1 /*
2 * IEEE 802.11 RSN / WPA Authenticator
3 * Copyright (c) 2004-2022, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/state_machine.h"
14 #include "utils/bitfield.h"
15 #include "common/ieee802_11_defs.h"
16 #include "common/ocv.h"
17 #include "common/dpp.h"
18 #include "common/wpa_ctrl.h"
19 #include "crypto/aes.h"
20 #include "crypto/aes_wrap.h"
21 #include "crypto/aes_siv.h"
22 #include "crypto/crypto.h"
23 #include "crypto/sha1.h"
24 #include "crypto/sha256.h"
25 #include "crypto/sha384.h"
26 #include "crypto/random.h"
27 #include "eapol_auth/eapol_auth_sm.h"
28 #include "drivers/driver.h"
29 #include "ap_config.h"
30 #include "ieee802_11.h"
31 #include "wpa_auth.h"
32 #include "pmksa_cache_auth.h"
33 #include "wpa_auth_i.h"
34 #include "wpa_auth_ie.h"
35
36 #define STATE_MACHINE_DATA struct wpa_state_machine
37 #define STATE_MACHINE_DEBUG_PREFIX "WPA"
38 #define STATE_MACHINE_ADDR sm->addr
39
40
41 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
42 static int wpa_sm_step(struct wpa_state_machine *sm);
43 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
44 u8 *data, size_t data_len);
45 #ifdef CONFIG_FILS
46 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
47 u8 *buf, size_t buf_len, u16 *_key_data_len);
48 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
49 const struct wpabuf *hlp);
50 #endif /* CONFIG_FILS */
51 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
52 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
53 struct wpa_group *group);
54 static void wpa_request_new_ptk(struct wpa_state_machine *sm);
55 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
56 struct wpa_group *group);
57 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
58 struct wpa_group *group);
59 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
60 const u8 *pmk, unsigned int pmk_len,
61 struct wpa_ptk *ptk, int force_sha256);
62 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
63 struct wpa_group *group);
64 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
65 struct wpa_group *group);
66 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
67 struct wpa_group *group);
68 static int ieee80211w_kde_len(struct wpa_state_machine *sm);
69 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
70
71 static const u32 eapol_key_timeout_first = 100; /* ms */
72 static const u32 eapol_key_timeout_subseq = 1000; /* ms */
73 static const u32 eapol_key_timeout_first_group = 500; /* ms */
74 static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
75
76 /* TODO: make these configurable */
77 static const int dot11RSNAConfigPMKLifetime = 43200;
78 static const int dot11RSNAConfigPMKReauthThreshold = 70;
79 static const int dot11RSNAConfigSATimeout = 60;
80
81
wpa_auth_mic_failure_report(struct wpa_authenticator * wpa_auth,const u8 * addr)82 static inline int wpa_auth_mic_failure_report(
83 struct wpa_authenticator *wpa_auth, const u8 *addr)
84 {
85 if (wpa_auth->cb->mic_failure_report)
86 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
87 return 0;
88 }
89
90
wpa_auth_psk_failure_report(struct wpa_authenticator * wpa_auth,const u8 * addr)91 static inline void wpa_auth_psk_failure_report(
92 struct wpa_authenticator *wpa_auth, const u8 *addr)
93 {
94 if (wpa_auth->cb->psk_failure_report)
95 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
96 }
97
98
wpa_auth_set_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var,int value)99 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
100 const u8 *addr, wpa_eapol_variable var,
101 int value)
102 {
103 if (wpa_auth->cb->set_eapol)
104 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
105 }
106
107
wpa_auth_get_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var)108 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
109 const u8 *addr, wpa_eapol_variable var)
110 {
111 if (!wpa_auth->cb->get_eapol)
112 return -1;
113 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
114 }
115
116
wpa_auth_get_psk(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * p2p_dev_addr,const u8 * prev_psk,size_t * psk_len,int * vlan_id)117 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
118 const u8 *addr,
119 const u8 *p2p_dev_addr,
120 const u8 *prev_psk, size_t *psk_len,
121 int *vlan_id)
122 {
123 if (!wpa_auth->cb->get_psk)
124 return NULL;
125 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
126 prev_psk, psk_len, vlan_id);
127 }
128
129
wpa_auth_get_msk(struct wpa_authenticator * wpa_auth,const u8 * addr,u8 * msk,size_t * len)130 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
131 const u8 *addr, u8 *msk, size_t *len)
132 {
133 if (!wpa_auth->cb->get_msk)
134 return -1;
135 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
136 }
137
138
wpa_auth_set_key(struct wpa_authenticator * wpa_auth,int vlan_id,enum wpa_alg alg,const u8 * addr,int idx,u8 * key,size_t key_len,enum key_flag key_flag)139 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
140 int vlan_id,
141 enum wpa_alg alg, const u8 *addr, int idx,
142 u8 *key, size_t key_len,
143 enum key_flag key_flag)
144 {
145 if (!wpa_auth->cb->set_key)
146 return -1;
147 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
148 key, key_len, key_flag);
149 }
150
151
wpa_auth_get_seqnum(struct wpa_authenticator * wpa_auth,const u8 * addr,int idx,u8 * seq)152 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
153 const u8 *addr, int idx, u8 *seq)
154 {
155 int res;
156
157 if (!wpa_auth->cb->get_seqnum)
158 return -1;
159 res = wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
160 #ifdef CONFIG_TESTING_OPTIONS
161 if (!addr && idx < 4 && wpa_auth->conf.gtk_rsc_override_set) {
162 wpa_printf(MSG_DEBUG,
163 "TESTING: Override GTK RSC %016llx --> %016llx",
164 (long long unsigned) WPA_GET_LE64(seq),
165 (long long unsigned)
166 WPA_GET_LE64(wpa_auth->conf.gtk_rsc_override));
167 os_memcpy(seq, wpa_auth->conf.gtk_rsc_override,
168 WPA_KEY_RSC_LEN);
169 }
170 if (!addr && idx >= 4 && idx <= 5 &&
171 wpa_auth->conf.igtk_rsc_override_set) {
172 wpa_printf(MSG_DEBUG,
173 "TESTING: Override IGTK RSC %016llx --> %016llx",
174 (long long unsigned) WPA_GET_LE64(seq),
175 (long long unsigned)
176 WPA_GET_LE64(wpa_auth->conf.igtk_rsc_override));
177 os_memcpy(seq, wpa_auth->conf.igtk_rsc_override,
178 WPA_KEY_RSC_LEN);
179 }
180 #endif /* CONFIG_TESTING_OPTIONS */
181 return res;
182 }
183
184
185 static inline int
wpa_auth_send_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * data,size_t data_len,int encrypt)186 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
187 const u8 *data, size_t data_len, int encrypt)
188 {
189 if (!wpa_auth->cb->send_eapol)
190 return -1;
191 #ifdef CONFIG_TESTING_OPTIONS
192 if (wpa_auth->conf.skip_send_eapol)
193 return 0;
194 #endif
195 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
196 encrypt);
197 }
198
199
200 #ifdef CONFIG_MESH
wpa_auth_start_ampe(struct wpa_authenticator * wpa_auth,const u8 * addr)201 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
202 const u8 *addr)
203 {
204 if (!wpa_auth->cb->start_ampe)
205 return -1;
206 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
207 }
208 #endif /* CONFIG_MESH */
209
210
wpa_auth_for_each_sta(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_state_machine * sm,void * ctx),void * cb_ctx)211 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
212 int (*cb)(struct wpa_state_machine *sm, void *ctx),
213 void *cb_ctx)
214 {
215 if (!wpa_auth->cb->for_each_sta)
216 return 0;
217 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
218 }
219
220
wpa_auth_for_each_auth(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_authenticator * a,void * ctx),void * cb_ctx)221 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
222 int (*cb)(struct wpa_authenticator *a, void *ctx),
223 void *cb_ctx)
224 {
225 if (!wpa_auth->cb->for_each_auth)
226 return 0;
227 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
228 }
229
230
wpa_auth_store_ptksa(struct wpa_authenticator * wpa_auth,const u8 * addr,int cipher,u32 life_time,const struct wpa_ptk * ptk)231 void wpa_auth_store_ptksa(struct wpa_authenticator *wpa_auth,
232 const u8 *addr, int cipher,
233 u32 life_time, const struct wpa_ptk *ptk)
234 {
235 if (wpa_auth->cb->store_ptksa)
236 wpa_auth->cb->store_ptksa(wpa_auth->cb_ctx, addr, cipher,
237 life_time, ptk);
238 }
239
240
wpa_auth_remove_ptksa(struct wpa_authenticator * wpa_auth,const u8 * addr,int cipher)241 void wpa_auth_remove_ptksa(struct wpa_authenticator *wpa_auth,
242 const u8 *addr, int cipher)
243 {
244 if (wpa_auth->cb->clear_ptksa)
245 wpa_auth->cb->clear_ptksa(wpa_auth->cb_ctx, addr, cipher);
246 }
247
wpa_auth_logger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * txt)248 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
249 logger_level level, const char *txt)
250 {
251 if (!wpa_auth->cb->logger)
252 return;
253 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
254 }
255
256
wpa_auth_vlogger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * fmt,...)257 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
258 logger_level level, const char *fmt, ...)
259 {
260 char *format;
261 int maxlen;
262 va_list ap;
263
264 if (!wpa_auth->cb->logger)
265 return;
266
267 maxlen = os_strlen(fmt) + 100;
268 format = os_malloc(maxlen);
269 if (!format)
270 return;
271
272 va_start(ap, fmt);
273 vsnprintf(format, maxlen, fmt, ap);
274 va_end(ap);
275
276 wpa_auth_logger(wpa_auth, addr, level, format);
277
278 os_free(format);
279 }
280
281
wpa_sta_disconnect(struct wpa_authenticator * wpa_auth,const u8 * addr,u16 reason)282 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
283 const u8 *addr, u16 reason)
284 {
285 if (!wpa_auth->cb->disconnect)
286 return;
287 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)",
288 MAC2STR(addr), reason);
289 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason);
290 }
291
292
293 #ifdef CONFIG_OCV
wpa_channel_info(struct wpa_authenticator * wpa_auth,struct wpa_channel_info * ci)294 static int wpa_channel_info(struct wpa_authenticator *wpa_auth,
295 struct wpa_channel_info *ci)
296 {
297 if (!wpa_auth->cb->channel_info)
298 return -1;
299 return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci);
300 }
301 #endif /* CONFIG_OCV */
302
303
wpa_auth_update_vlan(struct wpa_authenticator * wpa_auth,const u8 * addr,int vlan_id)304 static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth,
305 const u8 *addr, int vlan_id)
306 {
307 if (!wpa_auth->cb->update_vlan)
308 return -1;
309 return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id);
310 }
311
312
wpa_rekey_gmk(void * eloop_ctx,void * timeout_ctx)313 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
314 {
315 struct wpa_authenticator *wpa_auth = eloop_ctx;
316
317 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
318 wpa_printf(MSG_ERROR,
319 "Failed to get random data for WPA initialization.");
320 } else {
321 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
322 wpa_hexdump_key(MSG_DEBUG, "GMK",
323 wpa_auth->group->GMK, WPA_GMK_LEN);
324 }
325
326 if (wpa_auth->conf.wpa_gmk_rekey) {
327 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
328 wpa_rekey_gmk, wpa_auth, NULL);
329 }
330 }
331
332
wpa_rekey_gtk(void * eloop_ctx,void * timeout_ctx)333 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
334 {
335 struct wpa_authenticator *wpa_auth = eloop_ctx;
336 struct wpa_group *group, *next;
337
338 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
339 group = wpa_auth->group;
340 while (group) {
341 wpa_group_get(wpa_auth, group);
342
343 group->GTKReKey = true;
344 do {
345 group->changed = false;
346 wpa_group_sm_step(wpa_auth, group);
347 } while (group->changed);
348
349 next = group->next;
350 wpa_group_put(wpa_auth, group);
351 group = next;
352 }
353
354 if (wpa_auth->conf.wpa_group_rekey) {
355 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
356 0, wpa_rekey_gtk, wpa_auth, NULL);
357 }
358 }
359
360
wpa_rekey_ptk(void * eloop_ctx,void * timeout_ctx)361 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
362 {
363 struct wpa_authenticator *wpa_auth = eloop_ctx;
364 struct wpa_state_machine *sm = timeout_ctx;
365
366 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
367 wpa_request_new_ptk(sm);
368 wpa_sm_step(sm);
369 }
370
371
wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine * sm)372 void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine *sm)
373 {
374 if (sm && sm->wpa_auth->conf.wpa_ptk_rekey) {
375 wpa_printf(MSG_DEBUG, "WPA: Start PTK rekeying timer for "
376 MACSTR " (%d seconds)", MAC2STR(sm->addr),
377 sm->wpa_auth->conf.wpa_ptk_rekey);
378 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
379 eloop_register_timeout(sm->wpa_auth->conf.wpa_ptk_rekey, 0,
380 wpa_rekey_ptk, sm->wpa_auth, sm);
381 }
382 }
383
384
wpa_auth_pmksa_clear_cb(struct wpa_state_machine * sm,void * ctx)385 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
386 {
387 if (sm->pmksa == ctx)
388 sm->pmksa = NULL;
389 return 0;
390 }
391
392
wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)393 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
394 void *ctx)
395 {
396 struct wpa_authenticator *wpa_auth = ctx;
397 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
398 }
399
400
wpa_group_init_gmk_and_counter(struct wpa_authenticator * wpa_auth,struct wpa_group * group)401 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
402 struct wpa_group *group)
403 {
404 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
405 u8 rkey[32];
406 unsigned long ptr;
407
408 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
409 return -1;
410 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
411
412 /*
413 * Counter = PRF-256(Random number, "Init Counter",
414 * Local MAC Address || Time)
415 */
416 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
417 wpa_get_ntp_timestamp(buf + ETH_ALEN);
418 ptr = (unsigned long) group;
419 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
420 #ifdef TEST_FUZZ
421 os_memset(buf + ETH_ALEN, 0xab, 8);
422 os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr));
423 #endif /* TEST_FUZZ */
424 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
425 return -1;
426
427 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
428 group->Counter, WPA_NONCE_LEN) < 0)
429 return -1;
430 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
431 group->Counter, WPA_NONCE_LEN);
432
433 return 0;
434 }
435
436
wpa_group_init(struct wpa_authenticator * wpa_auth,int vlan_id,int delay_init)437 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
438 int vlan_id, int delay_init)
439 {
440 struct wpa_group *group;
441
442 group = os_zalloc(sizeof(struct wpa_group));
443 if (!group)
444 return NULL;
445
446 group->GTKAuthenticator = true;
447 group->vlan_id = vlan_id;
448 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
449
450 if (random_pool_ready() != 1) {
451 wpa_printf(MSG_INFO,
452 "WPA: Not enough entropy in random pool for secure operations - update keys later when the first station connects");
453 }
454
455 /*
456 * Set initial GMK/Counter value here. The actual values that will be
457 * used in negotiations will be set once the first station tries to
458 * connect. This allows more time for collecting additional randomness
459 * on embedded devices.
460 */
461 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
462 wpa_printf(MSG_ERROR,
463 "Failed to get random data for WPA initialization.");
464 os_free(group);
465 return NULL;
466 }
467
468 group->GInit = true;
469 if (delay_init) {
470 wpa_printf(MSG_DEBUG,
471 "WPA: Delay group state machine start until Beacon frames have been configured");
472 /* Initialization is completed in wpa_init_keys(). */
473 } else {
474 wpa_group_sm_step(wpa_auth, group);
475 group->GInit = false;
476 wpa_group_sm_step(wpa_auth, group);
477 }
478
479 return group;
480 }
481
482
483 /**
484 * wpa_init - Initialize WPA authenticator
485 * @addr: Authenticator address
486 * @conf: Configuration for WPA authenticator
487 * @cb: Callback functions for WPA authenticator
488 * Returns: Pointer to WPA authenticator data or %NULL on failure
489 */
wpa_init(const u8 * addr,struct wpa_auth_config * conf,const struct wpa_auth_callbacks * cb,void * cb_ctx)490 struct wpa_authenticator * wpa_init(const u8 *addr,
491 struct wpa_auth_config *conf,
492 const struct wpa_auth_callbacks *cb,
493 void *cb_ctx)
494 {
495 struct wpa_authenticator *wpa_auth;
496
497 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
498 if (!wpa_auth)
499 return NULL;
500 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
501 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
502 wpa_auth->cb = cb;
503 wpa_auth->cb_ctx = cb_ctx;
504
505 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
506 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
507 os_free(wpa_auth);
508 return NULL;
509 }
510
511 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
512 if (!wpa_auth->group) {
513 os_free(wpa_auth->wpa_ie);
514 os_free(wpa_auth);
515 return NULL;
516 }
517
518 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
519 wpa_auth);
520 if (!wpa_auth->pmksa) {
521 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
522 os_free(wpa_auth->group);
523 os_free(wpa_auth->wpa_ie);
524 os_free(wpa_auth);
525 return NULL;
526 }
527
528 #ifdef CONFIG_IEEE80211R_AP
529 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
530 if (!wpa_auth->ft_pmk_cache) {
531 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
532 os_free(wpa_auth->group);
533 os_free(wpa_auth->wpa_ie);
534 pmksa_cache_auth_deinit(wpa_auth->pmksa);
535 os_free(wpa_auth);
536 return NULL;
537 }
538 #endif /* CONFIG_IEEE80211R_AP */
539
540 if (wpa_auth->conf.wpa_gmk_rekey) {
541 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
542 wpa_rekey_gmk, wpa_auth, NULL);
543 }
544
545 if (wpa_auth->conf.wpa_group_rekey) {
546 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
547 wpa_rekey_gtk, wpa_auth, NULL);
548 }
549
550 #ifdef CONFIG_P2P
551 if (WPA_GET_BE32(conf->ip_addr_start)) {
552 int count = WPA_GET_BE32(conf->ip_addr_end) -
553 WPA_GET_BE32(conf->ip_addr_start) + 1;
554 if (count > 1000)
555 count = 1000;
556 if (count > 0)
557 wpa_auth->ip_pool = bitfield_alloc(count);
558 }
559 #endif /* CONFIG_P2P */
560
561 return wpa_auth;
562 }
563
564
wpa_init_keys(struct wpa_authenticator * wpa_auth)565 int wpa_init_keys(struct wpa_authenticator *wpa_auth)
566 {
567 struct wpa_group *group = wpa_auth->group;
568
569 wpa_printf(MSG_DEBUG,
570 "WPA: Start group state machine to set initial keys");
571 wpa_group_sm_step(wpa_auth, group);
572 group->GInit = false;
573 wpa_group_sm_step(wpa_auth, group);
574 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
575 return -1;
576 return 0;
577 }
578
579
580 /**
581 * wpa_deinit - Deinitialize WPA authenticator
582 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
583 */
wpa_deinit(struct wpa_authenticator * wpa_auth)584 void wpa_deinit(struct wpa_authenticator *wpa_auth)
585 {
586 struct wpa_group *group, *prev;
587
588 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
589 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
590
591 pmksa_cache_auth_deinit(wpa_auth->pmksa);
592
593 #ifdef CONFIG_IEEE80211R_AP
594 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
595 wpa_auth->ft_pmk_cache = NULL;
596 wpa_ft_deinit(wpa_auth);
597 #endif /* CONFIG_IEEE80211R_AP */
598
599 #ifdef CONFIG_P2P
600 bitfield_free(wpa_auth->ip_pool);
601 #endif /* CONFIG_P2P */
602
603
604 os_free(wpa_auth->wpa_ie);
605
606 group = wpa_auth->group;
607 while (group) {
608 prev = group;
609 group = group->next;
610 bin_clear_free(prev, sizeof(*prev));
611 }
612
613 os_free(wpa_auth);
614 }
615
616
617 /**
618 * wpa_reconfig - Update WPA authenticator configuration
619 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
620 * @conf: Configuration for WPA authenticator
621 */
wpa_reconfig(struct wpa_authenticator * wpa_auth,struct wpa_auth_config * conf)622 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
623 struct wpa_auth_config *conf)
624 {
625 struct wpa_group *group;
626
627 if (!wpa_auth)
628 return 0;
629
630 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
631 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
632 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
633 return -1;
634 }
635
636 /*
637 * Reinitialize GTK to make sure it is suitable for the new
638 * configuration.
639 */
640 group = wpa_auth->group;
641 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
642 group->GInit = true;
643 wpa_group_sm_step(wpa_auth, group);
644 group->GInit = false;
645 wpa_group_sm_step(wpa_auth, group);
646
647 return 0;
648 }
649
650
651 struct wpa_state_machine *
wpa_auth_sta_init(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * p2p_dev_addr)652 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
653 const u8 *p2p_dev_addr)
654 {
655 struct wpa_state_machine *sm;
656
657 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
658 return NULL;
659
660 sm = os_zalloc(sizeof(struct wpa_state_machine));
661 if (!sm)
662 return NULL;
663 os_memcpy(sm->addr, addr, ETH_ALEN);
664 if (p2p_dev_addr)
665 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
666
667 sm->wpa_auth = wpa_auth;
668 sm->group = wpa_auth->group;
669 wpa_group_get(sm->wpa_auth, sm->group);
670
671 return sm;
672 }
673
674
wpa_auth_sta_associated(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm)675 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
676 struct wpa_state_machine *sm)
677 {
678 if (!wpa_auth || !wpa_auth->conf.wpa || !sm)
679 return -1;
680
681 #ifdef CONFIG_IEEE80211R_AP
682 if (sm->ft_completed) {
683 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
684 "FT authentication already completed - do not start 4-way handshake");
685 /* Go to PTKINITDONE state to allow GTK rekeying */
686 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
687 sm->Pair = true;
688 return 0;
689 }
690 #endif /* CONFIG_IEEE80211R_AP */
691
692 #ifdef CONFIG_FILS
693 if (sm->fils_completed) {
694 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
695 "FILS authentication already completed - do not start 4-way handshake");
696 /* Go to PTKINITDONE state to allow GTK rekeying */
697 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
698 sm->Pair = true;
699 return 0;
700 }
701 #endif /* CONFIG_FILS */
702
703 if (sm->started) {
704 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
705 sm->ReAuthenticationRequest = true;
706 return wpa_sm_step(sm);
707 }
708
709 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
710 "start authentication");
711 sm->started = 1;
712
713 sm->Init = true;
714 if (wpa_sm_step(sm) == 1)
715 return 1; /* should not really happen */
716 sm->Init = false;
717 sm->AuthenticationRequest = true;
718 return wpa_sm_step(sm);
719 }
720
721
wpa_auth_sta_no_wpa(struct wpa_state_machine * sm)722 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
723 {
724 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
725 * reassociates back to the same AP while the previous entry for the
726 * STA has not yet been removed. */
727 if (!sm)
728 return;
729
730 sm->wpa_key_mgmt = 0;
731 }
732
733
wpa_free_sta_sm(struct wpa_state_machine * sm)734 static void wpa_free_sta_sm(struct wpa_state_machine *sm)
735 {
736 #ifdef CONFIG_P2P
737 if (WPA_GET_BE32(sm->ip_addr)) {
738 u32 start;
739 wpa_printf(MSG_DEBUG,
740 "P2P: Free assigned IP address %u.%u.%u.%u from "
741 MACSTR,
742 sm->ip_addr[0], sm->ip_addr[1],
743 sm->ip_addr[2], sm->ip_addr[3],
744 MAC2STR(sm->addr));
745 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
746 bitfield_clear(sm->wpa_auth->ip_pool,
747 WPA_GET_BE32(sm->ip_addr) - start);
748 }
749 #endif /* CONFIG_P2P */
750 if (sm->GUpdateStationKeys) {
751 sm->group->GKeyDoneStations--;
752 sm->GUpdateStationKeys = false;
753 }
754 #ifdef CONFIG_IEEE80211R_AP
755 os_free(sm->assoc_resp_ftie);
756 wpabuf_free(sm->ft_pending_req_ies);
757 #endif /* CONFIG_IEEE80211R_AP */
758 os_free(sm->last_rx_eapol_key);
759 os_free(sm->wpa_ie);
760 os_free(sm->rsnxe);
761 wpa_group_put(sm->wpa_auth, sm->group);
762 #ifdef CONFIG_DPP2
763 wpabuf_clear_free(sm->dpp_z);
764 #endif /* CONFIG_DPP2 */
765 bin_clear_free(sm, sizeof(*sm));
766 }
767
768
wpa_auth_sta_deinit(struct wpa_state_machine * sm)769 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
770 {
771 struct wpa_authenticator *wpa_auth;
772
773 if (!sm)
774 return;
775
776 wpa_auth = sm->wpa_auth;
777 if (wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
778 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
779 "strict rekeying - force GTK rekey since STA is leaving");
780 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk,
781 wpa_auth, NULL) == -1)
782 eloop_register_timeout(0, 500000, wpa_rekey_gtk,
783 wpa_auth, NULL);
784 }
785
786 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
787 sm->pending_1_of_4_timeout = 0;
788 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
789 eloop_cancel_timeout(wpa_rekey_ptk, wpa_auth, sm);
790 #ifdef CONFIG_IEEE80211R_AP
791 wpa_ft_sta_deinit(sm);
792 #endif /* CONFIG_IEEE80211R_AP */
793 if (sm->in_step_loop) {
794 /* Must not free state machine while wpa_sm_step() is running.
795 * Freeing will be completed in the end of wpa_sm_step(). */
796 wpa_printf(MSG_DEBUG,
797 "WPA: Registering pending STA state machine deinit for "
798 MACSTR, MAC2STR(sm->addr));
799 sm->pending_deinit = 1;
800 } else
801 wpa_free_sta_sm(sm);
802 }
803
804
wpa_request_new_ptk(struct wpa_state_machine * sm)805 static void wpa_request_new_ptk(struct wpa_state_machine *sm)
806 {
807 if (!sm)
808 return;
809
810 if (!sm->use_ext_key_id && sm->wpa_auth->conf.wpa_deny_ptk0_rekey) {
811 wpa_printf(MSG_INFO,
812 "WPA: PTK0 rekey not allowed, disconnect " MACSTR,
813 MAC2STR(sm->addr));
814 sm->Disconnect = true;
815 /* Try to encourage the STA to reconnect */
816 sm->disconnect_reason =
817 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA;
818 } else {
819 if (sm->use_ext_key_id)
820 sm->keyidx_active ^= 1; /* flip Key ID */
821 sm->PTKRequest = true;
822 sm->PTK_valid = 0;
823 }
824 }
825
826
wpa_replay_counter_valid(struct wpa_key_replay_counter * ctr,const u8 * replay_counter)827 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
828 const u8 *replay_counter)
829 {
830 int i;
831 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
832 if (!ctr[i].valid)
833 break;
834 if (os_memcmp(replay_counter, ctr[i].counter,
835 WPA_REPLAY_COUNTER_LEN) == 0)
836 return 1;
837 }
838 return 0;
839 }
840
841
wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter * ctr,const u8 * replay_counter)842 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
843 const u8 *replay_counter)
844 {
845 int i;
846 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
847 if (ctr[i].valid &&
848 (!replay_counter ||
849 os_memcmp(replay_counter, ctr[i].counter,
850 WPA_REPLAY_COUNTER_LEN) == 0))
851 ctr[i].valid = false;
852 }
853 }
854
855
856 #ifdef CONFIG_IEEE80211R_AP
ft_check_msg_2_of_4(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,struct wpa_eapol_ie_parse * kde)857 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
858 struct wpa_state_machine *sm,
859 struct wpa_eapol_ie_parse *kde)
860 {
861 struct wpa_ie_data ie;
862 struct rsn_mdie *mdie;
863
864 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
865 ie.num_pmkid != 1 || !ie.pmkid) {
866 wpa_printf(MSG_DEBUG,
867 "FT: No PMKR1Name in FT 4-way handshake message 2/4");
868 return -1;
869 }
870
871 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
872 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
873 sm->sup_pmk_r1_name, PMKID_LEN);
874
875 if (!kde->mdie || !kde->ftie) {
876 wpa_printf(MSG_DEBUG,
877 "FT: No %s in FT 4-way handshake message 2/4",
878 kde->mdie ? "FTIE" : "MDIE");
879 return -1;
880 }
881
882 mdie = (struct rsn_mdie *) (kde->mdie + 2);
883 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
884 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
885 MOBILITY_DOMAIN_ID_LEN) != 0) {
886 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
887 return -1;
888 }
889
890 if (sm->assoc_resp_ftie &&
891 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
892 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
893 2 + sm->assoc_resp_ftie[1]) != 0)) {
894 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
895 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
896 kde->ftie, kde->ftie_len);
897 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
898 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
899 return -1;
900 }
901
902 return 0;
903 }
904 #endif /* CONFIG_IEEE80211R_AP */
905
906
wpa_receive_error_report(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int group)907 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
908 struct wpa_state_machine *sm, int group)
909 {
910 /* Supplicant reported a Michael MIC error */
911 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
912 "received EAPOL-Key Error Request (STA detected Michael MIC failure (group=%d))",
913 group);
914
915 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
916 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
917 "ignore Michael MIC failure report since group cipher is not TKIP");
918 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
919 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
920 "ignore Michael MIC failure report since pairwise cipher is not TKIP");
921 } else {
922 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
923 return 1; /* STA entry was removed */
924 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
925 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
926 }
927
928 /*
929 * Error report is not a request for a new key handshake, but since
930 * Authenticator may do it, let's change the keys now anyway.
931 */
932 wpa_request_new_ptk(sm);
933 return 0;
934 }
935
936
wpa_try_alt_snonce(struct wpa_state_machine * sm,u8 * data,size_t data_len)937 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
938 size_t data_len)
939 {
940 struct wpa_ptk PTK;
941 int ok = 0;
942 const u8 *pmk = NULL;
943 size_t pmk_len;
944 int vlan_id = 0;
945
946 os_memset(&PTK, 0, sizeof(PTK));
947 for (;;) {
948 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
949 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
950 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
951 sm->p2p_dev_addr, pmk, &pmk_len,
952 &vlan_id);
953 if (!pmk)
954 break;
955 #ifdef CONFIG_IEEE80211R_AP
956 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
957 os_memcpy(sm->xxkey, pmk, pmk_len);
958 sm->xxkey_len = pmk_len;
959 }
960 #endif /* CONFIG_IEEE80211R_AP */
961 } else {
962 pmk = sm->PMK;
963 pmk_len = sm->pmk_len;
964 }
965
966 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK, 0) <
967 0)
968 break;
969
970 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
971 data, data_len) == 0) {
972 if (sm->PMK != pmk) {
973 os_memcpy(sm->PMK, pmk, pmk_len);
974 sm->pmk_len = pmk_len;
975 }
976 ok = 1;
977 break;
978 }
979
980 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
981 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
982 break;
983 }
984
985 if (!ok) {
986 wpa_printf(MSG_DEBUG,
987 "WPA: Earlier SNonce did not result in matching MIC");
988 return -1;
989 }
990
991 wpa_printf(MSG_DEBUG,
992 "WPA: Earlier SNonce resulted in matching MIC");
993 sm->alt_snonce_valid = 0;
994
995 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
996 wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0)
997 return -1;
998
999 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
1000 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
1001 forced_memzero(&PTK, sizeof(PTK));
1002 sm->PTK_valid = true;
1003
1004 return 0;
1005 }
1006
1007
wpa_auth_gtk_rekey_in_process(struct wpa_authenticator * wpa_auth)1008 static bool wpa_auth_gtk_rekey_in_process(struct wpa_authenticator *wpa_auth)
1009 {
1010 struct wpa_group *group;
1011
1012 for (group = wpa_auth->group; group; group = group->next) {
1013 if (group->GKeyDoneStations)
1014 return true;
1015 }
1016 return false;
1017 }
1018
1019
wpa_receive(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,u8 * data,size_t data_len)1020 void wpa_receive(struct wpa_authenticator *wpa_auth,
1021 struct wpa_state_machine *sm,
1022 u8 *data, size_t data_len)
1023 {
1024 struct ieee802_1x_hdr *hdr;
1025 struct wpa_eapol_key *key;
1026 u16 key_info, key_data_length;
1027 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg;
1028 char *msgtxt;
1029 struct wpa_eapol_ie_parse kde;
1030 const u8 *key_data;
1031 size_t keyhdrlen, mic_len;
1032 u8 *mic;
1033
1034 if (!wpa_auth || !wpa_auth->conf.wpa || !sm)
1035 return;
1036 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
1037
1038 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
1039 keyhdrlen = sizeof(*key) + mic_len + 2;
1040
1041 if (data_len < sizeof(*hdr) + keyhdrlen) {
1042 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
1043 return;
1044 }
1045
1046 hdr = (struct ieee802_1x_hdr *) data;
1047 key = (struct wpa_eapol_key *) (hdr + 1);
1048 mic = (u8 *) (key + 1);
1049 key_info = WPA_GET_BE16(key->key_info);
1050 key_data = mic + mic_len + 2;
1051 key_data_length = WPA_GET_BE16(mic + mic_len);
1052 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
1053 " key_info=0x%x type=%u mic_len=%zu key_data_length=%u",
1054 MAC2STR(sm->addr), key_info, key->type,
1055 mic_len, key_data_length);
1056 wpa_hexdump(MSG_MSGDUMP,
1057 "WPA: EAPOL-Key header (ending before Key MIC)",
1058 key, sizeof(*key));
1059 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
1060 mic, mic_len);
1061 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
1062 wpa_printf(MSG_INFO,
1063 "WPA: Invalid EAPOL-Key frame - key_data overflow (%d > %zu)",
1064 key_data_length,
1065 data_len - sizeof(*hdr) - keyhdrlen);
1066 return;
1067 }
1068
1069 if (sm->wpa == WPA_VERSION_WPA2) {
1070 if (key->type == EAPOL_KEY_TYPE_WPA) {
1071 /*
1072 * Some deployed station implementations seem to send
1073 * msg 4/4 with incorrect type value in WPA2 mode.
1074 */
1075 wpa_printf(MSG_DEBUG,
1076 "Workaround: Allow EAPOL-Key with unexpected WPA type in RSN mode");
1077 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
1078 wpa_printf(MSG_DEBUG,
1079 "Ignore EAPOL-Key with unexpected type %d in RSN mode",
1080 key->type);
1081 return;
1082 }
1083 } else {
1084 if (key->type != EAPOL_KEY_TYPE_WPA) {
1085 wpa_printf(MSG_DEBUG,
1086 "Ignore EAPOL-Key with unexpected type %d in WPA mode",
1087 key->type);
1088 return;
1089 }
1090 }
1091
1092 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
1093 WPA_NONCE_LEN);
1094 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
1095 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1096
1097 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
1098 * are set */
1099
1100 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
1101 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message");
1102 return;
1103 }
1104
1105 if (key_info & WPA_KEY_INFO_REQUEST) {
1106 msg = REQUEST;
1107 msgtxt = "Request";
1108 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
1109 msg = GROUP_2;
1110 msgtxt = "2/2 Group";
1111 } else if (key_data_length == 0 ||
1112 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1113 key_data_length == AES_BLOCK_SIZE)) {
1114 msg = PAIRWISE_4;
1115 msgtxt = "4/4 Pairwise";
1116 } else {
1117 msg = PAIRWISE_2;
1118 msgtxt = "2/4 Pairwise";
1119 }
1120
1121 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1122 msg == GROUP_2) {
1123 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
1124 if (sm->pairwise == WPA_CIPHER_CCMP ||
1125 sm->pairwise == WPA_CIPHER_GCMP) {
1126 if (wpa_use_cmac(sm->wpa_key_mgmt) &&
1127 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1128 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1129 wpa_auth_logger(wpa_auth, sm->addr,
1130 LOGGER_WARNING,
1131 "advertised support for AES-128-CMAC, but did not use it");
1132 return;
1133 }
1134
1135 if (!wpa_use_cmac(sm->wpa_key_mgmt) &&
1136 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1137 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1138 wpa_auth_logger(wpa_auth, sm->addr,
1139 LOGGER_WARNING,
1140 "did not use HMAC-SHA1-AES with CCMP/GCMP");
1141 return;
1142 }
1143 }
1144
1145 if (wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1146 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1147 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1148 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1149 return;
1150 }
1151 }
1152
1153 if (key_info & WPA_KEY_INFO_REQUEST) {
1154 if (sm->req_replay_counter_used &&
1155 os_memcmp(key->replay_counter, sm->req_replay_counter,
1156 WPA_REPLAY_COUNTER_LEN) <= 0) {
1157 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1158 "received EAPOL-Key request with replayed counter");
1159 return;
1160 }
1161 }
1162
1163 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
1164 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
1165 int i;
1166
1167 if (msg == PAIRWISE_2 &&
1168 wpa_replay_counter_valid(sm->prev_key_replay,
1169 key->replay_counter) &&
1170 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1171 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1172 {
1173 /*
1174 * Some supplicant implementations (e.g., Windows XP
1175 * WZC) update SNonce for each EAPOL-Key 2/4. This
1176 * breaks the workaround on accepting any of the
1177 * pending requests, so allow the SNonce to be updated
1178 * even if we have already sent out EAPOL-Key 3/4.
1179 */
1180 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1181 "Process SNonce update from STA based on retransmitted EAPOL-Key 1/4");
1182 sm->update_snonce = 1;
1183 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1184 sm->alt_snonce_valid = true;
1185 os_memcpy(sm->alt_replay_counter,
1186 sm->key_replay[0].counter,
1187 WPA_REPLAY_COUNTER_LEN);
1188 goto continue_processing;
1189 }
1190
1191 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1192 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1193 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1194 WPA_REPLAY_COUNTER_LEN) == 0) {
1195 /*
1196 * Supplicant may still be using the old SNonce since
1197 * there was two EAPOL-Key 2/4 messages and they had
1198 * different SNonce values.
1199 */
1200 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1201 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
1202 goto continue_processing;
1203 }
1204
1205 if (msg == PAIRWISE_2 &&
1206 wpa_replay_counter_valid(sm->prev_key_replay,
1207 key->replay_counter) &&
1208 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1209 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1210 "ignore retransmitted EAPOL-Key %s - SNonce did not change",
1211 msgtxt);
1212 } else {
1213 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1214 "received EAPOL-Key %s with unexpected replay counter",
1215 msgtxt);
1216 }
1217 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1218 if (!sm->key_replay[i].valid)
1219 break;
1220 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1221 sm->key_replay[i].counter,
1222 WPA_REPLAY_COUNTER_LEN);
1223 }
1224 wpa_hexdump(MSG_DEBUG, "received replay counter",
1225 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1226 return;
1227 }
1228
1229 continue_processing:
1230 #ifdef CONFIG_FILS
1231 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1232 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1233 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1234 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1235 return;
1236 }
1237 #endif /* CONFIG_FILS */
1238
1239 switch (msg) {
1240 case PAIRWISE_2:
1241 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
1242 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1243 (!sm->update_snonce ||
1244 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
1245 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1246 "received EAPOL-Key msg 2/4 in invalid state (%d) - dropped",
1247 sm->wpa_ptk_state);
1248 return;
1249 }
1250 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
1251 if (sm->group->reject_4way_hs_for_entropy) {
1252 /*
1253 * The system did not have enough entropy to generate
1254 * strong random numbers. Reject the first 4-way
1255 * handshake(s) and collect some entropy based on the
1256 * information from it. Once enough entropy is
1257 * available, the next atempt will trigger GMK/Key
1258 * Counter update and the station will be allowed to
1259 * continue.
1260 */
1261 wpa_printf(MSG_DEBUG,
1262 "WPA: Reject 4-way handshake to collect more entropy for random number generation");
1263 random_mark_pool_ready();
1264 wpa_sta_disconnect(wpa_auth, sm->addr,
1265 WLAN_REASON_PREV_AUTH_NOT_VALID);
1266 return;
1267 }
1268 break;
1269 case PAIRWISE_4:
1270 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1271 !sm->PTK_valid) {
1272 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1273 "received EAPOL-Key msg 4/4 in invalid state (%d) - dropped",
1274 sm->wpa_ptk_state);
1275 return;
1276 }
1277 break;
1278 case GROUP_2:
1279 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1280 || !sm->PTK_valid) {
1281 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1282 "received EAPOL-Key msg 2/2 in invalid state (%d) - dropped",
1283 sm->wpa_ptk_group_state);
1284 return;
1285 }
1286 break;
1287 case REQUEST:
1288 break;
1289 }
1290
1291 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1292 "received EAPOL-Key frame (%s)", msgtxt);
1293
1294 if (key_info & WPA_KEY_INFO_ACK) {
1295 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1296 "received invalid EAPOL-Key: Key Ack set");
1297 return;
1298 }
1299
1300 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1301 !(key_info & WPA_KEY_INFO_MIC)) {
1302 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1303 "received invalid EAPOL-Key: Key MIC not set");
1304 return;
1305 }
1306
1307 #ifdef CONFIG_FILS
1308 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1309 (key_info & WPA_KEY_INFO_MIC)) {
1310 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1311 "received invalid EAPOL-Key: Key MIC set");
1312 return;
1313 }
1314 #endif /* CONFIG_FILS */
1315
1316 sm->MICVerified = false;
1317 if (sm->PTK_valid && !sm->update_snonce) {
1318 if (mic_len &&
1319 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK,
1320 data, data_len) &&
1321 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1322 wpa_try_alt_snonce(sm, data, data_len))) {
1323 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1324 "received EAPOL-Key with invalid MIC");
1325 #ifdef TEST_FUZZ
1326 wpa_printf(MSG_INFO,
1327 "TEST: Ignore Key MIC failure for fuzz testing");
1328 goto continue_fuzz;
1329 #endif /* TEST_FUZZ */
1330 return;
1331 }
1332 #ifdef CONFIG_FILS
1333 if (!mic_len &&
1334 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1335 &key_data_length) < 0) {
1336 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1337 "received EAPOL-Key with invalid MIC");
1338 #ifdef TEST_FUZZ
1339 wpa_printf(MSG_INFO,
1340 "TEST: Ignore Key MIC failure for fuzz testing");
1341 goto continue_fuzz;
1342 #endif /* TEST_FUZZ */
1343 return;
1344 }
1345 #endif /* CONFIG_FILS */
1346 #ifdef TEST_FUZZ
1347 continue_fuzz:
1348 #endif /* TEST_FUZZ */
1349 sm->MICVerified = true;
1350 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1351 sm->pending_1_of_4_timeout = 0;
1352 }
1353
1354 if (key_info & WPA_KEY_INFO_REQUEST) {
1355 if (sm->MICVerified) {
1356 sm->req_replay_counter_used = 1;
1357 os_memcpy(sm->req_replay_counter, key->replay_counter,
1358 WPA_REPLAY_COUNTER_LEN);
1359 } else {
1360 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1361 "received EAPOL-Key request with invalid MIC");
1362 return;
1363 }
1364
1365 /*
1366 * TODO: should decrypt key data field if encryption was used;
1367 * even though MAC address KDE is not normally encrypted,
1368 * supplicant is allowed to encrypt it.
1369 */
1370 if (key_info & WPA_KEY_INFO_ERROR) {
1371 if (wpa_receive_error_report(
1372 wpa_auth, sm,
1373 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1374 return; /* STA entry was removed */
1375 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1376 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1377 "received EAPOL-Key Request for new 4-Way Handshake");
1378 wpa_request_new_ptk(sm);
1379 } else if (key_data_length > 0 &&
1380 wpa_parse_kde_ies(key_data, key_data_length,
1381 &kde) == 0 &&
1382 kde.mac_addr) {
1383 } else {
1384 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1385 "received EAPOL-Key Request for GTK rekeying");
1386 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1387 if (wpa_auth_gtk_rekey_in_process(wpa_auth))
1388 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG,
1389 "skip new GTK rekey - already in process");
1390 else
1391 wpa_rekey_gtk(wpa_auth, NULL);
1392 }
1393 } else {
1394 /* Do not allow the same key replay counter to be reused. */
1395 wpa_replay_counter_mark_invalid(sm->key_replay,
1396 key->replay_counter);
1397
1398 if (msg == PAIRWISE_2) {
1399 /*
1400 * Maintain a copy of the pending EAPOL-Key frames in
1401 * case the EAPOL-Key frame was retransmitted. This is
1402 * needed to allow EAPOL-Key msg 2/4 reply to another
1403 * pending msg 1/4 to update the SNonce to work around
1404 * unexpected supplicant behavior.
1405 */
1406 os_memcpy(sm->prev_key_replay, sm->key_replay,
1407 sizeof(sm->key_replay));
1408 } else {
1409 os_memset(sm->prev_key_replay, 0,
1410 sizeof(sm->prev_key_replay));
1411 }
1412
1413 /*
1414 * Make sure old valid counters are not accepted anymore and
1415 * do not get copied again.
1416 */
1417 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1418 }
1419
1420 os_free(sm->last_rx_eapol_key);
1421 sm->last_rx_eapol_key = os_memdup(data, data_len);
1422 if (!sm->last_rx_eapol_key)
1423 return;
1424 sm->last_rx_eapol_key_len = data_len;
1425
1426 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1427 sm->EAPOLKeyReceived = true;
1428 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1429 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1430 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1431 wpa_sm_step(sm);
1432 }
1433
1434
wpa_gmk_to_gtk(const u8 * gmk,const char * label,const u8 * addr,const u8 * gnonce,u8 * gtk,size_t gtk_len)1435 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1436 const u8 *gnonce, u8 *gtk, size_t gtk_len)
1437 {
1438 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN];
1439 u8 *pos;
1440 int ret = 0;
1441
1442 /* GTK = PRF-X(GMK, "Group key expansion",
1443 * AA || GNonce || Time || random data)
1444 * The example described in the IEEE 802.11 standard uses only AA and
1445 * GNonce as inputs here. Add some more entropy since this derivation
1446 * is done only at the Authenticator and as such, does not need to be
1447 * exactly same.
1448 */
1449 os_memset(data, 0, sizeof(data));
1450 os_memcpy(data, addr, ETH_ALEN);
1451 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1452 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1453 wpa_get_ntp_timestamp(pos);
1454 #ifdef TEST_FUZZ
1455 os_memset(pos, 0xef, 8);
1456 #endif /* TEST_FUZZ */
1457 pos += 8;
1458 if (random_get_bytes(pos, gtk_len) < 0)
1459 ret = -1;
1460
1461 #ifdef CONFIG_SHA384
1462 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1463 gtk, gtk_len) < 0)
1464 ret = -1;
1465 #else /* CONFIG_SHA384 */
1466 #ifdef CONFIG_SHA256
1467 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1468 gtk, gtk_len) < 0)
1469 ret = -1;
1470 #else /* CONFIG_SHA256 */
1471 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1472 gtk, gtk_len) < 0)
1473 ret = -1;
1474 #endif /* CONFIG_SHA256 */
1475 #endif /* CONFIG_SHA384 */
1476
1477 forced_memzero(data, sizeof(data));
1478
1479 return ret;
1480 }
1481
1482
wpa_send_eapol_timeout(void * eloop_ctx,void * timeout_ctx)1483 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1484 {
1485 struct wpa_authenticator *wpa_auth = eloop_ctx;
1486 struct wpa_state_machine *sm = timeout_ctx;
1487
1488 if (sm->waiting_radius_psk) {
1489 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1490 "Ignore EAPOL-Key timeout while waiting for RADIUS PSK");
1491 return;
1492 }
1493
1494 sm->pending_1_of_4_timeout = 0;
1495 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1496 sm->TimeoutEvt = true;
1497 wpa_sm_step(sm);
1498 }
1499
1500
__wpa_send_eapol(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int key_info,const u8 * key_rsc,const u8 * nonce,const u8 * kde,size_t kde_len,int keyidx,int encr,int force_version)1501 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1502 struct wpa_state_machine *sm, int key_info,
1503 const u8 *key_rsc, const u8 *nonce,
1504 const u8 *kde, size_t kde_len,
1505 int keyidx, int encr, int force_version)
1506 {
1507 struct wpa_auth_config *conf = &wpa_auth->conf;
1508 struct ieee802_1x_hdr *hdr;
1509 struct wpa_eapol_key *key;
1510 size_t len, mic_len, keyhdrlen;
1511 int alg;
1512 int key_data_len, pad_len = 0;
1513 u8 *buf, *pos;
1514 int version, pairwise;
1515 int i;
1516 u8 *key_mic, *key_data;
1517
1518 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
1519 keyhdrlen = sizeof(*key) + mic_len + 2;
1520
1521 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
1522
1523 if (force_version)
1524 version = force_version;
1525 else if (wpa_use_akm_defined(sm->wpa_key_mgmt))
1526 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
1527 else if (wpa_use_cmac(sm->wpa_key_mgmt))
1528 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1529 else if (sm->pairwise != WPA_CIPHER_TKIP)
1530 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1531 else
1532 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1533
1534 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1535
1536 wpa_printf(MSG_DEBUG,
1537 "WPA: Send EAPOL(version=%d secure=%d mic=%d ack=%d install=%d pairwise=%d kde_len=%zu keyidx=%d encr=%d)",
1538 version,
1539 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1540 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1541 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1542 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1543 pairwise, kde_len, keyidx, encr);
1544
1545 key_data_len = kde_len;
1546
1547 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1548 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
1549 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1550 pad_len = key_data_len % 8;
1551 if (pad_len)
1552 pad_len = 8 - pad_len;
1553 key_data_len += pad_len + 8;
1554 }
1555
1556 len += key_data_len;
1557 if (!mic_len && encr)
1558 len += AES_BLOCK_SIZE;
1559
1560 hdr = os_zalloc(len);
1561 if (!hdr)
1562 return;
1563 hdr->version = conf->eapol_version;
1564 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1565 hdr->length = host_to_be16(len - sizeof(*hdr));
1566 key = (struct wpa_eapol_key *) (hdr + 1);
1567 key_mic = (u8 *) (key + 1);
1568 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
1569
1570 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1571 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1572 key_info |= version;
1573 if (encr && sm->wpa == WPA_VERSION_WPA2)
1574 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1575 if (sm->wpa != WPA_VERSION_WPA2)
1576 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1577 WPA_PUT_BE16(key->key_info, key_info);
1578
1579 alg = pairwise ? sm->pairwise : conf->wpa_group;
1580 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise)
1581 WPA_PUT_BE16(key->key_length, 0);
1582 else
1583 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
1584
1585 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1586 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1587 os_memcpy(sm->key_replay[i].counter,
1588 sm->key_replay[i - 1].counter,
1589 WPA_REPLAY_COUNTER_LEN);
1590 }
1591 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1592 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
1593 WPA_REPLAY_COUNTER_LEN);
1594 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1595 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1596 sm->key_replay[0].valid = true;
1597
1598 if (nonce)
1599 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1600
1601 if (key_rsc)
1602 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1603
1604 if (kde && !encr) {
1605 os_memcpy(key_data, kde, kde_len);
1606 WPA_PUT_BE16(key_mic + mic_len, kde_len);
1607 #ifdef CONFIG_FILS
1608 } else if (!mic_len && kde) {
1609 const u8 *aad[1];
1610 size_t aad_len[1];
1611
1612 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1613 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1614 kde, kde_len);
1615
1616 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1617 sm->PTK.kek, sm->PTK.kek_len);
1618 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1619 * to Key Data (exclusive). */
1620 aad[0] = (u8 *) hdr;
1621 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1622 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1623 1, aad, aad_len, key_mic + 2) < 0) {
1624 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1625 return;
1626 }
1627
1628 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1629 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1630 #endif /* CONFIG_FILS */
1631 } else if (encr && kde) {
1632 buf = os_zalloc(key_data_len);
1633 if (!buf) {
1634 os_free(hdr);
1635 return;
1636 }
1637 pos = buf;
1638 os_memcpy(pos, kde, kde_len);
1639 pos += kde_len;
1640
1641 if (pad_len)
1642 *pos++ = 0xdd;
1643
1644 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1645 buf, key_data_len);
1646 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1647 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
1648 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1649 wpa_printf(MSG_DEBUG,
1650 "WPA: Encrypt Key Data using AES-WRAP (KEK length %zu)",
1651 sm->PTK.kek_len);
1652 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
1653 (key_data_len - 8) / 8, buf, key_data)) {
1654 os_free(hdr);
1655 bin_clear_free(buf, key_data_len);
1656 return;
1657 }
1658 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
1659 #ifndef CONFIG_NO_RC4
1660 } else if (sm->PTK.kek_len == 16) {
1661 u8 ek[32];
1662
1663 wpa_printf(MSG_DEBUG,
1664 "WPA: Encrypt Key Data using RC4");
1665 os_memcpy(key->key_iv,
1666 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1667 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1668 os_memcpy(ek, key->key_iv, 16);
1669 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
1670 os_memcpy(key_data, buf, key_data_len);
1671 rc4_skip(ek, 32, 256, key_data, key_data_len);
1672 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
1673 #endif /* CONFIG_NO_RC4 */
1674 } else {
1675 os_free(hdr);
1676 bin_clear_free(buf, key_data_len);
1677 return;
1678 }
1679 bin_clear_free(buf, key_data_len);
1680 }
1681
1682 if (key_info & WPA_KEY_INFO_MIC) {
1683 if (!sm->PTK_valid || !mic_len) {
1684 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1685 "PTK not valid when sending EAPOL-Key frame");
1686 os_free(hdr);
1687 return;
1688 }
1689
1690 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1691 sm->wpa_key_mgmt, version,
1692 (u8 *) hdr, len, key_mic) < 0) {
1693 os_free(hdr);
1694 return;
1695 }
1696 #ifdef CONFIG_TESTING_OPTIONS
1697 if (!pairwise &&
1698 conf->corrupt_gtk_rekey_mic_probability > 0.0 &&
1699 drand48() < conf->corrupt_gtk_rekey_mic_probability) {
1700 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1701 "Corrupting group EAPOL-Key Key MIC");
1702 key_mic[0]++;
1703 }
1704 #endif /* CONFIG_TESTING_OPTIONS */
1705 }
1706
1707 wpa_auth_set_eapol(wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1);
1708 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1709 sm->pairwise_set);
1710 os_free(hdr);
1711 }
1712
1713
wpa_send_eapol(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int key_info,const u8 * key_rsc,const u8 * nonce,const u8 * kde,size_t kde_len,int keyidx,int encr)1714 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1715 struct wpa_state_machine *sm, int key_info,
1716 const u8 *key_rsc, const u8 *nonce,
1717 const u8 *kde, size_t kde_len,
1718 int keyidx, int encr)
1719 {
1720 int timeout_ms;
1721 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1722 u32 ctr;
1723
1724 if (!sm)
1725 return;
1726
1727 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1728 keyidx, encr, 0);
1729
1730 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
1731 if (ctr == 1 && wpa_auth->conf.tx_status)
1732 timeout_ms = pairwise ? eapol_key_timeout_first :
1733 eapol_key_timeout_first_group;
1734 else
1735 timeout_ms = eapol_key_timeout_subseq;
1736 if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
1737 (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
1738 timeout_ms = eapol_key_timeout_no_retrans;
1739 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1740 sm->pending_1_of_4_timeout = 1;
1741 #ifdef TEST_FUZZ
1742 timeout_ms = 1;
1743 #endif /* TEST_FUZZ */
1744 #ifdef CONFIG_TESTING_OPTIONS
1745 if(wpa_auth->conf.enable_eapol_large_timeout) {
1746 timeout_ms = 50 * 1000;
1747 }
1748 #endif
1749 wpa_printf(MSG_DEBUG,
1750 "WPA: Use EAPOL-Key timeout of %u ms (retry counter %u)",
1751 timeout_ms, ctr);
1752 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1753 wpa_send_eapol_timeout, wpa_auth, sm);
1754 }
1755
1756
wpa_verify_key_mic(int akmp,size_t pmk_len,struct wpa_ptk * PTK,u8 * data,size_t data_len)1757 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
1758 u8 *data, size_t data_len)
1759 {
1760 struct ieee802_1x_hdr *hdr;
1761 struct wpa_eapol_key *key;
1762 u16 key_info;
1763 int ret = 0;
1764 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
1765 size_t mic_len = wpa_mic_len(akmp, pmk_len);
1766
1767 if (data_len < sizeof(*hdr) + sizeof(*key))
1768 return -1;
1769
1770 hdr = (struct ieee802_1x_hdr *) data;
1771 key = (struct wpa_eapol_key *) (hdr + 1);
1772 mic_pos = (u8 *) (key + 1);
1773 key_info = WPA_GET_BE16(key->key_info);
1774 os_memcpy(mic, mic_pos, mic_len);
1775 os_memset(mic_pos, 0, mic_len);
1776 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1777 key_info & WPA_KEY_INFO_TYPE_MASK,
1778 data, data_len, mic_pos) ||
1779 os_memcmp_const(mic, mic_pos, mic_len) != 0)
1780 ret = -1;
1781 os_memcpy(mic_pos, mic, mic_len);
1782 return ret;
1783 }
1784
1785
wpa_remove_ptk(struct wpa_state_machine * sm)1786 void wpa_remove_ptk(struct wpa_state_machine *sm)
1787 {
1788 sm->PTK_valid = false;
1789 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1790
1791 wpa_auth_remove_ptksa(sm->wpa_auth, sm->addr, sm->pairwise);
1792
1793 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1794 0, KEY_FLAG_PAIRWISE))
1795 wpa_printf(MSG_DEBUG,
1796 "RSN: PTK removal from the driver failed");
1797 if (sm->use_ext_key_id &&
1798 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 1, NULL,
1799 0, KEY_FLAG_PAIRWISE))
1800 wpa_printf(MSG_DEBUG,
1801 "RSN: PTK Key ID 1 removal from the driver failed");
1802 sm->pairwise_set = false;
1803 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
1804 }
1805
1806
wpa_auth_sm_event(struct wpa_state_machine * sm,enum wpa_event event)1807 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
1808 {
1809 int remove_ptk = 1;
1810
1811 if (!sm)
1812 return -1;
1813
1814 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1815 "event %d notification", event);
1816
1817 switch (event) {
1818 case WPA_AUTH:
1819 #ifdef CONFIG_MESH
1820 /* PTKs are derived through AMPE */
1821 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1822 /* not mesh */
1823 break;
1824 }
1825 return 0;
1826 #endif /* CONFIG_MESH */
1827 case WPA_ASSOC:
1828 break;
1829 case WPA_DEAUTH:
1830 case WPA_DISASSOC:
1831 sm->DeauthenticationRequest = true;
1832 os_memset(sm->PMK, 0, sizeof(sm->PMK));
1833 sm->pmk_len = 0;
1834 #ifdef CONFIG_IEEE80211R_AP
1835 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
1836 sm->xxkey_len = 0;
1837 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
1838 sm->pmk_r1_len = 0;
1839 #endif /* CONFIG_IEEE80211R_AP */
1840 break;
1841 case WPA_REAUTH:
1842 case WPA_REAUTH_EAPOL:
1843 if (!sm->started) {
1844 /*
1845 * When using WPS, we may end up here if the STA
1846 * manages to re-associate without the previous STA
1847 * entry getting removed. Consequently, we need to make
1848 * sure that the WPA state machines gets initialized
1849 * properly at this point.
1850 */
1851 wpa_printf(MSG_DEBUG,
1852 "WPA state machine had not been started - initialize now");
1853 sm->started = 1;
1854 sm->Init = true;
1855 if (wpa_sm_step(sm) == 1)
1856 return 1; /* should not really happen */
1857 sm->Init = false;
1858 sm->AuthenticationRequest = true;
1859 break;
1860 }
1861
1862 if (sm->ptkstart_without_success > 3) {
1863 wpa_printf(MSG_INFO,
1864 "WPA: Multiple EAP reauth attempts without 4-way handshake completion, disconnect "
1865 MACSTR, MAC2STR(sm->addr));
1866 sm->Disconnect = true;
1867 break;
1868 }
1869
1870 if (!sm->use_ext_key_id &&
1871 sm->wpa_auth->conf.wpa_deny_ptk0_rekey) {
1872 wpa_printf(MSG_INFO,
1873 "WPA: PTK0 rekey not allowed, disconnect "
1874 MACSTR, MAC2STR(sm->addr));
1875 sm->Disconnect = true;
1876 /* Try to encourage the STA to reconnect */
1877 sm->disconnect_reason =
1878 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA;
1879 break;
1880 }
1881
1882 if (sm->use_ext_key_id)
1883 sm->keyidx_active ^= 1; /* flip Key ID */
1884
1885 if (sm->GUpdateStationKeys) {
1886 /*
1887 * Reauthentication cancels the pending group key
1888 * update for this STA.
1889 */
1890 sm->group->GKeyDoneStations--;
1891 sm->GUpdateStationKeys = false;
1892 sm->PtkGroupInit = true;
1893 }
1894 sm->ReAuthenticationRequest = true;
1895 break;
1896 case WPA_ASSOC_FT:
1897 #ifdef CONFIG_IEEE80211R_AP
1898 wpa_printf(MSG_DEBUG,
1899 "FT: Retry PTK configuration after association");
1900 wpa_ft_install_ptk(sm, 1);
1901
1902 /* Using FT protocol, not WPA auth state machine */
1903 sm->ft_completed = 1;
1904 wpa_auth_set_ptk_rekey_timer(sm);
1905 return 0;
1906 #else /* CONFIG_IEEE80211R_AP */
1907 break;
1908 #endif /* CONFIG_IEEE80211R_AP */
1909 case WPA_ASSOC_FILS:
1910 #ifdef CONFIG_FILS
1911 wpa_printf(MSG_DEBUG,
1912 "FILS: TK configuration after association");
1913 fils_set_tk(sm);
1914 sm->fils_completed = 1;
1915 return 0;
1916 #else /* CONFIG_FILS */
1917 break;
1918 #endif /* CONFIG_FILS */
1919 case WPA_DRV_STA_REMOVED:
1920 sm->tk_already_set = false;
1921 return 0;
1922 }
1923
1924 #ifdef CONFIG_IEEE80211R_AP
1925 sm->ft_completed = 0;
1926 #endif /* CONFIG_IEEE80211R_AP */
1927
1928 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1929 remove_ptk = 0;
1930 #ifdef CONFIG_FILS
1931 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1932 (event == WPA_AUTH || event == WPA_ASSOC))
1933 remove_ptk = 0;
1934 #endif /* CONFIG_FILS */
1935
1936 if (remove_ptk) {
1937 sm->PTK_valid = false;
1938 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1939
1940 if (event != WPA_REAUTH_EAPOL)
1941 wpa_remove_ptk(sm);
1942 }
1943
1944 if (sm->in_step_loop) {
1945 /*
1946 * wpa_sm_step() is already running - avoid recursive call to
1947 * it by making the existing loop process the new update.
1948 */
1949 sm->changed = true;
1950 return 0;
1951 }
1952 return wpa_sm_step(sm);
1953 }
1954
1955
SM_STATE(WPA_PTK,INITIALIZE)1956 SM_STATE(WPA_PTK, INITIALIZE)
1957 {
1958 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1959 if (sm->Init) {
1960 /* Init flag is not cleared here, so avoid busy
1961 * loop by claiming nothing changed. */
1962 sm->changed = false;
1963 }
1964
1965 sm->keycount = 0;
1966 if (sm->GUpdateStationKeys)
1967 sm->group->GKeyDoneStations--;
1968 sm->GUpdateStationKeys = false;
1969 if (sm->wpa == WPA_VERSION_WPA)
1970 sm->PInitAKeys = false;
1971 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1972 * Local AA > Remote AA)) */) {
1973 sm->Pair = true;
1974 }
1975 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1976 wpa_remove_ptk(sm);
1977 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1978 sm->TimeoutCtr = 0;
1979 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
1980 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
1981 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
1982 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1983 WPA_EAPOL_authorized, 0);
1984 }
1985 }
1986
1987
SM_STATE(WPA_PTK,DISCONNECT)1988 SM_STATE(WPA_PTK, DISCONNECT)
1989 {
1990 u16 reason = sm->disconnect_reason;
1991
1992 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1993 sm->Disconnect = false;
1994 sm->disconnect_reason = 0;
1995 if (!reason)
1996 reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
1997 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason);
1998 }
1999
2000
SM_STATE(WPA_PTK,DISCONNECTED)2001 SM_STATE(WPA_PTK, DISCONNECTED)
2002 {
2003 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
2004 sm->DeauthenticationRequest = false;
2005 }
2006
2007
SM_STATE(WPA_PTK,AUTHENTICATION)2008 SM_STATE(WPA_PTK, AUTHENTICATION)
2009 {
2010 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
2011 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2012 sm->PTK_valid = false;
2013 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
2014 1);
2015 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
2016 sm->AuthenticationRequest = false;
2017 }
2018
2019
wpa_group_ensure_init(struct wpa_authenticator * wpa_auth,struct wpa_group * group)2020 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
2021 struct wpa_group *group)
2022 {
2023 if (group->first_sta_seen)
2024 return;
2025 /*
2026 * System has run bit further than at the time hostapd was started
2027 * potentially very early during boot up. This provides better chances
2028 * of collecting more randomness on embedded systems. Re-initialize the
2029 * GMK and Counter here to improve their strength if there was not
2030 * enough entropy available immediately after system startup.
2031 */
2032 wpa_printf(MSG_DEBUG,
2033 "WPA: Re-initialize GMK/Counter on first station");
2034 if (random_pool_ready() != 1) {
2035 wpa_printf(MSG_INFO,
2036 "WPA: Not enough entropy in random pool to proceed - reject first 4-way handshake");
2037 group->reject_4way_hs_for_entropy = true;
2038 } else {
2039 group->first_sta_seen = true;
2040 group->reject_4way_hs_for_entropy = false;
2041 }
2042
2043 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
2044 wpa_gtk_update(wpa_auth, group) < 0 ||
2045 wpa_group_config_group_keys(wpa_auth, group) < 0) {
2046 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
2047 group->first_sta_seen = false;
2048 group->reject_4way_hs_for_entropy = true;
2049 }
2050 }
2051
2052
SM_STATE(WPA_PTK,AUTHENTICATION2)2053 SM_STATE(WPA_PTK, AUTHENTICATION2)
2054 {
2055 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
2056
2057 wpa_group_ensure_init(sm->wpa_auth, sm->group);
2058 sm->ReAuthenticationRequest = false;
2059
2060 /*
2061 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
2062 * ambiguous. The Authenticator state machine uses a counter that is
2063 * incremented by one for each 4-way handshake. However, the security
2064 * analysis of 4-way handshake points out that unpredictable nonces
2065 * help in preventing precomputation attacks. Instead of the state
2066 * machine definition, use an unpredictable nonce value here to provide
2067 * stronger protection against potential precomputation attacks.
2068 */
2069 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
2070 wpa_printf(MSG_ERROR,
2071 "WPA: Failed to get random data for ANonce.");
2072 sm->Disconnect = true;
2073 return;
2074 }
2075 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
2076 WPA_NONCE_LEN);
2077 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
2078 * logical place than INITIALIZE since AUTHENTICATION2 can be
2079 * re-entered on ReAuthenticationRequest without going through
2080 * INITIALIZE. */
2081 sm->TimeoutCtr = 0;
2082 }
2083
2084
wpa_auth_sm_ptk_update(struct wpa_state_machine * sm)2085 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
2086 {
2087 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
2088 wpa_printf(MSG_ERROR,
2089 "WPA: Failed to get random data for ANonce");
2090 sm->Disconnect = true;
2091 return -1;
2092 }
2093 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
2094 WPA_NONCE_LEN);
2095 sm->TimeoutCtr = 0;
2096 return 0;
2097 }
2098
2099
SM_STATE(WPA_PTK,INITPMK)2100 SM_STATE(WPA_PTK, INITPMK)
2101 {
2102 u8 msk[2 * PMK_LEN];
2103 size_t len = 2 * PMK_LEN;
2104
2105 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
2106 #ifdef CONFIG_IEEE80211R_AP
2107 sm->xxkey_len = 0;
2108 #endif /* CONFIG_IEEE80211R_AP */
2109 if (sm->pmksa) {
2110 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
2111 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2112 sm->pmk_len = sm->pmksa->pmk_len;
2113 #ifdef CONFIG_DPP
2114 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
2115 wpa_printf(MSG_DEBUG,
2116 "DPP: No PMKSA cache entry for STA - reject connection");
2117 sm->Disconnect = true;
2118 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID;
2119 return;
2120 #endif /* CONFIG_DPP */
2121 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
2122 unsigned int pmk_len;
2123
2124 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
2125 pmk_len = PMK_LEN_SUITE_B_192;
2126 else
2127 pmk_len = PMK_LEN;
2128 wpa_printf(MSG_DEBUG,
2129 "WPA: PMK from EAPOL state machine (MSK len=%zu PMK len=%u)",
2130 len, pmk_len);
2131 if (len < pmk_len) {
2132 wpa_printf(MSG_DEBUG,
2133 "WPA: MSK not long enough (%zu) to create PMK (%u)",
2134 len, pmk_len);
2135 sm->Disconnect = true;
2136 return;
2137 }
2138 os_memcpy(sm->PMK, msk, pmk_len);
2139 sm->pmk_len = pmk_len;
2140 #ifdef CONFIG_IEEE80211R_AP
2141 if (len >= 2 * PMK_LEN) {
2142 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
2143 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN);
2144 sm->xxkey_len = SHA384_MAC_LEN;
2145 } else {
2146 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
2147 sm->xxkey_len = PMK_LEN;
2148 }
2149 }
2150 #endif /* CONFIG_IEEE80211R_AP */
2151 } else {
2152 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
2153 sm->wpa_auth->cb->get_msk);
2154 sm->Disconnect = true;
2155 return;
2156 }
2157 forced_memzero(msk, sizeof(msk));
2158
2159 sm->req_replay_counter_used = 0;
2160 /* IEEE 802.11i does not set keyRun to false, but not doing this
2161 * will break reauthentication since EAPOL state machines may not be
2162 * get into AUTHENTICATING state that clears keyRun before WPA state
2163 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
2164 * state and takes PMK from the previously used AAA Key. This will
2165 * eventually fail in 4-Way Handshake because Supplicant uses PMK
2166 * derived from the new AAA Key. Setting keyRun = false here seems to
2167 * be good workaround for this issue. */
2168 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, false);
2169 }
2170
2171
SM_STATE(WPA_PTK,INITPSK)2172 SM_STATE(WPA_PTK, INITPSK)
2173 {
2174 const u8 *psk;
2175 size_t psk_len;
2176
2177 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
2178 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL,
2179 &psk_len, NULL);
2180 if (psk) {
2181 os_memcpy(sm->PMK, psk, psk_len);
2182 sm->pmk_len = psk_len;
2183 #ifdef CONFIG_IEEE80211R_AP
2184 os_memcpy(sm->xxkey, psk, PMK_LEN);
2185 sm->xxkey_len = PMK_LEN;
2186 #endif /* CONFIG_IEEE80211R_AP */
2187 }
2188 #ifdef CONFIG_SAE
2189 if (wpa_auth_uses_sae(sm) && sm->pmksa) {
2190 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache");
2191 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2192 sm->pmk_len = sm->pmksa->pmk_len;
2193 #ifdef CONFIG_IEEE80211R_AP
2194 os_memcpy(sm->xxkey, sm->pmksa->pmk, sm->pmksa->pmk_len);
2195 sm->xxkey_len = sm->pmksa->pmk_len;
2196 #endif /* CONFIG_IEEE80211R_AP */
2197 }
2198 #endif /* CONFIG_SAE */
2199 sm->req_replay_counter_used = 0;
2200 }
2201
2202
SM_STATE(WPA_PTK,PTKSTART)2203 SM_STATE(WPA_PTK, PTKSTART)
2204 {
2205 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
2206 size_t pmkid_len = 0;
2207
2208 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2209 sm->PTKRequest = false;
2210 sm->TimeoutEvt = false;
2211 sm->alt_snonce_valid = false;
2212 sm->ptkstart_without_success++;
2213
2214 sm->TimeoutCtr++;
2215 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
2216 /* No point in sending the EAPOL-Key - we will disconnect
2217 * immediately following this. */
2218 return;
2219 }
2220
2221 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2222 "sending 1/4 msg of 4-Way Handshake");
2223 /*
2224 * For infrastructure BSS cases, it is better for the AP not to include
2225 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate
2226 * offline search for the passphrase/PSK without having to be able to
2227 * capture a 4-way handshake from a STA that has access to the network.
2228 *
2229 * For IBSS cases, addition of PMKID KDE could be considered even with
2230 * WPA2-PSK cases that use multiple PSKs, but only if there is a single
2231 * possible PSK for this STA. However, this should not be done unless
2232 * there is support for using that information on the supplicant side.
2233 * The concern about exposing PMKID unnecessarily in infrastructure BSS
2234 * cases would also apply here, but at least in the IBSS case, this
2235 * would cover a potential real use case.
2236 */
2237 if (sm->wpa == WPA_VERSION_WPA2 &&
2238 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) ||
2239 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) ||
2240 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) &&
2241 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
2242 pmkid = buf;
2243 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2244 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2245 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2246 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
2247 if (sm->pmksa) {
2248 wpa_hexdump(MSG_DEBUG,
2249 "RSN: Message 1/4 PMKID from PMKSA entry",
2250 sm->pmksa->pmkid, PMKID_LEN);
2251 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2252 sm->pmksa->pmkid, PMKID_LEN);
2253 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2254 /* No KCK available to derive PMKID */
2255 wpa_printf(MSG_DEBUG,
2256 "RSN: No KCK available to derive PMKID for message 1/4");
2257 pmkid = NULL;
2258 #ifdef CONFIG_FILS
2259 } else if (wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2260 if (sm->pmkid_set) {
2261 wpa_hexdump(MSG_DEBUG,
2262 "RSN: Message 1/4 PMKID from FILS/ERP",
2263 sm->pmkid, PMKID_LEN);
2264 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2265 sm->pmkid, PMKID_LEN);
2266 } else {
2267 /* No PMKID available */
2268 wpa_printf(MSG_DEBUG,
2269 "RSN: No FILS/ERP PMKID available for message 1/4");
2270 pmkid = NULL;
2271 }
2272 #endif /* CONFIG_FILS */
2273 #ifdef CONFIG_IEEE80211R_AP
2274 } else if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) &&
2275 sm->ft_completed) {
2276 wpa_printf(MSG_DEBUG,
2277 "FT: No PMKID in message 1/4 when using FT protocol");
2278 pmkid = NULL;
2279 #endif /* CONFIG_IEEE80211R_AP */
2280 #ifdef CONFIG_SAE
2281 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
2282 if (sm->pmkid_set) {
2283 wpa_hexdump(MSG_DEBUG,
2284 "RSN: Message 1/4 PMKID from SAE",
2285 sm->pmkid, PMKID_LEN);
2286 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2287 sm->pmkid, PMKID_LEN);
2288 } else {
2289 /* No PMKID available */
2290 wpa_printf(MSG_DEBUG,
2291 "RSN: No SAE PMKID available for message 1/4");
2292 pmkid = NULL;
2293 }
2294 #endif /* CONFIG_SAE */
2295 } else {
2296 /*
2297 * Calculate PMKID since no PMKSA cache entry was
2298 * available with pre-calculated PMKID.
2299 */
2300 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
2301 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
2302 sm->wpa_key_mgmt);
2303 wpa_hexdump(MSG_DEBUG,
2304 "RSN: Message 1/4 PMKID derived from PMK",
2305 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN);
2306 }
2307 }
2308 if (!pmkid)
2309 pmkid_len = 0;
2310 wpa_send_eapol(sm->wpa_auth, sm,
2311 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2312 sm->ANonce, pmkid, pmkid_len, 0, 0);
2313 }
2314
2315
wpa_derive_ptk(struct wpa_state_machine * sm,const u8 * snonce,const u8 * pmk,unsigned int pmk_len,struct wpa_ptk * ptk,int force_sha256)2316 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
2317 const u8 *pmk, unsigned int pmk_len,
2318 struct wpa_ptk *ptk, int force_sha256)
2319 {
2320 const u8 *z = NULL;
2321 size_t z_len = 0, kdk_len;
2322 int akmp;
2323
2324 if (sm->wpa_auth->conf.force_kdk_derivation ||
2325 (sm->wpa_auth->conf.secure_ltf &&
2326 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
2327 kdk_len = WPA_KDK_MAX_LEN;
2328 else
2329 kdk_len = 0;
2330
2331 #ifdef CONFIG_IEEE80211R_AP
2332 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2333 if (sm->ft_completed) {
2334 u8 ptk_name[WPA_PMK_NAME_LEN];
2335
2336 return wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->pmk_r1_len,
2337 sm->SNonce, sm->ANonce,
2338 sm->addr, sm->wpa_auth->addr,
2339 sm->pmk_r1_name,
2340 ptk, ptk_name,
2341 sm->wpa_key_mgmt,
2342 sm->pairwise,
2343 kdk_len);
2344 }
2345 return wpa_auth_derive_ptk_ft(sm, ptk);
2346 }
2347 #endif /* CONFIG_IEEE80211R_AP */
2348
2349 #ifdef CONFIG_DPP2
2350 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
2351 z = wpabuf_head(sm->dpp_z);
2352 z_len = wpabuf_len(sm->dpp_z);
2353 }
2354 #endif /* CONFIG_DPP2 */
2355
2356 akmp = sm->wpa_key_mgmt;
2357 if (force_sha256)
2358 akmp |= WPA_KEY_MGMT_PSK_SHA256;
2359 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
2360 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
2361 ptk, akmp, sm->pairwise, z, z_len, kdk_len);
2362 }
2363
2364
2365 #ifdef CONFIG_FILS
2366
fils_auth_pmk_to_ptk(struct wpa_state_machine * sm,const u8 * pmk,size_t pmk_len,const u8 * snonce,const u8 * anonce,const u8 * dhss,size_t dhss_len,struct wpabuf * g_sta,struct wpabuf * g_ap)2367 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
2368 size_t pmk_len, const u8 *snonce, const u8 *anonce,
2369 const u8 *dhss, size_t dhss_len,
2370 struct wpabuf *g_sta, struct wpabuf *g_ap)
2371 {
2372 u8 ick[FILS_ICK_MAX_LEN];
2373 size_t ick_len;
2374 int res;
2375 u8 fils_ft[FILS_FT_MAX_LEN];
2376 size_t fils_ft_len = 0, kdk_len;
2377
2378 if (sm->wpa_auth->conf.force_kdk_derivation ||
2379 (sm->wpa_auth->conf.secure_ltf &&
2380 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
2381 kdk_len = WPA_KDK_MAX_LEN;
2382 else
2383 kdk_len = 0;
2384
2385 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
2386 snonce, anonce, dhss, dhss_len,
2387 &sm->PTK, ick, &ick_len,
2388 sm->wpa_key_mgmt, sm->pairwise,
2389 fils_ft, &fils_ft_len, kdk_len);
2390 if (res < 0)
2391 return res;
2392 sm->PTK_valid = true;
2393 sm->tk_already_set = false;
2394
2395 #ifdef CONFIG_IEEE80211R_AP
2396 if (fils_ft_len) {
2397 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2398 struct wpa_auth_config *conf = &wpa_auth->conf;
2399 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
2400 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
2401
2402 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
2403 conf->ssid, conf->ssid_len,
2404 conf->mobility_domain,
2405 conf->r0_key_holder,
2406 conf->r0_key_holder_len,
2407 sm->addr, pmk_r0, pmk_r0_name,
2408 use_sha384) < 0)
2409 return -1;
2410
2411 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name);
2412 forced_memzero(fils_ft, sizeof(fils_ft));
2413
2414 res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder,
2415 sm->addr, sm->pmk_r1_name,
2416 use_sha384);
2417 forced_memzero(pmk_r0, PMK_LEN_MAX);
2418 if (res < 0)
2419 return -1;
2420 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name,
2421 WPA_PMK_NAME_LEN);
2422 sm->pmk_r1_name_valid = 1;
2423 }
2424 #endif /* CONFIG_IEEE80211R_AP */
2425
2426 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2427 sm->addr, sm->wpa_auth->addr,
2428 g_sta ? wpabuf_head(g_sta) : NULL,
2429 g_sta ? wpabuf_len(g_sta) : 0,
2430 g_ap ? wpabuf_head(g_ap) : NULL,
2431 g_ap ? wpabuf_len(g_ap) : 0,
2432 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2433 sm->fils_key_auth_ap,
2434 &sm->fils_key_auth_len);
2435 forced_memzero(ick, sizeof(ick));
2436
2437 /* Store nonces for (Re)Association Request/Response frame processing */
2438 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2439 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2440
2441 return res;
2442 }
2443
2444
wpa_aead_decrypt(struct wpa_state_machine * sm,struct wpa_ptk * ptk,u8 * buf,size_t buf_len,u16 * _key_data_len)2445 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
2446 u8 *buf, size_t buf_len, u16 *_key_data_len)
2447 {
2448 struct ieee802_1x_hdr *hdr;
2449 struct wpa_eapol_key *key;
2450 u8 *pos;
2451 u16 key_data_len;
2452 u8 *tmp;
2453 const u8 *aad[1];
2454 size_t aad_len[1];
2455
2456 hdr = (struct ieee802_1x_hdr *) buf;
2457 key = (struct wpa_eapol_key *) (hdr + 1);
2458 pos = (u8 *) (key + 1);
2459 key_data_len = WPA_GET_BE16(pos);
2460 if (key_data_len < AES_BLOCK_SIZE ||
2461 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2462 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2463 "No room for AES-SIV data in the frame");
2464 return -1;
2465 }
2466 pos += 2; /* Pointing at the Encrypted Key Data field */
2467
2468 tmp = os_malloc(key_data_len);
2469 if (!tmp)
2470 return -1;
2471
2472 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2473 * to Key Data (exclusive). */
2474 aad[0] = buf;
2475 aad_len[0] = pos - buf;
2476 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2477 1, aad, aad_len, tmp) < 0) {
2478 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2479 "Invalid AES-SIV data in the frame");
2480 bin_clear_free(tmp, key_data_len);
2481 return -1;
2482 }
2483
2484 /* AEAD decryption and validation completed successfully */
2485 key_data_len -= AES_BLOCK_SIZE;
2486 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2487 tmp, key_data_len);
2488
2489 /* Replace Key Data field with the decrypted version */
2490 os_memcpy(pos, tmp, key_data_len);
2491 pos -= 2; /* Key Data Length field */
2492 WPA_PUT_BE16(pos, key_data_len);
2493 bin_clear_free(tmp, key_data_len);
2494 if (_key_data_len)
2495 *_key_data_len = key_data_len;
2496 return 0;
2497 }
2498
2499
wpa_fils_validate_fils_session(struct wpa_state_machine * sm,const u8 * ies,size_t ies_len,const u8 * fils_session)2500 const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
2501 const u8 *ies, size_t ies_len,
2502 const u8 *fils_session)
2503 {
2504 const u8 *ie, *end;
2505 const u8 *session = NULL;
2506
2507 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2508 wpa_printf(MSG_DEBUG,
2509 "FILS: Not a FILS AKM - reject association");
2510 return NULL;
2511 }
2512
2513 /* Verify Session element */
2514 ie = ies;
2515 end = ((const u8 *) ie) + ies_len;
2516 while (ie + 1 < end) {
2517 if (ie + 2 + ie[1] > end)
2518 break;
2519 if (ie[0] == WLAN_EID_EXTENSION &&
2520 ie[1] >= 1 + FILS_SESSION_LEN &&
2521 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2522 session = ie;
2523 break;
2524 }
2525 ie += 2 + ie[1];
2526 }
2527
2528 if (!session) {
2529 wpa_printf(MSG_DEBUG,
2530 "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
2531 __func__);
2532 return NULL;
2533 }
2534
2535 if (!fils_session) {
2536 wpa_printf(MSG_DEBUG,
2537 "FILS: %s: Could not find FILS Session element in STA entry - reject",
2538 __func__);
2539 return NULL;
2540 }
2541
2542 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2543 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2544 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2545 fils_session, FILS_SESSION_LEN);
2546 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2547 session + 3, FILS_SESSION_LEN);
2548 return NULL;
2549 }
2550 return session;
2551 }
2552
2553
wpa_fils_validate_key_confirm(struct wpa_state_machine * sm,const u8 * ies,size_t ies_len)2554 int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
2555 size_t ies_len)
2556 {
2557 struct ieee802_11_elems elems;
2558
2559 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2560 wpa_printf(MSG_DEBUG,
2561 "FILS: Failed to parse decrypted elements");
2562 return -1;
2563 }
2564
2565 if (!elems.fils_session) {
2566 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
2567 return -1;
2568 }
2569
2570 if (!elems.fils_key_confirm) {
2571 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2572 return -1;
2573 }
2574
2575 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2576 wpa_printf(MSG_DEBUG,
2577 "FILS: Unexpected Key-Auth length %d (expected %zu)",
2578 elems.fils_key_confirm_len,
2579 sm->fils_key_auth_len);
2580 return -1;
2581 }
2582
2583 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2584 sm->fils_key_auth_len) != 0) {
2585 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2586 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2587 elems.fils_key_confirm, elems.fils_key_confirm_len);
2588 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2589 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2590 return -1;
2591 }
2592
2593 return 0;
2594 }
2595
2596
fils_decrypt_assoc(struct wpa_state_machine * sm,const u8 * fils_session,const struct ieee80211_mgmt * mgmt,size_t frame_len,u8 * pos,size_t left)2597 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2598 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2599 u8 *pos, size_t left)
2600 {
2601 u16 fc, stype;
2602 const u8 *end, *ie_start, *ie, *session, *crypt;
2603 const u8 *aad[5];
2604 size_t aad_len[5];
2605
2606 if (!sm || !sm->PTK_valid) {
2607 wpa_printf(MSG_DEBUG,
2608 "FILS: No KEK to decrypt Assocication Request frame");
2609 return -1;
2610 }
2611
2612 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2613 wpa_printf(MSG_DEBUG,
2614 "FILS: Not a FILS AKM - reject association");
2615 return -1;
2616 }
2617
2618 end = ((const u8 *) mgmt) + frame_len;
2619 fc = le_to_host16(mgmt->frame_control);
2620 stype = WLAN_FC_GET_STYPE(fc);
2621 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2622 ie_start = mgmt->u.reassoc_req.variable;
2623 else
2624 ie_start = mgmt->u.assoc_req.variable;
2625 ie = ie_start;
2626
2627 /*
2628 * Find FILS Session element which is the last unencrypted element in
2629 * the frame.
2630 */
2631 session = wpa_fils_validate_fils_session(sm, ie, end - ie,
2632 fils_session);
2633 if (!session) {
2634 wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
2635 return -1;
2636 }
2637
2638 crypt = session + 2 + session[1];
2639
2640 if (end - crypt < AES_BLOCK_SIZE) {
2641 wpa_printf(MSG_DEBUG,
2642 "FILS: Too short frame to include AES-SIV data");
2643 return -1;
2644 }
2645
2646 /* AES-SIV AAD vectors */
2647
2648 /* The STA's MAC address */
2649 aad[0] = mgmt->sa;
2650 aad_len[0] = ETH_ALEN;
2651 /* The AP's BSSID */
2652 aad[1] = mgmt->da;
2653 aad_len[1] = ETH_ALEN;
2654 /* The STA's nonce */
2655 aad[2] = sm->SNonce;
2656 aad_len[2] = FILS_NONCE_LEN;
2657 /* The AP's nonce */
2658 aad[3] = sm->ANonce;
2659 aad_len[3] = FILS_NONCE_LEN;
2660 /*
2661 * The (Re)Association Request frame from the Capability Information
2662 * field to the FILS Session element (both inclusive).
2663 */
2664 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
2665 aad_len[4] = crypt - aad[4];
2666
2667 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
2668 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
2669 wpa_printf(MSG_DEBUG,
2670 "FILS: Invalid AES-SIV data in the frame");
2671 return -1;
2672 }
2673 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2674 pos, left - AES_BLOCK_SIZE);
2675
2676 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
2677 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
2678 return -1;
2679 }
2680
2681 return left - AES_BLOCK_SIZE;
2682 }
2683
2684
fils_encrypt_assoc(struct wpa_state_machine * sm,u8 * buf,size_t current_len,size_t max_len,const struct wpabuf * hlp)2685 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
2686 size_t current_len, size_t max_len,
2687 const struct wpabuf *hlp)
2688 {
2689 u8 *end = buf + max_len;
2690 u8 *pos = buf + current_len;
2691 struct ieee80211_mgmt *mgmt;
2692 struct wpabuf *plain;
2693 const u8 *aad[5];
2694 size_t aad_len[5];
2695
2696 if (!sm || !sm->PTK_valid)
2697 return -1;
2698
2699 wpa_hexdump(MSG_DEBUG,
2700 "FILS: Association Response frame before FILS processing",
2701 buf, current_len);
2702
2703 mgmt = (struct ieee80211_mgmt *) buf;
2704
2705 /* AES-SIV AAD vectors */
2706
2707 /* The AP's BSSID */
2708 aad[0] = mgmt->sa;
2709 aad_len[0] = ETH_ALEN;
2710 /* The STA's MAC address */
2711 aad[1] = mgmt->da;
2712 aad_len[1] = ETH_ALEN;
2713 /* The AP's nonce */
2714 aad[2] = sm->ANonce;
2715 aad_len[2] = FILS_NONCE_LEN;
2716 /* The STA's nonce */
2717 aad[3] = sm->SNonce;
2718 aad_len[3] = FILS_NONCE_LEN;
2719 /*
2720 * The (Re)Association Response frame from the Capability Information
2721 * field (the same offset in both Association and Reassociation
2722 * Response frames) to the FILS Session element (both inclusive).
2723 */
2724 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2725 aad_len[4] = pos - aad[4];
2726
2727 /* The following elements will be encrypted with AES-SIV */
2728 plain = fils_prepare_plainbuf(sm, hlp);
2729 if (!plain) {
2730 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2731 return -1;
2732 }
2733
2734 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2735 wpa_printf(MSG_DEBUG,
2736 "FILS: Not enough room for FILS elements");
2737 wpabuf_clear_free(plain);
2738 return -1;
2739 }
2740
2741 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2742 plain);
2743
2744 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2745 wpabuf_head(plain), wpabuf_len(plain),
2746 5, aad, aad_len, pos) < 0) {
2747 wpabuf_clear_free(plain);
2748 return -1;
2749 }
2750
2751 wpa_hexdump(MSG_DEBUG,
2752 "FILS: Encrypted Association Response elements",
2753 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2754 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2755 wpabuf_clear_free(plain);
2756
2757 sm->fils_completed = 1;
2758
2759 return current_len;
2760 }
2761
2762
fils_prepare_plainbuf(struct wpa_state_machine * sm,const struct wpabuf * hlp)2763 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
2764 const struct wpabuf *hlp)
2765 {
2766 struct wpabuf *plain;
2767 u8 *len, *tmp, *tmp2;
2768 u8 hdr[2];
2769 u8 *gtk, stub_gtk[32];
2770 size_t gtk_len;
2771 struct wpa_group *gsm;
2772 size_t plain_len;
2773 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
2774
2775 plain_len = 1000 + ieee80211w_kde_len(sm);
2776 if (conf->transition_disable)
2777 plain_len += 2 + RSN_SELECTOR_LEN + 1;
2778 plain = wpabuf_alloc(plain_len);
2779 if (!plain)
2780 return NULL;
2781
2782 /* TODO: FILS Public Key */
2783
2784 /* FILS Key Confirmation */
2785 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2786 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2787 /* Element ID Extension */
2788 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2789 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2790
2791 /* FILS HLP Container */
2792 if (hlp)
2793 wpabuf_put_buf(plain, hlp);
2794
2795 /* TODO: FILS IP Address Assignment */
2796
2797 /* Key Delivery */
2798 gsm = sm->group;
2799 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2800 len = wpabuf_put(plain, 1);
2801 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2802 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2803 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2804 /* GTK KDE */
2805 gtk = gsm->GTK[gsm->GN - 1];
2806 gtk_len = gsm->GTK_len;
2807 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
2808 /*
2809 * Provide unique random GTK to each STA to prevent use
2810 * of GTK in the BSS.
2811 */
2812 if (random_get_bytes(stub_gtk, gtk_len) < 0) {
2813 wpabuf_clear_free(plain);
2814 return NULL;
2815 }
2816 gtk = stub_gtk;
2817 }
2818 hdr[0] = gsm->GN & 0x03;
2819 hdr[1] = 0;
2820 tmp = wpabuf_put(plain, 0);
2821 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2822 gtk, gtk_len);
2823 wpabuf_put(plain, tmp2 - tmp);
2824
2825 /* IGTK KDE and BIGTK KDE */
2826 tmp = wpabuf_put(plain, 0);
2827 tmp2 = ieee80211w_kde_add(sm, tmp);
2828 wpabuf_put(plain, tmp2 - tmp);
2829
2830 if (conf->transition_disable) {
2831 tmp = wpabuf_put(plain, 0);
2832 tmp2 = wpa_add_kde(tmp, WFA_KEY_DATA_TRANSITION_DISABLE,
2833 &conf->transition_disable, 1, NULL, 0);
2834 wpabuf_put(plain, tmp2 - tmp);
2835 }
2836
2837 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
2838
2839 #ifdef CONFIG_OCV
2840 if (wpa_auth_uses_ocv(sm)) {
2841 struct wpa_channel_info ci;
2842 u8 *pos;
2843
2844 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
2845 wpa_printf(MSG_WARNING,
2846 "FILS: Failed to get channel info for OCI element");
2847 wpabuf_clear_free(plain);
2848 return NULL;
2849 }
2850 #ifdef CONFIG_TESTING_OPTIONS
2851 if (conf->oci_freq_override_fils_assoc) {
2852 wpa_printf(MSG_INFO,
2853 "TEST: Override OCI frequency %d -> %u MHz",
2854 ci.frequency,
2855 conf->oci_freq_override_fils_assoc);
2856 ci.frequency = conf->oci_freq_override_fils_assoc;
2857 }
2858 #endif /* CONFIG_TESTING_OPTIONS */
2859
2860 pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN);
2861 if (ocv_insert_extended_oci(&ci, pos) < 0) {
2862 wpabuf_clear_free(plain);
2863 return NULL;
2864 }
2865 }
2866 #endif /* CONFIG_OCV */
2867
2868 return plain;
2869 }
2870
2871
fils_set_tk(struct wpa_state_machine * sm)2872 int fils_set_tk(struct wpa_state_machine *sm)
2873 {
2874 enum wpa_alg alg;
2875 int klen;
2876
2877 if (!sm || !sm->PTK_valid) {
2878 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK");
2879 return -1;
2880 }
2881 if (sm->tk_already_set) {
2882 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver");
2883 return -1;
2884 }
2885
2886 alg = wpa_cipher_to_alg(sm->pairwise);
2887 klen = wpa_cipher_key_len(sm->pairwise);
2888
2889 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
2890 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2891 sm->PTK.tk, klen, KEY_FLAG_PAIRWISE_RX_TX)) {
2892 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
2893 return -1;
2894 }
2895 sm->tk_already_set = true;
2896
2897 wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, sm->pairwise,
2898 dot11RSNAConfigPMKLifetime, &sm->PTK);
2899
2900 return 0;
2901 }
2902
2903
hostapd_eid_assoc_fils_session(struct wpa_state_machine * sm,u8 * buf,const u8 * fils_session,struct wpabuf * hlp)2904 u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
2905 const u8 *fils_session, struct wpabuf *hlp)
2906 {
2907 struct wpabuf *plain;
2908 u8 *pos = buf;
2909
2910 /* FILS Session */
2911 *pos++ = WLAN_EID_EXTENSION; /* Element ID */
2912 *pos++ = 1 + FILS_SESSION_LEN; /* Length */
2913 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
2914 os_memcpy(pos, fils_session, FILS_SESSION_LEN);
2915 pos += FILS_SESSION_LEN;
2916
2917 plain = fils_prepare_plainbuf(sm, hlp);
2918 if (!plain) {
2919 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2920 return NULL;
2921 }
2922
2923 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
2924 pos += wpabuf_len(plain);
2925
2926 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %zu", __func__,
2927 wpabuf_len(plain));
2928 wpabuf_clear_free(plain);
2929 sm->fils_completed = 1;
2930 return pos;
2931 }
2932
2933 #endif /* CONFIG_FILS */
2934
2935
2936 #ifdef CONFIG_OCV
get_sta_tx_parameters(struct wpa_state_machine * sm,int ap_max_chanwidth,int ap_seg1_idx,int * bandwidth,int * seg1_idx)2937 int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth,
2938 int ap_seg1_idx, int *bandwidth, int *seg1_idx)
2939 {
2940 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2941
2942 if (!wpa_auth->cb->get_sta_tx_params)
2943 return -1;
2944 return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr,
2945 ap_max_chanwidth, ap_seg1_idx,
2946 bandwidth, seg1_idx);
2947 }
2948 #endif /* CONFIG_OCV */
2949
2950
SM_STATE(WPA_PTK,PTKCALCNEGOTIATING)2951 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2952 {
2953 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2954 struct wpa_ptk PTK;
2955 int ok = 0, psk_found = 0;
2956 const u8 *pmk = NULL;
2957 size_t pmk_len;
2958 int ft;
2959 const u8 *eapol_key_ie, *key_data, *mic;
2960 u16 key_data_length;
2961 size_t mic_len, eapol_key_ie_len;
2962 struct ieee802_1x_hdr *hdr;
2963 struct wpa_eapol_key *key;
2964 struct wpa_eapol_ie_parse kde;
2965 int vlan_id = 0;
2966 int owe_ptk_workaround = !!wpa_auth->conf.owe_ptk_workaround;
2967
2968 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2969 sm->EAPOLKeyReceived = false;
2970 sm->update_snonce = false;
2971 os_memset(&PTK, 0, sizeof(PTK));
2972
2973 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
2974
2975 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2976 * WPA-PSK: iterate through possible PSKs and select the one matching
2977 * the packet */
2978 for (;;) {
2979 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
2980 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
2981 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
2982 sm->p2p_dev_addr, pmk, &pmk_len,
2983 &vlan_id);
2984 if (!pmk)
2985 break;
2986 psk_found = 1;
2987 #ifdef CONFIG_IEEE80211R_AP
2988 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
2989 os_memcpy(sm->xxkey, pmk, pmk_len);
2990 sm->xxkey_len = pmk_len;
2991 }
2992 #endif /* CONFIG_IEEE80211R_AP */
2993 } else {
2994 pmk = sm->PMK;
2995 pmk_len = sm->pmk_len;
2996 }
2997
2998 if ((!pmk || !pmk_len) && sm->pmksa) {
2999 wpa_printf(MSG_DEBUG, "WPA: Use PMK from PMKSA cache");
3000 pmk = sm->pmksa->pmk;
3001 pmk_len = sm->pmksa->pmk_len;
3002 }
3003
3004 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK,
3005 owe_ptk_workaround == 2) < 0)
3006 break;
3007
3008 if (mic_len &&
3009 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
3010 sm->last_rx_eapol_key,
3011 sm->last_rx_eapol_key_len) == 0) {
3012 if (sm->PMK != pmk) {
3013 os_memcpy(sm->PMK, pmk, pmk_len);
3014 sm->pmk_len = pmk_len;
3015 }
3016 ok = 1;
3017 break;
3018 }
3019
3020 #ifdef CONFIG_FILS
3021 if (!mic_len &&
3022 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
3023 sm->last_rx_eapol_key_len, NULL) == 0) {
3024 ok = 1;
3025 break;
3026 }
3027 #endif /* CONFIG_FILS */
3028
3029 #ifdef CONFIG_OWE
3030 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && pmk_len > 32 &&
3031 owe_ptk_workaround == 1) {
3032 wpa_printf(MSG_DEBUG,
3033 "OWE: Try PTK derivation workaround with SHA256");
3034 owe_ptk_workaround = 2;
3035 continue;
3036 }
3037 #endif /* CONFIG_OWE */
3038
3039 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3040 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
3041 break;
3042 }
3043
3044 if (!ok && wpa_key_mgmt_wpa_psk_no_sae(sm->wpa_key_mgmt) &&
3045 wpa_auth->conf.radius_psk && wpa_auth->cb->request_radius_psk &&
3046 !sm->waiting_radius_psk) {
3047 wpa_printf(MSG_DEBUG, "No PSK available - ask RADIUS server");
3048 wpa_auth->cb->request_radius_psk(wpa_auth->cb_ctx, sm->addr,
3049 sm->wpa_key_mgmt,
3050 sm->ANonce,
3051 sm->last_rx_eapol_key,
3052 sm->last_rx_eapol_key_len);
3053 sm->waiting_radius_psk = 1;
3054 return;
3055 }
3056
3057 if (!ok) {
3058 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3059 "invalid MIC in msg 2/4 of 4-Way Handshake");
3060 if (psk_found)
3061 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
3062 return;
3063 }
3064
3065 /*
3066 * Note: last_rx_eapol_key length fields have already been validated in
3067 * wpa_receive().
3068 */
3069 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
3070 key = (struct wpa_eapol_key *) (hdr + 1);
3071 mic = (u8 *) (key + 1);
3072 key_data = mic + mic_len + 2;
3073 key_data_length = WPA_GET_BE16(mic + mic_len);
3074 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
3075 sizeof(*key) - mic_len - 2)
3076 return;
3077
3078 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
3079 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
3080 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
3081 return;
3082 }
3083 if (kde.rsn_ie) {
3084 eapol_key_ie = kde.rsn_ie;
3085 eapol_key_ie_len = kde.rsn_ie_len;
3086 } else if (kde.osen) {
3087 eapol_key_ie = kde.osen;
3088 eapol_key_ie_len = kde.osen_len;
3089 } else {
3090 eapol_key_ie = kde.wpa_ie;
3091 eapol_key_ie_len = kde.wpa_ie_len;
3092 }
3093 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
3094 if (!sm->wpa_ie ||
3095 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
3096 eapol_key_ie, eapol_key_ie_len)) {
3097 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3098 "WPA IE from (Re)AssocReq did not match with msg 2/4");
3099 if (sm->wpa_ie) {
3100 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
3101 sm->wpa_ie, sm->wpa_ie_len);
3102 }
3103 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
3104 eapol_key_ie, eapol_key_ie_len);
3105 /* MLME-DEAUTHENTICATE.request */
3106 wpa_sta_disconnect(wpa_auth, sm->addr,
3107 WLAN_REASON_PREV_AUTH_NOT_VALID);
3108 return;
3109 }
3110 if ((!sm->rsnxe && kde.rsnxe) ||
3111 (sm->rsnxe && !kde.rsnxe) ||
3112 (sm->rsnxe && kde.rsnxe &&
3113 (sm->rsnxe_len != kde.rsnxe_len ||
3114 os_memcmp(sm->rsnxe, kde.rsnxe, sm->rsnxe_len) != 0))) {
3115 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3116 "RSNXE from (Re)AssocReq did not match the one in EAPOL-Key msg 2/4");
3117 wpa_hexdump(MSG_DEBUG, "RSNXE in AssocReq",
3118 sm->rsnxe, sm->rsnxe_len);
3119 wpa_hexdump(MSG_DEBUG, "RSNXE in EAPOL-Key msg 2/4",
3120 kde.rsnxe, kde.rsnxe_len);
3121 /* MLME-DEAUTHENTICATE.request */
3122 wpa_sta_disconnect(wpa_auth, sm->addr,
3123 WLAN_REASON_PREV_AUTH_NOT_VALID);
3124 return;
3125 }
3126 #ifdef CONFIG_OCV
3127 if (wpa_auth_uses_ocv(sm)) {
3128 struct wpa_channel_info ci;
3129 int tx_chanwidth;
3130 int tx_seg1_idx;
3131 enum oci_verify_result res;
3132
3133 if (wpa_channel_info(wpa_auth, &ci) != 0) {
3134 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3135 "Failed to get channel info to validate received OCI in EAPOL-Key 2/4");
3136 return;
3137 }
3138
3139 if (get_sta_tx_parameters(sm,
3140 channel_width_to_int(ci.chanwidth),
3141 ci.seg1_idx, &tx_chanwidth,
3142 &tx_seg1_idx) < 0)
3143 return;
3144
3145 res = ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
3146 tx_chanwidth, tx_seg1_idx);
3147 if (wpa_auth_uses_ocv(sm) == 2 && res == OCI_NOT_FOUND) {
3148 /* Work around misbehaving STAs */
3149 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
3150 "Disable OCV with a STA that does not send OCI");
3151 wpa_auth_set_ocv(sm, 0);
3152 } else if (res != OCI_SUCCESS) {
3153 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
3154 "OCV failed: %s", ocv_errorstr);
3155 if (wpa_auth->conf.msg_ctx)
3156 wpa_msg(wpa_auth->conf.msg_ctx, MSG_INFO,
3157 OCV_FAILURE "addr=" MACSTR
3158 " frame=eapol-key-m2 error=%s",
3159 MAC2STR(sm->addr), ocv_errorstr);
3160 return;
3161 }
3162 }
3163 #endif /* CONFIG_OCV */
3164 #ifdef CONFIG_IEEE80211R_AP
3165 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
3166 wpa_sta_disconnect(wpa_auth, sm->addr,
3167 WLAN_REASON_PREV_AUTH_NOT_VALID);
3168 return;
3169 }
3170 #endif /* CONFIG_IEEE80211R_AP */
3171 #ifdef CONFIG_P2P
3172 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
3173 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
3174 int idx;
3175 wpa_printf(MSG_DEBUG,
3176 "P2P: IP address requested in EAPOL-Key exchange");
3177 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
3178 if (idx >= 0) {
3179 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
3180 bitfield_set(wpa_auth->ip_pool, idx);
3181 WPA_PUT_BE32(sm->ip_addr, start + idx);
3182 wpa_printf(MSG_DEBUG,
3183 "P2P: Assigned IP address %u.%u.%u.%u to "
3184 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
3185 sm->ip_addr[2], sm->ip_addr[3],
3186 MAC2STR(sm->addr));
3187 }
3188 }
3189 #endif /* CONFIG_P2P */
3190
3191 #ifdef CONFIG_DPP2
3192 if (DPP_VERSION > 1 && kde.dpp_kde) {
3193 wpa_printf(MSG_DEBUG,
3194 "DPP: peer Protocol Version %u Flags 0x%x",
3195 kde.dpp_kde[0], kde.dpp_kde[1]);
3196 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP &&
3197 wpa_auth->conf.dpp_pfs != 2 &&
3198 (kde.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) &&
3199 !sm->dpp_z) {
3200 wpa_printf(MSG_INFO,
3201 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
3202 wpa_sta_disconnect(wpa_auth, sm->addr,
3203 WLAN_REASON_PREV_AUTH_NOT_VALID);
3204 return;
3205 }
3206 }
3207 #endif /* CONFIG_DPP2 */
3208
3209 #ifdef CONFIG_IEEE80211R_AP
3210 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3211 /*
3212 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
3213 * with the value we derived.
3214 */
3215 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
3216 WPA_PMK_NAME_LEN) != 0) {
3217 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3218 "PMKR1Name mismatch in FT 4-way handshake");
3219 wpa_hexdump(MSG_DEBUG,
3220 "FT: PMKR1Name from Supplicant",
3221 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
3222 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
3223 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
3224 return;
3225 }
3226 }
3227 #endif /* CONFIG_IEEE80211R_AP */
3228
3229 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
3230 wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) {
3231 wpa_sta_disconnect(wpa_auth, sm->addr,
3232 WLAN_REASON_PREV_AUTH_NOT_VALID);
3233 return;
3234 }
3235
3236 sm->pending_1_of_4_timeout = 0;
3237 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
3238
3239 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && sm->PMK != pmk) {
3240 /* PSK may have changed from the previous choice, so update
3241 * state machine data based on whatever PSK was selected here.
3242 */
3243 os_memcpy(sm->PMK, pmk, PMK_LEN);
3244 sm->pmk_len = PMK_LEN;
3245 }
3246
3247 sm->MICVerified = true;
3248
3249 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
3250 forced_memzero(&PTK, sizeof(PTK));
3251 sm->PTK_valid = true;
3252 }
3253
3254
SM_STATE(WPA_PTK,PTKCALCNEGOTIATING2)3255 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
3256 {
3257 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
3258 sm->TimeoutCtr = 0;
3259 }
3260
3261
ieee80211w_kde_len(struct wpa_state_machine * sm)3262 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
3263 {
3264 size_t len = 0;
3265
3266 if (sm->mgmt_frame_prot) {
3267 len += 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN;
3268 len += wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
3269 }
3270 if (sm->mgmt_frame_prot && sm->wpa_auth->conf.beacon_prot) {
3271 len += 2 + RSN_SELECTOR_LEN + WPA_BIGTK_KDE_PREFIX_LEN;
3272 len += wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
3273 }
3274
3275 return len;
3276 }
3277
3278
ieee80211w_kde_add(struct wpa_state_machine * sm,u8 * pos)3279 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
3280 {
3281 struct wpa_igtk_kde igtk;
3282 struct wpa_bigtk_kde bigtk;
3283 struct wpa_group *gsm = sm->group;
3284 u8 rsc[WPA_KEY_RSC_LEN];
3285 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
3286 size_t len = wpa_cipher_key_len(conf->group_mgmt_cipher);
3287
3288 if (!sm->mgmt_frame_prot)
3289 return pos;
3290
3291 igtk.keyid[0] = gsm->GN_igtk;
3292 igtk.keyid[1] = 0;
3293 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
3294 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
3295 os_memset(igtk.pn, 0, sizeof(igtk.pn));
3296 else
3297 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
3298 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
3299 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3300 /*
3301 * Provide unique random IGTK to each STA to prevent use of
3302 * IGTK in the BSS.
3303 */
3304 if (random_get_bytes(igtk.igtk, len) < 0)
3305 return pos;
3306 }
3307 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
3308 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
3309 NULL, 0);
3310 forced_memzero(&igtk, sizeof(igtk));
3311
3312 if (!conf->beacon_prot)
3313 return pos;
3314
3315 bigtk.keyid[0] = gsm->GN_bigtk;
3316 bigtk.keyid[1] = 0;
3317 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
3318 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_bigtk, rsc) < 0)
3319 os_memset(bigtk.pn, 0, sizeof(bigtk.pn));
3320 else
3321 os_memcpy(bigtk.pn, rsc, sizeof(bigtk.pn));
3322 os_memcpy(bigtk.bigtk, gsm->BIGTK[gsm->GN_bigtk - 6], len);
3323 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3324 /*
3325 * Provide unique random BIGTK to each OSEN STA to prevent use
3326 * of BIGTK in the BSS.
3327 */
3328 if (random_get_bytes(bigtk.bigtk, len) < 0)
3329 return pos;
3330 }
3331 pos = wpa_add_kde(pos, RSN_KEY_DATA_BIGTK,
3332 (const u8 *) &bigtk, WPA_BIGTK_KDE_PREFIX_LEN + len,
3333 NULL, 0);
3334 forced_memzero(&bigtk, sizeof(bigtk));
3335
3336 return pos;
3337 }
3338
3339
ocv_oci_len(struct wpa_state_machine * sm)3340 static int ocv_oci_len(struct wpa_state_machine *sm)
3341 {
3342 #ifdef CONFIG_OCV
3343 if (wpa_auth_uses_ocv(sm))
3344 return OCV_OCI_KDE_LEN;
3345 #endif /* CONFIG_OCV */
3346 return 0;
3347 }
3348
3349
ocv_oci_add(struct wpa_state_machine * sm,u8 ** argpos,unsigned int freq)3350 static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos,
3351 unsigned int freq)
3352 {
3353 #ifdef CONFIG_OCV
3354 struct wpa_channel_info ci;
3355
3356 if (!wpa_auth_uses_ocv(sm))
3357 return 0;
3358
3359 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
3360 wpa_printf(MSG_WARNING,
3361 "Failed to get channel info for OCI element");
3362 return -1;
3363 }
3364 #ifdef CONFIG_TESTING_OPTIONS
3365 if (freq) {
3366 wpa_printf(MSG_INFO,
3367 "TEST: Override OCI KDE frequency %d -> %u MHz",
3368 ci.frequency, freq);
3369 ci.frequency = freq;
3370 }
3371 #endif /* CONFIG_TESTING_OPTIONS */
3372
3373 return ocv_insert_oci_kde(&ci, argpos);
3374 #else /* CONFIG_OCV */
3375 return 0;
3376 #endif /* CONFIG_OCV */
3377 }
3378
3379
3380 #ifdef CONFIG_TESTING_OPTIONS
replace_ie(const char * name,const u8 * old_buf,size_t * len,u8 eid,const u8 * ie,size_t ie_len)3381 static u8 * replace_ie(const char *name, const u8 *old_buf, size_t *len, u8 eid,
3382 const u8 *ie, size_t ie_len)
3383 {
3384 const u8 *elem;
3385 u8 *buf;
3386
3387 wpa_printf(MSG_DEBUG, "TESTING: %s EAPOL override", name);
3388 wpa_hexdump(MSG_DEBUG, "TESTING: wpa_ie before override",
3389 old_buf, *len);
3390 buf = os_malloc(*len + ie_len);
3391 if (!buf)
3392 return NULL;
3393 os_memcpy(buf, old_buf, *len);
3394 elem = get_ie(buf, *len, eid);
3395 if (elem) {
3396 u8 elem_len = 2 + elem[1];
3397
3398 os_memmove((void *) elem, elem + elem_len,
3399 *len - (elem - buf) - elem_len);
3400 *len -= elem_len;
3401 }
3402 os_memcpy(buf + *len, ie, ie_len);
3403 *len += ie_len;
3404 wpa_hexdump(MSG_DEBUG, "TESTING: wpa_ie after EAPOL override",
3405 buf, *len);
3406
3407 return buf;
3408 }
3409 #endif /* CONFIG_TESTING_OPTIONS */
3410
3411
SM_STATE(WPA_PTK,PTKINITNEGOTIATING)3412 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
3413 {
3414 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde = NULL, *pos, stub_gtk[32];
3415 size_t gtk_len, kde_len = 0, wpa_ie_len;
3416 struct wpa_group *gsm = sm->group;
3417 u8 *wpa_ie;
3418 int secure, gtkidx, encr = 0;
3419 u8 *wpa_ie_buf = NULL, *wpa_ie_buf2 = NULL;
3420 u8 hdr[2];
3421 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
3422
3423 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
3424 sm->TimeoutEvt = false;
3425
3426 sm->TimeoutCtr++;
3427 if (conf->wpa_disable_eapol_key_retries && sm->TimeoutCtr > 1) {
3428 /* Do not allow retransmission of EAPOL-Key msg 3/4 */
3429 return;
3430 }
3431 if (sm->TimeoutCtr > conf->wpa_pairwise_update_count) {
3432 /* No point in sending the EAPOL-Key - we will disconnect
3433 * immediately following this. */
3434 return;
3435 }
3436
3437 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
3438 GTK[GN], IGTK, [BIGTK], [FTIE], [TIE * 2])
3439 */
3440 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3441 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3442 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
3443 wpa_ie = sm->wpa_auth->wpa_ie;
3444 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
3445 if (sm->wpa == WPA_VERSION_WPA && (conf->wpa & WPA_PROTO_RSN) &&
3446 wpa_ie_len > wpa_ie[1] + 2U && wpa_ie[0] == WLAN_EID_RSN) {
3447 /* WPA-only STA, remove RSN IE and possible MDIE */
3448 wpa_ie = wpa_ie + wpa_ie[1] + 2;
3449 if (wpa_ie[0] == WLAN_EID_RSNX)
3450 wpa_ie = wpa_ie + wpa_ie[1] + 2;
3451 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
3452 wpa_ie = wpa_ie + wpa_ie[1] + 2;
3453 wpa_ie_len = wpa_ie[1] + 2;
3454 }
3455 #ifdef CONFIG_TESTING_OPTIONS
3456 if (conf->rsne_override_eapol_set) {
3457 wpa_ie_buf2 = replace_ie(
3458 "RSNE", wpa_ie, &wpa_ie_len, WLAN_EID_RSN,
3459 conf->rsne_override_eapol,
3460 conf->rsne_override_eapol_len);
3461 if (!wpa_ie_buf2)
3462 goto done;
3463 wpa_ie = wpa_ie_buf2;
3464 }
3465 if (conf->rsnxe_override_eapol_set) {
3466 wpa_ie_buf = replace_ie(
3467 "RSNXE", wpa_ie, &wpa_ie_len, WLAN_EID_RSNX,
3468 conf->rsnxe_override_eapol,
3469 conf->rsnxe_override_eapol_len);
3470 if (!wpa_ie_buf)
3471 goto done;
3472 wpa_ie = wpa_ie_buf;
3473 }
3474 #endif /* CONFIG_TESTING_OPTIONS */
3475 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3476 "sending 3/4 msg of 4-Way Handshake");
3477 if (sm->wpa == WPA_VERSION_WPA2) {
3478 if (sm->use_ext_key_id && sm->TimeoutCtr == 1 &&
3479 wpa_auth_set_key(sm->wpa_auth, 0,
3480 wpa_cipher_to_alg(sm->pairwise),
3481 sm->addr,
3482 sm->keyidx_active, sm->PTK.tk,
3483 wpa_cipher_key_len(sm->pairwise),
3484 KEY_FLAG_PAIRWISE_RX)) {
3485 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3486 WLAN_REASON_PREV_AUTH_NOT_VALID);
3487 return;
3488 }
3489
3490 /* WPA2 send GTK in the 4-way handshake */
3491 secure = 1;
3492 gtk = gsm->GTK[gsm->GN - 1];
3493 gtk_len = gsm->GTK_len;
3494 if (conf->disable_gtk ||
3495 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3496 /*
3497 * Provide unique random GTK to each STA to prevent use
3498 * of GTK in the BSS.
3499 */
3500 if (random_get_bytes(stub_gtk, gtk_len) < 0)
3501 goto done;
3502 gtk = stub_gtk;
3503 }
3504 gtkidx = gsm->GN;
3505 _rsc = rsc;
3506 encr = 1;
3507 } else {
3508 /* WPA does not include GTK in msg 3/4 */
3509 secure = 0;
3510 gtk = NULL;
3511 gtk_len = 0;
3512 _rsc = NULL;
3513 if (sm->rx_eapol_key_secure) {
3514 /*
3515 * It looks like Windows 7 supplicant tries to use
3516 * Secure bit in msg 2/4 after having reported Michael
3517 * MIC failure and it then rejects the 4-way handshake
3518 * if msg 3/4 does not set Secure bit. Work around this
3519 * by setting the Secure bit here even in the case of
3520 * WPA if the supplicant used it first.
3521 */
3522 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3523 "STA used Secure bit in WPA msg 2/4 - set Secure for 3/4 as workaround");
3524 secure = 1;
3525 }
3526 }
3527
3528 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
3529
3530 if (sm->use_ext_key_id)
3531 kde_len += 2 + RSN_SELECTOR_LEN + 2;
3532
3533 if (gtk)
3534 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
3535 #ifdef CONFIG_IEEE80211R_AP
3536 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3537 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
3538 kde_len += 300; /* FTIE + 2 * TIE */
3539 }
3540 #endif /* CONFIG_IEEE80211R_AP */
3541 #ifdef CONFIG_P2P
3542 if (WPA_GET_BE32(sm->ip_addr) > 0)
3543 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
3544 #endif /* CONFIG_P2P */
3545
3546 if (conf->transition_disable)
3547 kde_len += 2 + RSN_SELECTOR_LEN + 1;
3548
3549 #ifdef CONFIG_DPP2
3550 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
3551 kde_len += 2 + RSN_SELECTOR_LEN + 2;
3552 #endif /* CONFIG_DPP2 */
3553
3554 kde = os_malloc(kde_len);
3555 if (!kde)
3556 goto done;
3557
3558 pos = kde;
3559 os_memcpy(pos, wpa_ie, wpa_ie_len);
3560 pos += wpa_ie_len;
3561 #ifdef CONFIG_IEEE80211R_AP
3562 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3563 int res;
3564 size_t elen;
3565
3566 elen = pos - kde;
3567 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
3568 if (res < 0) {
3569 wpa_printf(MSG_ERROR,
3570 "FT: Failed to insert PMKR1Name into RSN IE in EAPOL-Key data");
3571 goto done;
3572 }
3573 pos -= wpa_ie_len;
3574 pos += elen;
3575 }
3576 #endif /* CONFIG_IEEE80211R_AP */
3577 hdr[1] = 0;
3578
3579 if (sm->use_ext_key_id) {
3580 hdr[0] = sm->keyidx_active & 0x01;
3581 pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0);
3582 }
3583
3584 if (gtk) {
3585 hdr[0] = gtkidx & 0x03;
3586 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3587 gtk, gtk_len);
3588 }
3589 pos = ieee80211w_kde_add(sm, pos);
3590 if (ocv_oci_add(sm, &pos, conf->oci_freq_override_eapol_m3) < 0)
3591 goto done;
3592
3593 #ifdef CONFIG_IEEE80211R_AP
3594 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3595 int res;
3596
3597 if (sm->assoc_resp_ftie &&
3598 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
3599 os_memcpy(pos, sm->assoc_resp_ftie,
3600 2 + sm->assoc_resp_ftie[1]);
3601 res = 2 + sm->assoc_resp_ftie[1];
3602 } else {
3603 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
3604
3605 res = wpa_write_ftie(conf, use_sha384,
3606 conf->r0_key_holder,
3607 conf->r0_key_holder_len,
3608 NULL, NULL, pos,
3609 kde + kde_len - pos,
3610 NULL, 0, 0);
3611 }
3612 if (res < 0) {
3613 wpa_printf(MSG_ERROR,
3614 "FT: Failed to insert FTIE into EAPOL-Key Key Data");
3615 goto done;
3616 }
3617 pos += res;
3618
3619 /* TIE[ReassociationDeadline] (TU) */
3620 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3621 *pos++ = 5;
3622 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
3623 WPA_PUT_LE32(pos, conf->reassociation_deadline);
3624 pos += 4;
3625
3626 /* TIE[KeyLifetime] (seconds) */
3627 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3628 *pos++ = 5;
3629 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
3630 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
3631 pos += 4;
3632 }
3633 #endif /* CONFIG_IEEE80211R_AP */
3634 #ifdef CONFIG_P2P
3635 if (WPA_GET_BE32(sm->ip_addr) > 0) {
3636 u8 addr[3 * 4];
3637 os_memcpy(addr, sm->ip_addr, 4);
3638 os_memcpy(addr + 4, conf->ip_addr_mask, 4);
3639 os_memcpy(addr + 8, conf->ip_addr_go, 4);
3640 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
3641 addr, sizeof(addr), NULL, 0);
3642 }
3643 #endif /* CONFIG_P2P */
3644
3645 if (conf->transition_disable)
3646 pos = wpa_add_kde(pos, WFA_KEY_DATA_TRANSITION_DISABLE,
3647 &conf->transition_disable, 1, NULL, 0);
3648
3649 #ifdef CONFIG_DPP2
3650 if (DPP_VERSION > 1 && sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
3651 u8 payload[2];
3652
3653 payload[0] = DPP_VERSION; /* Protocol Version */
3654 payload[1] = 0; /* Flags */
3655 if (conf->dpp_pfs == 0)
3656 payload[1] |= DPP_KDE_PFS_ALLOWED;
3657 else if (conf->dpp_pfs == 1)
3658 payload[1] |= DPP_KDE_PFS_ALLOWED |
3659 DPP_KDE_PFS_REQUIRED;
3660 pos = wpa_add_kde(pos, WFA_KEY_DATA_DPP,
3661 payload, sizeof(payload), NULL, 0);
3662 }
3663 #endif /* CONFIG_DPP2 */
3664
3665 wpa_send_eapol(sm->wpa_auth, sm,
3666 (secure ? WPA_KEY_INFO_SECURE : 0) |
3667 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3668 WPA_KEY_INFO_MIC : 0) |
3669 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
3670 WPA_KEY_INFO_KEY_TYPE,
3671 _rsc, sm->ANonce, kde, pos - kde, 0, encr);
3672 done:
3673 bin_clear_free(kde, kde_len);
3674 os_free(wpa_ie_buf);
3675 os_free(wpa_ie_buf2);
3676 }
3677
3678
SM_STATE(WPA_PTK,PTKINITDONE)3679 SM_STATE(WPA_PTK, PTKINITDONE)
3680 {
3681 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
3682 sm->EAPOLKeyReceived = false;
3683 if (sm->Pair) {
3684 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
3685 int klen = wpa_cipher_key_len(sm->pairwise);
3686 int res;
3687
3688 if (sm->use_ext_key_id)
3689 res = wpa_auth_set_key(sm->wpa_auth, 0, 0, sm->addr,
3690 sm->keyidx_active, NULL, 0,
3691 KEY_FLAG_PAIRWISE_RX_TX_MODIFY);
3692 else
3693 res = wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr,
3694 0, sm->PTK.tk, klen,
3695 KEY_FLAG_PAIRWISE_RX_TX);
3696 if (res) {
3697 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3698 WLAN_REASON_PREV_AUTH_NOT_VALID);
3699 return;
3700 }
3701 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
3702 sm->pairwise_set = true;
3703
3704 wpa_auth_set_ptk_rekey_timer(sm);
3705 wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, sm->pairwise,
3706 dot11RSNAConfigPMKLifetime, &sm->PTK);
3707
3708 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3709 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
3710 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
3711 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3712 WPA_EAPOL_authorized, 1);
3713 }
3714 }
3715
3716 if (0 /* IBSS == TRUE */) {
3717 sm->keycount++;
3718 if (sm->keycount == 2) {
3719 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3720 WPA_EAPOL_portValid, 1);
3721 }
3722 } else {
3723 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
3724 1);
3725 }
3726 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable,
3727 false);
3728 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, true);
3729 if (sm->wpa == WPA_VERSION_WPA)
3730 sm->PInitAKeys = true;
3731 else
3732 sm->has_GTK = true;
3733 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3734 "pairwise key handshake completed (%s)",
3735 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3736 wpa_msg(sm->wpa_auth->conf.msg_ctx, MSG_INFO, "EAPOL-4WAY-HS-COMPLETED "
3737 MACSTR, MAC2STR(sm->addr));
3738
3739 #ifdef CONFIG_IEEE80211R_AP
3740 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
3741 #endif /* CONFIG_IEEE80211R_AP */
3742
3743 sm->ptkstart_without_success = 0;
3744 }
3745
3746
SM_STEP(WPA_PTK)3747 SM_STEP(WPA_PTK)
3748 {
3749 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3750 struct wpa_auth_config *conf = &wpa_auth->conf;
3751
3752 if (sm->Init)
3753 SM_ENTER(WPA_PTK, INITIALIZE);
3754 else if (sm->Disconnect
3755 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
3756 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
3757 "WPA_PTK: sm->Disconnect");
3758 SM_ENTER(WPA_PTK, DISCONNECT);
3759 }
3760 else if (sm->DeauthenticationRequest)
3761 SM_ENTER(WPA_PTK, DISCONNECTED);
3762 else if (sm->AuthenticationRequest)
3763 SM_ENTER(WPA_PTK, AUTHENTICATION);
3764 else if (sm->ReAuthenticationRequest)
3765 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3766 else if (sm->PTKRequest) {
3767 if (wpa_auth_sm_ptk_update(sm) < 0)
3768 SM_ENTER(WPA_PTK, DISCONNECTED);
3769 else
3770 SM_ENTER(WPA_PTK, PTKSTART);
3771 } else switch (sm->wpa_ptk_state) {
3772 case WPA_PTK_INITIALIZE:
3773 break;
3774 case WPA_PTK_DISCONNECT:
3775 SM_ENTER(WPA_PTK, DISCONNECTED);
3776 break;
3777 case WPA_PTK_DISCONNECTED:
3778 SM_ENTER(WPA_PTK, INITIALIZE);
3779 break;
3780 case WPA_PTK_AUTHENTICATION:
3781 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3782 break;
3783 case WPA_PTK_AUTHENTICATION2:
3784 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
3785 wpa_auth_get_eapol(wpa_auth, sm->addr,
3786 WPA_EAPOL_keyRun))
3787 SM_ENTER(WPA_PTK, INITPMK);
3788 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3789 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
3790 /* FIX: && 802.1X::keyRun */)
3791 SM_ENTER(WPA_PTK, INITPSK);
3792 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
3793 SM_ENTER(WPA_PTK, INITPMK);
3794 break;
3795 case WPA_PTK_INITPMK:
3796 if (wpa_auth_get_eapol(wpa_auth, sm->addr,
3797 WPA_EAPOL_keyAvailable)) {
3798 SM_ENTER(WPA_PTK, PTKSTART);
3799 #ifdef CONFIG_DPP
3800 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) {
3801 SM_ENTER(WPA_PTK, PTKSTART);
3802 #endif /* CONFIG_DPP */
3803 } else {
3804 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3805 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3806 "INITPMK - keyAvailable = false");
3807 SM_ENTER(WPA_PTK, DISCONNECT);
3808 }
3809 break;
3810 case WPA_PTK_INITPSK:
3811 if (wpa_auth_get_psk(wpa_auth, sm->addr, sm->p2p_dev_addr,
3812 NULL, NULL, NULL)) {
3813 SM_ENTER(WPA_PTK, PTKSTART);
3814 #ifdef CONFIG_SAE
3815 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) {
3816 SM_ENTER(WPA_PTK, PTKSTART);
3817 #endif /* CONFIG_SAE */
3818 } else if (wpa_key_mgmt_wpa_psk_no_sae(sm->wpa_key_mgmt) &&
3819 wpa_auth->conf.radius_psk) {
3820 wpa_printf(MSG_DEBUG,
3821 "INITPSK: No PSK yet available for STA - use RADIUS later");
3822 SM_ENTER(WPA_PTK, PTKSTART);
3823 } else {
3824 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3825 "no PSK configured for the STA");
3826 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3827 SM_ENTER(WPA_PTK, DISCONNECT);
3828 }
3829 break;
3830 case WPA_PTK_PTKSTART:
3831 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3832 sm->EAPOLKeyPairwise)
3833 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3834 else if (sm->TimeoutCtr > conf->wpa_pairwise_update_count) {
3835 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3836 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
3837 "PTKSTART: Retry limit %u reached",
3838 conf->wpa_pairwise_update_count);
3839 sm->disconnect_reason =
3840 WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT;
3841 SM_ENTER(WPA_PTK, DISCONNECT);
3842 } else if (sm->TimeoutEvt)
3843 SM_ENTER(WPA_PTK, PTKSTART);
3844 break;
3845 case WPA_PTK_PTKCALCNEGOTIATING:
3846 if (sm->MICVerified)
3847 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
3848 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3849 sm->EAPOLKeyPairwise)
3850 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3851 else if (sm->TimeoutEvt)
3852 SM_ENTER(WPA_PTK, PTKSTART);
3853 break;
3854 case WPA_PTK_PTKCALCNEGOTIATING2:
3855 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3856 break;
3857 case WPA_PTK_PTKINITNEGOTIATING:
3858 if (sm->update_snonce)
3859 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3860 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3861 sm->EAPOLKeyPairwise && sm->MICVerified)
3862 SM_ENTER(WPA_PTK, PTKINITDONE);
3863 else if (sm->TimeoutCtr >
3864 conf->wpa_pairwise_update_count ||
3865 (conf->wpa_disable_eapol_key_retries &&
3866 sm->TimeoutCtr > 1)) {
3867 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3868 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
3869 "PTKINITNEGOTIATING: Retry limit %u reached",
3870 conf->wpa_pairwise_update_count);
3871 sm->disconnect_reason =
3872 WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT;
3873 SM_ENTER(WPA_PTK, DISCONNECT);
3874 } else if (sm->TimeoutEvt)
3875 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3876 break;
3877 case WPA_PTK_PTKINITDONE:
3878 break;
3879 }
3880 }
3881
3882
SM_STATE(WPA_PTK_GROUP,IDLE)3883 SM_STATE(WPA_PTK_GROUP, IDLE)
3884 {
3885 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
3886 if (sm->Init) {
3887 /* Init flag is not cleared here, so avoid busy
3888 * loop by claiming nothing changed. */
3889 sm->changed = false;
3890 }
3891 sm->GTimeoutCtr = 0;
3892 }
3893
3894
SM_STATE(WPA_PTK_GROUP,REKEYNEGOTIATING)3895 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3896 {
3897 u8 rsc[WPA_KEY_RSC_LEN];
3898 struct wpa_group *gsm = sm->group;
3899 const u8 *kde;
3900 u8 *kde_buf = NULL, *pos, hdr[2];
3901 size_t kde_len = 0;
3902 u8 *gtk, stub_gtk[32];
3903 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
3904
3905 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
3906
3907 sm->GTimeoutCtr++;
3908 if (conf->wpa_disable_eapol_key_retries && sm->GTimeoutCtr > 1) {
3909 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */
3910 return;
3911 }
3912 if (sm->GTimeoutCtr > conf->wpa_group_update_count) {
3913 /* No point in sending the EAPOL-Key - we will disconnect
3914 * immediately following this. */
3915 return;
3916 }
3917
3918 if (sm->wpa == WPA_VERSION_WPA)
3919 sm->PInitAKeys = false;
3920 sm->TimeoutEvt = false;
3921 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3922 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3923 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3924 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3925 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3926 "sending 1/2 msg of Group Key Handshake");
3927
3928 gtk = gsm->GTK[gsm->GN - 1];
3929 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3930 /*
3931 * Provide unique random GTK to each STA to prevent use
3932 * of GTK in the BSS.
3933 */
3934 if (random_get_bytes(stub_gtk, gsm->GTK_len) < 0)
3935 return;
3936 gtk = stub_gtk;
3937 }
3938 if (sm->wpa == WPA_VERSION_WPA2) {
3939 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
3940 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
3941 kde_buf = os_malloc(kde_len);
3942 if (!kde_buf)
3943 return;
3944
3945 kde = pos = kde_buf;
3946 hdr[0] = gsm->GN & 0x03;
3947 hdr[1] = 0;
3948 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3949 gtk, gsm->GTK_len);
3950 pos = ieee80211w_kde_add(sm, pos);
3951 if (ocv_oci_add(sm, &pos,
3952 conf->oci_freq_override_eapol_g1) < 0) {
3953 os_free(kde_buf);
3954 return;
3955 }
3956 kde_len = pos - kde;
3957 } else {
3958 kde = gtk;
3959 kde_len = gsm->GTK_len;
3960 }
3961
3962 wpa_send_eapol(sm->wpa_auth, sm,
3963 WPA_KEY_INFO_SECURE |
3964 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3965 WPA_KEY_INFO_MIC : 0) |
3966 WPA_KEY_INFO_ACK |
3967 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
3968 rsc, NULL, kde, kde_len, gsm->GN, 1);
3969
3970 bin_clear_free(kde_buf, kde_len);
3971 }
3972
3973
SM_STATE(WPA_PTK_GROUP,REKEYESTABLISHED)3974 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3975 {
3976 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3977 #ifdef CONFIG_OCV
3978 const u8 *key_data, *mic;
3979 struct ieee802_1x_hdr *hdr;
3980 struct wpa_eapol_key *key;
3981 struct wpa_eapol_ie_parse kde;
3982 size_t mic_len;
3983 u16 key_data_length;
3984 #endif /* CONFIG_OCV */
3985
3986 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3987 sm->EAPOLKeyReceived = false;
3988
3989 #ifdef CONFIG_OCV
3990 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3991
3992 /*
3993 * Note: last_rx_eapol_key length fields have already been validated in
3994 * wpa_receive().
3995 */
3996 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
3997 key = (struct wpa_eapol_key *) (hdr + 1);
3998 mic = (u8 *) (key + 1);
3999 key_data = mic + mic_len + 2;
4000 key_data_length = WPA_GET_BE16(mic + mic_len);
4001 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
4002 sizeof(*key) - mic_len - 2)
4003 return;
4004
4005 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
4006 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
4007 "received EAPOL-Key group msg 2/2 with invalid Key Data contents");
4008 return;
4009 }
4010
4011 if (wpa_auth_uses_ocv(sm)) {
4012 struct wpa_channel_info ci;
4013 int tx_chanwidth;
4014 int tx_seg1_idx;
4015
4016 if (wpa_channel_info(wpa_auth, &ci) != 0) {
4017 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
4018 "Failed to get channel info to validate received OCI in EAPOL-Key group 2/2");
4019 return;
4020 }
4021
4022 if (get_sta_tx_parameters(sm,
4023 channel_width_to_int(ci.chanwidth),
4024 ci.seg1_idx, &tx_chanwidth,
4025 &tx_seg1_idx) < 0)
4026 return;
4027
4028 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
4029 tx_chanwidth, tx_seg1_idx) !=
4030 OCI_SUCCESS) {
4031 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
4032 "OCV failed: %s", ocv_errorstr);
4033 if (wpa_auth->conf.msg_ctx)
4034 wpa_msg(wpa_auth->conf.msg_ctx, MSG_INFO,
4035 OCV_FAILURE "addr=" MACSTR
4036 " frame=eapol-key-g2 error=%s",
4037 MAC2STR(sm->addr), ocv_errorstr);
4038 return;
4039 }
4040 }
4041 #endif /* CONFIG_OCV */
4042
4043 if (sm->GUpdateStationKeys)
4044 sm->group->GKeyDoneStations--;
4045 sm->GUpdateStationKeys = false;
4046 sm->GTimeoutCtr = 0;
4047 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
4048 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
4049 "group key handshake completed (%s)",
4050 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
4051 sm->has_GTK = true;
4052 }
4053
4054
SM_STATE(WPA_PTK_GROUP,KEYERROR)4055 SM_STATE(WPA_PTK_GROUP, KEYERROR)
4056 {
4057 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
4058 if (sm->GUpdateStationKeys)
4059 sm->group->GKeyDoneStations--;
4060 sm->GUpdateStationKeys = false;
4061 sm->Disconnect = true;
4062 sm->disconnect_reason = WLAN_REASON_GROUP_KEY_UPDATE_TIMEOUT;
4063 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
4064 "group key handshake failed (%s) after %u tries",
4065 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
4066 sm->wpa_auth->conf.wpa_group_update_count);
4067 }
4068
4069
SM_STEP(WPA_PTK_GROUP)4070 SM_STEP(WPA_PTK_GROUP)
4071 {
4072 if (sm->Init || sm->PtkGroupInit) {
4073 SM_ENTER(WPA_PTK_GROUP, IDLE);
4074 sm->PtkGroupInit = false;
4075 } else switch (sm->wpa_ptk_group_state) {
4076 case WPA_PTK_GROUP_IDLE:
4077 if (sm->GUpdateStationKeys ||
4078 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
4079 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
4080 break;
4081 case WPA_PTK_GROUP_REKEYNEGOTIATING:
4082 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
4083 !sm->EAPOLKeyPairwise && sm->MICVerified)
4084 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
4085 else if (sm->GTimeoutCtr >
4086 sm->wpa_auth->conf.wpa_group_update_count ||
4087 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
4088 sm->GTimeoutCtr > 1))
4089 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
4090 else if (sm->TimeoutEvt)
4091 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
4092 break;
4093 case WPA_PTK_GROUP_KEYERROR:
4094 SM_ENTER(WPA_PTK_GROUP, IDLE);
4095 break;
4096 case WPA_PTK_GROUP_REKEYESTABLISHED:
4097 SM_ENTER(WPA_PTK_GROUP, IDLE);
4098 break;
4099 }
4100 }
4101
4102
wpa_gtk_update(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4103 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
4104 struct wpa_group *group)
4105 {
4106 struct wpa_auth_config *conf = &wpa_auth->conf;
4107 int ret = 0;
4108 size_t len;
4109
4110 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
4111 inc_byte_array(group->Counter, WPA_NONCE_LEN);
4112 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
4113 wpa_auth->addr, group->GNonce,
4114 group->GTK[group->GN - 1], group->GTK_len) < 0)
4115 ret = -1;
4116 wpa_hexdump_key(MSG_DEBUG, "GTK",
4117 group->GTK[group->GN - 1], group->GTK_len);
4118
4119 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4120 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
4121 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
4122 inc_byte_array(group->Counter, WPA_NONCE_LEN);
4123 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
4124 wpa_auth->addr, group->GNonce,
4125 group->IGTK[group->GN_igtk - 4], len) < 0)
4126 ret = -1;
4127 wpa_hexdump_key(MSG_DEBUG, "IGTK",
4128 group->IGTK[group->GN_igtk - 4], len);
4129 }
4130
4131 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION &&
4132 conf->beacon_prot) {
4133 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
4134 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
4135 inc_byte_array(group->Counter, WPA_NONCE_LEN);
4136 if (wpa_gmk_to_gtk(group->GMK, "BIGTK key expansion",
4137 wpa_auth->addr, group->GNonce,
4138 group->BIGTK[group->GN_bigtk - 6], len) < 0)
4139 ret = -1;
4140 wpa_hexdump_key(MSG_DEBUG, "BIGTK",
4141 group->BIGTK[group->GN_bigtk - 6], len);
4142 }
4143
4144 return ret;
4145 }
4146
4147
wpa_group_gtk_init(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4148 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
4149 struct wpa_group *group)
4150 {
4151 wpa_printf(MSG_DEBUG,
4152 "WPA: group state machine entering state GTK_INIT (VLAN-ID %d)",
4153 group->vlan_id);
4154 group->changed = false; /* GInit is not cleared here; avoid loop */
4155 group->wpa_group_state = WPA_GROUP_GTK_INIT;
4156
4157 /* GTK[0..N] = 0 */
4158 os_memset(group->GTK, 0, sizeof(group->GTK));
4159 group->GN = 1;
4160 group->GM = 2;
4161 group->GN_igtk = 4;
4162 group->GM_igtk = 5;
4163 group->GN_bigtk = 6;
4164 group->GM_bigtk = 7;
4165 /* GTK[GN] = CalcGTK() */
4166 wpa_gtk_update(wpa_auth, group);
4167 }
4168
4169
wpa_group_update_sta(struct wpa_state_machine * sm,void * ctx)4170 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
4171 {
4172 if (ctx != NULL && ctx != sm->group)
4173 return 0;
4174
4175 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
4176 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4177 "Not in PTKINITDONE; skip Group Key update");
4178 sm->GUpdateStationKeys = false;
4179 return 0;
4180 }
4181 if (sm->GUpdateStationKeys) {
4182 /*
4183 * This should not really happen, so add a debug log entry.
4184 * Since we clear the GKeyDoneStations before the loop, the
4185 * station needs to be counted here anyway.
4186 */
4187 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4188 "GUpdateStationKeys was already set when marking station for GTK rekeying");
4189 }
4190
4191 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
4192 if (sm->is_wnmsleep)
4193 return 0;
4194
4195 sm->group->GKeyDoneStations++;
4196 sm->GUpdateStationKeys = true;
4197
4198 wpa_sm_step(sm);
4199 return 0;
4200 }
4201
4202
4203 #ifdef CONFIG_WNM_AP
4204 /* update GTK when exiting WNM-Sleep Mode */
wpa_wnmsleep_rekey_gtk(struct wpa_state_machine * sm)4205 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
4206 {
4207 if (!sm || sm->is_wnmsleep)
4208 return;
4209
4210 wpa_group_update_sta(sm, NULL);
4211 }
4212
4213
wpa_set_wnmsleep(struct wpa_state_machine * sm,int flag)4214 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
4215 {
4216 if (sm)
4217 sm->is_wnmsleep = !!flag;
4218 }
4219
4220
wpa_wnmsleep_gtk_subelem(struct wpa_state_machine * sm,u8 * pos)4221 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
4222 {
4223 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
4224 struct wpa_group *gsm = sm->group;
4225 u8 *start = pos;
4226
4227 /*
4228 * GTK subelement:
4229 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
4230 * Key[5..32]
4231 */
4232 *pos++ = WNM_SLEEP_SUBELEM_GTK;
4233 *pos++ = 11 + gsm->GTK_len;
4234 /* Key ID in B0-B1 of Key Info */
4235 WPA_PUT_LE16(pos, gsm->GN & 0x03);
4236 pos += 2;
4237 *pos++ = gsm->GTK_len;
4238 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
4239 return 0;
4240 pos += 8;
4241 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
4242 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4243 /*
4244 * Provide unique random GTK to each STA to prevent use
4245 * of GTK in the BSS.
4246 */
4247 if (random_get_bytes(pos, gsm->GTK_len) < 0)
4248 return 0;
4249 }
4250 pos += gsm->GTK_len;
4251
4252 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
4253 gsm->GN);
4254 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
4255 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
4256
4257 return pos - start;
4258 }
4259
4260
wpa_wnmsleep_igtk_subelem(struct wpa_state_machine * sm,u8 * pos)4261 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
4262 {
4263 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
4264 struct wpa_group *gsm = sm->group;
4265 u8 *start = pos;
4266 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
4267
4268 /*
4269 * IGTK subelement:
4270 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
4271 */
4272 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
4273 *pos++ = 2 + 6 + len;
4274 WPA_PUT_LE16(pos, gsm->GN_igtk);
4275 pos += 2;
4276 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
4277 return 0;
4278 pos += 6;
4279
4280 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
4281 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4282 /*
4283 * Provide unique random IGTK to each STA to prevent use
4284 * of IGTK in the BSS.
4285 */
4286 if (random_get_bytes(pos, len) < 0)
4287 return 0;
4288 }
4289 pos += len;
4290
4291 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
4292 gsm->GN_igtk);
4293 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
4294 gsm->IGTK[gsm->GN_igtk - 4], len);
4295
4296 return pos - start;
4297 }
4298
4299
wpa_wnmsleep_bigtk_subelem(struct wpa_state_machine * sm,u8 * pos)4300 int wpa_wnmsleep_bigtk_subelem(struct wpa_state_machine *sm, u8 *pos)
4301 {
4302 struct wpa_group *gsm = sm->group;
4303 u8 *start = pos;
4304 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
4305
4306 /*
4307 * BIGTK subelement:
4308 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
4309 */
4310 *pos++ = WNM_SLEEP_SUBELEM_BIGTK;
4311 *pos++ = 2 + 6 + len;
4312 WPA_PUT_LE16(pos, gsm->GN_bigtk);
4313 pos += 2;
4314 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_bigtk, pos) != 0)
4315 return 0;
4316 pos += 6;
4317
4318 os_memcpy(pos, gsm->BIGTK[gsm->GN_bigtk - 6], len);
4319 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4320 /*
4321 * Provide unique random BIGTK to each STA to prevent use
4322 * of BIGTK in the BSS.
4323 */
4324 if (random_get_bytes(pos, len) < 0)
4325 return 0;
4326 }
4327 pos += len;
4328
4329 wpa_printf(MSG_DEBUG, "WNM: BIGTK Key ID %u in WNM-Sleep Mode exit",
4330 gsm->GN_bigtk);
4331 wpa_hexdump_key(MSG_DEBUG, "WNM: BIGTK in WNM-Sleep Mode exit",
4332 gsm->BIGTK[gsm->GN_bigtk - 6], len);
4333
4334 return pos - start;
4335 }
4336
4337 #endif /* CONFIG_WNM_AP */
4338
4339
wpa_group_setkeys(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4340 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
4341 struct wpa_group *group)
4342 {
4343 int tmp;
4344
4345 wpa_printf(MSG_DEBUG,
4346 "WPA: group state machine entering state SETKEYS (VLAN-ID %d)",
4347 group->vlan_id);
4348 group->changed = true;
4349 group->wpa_group_state = WPA_GROUP_SETKEYS;
4350 group->GTKReKey = false;
4351 tmp = group->GM;
4352 group->GM = group->GN;
4353 group->GN = tmp;
4354 tmp = group->GM_igtk;
4355 group->GM_igtk = group->GN_igtk;
4356 group->GN_igtk = tmp;
4357 tmp = group->GM_bigtk;
4358 group->GM_bigtk = group->GN_bigtk;
4359 group->GN_bigtk = tmp;
4360 /* "GKeyDoneStations = GNoStations" is done in more robust way by
4361 * counting the STAs that are marked with GUpdateStationKeys instead of
4362 * including all STAs that could be in not-yet-completed state. */
4363 wpa_gtk_update(wpa_auth, group);
4364
4365 if (group->GKeyDoneStations) {
4366 wpa_printf(MSG_DEBUG,
4367 "wpa_group_setkeys: Unexpected GKeyDoneStations=%d when starting new GTK rekey",
4368 group->GKeyDoneStations);
4369 group->GKeyDoneStations = 0;
4370 }
4371 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
4372 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
4373 group->GKeyDoneStations);
4374 }
4375
4376
wpa_group_config_group_keys(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4377 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
4378 struct wpa_group *group)
4379 {
4380 struct wpa_auth_config *conf = &wpa_auth->conf;
4381 int ret = 0;
4382
4383 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
4384 wpa_cipher_to_alg(conf->wpa_group),
4385 broadcast_ether_addr, group->GN,
4386 group->GTK[group->GN - 1], group->GTK_len,
4387 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
4388 ret = -1;
4389
4390 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4391 enum wpa_alg alg;
4392 size_t len;
4393
4394 alg = wpa_cipher_to_alg(conf->group_mgmt_cipher);
4395 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
4396
4397 if (ret == 0 &&
4398 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
4399 broadcast_ether_addr, group->GN_igtk,
4400 group->IGTK[group->GN_igtk - 4], len,
4401 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
4402 ret = -1;
4403
4404 if (ret == 0 && conf->beacon_prot &&
4405 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
4406 broadcast_ether_addr, group->GN_bigtk,
4407 group->BIGTK[group->GN_bigtk - 6], len,
4408 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
4409 ret = -1;
4410 }
4411
4412 return ret;
4413 }
4414
4415
wpa_group_disconnect_cb(struct wpa_state_machine * sm,void * ctx)4416 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
4417 {
4418 if (sm->group == ctx) {
4419 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
4420 " for disconnection due to fatal failure",
4421 MAC2STR(sm->addr));
4422 sm->Disconnect = true;
4423 }
4424
4425 return 0;
4426 }
4427
4428
wpa_group_fatal_failure(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4429 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
4430 struct wpa_group *group)
4431 {
4432 wpa_printf(MSG_DEBUG,
4433 "WPA: group state machine entering state FATAL_FAILURE");
4434 group->changed = true;
4435 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
4436 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
4437 }
4438
4439
wpa_group_setkeysdone(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4440 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
4441 struct wpa_group *group)
4442 {
4443 wpa_printf(MSG_DEBUG,
4444 "WPA: group state machine entering state SETKEYSDONE (VLAN-ID %d)",
4445 group->vlan_id);
4446 group->changed = true;
4447 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
4448
4449 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
4450 wpa_group_fatal_failure(wpa_auth, group);
4451 return -1;
4452 }
4453
4454 return 0;
4455 }
4456
4457
wpa_group_sm_step(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4458 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
4459 struct wpa_group *group)
4460 {
4461 if (group->GInit) {
4462 wpa_group_gtk_init(wpa_auth, group);
4463 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
4464 /* Do not allow group operations */
4465 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
4466 group->GTKAuthenticator) {
4467 wpa_group_setkeysdone(wpa_auth, group);
4468 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
4469 group->GTKReKey) {
4470 wpa_group_setkeys(wpa_auth, group);
4471 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
4472 if (group->GKeyDoneStations == 0)
4473 wpa_group_setkeysdone(wpa_auth, group);
4474 else if (group->GTKReKey)
4475 wpa_group_setkeys(wpa_auth, group);
4476 }
4477 }
4478
4479
wpa_sm_step(struct wpa_state_machine * sm)4480 static int wpa_sm_step(struct wpa_state_machine *sm)
4481 {
4482 if (!sm)
4483 return 0;
4484
4485 if (sm->in_step_loop) {
4486 /* This should not happen, but if it does, make sure we do not
4487 * end up freeing the state machine too early by exiting the
4488 * recursive call. */
4489 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
4490 return 0;
4491 }
4492
4493 sm->in_step_loop = 1;
4494 do {
4495 if (sm->pending_deinit)
4496 break;
4497
4498 sm->changed = false;
4499 sm->wpa_auth->group->changed = false;
4500
4501 SM_STEP_RUN(WPA_PTK);
4502 if (sm->pending_deinit)
4503 break;
4504 SM_STEP_RUN(WPA_PTK_GROUP);
4505 if (sm->pending_deinit)
4506 break;
4507 wpa_group_sm_step(sm->wpa_auth, sm->group);
4508 } while (sm->changed || sm->wpa_auth->group->changed);
4509 sm->in_step_loop = 0;
4510
4511 if (sm->pending_deinit) {
4512 wpa_printf(MSG_DEBUG,
4513 "WPA: Completing pending STA state machine deinit for "
4514 MACSTR, MAC2STR(sm->addr));
4515 wpa_free_sta_sm(sm);
4516 return 1;
4517 }
4518 return 0;
4519 }
4520
4521
wpa_sm_call_step(void * eloop_ctx,void * timeout_ctx)4522 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
4523 {
4524 struct wpa_state_machine *sm = eloop_ctx;
4525 wpa_sm_step(sm);
4526 }
4527
4528
wpa_auth_sm_notify(struct wpa_state_machine * sm)4529 void wpa_auth_sm_notify(struct wpa_state_machine *sm)
4530 {
4531 if (!sm)
4532 return;
4533 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
4534 }
4535
4536
wpa_gtk_rekey(struct wpa_authenticator * wpa_auth)4537 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
4538 {
4539 int tmp, i;
4540 struct wpa_group *group;
4541
4542 if (!wpa_auth)
4543 return;
4544
4545 group = wpa_auth->group;
4546
4547 for (i = 0; i < 2; i++) {
4548 tmp = group->GM;
4549 group->GM = group->GN;
4550 group->GN = tmp;
4551 tmp = group->GM_igtk;
4552 group->GM_igtk = group->GN_igtk;
4553 group->GN_igtk = tmp;
4554 tmp = group->GM_bigtk;
4555 group->GM_bigtk = group->GN_bigtk;
4556 group->GN_bigtk = tmp;
4557 wpa_gtk_update(wpa_auth, group);
4558 wpa_group_config_group_keys(wpa_auth, group);
4559 }
4560 }
4561
4562
wpa_bool_txt(int val)4563 static const char * wpa_bool_txt(int val)
4564 {
4565 return val ? "TRUE" : "FALSE";
4566 }
4567
4568
4569 #define RSN_SUITE "%02x-%02x-%02x-%d"
4570 #define RSN_SUITE_ARG(s) \
4571 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
4572
wpa_get_mib(struct wpa_authenticator * wpa_auth,char * buf,size_t buflen)4573 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
4574 {
4575 struct wpa_auth_config *conf;
4576 int len = 0, ret;
4577 char pmkid_txt[PMKID_LEN * 2 + 1];
4578 #ifdef CONFIG_RSN_PREAUTH
4579 const int preauth = 1;
4580 #else /* CONFIG_RSN_PREAUTH */
4581 const int preauth = 0;
4582 #endif /* CONFIG_RSN_PREAUTH */
4583
4584 if (!wpa_auth)
4585 return len;
4586 conf = &wpa_auth->conf;
4587
4588 ret = os_snprintf(buf + len, buflen - len,
4589 "dot11RSNAOptionImplemented=TRUE\n"
4590 "dot11RSNAPreauthenticationImplemented=%s\n"
4591 "dot11RSNAEnabled=%s\n"
4592 "dot11RSNAPreauthenticationEnabled=%s\n",
4593 wpa_bool_txt(preauth),
4594 wpa_bool_txt(conf->wpa & WPA_PROTO_RSN),
4595 wpa_bool_txt(conf->rsn_preauth));
4596 if (os_snprintf_error(buflen - len, ret))
4597 return len;
4598 len += ret;
4599
4600 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
4601 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
4602
4603 ret = os_snprintf(
4604 buf + len, buflen - len,
4605 "dot11RSNAConfigVersion=%u\n"
4606 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
4607 /* FIX: dot11RSNAConfigGroupCipher */
4608 /* FIX: dot11RSNAConfigGroupRekeyMethod */
4609 /* FIX: dot11RSNAConfigGroupRekeyTime */
4610 /* FIX: dot11RSNAConfigGroupRekeyPackets */
4611 "dot11RSNAConfigGroupRekeyStrict=%u\n"
4612 "dot11RSNAConfigGroupUpdateCount=%u\n"
4613 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
4614 "dot11RSNAConfigGroupCipherSize=%u\n"
4615 "dot11RSNAConfigPMKLifetime=%u\n"
4616 "dot11RSNAConfigPMKReauthThreshold=%u\n"
4617 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
4618 "dot11RSNAConfigSATimeout=%u\n"
4619 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
4620 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
4621 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
4622 "dot11RSNAPMKIDUsed=%s\n"
4623 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
4624 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
4625 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
4626 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
4627 "dot11RSNA4WayHandshakeFailures=%u\n"
4628 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
4629 RSN_VERSION,
4630 !!conf->wpa_strict_rekey,
4631 conf->wpa_group_update_count,
4632 conf->wpa_pairwise_update_count,
4633 wpa_cipher_key_len(conf->wpa_group) * 8,
4634 dot11RSNAConfigPMKLifetime,
4635 dot11RSNAConfigPMKReauthThreshold,
4636 dot11RSNAConfigSATimeout,
4637 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
4638 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
4639 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
4640 pmkid_txt,
4641 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
4642 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
4643 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
4644 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
4645 wpa_auth->dot11RSNA4WayHandshakeFailures);
4646 if (os_snprintf_error(buflen - len, ret))
4647 return len;
4648 len += ret;
4649
4650 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
4651 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
4652
4653 /* Private MIB */
4654 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
4655 wpa_auth->group->wpa_group_state);
4656 if (os_snprintf_error(buflen - len, ret))
4657 return len;
4658 len += ret;
4659
4660 return len;
4661 }
4662
4663
wpa_get_mib_sta(struct wpa_state_machine * sm,char * buf,size_t buflen)4664 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
4665 {
4666 int len = 0, ret;
4667 u32 pairwise = 0;
4668
4669 if (!sm)
4670 return 0;
4671
4672 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
4673
4674 /* dot11RSNAStatsEntry */
4675
4676 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
4677 WPA_PROTO_RSN : WPA_PROTO_WPA,
4678 sm->pairwise);
4679 if (pairwise == 0)
4680 return 0;
4681
4682 ret = os_snprintf(
4683 buf + len, buflen - len,
4684 /* TODO: dot11RSNAStatsIndex */
4685 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
4686 "dot11RSNAStatsVersion=1\n"
4687 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
4688 /* TODO: dot11RSNAStatsTKIPICVErrors */
4689 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
4690 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
4691 /* TODO: dot11RSNAStatsCCMPReplays */
4692 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
4693 /* TODO: dot11RSNAStatsTKIPReplays */,
4694 MAC2STR(sm->addr),
4695 RSN_SUITE_ARG(pairwise),
4696 sm->dot11RSNAStatsTKIPLocalMICFailures,
4697 sm->dot11RSNAStatsTKIPRemoteMICFailures);
4698 if (os_snprintf_error(buflen - len, ret))
4699 return len;
4700 len += ret;
4701
4702 /* Private MIB */
4703 ret = os_snprintf(buf + len, buflen - len,
4704 "wpa=%d\n"
4705 "AKMSuiteSelector=" RSN_SUITE "\n"
4706 "hostapdWPAPTKState=%d\n"
4707 "hostapdWPAPTKGroupState=%d\n",
4708 sm->wpa,
4709 RSN_SUITE_ARG(wpa_akm_to_suite(sm->wpa_key_mgmt)),
4710 sm->wpa_ptk_state,
4711 sm->wpa_ptk_group_state);
4712 if (os_snprintf_error(buflen - len, ret))
4713 return len;
4714 len += ret;
4715
4716 return len;
4717 }
4718
4719
wpa_auth_countermeasures_start(struct wpa_authenticator * wpa_auth)4720 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
4721 {
4722 if (wpa_auth)
4723 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
4724 }
4725
4726
wpa_auth_pairwise_set(struct wpa_state_machine * sm)4727 int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
4728 {
4729 return sm && sm->pairwise_set;
4730 }
4731
4732
wpa_auth_get_pairwise(struct wpa_state_machine * sm)4733 int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
4734 {
4735 return sm->pairwise;
4736 }
4737
4738
wpa_auth_get_pmk(struct wpa_state_machine * sm,int * len)4739 const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len)
4740 {
4741 if (!sm)
4742 return NULL;
4743 *len = sm->pmk_len;
4744 return sm->PMK;
4745 }
4746
4747
wpa_auth_sta_key_mgmt(struct wpa_state_machine * sm)4748 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
4749 {
4750 if (!sm)
4751 return -1;
4752 return sm->wpa_key_mgmt;
4753 }
4754
4755
wpa_auth_sta_wpa_version(struct wpa_state_machine * sm)4756 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
4757 {
4758 if (!sm)
4759 return 0;
4760 return sm->wpa;
4761 }
4762
4763
wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine * sm)4764 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
4765 {
4766 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
4767 return 0;
4768 return sm->tk_already_set;
4769 }
4770
4771
wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine * sm)4772 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm)
4773 {
4774 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt))
4775 return 0;
4776 return sm->tk_already_set;
4777 }
4778
4779
wpa_auth_sta_clear_pmksa(struct wpa_state_machine * sm,struct rsn_pmksa_cache_entry * entry)4780 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
4781 struct rsn_pmksa_cache_entry *entry)
4782 {
4783 if (!sm || sm->pmksa != entry)
4784 return -1;
4785 sm->pmksa = NULL;
4786 return 0;
4787 }
4788
4789
4790 struct rsn_pmksa_cache_entry *
wpa_auth_sta_get_pmksa(struct wpa_state_machine * sm)4791 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
4792 {
4793 return sm ? sm->pmksa : NULL;
4794 }
4795
4796
wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine * sm)4797 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
4798 {
4799 if (sm)
4800 sm->dot11RSNAStatsTKIPLocalMICFailures++;
4801 }
4802
4803
wpa_auth_get_wpa_ie(struct wpa_authenticator * wpa_auth,size_t * len)4804 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
4805 {
4806 if (!wpa_auth)
4807 return NULL;
4808 *len = wpa_auth->wpa_ie_len;
4809 return wpa_auth->wpa_ie;
4810 }
4811
4812
wpa_auth_pmksa_add(struct wpa_state_machine * sm,const u8 * pmk,unsigned int pmk_len,int session_timeout,struct eapol_state_machine * eapol)4813 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
4814 unsigned int pmk_len,
4815 int session_timeout, struct eapol_state_machine *eapol)
4816 {
4817 if (!sm || sm->wpa != WPA_VERSION_WPA2 ||
4818 sm->wpa_auth->conf.disable_pmksa_caching)
4819 return -1;
4820
4821 #ifdef CONFIG_IEEE80211R_AP
4822 if (pmk_len >= 2 * PMK_LEN && wpa_key_mgmt_ft(sm->wpa_key_mgmt) &&
4823 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
4824 !wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
4825 /* Cache MPMK/XXKey instead of initial part from MSK */
4826 pmk = pmk + PMK_LEN;
4827 pmk_len = PMK_LEN;
4828 } else
4829 #endif /* CONFIG_IEEE80211R_AP */
4830 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
4831 if (pmk_len > PMK_LEN_SUITE_B_192)
4832 pmk_len = PMK_LEN_SUITE_B_192;
4833 } else if (pmk_len > PMK_LEN) {
4834 pmk_len = PMK_LEN;
4835 }
4836
4837 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK", pmk, pmk_len);
4838 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
4839 sm->PTK.kck, sm->PTK.kck_len,
4840 sm->wpa_auth->addr, sm->addr, session_timeout,
4841 eapol, sm->wpa_key_mgmt))
4842 return 0;
4843
4844 return -1;
4845 }
4846
4847
wpa_auth_pmksa_add_preauth(struct wpa_authenticator * wpa_auth,const u8 * pmk,size_t len,const u8 * sta_addr,int session_timeout,struct eapol_state_machine * eapol)4848 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
4849 const u8 *pmk, size_t len, const u8 *sta_addr,
4850 int session_timeout,
4851 struct eapol_state_machine *eapol)
4852 {
4853 if (!wpa_auth)
4854 return -1;
4855
4856 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from preauth", pmk, len);
4857 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
4858 NULL, 0,
4859 wpa_auth->addr,
4860 sta_addr, session_timeout, eapol,
4861 WPA_KEY_MGMT_IEEE8021X))
4862 return 0;
4863
4864 return -1;
4865 }
4866
4867
wpa_auth_pmksa_add_sae(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * pmk,const u8 * pmkid)4868 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
4869 const u8 *pmk, const u8 *pmkid)
4870 {
4871 if (wpa_auth->conf.disable_pmksa_caching)
4872 return -1;
4873
4874 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE", pmk, PMK_LEN);
4875 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
4876 NULL, 0,
4877 wpa_auth->addr, addr, 0, NULL,
4878 WPA_KEY_MGMT_SAE))
4879 return 0;
4880
4881 return -1;
4882 }
4883
4884
wpa_auth_add_sae_pmkid(struct wpa_state_machine * sm,const u8 * pmkid)4885 void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid)
4886 {
4887 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
4888 sm->pmkid_set = 1;
4889 }
4890
4891
wpa_auth_pmksa_add2(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * pmk,size_t pmk_len,const u8 * pmkid,int session_timeout,int akmp)4892 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
4893 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
4894 int session_timeout, int akmp)
4895 {
4896 if (!wpa_auth || wpa_auth->conf.disable_pmksa_caching)
4897 return -1;
4898
4899 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (2)", pmk, PMK_LEN);
4900 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
4901 NULL, 0, wpa_auth->addr, addr, session_timeout,
4902 NULL, akmp))
4903 return 0;
4904
4905 return -1;
4906 }
4907
4908
wpa_auth_pmksa_remove(struct wpa_authenticator * wpa_auth,const u8 * sta_addr)4909 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
4910 const u8 *sta_addr)
4911 {
4912 struct rsn_pmksa_cache_entry *pmksa;
4913
4914 if (!wpa_auth || !wpa_auth->pmksa)
4915 return;
4916 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
4917 if (pmksa) {
4918 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
4919 MACSTR " based on request", MAC2STR(sta_addr));
4920 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
4921 }
4922 }
4923
4924
wpa_auth_pmksa_list(struct wpa_authenticator * wpa_auth,char * buf,size_t len)4925 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
4926 size_t len)
4927 {
4928 if (!wpa_auth || !wpa_auth->pmksa)
4929 return 0;
4930 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
4931 }
4932
4933
wpa_auth_pmksa_flush(struct wpa_authenticator * wpa_auth)4934 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
4935 {
4936 if (wpa_auth && wpa_auth->pmksa)
4937 pmksa_cache_auth_flush(wpa_auth->pmksa);
4938 }
4939
4940
4941 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL
4942 #ifdef CONFIG_MESH
4943
wpa_auth_pmksa_list_mesh(struct wpa_authenticator * wpa_auth,const u8 * addr,char * buf,size_t len)4944 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
4945 char *buf, size_t len)
4946 {
4947 if (!wpa_auth || !wpa_auth->pmksa)
4948 return 0;
4949
4950 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
4951 }
4952
4953
4954 struct rsn_pmksa_cache_entry *
wpa_auth_pmksa_create_entry(const u8 * aa,const u8 * spa,const u8 * pmk,const u8 * pmkid,int expiration)4955 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
4956 const u8 *pmkid, int expiration)
4957 {
4958 struct rsn_pmksa_cache_entry *entry;
4959 struct os_reltime now;
4960
4961 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa,
4962 spa, 0, NULL, WPA_KEY_MGMT_SAE);
4963 if (!entry)
4964 return NULL;
4965
4966 os_get_reltime(&now);
4967 entry->expiration = now.sec + expiration;
4968 return entry;
4969 }
4970
4971
wpa_auth_pmksa_add_entry(struct wpa_authenticator * wpa_auth,struct rsn_pmksa_cache_entry * entry)4972 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
4973 struct rsn_pmksa_cache_entry *entry)
4974 {
4975 int ret;
4976
4977 if (!wpa_auth || !wpa_auth->pmksa)
4978 return -1;
4979
4980 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
4981 if (ret < 0)
4982 wpa_printf(MSG_DEBUG,
4983 "RSN: Failed to store external PMKSA cache for "
4984 MACSTR, MAC2STR(entry->spa));
4985
4986 return ret;
4987 }
4988
4989 #endif /* CONFIG_MESH */
4990 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
4991
4992
4993 struct rsn_pmksa_cache_entry *
wpa_auth_pmksa_get(struct wpa_authenticator * wpa_auth,const u8 * sta_addr,const u8 * pmkid)4994 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
4995 const u8 *pmkid)
4996 {
4997 if (!wpa_auth || !wpa_auth->pmksa)
4998 return NULL;
4999 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
5000 }
5001
5002
wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry * pmksa,struct wpa_state_machine * sm,struct wpa_authenticator * wpa_auth,u8 * pmkid,u8 * pmk)5003 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
5004 struct wpa_state_machine *sm,
5005 struct wpa_authenticator *wpa_auth,
5006 u8 *pmkid, u8 *pmk)
5007 {
5008 if (!sm)
5009 return;
5010
5011 sm->pmksa = pmksa;
5012 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
5013 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
5014 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
5015 }
5016
5017
5018 /*
5019 * Remove and free the group from wpa_authenticator. This is triggered by a
5020 * callback to make sure nobody is currently iterating the group list while it
5021 * gets modified.
5022 */
wpa_group_free(struct wpa_authenticator * wpa_auth,struct wpa_group * group)5023 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
5024 struct wpa_group *group)
5025 {
5026 struct wpa_group *prev = wpa_auth->group;
5027
5028 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
5029 group->vlan_id);
5030
5031 while (prev) {
5032 if (prev->next == group) {
5033 /* This never frees the special first group as needed */
5034 prev->next = group->next;
5035 os_free(group);
5036 break;
5037 }
5038 prev = prev->next;
5039 }
5040
5041 }
5042
5043
5044 /* Increase the reference counter for group */
wpa_group_get(struct wpa_authenticator * wpa_auth,struct wpa_group * group)5045 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
5046 struct wpa_group *group)
5047 {
5048 /* Skip the special first group */
5049 if (wpa_auth->group == group)
5050 return;
5051
5052 group->references++;
5053 }
5054
5055
5056 /* Decrease the reference counter and maybe free the group */
wpa_group_put(struct wpa_authenticator * wpa_auth,struct wpa_group * group)5057 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
5058 struct wpa_group *group)
5059 {
5060 /* Skip the special first group */
5061 if (wpa_auth->group == group)
5062 return;
5063
5064 group->references--;
5065 if (group->references)
5066 return;
5067 wpa_group_free(wpa_auth, group);
5068 }
5069
5070
5071 /*
5072 * Add a group that has its references counter set to zero. Caller needs to
5073 * call wpa_group_get() on the return value to mark the entry in use.
5074 */
5075 static struct wpa_group *
wpa_auth_add_group(struct wpa_authenticator * wpa_auth,int vlan_id)5076 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
5077 {
5078 struct wpa_group *group;
5079
5080 if (!wpa_auth || !wpa_auth->group)
5081 return NULL;
5082
5083 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
5084 vlan_id);
5085 group = wpa_group_init(wpa_auth, vlan_id, 0);
5086 if (!group)
5087 return NULL;
5088
5089 group->next = wpa_auth->group->next;
5090 wpa_auth->group->next = group;
5091
5092 return group;
5093 }
5094
5095
5096 /*
5097 * Enforce that the group state machine for the VLAN is running, increase
5098 * reference counter as interface is up. References might have been increased
5099 * even if a negative value is returned.
5100 * Returns: -1 on error (group missing, group already failed); otherwise, 0
5101 */
wpa_auth_ensure_group(struct wpa_authenticator * wpa_auth,int vlan_id)5102 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
5103 {
5104 struct wpa_group *group;
5105
5106 if (!wpa_auth)
5107 return 0;
5108
5109 group = wpa_auth->group;
5110 while (group) {
5111 if (group->vlan_id == vlan_id)
5112 break;
5113 group = group->next;
5114 }
5115
5116 if (!group) {
5117 group = wpa_auth_add_group(wpa_auth, vlan_id);
5118 if (!group)
5119 return -1;
5120 }
5121
5122 wpa_printf(MSG_DEBUG,
5123 "WPA: Ensure group state machine running for VLAN ID %d",
5124 vlan_id);
5125
5126 wpa_group_get(wpa_auth, group);
5127 group->num_setup_iface++;
5128
5129 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
5130 return -1;
5131
5132 return 0;
5133 }
5134
5135
5136 /*
5137 * Decrease reference counter, expected to be zero afterwards.
5138 * returns: -1 on error (group not found, group in fail state)
5139 * -2 if wpa_group is still referenced
5140 * 0 else
5141 */
wpa_auth_release_group(struct wpa_authenticator * wpa_auth,int vlan_id)5142 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
5143 {
5144 struct wpa_group *group;
5145 int ret = 0;
5146
5147 if (!wpa_auth)
5148 return 0;
5149
5150 group = wpa_auth->group;
5151 while (group) {
5152 if (group->vlan_id == vlan_id)
5153 break;
5154 group = group->next;
5155 }
5156
5157 if (!group)
5158 return -1;
5159
5160 wpa_printf(MSG_DEBUG,
5161 "WPA: Try stopping group state machine for VLAN ID %d",
5162 vlan_id);
5163
5164 if (group->num_setup_iface <= 0) {
5165 wpa_printf(MSG_ERROR,
5166 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
5167 vlan_id);
5168 return -1;
5169 }
5170 group->num_setup_iface--;
5171
5172 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
5173 ret = -1;
5174
5175 if (group->references > 1) {
5176 wpa_printf(MSG_DEBUG,
5177 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
5178 vlan_id);
5179 ret = -2;
5180 }
5181
5182 wpa_group_put(wpa_auth, group);
5183
5184 return ret;
5185 }
5186
5187
wpa_auth_sta_set_vlan(struct wpa_state_machine * sm,int vlan_id)5188 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
5189 {
5190 struct wpa_group *group;
5191
5192 if (!sm || !sm->wpa_auth)
5193 return 0;
5194
5195 group = sm->wpa_auth->group;
5196 while (group) {
5197 if (group->vlan_id == vlan_id)
5198 break;
5199 group = group->next;
5200 }
5201
5202 if (!group) {
5203 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
5204 if (!group)
5205 return -1;
5206 }
5207
5208 if (sm->group == group)
5209 return 0;
5210
5211 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
5212 return -1;
5213
5214 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR
5215 " to use group state machine for VLAN ID %d",
5216 MAC2STR(sm->addr), vlan_id);
5217
5218 wpa_group_get(sm->wpa_auth, group);
5219 wpa_group_put(sm->wpa_auth, sm->group);
5220 sm->group = group;
5221
5222 return 0;
5223 }
5224
5225
wpa_auth_eapol_key_tx_status(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int ack)5226 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
5227 struct wpa_state_machine *sm, int ack)
5228 {
5229 if (!wpa_auth || !sm)
5230 return;
5231 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
5232 " ack=%d", MAC2STR(sm->addr), ack);
5233 if (sm->pending_1_of_4_timeout && ack) {
5234 /*
5235 * Some deployed supplicant implementations update their SNonce
5236 * for each EAPOL-Key 2/4 message even within the same 4-way
5237 * handshake and then fail to use the first SNonce when
5238 * deriving the PTK. This results in unsuccessful 4-way
5239 * handshake whenever the relatively short initial timeout is
5240 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
5241 * around this by increasing the timeout now that we know that
5242 * the station has received the frame.
5243 */
5244 int timeout_ms = eapol_key_timeout_subseq;
5245 wpa_printf(MSG_DEBUG,
5246 "WPA: Increase initial EAPOL-Key 1/4 timeout by %u ms because of acknowledged frame",
5247 timeout_ms);
5248 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
5249 eloop_register_timeout(timeout_ms / 1000,
5250 (timeout_ms % 1000) * 1000,
5251 wpa_send_eapol_timeout, wpa_auth, sm);
5252 }
5253
5254 #ifdef CONFIG_TESTING_OPTIONS
5255 if (sm->eapol_status_cb) {
5256 sm->eapol_status_cb(sm->eapol_status_cb_ctx1,
5257 sm->eapol_status_cb_ctx2);
5258 sm->eapol_status_cb = NULL;
5259 }
5260 #endif /* CONFIG_TESTING_OPTIONS */
5261 }
5262
5263
wpa_auth_uses_sae(struct wpa_state_machine * sm)5264 int wpa_auth_uses_sae(struct wpa_state_machine *sm)
5265 {
5266 if (!sm)
5267 return 0;
5268 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
5269 }
5270
5271
wpa_auth_uses_ft_sae(struct wpa_state_machine * sm)5272 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
5273 {
5274 if (!sm)
5275 return 0;
5276 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
5277 }
5278
5279
5280 #ifdef CONFIG_P2P
wpa_auth_get_ip_addr(struct wpa_state_machine * sm,u8 * addr)5281 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
5282 {
5283 if (!sm || WPA_GET_BE32(sm->ip_addr) == 0)
5284 return -1;
5285 os_memcpy(addr, sm->ip_addr, 4);
5286 return 0;
5287 }
5288 #endif /* CONFIG_P2P */
5289
5290
wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator * wpa_auth,struct radius_das_attrs * attr)5291 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
5292 struct radius_das_attrs *attr)
5293 {
5294 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
5295 }
5296
5297
wpa_auth_reconfig_group_keys(struct wpa_authenticator * wpa_auth)5298 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
5299 {
5300 struct wpa_group *group;
5301
5302 if (!wpa_auth)
5303 return;
5304 for (group = wpa_auth->group; group; group = group->next)
5305 wpa_group_config_group_keys(wpa_auth, group);
5306 }
5307
5308
5309 #ifdef CONFIG_FILS
5310
5311 struct wpa_auth_fils_iter_data {
5312 struct wpa_authenticator *auth;
5313 const u8 *cache_id;
5314 struct rsn_pmksa_cache_entry *pmksa;
5315 const u8 *spa;
5316 const u8 *pmkid;
5317 };
5318
5319
wpa_auth_fils_iter(struct wpa_authenticator * a,void * ctx)5320 static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
5321 {
5322 struct wpa_auth_fils_iter_data *data = ctx;
5323
5324 if (a == data->auth || !a->conf.fils_cache_id_set ||
5325 os_memcmp(a->conf.fils_cache_id, data->cache_id,
5326 FILS_CACHE_ID_LEN) != 0)
5327 return 0;
5328 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
5329 return data->pmksa != NULL;
5330 }
5331
5332
5333 struct rsn_pmksa_cache_entry *
wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator * wpa_auth,const u8 * sta_addr,const u8 * pmkid)5334 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
5335 const u8 *sta_addr, const u8 *pmkid)
5336 {
5337 struct wpa_auth_fils_iter_data idata;
5338
5339 if (!wpa_auth->conf.fils_cache_id_set)
5340 return NULL;
5341 idata.auth = wpa_auth;
5342 idata.cache_id = wpa_auth->conf.fils_cache_id;
5343 idata.pmksa = NULL;
5344 idata.spa = sta_addr;
5345 idata.pmkid = pmkid;
5346 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
5347 return idata.pmksa;
5348 }
5349
5350
5351 #ifdef CONFIG_IEEE80211R_AP
wpa_auth_write_fte(struct wpa_authenticator * wpa_auth,int use_sha384,u8 * buf,size_t len)5352 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, int use_sha384,
5353 u8 *buf, size_t len)
5354 {
5355 struct wpa_auth_config *conf = &wpa_auth->conf;
5356
5357 return wpa_write_ftie(conf, use_sha384, conf->r0_key_holder,
5358 conf->r0_key_holder_len,
5359 NULL, NULL, buf, len, NULL, 0, 0);
5360 }
5361 #endif /* CONFIG_IEEE80211R_AP */
5362
5363
wpa_auth_get_fils_aead_params(struct wpa_state_machine * sm,u8 * fils_anonce,u8 * fils_snonce,u8 * fils_kek,size_t * fils_kek_len)5364 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
5365 u8 *fils_anonce, u8 *fils_snonce,
5366 u8 *fils_kek, size_t *fils_kek_len)
5367 {
5368 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
5369 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
5370 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
5371 *fils_kek_len = sm->PTK.kek_len;
5372 }
5373
5374
wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid)5375 void wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine *sm, const u8 *pmk,
5376 size_t pmk_len, const u8 *pmkid)
5377 {
5378 os_memcpy(sm->PMK, pmk, pmk_len);
5379 sm->pmk_len = pmk_len;
5380 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
5381 sm->pmkid_set = 1;
5382 }
5383
5384 #endif /* CONFIG_FILS */
5385
5386
wpa_auth_set_auth_alg(struct wpa_state_machine * sm,u16 auth_alg)5387 void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg)
5388 {
5389 if (sm)
5390 sm->auth_alg = auth_alg;
5391 }
5392
5393
5394 #ifdef CONFIG_DPP2
wpa_auth_set_dpp_z(struct wpa_state_machine * sm,const struct wpabuf * z)5395 void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z)
5396 {
5397 if (sm) {
5398 wpabuf_clear_free(sm->dpp_z);
5399 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
5400 }
5401 }
5402 #endif /* CONFIG_DPP2 */
5403
5404
wpa_auth_set_transition_disable(struct wpa_authenticator * wpa_auth,u8 val)5405 void wpa_auth_set_transition_disable(struct wpa_authenticator *wpa_auth,
5406 u8 val)
5407 {
5408 if (wpa_auth)
5409 wpa_auth->conf.transition_disable = val;
5410 }
5411
5412
5413 #ifdef CONFIG_TESTING_OPTIONS
5414
wpa_auth_resend_m1(struct wpa_state_machine * sm,int change_anonce,void (* cb)(void * ctx1,void * ctx2),void * ctx1,void * ctx2)5415 int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce,
5416 void (*cb)(void *ctx1, void *ctx2),
5417 void *ctx1, void *ctx2)
5418 {
5419 const u8 *anonce = sm->ANonce;
5420 u8 anonce_buf[WPA_NONCE_LEN];
5421
5422 if (change_anonce) {
5423 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN))
5424 return -1;
5425 anonce = anonce_buf;
5426 }
5427
5428 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
5429 "sending 1/4 msg of 4-Way Handshake (TESTING)");
5430 wpa_send_eapol(sm->wpa_auth, sm,
5431 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
5432 anonce, NULL, 0, 0, 0);
5433 return 0;
5434 }
5435
5436
wpa_auth_resend_m3(struct wpa_state_machine * sm,void (* cb)(void * ctx1,void * ctx2),void * ctx1,void * ctx2)5437 int wpa_auth_resend_m3(struct wpa_state_machine *sm,
5438 void (*cb)(void *ctx1, void *ctx2),
5439 void *ctx1, void *ctx2)
5440 {
5441 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos;
5442 u8 *opos;
5443 size_t gtk_len, kde_len;
5444 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
5445 struct wpa_group *gsm = sm->group;
5446 u8 *wpa_ie;
5447 int wpa_ie_len, secure, gtkidx, encr = 0;
5448 u8 hdr[2];
5449
5450 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
5451 GTK[GN], IGTK, [BIGTK], [FTIE], [TIE * 2])
5452 */
5453
5454 /* Use 0 RSC */
5455 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
5456 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
5457 wpa_ie = sm->wpa_auth->wpa_ie;
5458 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
5459 if (sm->wpa == WPA_VERSION_WPA &&
5460 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
5461 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
5462 /* WPA-only STA, remove RSN IE and possible MDIE */
5463 wpa_ie = wpa_ie + wpa_ie[1] + 2;
5464 if (wpa_ie[0] == WLAN_EID_RSNX)
5465 wpa_ie = wpa_ie + wpa_ie[1] + 2;
5466 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
5467 wpa_ie = wpa_ie + wpa_ie[1] + 2;
5468 wpa_ie_len = wpa_ie[1] + 2;
5469 }
5470 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
5471 "sending 3/4 msg of 4-Way Handshake (TESTING)");
5472 if (sm->wpa == WPA_VERSION_WPA2) {
5473 /* WPA2 send GTK in the 4-way handshake */
5474 secure = 1;
5475 gtk = gsm->GTK[gsm->GN - 1];
5476 gtk_len = gsm->GTK_len;
5477 gtkidx = gsm->GN;
5478 _rsc = rsc;
5479 encr = 1;
5480 } else {
5481 /* WPA does not include GTK in msg 3/4 */
5482 secure = 0;
5483 gtk = NULL;
5484 gtk_len = 0;
5485 _rsc = NULL;
5486 if (sm->rx_eapol_key_secure) {
5487 /*
5488 * It looks like Windows 7 supplicant tries to use
5489 * Secure bit in msg 2/4 after having reported Michael
5490 * MIC failure and it then rejects the 4-way handshake
5491 * if msg 3/4 does not set Secure bit. Work around this
5492 * by setting the Secure bit here even in the case of
5493 * WPA if the supplicant used it first.
5494 */
5495 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
5496 "STA used Secure bit in WPA msg 2/4 - set Secure for 3/4 as workaround");
5497 secure = 1;
5498 }
5499 }
5500
5501 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
5502
5503 if (sm->use_ext_key_id)
5504 kde_len += 2 + RSN_SELECTOR_LEN + 2;
5505
5506 if (gtk)
5507 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
5508 #ifdef CONFIG_IEEE80211R_AP
5509 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5510 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
5511 kde_len += 300; /* FTIE + 2 * TIE */
5512 }
5513 #endif /* CONFIG_IEEE80211R_AP */
5514 kde = os_malloc(kde_len);
5515 if (!kde)
5516 return -1;
5517
5518 pos = kde;
5519 os_memcpy(pos, wpa_ie, wpa_ie_len);
5520 pos += wpa_ie_len;
5521 #ifdef CONFIG_IEEE80211R_AP
5522 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5523 int res;
5524 size_t elen;
5525
5526 elen = pos - kde;
5527 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
5528 if (res < 0) {
5529 wpa_printf(MSG_ERROR,
5530 "FT: Failed to insert PMKR1Name into RSN IE in EAPOL-Key data");
5531 os_free(kde);
5532 return -1;
5533 }
5534 pos -= wpa_ie_len;
5535 pos += elen;
5536 }
5537 #endif /* CONFIG_IEEE80211R_AP */
5538 hdr[1] = 0;
5539
5540 if (sm->use_ext_key_id) {
5541 hdr[0] = sm->keyidx_active & 0x01;
5542 pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0);
5543 }
5544
5545 if (gtk) {
5546 hdr[0] = gtkidx & 0x03;
5547 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5548 gtk, gtk_len);
5549 }
5550 opos = pos;
5551 pos = ieee80211w_kde_add(sm, pos);
5552 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
5553 /* skip KDE header and keyid */
5554 opos += 2 + RSN_SELECTOR_LEN + 2;
5555 os_memset(opos, 0, 6); /* clear PN */
5556 }
5557 if (ocv_oci_add(sm, &pos, conf->oci_freq_override_eapol_m3) < 0) {
5558 os_free(kde);
5559 return -1;
5560 }
5561
5562 #ifdef CONFIG_IEEE80211R_AP
5563 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5564 int res;
5565
5566 if (sm->assoc_resp_ftie &&
5567 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
5568 os_memcpy(pos, sm->assoc_resp_ftie,
5569 2 + sm->assoc_resp_ftie[1]);
5570 res = 2 + sm->assoc_resp_ftie[1];
5571 } else {
5572 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
5573
5574 res = wpa_write_ftie(conf, use_sha384,
5575 conf->r0_key_holder,
5576 conf->r0_key_holder_len,
5577 NULL, NULL, pos,
5578 kde + kde_len - pos,
5579 NULL, 0, 0);
5580 }
5581 if (res < 0) {
5582 wpa_printf(MSG_ERROR,
5583 "FT: Failed to insert FTIE into EAPOL-Key Key Data");
5584 os_free(kde);
5585 return -1;
5586 }
5587 pos += res;
5588
5589 /* TIE[ReassociationDeadline] (TU) */
5590 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
5591 *pos++ = 5;
5592 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
5593 WPA_PUT_LE32(pos, conf->reassociation_deadline);
5594 pos += 4;
5595
5596 /* TIE[KeyLifetime] (seconds) */
5597 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
5598 *pos++ = 5;
5599 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
5600 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
5601 pos += 4;
5602 }
5603 #endif /* CONFIG_IEEE80211R_AP */
5604
5605 wpa_send_eapol(sm->wpa_auth, sm,
5606 (secure ? WPA_KEY_INFO_SECURE : 0) |
5607 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5608 WPA_KEY_INFO_MIC : 0) |
5609 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
5610 WPA_KEY_INFO_KEY_TYPE,
5611 _rsc, sm->ANonce, kde, pos - kde, 0, encr);
5612 bin_clear_free(kde, kde_len);
5613 return 0;
5614 }
5615
5616
wpa_auth_resend_group_m1(struct wpa_state_machine * sm,void (* cb)(void * ctx1,void * ctx2),void * ctx1,void * ctx2)5617 int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
5618 void (*cb)(void *ctx1, void *ctx2),
5619 void *ctx1, void *ctx2)
5620 {
5621 u8 rsc[WPA_KEY_RSC_LEN];
5622 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
5623 struct wpa_group *gsm = sm->group;
5624 const u8 *kde;
5625 u8 *kde_buf = NULL, *pos, hdr[2];
5626 u8 *opos;
5627 size_t kde_len;
5628 u8 *gtk;
5629
5630 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
5631 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
5632 /* Use 0 RSC */
5633 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
5634 "sending 1/2 msg of Group Key Handshake (TESTING)");
5635
5636 gtk = gsm->GTK[gsm->GN - 1];
5637 if (sm->wpa == WPA_VERSION_WPA2) {
5638 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
5639 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
5640 kde_buf = os_malloc(kde_len);
5641 if (!kde_buf)
5642 return -1;
5643
5644 kde = pos = kde_buf;
5645 hdr[0] = gsm->GN & 0x03;
5646 hdr[1] = 0;
5647 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5648 gtk, gsm->GTK_len);
5649 opos = pos;
5650 pos = ieee80211w_kde_add(sm, pos);
5651 if (pos - opos >=
5652 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
5653 /* skip KDE header and keyid */
5654 opos += 2 + RSN_SELECTOR_LEN + 2;
5655 os_memset(opos, 0, 6); /* clear PN */
5656 }
5657 if (ocv_oci_add(sm, &pos,
5658 conf->oci_freq_override_eapol_g1) < 0) {
5659 os_free(kde_buf);
5660 return -1;
5661 }
5662 kde_len = pos - kde;
5663 } else {
5664 kde = gtk;
5665 kde_len = gsm->GTK_len;
5666 }
5667
5668 sm->eapol_status_cb = cb;
5669 sm->eapol_status_cb_ctx1 = ctx1;
5670 sm->eapol_status_cb_ctx2 = ctx2;
5671
5672 wpa_send_eapol(sm->wpa_auth, sm,
5673 WPA_KEY_INFO_SECURE |
5674 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5675 WPA_KEY_INFO_MIC : 0) |
5676 WPA_KEY_INFO_ACK |
5677 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
5678 rsc, NULL, kde, kde_len, gsm->GN, 1);
5679
5680 bin_clear_free(kde_buf, kde_len);
5681 return 0;
5682 }
5683
5684
wpa_auth_rekey_gtk(struct wpa_authenticator * wpa_auth)5685 int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth)
5686 {
5687 if (!wpa_auth)
5688 return -1;
5689 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
5690 return eloop_register_timeout(0, 0, wpa_rekey_gtk, wpa_auth, NULL);
5691 }
5692
5693
wpa_auth_rekey_ptk(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm)5694 int wpa_auth_rekey_ptk(struct wpa_authenticator *wpa_auth,
5695 struct wpa_state_machine *sm)
5696 {
5697 if (!wpa_auth || !sm)
5698 return -1;
5699 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
5700 wpa_request_new_ptk(sm);
5701 wpa_sm_step(sm);
5702 return 0;
5703 }
5704
5705
wpa_auth_set_ft_rsnxe_used(struct wpa_authenticator * wpa_auth,int val)5706 void wpa_auth_set_ft_rsnxe_used(struct wpa_authenticator *wpa_auth, int val)
5707 {
5708 if (wpa_auth)
5709 wpa_auth->conf.ft_rsnxe_used = val;
5710 }
5711
5712
wpa_auth_set_ocv_override_freq(struct wpa_authenticator * wpa_auth,enum wpa_auth_ocv_override_frame frame,unsigned int freq)5713 void wpa_auth_set_ocv_override_freq(struct wpa_authenticator *wpa_auth,
5714 enum wpa_auth_ocv_override_frame frame,
5715 unsigned int freq)
5716 {
5717 if (!wpa_auth)
5718 return;
5719 switch (frame) {
5720 case WPA_AUTH_OCV_OVERRIDE_EAPOL_M3:
5721 wpa_auth->conf.oci_freq_override_eapol_m3 = freq;
5722 break;
5723 case WPA_AUTH_OCV_OVERRIDE_EAPOL_G1:
5724 wpa_auth->conf.oci_freq_override_eapol_g1 = freq;
5725 break;
5726 case WPA_AUTH_OCV_OVERRIDE_FT_ASSOC:
5727 wpa_auth->conf.oci_freq_override_ft_assoc = freq;
5728 break;
5729 case WPA_AUTH_OCV_OVERRIDE_FILS_ASSOC:
5730 wpa_auth->conf.oci_freq_override_fils_assoc = freq;
5731 break;
5732 }
5733 }
5734
wpa_auth_set_skip_send_eapol(struct wpa_authenticator * wpa_auth,u8 val)5735 void wpa_auth_set_skip_send_eapol(struct wpa_authenticator *wpa_auth,
5736 u8 val)
5737 {
5738 if (wpa_auth)
5739 wpa_auth->conf.skip_send_eapol = val;
5740 }
5741
wpa_auth_set_enable_eapol_large_timeout(struct wpa_authenticator * wpa_auth,u8 val)5742 void wpa_auth_set_enable_eapol_large_timeout(struct wpa_authenticator *wpa_auth,
5743 u8 val)
5744 {
5745 if (wpa_auth)
5746 wpa_auth->conf.enable_eapol_large_timeout = val;
5747 }
5748
5749
5750 #endif /* CONFIG_TESTING_OPTIONS */
5751
5752
wpa_auth_sta_radius_psk_resp(struct wpa_state_machine * sm,bool success)5753 void wpa_auth_sta_radius_psk_resp(struct wpa_state_machine *sm, bool success)
5754 {
5755 if (!sm->waiting_radius_psk) {
5756 wpa_printf(MSG_DEBUG,
5757 "Ignore RADIUS PSK response for " MACSTR
5758 " that did not wait one",
5759 MAC2STR(sm->addr));
5760 return;
5761 }
5762
5763 wpa_printf(MSG_DEBUG, "RADIUS PSK response for " MACSTR " (%s)",
5764 MAC2STR(sm->addr), success ? "success" : "fail");
5765 sm->waiting_radius_psk = 0;
5766
5767 if (success) {
5768 /* Try to process the EAPOL-Key msg 2/4 again */
5769 sm->EAPOLKeyReceived = true;
5770 } else {
5771 sm->Disconnect = true;
5772 }
5773
5774 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
5775 }
5776