1 /*
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
4 * Copyright(c) 2015 Intel Deutschland GmbH
5 *
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
8 */
9
10 #include "includes.h"
11
12 #include "common.h"
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "crypto/sha256.h"
19 #include "crypto/sha384.h"
20 #include "crypto/sha512.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/ieee802_11_common.h"
23 #include "common/ocv.h"
24 #include "common/dpp.h"
25 #include "common/wpa_ctrl.h"
26 #include "eap_common/eap_defs.h"
27 #include "eapol_supp/eapol_supp_sm.h"
28 #include "drivers/driver.h"
29 #include "wpa.h"
30 #include "eloop.h"
31 #include "preauth.h"
32 #include "pmksa_cache.h"
33 #include "wpa_i.h"
34 #include "wpa_ie.h"
35 #include "wpa_supplicant_i.h"
36 #include "driver_i.h"
37
38 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
39
40
41 /**
42 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
43 * @sm: Pointer to WPA state machine data from wpa_sm_init()
44 * @ptk: PTK for Key Confirmation/Encryption Key
45 * @ver: Version field from Key Info
46 * @dest: Destination address for the frame
47 * @proto: Ethertype (usually ETH_P_EAPOL)
48 * @msg: EAPOL-Key message
49 * @msg_len: Length of message
50 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
51 * Returns: >= 0 on success, < 0 on failure
52 */
wpa_eapol_key_send(struct wpa_sm * sm,struct wpa_ptk * ptk,int ver,const u8 * dest,u16 proto,u8 * msg,size_t msg_len,u8 * key_mic)53 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
54 int ver, const u8 *dest, u16 proto,
55 u8 *msg, size_t msg_len, u8 *key_mic)
56 {
57 int ret = -1;
58 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
59
60 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
61 " ver=%d mic_len=%d key_mgmt=0x%x",
62 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
63 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
64 /*
65 * Association event was not yet received; try to fetch
66 * BSSID from the driver.
67 */
68 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
69 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
70 "WPA: Failed to read BSSID for "
71 "EAPOL-Key destination address");
72 } else {
73 dest = sm->bssid;
74 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
75 "WPA: Use BSSID (" MACSTR
76 ") as the destination for EAPOL-Key",
77 MAC2STR(dest));
78 }
79 }
80
81 if (mic_len) {
82 if (key_mic && (!ptk || !ptk->kck_len))
83 goto out;
84
85 if (key_mic &&
86 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
87 msg, msg_len, key_mic)) {
88 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
89 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
90 ver, sm->key_mgmt);
91 goto out;
92 }
93 if (ptk)
94 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
95 ptk->kck, ptk->kck_len);
96 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
97 key_mic, mic_len);
98 } else {
99 #ifdef CONFIG_FILS
100 /* AEAD cipher - Key MIC field not used */
101 struct ieee802_1x_hdr *s_hdr, *hdr;
102 struct wpa_eapol_key *s_key, *key;
103 u8 *buf, *s_key_data, *key_data;
104 size_t buf_len = msg_len + AES_BLOCK_SIZE;
105 size_t key_data_len;
106 u16 eapol_len;
107 const u8 *aad[1];
108 size_t aad_len[1];
109
110 if (!ptk || !ptk->kek_len)
111 goto out;
112
113 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
114 sizeof(struct wpa_eapol_key) - 2;
115
116 buf = os_malloc(buf_len);
117 if (!buf)
118 goto out;
119
120 os_memcpy(buf, msg, msg_len);
121 hdr = (struct ieee802_1x_hdr *) buf;
122 key = (struct wpa_eapol_key *) (hdr + 1);
123 key_data = ((u8 *) (key + 1)) + 2;
124
125 /* Update EAPOL header to include AES-SIV overhead */
126 eapol_len = be_to_host16(hdr->length);
127 eapol_len += AES_BLOCK_SIZE;
128 hdr->length = host_to_be16(eapol_len);
129
130 /* Update Key Data Length field to include AES-SIV overhead */
131 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
132
133 s_hdr = (struct ieee802_1x_hdr *) msg;
134 s_key = (struct wpa_eapol_key *) (s_hdr + 1);
135 s_key_data = ((u8 *) (s_key + 1)) + 2;
136
137 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
138 s_key_data, key_data_len);
139
140 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
141 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
142 * to Key Data (exclusive). */
143 aad[0] = buf;
144 aad_len[0] = key_data - buf;
145 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
146 s_key_data, key_data_len,
147 1, aad, aad_len, key_data) < 0) {
148 os_free(buf);
149 goto out;
150 }
151
152 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
153 key_data, AES_BLOCK_SIZE + key_data_len);
154
155 os_free(msg);
156 msg = buf;
157 msg_len = buf_len;
158 #else /* CONFIG_FILS */
159 goto out;
160 #endif /* CONFIG_FILS */
161 }
162
163 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
164 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
165 eapol_sm_notify_tx_eapol_key(sm->eapol);
166 out:
167 os_free(msg);
168 return ret;
169 }
170
171
172 /**
173 * wpa_sm_key_request - Send EAPOL-Key Request
174 * @sm: Pointer to WPA state machine data from wpa_sm_init()
175 * @error: Indicate whether this is an Michael MIC error report
176 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
177 *
178 * Send an EAPOL-Key Request to the current authenticator. This function is
179 * used to request rekeying and it is usually called when a local Michael MIC
180 * failure is detected.
181 */
wpa_sm_key_request(struct wpa_sm * sm,int error,int pairwise)182 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
183 {
184 size_t mic_len, hdrlen, rlen;
185 struct wpa_eapol_key *reply;
186 int key_info, ver;
187 u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic;
188
189 if (pairwise && sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
190 wpa_sm_get_state(sm) == WPA_COMPLETED) {
191 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
192 "WPA: PTK0 rekey not allowed, reconnecting");
193 wpa_sm_reconnect(sm);
194 return;
195 }
196
197 if (wpa_use_akm_defined(sm->key_mgmt))
198 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
199 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
200 wpa_key_mgmt_sha256(sm->key_mgmt))
201 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
202 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
203 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
204 else
205 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
206
207 if (wpa_sm_get_bssid(sm, bssid) < 0) {
208 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
209 "Failed to read BSSID for EAPOL-Key request");
210 return;
211 }
212
213 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
214 hdrlen = sizeof(*reply) + mic_len + 2;
215 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
216 hdrlen, &rlen, (void *) &reply);
217 if (rbuf == NULL)
218 return;
219
220 reply->type = (sm->proto == WPA_PROTO_RSN ||
221 sm->proto == WPA_PROTO_OSEN) ?
222 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
223 key_info = WPA_KEY_INFO_REQUEST | ver;
224 if (sm->ptk_set)
225 key_info |= WPA_KEY_INFO_SECURE;
226 if (sm->ptk_set && mic_len)
227 key_info |= WPA_KEY_INFO_MIC;
228 if (error)
229 key_info |= WPA_KEY_INFO_ERROR;
230 if (pairwise)
231 key_info |= WPA_KEY_INFO_KEY_TYPE;
232 WPA_PUT_BE16(reply->key_info, key_info);
233 WPA_PUT_BE16(reply->key_length, 0);
234 os_memcpy(reply->replay_counter, sm->request_counter,
235 WPA_REPLAY_COUNTER_LEN);
236 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
237
238 mic = (u8 *) (reply + 1);
239 WPA_PUT_BE16(mic + mic_len, 0);
240 if (!(key_info & WPA_KEY_INFO_MIC))
241 key_mic = NULL;
242 else
243 key_mic = mic;
244
245 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
246 "WPA: Sending EAPOL-Key Request (error=%d "
247 "pairwise=%d ptk_set=%d len=%lu)",
248 error, pairwise, sm->ptk_set, (unsigned long) rlen);
249 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen,
250 key_mic);
251 }
252
253
wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm * sm)254 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
255 {
256 #ifdef CONFIG_IEEE80211R
257 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
258 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
259 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
260 "RSN: Cannot set low order 256 bits of MSK for key management offload");
261 } else {
262 #endif /* CONFIG_IEEE80211R */
263 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
264 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
265 "RSN: Cannot set PMK for key management offload");
266 #ifdef CONFIG_IEEE80211R
267 }
268 #endif /* CONFIG_IEEE80211R */
269 }
270
271
wpa_supplicant_get_pmk(struct wpa_sm * sm,const unsigned char * src_addr,const u8 * pmkid)272 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
273 const unsigned char *src_addr,
274 const u8 *pmkid)
275 {
276 int abort_cached = 0;
277
278 if (pmkid && !sm->cur_pmksa) {
279 /* When using drivers that generate RSN IE, wpa_supplicant may
280 * not have enough time to get the association information
281 * event before receiving this 1/4 message, so try to find a
282 * matching PMKSA cache entry here. */
283 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid,
284 NULL, 0);
285 if (sm->cur_pmksa) {
286 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
287 "RSN: found matching PMKID from PMKSA cache");
288 } else {
289 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
290 "RSN: no matching PMKID found");
291 abort_cached = 1;
292 }
293 }
294
295 if (pmkid && sm->cur_pmksa &&
296 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
297 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
298 wpa_sm_set_pmk_from_pmksa(sm);
299 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
300 sm->pmk, sm->pmk_len);
301 eapol_sm_notify_cached(sm->eapol);
302 #ifdef CONFIG_IEEE80211R
303 sm->xxkey_len = 0;
304 #ifdef CONFIG_SAE
305 if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE &&
306 sm->pmk_len == PMK_LEN) {
307 /* Need to allow FT key derivation to proceed with
308 * PMK from SAE being used as the XXKey in cases where
309 * the PMKID in msg 1/4 matches the PMKSA entry that was
310 * just added based on SAE authentication for the
311 * initial mobility domain association. */
312 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
313 sm->xxkey_len = sm->pmk_len;
314 }
315 #endif /* CONFIG_SAE */
316 #endif /* CONFIG_IEEE80211R */
317 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
318 int res, pmk_len;
319 #ifdef CONFIG_IEEE80211R
320 u8 buf[2 * PMK_LEN];
321 #endif /* CONFIG_IEEE80211R */
322
323 if (wpa_key_mgmt_sha384(sm->key_mgmt))
324 pmk_len = PMK_LEN_SUITE_B_192;
325 else
326 pmk_len = PMK_LEN;
327 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
328 if (res) {
329 if (pmk_len == PMK_LEN) {
330 /*
331 * EAP-LEAP is an exception from other EAP
332 * methods: it uses only 16-byte PMK.
333 */
334 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
335 pmk_len = 16;
336 }
337 }
338 #ifdef CONFIG_IEEE80211R
339 if (res == 0 &&
340 eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) {
341 if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
342 os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN);
343 sm->xxkey_len = SHA384_MAC_LEN;
344 } else {
345 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
346 sm->xxkey_len = PMK_LEN;
347 }
348 forced_memzero(buf, sizeof(buf));
349 if (sm->proto == WPA_PROTO_RSN &&
350 wpa_key_mgmt_ft(sm->key_mgmt)) {
351 struct rsn_pmksa_cache_entry *sa = NULL;
352 const u8 *fils_cache_id = NULL;
353
354 #ifdef CONFIG_FILS
355 if (sm->fils_cache_id_set)
356 fils_cache_id = sm->fils_cache_id;
357 #endif /* CONFIG_FILS */
358 wpa_hexdump_key(MSG_DEBUG,
359 "FT: Cache XXKey/MPMK",
360 sm->xxkey, sm->xxkey_len);
361 sa = pmksa_cache_add(sm->pmksa,
362 sm->xxkey, sm->xxkey_len,
363 NULL, NULL, 0,
364 src_addr, sm->own_addr,
365 sm->network_ctx,
366 sm->key_mgmt,
367 fils_cache_id);
368 if (!sm->cur_pmksa)
369 sm->cur_pmksa = sa;
370 }
371 }
372 #endif /* CONFIG_IEEE80211R */
373 if (res == 0) {
374 struct rsn_pmksa_cache_entry *sa = NULL;
375 const u8 *fils_cache_id = NULL;
376
377 #ifdef CONFIG_FILS
378 if (sm->fils_cache_id_set)
379 fils_cache_id = sm->fils_cache_id;
380 #endif /* CONFIG_FILS */
381
382 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
383 "machines", sm->pmk, pmk_len);
384 sm->pmk_len = pmk_len;
385 wpa_supplicant_key_mgmt_set_pmk(sm);
386 if (sm->proto == WPA_PROTO_RSN &&
387 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
388 !wpa_key_mgmt_ft(sm->key_mgmt)) {
389 sa = pmksa_cache_add(sm->pmksa,
390 sm->pmk, pmk_len, NULL,
391 NULL, 0,
392 src_addr, sm->own_addr,
393 sm->network_ctx,
394 sm->key_mgmt,
395 fils_cache_id);
396 }
397 if (!sm->cur_pmksa && pmkid &&
398 pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL,
399 0)) {
400 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
401 "RSN: the new PMK matches with the "
402 "PMKID");
403 abort_cached = 0;
404 } else if (sa && !sm->cur_pmksa && pmkid) {
405 /*
406 * It looks like the authentication server
407 * derived mismatching MSK. This should not
408 * really happen, but bugs happen.. There is not
409 * much we can do here without knowing what
410 * exactly caused the server to misbehave.
411 */
412 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
413 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
414 return -1;
415 }
416
417 if (!sm->cur_pmksa)
418 sm->cur_pmksa = sa;
419 #ifdef CONFIG_IEEE80211R
420 } else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) {
421 wpa_printf(MSG_DEBUG,
422 "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol");
423 #endif /* CONFIG_IEEE80211R */
424 } else {
425 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
426 "WPA: Failed to get master session key from "
427 "EAPOL state machines - key handshake "
428 "aborted");
429 if (sm->cur_pmksa) {
430 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
431 "RSN: Cancelled PMKSA caching "
432 "attempt");
433 sm->cur_pmksa = NULL;
434 abort_cached = 1;
435 } else if (!abort_cached) {
436 return -1;
437 }
438 }
439 }
440
441 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
442 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
443 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
444 {
445 /* Send EAPOL-Start to trigger full EAP authentication. */
446 u8 *buf;
447 size_t buflen;
448
449 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
450 "RSN: no PMKSA entry found - trigger "
451 "full EAP authentication");
452 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
453 NULL, 0, &buflen, NULL);
454 if (buf) {
455 /* Set and reset eapFail to allow EAP state machine to
456 * proceed with new authentication. */
457 eapol_sm_notify_eap_fail(sm->eapol, true);
458 eapol_sm_notify_eap_fail(sm->eapol, false);
459 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
460 buf, buflen);
461 os_free(buf);
462 return -2;
463 }
464
465 return -1;
466 }
467
468 return 0;
469 }
470
471
472 /**
473 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
474 * @sm: Pointer to WPA state machine data from wpa_sm_init()
475 * @dst: Destination address for the frame
476 * @key: Pointer to the EAPOL-Key frame header
477 * @ver: Version bits from EAPOL-Key Key Info
478 * @nonce: Nonce value for the EAPOL-Key frame
479 * @wpa_ie: WPA/RSN IE
480 * @wpa_ie_len: Length of the WPA/RSN IE
481 * @ptk: PTK to use for keyed hash and encryption
482 * Returns: >= 0 on success, < 0 on failure
483 */
wpa_supplicant_send_2_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,int ver,const u8 * nonce,const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ptk * ptk)484 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
485 const struct wpa_eapol_key *key,
486 int ver, const u8 *nonce,
487 const u8 *wpa_ie, size_t wpa_ie_len,
488 struct wpa_ptk *ptk)
489 {
490 size_t mic_len, hdrlen, rlen;
491 struct wpa_eapol_key *reply;
492 u8 *rbuf, *key_mic;
493 u8 *rsn_ie_buf = NULL;
494 u16 key_info;
495
496 if (wpa_ie == NULL) {
497 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
498 "cannot generate msg 2/4");
499 return -1;
500 }
501
502 #ifdef CONFIG_IEEE80211R
503 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
504 int res;
505
506 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE before FT processing",
507 wpa_ie, wpa_ie_len);
508 /*
509 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
510 * FTIE from (Re)Association Response.
511 */
512 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
513 sm->assoc_resp_ies_len);
514 if (rsn_ie_buf == NULL)
515 return -1;
516 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
517 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
518 sm->pmk_r1_name);
519 if (res < 0) {
520 os_free(rsn_ie_buf);
521 return -1;
522 }
523 wpa_hexdump(MSG_DEBUG,
524 "WPA: WPA IE after PMKID[PMKR1Name] addition into RSNE",
525 rsn_ie_buf, wpa_ie_len);
526
527 if (sm->assoc_resp_ies) {
528 wpa_hexdump(MSG_DEBUG, "WPA: Add assoc_resp_ies",
529 sm->assoc_resp_ies,
530 sm->assoc_resp_ies_len);
531 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
532 sm->assoc_resp_ies_len);
533 wpa_ie_len += sm->assoc_resp_ies_len;
534 }
535
536 wpa_ie = rsn_ie_buf;
537 }
538 #endif /* CONFIG_IEEE80211R */
539
540 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
541
542 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
543 hdrlen = sizeof(*reply) + mic_len + 2;
544 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
545 NULL, hdrlen + wpa_ie_len,
546 &rlen, (void *) &reply);
547 if (rbuf == NULL) {
548 os_free(rsn_ie_buf);
549 return -1;
550 }
551
552 reply->type = (sm->proto == WPA_PROTO_RSN ||
553 sm->proto == WPA_PROTO_OSEN) ?
554 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
555 key_info = ver | WPA_KEY_INFO_KEY_TYPE;
556 if (mic_len)
557 key_info |= WPA_KEY_INFO_MIC;
558 else
559 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
560 WPA_PUT_BE16(reply->key_info, key_info);
561 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
562 WPA_PUT_BE16(reply->key_length, 0);
563 else
564 os_memcpy(reply->key_length, key->key_length, 2);
565 os_memcpy(reply->replay_counter, key->replay_counter,
566 WPA_REPLAY_COUNTER_LEN);
567 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
568 WPA_REPLAY_COUNTER_LEN);
569
570 key_mic = (u8 *) (reply + 1);
571 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */
572 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
573 os_free(rsn_ie_buf);
574
575 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
576
577 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Sending EAPOL-Key 2/4");
578 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
579 key_mic);
580 }
581
582
wpa_derive_ptk(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,struct wpa_ptk * ptk)583 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
584 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
585 {
586 const u8 *z = NULL;
587 size_t z_len = 0, kdk_len;
588 int akmp;
589
590 #ifdef CONFIG_IEEE80211R
591 if (wpa_key_mgmt_ft(sm->key_mgmt))
592 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
593 #endif /* CONFIG_IEEE80211R */
594
595 #ifdef CONFIG_DPP2
596 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
597 z = wpabuf_head(sm->dpp_z);
598 z_len = wpabuf_len(sm->dpp_z);
599 }
600 #endif /* CONFIG_DPP2 */
601
602 akmp = sm->key_mgmt;
603 #ifdef CONFIG_OWE
604 if (sm->owe_ptk_workaround && akmp == WPA_KEY_MGMT_OWE &&
605 sm->pmk_len > 32) {
606 wpa_printf(MSG_DEBUG,
607 "OWE: Force SHA256 for PTK derivation");
608 akmp |= WPA_KEY_MGMT_PSK_SHA256;
609 }
610 #endif /* CONFIG_OWE */
611
612 if (sm->force_kdk_derivation ||
613 (sm->secure_ltf &&
614 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
615 kdk_len = WPA_KDK_MAX_LEN;
616 else
617 kdk_len = 0;
618
619 return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
620 sm->own_addr, sm->bssid, sm->snonce,
621 key->key_nonce, ptk, akmp,
622 sm->pairwise_cipher, z, z_len,
623 kdk_len);
624 }
625
626
wpa_handle_ext_key_id(struct wpa_sm * sm,struct wpa_eapol_ie_parse * kde)627 static int wpa_handle_ext_key_id(struct wpa_sm *sm,
628 struct wpa_eapol_ie_parse *kde)
629 {
630 if (sm->ext_key_id) {
631 u16 key_id;
632
633 if (!kde->key_id) {
634 wpa_msg(sm->ctx->msg_ctx,
635 sm->use_ext_key_id ? MSG_INFO : MSG_DEBUG,
636 "RSN: No Key ID in Extended Key ID handshake");
637 sm->keyidx_active = 0;
638 return sm->use_ext_key_id ? -1 : 0;
639 }
640
641 key_id = kde->key_id[0] & 0x03;
642 if (key_id > 1) {
643 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
644 "RSN: Invalid Extended Key ID: %d", key_id);
645 return -1;
646 }
647 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
648 "RSN: Using Extended Key ID %d", key_id);
649 sm->keyidx_active = key_id;
650 sm->use_ext_key_id = 1;
651 } else {
652 if (kde->key_id && (kde->key_id[0] & 0x03)) {
653 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
654 "RSN: Non-zero Extended Key ID Key ID in PTK0 handshake");
655 return -1;
656 }
657
658 if (kde->key_id) {
659 /* This is not supposed to be included here, but ignore
660 * the case of matching Key ID 0 just in case. */
661 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
662 "RSN: Extended Key ID Key ID 0 in PTK0 handshake");
663 }
664 sm->keyidx_active = 0;
665 sm->use_ext_key_id = 0;
666 }
667
668 return 0;
669 }
670
671
wpa_supplicant_process_1_of_4(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)672 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
673 const unsigned char *src_addr,
674 const struct wpa_eapol_key *key,
675 u16 ver, const u8 *key_data,
676 size_t key_data_len)
677 {
678 struct wpa_eapol_ie_parse ie;
679 struct wpa_ptk *ptk;
680 int res;
681 u8 *kde, *kde_buf = NULL;
682 size_t kde_len;
683
684 if (wpa_sm_get_network_ctx(sm) == NULL) {
685 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
686 "found (msg 1 of 4)");
687 return;
688 }
689
690 if (sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
691 wpa_sm_get_state(sm) == WPA_COMPLETED) {
692 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
693 "WPA: PTK0 rekey not allowed, reconnecting");
694 wpa_sm_reconnect(sm);
695 return;
696 }
697
698 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
699 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: RX message 1 of 4-Way "
700 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
701
702 os_memset(&ie, 0, sizeof(ie));
703
704 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
705 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
706 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
707 key_data, key_data_len);
708 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
709 goto failed;
710 if (ie.pmkid) {
711 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
712 "Authenticator", ie.pmkid, PMKID_LEN);
713 }
714 }
715
716 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
717 if (res == -2) {
718 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
719 "msg 1/4 - requesting full EAP authentication");
720 return;
721 }
722 if (res)
723 goto failed;
724
725 if (sm->renew_snonce) {
726 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
727 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
728 "WPA: Failed to get random data for SNonce");
729 goto failed;
730 }
731 sm->renew_snonce = 0;
732 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
733 sm->snonce, WPA_NONCE_LEN);
734 }
735
736 /* Calculate PTK which will be stored as a temporary PTK until it has
737 * been verified when processing message 3/4. */
738 ptk = &sm->tptk;
739 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
740 goto failed;
741 if (sm->pairwise_cipher == WPA_CIPHER_TKIP) {
742 u8 buf[8];
743 /* Supplicant: swap tx/rx Mic keys */
744 os_memcpy(buf, &ptk->tk[16], 8);
745 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
746 os_memcpy(&ptk->tk[24], buf, 8);
747 forced_memzero(buf, sizeof(buf));
748 }
749 sm->tptk_set = 1;
750
751 kde = sm->assoc_wpa_ie;
752 kde_len = sm->assoc_wpa_ie_len;
753 kde_buf = os_malloc(kde_len +
754 2 + RSN_SELECTOR_LEN + 3 +
755 sm->assoc_rsnxe_len +
756 2 + RSN_SELECTOR_LEN + 1 +
757 2 + RSN_SELECTOR_LEN + 2);
758 if (!kde_buf)
759 goto failed;
760 os_memcpy(kde_buf, kde, kde_len);
761 kde = kde_buf;
762
763 #ifdef CONFIG_OCV
764 if (wpa_sm_ocv_enabled(sm)) {
765 struct wpa_channel_info ci;
766 u8 *pos;
767
768 pos = kde + kde_len;
769 if (wpa_sm_channel_info(sm, &ci) != 0) {
770 wpa_printf(MSG_WARNING,
771 "Failed to get channel info for OCI element in EAPOL-Key 2/4");
772 goto failed;
773 }
774 #ifdef CONFIG_TESTING_OPTIONS
775 if (sm->oci_freq_override_eapol) {
776 wpa_printf(MSG_INFO,
777 "TEST: Override OCI KDE frequency %d -> %d MHz",
778 ci.frequency, sm->oci_freq_override_eapol);
779 ci.frequency = sm->oci_freq_override_eapol;
780 }
781 #endif /* CONFIG_TESTING_OPTIONS */
782
783 if (ocv_insert_oci_kde(&ci, &pos) < 0)
784 goto failed;
785 kde_len = pos - kde;
786 }
787 #endif /* CONFIG_OCV */
788
789 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) {
790 os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len);
791 kde_len += sm->assoc_rsnxe_len;
792 }
793
794 #ifdef CONFIG_P2P
795 if (sm->p2p) {
796 u8 *pos;
797
798 wpa_printf(MSG_DEBUG,
799 "P2P: Add IP Address Request KDE into EAPOL-Key 2/4");
800 pos = kde + kde_len;
801 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
802 *pos++ = RSN_SELECTOR_LEN + 1;
803 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
804 pos += RSN_SELECTOR_LEN;
805 *pos++ = 0x01;
806 kde_len = pos - kde;
807 }
808 #endif /* CONFIG_P2P */
809
810 #ifdef CONFIG_DPP2
811 if (DPP_VERSION > 1 && sm->key_mgmt == WPA_KEY_MGMT_DPP) {
812 u8 *pos;
813
814 wpa_printf(MSG_DEBUG, "DPP: Add DPP KDE into EAPOL-Key 2/4");
815 pos = kde + kde_len;
816 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
817 *pos++ = RSN_SELECTOR_LEN + 2;
818 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_DPP);
819 pos += RSN_SELECTOR_LEN;
820 *pos++ = DPP_VERSION; /* Protocol Version */
821 *pos = 0; /* Flags */
822 if (sm->dpp_pfs == 0)
823 *pos |= DPP_KDE_PFS_ALLOWED;
824 else if (sm->dpp_pfs == 1)
825 *pos |= DPP_KDE_PFS_ALLOWED | DPP_KDE_PFS_REQUIRED;
826 pos++;
827 kde_len = pos - kde;
828 }
829 #endif /* CONFIG_DPP2 */
830
831 if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce,
832 kde, kde_len, ptk) < 0)
833 goto failed;
834
835 os_free(kde_buf);
836 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
837 return;
838
839 failed:
840 os_free(kde_buf);
841 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
842 }
843
844
wpa_sm_start_preauth(void * eloop_ctx,void * timeout_ctx)845 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
846 {
847 struct wpa_sm *sm = eloop_ctx;
848 rsn_preauth_candidate_process(sm);
849 }
850
851
wpa_supplicant_key_neg_complete(struct wpa_sm * sm,const u8 * addr,int secure)852 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
853 const u8 *addr, int secure)
854 {
855 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
856 "WPA: Key negotiation completed with "
857 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
858 wpa_cipher_txt(sm->pairwise_cipher),
859 wpa_cipher_txt(sm->group_cipher));
860 wpa_sm_cancel_auth_timeout(sm);
861 wpa_sm_set_state(sm, WPA_COMPLETED);
862
863 if (secure) {
864 wpa_sm_mlme_setprotection(
865 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
866 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
867 eapol_sm_notify_portValid(sm->eapol, true);
868 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
869 sm->key_mgmt == WPA_KEY_MGMT_DPP ||
870 sm->key_mgmt == WPA_KEY_MGMT_OWE)
871 eapol_sm_notify_eap_success(sm->eapol, true);
872 /*
873 * Start preauthentication after a short wait to avoid a
874 * possible race condition between the data receive and key
875 * configuration after the 4-Way Handshake. This increases the
876 * likelihood of the first preauth EAPOL-Start frame getting to
877 * the target AP.
878 */
879 if (!dl_list_empty(&sm->pmksa_candidates))
880 eloop_register_timeout(1, 0, wpa_sm_start_preauth,
881 sm, NULL);
882 }
883
884 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
885 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
886 "RSN: Authenticator accepted "
887 "opportunistic PMKSA entry - marking it valid");
888 sm->cur_pmksa->opportunistic = 0;
889 }
890
891 #ifdef CONFIG_IEEE80211R
892 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
893 /* Prepare for the next transition */
894 wpa_ft_prepare_auth_request(sm, NULL);
895 }
896 #endif /* CONFIG_IEEE80211R */
897 }
898
899
wpa_sm_rekey_ptk(void * eloop_ctx,void * timeout_ctx)900 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
901 {
902 struct wpa_sm *sm = eloop_ctx;
903 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
904 wpa_sm_key_request(sm, 0, 1);
905 }
906
907
wpa_supplicant_install_ptk(struct wpa_sm * sm,const struct wpa_eapol_key * key,enum key_flag key_flag)908 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
909 const struct wpa_eapol_key *key,
910 enum key_flag key_flag)
911 {
912 int keylen, rsclen;
913 enum wpa_alg alg;
914 const u8 *key_rsc;
915
916 if (sm->ptk.installed) {
917 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
918 "WPA: Do not re-install same PTK to the driver");
919 return 0;
920 }
921
922 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
923 "WPA: Installing PTK to the driver");
924
925 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
926 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
927 "Suite: NONE - do not use pairwise keys");
928 return 0;
929 }
930
931 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
932 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
933 "WPA: Unsupported pairwise cipher %d",
934 sm->pairwise_cipher);
935 return -1;
936 }
937
938 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
939 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
940 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
941 wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",
942 keylen, (long unsigned int) sm->ptk.tk_len);
943 return -1;
944 }
945 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
946
947 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
948 key_rsc = null_rsc;
949 } else {
950 key_rsc = key->key_rsc;
951 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
952 }
953
954 if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, 1, key_rsc,
955 rsclen, sm->ptk.tk, keylen,
956 KEY_FLAG_PAIRWISE | key_flag) < 0) {
957 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
958 "WPA: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
959 MACSTR " idx=%d key_flag=0x%x)",
960 alg, keylen, MAC2STR(sm->bssid),
961 sm->keyidx_active, key_flag);
962 return -1;
963 }
964
965 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
966 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
967
968 /* TK is not needed anymore in supplicant */
969 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
970 sm->ptk.tk_len = 0;
971 sm->ptk.installed = 1;
972
973 if (sm->wpa_ptk_rekey) {
974 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
975 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
976 sm, NULL);
977 }
978 return 0;
979 }
980
981
wpa_supplicant_activate_ptk(struct wpa_sm * sm)982 static int wpa_supplicant_activate_ptk(struct wpa_sm *sm)
983 {
984 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
985 "WPA: Activate PTK (idx=%d bssid=" MACSTR ")",
986 sm->keyidx_active, MAC2STR(sm->bssid));
987
988 if (wpa_sm_set_key(sm, 0, sm->bssid, sm->keyidx_active, 0, NULL, 0,
989 NULL, 0, KEY_FLAG_PAIRWISE_RX_TX_MODIFY) < 0) {
990 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
991 "WPA: Failed to activate PTK for TX (idx=%d bssid="
992 MACSTR ")", sm->keyidx_active, MAC2STR(sm->bssid));
993 return -1;
994 }
995 return 0;
996 }
997
998
wpa_supplicant_check_group_cipher(struct wpa_sm * sm,int group_cipher,int keylen,int maxkeylen,int * key_rsc_len,enum wpa_alg * alg)999 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
1000 int group_cipher,
1001 int keylen, int maxkeylen,
1002 int *key_rsc_len,
1003 enum wpa_alg *alg)
1004 {
1005 int klen;
1006
1007 *alg = wpa_cipher_to_alg(group_cipher);
1008 if (*alg == WPA_ALG_NONE) {
1009 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1010 "WPA: Unsupported Group Cipher %d",
1011 group_cipher);
1012 return -1;
1013 }
1014 *key_rsc_len = wpa_cipher_rsc_len(group_cipher);
1015
1016 klen = wpa_cipher_key_len(group_cipher);
1017 if (keylen != klen || maxkeylen < klen) {
1018 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1019 "WPA: Unsupported %s Group Cipher key length %d (%d)",
1020 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
1021 return -1;
1022 }
1023 return 0;
1024 }
1025
1026
1027 struct wpa_gtk_data {
1028 enum wpa_alg alg;
1029 int tx, key_rsc_len, keyidx;
1030 u8 gtk[32];
1031 int gtk_len;
1032 };
1033
1034
wpa_supplicant_install_gtk(struct wpa_sm * sm,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1035 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
1036 const struct wpa_gtk_data *gd,
1037 const u8 *key_rsc, int wnm_sleep)
1038 {
1039 const u8 *_gtk = gd->gtk;
1040 u8 gtk_buf[32];
1041
1042 /* Detect possible key reinstallation */
1043 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
1044 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
1045 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
1046 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
1047 sm->gtk_wnm_sleep.gtk_len) == 0)) {
1048 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1049 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
1050 gd->keyidx, gd->tx, gd->gtk_len);
1051 return 0;
1052 }
1053
1054 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
1055 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1056 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
1057 gd->keyidx, gd->tx, gd->gtk_len);
1058 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
1059 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1060 /* Swap Tx/Rx keys for Michael MIC */
1061 os_memcpy(gtk_buf, gd->gtk, 16);
1062 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1063 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1064 _gtk = gtk_buf;
1065 }
1066 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1067 if (wpa_sm_set_key(sm, gd->alg, NULL,
1068 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
1069 _gtk, gd->gtk_len,
1070 KEY_FLAG_GROUP_RX_TX_DEFAULT) < 0) {
1071 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1072 "WPA: Failed to set GTK to the driver "
1073 "(Group only)");
1074 forced_memzero(gtk_buf, sizeof(gtk_buf));
1075 return -1;
1076 }
1077 } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr,
1078 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
1079 _gtk, gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1080 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1081 "WPA: Failed to set GTK to "
1082 "the driver (alg=%d keylen=%d keyidx=%d)",
1083 gd->alg, gd->gtk_len, gd->keyidx);
1084 forced_memzero(gtk_buf, sizeof(gtk_buf));
1085 return -1;
1086 }
1087 forced_memzero(gtk_buf, sizeof(gtk_buf));
1088
1089 if (wnm_sleep) {
1090 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
1091 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
1092 sm->gtk_wnm_sleep.gtk_len);
1093 } else {
1094 sm->gtk.gtk_len = gd->gtk_len;
1095 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
1096 }
1097
1098 return 0;
1099 }
1100
1101
wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm * sm,int tx)1102 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
1103 int tx)
1104 {
1105 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
1106 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
1107 * seemed to set this bit (incorrectly, since Tx is only when
1108 * doing Group Key only APs) and without this workaround, the
1109 * data connection does not work because wpa_supplicant
1110 * configured non-zero keyidx to be used for unicast. */
1111 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1112 "WPA: Tx bit set for GTK, but pairwise "
1113 "keys are used - ignore Tx bit");
1114 return 0;
1115 }
1116 return tx;
1117 }
1118
1119
wpa_supplicant_rsc_relaxation(const struct wpa_sm * sm,const u8 * rsc)1120 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
1121 const u8 *rsc)
1122 {
1123 int rsclen;
1124
1125 if (!sm->wpa_rsc_relaxation)
1126 return 0;
1127
1128 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
1129
1130 /*
1131 * Try to detect RSC (endian) corruption issue where the AP sends
1132 * the RSC bytes in EAPOL-Key message in the wrong order, both if
1133 * it's actually a 6-byte field (as it should be) and if it treats
1134 * it as an 8-byte field.
1135 * An AP model known to have this bug is the Sapido RB-1632.
1136 */
1137 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
1138 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1139 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
1140 rsc[0], rsc[1], rsc[2], rsc[3],
1141 rsc[4], rsc[5], rsc[6], rsc[7]);
1142
1143 return 1;
1144 }
1145
1146 return 0;
1147 }
1148
1149
wpa_supplicant_pairwise_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * gtk,size_t gtk_len,int key_info)1150 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
1151 const struct wpa_eapol_key *key,
1152 const u8 *gtk, size_t gtk_len,
1153 int key_info)
1154 {
1155 struct wpa_gtk_data gd;
1156 const u8 *key_rsc;
1157
1158 /*
1159 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
1160 * GTK KDE format:
1161 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
1162 * Reserved [bits 0-7]
1163 * GTK
1164 */
1165
1166 os_memset(&gd, 0, sizeof(gd));
1167 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
1168 gtk, gtk_len);
1169
1170 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
1171 return -1;
1172
1173 gd.keyidx = gtk[0] & 0x3;
1174 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1175 !!(gtk[0] & BIT(2)));
1176 gtk += 2;
1177 gtk_len -= 2;
1178
1179 os_memcpy(gd.gtk, gtk, gtk_len);
1180 gd.gtk_len = gtk_len;
1181
1182 key_rsc = key->key_rsc;
1183 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1184 key_rsc = null_rsc;
1185
1186 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1187 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1188 gtk_len, gtk_len,
1189 &gd.key_rsc_len, &gd.alg) ||
1190 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
1191 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1192 "RSN: Failed to install GTK");
1193 forced_memzero(&gd, sizeof(gd));
1194 return -1;
1195 }
1196 forced_memzero(&gd, sizeof(gd));
1197
1198 return 0;
1199 }
1200
1201
wpa_supplicant_install_igtk(struct wpa_sm * sm,const struct wpa_igtk_kde * igtk,int wnm_sleep)1202 static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
1203 const struct wpa_igtk_kde *igtk,
1204 int wnm_sleep)
1205 {
1206 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1207 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1208
1209 /* Detect possible key reinstallation */
1210 if ((sm->igtk.igtk_len == len &&
1211 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
1212 (sm->igtk_wnm_sleep.igtk_len == len &&
1213 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1214 sm->igtk_wnm_sleep.igtk_len) == 0)) {
1215 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1216 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1217 keyidx);
1218 return 0;
1219 }
1220
1221 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1222 "WPA: IGTK keyid %d pn " COMPACT_MACSTR,
1223 keyidx, MAC2STR(igtk->pn));
1224 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
1225 if (keyidx > 4095) {
1226 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1227 "WPA: Invalid IGTK KeyID %d", keyidx);
1228 return -1;
1229 }
1230 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1231 broadcast_ether_addr,
1232 keyidx, 0, igtk->pn, sizeof(igtk->pn),
1233 igtk->igtk, len, KEY_FLAG_GROUP_RX) < 0) {
1234 if (keyidx == 0x0400 || keyidx == 0x0500) {
1235 /* Assume the AP has broken PMF implementation since it
1236 * seems to have swapped the KeyID bytes. The AP cannot
1237 * be trusted to implement BIP correctly or provide a
1238 * valid IGTK, so do not try to configure this key with
1239 * swapped KeyID bytes. Instead, continue without
1240 * configuring the IGTK so that the driver can drop any
1241 * received group-addressed robust management frames due
1242 * to missing keys.
1243 *
1244 * Normally, this error behavior would result in us
1245 * disconnecting, but there are number of deployed APs
1246 * with this broken behavior, so as an interoperability
1247 * workaround, allow the connection to proceed. */
1248 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1249 "WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order");
1250 } else {
1251 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1252 "WPA: Failed to configure IGTK to the driver");
1253 return -1;
1254 }
1255 }
1256
1257 if (wnm_sleep) {
1258 sm->igtk_wnm_sleep.igtk_len = len;
1259 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1260 sm->igtk_wnm_sleep.igtk_len);
1261 } else {
1262 sm->igtk.igtk_len = len;
1263 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
1264 }
1265
1266 return 0;
1267 }
1268
1269
wpa_supplicant_install_bigtk(struct wpa_sm * sm,const struct wpa_bigtk_kde * bigtk,int wnm_sleep)1270 static int wpa_supplicant_install_bigtk(struct wpa_sm *sm,
1271 const struct wpa_bigtk_kde *bigtk,
1272 int wnm_sleep)
1273 {
1274 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1275 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1276
1277 /* Detect possible key reinstallation */
1278 if ((sm->bigtk.bigtk_len == len &&
1279 os_memcmp(sm->bigtk.bigtk, bigtk->bigtk,
1280 sm->bigtk.bigtk_len) == 0) ||
1281 (sm->bigtk_wnm_sleep.bigtk_len == len &&
1282 os_memcmp(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1283 sm->bigtk_wnm_sleep.bigtk_len) == 0)) {
1284 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1285 "WPA: Not reinstalling already in-use BIGTK to the driver (keyidx=%d)",
1286 keyidx);
1287 return 0;
1288 }
1289
1290 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1291 "WPA: BIGTK keyid %d pn " COMPACT_MACSTR,
1292 keyidx, MAC2STR(bigtk->pn));
1293 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK", bigtk->bigtk, len);
1294 if (keyidx < 6 || keyidx > 7) {
1295 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1296 "WPA: Invalid BIGTK KeyID %d", keyidx);
1297 return -1;
1298 }
1299 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1300 broadcast_ether_addr,
1301 keyidx, 0, bigtk->pn, sizeof(bigtk->pn),
1302 bigtk->bigtk, len, KEY_FLAG_GROUP_RX) < 0) {
1303 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1304 "WPA: Failed to configure BIGTK to the driver");
1305 return -1;
1306 }
1307
1308 if (wnm_sleep) {
1309 sm->bigtk_wnm_sleep.bigtk_len = len;
1310 os_memcpy(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1311 sm->bigtk_wnm_sleep.bigtk_len);
1312 } else {
1313 sm->bigtk.bigtk_len = len;
1314 os_memcpy(sm->bigtk.bigtk, bigtk->bigtk, sm->bigtk.bigtk_len);
1315 }
1316
1317 return 0;
1318 }
1319
1320
ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1321 static int ieee80211w_set_keys(struct wpa_sm *sm,
1322 struct wpa_eapol_ie_parse *ie)
1323 {
1324 size_t len;
1325
1326 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1327 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1328 return 0;
1329
1330 if (ie->igtk) {
1331 const struct wpa_igtk_kde *igtk;
1332
1333 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1334 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
1335 return -1;
1336
1337 igtk = (const struct wpa_igtk_kde *) ie->igtk;
1338 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
1339 return -1;
1340 }
1341
1342 if (ie->bigtk && sm->beacon_prot) {
1343 const struct wpa_bigtk_kde *bigtk;
1344
1345 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1346 if (ie->bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + len)
1347 return -1;
1348
1349 bigtk = (const struct wpa_bigtk_kde *) ie->bigtk;
1350 if (wpa_supplicant_install_bigtk(sm, bigtk, 0) < 0)
1351 return -1;
1352 }
1353
1354 return 0;
1355 }
1356
1357
wpa_report_ie_mismatch(struct wpa_sm * sm,const char * reason,const u8 * src_addr,const u8 * wpa_ie,size_t wpa_ie_len,const u8 * rsn_ie,size_t rsn_ie_len)1358 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
1359 const char *reason, const u8 *src_addr,
1360 const u8 *wpa_ie, size_t wpa_ie_len,
1361 const u8 *rsn_ie, size_t rsn_ie_len)
1362 {
1363 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
1364 reason, MAC2STR(src_addr));
1365
1366 if (sm->ap_wpa_ie) {
1367 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
1368 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
1369 }
1370 if (wpa_ie) {
1371 if (!sm->ap_wpa_ie) {
1372 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1373 "WPA: No WPA IE in Beacon/ProbeResp");
1374 }
1375 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
1376 wpa_ie, wpa_ie_len);
1377 }
1378
1379 if (sm->ap_rsn_ie) {
1380 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1381 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1382 }
1383 if (rsn_ie) {
1384 if (!sm->ap_rsn_ie) {
1385 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1386 "WPA: No RSN IE in Beacon/ProbeResp");
1387 }
1388 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1389 rsn_ie, rsn_ie_len);
1390 }
1391
1392 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
1393 }
1394
1395
1396 #ifdef CONFIG_IEEE80211R
1397
ft_validate_mdie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_mdie)1398 static int ft_validate_mdie(struct wpa_sm *sm,
1399 const unsigned char *src_addr,
1400 struct wpa_eapol_ie_parse *ie,
1401 const u8 *assoc_resp_mdie)
1402 {
1403 struct rsn_mdie *mdie;
1404
1405 mdie = (struct rsn_mdie *) (ie->mdie + 2);
1406 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
1407 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
1408 MOBILITY_DOMAIN_ID_LEN) != 0) {
1409 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
1410 "not match with the current mobility domain");
1411 return -1;
1412 }
1413
1414 if (assoc_resp_mdie &&
1415 (assoc_resp_mdie[1] != ie->mdie[1] ||
1416 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
1417 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
1418 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
1419 ie->mdie, 2 + ie->mdie[1]);
1420 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
1421 assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
1422 return -1;
1423 }
1424
1425 return 0;
1426 }
1427
1428
ft_validate_ftie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_ftie)1429 static int ft_validate_ftie(struct wpa_sm *sm,
1430 const unsigned char *src_addr,
1431 struct wpa_eapol_ie_parse *ie,
1432 const u8 *assoc_resp_ftie)
1433 {
1434 if (ie->ftie == NULL) {
1435 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1436 "FT: No FTIE in EAPOL-Key msg 3/4");
1437 return -1;
1438 }
1439
1440 if (assoc_resp_ftie == NULL)
1441 return 0;
1442
1443 if (assoc_resp_ftie[1] != ie->ftie[1] ||
1444 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
1445 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
1446 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
1447 ie->ftie, 2 + ie->ftie[1]);
1448 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
1449 assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
1450 return -1;
1451 }
1452
1453 return 0;
1454 }
1455
1456
ft_validate_rsnie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1457 static int ft_validate_rsnie(struct wpa_sm *sm,
1458 const unsigned char *src_addr,
1459 struct wpa_eapol_ie_parse *ie)
1460 {
1461 struct wpa_ie_data rsn;
1462
1463 if (!ie->rsn_ie)
1464 return 0;
1465
1466 /*
1467 * Verify that PMKR1Name from EAPOL-Key message 3/4
1468 * matches with the value we derived.
1469 */
1470 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
1471 rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
1472 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
1473 "FT 4-way handshake message 3/4");
1474 return -1;
1475 }
1476
1477 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
1478 {
1479 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1480 "FT: PMKR1Name mismatch in "
1481 "FT 4-way handshake message 3/4");
1482 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
1483 rsn.pmkid, WPA_PMK_NAME_LEN);
1484 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1485 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1486 return -1;
1487 }
1488
1489 return 0;
1490 }
1491
1492
wpa_supplicant_validate_ie_ft(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1493 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
1494 const unsigned char *src_addr,
1495 struct wpa_eapol_ie_parse *ie)
1496 {
1497 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
1498
1499 if (sm->assoc_resp_ies) {
1500 pos = sm->assoc_resp_ies;
1501 end = pos + sm->assoc_resp_ies_len;
1502 while (end - pos > 2) {
1503 if (2 + pos[1] > end - pos)
1504 break;
1505 switch (*pos) {
1506 case WLAN_EID_MOBILITY_DOMAIN:
1507 mdie = pos;
1508 break;
1509 case WLAN_EID_FAST_BSS_TRANSITION:
1510 ftie = pos;
1511 break;
1512 }
1513 pos += 2 + pos[1];
1514 }
1515 }
1516
1517 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
1518 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
1519 ft_validate_rsnie(sm, src_addr, ie) < 0)
1520 return -1;
1521
1522 return 0;
1523 }
1524
1525 #endif /* CONFIG_IEEE80211R */
1526
1527
wpa_supplicant_validate_ie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1528 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
1529 const unsigned char *src_addr,
1530 struct wpa_eapol_ie_parse *ie)
1531 {
1532 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
1533 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1534 "WPA: No WPA/RSN IE for this AP known. "
1535 "Trying to get from scan results");
1536 if (wpa_sm_get_beacon_ie(sm) < 0) {
1537 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1538 "WPA: Could not find AP from "
1539 "the scan results");
1540 return -1;
1541 }
1542 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
1543 "WPA: Found the current AP from updated scan results");
1544 }
1545
1546 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
1547 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
1548 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1549 "with IE in Beacon/ProbeResp (no IE?)",
1550 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1551 ie->rsn_ie, ie->rsn_ie_len);
1552 return -1;
1553 }
1554
1555 if ((ie->wpa_ie && sm->ap_wpa_ie &&
1556 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
1557 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
1558 (ie->rsn_ie && sm->ap_rsn_ie &&
1559 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
1560 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
1561 ie->rsn_ie, ie->rsn_ie_len))) {
1562 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1563 "with IE in Beacon/ProbeResp",
1564 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1565 ie->rsn_ie, ie->rsn_ie_len);
1566 return -1;
1567 }
1568
1569 if (sm->proto == WPA_PROTO_WPA &&
1570 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
1571 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
1572 "detected - RSN was enabled and RSN IE "
1573 "was in msg 3/4, but not in "
1574 "Beacon/ProbeResp",
1575 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1576 ie->rsn_ie, ie->rsn_ie_len);
1577 return -1;
1578 }
1579
1580 if (sm->proto == WPA_PROTO_RSN &&
1581 ((sm->ap_rsnxe && !ie->rsnxe) ||
1582 (!sm->ap_rsnxe && ie->rsnxe) ||
1583 (sm->ap_rsnxe && ie->rsnxe &&
1584 (sm->ap_rsnxe_len != ie->rsnxe_len ||
1585 os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) {
1586 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1587 "WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
1588 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
1589 sm->ap_rsnxe, sm->ap_rsnxe_len);
1590 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
1591 ie->rsnxe, ie->rsnxe_len);
1592 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
1593 return -1;
1594 }
1595
1596 #ifdef CONFIG_IEEE80211R
1597 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
1598 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
1599 return -1;
1600 #endif /* CONFIG_IEEE80211R */
1601
1602 return 0;
1603 }
1604
1605
1606 /**
1607 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
1608 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1609 * @dst: Destination address for the frame
1610 * @key: Pointer to the EAPOL-Key frame header
1611 * @ver: Version bits from EAPOL-Key Key Info
1612 * @key_info: Key Info
1613 * @ptk: PTK to use for keyed hash and encryption
1614 * Returns: >= 0 on success, < 0 on failure
1615 */
wpa_supplicant_send_4_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,u16 ver,u16 key_info,struct wpa_ptk * ptk)1616 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
1617 const struct wpa_eapol_key *key,
1618 u16 ver, u16 key_info,
1619 struct wpa_ptk *ptk)
1620 {
1621 size_t mic_len, hdrlen, rlen;
1622 struct wpa_eapol_key *reply;
1623 u8 *rbuf, *key_mic;
1624
1625 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1626 hdrlen = sizeof(*reply) + mic_len + 2;
1627 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1628 hdrlen, &rlen, (void *) &reply);
1629 if (rbuf == NULL)
1630 return -1;
1631
1632 reply->type = (sm->proto == WPA_PROTO_RSN ||
1633 sm->proto == WPA_PROTO_OSEN) ?
1634 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1635 key_info &= WPA_KEY_INFO_SECURE;
1636 key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
1637 if (mic_len)
1638 key_info |= WPA_KEY_INFO_MIC;
1639 else
1640 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1641 WPA_PUT_BE16(reply->key_info, key_info);
1642 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
1643 WPA_PUT_BE16(reply->key_length, 0);
1644 else
1645 os_memcpy(reply->key_length, key->key_length, 2);
1646 os_memcpy(reply->replay_counter, key->replay_counter,
1647 WPA_REPLAY_COUNTER_LEN);
1648
1649 key_mic = (u8 *) (reply + 1);
1650 WPA_PUT_BE16(key_mic + mic_len, 0);
1651
1652 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Sending EAPOL-Key 4/4");
1653 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
1654 key_mic);
1655 }
1656
1657
wpa_supplicant_process_3_of_4(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)1658 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
1659 const struct wpa_eapol_key *key,
1660 u16 ver, const u8 *key_data,
1661 size_t key_data_len)
1662 {
1663 u16 key_info, keylen;
1664 struct wpa_eapol_ie_parse ie;
1665
1666 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
1667 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: RX message 3 of 4-Way "
1668 "Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver);
1669
1670 key_info = WPA_GET_BE16(key->key_info);
1671
1672 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
1673 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
1674 goto failed;
1675 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1676 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1677 "WPA: GTK IE in unencrypted key data");
1678 goto failed;
1679 }
1680 if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1681 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1682 "WPA: IGTK KDE in unencrypted key data");
1683 goto failed;
1684 }
1685
1686 if (ie.igtk &&
1687 sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1688 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
1689 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
1690 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
1691 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1692 "WPA: Invalid IGTK KDE length %lu",
1693 (unsigned long) ie.igtk_len);
1694 goto failed;
1695 }
1696
1697 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
1698 goto failed;
1699
1700 if (wpa_handle_ext_key_id(sm, &ie))
1701 goto failed;
1702
1703 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
1704 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1705 "WPA: ANonce from message 1 of 4-Way Handshake "
1706 "differs from 3 of 4-Way Handshake - drop packet (src="
1707 MACSTR ")", MAC2STR(sm->bssid));
1708 goto failed;
1709 }
1710
1711 keylen = WPA_GET_BE16(key->key_length);
1712 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
1713 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1714 "WPA: Invalid %s key length %d (src=" MACSTR
1715 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
1716 MAC2STR(sm->bssid));
1717 goto failed;
1718 }
1719
1720 #ifdef CONFIG_P2P
1721 if (ie.ip_addr_alloc) {
1722 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
1723 wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
1724 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
1725 }
1726 #endif /* CONFIG_P2P */
1727
1728 #ifdef CONFIG_OCV
1729 if (wpa_sm_ocv_enabled(sm)) {
1730 struct wpa_channel_info ci;
1731
1732 if (wpa_sm_channel_info(sm, &ci) != 0) {
1733 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1734 "Failed to get channel info to validate received OCI in EAPOL-Key 3/4");
1735 return;
1736 }
1737
1738 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
1739 channel_width_to_int(ci.chanwidth),
1740 ci.seg1_idx) != OCI_SUCCESS) {
1741 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
1742 "addr=" MACSTR " frame=eapol-key-m3 error=%s",
1743 MAC2STR(sm->bssid), ocv_errorstr);
1744 return;
1745 }
1746 }
1747 #endif /* CONFIG_OCV */
1748
1749 #ifdef CONFIG_DPP2
1750 if (DPP_VERSION > 1 && ie.dpp_kde) {
1751 wpa_printf(MSG_DEBUG,
1752 "DPP: peer Protocol Version %u Flags 0x%x",
1753 ie.dpp_kde[0], ie.dpp_kde[1]);
1754 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_pfs != 2 &&
1755 (ie.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && !sm->dpp_z) {
1756 wpa_printf(MSG_INFO,
1757 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
1758 goto failed;
1759 }
1760 }
1761 #endif /* CONFIG_DPP2 */
1762
1763 if (sm->use_ext_key_id &&
1764 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX))
1765 goto failed;
1766
1767 if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info,
1768 &sm->ptk) < 0) {
1769 goto failed;
1770 }
1771
1772 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
1773 * for the next 4-Way Handshake. If msg 3 is received again, the old
1774 * SNonce will still be used to avoid changing PTK. */
1775 sm->renew_snonce = 1;
1776
1777 if (key_info & WPA_KEY_INFO_INSTALL) {
1778 int res;
1779
1780 if (sm->use_ext_key_id)
1781 res = wpa_supplicant_activate_ptk(sm);
1782 else
1783 res = wpa_supplicant_install_ptk(sm, key,
1784 KEY_FLAG_RX_TX);
1785 if (res)
1786 goto failed;
1787 }
1788
1789 if (key_info & WPA_KEY_INFO_SECURE) {
1790 wpa_sm_mlme_setprotection(
1791 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
1792 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1793 eapol_sm_notify_portValid(sm->eapol, true);
1794 }
1795 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1796
1797 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
1798 /* No GTK to be set to the driver */
1799 } else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) {
1800 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1801 "RSN: No GTK KDE included in EAPOL-Key msg 3/4");
1802 goto failed;
1803 } else if (ie.gtk &&
1804 wpa_supplicant_pairwise_gtk(sm, key,
1805 ie.gtk, ie.gtk_len, key_info) < 0) {
1806 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1807 "RSN: Failed to configure GTK");
1808 goto failed;
1809 }
1810
1811 if (ieee80211w_set_keys(sm, &ie) < 0) {
1812 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1813 "RSN: Failed to configure IGTK");
1814 goto failed;
1815 }
1816
1817 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk)
1818 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1819 key_info & WPA_KEY_INFO_SECURE);
1820
1821 if (ie.gtk)
1822 wpa_sm_set_rekey_offload(sm);
1823
1824 /* Add PMKSA cache entry for Suite B AKMs here since PMKID can be
1825 * calculated only after KCK has been derived. Though, do not replace an
1826 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
1827 * to avoid unnecessary changes of PMKID while continuing to use the
1828 * same PMK. */
1829 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
1830 !sm->cur_pmksa) {
1831 struct rsn_pmksa_cache_entry *sa;
1832
1833 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
1834 sm->ptk.kck, sm->ptk.kck_len,
1835 sm->bssid, sm->own_addr,
1836 sm->network_ctx, sm->key_mgmt, NULL);
1837 if (!sm->cur_pmksa)
1838 sm->cur_pmksa = sa;
1839 }
1840
1841 if (ie.transition_disable)
1842 wpa_sm_transition_disable(sm, ie.transition_disable[0]);
1843 sm->msg_3_of_4_ok = 1;
1844 return;
1845
1846 failed:
1847 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1848 }
1849
1850
wpa_supplicant_process_1_of_2_rsn(struct wpa_sm * sm,const u8 * keydata,size_t keydatalen,u16 key_info,struct wpa_gtk_data * gd)1851 static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm,
1852 const u8 *keydata,
1853 size_t keydatalen,
1854 u16 key_info,
1855 struct wpa_gtk_data *gd)
1856 {
1857 int maxkeylen;
1858 struct wpa_eapol_ie_parse ie;
1859 u16 gtk_len;
1860
1861 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
1862 keydata, keydatalen);
1863 if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0)
1864 return -1;
1865 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1866 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1867 "WPA: GTK IE in unencrypted key data");
1868 return -1;
1869 }
1870 if (ie.gtk == NULL) {
1871 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1872 "WPA: No GTK IE in Group Key msg 1/2");
1873 return -1;
1874 }
1875 gtk_len = ie.gtk_len;
1876 if (gtk_len < 2) {
1877 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1878 "RSN: Invalid GTK KDE length (%u) in Group Key msg 1/2",
1879 gtk_len);
1880 return -1;
1881 }
1882 gtk_len -= 2;
1883 if (gtk_len > sizeof(gd->gtk)) {
1884 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1885 "RSN: Too long GTK in GTK KDE (len=%u)", gtk_len);
1886 return -1;
1887 }
1888 maxkeylen = gd->gtk_len = gtk_len;
1889
1890 #ifdef CONFIG_OCV
1891 if (wpa_sm_ocv_enabled(sm)) {
1892 struct wpa_channel_info ci;
1893
1894 if (wpa_sm_channel_info(sm, &ci) != 0) {
1895 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1896 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
1897 return -1;
1898 }
1899
1900 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
1901 channel_width_to_int(ci.chanwidth),
1902 ci.seg1_idx) != OCI_SUCCESS) {
1903 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
1904 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
1905 MAC2STR(sm->bssid), ocv_errorstr);
1906 return -1;
1907 }
1908 }
1909 #endif /* CONFIG_OCV */
1910
1911 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1912 gtk_len, maxkeylen,
1913 &gd->key_rsc_len, &gd->alg))
1914 return -1;
1915
1916 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
1917 ie.gtk, 2 + gtk_len);
1918 gd->keyidx = ie.gtk[0] & 0x3;
1919 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1920 !!(ie.gtk[0] & BIT(2)));
1921 os_memcpy(gd->gtk, ie.gtk + 2, gtk_len);
1922
1923 if (ieee80211w_set_keys(sm, &ie) < 0)
1924 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1925 "RSN: Failed to configure IGTK");
1926
1927 return 0;
1928 }
1929
1930
wpa_supplicant_process_1_of_2_wpa(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 key_info,u16 ver,struct wpa_gtk_data * gd)1931 static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
1932 const struct wpa_eapol_key *key,
1933 const u8 *key_data,
1934 size_t key_data_len, u16 key_info,
1935 u16 ver, struct wpa_gtk_data *gd)
1936 {
1937 size_t maxkeylen;
1938 u16 gtk_len;
1939
1940 gtk_len = WPA_GET_BE16(key->key_length);
1941 maxkeylen = key_data_len;
1942 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1943 if (maxkeylen < 8) {
1944 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1945 "WPA: Too short maxkeylen (%lu)",
1946 (unsigned long) maxkeylen);
1947 return -1;
1948 }
1949 maxkeylen -= 8;
1950 }
1951
1952 if (gtk_len > maxkeylen ||
1953 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1954 gtk_len, maxkeylen,
1955 &gd->key_rsc_len, &gd->alg))
1956 return -1;
1957
1958 gd->gtk_len = gtk_len;
1959 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1960 WPA_KEY_INFO_KEY_INDEX_SHIFT;
1961 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
1962 #ifdef CONFIG_NO_RC4
1963 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1964 "WPA: RC4 not supported in the build");
1965 return -1;
1966 #else /* CONFIG_NO_RC4 */
1967 u8 ek[32];
1968 if (key_data_len > sizeof(gd->gtk)) {
1969 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1970 "WPA: RC4 key data too long (%lu)",
1971 (unsigned long) key_data_len);
1972 return -1;
1973 }
1974 os_memcpy(ek, key->key_iv, 16);
1975 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
1976 os_memcpy(gd->gtk, key_data, key_data_len);
1977 if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) {
1978 forced_memzero(ek, sizeof(ek));
1979 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1980 "WPA: RC4 failed");
1981 return -1;
1982 }
1983 forced_memzero(ek, sizeof(ek));
1984 #endif /* CONFIG_NO_RC4 */
1985 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1986 if (maxkeylen % 8) {
1987 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1988 "WPA: Unsupported AES-WRAP len %lu",
1989 (unsigned long) maxkeylen);
1990 return -1;
1991 }
1992 if (maxkeylen > sizeof(gd->gtk)) {
1993 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1994 "WPA: AES-WRAP key data "
1995 "too long (keydatalen=%lu maxkeylen=%lu)",
1996 (unsigned long) key_data_len,
1997 (unsigned long) maxkeylen);
1998 return -1;
1999 }
2000 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
2001 key_data, gd->gtk)) {
2002 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2003 "WPA: AES unwrap failed - could not decrypt "
2004 "GTK");
2005 return -1;
2006 }
2007 } else {
2008 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2009 "WPA: Unsupported key_info type %d", ver);
2010 return -1;
2011 }
2012 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(
2013 sm, !!(key_info & WPA_KEY_INFO_TXRX));
2014 return 0;
2015 }
2016
2017
wpa_supplicant_send_2_of_2(struct wpa_sm * sm,const struct wpa_eapol_key * key,int ver,u16 key_info)2018 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
2019 const struct wpa_eapol_key *key,
2020 int ver, u16 key_info)
2021 {
2022 size_t mic_len, hdrlen, rlen;
2023 struct wpa_eapol_key *reply;
2024 u8 *rbuf, *key_mic;
2025 size_t kde_len = 0;
2026
2027 #ifdef CONFIG_TESTING_OPTIONS
2028 if (sm->disable_eapol_g2_tx) {
2029 wpa_printf(MSG_INFO, "TEST: Disable sending EAPOL-Key 2/2");
2030 return 0;
2031 }
2032 #endif /* CONFIG_TESTING_OPTIONS */
2033
2034 #ifdef CONFIG_OCV
2035 if (wpa_sm_ocv_enabled(sm))
2036 kde_len = OCV_OCI_KDE_LEN;
2037 #endif /* CONFIG_OCV */
2038
2039 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2040 hdrlen = sizeof(*reply) + mic_len + 2;
2041 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
2042 hdrlen + kde_len, &rlen, (void *) &reply);
2043 if (rbuf == NULL)
2044 return -1;
2045
2046 reply->type = (sm->proto == WPA_PROTO_RSN ||
2047 sm->proto == WPA_PROTO_OSEN) ?
2048 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2049 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
2050 key_info |= ver | WPA_KEY_INFO_SECURE;
2051 if (mic_len)
2052 key_info |= WPA_KEY_INFO_MIC;
2053 else
2054 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2055 WPA_PUT_BE16(reply->key_info, key_info);
2056 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
2057 WPA_PUT_BE16(reply->key_length, 0);
2058 else
2059 os_memcpy(reply->key_length, key->key_length, 2);
2060 os_memcpy(reply->replay_counter, key->replay_counter,
2061 WPA_REPLAY_COUNTER_LEN);
2062
2063 key_mic = (u8 *) (reply + 1);
2064 WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */
2065
2066 #ifdef CONFIG_OCV
2067 if (wpa_sm_ocv_enabled(sm)) {
2068 struct wpa_channel_info ci;
2069 u8 *pos;
2070
2071 if (wpa_sm_channel_info(sm, &ci) != 0) {
2072 wpa_printf(MSG_WARNING,
2073 "Failed to get channel info for OCI element in EAPOL-Key 2/2");
2074 os_free(rbuf);
2075 return -1;
2076 }
2077 #ifdef CONFIG_TESTING_OPTIONS
2078 if (sm->oci_freq_override_eapol_g2) {
2079 wpa_printf(MSG_INFO,
2080 "TEST: Override OCI KDE frequency %d -> %d MHz",
2081 ci.frequency,
2082 sm->oci_freq_override_eapol_g2);
2083 ci.frequency = sm->oci_freq_override_eapol_g2;
2084 }
2085 #endif /* CONFIG_TESTING_OPTIONS */
2086
2087 pos = key_mic + mic_len + 2; /* Key Data */
2088 if (ocv_insert_oci_kde(&ci, &pos) < 0) {
2089 os_free(rbuf);
2090 return -1;
2091 }
2092 }
2093 #endif /* CONFIG_OCV */
2094
2095 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
2096 return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL,
2097 rbuf, rlen, key_mic);
2098 }
2099
2100
wpa_supplicant_process_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)2101 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
2102 const unsigned char *src_addr,
2103 const struct wpa_eapol_key *key,
2104 const u8 *key_data,
2105 size_t key_data_len, u16 ver)
2106 {
2107 u16 key_info;
2108 int rekey, ret;
2109 struct wpa_gtk_data gd;
2110 const u8 *key_rsc;
2111
2112 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
2113 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2114 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
2115 goto failed;
2116 }
2117
2118 os_memset(&gd, 0, sizeof(gd));
2119
2120 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
2121 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key "
2122 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
2123
2124 key_info = WPA_GET_BE16(key->key_info);
2125
2126 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
2127 ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data,
2128 key_data_len, key_info,
2129 &gd);
2130 } else {
2131 ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data,
2132 key_data_len,
2133 key_info, ver, &gd);
2134 }
2135
2136 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2137
2138 if (ret)
2139 goto failed;
2140
2141 key_rsc = key->key_rsc;
2142 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
2143 key_rsc = null_rsc;
2144
2145 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
2146 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
2147 goto failed;
2148 forced_memzero(&gd, sizeof(gd));
2149
2150 if (rekey) {
2151 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying "
2152 "completed with " MACSTR " [GTK=%s]",
2153 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
2154 wpa_sm_cancel_auth_timeout(sm);
2155 wpa_sm_set_state(sm, WPA_COMPLETED);
2156 } else {
2157 wpa_supplicant_key_neg_complete(sm, sm->bssid,
2158 key_info &
2159 WPA_KEY_INFO_SECURE);
2160 }
2161
2162 wpa_sm_set_rekey_offload(sm);
2163
2164 return;
2165
2166 failed:
2167 forced_memzero(&gd, sizeof(gd));
2168 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2169 }
2170
2171
wpa_supplicant_verify_eapol_key_mic(struct wpa_sm * sm,struct wpa_eapol_key * key,u16 ver,const u8 * buf,size_t len)2172 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
2173 struct wpa_eapol_key *key,
2174 u16 ver,
2175 const u8 *buf, size_t len)
2176 {
2177 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
2178 int ok = 0;
2179 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2180
2181 os_memcpy(mic, key + 1, mic_len);
2182 if (sm->tptk_set) {
2183 os_memset(key + 1, 0, mic_len);
2184 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
2185 sm->key_mgmt,
2186 ver, buf, len, (u8 *) (key + 1)) < 0 ||
2187 os_memcmp_const(mic, key + 1, mic_len) != 0) {
2188 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2189 "WPA: Invalid EAPOL-Key MIC "
2190 "when using TPTK - ignoring TPTK");
2191 #ifdef TEST_FUZZ
2192 wpa_printf(MSG_INFO,
2193 "TEST: Ignore Key MIC failure for fuzz testing");
2194 goto continue_fuzz;
2195 #endif /* TEST_FUZZ */
2196 } else {
2197 #ifdef TEST_FUZZ
2198 continue_fuzz:
2199 #endif /* TEST_FUZZ */
2200 ok = 1;
2201 sm->tptk_set = 0;
2202 sm->ptk_set = 1;
2203 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
2204 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
2205 /*
2206 * This assures the same TPTK in sm->tptk can never be
2207 * copied twice to sm->ptk as the new PTK. In
2208 * combination with the installed flag in the wpa_ptk
2209 * struct, this assures the same PTK is only installed
2210 * once.
2211 */
2212 sm->renew_snonce = 1;
2213 }
2214 }
2215
2216 if (!ok && sm->ptk_set) {
2217 os_memset(key + 1, 0, mic_len);
2218 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
2219 sm->key_mgmt,
2220 ver, buf, len, (u8 *) (key + 1)) < 0 ||
2221 os_memcmp_const(mic, key + 1, mic_len) != 0) {
2222 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2223 "WPA: Invalid EAPOL-Key MIC - "
2224 "dropping packet");
2225 #ifdef TEST_FUZZ
2226 wpa_printf(MSG_INFO,
2227 "TEST: Ignore Key MIC failure for fuzz testing");
2228 goto continue_fuzz2;
2229 #endif /* TEST_FUZZ */
2230 return -1;
2231 }
2232 #ifdef TEST_FUZZ
2233 continue_fuzz2:
2234 #endif /* TEST_FUZZ */
2235 ok = 1;
2236 }
2237
2238 if (!ok) {
2239 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2240 "WPA: Could not verify EAPOL-Key MIC - "
2241 "dropping packet");
2242 return -1;
2243 }
2244
2245 os_memcpy(sm->rx_replay_counter, key->replay_counter,
2246 WPA_REPLAY_COUNTER_LEN);
2247 sm->rx_replay_counter_set = 1;
2248 return 0;
2249 }
2250
2251
2252 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
wpa_supplicant_decrypt_key_data(struct wpa_sm * sm,struct wpa_eapol_key * key,size_t mic_len,u16 ver,u8 * key_data,size_t * key_data_len)2253 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
2254 struct wpa_eapol_key *key,
2255 size_t mic_len, u16 ver,
2256 u8 *key_data, size_t *key_data_len)
2257 {
2258 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
2259 key_data, *key_data_len);
2260 if (!sm->ptk_set) {
2261 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2262 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
2263 "Data");
2264 return -1;
2265 }
2266
2267 /* Decrypt key data here so that this operation does not need
2268 * to be implemented separately for each message type. */
2269 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
2270 #ifdef CONFIG_NO_RC4
2271 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2272 "WPA: RC4 not supported in the build");
2273 return -1;
2274 #else /* CONFIG_NO_RC4 */
2275 u8 ek[32];
2276
2277 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
2278 os_memcpy(ek, key->key_iv, 16);
2279 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
2280 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
2281 forced_memzero(ek, sizeof(ek));
2282 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2283 "WPA: RC4 failed");
2284 return -1;
2285 }
2286 forced_memzero(ek, sizeof(ek));
2287 #endif /* CONFIG_NO_RC4 */
2288 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
2289 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
2290 wpa_use_aes_key_wrap(sm->key_mgmt)) {
2291 u8 *buf;
2292
2293 wpa_printf(MSG_DEBUG,
2294 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
2295 (unsigned int) sm->ptk.kek_len);
2296 if (*key_data_len < 8 || *key_data_len % 8) {
2297 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2298 "WPA: Unsupported AES-WRAP len %u",
2299 (unsigned int) *key_data_len);
2300 return -1;
2301 }
2302 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
2303 buf = os_malloc(*key_data_len);
2304 if (buf == NULL) {
2305 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2306 "WPA: No memory for AES-UNWRAP buffer");
2307 return -1;
2308 }
2309 #ifdef TEST_FUZZ
2310 os_memset(buf, 0x11, *key_data_len);
2311 #endif /* TEST_FUZZ */
2312 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
2313 key_data, buf)) {
2314 #ifdef TEST_FUZZ
2315 wpa_printf(MSG_INFO,
2316 "TEST: Ignore AES unwrap failure for fuzz testing");
2317 goto continue_fuzz;
2318 #endif /* TEST_FUZZ */
2319 bin_clear_free(buf, *key_data_len);
2320 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2321 "WPA: AES unwrap failed - "
2322 "could not decrypt EAPOL-Key key data");
2323 return -1;
2324 }
2325 #ifdef TEST_FUZZ
2326 continue_fuzz:
2327 #endif /* TEST_FUZZ */
2328 os_memcpy(key_data, buf, *key_data_len);
2329 bin_clear_free(buf, *key_data_len);
2330 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
2331 } else {
2332 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2333 "WPA: Unsupported key_info type %d", ver);
2334 return -1;
2335 }
2336 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
2337 key_data, *key_data_len);
2338 return 0;
2339 }
2340
2341
2342 /**
2343 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
2344 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2345 */
wpa_sm_aborted_cached(struct wpa_sm * sm)2346 void wpa_sm_aborted_cached(struct wpa_sm *sm)
2347 {
2348 if (sm && sm->cur_pmksa) {
2349 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2350 "RSN: Cancelling PMKSA caching attempt");
2351 sm->cur_pmksa = NULL;
2352 }
2353 }
2354
2355
wpa_sm_aborted_external_cached(struct wpa_sm * sm)2356 void wpa_sm_aborted_external_cached(struct wpa_sm *sm)
2357 {
2358 if (sm && sm->cur_pmksa && sm->cur_pmksa->external) {
2359 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2360 "RSN: Cancelling external PMKSA caching attempt");
2361 sm->cur_pmksa = NULL;
2362 }
2363 }
2364
2365
wpa_eapol_key_dump(struct wpa_sm * sm,const struct wpa_eapol_key * key,unsigned int key_data_len,const u8 * mic,unsigned int mic_len)2366 static void wpa_eapol_key_dump(struct wpa_sm *sm,
2367 const struct wpa_eapol_key *key,
2368 unsigned int key_data_len,
2369 const u8 *mic, unsigned int mic_len)
2370 {
2371 #ifndef CONFIG_NO_STDOUT_DEBUG
2372 u16 key_info = WPA_GET_BE16(key->key_info);
2373
2374 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
2375 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2376 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
2377 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
2378 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
2379 WPA_KEY_INFO_KEY_INDEX_SHIFT,
2380 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
2381 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
2382 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
2383 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
2384 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
2385 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
2386 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
2387 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
2388 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
2389 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2390 " key_length=%u key_data_length=%u",
2391 WPA_GET_BE16(key->key_length), key_data_len);
2392 wpa_hexdump(MSG_DEBUG, " replay_counter",
2393 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
2394 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
2395 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
2396 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
2397 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
2398 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
2399 #endif /* CONFIG_NO_STDOUT_DEBUG */
2400 }
2401
2402
2403 #ifdef CONFIG_FILS
wpa_supp_aead_decrypt(struct wpa_sm * sm,u8 * buf,size_t buf_len,size_t * key_data_len)2404 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
2405 size_t *key_data_len)
2406 {
2407 struct wpa_ptk *ptk;
2408 struct ieee802_1x_hdr *hdr;
2409 struct wpa_eapol_key *key;
2410 u8 *pos, *tmp;
2411 const u8 *aad[1];
2412 size_t aad_len[1];
2413
2414 if (*key_data_len < AES_BLOCK_SIZE) {
2415 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
2416 return -1;
2417 }
2418
2419 if (sm->tptk_set)
2420 ptk = &sm->tptk;
2421 else if (sm->ptk_set)
2422 ptk = &sm->ptk;
2423 else
2424 return -1;
2425
2426 hdr = (struct ieee802_1x_hdr *) buf;
2427 key = (struct wpa_eapol_key *) (hdr + 1);
2428 pos = (u8 *) (key + 1);
2429 pos += 2; /* Pointing at the Encrypted Key Data field */
2430
2431 tmp = os_malloc(*key_data_len);
2432 if (!tmp)
2433 return -1;
2434
2435 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2436 * to Key Data (exclusive). */
2437 aad[0] = buf;
2438 aad_len[0] = pos - buf;
2439 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
2440 1, aad, aad_len, tmp) < 0) {
2441 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
2442 bin_clear_free(tmp, *key_data_len);
2443 return -1;
2444 }
2445
2446 /* AEAD decryption and validation completed successfully */
2447 (*key_data_len) -= AES_BLOCK_SIZE;
2448 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2449 tmp, *key_data_len);
2450
2451 /* Replace Key Data field with the decrypted version */
2452 os_memcpy(pos, tmp, *key_data_len);
2453 pos -= 2; /* Key Data Length field */
2454 WPA_PUT_BE16(pos, *key_data_len);
2455 bin_clear_free(tmp, *key_data_len);
2456
2457 if (sm->tptk_set) {
2458 sm->tptk_set = 0;
2459 sm->ptk_set = 1;
2460 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
2461 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
2462 }
2463
2464 os_memcpy(sm->rx_replay_counter, key->replay_counter,
2465 WPA_REPLAY_COUNTER_LEN);
2466 sm->rx_replay_counter_set = 1;
2467
2468 return 0;
2469 }
2470 #endif /* CONFIG_FILS */
2471
2472
2473 /**
2474 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
2475 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2476 * @src_addr: Source MAC address of the EAPOL packet
2477 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
2478 * @len: Length of the EAPOL frame
2479 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
2480 *
2481 * This function is called for each received EAPOL frame. Other than EAPOL-Key
2482 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
2483 * only processing WPA and WPA2 EAPOL-Key frames.
2484 *
2485 * The received EAPOL-Key packets are validated and valid packets are replied
2486 * to. In addition, key material (PTK, GTK) is configured at the end of a
2487 * successful key handshake.
2488 */
wpa_sm_rx_eapol(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)2489 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
2490 const u8 *buf, size_t len)
2491 {
2492 size_t plen, data_len, key_data_len;
2493 const struct ieee802_1x_hdr *hdr;
2494 struct wpa_eapol_key *key;
2495 u16 key_info, ver;
2496 u8 *tmp = NULL;
2497 int ret = -1;
2498 u8 *mic, *key_data;
2499 size_t mic_len, keyhdrlen, pmk_len;
2500
2501 #ifdef CONFIG_IEEE80211R
2502 sm->ft_completed = 0;
2503 #endif /* CONFIG_IEEE80211R */
2504
2505 pmk_len = sm->pmk_len;
2506 if (!pmk_len && sm->cur_pmksa)
2507 pmk_len = sm->cur_pmksa->pmk_len;
2508 mic_len = wpa_mic_len(sm->key_mgmt, pmk_len);
2509 keyhdrlen = sizeof(*key) + mic_len + 2;
2510
2511 if (len < sizeof(*hdr) + keyhdrlen) {
2512 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2513 "WPA: EAPOL frame too short to be a WPA "
2514 "EAPOL-Key (len %lu, expecting at least %lu)",
2515 (unsigned long) len,
2516 (unsigned long) sizeof(*hdr) + keyhdrlen);
2517 return 0;
2518 }
2519
2520 hdr = (const struct ieee802_1x_hdr *) buf;
2521 plen = be_to_host16(hdr->length);
2522 data_len = plen + sizeof(*hdr);
2523 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2524 "IEEE 802.1X RX: version=%d type=%d length=%lu",
2525 hdr->version, hdr->type, (unsigned long) plen);
2526
2527 if (hdr->version < EAPOL_VERSION) {
2528 /* TODO: backwards compatibility */
2529 }
2530 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
2531 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2532 "WPA: EAPOL frame (type %u) discarded, "
2533 "not a Key frame", hdr->type);
2534 ret = 0;
2535 goto out;
2536 }
2537 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
2538 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
2539 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2540 "WPA: EAPOL frame payload size %lu "
2541 "invalid (frame size %lu)",
2542 (unsigned long) plen, (unsigned long) len);
2543 ret = 0;
2544 goto out;
2545 }
2546 if (data_len < len) {
2547 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2548 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
2549 (unsigned long) len - data_len);
2550 }
2551
2552 /*
2553 * Make a copy of the frame since we need to modify the buffer during
2554 * MAC validation and Key Data decryption.
2555 */
2556 tmp = os_memdup(buf, data_len);
2557 if (tmp == NULL)
2558 goto out;
2559 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
2560 mic = (u8 *) (key + 1);
2561 key_data = mic + mic_len + 2;
2562
2563 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
2564 {
2565 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2566 "WPA: EAPOL-Key type (%d) unknown, discarded",
2567 key->type);
2568 ret = 0;
2569 goto out;
2570 }
2571
2572 key_data_len = WPA_GET_BE16(mic + mic_len);
2573 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
2574
2575 if (key_data_len > plen - keyhdrlen) {
2576 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
2577 "frame - key_data overflow (%u > %u)",
2578 (unsigned int) key_data_len,
2579 (unsigned int) (plen - keyhdrlen));
2580 goto out;
2581 }
2582
2583 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
2584 key_info = WPA_GET_BE16(key->key_info);
2585 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
2586 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
2587 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2588 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
2589 !wpa_use_akm_defined(sm->key_mgmt)) {
2590 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2591 "WPA: Unsupported EAPOL-Key descriptor version %d",
2592 ver);
2593 goto out;
2594 }
2595
2596 if (wpa_use_akm_defined(sm->key_mgmt) &&
2597 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
2598 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2599 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
2600 ver);
2601 goto out;
2602 }
2603
2604 #ifdef CONFIG_IEEE80211R
2605 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
2606 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
2607 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2608 !wpa_use_akm_defined(sm->key_mgmt)) {
2609 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2610 "FT: AP did not use AES-128-CMAC");
2611 goto out;
2612 }
2613 } else
2614 #endif /* CONFIG_IEEE80211R */
2615 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
2616 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2617 !wpa_use_akm_defined(sm->key_mgmt)) {
2618 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2619 "WPA: AP did not use the "
2620 "negotiated AES-128-CMAC");
2621 goto out;
2622 }
2623 } else if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
2624 !wpa_use_akm_defined(sm->key_mgmt) &&
2625 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2626 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2627 "WPA: CCMP is used, but EAPOL-Key "
2628 "descriptor version (%d) is not 2", ver);
2629 if (sm->group_cipher != WPA_CIPHER_CCMP &&
2630 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
2631 /* Earlier versions of IEEE 802.11i did not explicitly
2632 * require version 2 descriptor for all EAPOL-Key
2633 * packets, so allow group keys to use version 1 if
2634 * CCMP is not used for them. */
2635 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2636 "WPA: Backwards compatibility: allow invalid "
2637 "version for non-CCMP group keys");
2638 } else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
2639 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2640 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
2641 } else
2642 goto out;
2643 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
2644 !wpa_use_akm_defined(sm->key_mgmt) &&
2645 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2646 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2647 "WPA: GCMP is used, but EAPOL-Key "
2648 "descriptor version (%d) is not 2", ver);
2649 goto out;
2650 }
2651
2652 if (sm->rx_replay_counter_set &&
2653 os_memcmp(key->replay_counter, sm->rx_replay_counter,
2654 WPA_REPLAY_COUNTER_LEN) <= 0) {
2655 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2656 "WPA: EAPOL-Key Replay Counter did not increase - "
2657 "dropping packet");
2658 goto out;
2659 }
2660
2661 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
2662 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2663 "WPA: Unsupported SMK bit in key_info");
2664 goto out;
2665 }
2666
2667 if (!(key_info & WPA_KEY_INFO_ACK)) {
2668 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2669 "WPA: No Ack bit in key_info");
2670 goto out;
2671 }
2672
2673 if (key_info & WPA_KEY_INFO_REQUEST) {
2674 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2675 "WPA: EAPOL-Key with Request bit - dropped");
2676 goto out;
2677 }
2678
2679 if ((key_info & WPA_KEY_INFO_MIC) &&
2680 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
2681 goto out;
2682
2683 #ifdef CONFIG_FILS
2684 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2685 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
2686 goto out;
2687 }
2688 #endif /* CONFIG_FILS */
2689
2690 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
2691 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
2692 /*
2693 * Only decrypt the Key Data field if the frame's authenticity
2694 * was verified. When using AES-SIV (FILS), the MIC flag is not
2695 * set, so this check should only be performed if mic_len != 0
2696 * which is the case in this code branch.
2697 */
2698 if (!(key_info & WPA_KEY_INFO_MIC)) {
2699 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2700 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
2701 goto out;
2702 }
2703 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
2704 ver, key_data,
2705 &key_data_len))
2706 goto out;
2707 }
2708
2709 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
2710 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
2711 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2712 "WPA: Ignored EAPOL-Key (Pairwise) with "
2713 "non-zero key index");
2714 goto out;
2715 }
2716 if (key_info & (WPA_KEY_INFO_MIC |
2717 WPA_KEY_INFO_ENCR_KEY_DATA)) {
2718 /* 3/4 4-Way Handshake */
2719 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
2720 key_data_len);
2721 } else {
2722 /* 1/4 4-Way Handshake */
2723 wpa_supplicant_process_1_of_4(sm, src_addr, key,
2724 ver, key_data,
2725 key_data_len);
2726 }
2727 } else {
2728 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
2729 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
2730 /* 1/2 Group Key Handshake */
2731 wpa_supplicant_process_1_of_2(sm, src_addr, key,
2732 key_data, key_data_len,
2733 ver);
2734 } else {
2735 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2736 "WPA: EAPOL-Key (Group) without Mic/Encr bit - "
2737 "dropped");
2738 }
2739 }
2740
2741 ret = 1;
2742
2743 out:
2744 bin_clear_free(tmp, data_len);
2745 return ret;
2746 }
2747
2748
2749 #ifdef CONFIG_CTRL_IFACE
wpa_key_mgmt_suite(struct wpa_sm * sm)2750 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
2751 {
2752 switch (sm->key_mgmt) {
2753 case WPA_KEY_MGMT_IEEE8021X:
2754 return ((sm->proto == WPA_PROTO_RSN ||
2755 sm->proto == WPA_PROTO_OSEN) ?
2756 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
2757 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
2758 case WPA_KEY_MGMT_PSK:
2759 return (sm->proto == WPA_PROTO_RSN ?
2760 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
2761 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
2762 #ifdef CONFIG_IEEE80211R
2763 case WPA_KEY_MGMT_FT_IEEE8021X:
2764 return RSN_AUTH_KEY_MGMT_FT_802_1X;
2765 case WPA_KEY_MGMT_FT_PSK:
2766 return RSN_AUTH_KEY_MGMT_FT_PSK;
2767 #endif /* CONFIG_IEEE80211R */
2768 case WPA_KEY_MGMT_IEEE8021X_SHA256:
2769 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2770 case WPA_KEY_MGMT_PSK_SHA256:
2771 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2772 case WPA_KEY_MGMT_CCKM:
2773 return (sm->proto == WPA_PROTO_RSN ?
2774 RSN_AUTH_KEY_MGMT_CCKM:
2775 WPA_AUTH_KEY_MGMT_CCKM);
2776 case WPA_KEY_MGMT_WPA_NONE:
2777 return WPA_AUTH_KEY_MGMT_NONE;
2778 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2779 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
2780 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2781 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
2782 default:
2783 return 0;
2784 }
2785 }
2786
2787
2788 #define RSN_SUITE "%02x-%02x-%02x-%d"
2789 #define RSN_SUITE_ARG(s) \
2790 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2791
2792 /**
2793 * wpa_sm_get_mib - Dump text list of MIB entries
2794 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2795 * @buf: Buffer for the list
2796 * @buflen: Length of the buffer
2797 * Returns: Number of bytes written to buffer
2798 *
2799 * This function is used fetch dot11 MIB variables.
2800 */
wpa_sm_get_mib(struct wpa_sm * sm,char * buf,size_t buflen)2801 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
2802 {
2803 char pmkid_txt[PMKID_LEN * 2 + 1];
2804 bool rsna;
2805 int ret;
2806 size_t len;
2807
2808 if (sm->cur_pmksa) {
2809 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2810 sm->cur_pmksa->pmkid, PMKID_LEN);
2811 } else
2812 pmkid_txt[0] = '\0';
2813
2814 rsna = (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
2815 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
2816 sm->proto == WPA_PROTO_RSN;
2817
2818 ret = os_snprintf(buf, buflen,
2819 "dot11RSNAOptionImplemented=TRUE\n"
2820 "dot11RSNAPreauthenticationImplemented=TRUE\n"
2821 "dot11RSNAEnabled=%s\n"
2822 "dot11RSNAPreauthenticationEnabled=%s\n"
2823 "dot11RSNAConfigVersion=%d\n"
2824 "dot11RSNAConfigPairwiseKeysSupported=5\n"
2825 "dot11RSNAConfigGroupCipherSize=%d\n"
2826 "dot11RSNAConfigPMKLifetime=%d\n"
2827 "dot11RSNAConfigPMKReauthThreshold=%d\n"
2828 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
2829 "dot11RSNAConfigSATimeout=%d\n",
2830 rsna ? "TRUE" : "FALSE",
2831 rsna ? "TRUE" : "FALSE",
2832 RSN_VERSION,
2833 wpa_cipher_key_len(sm->group_cipher) * 8,
2834 sm->dot11RSNAConfigPMKLifetime,
2835 sm->dot11RSNAConfigPMKReauthThreshold,
2836 sm->dot11RSNAConfigSATimeout);
2837 if (os_snprintf_error(buflen, ret))
2838 return 0;
2839 len = ret;
2840
2841 ret = os_snprintf(
2842 buf + len, buflen - len,
2843 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2844 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2845 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2846 "dot11RSNAPMKIDUsed=%s\n"
2847 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2848 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2849 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2850 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
2851 "dot11RSNA4WayHandshakeFailures=%u\n",
2852 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
2853 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2854 sm->pairwise_cipher)),
2855 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2856 sm->group_cipher)),
2857 pmkid_txt,
2858 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
2859 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2860 sm->pairwise_cipher)),
2861 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2862 sm->group_cipher)),
2863 sm->dot11RSNA4WayHandshakeFailures);
2864 if (!os_snprintf_error(buflen - len, ret))
2865 len += ret;
2866
2867 return (int) len;
2868 }
2869 #endif /* CONFIG_CTRL_IFACE */
2870
2871
wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx,enum pmksa_free_reason reason)2872 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
2873 void *ctx, enum pmksa_free_reason reason)
2874 {
2875 struct wpa_sm *sm = ctx;
2876 int deauth = 0;
2877
2878 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
2879 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
2880
2881 if (sm->cur_pmksa == entry) {
2882 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2883 "RSN: %s current PMKSA entry",
2884 reason == PMKSA_REPLACE ? "replaced" : "removed");
2885 pmksa_cache_clear_current(sm);
2886
2887 /*
2888 * If an entry is simply being replaced, there's no need to
2889 * deauthenticate because it will be immediately re-added.
2890 * This happens when EAP authentication is completed again
2891 * (reauth or failed PMKSA caching attempt).
2892 */
2893 if (reason != PMKSA_REPLACE)
2894 deauth = 1;
2895 }
2896
2897 if (reason == PMKSA_EXPIRE &&
2898 (sm->pmk_len == entry->pmk_len &&
2899 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
2900 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2901 "RSN: deauthenticating due to expired PMK");
2902 pmksa_cache_clear_current(sm);
2903 deauth = 1;
2904 }
2905
2906 if (deauth) {
2907 sm->pmk_len = 0;
2908 os_memset(sm->pmk, 0, sizeof(sm->pmk));
2909 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2910 }
2911 }
2912
2913
wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)2914 static bool wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry *entry,
2915 void *ctx)
2916 {
2917 struct wpa_sm *sm = ctx;
2918
2919 return sm->cur_pmksa == entry;
2920 }
2921
2922
2923 /**
2924 * wpa_sm_init - Initialize WPA state machine
2925 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
2926 * Returns: Pointer to the allocated WPA state machine data
2927 *
2928 * This function is used to allocate a new WPA state machine and the returned
2929 * value is passed to all WPA state machine calls.
2930 */
wpa_sm_init(struct wpa_sm_ctx * ctx)2931 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
2932 {
2933 struct wpa_sm *sm;
2934
2935 sm = os_zalloc(sizeof(*sm));
2936 if (sm == NULL)
2937 return NULL;
2938 dl_list_init(&sm->pmksa_candidates);
2939 sm->renew_snonce = 1;
2940 sm->ctx = ctx;
2941
2942 sm->dot11RSNAConfigPMKLifetime = 43200;
2943 sm->dot11RSNAConfigPMKReauthThreshold = 70;
2944 sm->dot11RSNAConfigSATimeout = 60;
2945
2946 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb,
2947 wpa_sm_pmksa_is_current_cb, sm, sm);
2948 if (sm->pmksa == NULL) {
2949 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2950 "RSN: PMKSA cache initialization failed");
2951 os_free(sm);
2952 return NULL;
2953 }
2954
2955 return sm;
2956 }
2957
2958
2959 /**
2960 * wpa_sm_deinit - Deinitialize WPA state machine
2961 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2962 */
wpa_sm_deinit(struct wpa_sm * sm)2963 void wpa_sm_deinit(struct wpa_sm *sm)
2964 {
2965 if (sm == NULL)
2966 return;
2967 pmksa_cache_deinit(sm->pmksa);
2968 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
2969 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
2970 os_free(sm->assoc_wpa_ie);
2971 os_free(sm->assoc_rsnxe);
2972 os_free(sm->ap_wpa_ie);
2973 os_free(sm->ap_rsn_ie);
2974 os_free(sm->ap_rsnxe);
2975 wpa_sm_drop_sa(sm);
2976 os_free(sm->ctx);
2977 #ifdef CONFIG_IEEE80211R
2978 os_free(sm->assoc_resp_ies);
2979 #endif /* CONFIG_IEEE80211R */
2980 #ifdef CONFIG_TESTING_OPTIONS
2981 wpabuf_free(sm->test_assoc_ie);
2982 #endif /* CONFIG_TESTING_OPTIONS */
2983 #ifdef CONFIG_FILS_SK_PFS
2984 crypto_ecdh_deinit(sm->fils_ecdh);
2985 #endif /* CONFIG_FILS_SK_PFS */
2986 #ifdef CONFIG_FILS
2987 wpabuf_free(sm->fils_ft_ies);
2988 #endif /* CONFIG_FILS */
2989 #ifdef CONFIG_OWE
2990 crypto_ecdh_deinit(sm->owe_ecdh);
2991 #endif /* CONFIG_OWE */
2992 #ifdef CONFIG_DPP2
2993 wpabuf_clear_free(sm->dpp_z);
2994 #endif /* CONFIG_DPP2 */
2995 os_free(sm);
2996 }
2997
2998
2999 /**
3000 * wpa_sm_notify_assoc - Notify WPA state machine about association
3001 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3002 * @bssid: The BSSID of the new association
3003 *
3004 * This function is called to let WPA state machine know that the connection
3005 * was established.
3006 */
wpa_sm_notify_assoc(struct wpa_sm * sm,const u8 * bssid)3007 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
3008 {
3009 int clear_keys = 1;
3010
3011 if (sm == NULL)
3012 return;
3013
3014 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3015 "WPA: Association event - clear replay counter");
3016 os_memcpy(sm->bssid, bssid, ETH_ALEN);
3017 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
3018 sm->rx_replay_counter_set = 0;
3019 sm->renew_snonce = 1;
3020 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
3021 rsn_preauth_deinit(sm);
3022
3023 #ifdef CONFIG_IEEE80211R
3024 if (wpa_ft_is_completed(sm)) {
3025 /*
3026 * Clear portValid to kick EAPOL state machine to re-enter
3027 * AUTHENTICATED state to get the EAPOL port Authorized.
3028 */
3029 eapol_sm_notify_portValid(sm->eapol, false);
3030 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
3031
3032 /* Prepare for the next transition */
3033 wpa_ft_prepare_auth_request(sm, NULL);
3034
3035 clear_keys = 0;
3036 sm->ft_protocol = 1;
3037 } else {
3038 sm->ft_protocol = 0;
3039 }
3040 #endif /* CONFIG_IEEE80211R */
3041 #ifdef CONFIG_FILS
3042 if (sm->fils_completed) {
3043 /*
3044 * Clear portValid to kick EAPOL state machine to re-enter
3045 * AUTHENTICATED state to get the EAPOL port Authorized.
3046 */
3047 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
3048 clear_keys = 0;
3049 }
3050 #endif /* CONFIG_FILS */
3051
3052 if (clear_keys) {
3053 /*
3054 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
3055 * this is not part of a Fast BSS Transition.
3056 */
3057 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
3058 sm->ptk_set = 0;
3059 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
3060 sm->tptk_set = 0;
3061 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3062 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
3063 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
3064 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
3065 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
3066 }
3067
3068 #ifdef CONFIG_TDLS
3069 wpa_tdls_assoc(sm);
3070 #endif /* CONFIG_TDLS */
3071
3072 #ifdef CONFIG_P2P
3073 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
3074 #endif /* CONFIG_P2P */
3075
3076 sm->keyidx_active = 0;
3077 }
3078
3079
3080 /**
3081 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
3082 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3083 *
3084 * This function is called to let WPA state machine know that the connection
3085 * was lost. This will abort any existing pre-authentication session.
3086 */
wpa_sm_notify_disassoc(struct wpa_sm * sm)3087 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
3088 {
3089 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
3090 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
3091 rsn_preauth_deinit(sm);
3092 pmksa_cache_clear_current(sm);
3093 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
3094 sm->dot11RSNA4WayHandshakeFailures++;
3095 #ifdef CONFIG_TDLS
3096 wpa_tdls_disassoc(sm);
3097 #endif /* CONFIG_TDLS */
3098 #ifdef CONFIG_FILS
3099 sm->fils_completed = 0;
3100 #endif /* CONFIG_FILS */
3101 #ifdef CONFIG_IEEE80211R
3102 sm->ft_reassoc_completed = 0;
3103 sm->ft_protocol = 0;
3104 #endif /* CONFIG_IEEE80211R */
3105
3106 /* Keys are not needed in the WPA state machine anymore */
3107 wpa_sm_drop_sa(sm);
3108 sm->keyidx_active = 0;
3109
3110 sm->msg_3_of_4_ok = 0;
3111 os_memset(sm->bssid, 0, ETH_ALEN);
3112 }
3113
3114
3115 /**
3116 * wpa_sm_set_pmk - Set PMK
3117 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3118 * @pmk: The new PMK
3119 * @pmk_len: The length of the new PMK in bytes
3120 * @pmkid: Calculated PMKID
3121 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
3122 *
3123 * Configure the PMK for WPA state machine.
3124 */
wpa_sm_set_pmk(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid)3125 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
3126 const u8 *pmkid, const u8 *bssid)
3127 {
3128 if (sm == NULL)
3129 return;
3130
3131 wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data",
3132 pmk, pmk_len);
3133 sm->pmk_len = pmk_len;
3134 os_memcpy(sm->pmk, pmk, pmk_len);
3135
3136 #ifdef CONFIG_IEEE80211R
3137 /* Set XXKey to be PSK for FT key derivation */
3138 sm->xxkey_len = pmk_len;
3139 os_memcpy(sm->xxkey, pmk, pmk_len);
3140 #endif /* CONFIG_IEEE80211R */
3141
3142 if (bssid) {
3143 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len,
3144 pmkid, NULL, 0, bssid,
3145 sm->own_addr,
3146 sm->network_ctx, sm->key_mgmt,
3147 NULL);
3148 }
3149 }
3150
3151
3152 /**
3153 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
3154 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3155 *
3156 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
3157 * will be cleared.
3158 */
wpa_sm_set_pmk_from_pmksa(struct wpa_sm * sm)3159 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
3160 {
3161 if (sm == NULL)
3162 return;
3163
3164 if (sm->cur_pmksa) {
3165 wpa_hexdump_key(MSG_DEBUG,
3166 "WPA: Set PMK based on current PMKSA",
3167 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len);
3168 sm->pmk_len = sm->cur_pmksa->pmk_len;
3169 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
3170 } else {
3171 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK");
3172 sm->pmk_len = 0;
3173 os_memset(sm->pmk, 0, PMK_LEN_MAX);
3174 }
3175 }
3176
3177
3178 /**
3179 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
3180 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3181 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
3182 */
wpa_sm_set_fast_reauth(struct wpa_sm * sm,int fast_reauth)3183 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
3184 {
3185 if (sm)
3186 sm->fast_reauth = fast_reauth;
3187 }
3188
3189
3190 /**
3191 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
3192 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3193 * @scard_ctx: Context pointer for smartcard related callback functions
3194 */
wpa_sm_set_scard_ctx(struct wpa_sm * sm,void * scard_ctx)3195 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
3196 {
3197 if (sm == NULL)
3198 return;
3199 sm->scard_ctx = scard_ctx;
3200 if (sm->preauth_eapol)
3201 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
3202 }
3203
3204
3205 /**
3206 * wpa_sm_set_config - Notification of current configuration change
3207 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3208 * @config: Pointer to current network configuration
3209 *
3210 * Notify WPA state machine that configuration has changed. config will be
3211 * stored as a backpointer to network configuration. This can be %NULL to clear
3212 * the stored pointed.
3213 */
wpa_sm_set_config(struct wpa_sm * sm,struct rsn_supp_config * config)3214 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
3215 {
3216 if (!sm)
3217 return;
3218
3219 if (config) {
3220 sm->network_ctx = config->network_ctx;
3221 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
3222 sm->proactive_key_caching = config->proactive_key_caching;
3223 sm->eap_workaround = config->eap_workaround;
3224 sm->eap_conf_ctx = config->eap_conf_ctx;
3225 if (config->ssid) {
3226 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
3227 sm->ssid_len = config->ssid_len;
3228 } else
3229 sm->ssid_len = 0;
3230 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
3231 sm->p2p = config->p2p;
3232 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
3233 sm->owe_ptk_workaround = config->owe_ptk_workaround;
3234 sm->force_kdk_derivation = config->force_kdk_derivation;
3235 #ifdef CONFIG_FILS
3236 if (config->fils_cache_id) {
3237 sm->fils_cache_id_set = 1;
3238 os_memcpy(sm->fils_cache_id, config->fils_cache_id,
3239 FILS_CACHE_ID_LEN);
3240 } else {
3241 sm->fils_cache_id_set = 0;
3242 }
3243 #endif /* CONFIG_FILS */
3244 sm->beacon_prot = config->beacon_prot;
3245 } else {
3246 sm->network_ctx = NULL;
3247 sm->allowed_pairwise_cipher = 0;
3248 sm->proactive_key_caching = 0;
3249 sm->eap_workaround = 0;
3250 sm->eap_conf_ctx = NULL;
3251 sm->ssid_len = 0;
3252 sm->wpa_ptk_rekey = 0;
3253 sm->p2p = 0;
3254 sm->wpa_rsc_relaxation = 0;
3255 sm->owe_ptk_workaround = 0;
3256 sm->beacon_prot = 0;
3257 sm->force_kdk_derivation = false;
3258 }
3259 }
3260
3261
3262 /**
3263 * wpa_sm_set_own_addr - Set own MAC address
3264 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3265 * @addr: Own MAC address
3266 */
wpa_sm_set_own_addr(struct wpa_sm * sm,const u8 * addr)3267 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
3268 {
3269 if (sm)
3270 os_memcpy(sm->own_addr, addr, ETH_ALEN);
3271 }
3272
3273
3274 /**
3275 * wpa_sm_set_ifname - Set network interface name
3276 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3277 * @ifname: Interface name
3278 * @bridge_ifname: Optional bridge interface name (for pre-auth)
3279 */
wpa_sm_set_ifname(struct wpa_sm * sm,const char * ifname,const char * bridge_ifname)3280 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
3281 const char *bridge_ifname)
3282 {
3283 if (sm) {
3284 sm->ifname = ifname;
3285 sm->bridge_ifname = bridge_ifname;
3286 }
3287 }
3288
3289
3290 /**
3291 * wpa_sm_set_eapol - Set EAPOL state machine pointer
3292 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3293 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
3294 */
wpa_sm_set_eapol(struct wpa_sm * sm,struct eapol_sm * eapol)3295 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
3296 {
3297 if (sm)
3298 sm->eapol = eapol;
3299 }
3300
3301
3302 /**
3303 * wpa_sm_set_param - Set WPA state machine parameters
3304 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3305 * @param: Parameter field
3306 * @value: Parameter value
3307 * Returns: 0 on success, -1 on failure
3308 */
wpa_sm_set_param(struct wpa_sm * sm,enum wpa_sm_conf_params param,unsigned int value)3309 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
3310 unsigned int value)
3311 {
3312 int ret = 0;
3313
3314 if (sm == NULL)
3315 return -1;
3316
3317 switch (param) {
3318 case RSNA_PMK_LIFETIME:
3319 if (value > 0)
3320 sm->dot11RSNAConfigPMKLifetime = value;
3321 else
3322 ret = -1;
3323 break;
3324 case RSNA_PMK_REAUTH_THRESHOLD:
3325 if (value > 0 && value <= 100)
3326 sm->dot11RSNAConfigPMKReauthThreshold = value;
3327 else
3328 ret = -1;
3329 break;
3330 case RSNA_SA_TIMEOUT:
3331 if (value > 0)
3332 sm->dot11RSNAConfigSATimeout = value;
3333 else
3334 ret = -1;
3335 break;
3336 case WPA_PARAM_PROTO:
3337 sm->proto = value;
3338 break;
3339 case WPA_PARAM_PAIRWISE:
3340 sm->pairwise_cipher = value;
3341 break;
3342 case WPA_PARAM_GROUP:
3343 sm->group_cipher = value;
3344 break;
3345 case WPA_PARAM_KEY_MGMT:
3346 sm->key_mgmt = value;
3347 break;
3348 case WPA_PARAM_MGMT_GROUP:
3349 sm->mgmt_group_cipher = value;
3350 break;
3351 case WPA_PARAM_RSN_ENABLED:
3352 sm->rsn_enabled = value;
3353 break;
3354 case WPA_PARAM_MFP:
3355 sm->mfp = value;
3356 break;
3357 case WPA_PARAM_OCV:
3358 sm->ocv = value;
3359 break;
3360 case WPA_PARAM_SAE_PWE:
3361 sm->sae_pwe = value;
3362 break;
3363 case WPA_PARAM_SAE_PK:
3364 sm->sae_pk = value;
3365 break;
3366 case WPA_PARAM_DENY_PTK0_REKEY:
3367 sm->wpa_deny_ptk0_rekey = value;
3368 break;
3369 case WPA_PARAM_EXT_KEY_ID:
3370 sm->ext_key_id = value;
3371 break;
3372 case WPA_PARAM_USE_EXT_KEY_ID:
3373 sm->use_ext_key_id = value;
3374 break;
3375 #ifdef CONFIG_TESTING_OPTIONS
3376 case WPA_PARAM_FT_RSNXE_USED:
3377 sm->ft_rsnxe_used = value;
3378 break;
3379 case WPA_PARAM_OCI_FREQ_EAPOL:
3380 sm->oci_freq_override_eapol = value;
3381 break;
3382 case WPA_PARAM_OCI_FREQ_EAPOL_G2:
3383 sm->oci_freq_override_eapol_g2 = value;
3384 break;
3385 case WPA_PARAM_OCI_FREQ_FT_ASSOC:
3386 sm->oci_freq_override_ft_assoc = value;
3387 break;
3388 case WPA_PARAM_OCI_FREQ_FILS_ASSOC:
3389 sm->oci_freq_override_fils_assoc = value;
3390 break;
3391 case WPA_PARAM_DISABLE_EAPOL_G2_TX:
3392 sm->disable_eapol_g2_tx = value;
3393 break;
3394 #endif /* CONFIG_TESTING_OPTIONS */
3395 #ifdef CONFIG_DPP2
3396 case WPA_PARAM_DPP_PFS:
3397 sm->dpp_pfs = value;
3398 break;
3399 #endif /* CONFIG_DPP2 */
3400 default:
3401 break;
3402 }
3403
3404 return ret;
3405 }
3406
3407
3408 /**
3409 * wpa_sm_get_status - Get WPA state machine
3410 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3411 * @buf: Buffer for status information
3412 * @buflen: Maximum buffer length
3413 * @verbose: Whether to include verbose status information
3414 * Returns: Number of bytes written to buf.
3415 *
3416 * Query WPA state machine for status information. This function fills in
3417 * a text area with current status information. If the buffer (buf) is not
3418 * large enough, status information will be truncated to fit the buffer.
3419 */
wpa_sm_get_status(struct wpa_sm * sm,char * buf,size_t buflen,int verbose)3420 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
3421 int verbose)
3422 {
3423 char *pos = buf, *end = buf + buflen;
3424 int ret;
3425
3426 ret = os_snprintf(pos, end - pos,
3427 "pairwise_cipher=%s\n"
3428 "group_cipher=%s\n"
3429 "key_mgmt=%s\n",
3430 wpa_cipher_txt(sm->pairwise_cipher),
3431 wpa_cipher_txt(sm->group_cipher),
3432 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
3433 if (os_snprintf_error(end - pos, ret))
3434 return pos - buf;
3435 pos += ret;
3436
3437 #ifdef CONFIG_DPP2
3438 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
3439 ret = os_snprintf(pos, end - pos, "dpp_pfs=1\n");
3440 if (os_snprintf_error(end - pos, ret))
3441 return pos - buf;
3442 pos += ret;
3443 }
3444 #endif /* CONFIG_DPP2 */
3445
3446 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
3447 struct wpa_ie_data rsn;
3448 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
3449 >= 0 &&
3450 rsn.capabilities & (WPA_CAPABILITY_MFPR |
3451 WPA_CAPABILITY_MFPC)) {
3452 ret = os_snprintf(pos, end - pos, "pmf=%d\n"
3453 "mgmt_group_cipher=%s\n",
3454 (rsn.capabilities &
3455 WPA_CAPABILITY_MFPR) ? 2 : 1,
3456 wpa_cipher_txt(
3457 sm->mgmt_group_cipher));
3458 if (os_snprintf_error(end - pos, ret))
3459 return pos - buf;
3460 pos += ret;
3461 }
3462 }
3463
3464 return pos - buf;
3465 }
3466
3467
wpa_sm_pmf_enabled(struct wpa_sm * sm)3468 int wpa_sm_pmf_enabled(struct wpa_sm *sm)
3469 {
3470 struct wpa_ie_data rsn;
3471
3472 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
3473 return 0;
3474
3475 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
3476 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
3477 return 1;
3478
3479 return 0;
3480 }
3481
3482
wpa_sm_ext_key_id(struct wpa_sm * sm)3483 int wpa_sm_ext_key_id(struct wpa_sm *sm)
3484 {
3485 return sm ? sm->ext_key_id : 0;
3486 }
3487
3488
wpa_sm_ext_key_id_active(struct wpa_sm * sm)3489 int wpa_sm_ext_key_id_active(struct wpa_sm *sm)
3490 {
3491 return sm ? sm->use_ext_key_id : 0;
3492 }
3493
3494
wpa_sm_ocv_enabled(struct wpa_sm * sm)3495 int wpa_sm_ocv_enabled(struct wpa_sm *sm)
3496 {
3497 struct wpa_ie_data rsn;
3498
3499 if (!sm->ocv || !sm->ap_rsn_ie)
3500 return 0;
3501
3502 return wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len,
3503 &rsn) >= 0 &&
3504 (rsn.capabilities & WPA_CAPABILITY_OCVC);
3505 }
3506
3507
3508 /**
3509 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
3510 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3511 * @wpa_ie: Pointer to buffer for WPA/RSN IE
3512 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
3513 * Returns: 0 on success, -1 on failure
3514 */
wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm * sm,u8 * wpa_ie,size_t * wpa_ie_len)3515 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
3516 size_t *wpa_ie_len)
3517 {
3518 int res;
3519
3520 if (sm == NULL)
3521 return -1;
3522
3523 #ifdef CONFIG_TESTING_OPTIONS
3524 if (sm->test_assoc_ie) {
3525 wpa_printf(MSG_DEBUG,
3526 "TESTING: Replace association WPA/RSN IE");
3527 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
3528 return -1;
3529 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
3530 wpabuf_len(sm->test_assoc_ie));
3531 res = wpabuf_len(sm->test_assoc_ie);
3532 } else
3533 #endif /* CONFIG_TESTING_OPTIONS */
3534 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
3535 if (res < 0)
3536 return -1;
3537 *wpa_ie_len = res;
3538
3539 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
3540 wpa_ie, *wpa_ie_len);
3541
3542 if (sm->assoc_wpa_ie == NULL) {
3543 /*
3544 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
3545 * the correct version of the IE even if PMKSA caching is
3546 * aborted (which would remove PMKID from IE generation).
3547 */
3548 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
3549 if (sm->assoc_wpa_ie == NULL)
3550 return -1;
3551
3552 sm->assoc_wpa_ie_len = *wpa_ie_len;
3553 } else {
3554 wpa_hexdump(MSG_DEBUG,
3555 "WPA: Leave previously set WPA IE default",
3556 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3557 }
3558
3559 return 0;
3560 }
3561
3562
3563 /**
3564 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
3565 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3566 * @ie: Pointer to IE data (starting from id)
3567 * @len: IE length
3568 * Returns: 0 on success, -1 on failure
3569 *
3570 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
3571 * Request frame. The IE will be used to override the default value generated
3572 * with wpa_sm_set_assoc_wpa_ie_default().
3573 */
wpa_sm_set_assoc_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)3574 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3575 {
3576 if (sm == NULL)
3577 return -1;
3578
3579 os_free(sm->assoc_wpa_ie);
3580 if (ie == NULL || len == 0) {
3581 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3582 "WPA: clearing own WPA/RSN IE");
3583 sm->assoc_wpa_ie = NULL;
3584 sm->assoc_wpa_ie_len = 0;
3585 } else {
3586 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
3587 sm->assoc_wpa_ie = os_memdup(ie, len);
3588 if (sm->assoc_wpa_ie == NULL)
3589 return -1;
3590
3591 sm->assoc_wpa_ie_len = len;
3592 }
3593
3594 return 0;
3595 }
3596
3597
3598 /**
3599 * wpa_sm_set_assoc_rsnxe_default - Generate own RSNXE from configuration
3600 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3601 * @rsnxe: Pointer to buffer for RSNXE
3602 * @rsnxe_len: Pointer to the length of the rsne buffer
3603 * Returns: 0 on success, -1 on failure
3604 */
wpa_sm_set_assoc_rsnxe_default(struct wpa_sm * sm,u8 * rsnxe,size_t * rsnxe_len)3605 int wpa_sm_set_assoc_rsnxe_default(struct wpa_sm *sm, u8 *rsnxe,
3606 size_t *rsnxe_len)
3607 {
3608 int res;
3609
3610 if (!sm)
3611 return -1;
3612
3613 res = wpa_gen_rsnxe(sm, rsnxe, *rsnxe_len);
3614 if (res < 0)
3615 return -1;
3616 *rsnxe_len = res;
3617
3618 wpa_hexdump(MSG_DEBUG, "RSN: Set own RSNXE default", rsnxe, *rsnxe_len);
3619
3620 if (sm->assoc_rsnxe) {
3621 wpa_hexdump(MSG_DEBUG,
3622 "RSN: Leave previously set RSNXE default",
3623 sm->assoc_rsnxe, sm->assoc_rsnxe_len);
3624 } else if (*rsnxe_len > 0) {
3625 /*
3626 * Make a copy of the RSNXE so that 4-Way Handshake gets the
3627 * correct version of the IE even if it gets changed.
3628 */
3629 sm->assoc_rsnxe = os_memdup(rsnxe, *rsnxe_len);
3630 if (!sm->assoc_rsnxe)
3631 return -1;
3632
3633 sm->assoc_rsnxe_len = *rsnxe_len;
3634 }
3635
3636 return 0;
3637 }
3638
3639
3640 /**
3641 * wpa_sm_set_assoc_rsnxe - Set own RSNXE from (Re)AssocReq
3642 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3643 * @ie: Pointer to IE data (starting from id)
3644 * @len: IE length
3645 * Returns: 0 on success, -1 on failure
3646 *
3647 * Inform WPA state machine about the RSNXE used in (Re)Association Request
3648 * frame. The IE will be used to override the default value generated
3649 * with wpa_sm_set_assoc_rsnxe_default().
3650 */
wpa_sm_set_assoc_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)3651 int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
3652 {
3653 if (!sm)
3654 return -1;
3655
3656 os_free(sm->assoc_rsnxe);
3657 if (!ie || len == 0) {
3658 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3659 "RSN: clearing own RSNXE");
3660 sm->assoc_rsnxe = NULL;
3661 sm->assoc_rsnxe_len = 0;
3662 } else {
3663 wpa_hexdump(MSG_DEBUG, "RSN: set own RSNXE", ie, len);
3664 sm->assoc_rsnxe = os_memdup(ie, len);
3665 if (!sm->assoc_rsnxe)
3666 return -1;
3667
3668 sm->assoc_rsnxe_len = len;
3669 }
3670
3671 return 0;
3672 }
3673
3674
3675 /**
3676 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
3677 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3678 * @ie: Pointer to IE data (starting from id)
3679 * @len: IE length
3680 * Returns: 0 on success, -1 on failure
3681 *
3682 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
3683 * frame.
3684 */
wpa_sm_set_ap_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)3685 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3686 {
3687 if (sm == NULL)
3688 return -1;
3689
3690 os_free(sm->ap_wpa_ie);
3691 if (ie == NULL || len == 0) {
3692 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3693 "WPA: clearing AP WPA IE");
3694 sm->ap_wpa_ie = NULL;
3695 sm->ap_wpa_ie_len = 0;
3696 } else {
3697 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
3698 sm->ap_wpa_ie = os_memdup(ie, len);
3699 if (sm->ap_wpa_ie == NULL)
3700 return -1;
3701
3702 sm->ap_wpa_ie_len = len;
3703 }
3704
3705 return 0;
3706 }
3707
3708
3709 /**
3710 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
3711 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3712 * @ie: Pointer to IE data (starting from id)
3713 * @len: IE length
3714 * Returns: 0 on success, -1 on failure
3715 *
3716 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
3717 * frame.
3718 */
wpa_sm_set_ap_rsn_ie(struct wpa_sm * sm,const u8 * ie,size_t len)3719 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3720 {
3721 if (sm == NULL)
3722 return -1;
3723
3724 os_free(sm->ap_rsn_ie);
3725 if (ie == NULL || len == 0) {
3726 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3727 "WPA: clearing AP RSN IE");
3728 sm->ap_rsn_ie = NULL;
3729 sm->ap_rsn_ie_len = 0;
3730 } else {
3731 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
3732 sm->ap_rsn_ie = os_memdup(ie, len);
3733 if (sm->ap_rsn_ie == NULL)
3734 return -1;
3735
3736 sm->ap_rsn_ie_len = len;
3737 }
3738
3739 return 0;
3740 }
3741
3742
3743 /**
3744 * wpa_sm_set_ap_rsnxe - Set AP RSNXE from Beacon/ProbeResp
3745 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3746 * @ie: Pointer to IE data (starting from id)
3747 * @len: IE length
3748 * Returns: 0 on success, -1 on failure
3749 *
3750 * Inform WPA state machine about the RSNXE used in Beacon / Probe Response
3751 * frame.
3752 */
wpa_sm_set_ap_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)3753 int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
3754 {
3755 if (!sm)
3756 return -1;
3757
3758 os_free(sm->ap_rsnxe);
3759 if (!ie || len == 0) {
3760 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE");
3761 sm->ap_rsnxe = NULL;
3762 sm->ap_rsnxe_len = 0;
3763 } else {
3764 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len);
3765 sm->ap_rsnxe = os_memdup(ie, len);
3766 if (!sm->ap_rsnxe)
3767 return -1;
3768
3769 sm->ap_rsnxe_len = len;
3770 }
3771
3772 return 0;
3773 }
3774
3775
3776 /**
3777 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
3778 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3779 * @data: Pointer to data area for parsing results
3780 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
3781 *
3782 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
3783 * parsed data into data.
3784 */
wpa_sm_parse_own_wpa_ie(struct wpa_sm * sm,struct wpa_ie_data * data)3785 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
3786 {
3787 if (sm == NULL)
3788 return -1;
3789
3790 if (sm->assoc_wpa_ie == NULL) {
3791 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3792 "WPA: No WPA/RSN IE available from association info");
3793 return -1;
3794 }
3795 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
3796 return -2;
3797 return 0;
3798 }
3799
3800
wpa_sm_pmksa_cache_list(struct wpa_sm * sm,char * buf,size_t len)3801 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
3802 {
3803 return pmksa_cache_list(sm->pmksa, buf, len);
3804 }
3805
3806
wpa_sm_pmksa_cache_head(struct wpa_sm * sm)3807 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
3808 {
3809 return pmksa_cache_head(sm->pmksa);
3810 }
3811
3812
3813 struct rsn_pmksa_cache_entry *
wpa_sm_pmksa_cache_add_entry(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)3814 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
3815 struct rsn_pmksa_cache_entry * entry)
3816 {
3817 return pmksa_cache_add_entry(sm->pmksa, entry);
3818 }
3819
3820
wpa_sm_pmksa_cache_add(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid,const u8 * fils_cache_id)3821 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
3822 const u8 *pmkid, const u8 *bssid,
3823 const u8 *fils_cache_id)
3824 {
3825 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
3826 bssid, sm->own_addr, sm->network_ctx,
3827 sm->key_mgmt, fils_cache_id);
3828 }
3829
3830
wpa_sm_pmksa_exists(struct wpa_sm * sm,const u8 * bssid,const void * network_ctx)3831 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid,
3832 const void *network_ctx)
3833 {
3834 return pmksa_cache_get(sm->pmksa, bssid, NULL, network_ctx, 0) != NULL;
3835 }
3836
3837
wpa_sm_pmksa_cache_get(struct wpa_sm * sm,const u8 * aa,const u8 * pmkid,const void * network_ctx,int akmp)3838 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_get(struct wpa_sm *sm,
3839 const u8 *aa,
3840 const u8 *pmkid,
3841 const void *network_ctx,
3842 int akmp)
3843 {
3844 return pmksa_cache_get(sm->pmksa, aa, pmkid, network_ctx, akmp);
3845 }
3846
3847
wpa_sm_drop_sa(struct wpa_sm * sm)3848 void wpa_sm_drop_sa(struct wpa_sm *sm)
3849 {
3850 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
3851 sm->ptk_set = 0;
3852 sm->tptk_set = 0;
3853 sm->pmk_len = 0;
3854 os_memset(sm->pmk, 0, sizeof(sm->pmk));
3855 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
3856 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3857 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
3858 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
3859 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
3860 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
3861 #ifdef CONFIG_IEEE80211R
3862 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
3863 sm->xxkey_len = 0;
3864 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
3865 sm->pmk_r0_len = 0;
3866 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
3867 sm->pmk_r1_len = 0;
3868 #ifdef CONFIG_PASN
3869 os_free(sm->pasn_r1kh);
3870 sm->pasn_r1kh = NULL;
3871 sm->n_pasn_r1kh = 0;
3872 #endif /* CONFIG_PASN */
3873 #endif /* CONFIG_IEEE80211R */
3874 }
3875
3876
wpa_sm_has_ptk(struct wpa_sm * sm)3877 int wpa_sm_has_ptk(struct wpa_sm *sm)
3878 {
3879 if (sm == NULL)
3880 return 0;
3881 return sm->ptk_set;
3882 }
3883
3884
wpa_sm_has_ptk_installed(struct wpa_sm * sm)3885 int wpa_sm_has_ptk_installed(struct wpa_sm *sm)
3886 {
3887 if (!sm)
3888 return 0;
3889 return sm->ptk.installed;
3890 }
3891
3892
wpa_sm_update_replay_ctr(struct wpa_sm * sm,const u8 * replay_ctr)3893 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
3894 {
3895 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
3896 }
3897
3898
wpa_sm_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)3899 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
3900 {
3901 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, false);
3902 }
3903
3904
wpa_sm_external_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)3905 void wpa_sm_external_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
3906 {
3907 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, true);
3908 }
3909
3910 #if defined(CONFIG_DRIVER_NL80211_BRCM) || defined(CONFIG_DRIVER_NL80211_SYNA)
wpa_sm_install_pmk(struct wpa_sm * sm)3911 void wpa_sm_install_pmk(struct wpa_sm *sm)
3912 {
3913 /* In case the driver wants to handle re-assocs, pass it down the PMK. */
3914 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->pairwise_cipher), NULL, 0, 0, NULL, 0,
3915 (u8*)sm->pmk, sm->pmk_len, KEY_FLAG_PMK) < 0) {
3916 wpa_hexdump(MSG_DEBUG, "PSK: Install PMK to the driver for driver reassociations",
3917 (u8*)sm->pmk, sm->pmk_len);
3918 /* No harm if the driver doesn't support. */
3919 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
3920 "WPA: Failed to set PMK to the driver");
3921 }
3922 }
3923
wpa_sm_notify_brcm_ft_reassoc(struct wpa_sm * sm,const u8 * bssid)3924 void wpa_sm_notify_brcm_ft_reassoc(struct wpa_sm *sm, const u8 *bssid)
3925 {
3926 u8 buf[256];
3927 struct wpa_supplicant *wpa_s = sm->ctx->ctx;
3928
3929 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3930 "WPA: BRCM FT Reassociation event - clear replay counter");
3931 os_memcpy(sm->bssid, bssid, ETH_ALEN);
3932 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
3933 sm->rx_replay_counter_set = 0;
3934
3935 if (wpa_drv_driver_cmd(wpa_s, "GET_FTKEY", (char *)buf, sizeof(buf)) < 0) {
3936 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
3937 "WPA: Failed to get FT KEY information");
3938 wpa_supplicant_deauthenticate(
3939 wpa_s, WLAN_REASON_DEAUTH_LEAVING);
3940
3941 } else {
3942 /* update kck and kek */
3943 os_memcpy(sm->ptk.kck, buf, 16);
3944 os_memcpy(sm->ptk.kek, buf + 16, 16);
3945 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3946 "WPA: Updated KCK and KEK after FT reassoc");
3947 }
3948 }
3949 #endif /* CONFIG_DRIVER_NL80211_BRCM || CONFIG_DRIVER_NL80211_SYNA */
3950
3951
3952 #ifdef CONFIG_WNM
wpa_wnmsleep_install_key(struct wpa_sm * sm,u8 subelem_id,u8 * buf)3953 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
3954 {
3955 u16 keyinfo;
3956 u8 keylen; /* plaintext key len */
3957 u8 *key_rsc;
3958
3959 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
3960 struct wpa_gtk_data gd;
3961
3962 os_memset(&gd, 0, sizeof(gd));
3963 keylen = wpa_cipher_key_len(sm->group_cipher);
3964 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
3965 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
3966 if (gd.alg == WPA_ALG_NONE) {
3967 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
3968 return -1;
3969 }
3970
3971 key_rsc = buf + 5;
3972 keyinfo = WPA_GET_LE16(buf + 2);
3973 gd.gtk_len = keylen;
3974 if (gd.gtk_len != buf[4]) {
3975 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
3976 gd.gtk_len, buf[4]);
3977 return -1;
3978 }
3979 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
3980 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
3981 sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
3982
3983 os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
3984
3985 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
3986 gd.gtk, gd.gtk_len);
3987 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
3988 forced_memzero(&gd, sizeof(gd));
3989 wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
3990 "WNM mode");
3991 return -1;
3992 }
3993 forced_memzero(&gd, sizeof(gd));
3994 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
3995 const struct wpa_igtk_kde *igtk;
3996
3997 igtk = (const struct wpa_igtk_kde *) (buf + 2);
3998 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
3999 return -1;
4000 } else if (subelem_id == WNM_SLEEP_SUBELEM_BIGTK) {
4001 const struct wpa_bigtk_kde *bigtk;
4002
4003 bigtk = (const struct wpa_bigtk_kde *) (buf + 2);
4004 if (sm->beacon_prot &&
4005 wpa_supplicant_install_bigtk(sm, bigtk, 1) < 0)
4006 return -1;
4007 } else {
4008 wpa_printf(MSG_DEBUG, "Unknown element id");
4009 return -1;
4010 }
4011
4012 return 0;
4013 }
4014 #endif /* CONFIG_WNM */
4015
4016
4017 #ifdef CONFIG_P2P
4018
wpa_sm_get_p2p_ip_addr(struct wpa_sm * sm,u8 * buf)4019 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
4020 {
4021 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
4022 return -1;
4023 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
4024 return 0;
4025 }
4026
4027 #endif /* CONFIG_P2P */
4028
4029
wpa_sm_set_rx_replay_ctr(struct wpa_sm * sm,const u8 * rx_replay_counter)4030 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
4031 {
4032 if (rx_replay_counter == NULL)
4033 return;
4034
4035 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
4036 WPA_REPLAY_COUNTER_LEN);
4037 sm->rx_replay_counter_set = 1;
4038 wpa_printf(MSG_DEBUG, "Updated key replay counter");
4039 }
4040
4041
wpa_sm_set_ptk_kck_kek(struct wpa_sm * sm,const u8 * ptk_kck,size_t ptk_kck_len,const u8 * ptk_kek,size_t ptk_kek_len)4042 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
4043 const u8 *ptk_kck, size_t ptk_kck_len,
4044 const u8 *ptk_kek, size_t ptk_kek_len)
4045 {
4046 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
4047 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
4048 sm->ptk.kck_len = ptk_kck_len;
4049 wpa_printf(MSG_DEBUG, "Updated PTK KCK");
4050 }
4051 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
4052 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
4053 sm->ptk.kek_len = ptk_kek_len;
4054 wpa_printf(MSG_DEBUG, "Updated PTK KEK");
4055 }
4056 sm->ptk_set = 1;
4057 }
4058
4059
4060 #ifdef CONFIG_TESTING_OPTIONS
4061
wpa_sm_set_test_assoc_ie(struct wpa_sm * sm,struct wpabuf * buf)4062 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
4063 {
4064 wpabuf_free(sm->test_assoc_ie);
4065 sm->test_assoc_ie = buf;
4066 }
4067
4068
wpa_sm_get_anonce(struct wpa_sm * sm)4069 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm)
4070 {
4071 return sm->anonce;
4072 }
4073
4074 #endif /* CONFIG_TESTING_OPTIONS */
4075
4076
wpa_sm_get_key_mgmt(struct wpa_sm * sm)4077 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm)
4078 {
4079 return sm->key_mgmt;
4080 }
4081
4082
4083 #ifdef CONFIG_FILS
4084
fils_build_auth(struct wpa_sm * sm,int dh_group,const u8 * md)4085 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md)
4086 {
4087 struct wpabuf *buf = NULL;
4088 struct wpabuf *erp_msg;
4089 struct wpabuf *pub = NULL;
4090
4091 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
4092 if (!erp_msg && !sm->cur_pmksa) {
4093 wpa_printf(MSG_DEBUG,
4094 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
4095 goto fail;
4096 }
4097
4098 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
4099 erp_msg != NULL, sm->cur_pmksa != NULL);
4100
4101 sm->fils_completed = 0;
4102
4103 if (!sm->assoc_wpa_ie) {
4104 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
4105 goto fail;
4106 }
4107
4108 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
4109 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
4110 goto fail;
4111
4112 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
4113 sm->fils_nonce, FILS_NONCE_LEN);
4114 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
4115 sm->fils_session, FILS_SESSION_LEN);
4116
4117 #ifdef CONFIG_FILS_SK_PFS
4118 sm->fils_dh_group = dh_group;
4119 if (dh_group) {
4120 crypto_ecdh_deinit(sm->fils_ecdh);
4121 sm->fils_ecdh = crypto_ecdh_init(dh_group);
4122 if (!sm->fils_ecdh) {
4123 wpa_printf(MSG_INFO,
4124 "FILS: Could not initialize ECDH with group %d",
4125 dh_group);
4126 goto fail;
4127 }
4128 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
4129 if (!pub)
4130 goto fail;
4131 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)",
4132 pub);
4133 sm->fils_dh_elem_len = wpabuf_len(pub);
4134 }
4135 #endif /* CONFIG_FILS_SK_PFS */
4136
4137 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
4138 (pub ? wpabuf_len(pub) : 0));
4139 if (!buf)
4140 goto fail;
4141
4142 /* Fields following the Authentication algorithm number field */
4143
4144 /* Authentication Transaction seq# */
4145 wpabuf_put_le16(buf, 1);
4146
4147 /* Status Code */
4148 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
4149
4150 /* TODO: FILS PK */
4151 #ifdef CONFIG_FILS_SK_PFS
4152 if (dh_group) {
4153 /* Finite Cyclic Group */
4154 wpabuf_put_le16(buf, dh_group);
4155 /* Element */
4156 wpabuf_put_buf(buf, pub);
4157 }
4158 #endif /* CONFIG_FILS_SK_PFS */
4159
4160 /* RSNE */
4161 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
4162 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
4163 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
4164
4165 if (md) {
4166 /* MDE when using FILS for FT initial association */
4167 struct rsn_mdie *mdie;
4168
4169 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN);
4170 wpabuf_put_u8(buf, sizeof(*mdie));
4171 mdie = wpabuf_put(buf, sizeof(*mdie));
4172 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
4173 mdie->ft_capab = 0;
4174 }
4175
4176 /* FILS Nonce */
4177 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4178 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
4179 /* Element ID Extension */
4180 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
4181 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
4182
4183 /* FILS Session */
4184 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4185 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
4186 /* Element ID Extension */
4187 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
4188 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
4189
4190 /* Wrapped Data */
4191 sm->fils_erp_pmkid_set = 0;
4192 if (erp_msg) {
4193 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4194 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
4195 /* Element ID Extension */
4196 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
4197 wpabuf_put_buf(buf, erp_msg);
4198 /* Calculate pending PMKID here so that we do not need to
4199 * maintain a copy of the EAP-Initiate/Reauth message. */
4200 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
4201 wpabuf_len(erp_msg),
4202 sm->fils_erp_pmkid) == 0)
4203 sm->fils_erp_pmkid_set = 1;
4204 }
4205
4206 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
4207 buf);
4208
4209 fail:
4210 wpabuf_free(erp_msg);
4211 wpabuf_free(pub);
4212 return buf;
4213 }
4214
4215
fils_process_auth(struct wpa_sm * sm,const u8 * bssid,const u8 * data,size_t len)4216 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
4217 size_t len)
4218 {
4219 const u8 *pos, *end;
4220 struct ieee802_11_elems elems;
4221 struct wpa_ie_data rsn;
4222 int pmkid_match = 0;
4223 u8 ick[FILS_ICK_MAX_LEN];
4224 size_t ick_len;
4225 int res;
4226 struct wpabuf *dh_ss = NULL;
4227 const u8 *g_sta = NULL;
4228 size_t g_sta_len = 0;
4229 const u8 *g_ap = NULL;
4230 size_t g_ap_len = 0, kdk_len;
4231 struct wpabuf *pub = NULL;
4232
4233 os_memcpy(sm->bssid, bssid, ETH_ALEN);
4234
4235 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
4236 data, len);
4237 pos = data;
4238 end = data + len;
4239
4240 /* TODO: FILS PK */
4241 #ifdef CONFIG_FILS_SK_PFS
4242 if (sm->fils_dh_group) {
4243 u16 group;
4244
4245 /* Using FILS PFS */
4246
4247 /* Finite Cyclic Group */
4248 if (end - pos < 2) {
4249 wpa_printf(MSG_DEBUG,
4250 "FILS: No room for Finite Cyclic Group");
4251 goto fail;
4252 }
4253 group = WPA_GET_LE16(pos);
4254 pos += 2;
4255 if (group != sm->fils_dh_group) {
4256 wpa_printf(MSG_DEBUG,
4257 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
4258 group, sm->fils_dh_group);
4259 goto fail;
4260 }
4261
4262 /* Element */
4263 if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
4264 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
4265 goto fail;
4266 }
4267
4268 if (!sm->fils_ecdh) {
4269 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available");
4270 goto fail;
4271 }
4272 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
4273 sm->fils_dh_elem_len);
4274 if (!dh_ss) {
4275 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
4276 goto fail;
4277 }
4278 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss);
4279 g_ap = pos;
4280 g_ap_len = sm->fils_dh_elem_len;
4281 pos += sm->fils_dh_elem_len;
4282 }
4283 #endif /* CONFIG_FILS_SK_PFS */
4284
4285 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
4286 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
4287 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
4288 goto fail;
4289 }
4290
4291 /* RSNE */
4292 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
4293 elems.rsn_ie_len);
4294 if (!elems.rsn_ie ||
4295 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
4296 &rsn) < 0) {
4297 wpa_printf(MSG_DEBUG, "FILS: No RSN element");
4298 goto fail;
4299 }
4300
4301 if (!elems.fils_nonce) {
4302 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
4303 goto fail;
4304 }
4305 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
4306 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
4307
4308 #ifdef CONFIG_IEEE80211R
4309 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
4310 struct wpa_ft_ies parse;
4311
4312 if (!elems.mdie || !elems.ftie) {
4313 wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE");
4314 goto fail;
4315 }
4316
4317 if (wpa_ft_parse_ies(pos, end - pos, &parse,
4318 wpa_key_mgmt_sha384(sm->key_mgmt)) < 0) {
4319 wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs");
4320 goto fail;
4321 }
4322
4323 if (!parse.r0kh_id) {
4324 wpa_printf(MSG_DEBUG,
4325 "FILS+FT: No R0KH-ID subelem in FTE");
4326 goto fail;
4327 }
4328 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
4329 sm->r0kh_id_len = parse.r0kh_id_len;
4330 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
4331 sm->r0kh_id, sm->r0kh_id_len);
4332
4333 if (!parse.r1kh_id) {
4334 wpa_printf(MSG_DEBUG,
4335 "FILS+FT: No R1KH-ID subelem in FTE");
4336 goto fail;
4337 }
4338 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
4339 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID",
4340 sm->r1kh_id, FT_R1KH_ID_LEN);
4341
4342 /* TODO: Check MDE and FTE payload */
4343
4344 wpabuf_free(sm->fils_ft_ies);
4345 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len +
4346 2 + elems.ftie_len);
4347 if (!sm->fils_ft_ies)
4348 goto fail;
4349 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2,
4350 2 + elems.mdie_len);
4351 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2,
4352 2 + elems.ftie_len);
4353 } else {
4354 wpabuf_free(sm->fils_ft_ies);
4355 sm->fils_ft_ies = NULL;
4356 }
4357 #endif /* CONFIG_IEEE80211R */
4358
4359 /* PMKID List */
4360 if (rsn.pmkid && rsn.num_pmkid > 0) {
4361 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
4362 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
4363
4364 if (rsn.num_pmkid != 1) {
4365 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
4366 goto fail;
4367 }
4368 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
4369 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
4370 {
4371 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
4372 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
4373 sm->cur_pmksa->pmkid, PMKID_LEN);
4374 goto fail;
4375 }
4376 wpa_printf(MSG_DEBUG,
4377 "FILS: Matching PMKID - continue using PMKSA caching");
4378 pmkid_match = 1;
4379 }
4380 if (!pmkid_match && sm->cur_pmksa) {
4381 wpa_printf(MSG_DEBUG,
4382 "FILS: No PMKID match - cannot use cached PMKSA entry");
4383 sm->cur_pmksa = NULL;
4384 }
4385
4386 /* FILS Session */
4387 if (!elems.fils_session) {
4388 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
4389 goto fail;
4390 }
4391 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
4392 FILS_SESSION_LEN);
4393 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
4394 != 0) {
4395 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
4396 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
4397 sm->fils_session, FILS_SESSION_LEN);
4398 goto fail;
4399 }
4400
4401 /* Wrapped Data */
4402 if (!sm->cur_pmksa && elems.wrapped_data) {
4403 u8 rmsk[ERP_MAX_KEY_LEN];
4404 size_t rmsk_len;
4405
4406 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
4407 elems.wrapped_data,
4408 elems.wrapped_data_len);
4409 eapol_sm_process_erp_finish(sm->eapol, elems.wrapped_data,
4410 elems.wrapped_data_len);
4411 if (eapol_sm_failed(sm->eapol))
4412 goto fail;
4413
4414 rmsk_len = ERP_MAX_KEY_LEN;
4415 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
4416 if (res == PMK_LEN) {
4417 rmsk_len = PMK_LEN;
4418 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
4419 }
4420 if (res)
4421 goto fail;
4422
4423 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
4424 sm->fils_nonce, sm->fils_anonce,
4425 dh_ss ? wpabuf_head(dh_ss) : NULL,
4426 dh_ss ? wpabuf_len(dh_ss) : 0,
4427 sm->pmk, &sm->pmk_len);
4428 forced_memzero(rmsk, sizeof(rmsk));
4429
4430 /* Don't use DHss in PTK derivation if PMKSA caching is not
4431 * used. */
4432 wpabuf_clear_free(dh_ss);
4433 dh_ss = NULL;
4434
4435 if (res)
4436 goto fail;
4437
4438 if (!sm->fils_erp_pmkid_set) {
4439 wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
4440 goto fail;
4441 }
4442 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
4443 PMKID_LEN);
4444 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
4445 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
4446 sm->fils_erp_pmkid, NULL, 0,
4447 sm->bssid, sm->own_addr,
4448 sm->network_ctx, sm->key_mgmt,
4449 NULL);
4450 }
4451
4452 if (!sm->cur_pmksa) {
4453 wpa_printf(MSG_DEBUG,
4454 "FILS: No remaining options to continue FILS authentication");
4455 goto fail;
4456 }
4457
4458 if (sm->force_kdk_derivation ||
4459 (sm->secure_ltf &&
4460 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
4461 kdk_len = WPA_KDK_MAX_LEN;
4462 else
4463 kdk_len = 0;
4464
4465 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid,
4466 sm->fils_nonce, sm->fils_anonce,
4467 dh_ss ? wpabuf_head(dh_ss) : NULL,
4468 dh_ss ? wpabuf_len(dh_ss) : 0,
4469 &sm->ptk, ick, &ick_len,
4470 sm->key_mgmt, sm->pairwise_cipher,
4471 sm->fils_ft, &sm->fils_ft_len,
4472 kdk_len) < 0) {
4473 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
4474 goto fail;
4475 }
4476
4477 wpabuf_clear_free(dh_ss);
4478 dh_ss = NULL;
4479
4480 sm->ptk_set = 1;
4481 sm->tptk_set = 0;
4482 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
4483
4484 #ifdef CONFIG_FILS_SK_PFS
4485 if (sm->fils_dh_group) {
4486 if (!sm->fils_ecdh) {
4487 wpa_printf(MSG_INFO, "FILS: ECDH not initialized");
4488 goto fail;
4489 }
4490 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
4491 if (!pub)
4492 goto fail;
4493 wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub);
4494 g_sta = wpabuf_head(pub);
4495 g_sta_len = wpabuf_len(pub);
4496 if (!g_ap) {
4497 wpa_printf(MSG_INFO, "FILS: gAP not available");
4498 goto fail;
4499 }
4500 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
4501 }
4502 #endif /* CONFIG_FILS_SK_PFS */
4503
4504 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
4505 sm->fils_anonce, sm->own_addr, sm->bssid,
4506 g_sta, g_sta_len, g_ap, g_ap_len,
4507 sm->key_mgmt, sm->fils_key_auth_sta,
4508 sm->fils_key_auth_ap,
4509 &sm->fils_key_auth_len);
4510 wpabuf_free(pub);
4511 forced_memzero(ick, sizeof(ick));
4512 return res;
4513 fail:
4514 wpabuf_free(pub);
4515 wpabuf_clear_free(dh_ss);
4516 return -1;
4517 }
4518
4519
4520 #ifdef CONFIG_IEEE80211R
fils_ft_build_assoc_req_rsne(struct wpa_sm * sm,struct wpabuf * buf)4521 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf)
4522 {
4523 struct rsn_ie_hdr *rsnie;
4524 u16 capab;
4525 u8 *pos;
4526 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
4527
4528 /* RSNIE[PMKR0Name/PMKR1Name] */
4529 rsnie = wpabuf_put(buf, sizeof(*rsnie));
4530 rsnie->elem_id = WLAN_EID_RSN;
4531 WPA_PUT_LE16(rsnie->version, RSN_VERSION);
4532
4533 /* Group Suite Selector */
4534 if (!wpa_cipher_valid_group(sm->group_cipher)) {
4535 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
4536 sm->group_cipher);
4537 return -1;
4538 }
4539 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4540 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
4541 sm->group_cipher));
4542
4543 /* Pairwise Suite Count */
4544 wpabuf_put_le16(buf, 1);
4545
4546 /* Pairwise Suite List */
4547 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
4548 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
4549 sm->pairwise_cipher);
4550 return -1;
4551 }
4552 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4553 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
4554 sm->pairwise_cipher));
4555
4556 /* Authenticated Key Management Suite Count */
4557 wpabuf_put_le16(buf, 1);
4558
4559 /* Authenticated Key Management Suite List */
4560 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4561 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
4562 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
4563 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384)
4564 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
4565 else {
4566 wpa_printf(MSG_WARNING,
4567 "FILS+FT: Invalid key management type (%d)",
4568 sm->key_mgmt);
4569 return -1;
4570 }
4571
4572 /* RSN Capabilities */
4573 capab = 0;
4574 if (sm->mfp)
4575 capab |= WPA_CAPABILITY_MFPC;
4576 if (sm->mfp == 2)
4577 capab |= WPA_CAPABILITY_MFPR;
4578 if (sm->ocv)
4579 capab |= WPA_CAPABILITY_OCVC;
4580 if (sm->ext_key_id)
4581 capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST;
4582 wpabuf_put_le16(buf, capab);
4583
4584 /* PMKID Count */
4585 wpabuf_put_le16(buf, 1);
4586
4587 /* PMKID List [PMKR1Name] */
4588 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)",
4589 sm->fils_ft, sm->fils_ft_len);
4590 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len);
4591 wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID",
4592 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
4593 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
4594 sm->r0kh_id, sm->r0kh_id_len);
4595 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid,
4596 sm->ssid_len, sm->mobility_domain,
4597 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
4598 sm->pmk_r0, sm->pmk_r0_name, use_sha384) < 0) {
4599 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0");
4600 return -1;
4601 }
4602 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
4603 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR,
4604 MAC2STR(sm->r1kh_id));
4605 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
4606 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
4607 sm->pmk_r1_name, use_sha384) < 0) {
4608 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
4609 return -1;
4610 }
4611 os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN);
4612
4613 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
4614 /* Management Group Cipher Suite */
4615 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4616 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
4617 }
4618
4619 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2;
4620 return 0;
4621 }
4622 #endif /* CONFIG_IEEE80211R */
4623
4624
fils_build_assoc_req(struct wpa_sm * sm,const u8 ** kek,size_t * kek_len,const u8 ** snonce,const u8 ** anonce,const struct wpabuf ** hlp,unsigned int num_hlp)4625 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
4626 size_t *kek_len, const u8 **snonce,
4627 const u8 **anonce,
4628 const struct wpabuf **hlp,
4629 unsigned int num_hlp)
4630 {
4631 struct wpabuf *buf;
4632 size_t len;
4633 unsigned int i;
4634
4635 len = 1000;
4636 #ifdef CONFIG_IEEE80211R
4637 if (sm->fils_ft_ies)
4638 len += wpabuf_len(sm->fils_ft_ies);
4639 if (wpa_key_mgmt_ft(sm->key_mgmt))
4640 len += 256;
4641 #endif /* CONFIG_IEEE80211R */
4642 for (i = 0; hlp && i < num_hlp; i++)
4643 len += 10 + wpabuf_len(hlp[i]);
4644 buf = wpabuf_alloc(len);
4645 if (!buf)
4646 return NULL;
4647
4648 #ifdef CONFIG_IEEE80211R
4649 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
4650 /* MDE and FTE when using FILS+FT */
4651 wpabuf_put_buf(buf, sm->fils_ft_ies);
4652 /* RSNE with PMKR1Name in PMKID field */
4653 if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) {
4654 wpabuf_free(buf);
4655 return NULL;
4656 }
4657 }
4658 #endif /* CONFIG_IEEE80211R */
4659
4660 /* FILS Session */
4661 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4662 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
4663 /* Element ID Extension */
4664 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
4665 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
4666
4667 /* Everything after FILS Session element gets encrypted in the driver
4668 * with KEK. The buffer returned from here is the plaintext version. */
4669
4670 /* TODO: FILS Public Key */
4671
4672 /* FILS Key Confirm */
4673 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4674 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
4675 /* Element ID Extension */
4676 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
4677 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
4678
4679 /* FILS HLP Container */
4680 for (i = 0; hlp && i < num_hlp; i++) {
4681 const u8 *pos = wpabuf_head(hlp[i]);
4682 size_t left = wpabuf_len(hlp[i]);
4683
4684 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4685 if (left <= 254)
4686 len = 1 + left;
4687 else
4688 len = 255;
4689 wpabuf_put_u8(buf, len); /* Length */
4690 /* Element ID Extension */
4691 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
4692 /* Destination MAC Address, Source MAC Address, HLP Packet.
4693 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
4694 * header when LPD is used). */
4695 wpabuf_put_data(buf, pos, len - 1);
4696 pos += len - 1;
4697 left -= len - 1;
4698 while (left) {
4699 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
4700 len = left > 255 ? 255 : left;
4701 wpabuf_put_u8(buf, len);
4702 wpabuf_put_data(buf, pos, len);
4703 pos += len;
4704 left -= len;
4705 }
4706 }
4707
4708 /* TODO: FILS IP Address Assignment */
4709
4710 #ifdef CONFIG_OCV
4711 if (wpa_sm_ocv_enabled(sm)) {
4712 struct wpa_channel_info ci;
4713 u8 *pos;
4714
4715 if (wpa_sm_channel_info(sm, &ci) != 0) {
4716 wpa_printf(MSG_WARNING,
4717 "FILS: Failed to get channel info for OCI element");
4718 wpabuf_free(buf);
4719 return NULL;
4720 }
4721 #ifdef CONFIG_TESTING_OPTIONS
4722 if (sm->oci_freq_override_fils_assoc) {
4723 wpa_printf(MSG_INFO,
4724 "TEST: Override OCI KDE frequency %d -> %d MHz",
4725 ci.frequency,
4726 sm->oci_freq_override_fils_assoc);
4727 ci.frequency = sm->oci_freq_override_fils_assoc;
4728 }
4729 #endif /* CONFIG_TESTING_OPTIONS */
4730
4731 pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN);
4732 if (ocv_insert_extended_oci(&ci, pos) < 0) {
4733 wpabuf_free(buf);
4734 return NULL;
4735 }
4736 }
4737 #endif /* CONFIG_OCV */
4738
4739 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
4740
4741 *kek = sm->ptk.kek;
4742 *kek_len = sm->ptk.kek_len;
4743 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
4744 *snonce = sm->fils_nonce;
4745 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
4746 *snonce, FILS_NONCE_LEN);
4747 *anonce = sm->fils_anonce;
4748 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
4749 *anonce, FILS_NONCE_LEN);
4750
4751 return buf;
4752 }
4753
4754
fils_process_hlp_resp(struct wpa_sm * sm,const u8 * resp,size_t len)4755 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
4756 {
4757 const u8 *pos, *end;
4758
4759 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
4760 if (len < 2 * ETH_ALEN)
4761 return;
4762 pos = resp + 2 * ETH_ALEN;
4763 end = resp + len;
4764 if (end - pos >= 6 &&
4765 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
4766 pos += 6; /* Remove SNAP/LLC header */
4767 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
4768 }
4769
4770
fils_process_hlp_container(struct wpa_sm * sm,const u8 * pos,size_t len)4771 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
4772 size_t len)
4773 {
4774 const u8 *end = pos + len;
4775 u8 *tmp, *tmp_pos;
4776
4777 /* Check if there are any FILS HLP Container elements */
4778 while (end - pos >= 2) {
4779 if (2 + pos[1] > end - pos)
4780 return;
4781 if (pos[0] == WLAN_EID_EXTENSION &&
4782 pos[1] >= 1 + 2 * ETH_ALEN &&
4783 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
4784 break;
4785 pos += 2 + pos[1];
4786 }
4787 if (end - pos < 2)
4788 return; /* No FILS HLP Container elements */
4789
4790 tmp = os_malloc(end - pos);
4791 if (!tmp)
4792 return;
4793
4794 while (end - pos >= 2) {
4795 if (2 + pos[1] > end - pos ||
4796 pos[0] != WLAN_EID_EXTENSION ||
4797 pos[1] < 1 + 2 * ETH_ALEN ||
4798 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
4799 break;
4800 tmp_pos = tmp;
4801 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
4802 tmp_pos += pos[1] - 1;
4803 pos += 2 + pos[1];
4804
4805 /* Add possible fragments */
4806 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
4807 2 + pos[1] <= end - pos) {
4808 os_memcpy(tmp_pos, pos + 2, pos[1]);
4809 tmp_pos += pos[1];
4810 pos += 2 + pos[1];
4811 }
4812
4813 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
4814 }
4815
4816 os_free(tmp);
4817 }
4818
4819
fils_process_assoc_resp(struct wpa_sm * sm,const u8 * resp,size_t len)4820 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
4821 {
4822 const struct ieee80211_mgmt *mgmt;
4823 const u8 *end, *ie_start;
4824 struct ieee802_11_elems elems;
4825 int keylen, rsclen;
4826 enum wpa_alg alg;
4827 struct wpa_gtk_data gd;
4828 int maxkeylen;
4829 struct wpa_eapol_ie_parse kde;
4830
4831 if (!sm || !sm->ptk_set) {
4832 wpa_printf(MSG_DEBUG, "FILS: No KEK available");
4833 return -1;
4834 }
4835
4836 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
4837 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
4838 return -1;
4839 }
4840
4841 if (sm->fils_completed) {
4842 wpa_printf(MSG_DEBUG,
4843 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
4844 return -1;
4845 }
4846
4847 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
4848 resp, len);
4849
4850 mgmt = (const struct ieee80211_mgmt *) resp;
4851 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
4852 return -1;
4853
4854 end = resp + len;
4855 /* Same offset for Association Response and Reassociation Response */
4856 ie_start = mgmt->u.assoc_resp.variable;
4857
4858 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
4859 ParseFailed) {
4860 wpa_printf(MSG_DEBUG,
4861 "FILS: Failed to parse decrypted elements");
4862 goto fail;
4863 }
4864
4865 if (!elems.fils_session) {
4866 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
4867 return -1;
4868 }
4869 if (os_memcmp(elems.fils_session, sm->fils_session,
4870 FILS_SESSION_LEN) != 0) {
4871 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
4872 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
4873 elems.fils_session, FILS_SESSION_LEN);
4874 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
4875 sm->fils_session, FILS_SESSION_LEN);
4876 }
4877
4878 if (!elems.rsn_ie) {
4879 wpa_printf(MSG_DEBUG,
4880 "FILS: No RSNE in (Re)Association Response");
4881 /* As an interop workaround, allow this for now since IEEE Std
4882 * 802.11ai-2016 did not include all the needed changes to make
4883 * a FILS AP include RSNE in the frame. This workaround might
4884 * eventually be removed and replaced with rejection (goto fail)
4885 * to follow a strict interpretation of the standard. */
4886 } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
4887 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
4888 elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
4889 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4890 "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
4891 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
4892 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
4893 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
4894 elems.rsn_ie, elems.rsn_ie_len);
4895 goto fail;
4896 }
4897
4898 /* TODO: FILS Public Key */
4899
4900 if (!elems.fils_key_confirm) {
4901 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
4902 goto fail;
4903 }
4904 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
4905 wpa_printf(MSG_DEBUG,
4906 "FILS: Unexpected Key-Auth length %d (expected %d)",
4907 elems.fils_key_confirm_len,
4908 (int) sm->fils_key_auth_len);
4909 goto fail;
4910 }
4911 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
4912 sm->fils_key_auth_len) != 0) {
4913 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
4914 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
4915 elems.fils_key_confirm,
4916 elems.fils_key_confirm_len);
4917 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
4918 sm->fils_key_auth_ap, sm->fils_key_auth_len);
4919 goto fail;
4920 }
4921
4922 #ifdef CONFIG_OCV
4923 if (wpa_sm_ocv_enabled(sm)) {
4924 struct wpa_channel_info ci;
4925
4926 if (wpa_sm_channel_info(sm, &ci) != 0) {
4927 wpa_printf(MSG_WARNING,
4928 "Failed to get channel info to validate received OCI in FILS (Re)Association Response frame");
4929 goto fail;
4930 }
4931
4932 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
4933 channel_width_to_int(ci.chanwidth),
4934 ci.seg1_idx) != OCI_SUCCESS) {
4935 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
4936 "addr=" MACSTR " frame=fils-assoc error=%s",
4937 MAC2STR(sm->bssid), ocv_errorstr);
4938 goto fail;
4939 }
4940 }
4941 #endif /* CONFIG_OCV */
4942
4943 #ifdef CONFIG_IEEE80211R
4944 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
4945 struct wpa_ie_data rsn;
4946
4947 /* Check that PMKR1Name derived by the AP matches */
4948 if (!elems.rsn_ie ||
4949 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
4950 &rsn) < 0 ||
4951 !rsn.pmkid || rsn.num_pmkid != 1 ||
4952 os_memcmp(rsn.pmkid, sm->pmk_r1_name,
4953 WPA_PMK_NAME_LEN) != 0) {
4954 wpa_printf(MSG_DEBUG,
4955 "FILS+FT: No RSNE[PMKR1Name] match in AssocResp");
4956 goto fail;
4957 }
4958 }
4959 #endif /* CONFIG_IEEE80211R */
4960
4961 /* Key Delivery */
4962 if (!elems.key_delivery) {
4963 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
4964 goto fail;
4965 }
4966
4967 /* Parse GTK and set the key to the driver */
4968 os_memset(&gd, 0, sizeof(gd));
4969 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
4970 elems.key_delivery_len - WPA_KEY_RSC_LEN,
4971 &kde) < 0) {
4972 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
4973 goto fail;
4974 }
4975 if (!kde.gtk) {
4976 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
4977 goto fail;
4978 }
4979 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
4980 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
4981 gd.gtk_len, maxkeylen,
4982 &gd.key_rsc_len, &gd.alg))
4983 goto fail;
4984
4985 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
4986 gd.keyidx = kde.gtk[0] & 0x3;
4987 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
4988 !!(kde.gtk[0] & BIT(2)));
4989 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
4990 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
4991 (unsigned long) kde.gtk_len - 2);
4992 goto fail;
4993 }
4994 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
4995
4996 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
4997 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
4998 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
4999 goto fail;
5000 }
5001
5002 if (ieee80211w_set_keys(sm, &kde) < 0) {
5003 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
5004 goto fail;
5005 }
5006
5007 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
5008 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
5009 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
5010 wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
5011 keylen, (long unsigned int) sm->ptk.tk_len);
5012 goto fail;
5013 }
5014
5015 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
5016 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
5017 sm->ptk.tk, keylen);
5018 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen,
5019 sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE_RX_TX) < 0) {
5020 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
5021 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
5022 MACSTR ")",
5023 alg, keylen, MAC2STR(sm->bssid));
5024 goto fail;
5025 }
5026
5027 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
5028 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
5029
5030 /* TODO: TK could be cleared after auth frame exchange now that driver
5031 * takes care of association frame encryption/decryption. */
5032 /* TK is not needed anymore in supplicant */
5033 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
5034 sm->ptk.tk_len = 0;
5035 sm->ptk.installed = 1;
5036
5037 /* FILS HLP Container */
5038 fils_process_hlp_container(sm, ie_start, end - ie_start);
5039
5040 /* TODO: FILS IP Address Assignment */
5041
5042 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
5043 sm->fils_completed = 1;
5044 forced_memzero(&gd, sizeof(gd));
5045
5046 if (kde.transition_disable)
5047 wpa_sm_transition_disable(sm, kde.transition_disable[0]);
5048
5049 return 0;
5050 fail:
5051 forced_memzero(&gd, sizeof(gd));
5052 return -1;
5053 }
5054
5055
wpa_sm_set_reset_fils_completed(struct wpa_sm * sm,int set)5056 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set)
5057 {
5058 if (sm)
5059 sm->fils_completed = !!set;
5060 }
5061
5062 #endif /* CONFIG_FILS */
5063
5064
wpa_fils_is_completed(struct wpa_sm * sm)5065 int wpa_fils_is_completed(struct wpa_sm *sm)
5066 {
5067 #ifdef CONFIG_FILS
5068 return sm && sm->fils_completed;
5069 #else /* CONFIG_FILS */
5070 return 0;
5071 #endif /* CONFIG_FILS */
5072 }
5073
5074
5075 #ifdef CONFIG_OWE
5076
owe_build_assoc_req(struct wpa_sm * sm,u16 group)5077 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group)
5078 {
5079 struct wpabuf *ie = NULL, *pub = NULL;
5080 size_t prime_len;
5081
5082 if (group == 19)
5083 prime_len = 32;
5084 else if (group == 20)
5085 prime_len = 48;
5086 else if (group == 21)
5087 prime_len = 66;
5088 else
5089 return NULL;
5090
5091 crypto_ecdh_deinit(sm->owe_ecdh);
5092 sm->owe_ecdh = crypto_ecdh_init(group);
5093 if (!sm->owe_ecdh)
5094 goto fail;
5095 sm->owe_group = group;
5096 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
5097 pub = wpabuf_zeropad(pub, prime_len);
5098 if (!pub)
5099 goto fail;
5100
5101 ie = wpabuf_alloc(5 + wpabuf_len(pub));
5102 if (!ie)
5103 goto fail;
5104 wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
5105 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
5106 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
5107 wpabuf_put_le16(ie, group);
5108 wpabuf_put_buf(ie, pub);
5109 wpabuf_free(pub);
5110 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
5111 ie);
5112
5113 return ie;
5114 fail:
5115 wpabuf_free(pub);
5116 crypto_ecdh_deinit(sm->owe_ecdh);
5117 sm->owe_ecdh = NULL;
5118 return NULL;
5119 }
5120
5121
owe_process_assoc_resp(struct wpa_sm * sm,const u8 * bssid,const u8 * resp_ies,size_t resp_ies_len)5122 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
5123 const u8 *resp_ies, size_t resp_ies_len)
5124 {
5125 struct ieee802_11_elems elems;
5126 u16 group;
5127 struct wpabuf *secret, *pub, *hkey;
5128 int res;
5129 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
5130 const char *info = "OWE Key Generation";
5131 const u8 *addr[2];
5132 size_t len[2];
5133 size_t hash_len, prime_len;
5134 struct wpa_ie_data data;
5135
5136 if (!resp_ies ||
5137 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
5138 ParseFailed) {
5139 wpa_printf(MSG_INFO,
5140 "OWE: Could not parse Association Response frame elements");
5141 return -1;
5142 }
5143
5144 if (sm->cur_pmksa && elems.rsn_ie &&
5145 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len,
5146 &data) == 0 &&
5147 data.num_pmkid == 1 && data.pmkid &&
5148 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) {
5149 wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching");
5150 wpa_sm_set_pmk_from_pmksa(sm);
5151 return 0;
5152 }
5153
5154 if (!elems.owe_dh) {
5155 wpa_printf(MSG_INFO,
5156 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
5157 return -1;
5158 }
5159
5160 group = WPA_GET_LE16(elems.owe_dh);
5161 if (group != sm->owe_group) {
5162 wpa_printf(MSG_INFO,
5163 "OWE: Unexpected Diffie-Hellman group in response: %u",
5164 group);
5165 return -1;
5166 }
5167
5168 if (!sm->owe_ecdh) {
5169 wpa_printf(MSG_INFO, "OWE: No ECDH state available");
5170 return -1;
5171 }
5172
5173 if (group == 19)
5174 prime_len = 32;
5175 else if (group == 20)
5176 prime_len = 48;
5177 else if (group == 21)
5178 prime_len = 66;
5179 else
5180 return -1;
5181
5182 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
5183 elems.owe_dh + 2,
5184 elems.owe_dh_len - 2);
5185 secret = wpabuf_zeropad(secret, prime_len);
5186 if (!secret) {
5187 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
5188 return -1;
5189 }
5190 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
5191
5192 /* prk = HKDF-extract(C | A | group, z) */
5193
5194 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
5195 if (!pub) {
5196 wpabuf_clear_free(secret);
5197 return -1;
5198 }
5199
5200 /* PMKID = Truncate-128(Hash(C | A)) */
5201 addr[0] = wpabuf_head(pub);
5202 len[0] = wpabuf_len(pub);
5203 addr[1] = elems.owe_dh + 2;
5204 len[1] = elems.owe_dh_len - 2;
5205 if (group == 19) {
5206 res = sha256_vector(2, addr, len, pmkid);
5207 hash_len = SHA256_MAC_LEN;
5208 } else if (group == 20) {
5209 res = sha384_vector(2, addr, len, pmkid);
5210 hash_len = SHA384_MAC_LEN;
5211 } else if (group == 21) {
5212 res = sha512_vector(2, addr, len, pmkid);
5213 hash_len = SHA512_MAC_LEN;
5214 } else {
5215 res = -1;
5216 hash_len = 0;
5217 }
5218 pub = wpabuf_zeropad(pub, prime_len);
5219 if (res < 0 || !pub) {
5220 wpabuf_free(pub);
5221 wpabuf_clear_free(secret);
5222 return -1;
5223 }
5224
5225 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
5226 if (!hkey) {
5227 wpabuf_free(pub);
5228 wpabuf_clear_free(secret);
5229 return -1;
5230 }
5231
5232 wpabuf_put_buf(hkey, pub); /* C */
5233 wpabuf_free(pub);
5234 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
5235 wpabuf_put_le16(hkey, sm->owe_group); /* group */
5236 if (group == 19)
5237 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
5238 wpabuf_head(secret), wpabuf_len(secret), prk);
5239 else if (group == 20)
5240 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
5241 wpabuf_head(secret), wpabuf_len(secret), prk);
5242 else if (group == 21)
5243 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
5244 wpabuf_head(secret), wpabuf_len(secret), prk);
5245 wpabuf_clear_free(hkey);
5246 wpabuf_clear_free(secret);
5247 if (res < 0)
5248 return -1;
5249
5250 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
5251
5252 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
5253
5254 if (group == 19)
5255 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
5256 os_strlen(info), sm->pmk, hash_len);
5257 else if (group == 20)
5258 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
5259 os_strlen(info), sm->pmk, hash_len);
5260 else if (group == 21)
5261 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
5262 os_strlen(info), sm->pmk, hash_len);
5263 forced_memzero(prk, SHA512_MAC_LEN);
5264 if (res < 0) {
5265 sm->pmk_len = 0;
5266 return -1;
5267 }
5268 sm->pmk_len = hash_len;
5269
5270 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
5271 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
5272 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
5273 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
5274 NULL);
5275
5276 return 0;
5277 }
5278
5279 #endif /* CONFIG_OWE */
5280
5281
wpa_sm_set_fils_cache_id(struct wpa_sm * sm,const u8 * fils_cache_id)5282 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id)
5283 {
5284 #ifdef CONFIG_FILS
5285 if (sm && fils_cache_id) {
5286 sm->fils_cache_id_set = 1;
5287 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN);
5288 }
5289 #endif /* CONFIG_FILS */
5290 }
5291
5292
5293 #ifdef CONFIG_DPP2
wpa_sm_set_dpp_z(struct wpa_sm * sm,const struct wpabuf * z)5294 void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z)
5295 {
5296 if (sm) {
5297 wpabuf_clear_free(sm->dpp_z);
5298 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
5299 }
5300 }
5301 #endif /* CONFIG_DPP2 */
5302
5303
5304 #ifdef CONFIG_PASN
wpa_pasn_pmksa_cache_add(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid,int key_mgmt)5305 void wpa_pasn_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
5306 const u8 *pmkid, const u8 *bssid, int key_mgmt)
5307 {
5308 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
5309 bssid, sm->own_addr, NULL,
5310 key_mgmt, 0);
5311 }
5312 #endif /* CONFIG_PASN */
5313
5314
wpa_sm_pmksa_cache_reconfig(struct wpa_sm * sm)5315 void wpa_sm_pmksa_cache_reconfig(struct wpa_sm *sm)
5316 {
5317 if (sm)
5318 pmksa_cache_reconfig(sm->pmksa);
5319 }
5320