpa_printf(MSG_DEBUG, "Updated PTK KCK");
4007 }
4008 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
4009 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
4010 sm->ptk.kek_len = ptk_kek_len;
4011 wpa_printf(MSG_DEBUG, "Updated PTK KEK");
4012 }
4013 sm->ptk_set = 1;
4014 }
4015
4016
4017 #ifdef CONFIG_TESTING_OPTIONS
4018
wpa_sm_set_test_assoc_ie(struct wpa_sm * sm,struct wpabuf * buf)4019 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
4020 {
4021 wpabuf_free(sm->test_assoc_ie);
4022 sm->test_assoc_ie = buf;
4023 }
4024
4025
wpa_sm_get_anonce(struct wpa_sm * sm)4026 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm)
4027 {
4028 return sm->anonce;
4029 }
4030
4031 #endif /* CONFIG_TESTING_OPTIONS */
4032
4033
wpa_sm_get_key_mgmt(struct wpa_sm * sm)4034 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm)
4035 {
4036 return sm->key_mgmt;
4037 }
4038
4039
4040 #ifdef CONFIG_FILS
4041
fils_build_auth(struct wpa_sm * sm,int dh_group,const u8 * md)4042 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md)
4043 {
4044 struct wpabuf *buf = NULL;
4045 struct wpabuf *erp_msg;
4046 struct wpabuf *pub = NULL;
4047
4048 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
4049 if (!erp_msg && !sm->cur_pmksa) {
4050 wpa_printf(MSG_DEBUG,
4051 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
4052 goto fail;
4053 }
4054
4055 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
4056 erp_msg != NULL, sm->cur_pmksa != NULL);
4057
4058 sm->fils_completed = 0;
4059
4060 if (!sm->assoc_wpa_ie) {
4061 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
4062 goto fail;
4063 }
4064
4065 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
4066 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
4067 goto fail;
4068
4069 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
4070 sm->fils_nonce, FILS_NONCE_LEN);
4071 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
4072 sm->fils_session, FILS_SESSION_LEN);
4073
4074 #ifdef CONFIG_FILS_SK_PFS
4075 sm->fils_dh_group = dh_group;
4076 if (dh_group) {
4077 crypto_ecdh_deinit(sm->fils_ecdh);
4078 sm->fils_ecdh = crypto_ecdh_init(dh_group);
4079 if (!sm->fils_ecdh) {
4080 wpa_printf(MSG_INFO,
4081 "FILS: Could not initialize ECDH with group %d",
4082 dh_group);
4083 goto fail;
4084 }
4085 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
4086 if (!pub)
4087 goto fail;
4088 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)",
4089 pub);
4090 sm->fils_dh_elem_len = wpabuf_len(pub);
4091 }
4092 #endif /* CONFIG_FILS_SK_PFS */
4093
4094 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
4095 (pub ? wpabuf_len(pub) : 0));
4096 if (!buf)
4097 goto fail;
4098
4099 /* Fields following the Authentication algorithm number field */
4100
4101 /* Authentication Transaction seq# */
4102 wpabuf_put_le16(buf, 1);
4103
4104 /* Status Code */
4105 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
4106
4107 /* TODO: FILS PK */
4108 #ifdef CONFIG_FILS_SK_PFS
4109 if (dh_group) {
4110 /* Finite Cyclic Group */
4111 wpabuf_put_le16(buf, dh_group);
4112 /* Element */
4113 wpabuf_put_buf(buf, pub);
4114 }
4115 #endif /* CONFIG_FILS_SK_PFS */
4116
4117 /* RSNE */
4118 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
4119 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
4120 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
4121
4122 if (md) {
4123 /* MDE when using FILS for FT initial association */
4124 struct rsn_mdie *mdie;
4125
4126 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN);
4127 wpabuf_put_u8(buf, sizeof(*mdie));
4128 mdie = wpabuf_put(buf, sizeof(*mdie));
4129 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
4130 mdie->ft_capab = 0;
4131 }
4132
4133 /* FILS Nonce */
4134 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4135 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
4136 /* Element ID Extension */
4137 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
4138 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
4139
4140 /* FILS Session */
4141 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4142 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
4143 /* Element ID Extension */
4144 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
4145 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
4146
4147 /* Wrapped Data */
4148 sm->fils_erp_pmkid_set = 0;
4149 if (erp_msg) {
4150 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4151 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
4152 /* Element ID Extension */
4153 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
4154 wpabuf_put_buf(buf, erp_msg);
4155 /* Calculate pending PMKID here so that we do not need to
4156 * maintain a copy of the EAP-Initiate/Reauth message. */
4157 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
4158 wpabuf_len(erp_msg),
4159 sm->fils_erp_pmkid) == 0)
4160 sm->fils_erp_pmkid_set = 1;
4161 }
4162
4163 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
4164 buf);
4165
4166 fail:
4167 wpabuf_free(erp_msg);
4168 wpabuf_free(pub);
4169 return buf;
4170 }
4171
4172
fils_process_auth(struct wpa_sm * sm,const u8 * bssid,const u8 * data,size_t len)4173 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
4174 size_t len)
4175 {
4176 const u8 *pos, *end;
4177 struct ieee802_11_elems elems;
4178 struct wpa_ie_data rsn;
4179 int pmkid_match = 0;
4180 u8 ick[FILS_ICK_MAX_LEN];
4181 size_t ick_len;
4182 int res;
4183 struct wpabuf *dh_ss = NULL;
4184 const u8 *g_sta = NULL;
4185 size_t g_sta_len = 0;
4186 const u8 *g_ap = NULL;
4187 size_t g_ap_len = 0, kdk_len;
4188 struct wpabuf *pub = NULL;
4189
4190 os_memcpy(sm->bssid, bssid, ETH_ALEN);
4191
4192 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
4193 data, len);
4194 pos = data;
4195 end = data + len;
4196
4197 /* TODO: FILS PK */
4198 #ifdef CONFIG_FILS_SK_PFS
4199 if (sm->fils_dh_group) {
4200 u16 group;
4201
4202 /* Using FILS PFS */
4203
4204 /* Finite Cyclic Group */
4205 if (end - pos < 2) {
4206 wpa_printf(MSG_DEBUG,
4207 "FILS: No room for Finite Cyclic Group");
4208 goto fail;
4209 }
4210 group = WPA_GET_LE16(pos);
4211 pos += 2;
4212 if (group != sm->fils_dh_group) {
4213 wpa_printf(MSG_DEBUG,
4214 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
4215 group, sm->fils_dh_group);
4216 goto fail;
4217 }
4218
4219 /* Element */
4220 if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
4221 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
4222 goto fail;
4223 }
4224
4225 if (!sm->fils_ecdh) {
4226 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available");
4227 goto fail;
4228 }
4229 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
4230 sm->fils_dh_elem_len);
4231 if (!dh_ss) {
4232 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
4233 goto fail;
4234 }
4235 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss);
4236 g_ap = pos;
4237 g_ap_len = sm->fils_dh_elem_len;
4238 pos += sm->fils_dh_elem_len;
4239 }
4240 #endif /* CONFIG_FILS_SK_PFS */
4241
4242 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
4243 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
4244 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
4245 goto fail;
4246 }
4247
4248 /* RSNE */
4249 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
4250 elems.rsn_ie_len);
4251 if (!elems.rsn_ie ||
4252 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
4253 &rsn) < 0) {
4254 wpa_printf(MSG_DEBUG, "FILS: No RSN element");
4255 goto fail;
4256 }
4257
4258 if (!elems.fils_nonce) {
4259 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
4260 goto fail;
4261 }
4262 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
4263 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
4264
4265 #ifdef CONFIG_IEEE80211R
4266 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
4267 struct wpa_ft_ies parse;
4268
4269 if (!elems.mdie || !elems.ftie) {
4270 wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE");
4271 goto fail;
4272 }
4273
4274 if (wpa_ft_parse_ies(pos, end - pos, &parse,
4275 wpa_key_mgmt_sha384(sm->key_mgmt)) < 0) {
4276 wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs");
4277 goto fail;
4278 }
4279
4280 if (!parse.r0kh_id) {
4281 wpa_printf(MSG_DEBUG,
4282 "FILS+FT: No R0KH-ID subelem in FTE");
4283 goto fail;
4284 }
4285 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
4286 sm->r0kh_id_len = parse.r0kh_id_len;
4287 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
4288 sm->r0kh_id, sm->r0kh_id_len);
4289
4290 if (!parse.r1kh_id) {
4291 wpa_printf(MSG_DEBUG,
4292 "FILS+FT: No R1KH-ID subelem in FTE");
4293 goto fail;
4294 }
4295 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
4296 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID",
4297 sm->r1kh_id, FT_R1KH_ID_LEN);
4298
4299 /* TODO: Check MDE and FTE payload */
4300
4301 wpabuf_free(sm->fils_ft_ies);
4302 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len +
4303 2 + elems.ftie_len);
4304 if (!sm->fils_ft_ies)
4305 goto fail;
4306 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2,
4307 2 + elems.mdie_len);
4308 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2,
4309 2 + elems.ftie_len);
4310 } else {
4311 wpabuf_free(sm->fils_ft_ies);
4312 sm->fils_ft_ies = NULL;
4313 }
4314 #endif /* CONFIG_IEEE80211R */
4315
4316 /* PMKID List */
4317 if (rsn.pmkid && rsn.num_pmkid > 0) {
4318 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
4319 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
4320
4321 if (rsn.num_pmkid != 1) {
4322 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
4323 goto fail;
4324 }
4325 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
4326 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
4327 {
4328 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
4329 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
4330 sm->cur_pmksa->pmkid, PMKID_LEN);
4331 goto fail;
4332 }
4333 wpa_printf(MSG_DEBUG,
4334 "FILS: Matching PMKID - continue using PMKSA caching");
4335 pmkid_match = 1;
4336 }
4337 if (!pmkid_match && sm->cur_pmksa) {
4338 wpa_printf(MSG_DEBUG,
4339 "FILS: No PMKID match - cannot use cached PMKSA entry");
4340 sm->cur_pmksa = NULL;
4341 }
4342
4343 /* FILS Session */
4344 if (!elems.fils_session) {
4345 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
4346 goto fail;
4347 }
4348 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
4349 FILS_SESSION_LEN);
4350 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
4351 != 0) {
4352 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
4353 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
4354 sm->fils_session, FILS_SESSION_LEN);
4355 goto fail;
4356 }
4357
4358 /* Wrapped Data */
4359 if (!sm->cur_pmksa && elems.wrapped_data) {
4360 u8 rmsk[ERP_MAX_KEY_LEN];
4361 size_t rmsk_len;
4362
4363 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
4364 elems.wrapped_data,
4365 elems.wrapped_data_len);
4366 eapol_sm_process_erp_finish(sm->eapol, elems.wrapped_data,
4367 elems.wrapped_data_len);
4368 if (eapol_sm_failed(sm->eapol))
4369 goto fail;
4370
4371 rmsk_len = ERP_MAX_KEY_LEN;
4372 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
4373 if (res == PMK_LEN) {
4374 rmsk_len = PMK_LEN;
4375 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
4376 }
4377 if (res)
4378 goto fail;
4379
4380 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
4381 sm->fils_nonce, sm->fils_anonce,
4382 dh_ss ? wpabuf_head(dh_ss) : NULL,
4383 dh_ss ? wpabuf_len(dh_ss) : 0,
4384 sm->pmk, &sm->pmk_len);
4385 forced_memzero(rmsk, sizeof(rmsk));
4386
4387 /* Don't use DHss in PTK derivation if PMKSA caching is not
4388 * used. */
4389 wpabuf_clear_free(dh_ss);
4390 dh_ss = NULL;
4391
4392 if (res)
4393 goto fail;
4394
4395 if (!sm->fils_erp_pmkid_set) {
4396 wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
4397 goto fail;
4398 }
4399 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
4400 PMKID_LEN);
4401 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
4402 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
4403 sm->fils_erp_pmkid, NULL, 0,
4404 sm->bssid, sm->own_addr,
4405 sm->network_ctx, sm->key_mgmt,
4406 NULL);
4407 }
4408
4409 if (!sm->cur_pmksa) {
4410 wpa_printf(MSG_DEBUG,
4411 "FILS: No remaining options to continue FILS authentication");
4412 goto fail;
4413 }
4414
4415 if (sm->force_kdk_derivation ||
4416 (sm->secure_ltf && sm->ap_rsnxe && sm->ap_rsnxe_len >= 4 &&
4417 sm->ap_rsnxe[3] & BIT(WLAN_RSNX_CAPAB_SECURE_LTF - 8)))
4418 kdk_len = WPA_KDK_MAX_LEN;
4419 else
4420 kdk_len = 0;
4421
4422 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid,
4423 sm->fils_nonce, sm->fils_anonce,
4424 dh_ss ? wpabuf_head(dh_ss) : NULL,
4425 dh_ss ? wpabuf_len(dh_ss) : 0,
4426 &sm->ptk, ick, &ick_len,
4427 sm->key_mgmt, sm->pairwise_cipher,
4428 sm->fils_ft, &sm->fils_ft_len,
4429 kdk_len) < 0) {
4430 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
4431 goto fail;
4432 }
4433
4434 wpabuf_clear_free(dh_ss);
4435 dh_ss = NULL;
4436
4437 sm->ptk_set = 1;
4438 sm->tptk_set = 0;
4439 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
4440
4441 #ifdef CONFIG_FILS_SK_PFS
4442 if (sm->fils_dh_group) {
4443 if (!sm->fils_ecdh) {
4444 wpa_printf(MSG_INFO, "FILS: ECDH not initialized");
4445 goto fail;
4446 }
4447 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
4448 if (!pub)
4449 goto fail;
4450 wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub);
4451 g_sta = wpabuf_head(pub);
4452 g_sta_len = wpabuf_len(pub);
4453 if (!g_ap) {
4454 wpa_printf(MSG_INFO, "FILS: gAP not available");
4455 goto fail;
4456 }
4457 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
4458 }
4459 #endif /* CONFIG_FILS_SK_PFS */
4460
4461 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
4462 sm->fils_anonce, sm->own_addr, sm->bssid,
4463 g_sta, g_sta_len, g_ap, g_ap_len,
4464 sm->key_mgmt, sm->fils_key_auth_sta,
4465 sm->fils_key_auth_ap,
4466 &sm->fils_key_auth_len);
4467 wpabuf_free(pub);
4468 forced_memzero(ick, sizeof(ick));
4469 return res;
4470 fail:
4471 wpabuf_free(pub);
4472 wpabuf_clear_free(dh_ss);
4473 return -1;
4474 }
4475
4476
4477 #ifdef CONFIG_IEEE80211R
fils_ft_build_assoc_req_rsne(struct wpa_sm * sm,struct wpabuf * buf)4478 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf)
4479 {
4480 struct rsn_ie_hdr *rsnie;
4481 u16 capab;
4482 u8 *pos;
4483 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
4484
4485 /* RSNIE[PMKR0Name/PMKR1Name] */
4486 rsnie = wpabuf_put(buf, sizeof(*rsnie));
4487 rsnie->elem_id = WLAN_EID_RSN;
4488 WPA_PUT_LE16(rsnie->version, RSN_VERSION);
4489
4490 /* Group Suite Selector */
4491 if (!wpa_cipher_valid_group(sm->group_cipher)) {
4492 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
4493 sm->group_cipher);
4494 return -1;
4495 }
4496 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4497 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
4498 sm->group_cipher));
4499
4500 /* Pairwise Suite Count */
4501 wpabuf_put_le16(buf, 1);
4502
4503 /* Pairwise Suite List */
4504 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
4505 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
4506 sm->pairwise_cipher);
4507 return -1;
4508 }
4509 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4510 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
4511 sm->pairwise_cipher));
4512
4513 /* Authenticated Key Management Suite Count */
4514 wpabuf_put_le16(buf, 1);
4515
4516 /* Authenticated Key Management Suite List */
4517 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4518 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
4519 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
4520 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384)
4521 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
4522 else {
4523 wpa_printf(MSG_WARNING,
4524 "FILS+FT: Invalid key management type (%d)",
4525 sm->key_mgmt);
4526 return -1;
4527 }
4528
4529 /* RSN Capabilities */
4530 capab = 0;
4531 if (sm->mfp)
4532 capab |= WPA_CAPABILITY_MFPC;
4533 if (sm->mfp == 2)
4534 capab |= WPA_CAPABILITY_MFPR;
4535 if (sm->ocv)
4536 capab |= WPA_CAPABILITY_OCVC;
4537 if (sm->ext_key_id)
4538 capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST;
4539 wpabuf_put_le16(buf, capab);
4540
4541 /* PMKID Count */
4542 wpabuf_put_le16(buf, 1);
4543
4544 /* PMKID List [PMKR1Name] */
4545 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)",
4546 sm->fils_ft, sm->fils_ft_len);
4547 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len);
4548 wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID",
4549 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
4550 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
4551 sm->r0kh_id, sm->r0kh_id_len);
4552 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid,
4553 sm->ssid_len, sm->mobility_domain,
4554 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
4555 sm->pmk_r0, sm->pmk_r0_name, use_sha384) < 0) {
4556 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0");
4557 return -1;
4558 }
4559 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
4560 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR,
4561 MAC2STR(sm->r1kh_id));
4562 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
4563 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
4564 sm->pmk_r1_name, use_sha384) < 0) {
4565 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
4566 return -1;
4567 }
4568 os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN);
4569
4570 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
4571 /* Management Group Cipher Suite */
4572 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4573 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
4574 }
4575
4576 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2;
4577 return 0;
4578 }
4579 #endif /* CONFIG_IEEE80211R */
4580
4581
fils_build_assoc_req(struct wpa_sm * sm,const u8 ** kek,size_t * kek_len,const u8 ** snonce,const u8 ** anonce,const struct wpabuf ** hlp,unsigned int num_hlp)4582 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
4583 size_t *kek_len, const u8 **snonce,
4584 const u8 **anonce,
4585 const struct wpabuf **hlp,
4586 unsigned int num_hlp)
4587 {
4588 struct wpabuf *buf;
4589 size_t len;
4590 unsigned int i;
4591
4592 len = 1000;
4593 #ifdef CONFIG_IEEE80211R
4594 if (sm->fils_ft_ies)
4595 len += wpabuf_len(sm->fils_ft_ies);
4596 if (wpa_key_mgmt_ft(sm->key_mgmt))
4597 len += 256;
4598 #endif /* CONFIG_IEEE80211R */
4599 for (i = 0; hlp && i < num_hlp; i++)
4600 len += 10 + wpabuf_len(hlp[i]);
4601 buf = wpabuf_alloc(len);
4602 if (!buf)
4603 return NULL;
4604
4605 #ifdef CONFIG_IEEE80211R
4606 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
4607 /* MDE and FTE when using FILS+FT */
4608 wpabuf_put_buf(buf, sm->fils_ft_ies);
4609 /* RSNE with PMKR1Name in PMKID field */
4610 if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) {
4611 wpabuf_free(buf);
4612 return NULL;
4613 }
4614 }
4615 #endif /* CONFIG_IEEE80211R */
4616
4617 /* FILS Session */
4618 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4619 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
4620 /* Element ID Extension */
4621 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
4622 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
4623
4624 /* Everything after FILS Session element gets encrypted in the driver
4625 * with KEK. The buffer returned from here is the plaintext version. */
4626
4627 /* TODO: FILS Public Key */
4628
4629 /* FILS Key Confirm */
4630 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4631 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
4632 /* Element ID Extension */
4633 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
4634 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
4635
4636 /* FILS HLP Container */
4637 for (i = 0; hlp && i < num_hlp; i++) {
4638 const u8 *pos = wpabuf_head(hlp[i]);
4639 size_t left = wpabuf_len(hlp[i]);
4640
4641 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4642 if (left <= 254)
4643 len = 1 + left;
4644 else
4645 len = 255;
4646 wpabuf_put_u8(buf, len); /* Length */
4647 /* Element ID Extension */
4648 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
4649 /* Destination MAC Address, Source MAC Address, HLP Packet.
4650 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
4651 * header when LPD is used). */
4652 wpabuf_put_data(buf, pos, len - 1);
4653 pos += len - 1;
4654 left -= len - 1;
4655 while (left) {
4656 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
4657 len = left > 255 ? 255 : left;
4658 wpabuf_put_u8(buf, len);
4659 wpabuf_put_data(buf, pos, len);
4660 pos += len;
4661 left -= len;
4662 }
4663 }
4664
4665 /* TODO: FILS IP Address Assignment */
4666
4667 #ifdef CONFIG_OCV
4668 if (wpa_sm_ocv_enabled(sm)) {
4669 struct wpa_channel_info ci;
4670 u8 *pos;
4671
4672 if (wpa_sm_channel_info(sm, &ci) != 0) {
4673 wpa_printf(MSG_WARNING,
4674 "FILS: Failed to get channel info for OCI element");
4675 wpabuf_free(buf);
4676 return NULL;
4677 }
4678 #ifdef CONFIG_TESTING_OPTIONS
4679 if (sm->oci_freq_override_fils_assoc) {
4680 wpa_printf(MSG_INFO,
4681 "TEST: Override OCI KDE frequency %d -> %d MHz",
4682 ci.frequency,
4683 sm->oci_freq_override_fils_assoc);
4684 ci.frequency = sm->oci_freq_override_fils_assoc;
4685 }
4686 #endif /* CONFIG_TESTING_OPTIONS */
4687
4688 pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN);
4689 if (ocv_insert_extended_oci(&ci, pos) < 0) {
4690 wpabuf_free(buf);
4691 return NULL;
4692 }
4693 }
4694 #endif /* CONFIG_OCV */
4695
4696 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
4697
4698 *kek = sm->ptk.kek;
4699 *kek_len = sm->ptk.kek_len;
4700 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
4701 *snonce = sm->fils_nonce;
4702 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
4703 *snonce, FILS_NONCE_LEN);
4704 *anonce = sm->fils_anonce;
4705 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
4706 *anonce, FILS_NONCE_LEN);
4707
4708 return buf;
4709 }
4710
4711
fils_process_hlp_resp(struct wpa_sm * sm,const u8 * resp,size_t len)4712 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
4713 {
4714 const u8 *pos, *end;
4715
4716 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
4717 if (len < 2 * ETH_ALEN)
4718 return;
4719 pos = resp + 2 * ETH_ALEN;
4720 end = resp + len;
4721 if (end - pos >= 6 &&
4722 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
4723 pos += 6; /* Remove SNAP/LLC header */
4724 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
4725 }
4726
4727
fils_process_hlp_container(struct wpa_sm * sm,const u8 * pos,size_t len)4728 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
4729 size_t len)
4730 {
4731 const u8 *end = pos + len;
4732 u8 *tmp, *tmp_pos;
4733
4734 /* Check if there are any FILS HLP Container elements */
4735 while (end - pos >= 2) {
4736 if (2 + pos[1] > end - pos)
4737 return;
4738 if (pos[0] == WLAN_EID_EXTENSION &&
4739 pos[1] >= 1 + 2 * ETH_ALEN &&
4740 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
4741 break;
4742 pos += 2 + pos[1];
4743 }
4744 if (end - pos < 2)
4745 return; /* No FILS HLP Container elements */
4746
4747 tmp = os_malloc(end - pos);
4748 if (!tmp)
4749 return;
4750
4751 while (end - pos >= 2) {
4752 if (2 + pos[1] > end - pos ||
4753 pos[0] != WLAN_EID_EXTENSION ||
4754 pos[1] < 1 + 2 * ETH_ALEN ||
4755 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
4756 break;
4757 tmp_pos = tmp;
4758 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
4759 tmp_pos += pos[1] - 1;
4760 pos += 2 + pos[1];
4761
4762 /* Add possible fragments */
4763 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
4764 2 + pos[1] <= end - pos) {
4765 os_memcpy(tmp_pos, pos + 2, pos[1]);
4766 tmp_pos += pos[1];
4767 pos += 2 + pos[1];
4768 }
4769
4770 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
4771 }
4772
4773 os_free(tmp);
4774 }
4775
4776
fils_process_assoc_resp(struct wpa_sm * sm,const u8 * resp,size_t len)4777 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
4778 {
4779 const struct ieee80211_mgmt *mgmt;
4780 const u8 *end, *ie_start;
4781 struct ieee802_11_elems elems;
4782 int keylen, rsclen;
4783 enum wpa_alg alg;
4784 struct wpa_gtk_data gd;
4785 int maxkeylen;
4786 struct wpa_eapol_ie_parse kde;
4787
4788 if (!sm || !sm->ptk_set) {
4789 wpa_printf(MSG_DEBUG, "FILS: No KEK available");
4790 return -1;
4791 }
4792
4793 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
4794 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
4795 return -1;
4796 }
4797
4798 if (sm->fils_completed) {
4799 wpa_printf(MSG_DEBUG,
4800 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
4801 return -1;
4802 }
4803
4804 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
4805 resp, len);
4806
4807 mgmt = (const struct ieee80211_mgmt *) resp;
4808 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
4809 return -1;
4810
4811 end = resp + len;
4812 /* Same offset for Association Response and Reassociation Response */
4813 ie_start = mgmt->u.assoc_resp.variable;
4814
4815 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
4816 ParseFailed) {
4817 wpa_printf(MSG_DEBUG,
4818 "FILS: Failed to parse decrypted elements");
4819 goto fail;
4820 }
4821
4822 if (!elems.fils_session) {
4823 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
4824 return -1;
4825 }
4826 if (os_memcmp(elems.fils_session, sm->fils_session,
4827 FILS_SESSION_LEN) != 0) {
4828 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
4829 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
4830 elems.fils_session, FILS_SESSION_LEN);
4831 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
4832 sm->fils_session, FILS_SESSION_LEN);
4833 }
4834
4835 if (!elems.rsn_ie) {
4836 wpa_printf(MSG_DEBUG,
4837 "FILS: No RSNE in (Re)Association Response");
4838 /* As an interop workaround, allow this for now since IEEE Std
4839 * 802.11ai-2016 did not include all the needed changes to make
4840 * a FILS AP include RSNE in the frame. This workaround might
4841 * eventually be removed and replaced with rejection (goto fail)
4842 * to follow a strict interpretation of the standard. */
4843 } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
4844 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
4845 elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
4846 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4847 "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
4848 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
4849 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
4850 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
4851 elems.rsn_ie, elems.rsn_ie_len);
4852 goto fail;
4853 }
4854
4855 /* TODO: FILS Public Key */
4856
4857 if (!elems.fils_key_confirm) {
4858 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
4859 goto fail;
4860 }
4861 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
4862 wpa_printf(MSG_DEBUG,
4863 "FILS: Unexpected Key-Auth length %d (expected %d)",
4864 elems.fils_key_confirm_len,
4865 (int) sm->fils_key_auth_len);
4866 goto fail;
4867 }
4868 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
4869 sm->fils_key_auth_len) != 0) {
4870 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
4871 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
4872 elems.fils_key_confirm,
4873 elems.fils_key_confirm_len);
4874 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
4875 sm->fils_key_auth_ap, sm->fils_key_auth_len);
4876 goto fail;
4877 }
4878
4879 #ifdef CONFIG_OCV
4880 if (wpa_sm_ocv_enabled(sm)) {
4881 struct wpa_channel_info ci;
4882
4883 if (wpa_sm_channel_info(sm, &ci) != 0) {
4884 wpa_printf(MSG_WARNING,
4885 "Failed to get channel info to validate received OCI in FILS (Re)Association Response frame");
4886 goto fail;
4887 }
4888
4889 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
4890 channel_width_to_int(ci.chanwidth),
4891 ci.seg1_idx) != OCI_SUCCESS) {
4892 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
4893 "addr=" MACSTR " frame=fils-assoc error=%s",
4894 MAC2STR(sm->bssid), ocv_errorstr);
4895 goto fail;
4896 }
4897 }
4898 #endif /* CONFIG_OCV */
4899
4900 #ifdef CONFIG_IEEE80211R
4901 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
4902 struct wpa_ie_data rsn;
4903
4904 /* Check that PMKR1Name derived by the AP matches */
4905 if (!elems.rsn_ie ||
4906 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
4907 &rsn) < 0 ||
4908 !rsn.pmkid || rsn.num_pmkid != 1 ||
4909 os_memcmp(rsn.pmkid, sm->pmk_r1_name,
4910 WPA_PMK_NAME_LEN) != 0) {
4911 wpa_printf(MSG_DEBUG,
4912 "FILS+FT: No RSNE[PMKR1Name] match in AssocResp");
4913 goto fail;
4914 }
4915 }
4916 #endif /* CONFIG_IEEE80211R */
4917
4918 /* Key Delivery */
4919 if (!elems.key_delivery) {
4920 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
4921 goto fail;
4922 }
4923
4924 /* Parse GTK and set the key to the driver */
4925 os_memset(&gd, 0, sizeof(gd));
4926 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
4927 elems.key_delivery_len - WPA_KEY_RSC_LEN,
4928 &kde) < 0) {
4929 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
4930 goto fail;
4931 }
4932 if (!kde.gtk) {
4933 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
4934 goto fail;
4935 }
4936 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
4937 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
4938 gd.gtk_len, maxkeylen,
4939 &gd.key_rsc_len, &gd.alg))
4940 goto fail;
4941
4942 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
4943 gd.keyidx = kde.gtk[0] & 0x3;
4944 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
4945 !!(kde.gtk[0] & BIT(2)));
4946 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
4947 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
4948 (unsigned long) kde.gtk_len - 2);
4949 goto fail;
4950 }
4951 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
4952
4953 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
4954 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
4955 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
4956 goto fail;
4957 }
4958
4959 if (ieee80211w_set_keys(sm, &kde) < 0) {
4960 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
4961 goto fail;
4962 }
4963
4964 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
4965 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
4966 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
4967 wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
4968 keylen, (long unsigned int) sm->ptk.tk_len);
4969 goto fail;
4970 }
4971
4972 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
4973 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
4974 sm->ptk.tk, keylen);
4975 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen,
4976 sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE_RX_TX) < 0) {
4977 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4978 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
4979 MACSTR ")",
4980 alg, keylen, MAC2STR(sm->bssid));
4981 goto fail;
4982 }
4983
4984 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
4985 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
4986
4987 /* TODO: TK could be cleared after auth frame exchange now that driver
4988 * takes care of association frame encryption/decryption. */
4989 /* TK is not needed anymore in supplicant */
4990 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
4991 sm->ptk.tk_len = 0;
4992 sm->ptk.installed = 1;
4993
4994 /* FILS HLP Container */
4995 fils_process_hlp_container(sm, ie_start, end - ie_start);
4996
4997 /* TODO: FILS IP Address Assignment */
4998
4999 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
5000 sm->fils_completed = 1;
5001 forced_memzero(&gd, sizeof(gd));
5002
5003 if (kde.transition_disable)
5004 wpa_sm_transition_disable(sm, kde.transition_disable[0]);
5005
5006 return 0;
5007 fail:
5008 forced_memzero(&gd, sizeof(gd));
5009 return -1;
5010 }
5011
5012
wpa_sm_set_reset_fils_completed(struct wpa_sm * sm,int set)5013 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set)
5014 {
5015 if (sm)
5016 sm->fils_completed = !!set;
5017 }
5018
5019 #endif /* CONFIG_FILS */
5020
5021
wpa_fils_is_completed(struct wpa_sm * sm)5022 int wpa_fils_is_completed(struct wpa_sm *sm)
5023 {
5024 #ifdef CONFIG_FILS
5025 return sm && sm->fils_completed;
5026 #else /* CONFIG_FILS */
5027 return 0;
5028 #endif /* CONFIG_FILS */
5029 }
5030
5031
5032 #ifdef CONFIG_OWE
5033
owe_build_assoc_req(struct wpa_sm * sm,u16 group)5034 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group)
5035 {
5036 struct wpabuf *ie = NULL, *pub = NULL;
5037 size_t prime_len;
5038
5039 if (group == 19)
5040 prime_len = 32;
5041 else if (group == 20)
5042 prime_len = 48;
5043 else if (group == 21)
5044 prime_len = 66;
5045 else
5046 return NULL;
5047
5048 crypto_ecdh_deinit(sm->owe_ecdh);
5049 sm->owe_ecdh = crypto_ecdh_init(group);
5050 if (!sm->owe_ecdh)
5051 goto fail;
5052 sm->owe_group = group;
5053 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
5054 pub = wpabuf_zeropad(pub, prime_len);
5055 if (!pub)
5056 goto fail;
5057
5058 ie = wpabuf_alloc(5 + wpabuf_len(pub));
5059 if (!ie)
5060 goto fail;
5061 wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
5062 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
5063 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
5064 wpabuf_put_le16(ie, group);
5065 wpabuf_put_buf(ie, pub);
5066 wpabuf_free(pub);
5067 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
5068 ie);
5069
5070 return ie;
5071 fail:
5072 wpabuf_free(pub);
5073 crypto_ecdh_deinit(sm->owe_ecdh);
5074 sm->owe_ecdh = NULL;
5075 return NULL;
5076 }
5077
5078
owe_process_assoc_resp(struct wpa_sm * sm,const u8 * bssid,const u8 * resp_ies,size_t resp_ies_len)5079 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
5080 const u8 *resp_ies, size_t resp_ies_len)
5081 {
5082 struct ieee802_11_elems elems;
5083 u16 group;
5084 struct wpabuf *secret, *pub, *hkey;
5085 int res;
5086 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
5087 const char *info = "OWE Key Generation";
5088 const u8 *addr[2];
5089 size_t len[2];
5090 size_t hash_len, prime_len;
5091 struct wpa_ie_data data;
5092
5093 if (!resp_ies ||
5094 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
5095 ParseFailed) {
5096 wpa_printf(MSG_INFO,
5097 "OWE: Could not parse Association Response frame elements");
5098 return -1;
5099 }
5100
5101 if (sm->cur_pmksa && elems.rsn_ie &&
5102 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len,
5103 &data) == 0 &&
5104 data.num_pmkid == 1 && data.pmkid &&
5105 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) {
5106 wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching");
5107 wpa_sm_set_pmk_from_pmksa(sm);
5108 return 0;
5109 }
5110
5111 if (!elems.owe_dh) {
5112 wpa_printf(MSG_INFO,
5113 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
5114 return -1;
5115 }
5116
5117 group = WPA_GET_LE16(elems.owe_dh);
5118 if (group != sm->owe_group) {
5119 wpa_printf(MSG_INFO,
5120 "OWE: Unexpected Diffie-Hellman group in response: %u",
5121 group);
5122 return -1;
5123 }
5124
5125 if (!sm->owe_ecdh) {
5126 wpa_printf(MSG_INFO, "OWE: No ECDH state available");
5127 return -1;
5128 }
5129
5130 if (group == 19)
5131 prime_len = 32;
5132 else if (group == 20)
5133 prime_len = 48;
5134 else if (group == 21)
5135 prime_len = 66;
5136 else
5137 return -1;
5138
5139 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
5140 elems.owe_dh + 2,
5141 elems.owe_dh_len - 2);
5142 secret = wpabuf_zeropad(secret, prime_len);
5143 if (!secret) {
5144 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
5145 return -1;
5146 }
5147 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
5148
5149 /* prk = HKDF-extract(C | A | group, z) */
5150
5151 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
5152 if (!pub) {
5153 wpabuf_clear_free(secret);
5154 return -1;
5155 }
5156
5157 /* PMKID = Truncate-128(Hash(C | A)) */
5158 addr[0] = wpabuf_head(pub);
5159 len[0] = wpabuf_len(pub);
5160 addr[1] = elems.owe_dh + 2;
5161 len[1] = elems.owe_dh_len - 2;
5162 if (group == 19) {
5163 res = sha256_vector(2, addr, len, pmkid);
5164 hash_len = SHA256_MAC_LEN;
5165 } else if (group == 20) {
5166 res = sha384_vector(2, addr, len, pmkid);
5167 hash_len = SHA384_MAC_LEN;
5168 } else if (group == 21) {
5169 res = sha512_vector(2, addr, len, pmkid);
5170 hash_len = SHA512_MAC_LEN;
5171 } else {
5172 res = -1;
5173 hash_len = 0;
5174 }
5175 pub = wpabuf_zeropad(pub, prime_len);
5176 if (res < 0 || !pub) {
5177 wpabuf_free(pub);
5178 wpabuf_clear_free(secret);
5179 return -1;
5180 }
5181
5182 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
5183 if (!hkey) {
5184 wpabuf_free(pub);
5185 wpabuf_clear_free(secret);
5186 return -1;
5187 }
5188
5189 wpabuf_put_buf(hkey, pub); /* C */
5190 wpabuf_free(pub);
5191 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
5192 wpabuf_put_le16(hkey, sm->owe_group); /* group */
5193 if (group == 19)
5194 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
5195 wpabuf_head(secret), wpabuf_len(secret), prk);
5196 else if (group == 20)
5197 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
5198 wpabuf_head(secret), wpabuf_len(secret), prk);
5199 else if (group == 21)
5200 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
5201 wpabuf_head(secret), wpabuf_len(secret), prk);
5202 wpabuf_clear_free(hkey);
5203 wpabuf_clear_free(secret);
5204 if (res < 0)
5205 return -1;
5206
5207 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
5208
5209 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
5210
5211 if (group == 19)
5212 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
5213 os_strlen(info), sm->pmk, hash_len);
5214 else if (group == 20)
5215 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
5216 os_strlen(info), sm->pmk, hash_len);
5217 else if (group == 21)
5218 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
5219 os_strlen(info), sm->pmk, hash_len);
5220 forced_memzero(prk, SHA512_MAC_LEN);
5221 if (res < 0) {
5222 sm->pmk_len = 0;
5223 return -1;
5224 }
5225 sm->pmk_len = hash_len;
5226
5227 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
5228 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
5229 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
5230 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
5231 NULL);
5232
5233 return 0;
5234 }
5235
5236 #endif /* CONFIG_OWE */
5237
5238
wpa_sm_set_fils_cache_id(struct wpa_sm * sm,const u8 * fils_cache_id)5239 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id)
5240 {
5241 #ifdef CONFIG_FILS
5242 if (sm && fils_cache_id) {
5243 sm->fils_cache_id_set = 1;
5244 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN);
5245 }
5246 #endif /* CONFIG_FILS */
5247 }
5248
5249
5250 #ifdef CONFIG_DPP2
wpa_sm_set_dpp_z(struct wpa_sm * sm,const struct wpabuf * z)5251 void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z)
5252 {
5253 if (sm) {
5254 wpabuf_clear_free(sm->dpp_z);
5255 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
5256 }
5257 }
5258 #endif /* CONFIG_DPP2 */
5259
5260
5261 #ifdef CONFIG_PASN
wpa_pasn_pmksa_cache_add(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid,int key_mgmt)5262 void wpa_pasn_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
5263 const u8 *pmkid, const u8 *bssid, int key_mgmt)
5264 {
5265 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
5266 bssid, sm->own_addr, NULL,
5267 key_mgmt, 0);
5268 }
5269 #endif /* CONFIG_PASN */
5270