1 /*
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
4 * Copyright(c) 2015 Intel Deutschland GmbH
5 *
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
8 */
9
10 #include "includes.h"
11
12 #include "common.h"
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "crypto/sha256.h"
19 #include "crypto/sha384.h"
20 #include "crypto/sha512.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/ieee802_11_common.h"
23 #include "common/ocv.h"
24 #include "common/dpp.h"
25 #include "common/wpa_ctrl.h"
26 #include "eap_common/eap_defs.h"
27 #include "eapol_supp/eapol_supp_sm.h"
28 #include "drivers/driver.h"
29 #include "wpa.h"
30 #include "eloop.h"
31 #include "preauth.h"
32 #include "pmksa_cache.h"
33 #include "wpa_i.h"
34 #include "wpa_ie.h"
35 #include "wpa_supplicant_i.h"
36 #include "driver_i.h"
37
38 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
39
40
_wpa_hexdump_link(int level,u8 link_id,const char * title,const void * buf,size_t len,bool key)41 static void _wpa_hexdump_link(int level, u8 link_id, const char *title,
42 const void *buf, size_t len, bool key)
43 {
44 char *link_title = NULL;
45
46 if (link_id >= MAX_NUM_MLD_LINKS)
47 goto out;
48
49 link_title = os_malloc(os_strlen(title) + 20);
50 if (!link_title)
51 goto out;
52
53 os_snprintf(link_title, os_strlen(title) + 20, "MLO link[%u]: %s",
54 link_id, title);
55
56 out:
57 if (key)
58 wpa_hexdump_key(level, link_title ? link_title : title, buf,
59 len);
60 else
61 wpa_hexdump(level, link_title ? link_title : title, buf, len);
62 os_free(link_title);
63 }
64
65
wpa_hexdump_link(int level,u8 link_id,const char * title,const void * buf,size_t len)66 static void wpa_hexdump_link(int level, u8 link_id, const char *title,
67 const void *buf, size_t len)
68 {
69 _wpa_hexdump_link(level, link_id, title, buf, len, false);
70 }
71
72
wpa_hexdump_link_key(int level,u8 link_id,const char * title,const void * buf,size_t len)73 static void wpa_hexdump_link_key(int level, u8 link_id, const char *title,
74 const void *buf, size_t len)
75 {
76 _wpa_hexdump_link(level, link_id, title, buf, len, true);
77 }
78
79
80 /**
81 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
82 * @sm: Pointer to WPA state machine data from wpa_sm_init()
83 * @ptk: PTK for Key Confirmation/Encryption Key
84 * @ver: Version field from Key Info
85 * @dest: Destination address for the frame
86 * @proto: Ethertype (usually ETH_P_EAPOL)
87 * @msg: EAPOL-Key message
88 * @msg_len: Length of message
89 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
90 * Returns: >= 0 on success, < 0 on failure
91 */
wpa_eapol_key_send(struct wpa_sm * sm,struct wpa_ptk * ptk,int ver,const u8 * dest,u16 proto,u8 * msg,size_t msg_len,u8 * key_mic)92 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
93 int ver, const u8 *dest, u16 proto,
94 u8 *msg, size_t msg_len, u8 *key_mic)
95 {
96 int ret = -1;
97 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
98
99 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
100 " ver=%d mic_len=%d key_mgmt=0x%x",
101 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
102 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
103 /*
104 * Association event was not yet received; try to fetch
105 * BSSID from the driver.
106 */
107 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
108 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
109 "WPA: Failed to read BSSID for "
110 "EAPOL-Key destination address");
111 } else {
112 dest = sm->bssid;
113 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
114 "WPA: Use BSSID (" MACSTR
115 ") as the destination for EAPOL-Key",
116 MAC2STR(dest));
117 }
118 }
119
120 if (mic_len) {
121 if (key_mic && (!ptk || !ptk->kck_len))
122 goto out;
123
124 if (key_mic &&
125 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
126 msg, msg_len, key_mic)) {
127 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
128 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
129 ver, sm->key_mgmt);
130 goto out;
131 }
132 if (ptk)
133 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
134 ptk->kck, ptk->kck_len);
135 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
136 key_mic, mic_len);
137 } else {
138 #ifdef CONFIG_FILS
139 /* AEAD cipher - Key MIC field not used */
140 struct ieee802_1x_hdr *s_hdr, *hdr;
141 struct wpa_eapol_key *s_key, *key;
142 u8 *buf, *s_key_data, *key_data;
143 size_t buf_len = msg_len + AES_BLOCK_SIZE;
144 size_t key_data_len;
145 u16 eapol_len;
146 const u8 *aad[1];
147 size_t aad_len[1];
148
149 if (!ptk || !ptk->kek_len)
150 goto out;
151
152 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
153 sizeof(struct wpa_eapol_key) - 2;
154
155 buf = os_malloc(buf_len);
156 if (!buf)
157 goto out;
158
159 os_memcpy(buf, msg, msg_len);
160 hdr = (struct ieee802_1x_hdr *) buf;
161 key = (struct wpa_eapol_key *) (hdr + 1);
162 key_data = ((u8 *) (key + 1)) + 2;
163
164 /* Update EAPOL header to include AES-SIV overhead */
165 eapol_len = be_to_host16(hdr->length);
166 eapol_len += AES_BLOCK_SIZE;
167 hdr->length = host_to_be16(eapol_len);
168
169 /* Update Key Data Length field to include AES-SIV overhead */
170 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
171
172 s_hdr = (struct ieee802_1x_hdr *) msg;
173 s_key = (struct wpa_eapol_key *) (s_hdr + 1);
174 s_key_data = ((u8 *) (s_key + 1)) + 2;
175
176 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
177 s_key_data, key_data_len);
178
179 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
180 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
181 * to Key Data (exclusive). */
182 aad[0] = buf;
183 aad_len[0] = key_data - buf;
184 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
185 s_key_data, key_data_len,
186 1, aad, aad_len, key_data) < 0) {
187 os_free(buf);
188 goto out;
189 }
190
191 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
192 key_data, AES_BLOCK_SIZE + key_data_len);
193
194 os_free(msg);
195 msg = buf;
196 msg_len = buf_len;
197 #else /* CONFIG_FILS */
198 goto out;
199 #endif /* CONFIG_FILS */
200 }
201
202 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
203 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
204 eapol_sm_notify_tx_eapol_key(sm->eapol);
205 out:
206 os_free(msg);
207 return ret;
208 }
209
210
211 /**
212 * wpa_sm_key_request - Send EAPOL-Key Request
213 * @sm: Pointer to WPA state machine data from wpa_sm_init()
214 * @error: Indicate whether this is an Michael MIC error report
215 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
216 *
217 * Send an EAPOL-Key Request to the current authenticator. This function is
218 * used to request rekeying and it is usually called when a local Michael MIC
219 * failure is detected.
220 */
wpa_sm_key_request(struct wpa_sm * sm,int error,int pairwise)221 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
222 {
223 size_t mic_len, hdrlen, rlen;
224 struct wpa_eapol_key *reply;
225 int key_info, ver;
226 u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic;
227
228 if (pairwise && sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
229 wpa_sm_get_state(sm) == WPA_COMPLETED && !error) {
230 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
231 "WPA: PTK0 rekey not allowed, reconnecting");
232 wpa_sm_reconnect(sm);
233 return;
234 }
235
236 if (wpa_use_akm_defined(sm->key_mgmt))
237 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
238 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
239 wpa_key_mgmt_sha256(sm->key_mgmt))
240 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
241 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
242 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
243 else
244 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
245
246 if (wpa_sm_get_bssid(sm, bssid) < 0) {
247 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
248 "Failed to read BSSID for EAPOL-Key request");
249 return;
250 }
251
252 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
253 hdrlen = sizeof(*reply) + mic_len + 2;
254 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
255 hdrlen, &rlen, (void *) &reply);
256 if (rbuf == NULL)
257 return;
258
259 reply->type = (sm->proto == WPA_PROTO_RSN ||
260 sm->proto == WPA_PROTO_OSEN) ?
261 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
262 key_info = WPA_KEY_INFO_REQUEST | ver;
263 if (sm->ptk_set)
264 key_info |= WPA_KEY_INFO_SECURE;
265 if (sm->ptk_set && mic_len)
266 key_info |= WPA_KEY_INFO_MIC;
267 if (error)
268 key_info |= WPA_KEY_INFO_ERROR;
269 if (pairwise)
270 key_info |= WPA_KEY_INFO_KEY_TYPE;
271 WPA_PUT_BE16(reply->key_info, key_info);
272 WPA_PUT_BE16(reply->key_length, 0);
273 os_memcpy(reply->replay_counter, sm->request_counter,
274 WPA_REPLAY_COUNTER_LEN);
275 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
276
277 mic = (u8 *) (reply + 1);
278 WPA_PUT_BE16(mic + mic_len, 0);
279 if (!(key_info & WPA_KEY_INFO_MIC))
280 key_mic = NULL;
281 else
282 key_mic = mic;
283
284 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
285 "WPA: Sending EAPOL-Key Request (error=%d "
286 "pairwise=%d ptk_set=%d len=%lu)",
287 error, pairwise, sm->ptk_set, (unsigned long) rlen);
288 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen,
289 key_mic);
290 }
291
292
wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm * sm)293 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
294 {
295 #ifdef CONFIG_IEEE80211R
296 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
297 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
298 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
299 "RSN: Cannot set low order 256 bits of MSK for key management offload");
300 } else {
301 #endif /* CONFIG_IEEE80211R */
302 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
303 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
304 "RSN: Cannot set PMK for key management offload");
305 #ifdef CONFIG_IEEE80211R
306 }
307 #endif /* CONFIG_IEEE80211R */
308 }
309
310
wpa_supplicant_get_pmk(struct wpa_sm * sm,const unsigned char * src_addr,const u8 * pmkid)311 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
312 const unsigned char *src_addr,
313 const u8 *pmkid)
314 {
315 int abort_cached = 0;
316
317 if (pmkid && !sm->cur_pmksa) {
318 /* When using drivers that generate RSN IE, wpa_supplicant may
319 * not have enough time to get the association information
320 * event before receiving this 1/4 message, so try to find a
321 * matching PMKSA cache entry here. */
322 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr,
323 sm->own_addr, pmkid,
324 NULL, 0);
325 if (sm->cur_pmksa) {
326 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
327 "RSN: found matching PMKID from PMKSA cache");
328 } else {
329 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
330 "RSN: no matching PMKID found");
331 abort_cached = 1;
332 }
333 }
334
335 if (pmkid && sm->cur_pmksa &&
336 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
337 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
338 wpa_sm_set_pmk_from_pmksa(sm);
339 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
340 sm->pmk, sm->pmk_len);
341 eapol_sm_notify_cached(sm->eapol);
342 #ifdef CONFIG_IEEE80211R
343 sm->xxkey_len = 0;
344 #ifdef CONFIG_SAE
345 if ((sm->key_mgmt == WPA_KEY_MGMT_FT_SAE ||
346 sm->key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) &&
347 sm->pmk_len == PMK_LEN) {
348 /* Need to allow FT key derivation to proceed with
349 * PMK from SAE being used as the XXKey in cases where
350 * the PMKID in msg 1/4 matches the PMKSA entry that was
351 * just added based on SAE authentication for the
352 * initial mobility domain association. */
353 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
354 sm->xxkey_len = sm->pmk_len;
355 }
356 #endif /* CONFIG_SAE */
357 #endif /* CONFIG_IEEE80211R */
358 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
359 int res, pmk_len;
360 #ifdef CONFIG_IEEE80211R
361 u8 buf[2 * PMK_LEN];
362 #endif /* CONFIG_IEEE80211R */
363
364 if (wpa_key_mgmt_sha384(sm->key_mgmt))
365 pmk_len = PMK_LEN_SUITE_B_192;
366 else
367 pmk_len = PMK_LEN;
368 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
369 if (res) {
370 if (pmk_len == PMK_LEN) {
371 /*
372 * EAP-LEAP is an exception from other EAP
373 * methods: it uses only 16-byte PMK.
374 */
375 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
376 pmk_len = 16;
377 }
378 }
379 #ifdef CONFIG_IEEE80211R
380 if (res == 0 &&
381 eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) {
382 if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
383 os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN);
384 sm->xxkey_len = SHA384_MAC_LEN;
385 } else {
386 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
387 sm->xxkey_len = PMK_LEN;
388 }
389 forced_memzero(buf, sizeof(buf));
390 if (sm->proto == WPA_PROTO_RSN &&
391 wpa_key_mgmt_ft(sm->key_mgmt)) {
392 struct rsn_pmksa_cache_entry *sa = NULL;
393 const u8 *fils_cache_id = NULL;
394
395 #ifdef CONFIG_FILS
396 if (sm->fils_cache_id_set)
397 fils_cache_id = sm->fils_cache_id;
398 #endif /* CONFIG_FILS */
399 wpa_hexdump_key(MSG_DEBUG,
400 "FT: Cache XXKey/MPMK",
401 sm->xxkey, sm->xxkey_len);
402 sa = pmksa_cache_add(sm->pmksa,
403 sm->xxkey, sm->xxkey_len,
404 NULL, NULL, 0,
405 src_addr, sm->own_addr,
406 sm->network_ctx,
407 sm->key_mgmt,
408 fils_cache_id);
409 if (!sm->cur_pmksa)
410 sm->cur_pmksa = sa;
411 }
412 }
413 #endif /* CONFIG_IEEE80211R */
414 if (res == 0) {
415 struct rsn_pmksa_cache_entry *sa = NULL;
416 const u8 *fils_cache_id = NULL;
417
418 #ifdef CONFIG_FILS
419 if (sm->fils_cache_id_set)
420 fils_cache_id = sm->fils_cache_id;
421 #endif /* CONFIG_FILS */
422
423 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
424 "machines", sm->pmk, pmk_len);
425 sm->pmk_len = pmk_len;
426 wpa_supplicant_key_mgmt_set_pmk(sm);
427 if (sm->proto == WPA_PROTO_RSN &&
428 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
429 !wpa_key_mgmt_ft(sm->key_mgmt)) {
430 sa = pmksa_cache_add(sm->pmksa,
431 sm->pmk, pmk_len, NULL,
432 NULL, 0,
433 src_addr, sm->own_addr,
434 sm->network_ctx,
435 sm->key_mgmt,
436 fils_cache_id);
437 }
438 if (!sm->cur_pmksa && pmkid &&
439 pmksa_cache_get(sm->pmksa, src_addr, sm->own_addr,
440 pmkid, NULL, 0)) {
441 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
442 "RSN: the new PMK matches with the "
443 "PMKID");
444 abort_cached = 0;
445 } else if (sa && !sm->cur_pmksa && pmkid) {
446 /*
447 * It looks like the authentication server
448 * derived mismatching MSK. This should not
449 * really happen, but bugs happen.. There is not
450 * much we can do here without knowing what
451 * exactly caused the server to misbehave.
452 */
453 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
454 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
455 return -1;
456 }
457
458 if (!sm->cur_pmksa)
459 sm->cur_pmksa = sa;
460 #ifdef CONFIG_IEEE80211R
461 } else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) {
462 wpa_printf(MSG_DEBUG,
463 "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol");
464 #endif /* CONFIG_IEEE80211R */
465 } else {
466 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
467 "WPA: Failed to get master session key from "
468 "EAPOL state machines - key handshake "
469 "aborted");
470 if (sm->cur_pmksa) {
471 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
472 "RSN: Cancelled PMKSA caching "
473 "attempt");
474 sm->cur_pmksa = NULL;
475 abort_cached = 1;
476 } else if (!abort_cached) {
477 return -1;
478 }
479 }
480 }
481
482 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
483 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
484 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
485 {
486 /* Send EAPOL-Start to trigger full EAP authentication. */
487 u8 *buf;
488 size_t buflen;
489
490 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
491 "RSN: no PMKSA entry found - trigger "
492 "full EAP authentication");
493 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
494 NULL, 0, &buflen, NULL);
495 if (buf) {
496 /* Set and reset eapFail to allow EAP state machine to
497 * proceed with new authentication. */
498 eapol_sm_notify_eap_fail(sm->eapol, true);
499 eapol_sm_notify_eap_fail(sm->eapol, false);
500 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
501 buf, buflen);
502 os_free(buf);
503 return -2;
504 }
505
506 return -1;
507 }
508
509 return 0;
510 }
511
512
513 /**
514 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
515 * @sm: Pointer to WPA state machine data from wpa_sm_init()
516 * @dst: Destination address for the frame
517 * @key: Pointer to the EAPOL-Key frame header
518 * @ver: Version bits from EAPOL-Key Key Info
519 * @nonce: Nonce value for the EAPOL-Key frame
520 * @wpa_ie: WPA/RSN IE
521 * @wpa_ie_len: Length of the WPA/RSN IE
522 * @ptk: PTK to use for keyed hash and encryption
523 * Returns: >= 0 on success, < 0 on failure
524 */
wpa_supplicant_send_2_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,int ver,const u8 * nonce,const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ptk * ptk)525 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
526 const struct wpa_eapol_key *key,
527 int ver, const u8 *nonce,
528 const u8 *wpa_ie, size_t wpa_ie_len,
529 struct wpa_ptk *ptk)
530 {
531 size_t mic_len, hdrlen, rlen;
532 struct wpa_eapol_key *reply;
533 u8 *rbuf, *key_mic;
534 u8 *rsn_ie_buf = NULL;
535 u16 key_info;
536
537 if (wpa_ie == NULL) {
538 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
539 "cannot generate msg 2/4");
540 return -1;
541 }
542
543 #ifdef CONFIG_IEEE80211R
544 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
545 int res;
546
547 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE before FT processing",
548 wpa_ie, wpa_ie_len);
549 /*
550 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
551 * FTIE from (Re)Association Response.
552 */
553 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
554 sm->assoc_resp_ies_len);
555 if (rsn_ie_buf == NULL)
556 return -1;
557 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
558 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
559 sm->pmk_r1_name);
560 if (res < 0) {
561 os_free(rsn_ie_buf);
562 return -1;
563 }
564 wpa_hexdump(MSG_DEBUG,
565 "WPA: WPA IE after PMKID[PMKR1Name] addition into RSNE",
566 rsn_ie_buf, wpa_ie_len);
567
568 if (sm->assoc_resp_ies) {
569 wpa_hexdump(MSG_DEBUG, "WPA: Add assoc_resp_ies",
570 sm->assoc_resp_ies,
571 sm->assoc_resp_ies_len);
572 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
573 sm->assoc_resp_ies_len);
574 wpa_ie_len += sm->assoc_resp_ies_len;
575 }
576
577 wpa_ie = rsn_ie_buf;
578 }
579 #endif /* CONFIG_IEEE80211R */
580
581 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
582
583 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
584 hdrlen = sizeof(*reply) + mic_len + 2;
585 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
586 NULL, hdrlen + wpa_ie_len,
587 &rlen, (void *) &reply);
588 if (rbuf == NULL) {
589 os_free(rsn_ie_buf);
590 return -1;
591 }
592
593 reply->type = (sm->proto == WPA_PROTO_RSN ||
594 sm->proto == WPA_PROTO_OSEN) ?
595 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
596 key_info = ver | WPA_KEY_INFO_KEY_TYPE;
597 if (sm->ptk_set && sm->proto != WPA_PROTO_WPA)
598 key_info |= WPA_KEY_INFO_SECURE;
599 if (mic_len)
600 key_info |= WPA_KEY_INFO_MIC;
601 else
602 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
603 WPA_PUT_BE16(reply->key_info, key_info);
604 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
605 WPA_PUT_BE16(reply->key_length, 0);
606 else
607 os_memcpy(reply->key_length, key->key_length, 2);
608 os_memcpy(reply->replay_counter, key->replay_counter,
609 WPA_REPLAY_COUNTER_LEN);
610 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
611 WPA_REPLAY_COUNTER_LEN);
612
613 key_mic = (u8 *) (reply + 1);
614 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */
615 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
616 os_free(rsn_ie_buf);
617
618 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
619
620 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Sending EAPOL-Key 2/4");
621 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
622 key_mic);
623 }
624
625
wpa_derive_ptk(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,struct wpa_ptk * ptk)626 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
627 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
628 {
629 int ret;
630 const u8 *z = NULL;
631 size_t z_len = 0, kdk_len;
632 int akmp;
633
634 #ifdef CONFIG_IEEE80211R
635 if (wpa_key_mgmt_ft(sm->key_mgmt))
636 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
637 #endif /* CONFIG_IEEE80211R */
638
639 #ifdef CONFIG_DPP2
640 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
641 z = wpabuf_head(sm->dpp_z);
642 z_len = wpabuf_len(sm->dpp_z);
643 }
644 #endif /* CONFIG_DPP2 */
645
646 akmp = sm->key_mgmt;
647 #ifdef CONFIG_OWE
648 if (sm->owe_ptk_workaround && akmp == WPA_KEY_MGMT_OWE &&
649 sm->pmk_len > 32) {
650 wpa_printf(MSG_DEBUG,
651 "OWE: Force SHA256 for PTK derivation");
652 akmp |= WPA_KEY_MGMT_PSK_SHA256;
653 }
654 #endif /* CONFIG_OWE */
655
656 if (sm->force_kdk_derivation ||
657 (sm->secure_ltf &&
658 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
659 kdk_len = WPA_KDK_MAX_LEN;
660 else
661 kdk_len = 0;
662
663 ret = wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
664 sm->own_addr, wpa_sm_get_auth_addr(sm), sm->snonce,
665 key->key_nonce, ptk, akmp,
666 sm->pairwise_cipher, z, z_len,
667 kdk_len);
668 if (ret) {
669 wpa_printf(MSG_ERROR, "WPA: PTK derivation failed");
670 return ret;
671 }
672
673 #ifdef CONFIG_PASN
674 if (sm->secure_ltf &&
675 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))
676 ret = wpa_ltf_keyseed(ptk, akmp, sm->pairwise_cipher);
677 #endif /* CONFIG_PASN */
678
679 return ret;
680 }
681
682
wpa_handle_ext_key_id(struct wpa_sm * sm,struct wpa_eapol_ie_parse * kde)683 static int wpa_handle_ext_key_id(struct wpa_sm *sm,
684 struct wpa_eapol_ie_parse *kde)
685 {
686 if (sm->ext_key_id) {
687 u16 key_id;
688
689 if (!kde->key_id) {
690 wpa_msg(sm->ctx->msg_ctx,
691 sm->use_ext_key_id ? MSG_INFO : MSG_DEBUG,
692 "RSN: No Key ID in Extended Key ID handshake");
693 sm->keyidx_active = 0;
694 return sm->use_ext_key_id ? -1 : 0;
695 }
696
697 key_id = kde->key_id[0] & 0x03;
698 if (key_id > 1) {
699 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
700 "RSN: Invalid Extended Key ID: %d", key_id);
701 return -1;
702 }
703 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
704 "RSN: Using Extended Key ID %d", key_id);
705 sm->keyidx_active = key_id;
706 sm->use_ext_key_id = 1;
707 } else {
708 if (kde->key_id && (kde->key_id[0] & 0x03)) {
709 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
710 "RSN: Non-zero Extended Key ID Key ID in PTK0 handshake");
711 return -1;
712 }
713
714 if (kde->key_id) {
715 /* This is not supposed to be included here, but ignore
716 * the case of matching Key ID 0 just in case. */
717 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
718 "RSN: Extended Key ID Key ID 0 in PTK0 handshake");
719 }
720 sm->keyidx_active = 0;
721 sm->use_ext_key_id = 0;
722 }
723
724 return 0;
725 }
726
727
rsn_add_kde(u8 * pos,u32 kde,const u8 * data,size_t data_len)728 static u8 * rsn_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len)
729 {
730 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
731 *pos++ = RSN_SELECTOR_LEN + data_len;
732 RSN_SELECTOR_PUT(pos, kde);
733 pos += RSN_SELECTOR_LEN;
734 os_memcpy(pos, data, data_len);
735 pos += data_len;
736
737 return pos;
738 }
739
740
wpa_mlo_link_kde_len(struct wpa_sm * sm)741 static size_t wpa_mlo_link_kde_len(struct wpa_sm *sm)
742 {
743 int i;
744 unsigned int num_links = 0;
745
746 for (i = 0; i < MAX_NUM_MLO_LINKS; i++) {
747 if (sm->mlo.assoc_link_id != i && (sm->mlo.req_links & BIT(i)))
748 num_links++;
749 }
750
751 return num_links * (RSN_SELECTOR_LEN + 1 + ETH_ALEN + 2);
752 }
753
754
wpa_mlo_link_kde(struct wpa_sm * sm,u8 * pos)755 static u8 * wpa_mlo_link_kde(struct wpa_sm *sm, u8 *pos)
756 {
757 int i;
758 u8 hdr[1 + ETH_ALEN];
759
760 for (i = 0; i < MAX_NUM_MLO_LINKS; i++) {
761 if (sm->mlo.assoc_link_id == i || !(sm->mlo.req_links & BIT(i)))
762 continue;
763
764 wpa_printf(MSG_DEBUG,
765 "MLO: Add MLO Link %d KDE in EAPOL-Key 2/4", i);
766 hdr[0] = i & 0xF; /* LinkID; no RSNE or RSNXE */
767 os_memcpy(&hdr[1], sm->mlo.links[i].addr, ETH_ALEN);
768 pos = rsn_add_kde(pos, RSN_KEY_DATA_MLO_LINK, hdr, sizeof(hdr));
769 }
770
771 return pos;
772 }
773
774
is_valid_ap_mld_mac_kde(struct wpa_sm * sm,const u8 * mac_kde)775 static bool is_valid_ap_mld_mac_kde(struct wpa_sm *sm, const u8 *mac_kde)
776 {
777 return mac_kde &&
778 os_memcmp(mac_kde, sm->mlo.ap_mld_addr, ETH_ALEN) == 0;
779 }
780
781
wpas_swap_tkip_mic_keys(struct wpa_ptk * ptk)782 static void wpas_swap_tkip_mic_keys(struct wpa_ptk *ptk)
783 {
784 u8 buf[8];
785
786 /* Supplicant: swap tx/rx Mic keys */
787 os_memcpy(buf, &ptk->tk[16], 8);
788 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
789 os_memcpy(&ptk->tk[24], buf, 8);
790 forced_memzero(buf, sizeof(buf));
791 }
792
793
wpa_supplicant_process_1_of_4_wpa(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len,enum frame_encryption encrypted)794 static void wpa_supplicant_process_1_of_4_wpa(struct wpa_sm *sm,
795 const unsigned char *src_addr,
796 const struct wpa_eapol_key *key,
797 u16 ver, const u8 *key_data,
798 size_t key_data_len,
799 enum frame_encryption encrypted)
800 {
801 struct wpa_eapol_ie_parse ie;
802 struct wpa_ptk *ptk;
803 int res;
804
805 if (wpa_sm_get_network_ctx(sm) == NULL) {
806 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
807 "WPA: No SSID info found (msg 1 of 4)");
808 return;
809 }
810
811 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
812 "WPA: RX message 1 of 4-Way Handshake from " MACSTR
813 " (ver=%d)", MAC2STR(src_addr), ver);
814
815 os_memset(&ie, 0, sizeof(ie));
816
817 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
818 if (res == -2) {
819 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
820 "WPA: Do not reply to msg 1/4 - requesting full EAP authentication");
821 return;
822 }
823 if (res)
824 goto failed;
825
826 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
827
828 if (sm->renew_snonce) {
829 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
830 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
831 "WPA: Failed to get random data for SNonce");
832 goto failed;
833 }
834 sm->renew_snonce = 0;
835 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
836 sm->snonce, WPA_NONCE_LEN);
837 }
838
839 /* Calculate PTK which will be stored as a temporary PTK until it has
840 * been verified when processing message 3/4. */
841 ptk = &sm->tptk;
842 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
843 goto failed;
844 if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
845 wpas_swap_tkip_mic_keys(ptk);
846 sm->tptk_set = 1;
847
848 if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
849 sm->snonce, sm->assoc_wpa_ie,
850 sm->assoc_wpa_ie_len, ptk) < 0)
851 goto failed;
852
853 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
854 return;
855
856 failed:
857 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
858 }
859
860
wpa_supplicant_process_1_of_4(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len,enum frame_encryption encrypted)861 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
862 const unsigned char *src_addr,
863 const struct wpa_eapol_key *key,
864 u16 ver, const u8 *key_data,
865 size_t key_data_len,
866 enum frame_encryption encrypted)
867 {
868 struct wpa_eapol_ie_parse ie;
869 struct wpa_ptk *ptk;
870 int res;
871 u8 *kde, *kde_buf = NULL;
872 size_t kde_len;
873 size_t mlo_kde_len = 0;
874
875 if (encrypted == FRAME_NOT_ENCRYPTED && sm->tk_set &&
876 wpa_sm_pmf_enabled(sm)) {
877 wpa_printf(MSG_DEBUG,
878 "RSN: Discard unencrypted EAPOL-Key msg 1/4 when TK is set and PMF is enabled");
879 return;
880 }
881
882 if (wpa_sm_get_network_ctx(sm) == NULL) {
883 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
884 "found (msg 1 of 4)");
885 return;
886 }
887
888 if (sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
889 wpa_sm_get_state(sm) == WPA_COMPLETED) {
890 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
891 "WPA: PTK0 rekey not allowed, reconnecting");
892 wpa_sm_reconnect(sm);
893 return;
894 }
895
896 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: RX message 1 of 4-Way "
897 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
898
899 os_memset(&ie, 0, sizeof(ie));
900
901 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
902 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", key_data, key_data_len);
903 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) {
904 wpa_printf(MSG_DEBUG,
905 "RSN: Discard EAPOL-Key msg 1/4 with invalid IEs/KDEs");
906 return;
907 }
908 if (ie.pmkid) {
909 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from Authenticator",
910 ie.pmkid, PMKID_LEN);
911 }
912
913 if (sm->mlo.valid_links && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) {
914 wpa_printf(MSG_INFO,
915 "RSN: Discard EAPOL-Key msg 1/4 with invalid AP MLD MAC address KDE");
916 return;
917 }
918
919 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
920 if (res == -2) {
921 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
922 "msg 1/4 - requesting full EAP authentication");
923 return;
924 }
925 if (res)
926 goto failed;
927
928 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
929
930 if (sm->renew_snonce) {
931 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
932 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
933 "WPA: Failed to get random data for SNonce");
934 goto failed;
935 }
936 sm->renew_snonce = 0;
937 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
938 sm->snonce, WPA_NONCE_LEN);
939 }
940
941 /* Calculate PTK which will be stored as a temporary PTK until it has
942 * been verified when processing message 3/4. */
943 ptk = &sm->tptk;
944 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
945 goto failed;
946 if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
947 wpas_swap_tkip_mic_keys(ptk);
948 sm->tptk_set = 1;
949
950 /* Add MLO Link KDE and MAC KDE in M2 for ML connection */
951 if (sm->mlo.valid_links)
952 mlo_kde_len = wpa_mlo_link_kde_len(sm) +
953 RSN_SELECTOR_LEN + ETH_ALEN + 2;
954
955 kde = sm->assoc_wpa_ie;
956 kde_len = sm->assoc_wpa_ie_len;
957 kde_buf = os_malloc(kde_len +
958 2 + RSN_SELECTOR_LEN + 3 +
959 sm->assoc_rsnxe_len +
960 2 + RSN_SELECTOR_LEN + 1 +
961 2 + RSN_SELECTOR_LEN + 2 + mlo_kde_len);
962
963 if (!kde_buf)
964 goto failed;
965 os_memcpy(kde_buf, kde, kde_len);
966 kde = kde_buf;
967
968 #ifdef CONFIG_OCV
969 if (wpa_sm_ocv_enabled(sm)) {
970 struct wpa_channel_info ci;
971 u8 *pos;
972
973 pos = kde + kde_len;
974 if (wpa_sm_channel_info(sm, &ci) != 0) {
975 wpa_printf(MSG_WARNING,
976 "Failed to get channel info for OCI element in EAPOL-Key 2/4");
977 goto failed;
978 }
979 #ifdef CONFIG_TESTING_OPTIONS
980 if (sm->oci_freq_override_eapol) {
981 wpa_printf(MSG_INFO,
982 "TEST: Override OCI KDE frequency %d -> %d MHz",
983 ci.frequency, sm->oci_freq_override_eapol);
984 ci.frequency = sm->oci_freq_override_eapol;
985 }
986 #endif /* CONFIG_TESTING_OPTIONS */
987
988 if (ocv_insert_oci_kde(&ci, &pos) < 0)
989 goto failed;
990 kde_len = pos - kde;
991 }
992 #endif /* CONFIG_OCV */
993
994 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) {
995 os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len);
996 kde_len += sm->assoc_rsnxe_len;
997 }
998
999 #ifdef CONFIG_P2P
1000 if (sm->p2p) {
1001 u8 *pos;
1002
1003 wpa_printf(MSG_DEBUG,
1004 "P2P: Add IP Address Request KDE into EAPOL-Key 2/4");
1005 pos = kde + kde_len;
1006 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
1007 *pos++ = RSN_SELECTOR_LEN + 1;
1008 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
1009 pos += RSN_SELECTOR_LEN;
1010 *pos++ = 0x01;
1011 kde_len = pos - kde;
1012 }
1013 #endif /* CONFIG_P2P */
1014
1015 #ifdef CONFIG_DPP2
1016 if (DPP_VERSION > 1 && sm->key_mgmt == WPA_KEY_MGMT_DPP) {
1017 u8 *pos;
1018
1019 wpa_printf(MSG_DEBUG, "DPP: Add DPP KDE into EAPOL-Key 2/4");
1020 pos = kde + kde_len;
1021 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
1022 *pos++ = RSN_SELECTOR_LEN + 2;
1023 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_DPP);
1024 pos += RSN_SELECTOR_LEN;
1025 *pos++ = DPP_VERSION; /* Protocol Version */
1026 *pos = 0; /* Flags */
1027 if (sm->dpp_pfs == 0)
1028 *pos |= DPP_KDE_PFS_ALLOWED;
1029 else if (sm->dpp_pfs == 1)
1030 *pos |= DPP_KDE_PFS_ALLOWED | DPP_KDE_PFS_REQUIRED;
1031 pos++;
1032 kde_len = pos - kde;
1033 }
1034 #endif /* CONFIG_DPP2 */
1035
1036 if (sm->mlo.valid_links) {
1037 u8 *pos;
1038
1039 /* Add MAC KDE */
1040 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 2/4");
1041 pos = kde + kde_len;
1042 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
1043 ETH_ALEN);
1044
1045 /* Add MLO Link KDE */
1046 wpa_printf(MSG_DEBUG, "Add MLO Link KDE(s) into EAPOL-Key 2/4");
1047 pos = wpa_mlo_link_kde(sm, pos);
1048 kde_len = pos - kde;
1049 }
1050
1051 if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
1052 sm->snonce, kde, kde_len, ptk) < 0)
1053 goto failed;
1054
1055 os_free(kde_buf);
1056 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
1057 return;
1058
1059 failed:
1060 os_free(kde_buf);
1061 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1062 }
1063
1064
wpa_sm_start_preauth(void * eloop_ctx,void * timeout_ctx)1065 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
1066 {
1067 struct wpa_sm *sm = eloop_ctx;
1068 rsn_preauth_candidate_process(sm);
1069 }
1070
1071
wpa_supplicant_key_neg_complete(struct wpa_sm * sm,const u8 * addr,int secure)1072 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
1073 const u8 *addr, int secure)
1074 {
1075 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1076 "WPA: Key negotiation completed with "
1077 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
1078 wpa_cipher_txt(sm->pairwise_cipher),
1079 wpa_cipher_txt(sm->group_cipher));
1080 wpa_sm_cancel_auth_timeout(sm);
1081 wpa_sm_set_state(sm, WPA_COMPLETED);
1082
1083 if (secure) {
1084 wpa_sm_mlme_setprotection(
1085 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
1086 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1087 eapol_sm_notify_portValid(sm->eapol, true);
1088 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
1089 sm->key_mgmt == WPA_KEY_MGMT_DPP ||
1090 sm->key_mgmt == WPA_KEY_MGMT_OWE)
1091 eapol_sm_notify_eap_success(sm->eapol, true);
1092 /*
1093 * Start preauthentication after a short wait to avoid a
1094 * possible race condition between the data receive and key
1095 * configuration after the 4-Way Handshake. This increases the
1096 * likelihood of the first preauth EAPOL-Start frame getting to
1097 * the target AP.
1098 */
1099 if (!dl_list_empty(&sm->pmksa_candidates))
1100 eloop_register_timeout(1, 0, wpa_sm_start_preauth,
1101 sm, NULL);
1102 }
1103
1104 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
1105 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1106 "RSN: Authenticator accepted "
1107 "opportunistic PMKSA entry - marking it valid");
1108 sm->cur_pmksa->opportunistic = 0;
1109 }
1110
1111 #ifdef CONFIG_IEEE80211R
1112 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
1113 /* Prepare for the next transition */
1114 wpa_ft_prepare_auth_request(sm, NULL);
1115 }
1116 #endif /* CONFIG_IEEE80211R */
1117 }
1118
1119
wpa_sm_rekey_ptk(void * eloop_ctx,void * timeout_ctx)1120 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
1121 {
1122 struct wpa_sm *sm = eloop_ctx;
1123 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
1124 wpa_sm_key_request(sm, 0, 1);
1125 }
1126
1127
wpa_supplicant_install_ptk(struct wpa_sm * sm,const struct wpa_eapol_key * key,enum key_flag key_flag)1128 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
1129 const struct wpa_eapol_key *key,
1130 enum key_flag key_flag)
1131 {
1132 int keylen, rsclen;
1133 enum wpa_alg alg;
1134 const u8 *key_rsc;
1135
1136 if (sm->ptk.installed) {
1137 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1138 "WPA: Do not re-install same PTK to the driver");
1139 return 0;
1140 }
1141
1142 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1143 "WPA: Installing PTK to the driver");
1144
1145 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1146 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
1147 "Suite: NONE - do not use pairwise keys");
1148 return 0;
1149 }
1150
1151 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
1152 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1153 "WPA: Unsupported pairwise cipher %d",
1154 sm->pairwise_cipher);
1155 return -1;
1156 }
1157
1158 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
1159 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
1160 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
1161 wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",
1162 keylen, (long unsigned int) sm->ptk.tk_len);
1163 return -1;
1164 }
1165 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
1166
1167 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
1168 key_rsc = null_rsc;
1169 } else {
1170 key_rsc = key->key_rsc;
1171 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
1172 }
1173
1174 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm),
1175 sm->keyidx_active, 1, key_rsc, rsclen, sm->ptk.tk,
1176 keylen, KEY_FLAG_PAIRWISE | key_flag) < 0) {
1177 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1178 "WPA: Failed to set PTK to the driver (alg=%d keylen=%d auth_addr="
1179 MACSTR " idx=%d key_flag=0x%x)",
1180 alg, keylen, MAC2STR(wpa_sm_get_auth_addr(sm)),
1181 sm->keyidx_active, key_flag);
1182 return -1;
1183 }
1184
1185 #ifdef CONFIG_PASN
1186 if (sm->secure_ltf &&
1187 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
1188 wpa_sm_set_ltf_keyseed(sm, sm->own_addr, sm->bssid,
1189 sm->ptk.ltf_keyseed_len,
1190 sm->ptk.ltf_keyseed) < 0) {
1191 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1192 "WPA: Failed to set LTF keyseed to the driver (keylen=%zu bssid="
1193 MACSTR ")", sm->ptk.ltf_keyseed_len,
1194 MAC2STR(sm->bssid));
1195 return -1;
1196 }
1197 #endif /* CONFIG_PASN */
1198
1199 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
1200 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
1201
1202 /* TK is not needed anymore in supplicant */
1203 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
1204 sm->ptk.tk_len = 0;
1205 sm->ptk.installed = 1;
1206 sm->tk_set = true;
1207
1208 if (sm->wpa_ptk_rekey) {
1209 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
1210 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
1211 sm, NULL);
1212 }
1213 return 0;
1214 }
1215
1216
wpa_supplicant_activate_ptk(struct wpa_sm * sm)1217 static int wpa_supplicant_activate_ptk(struct wpa_sm *sm)
1218 {
1219 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1220 "WPA: Activate PTK (idx=%d auth_addr=" MACSTR ")",
1221 sm->keyidx_active, MAC2STR(wpa_sm_get_auth_addr(sm)));
1222
1223 if (wpa_sm_set_key(sm, -1, 0, wpa_sm_get_auth_addr(sm),
1224 sm->keyidx_active, 0, NULL, 0, NULL, 0,
1225 KEY_FLAG_PAIRWISE_RX_TX_MODIFY) < 0) {
1226 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1227 "WPA: Failed to activate PTK for TX (idx=%d auth_addr="
1228 MACSTR ")", sm->keyidx_active,
1229 MAC2STR(wpa_sm_get_auth_addr(sm)));
1230 return -1;
1231 }
1232 return 0;
1233 }
1234
1235
wpa_supplicant_check_group_cipher(struct wpa_sm * sm,int group_cipher,int keylen,int maxkeylen,int * key_rsc_len,enum wpa_alg * alg)1236 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
1237 int group_cipher,
1238 int keylen, int maxkeylen,
1239 int *key_rsc_len,
1240 enum wpa_alg *alg)
1241 {
1242 int klen;
1243
1244 *alg = wpa_cipher_to_alg(group_cipher);
1245 if (*alg == WPA_ALG_NONE) {
1246 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1247 "WPA: Unsupported Group Cipher %d",
1248 group_cipher);
1249 return -1;
1250 }
1251 *key_rsc_len = wpa_cipher_rsc_len(group_cipher);
1252
1253 klen = wpa_cipher_key_len(group_cipher);
1254 if (keylen != klen || maxkeylen < klen) {
1255 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1256 "WPA: Unsupported %s Group Cipher key length %d (%d)",
1257 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
1258 return -1;
1259 }
1260 return 0;
1261 }
1262
1263
1264 struct wpa_gtk_data {
1265 enum wpa_alg alg;
1266 int tx, key_rsc_len, keyidx;
1267 u8 gtk[32];
1268 int gtk_len;
1269 };
1270
1271
wpa_supplicant_install_gtk(struct wpa_sm * sm,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1272 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
1273 const struct wpa_gtk_data *gd,
1274 const u8 *key_rsc, int wnm_sleep)
1275 {
1276 const u8 *_gtk = gd->gtk;
1277 u8 gtk_buf[32];
1278
1279 /* Detect possible key reinstallation */
1280 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
1281 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
1282 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
1283 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
1284 sm->gtk_wnm_sleep.gtk_len) == 0)) {
1285 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1286 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
1287 gd->keyidx, gd->tx, gd->gtk_len);
1288 return 0;
1289 }
1290
1291 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
1292 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1293 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
1294 gd->keyidx, gd->tx, gd->gtk_len);
1295 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
1296 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1297 /* Swap Tx/Rx keys for Michael MIC */
1298 os_memcpy(gtk_buf, gd->gtk, 16);
1299 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1300 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1301 _gtk = gtk_buf;
1302 }
1303 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1304 if (wpa_sm_set_key(sm, -1, gd->alg, NULL,
1305 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
1306 _gtk, gd->gtk_len,
1307 KEY_FLAG_GROUP_RX_TX_DEFAULT) < 0) {
1308 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1309 "WPA: Failed to set GTK to the driver "
1310 "(Group only)");
1311 forced_memzero(gtk_buf, sizeof(gtk_buf));
1312 return -1;
1313 }
1314 } else if (wpa_sm_set_key(sm, -1, gd->alg, broadcast_ether_addr,
1315 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
1316 _gtk, gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1317 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1318 "WPA: Failed to set GTK to "
1319 "the driver (alg=%d keylen=%d keyidx=%d)",
1320 gd->alg, gd->gtk_len, gd->keyidx);
1321 forced_memzero(gtk_buf, sizeof(gtk_buf));
1322 return -1;
1323 }
1324 forced_memzero(gtk_buf, sizeof(gtk_buf));
1325
1326 if (wnm_sleep) {
1327 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
1328 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
1329 sm->gtk_wnm_sleep.gtk_len);
1330 } else {
1331 sm->gtk.gtk_len = gd->gtk_len;
1332 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
1333 }
1334
1335 return 0;
1336 }
1337
1338
wpa_supplicant_install_mlo_gtk(struct wpa_sm * sm,u8 link_id,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1339 static int wpa_supplicant_install_mlo_gtk(struct wpa_sm *sm, u8 link_id,
1340 const struct wpa_gtk_data *gd,
1341 const u8 *key_rsc, int wnm_sleep)
1342 {
1343 const u8 *gtk = gd->gtk;
1344
1345 /* Detect possible key reinstallation */
1346 if ((sm->mlo.links[link_id].gtk.gtk_len == (size_t) gd->gtk_len &&
1347 os_memcmp(sm->mlo.links[link_id].gtk.gtk, gd->gtk,
1348 sm->mlo.links[link_id].gtk.gtk_len) == 0) ||
1349 (sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len ==
1350 (size_t) gd->gtk_len &&
1351 os_memcmp(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk,
1352 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len) == 0)) {
1353 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1354 "RSN: Not reinstalling already in-use GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)",
1355 link_id, gd->keyidx, gd->tx, gd->gtk_len);
1356 return 0;
1357 }
1358
1359 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: Group Key", gd->gtk,
1360 gd->gtk_len);
1361 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1362 "RSN: Installing GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)",
1363 link_id, gd->keyidx, gd->tx, gd->gtk_len);
1364 wpa_hexdump_link(MSG_DEBUG, link_id, "RSN: RSC",
1365 key_rsc, gd->key_rsc_len);
1366 if (wpa_sm_set_key(sm, link_id, gd->alg, broadcast_ether_addr,
1367 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, gtk,
1368 gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1369 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1370 "RSN: Failed to set GTK to the driver (link_id=%d alg=%d keylen=%d keyidx=%d)",
1371 link_id, gd->alg, gd->gtk_len, gd->keyidx);
1372 return -1;
1373 }
1374
1375 if (wnm_sleep) {
1376 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len = gd->gtk_len;
1377 os_memcpy(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk,
1378 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len);
1379 } else {
1380 sm->mlo.links[link_id].gtk.gtk_len = gd->gtk_len;
1381 os_memcpy(sm->mlo.links[link_id].gtk.gtk, gd->gtk,
1382 sm->mlo.links[link_id].gtk.gtk_len);
1383 }
1384
1385 return 0;
1386 }
1387
1388
wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm * sm,int tx)1389 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
1390 int tx)
1391 {
1392 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
1393 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
1394 * seemed to set this bit (incorrectly, since Tx is only when
1395 * doing Group Key only APs) and without this workaround, the
1396 * data connection does not work because wpa_supplicant
1397 * configured non-zero keyidx to be used for unicast. */
1398 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1399 "WPA: Tx bit set for GTK, but pairwise "
1400 "keys are used - ignore Tx bit");
1401 return 0;
1402 }
1403 return tx;
1404 }
1405
1406
wpa_supplicant_rsc_relaxation(const struct wpa_sm * sm,const u8 * rsc)1407 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
1408 const u8 *rsc)
1409 {
1410 int rsclen;
1411
1412 if (!sm->wpa_rsc_relaxation)
1413 return 0;
1414
1415 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
1416
1417 /*
1418 * Try to detect RSC (endian) corruption issue where the AP sends
1419 * the RSC bytes in EAPOL-Key message in the wrong order, both if
1420 * it's actually a 6-byte field (as it should be) and if it treats
1421 * it as an 8-byte field.
1422 * An AP model known to have this bug is the Sapido RB-1632.
1423 */
1424 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
1425 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1426 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
1427 rsc[0], rsc[1], rsc[2], rsc[3],
1428 rsc[4], rsc[5], rsc[6], rsc[7]);
1429
1430 return 1;
1431 }
1432
1433 return 0;
1434 }
1435
1436
wpa_supplicant_mlo_gtk(struct wpa_sm * sm,u8 link_id,const u8 * gtk,size_t gtk_len,int key_info)1437 static int wpa_supplicant_mlo_gtk(struct wpa_sm *sm, u8 link_id, const u8 *gtk,
1438 size_t gtk_len, int key_info)
1439 {
1440 struct wpa_gtk_data gd;
1441 const u8 *key_rsc;
1442 int ret;
1443
1444 /*
1445 * MLO GTK KDE format:
1446 * KeyID[bits 0-1], Tx [bit 2], Reserved [bit 3], link id [4-7]
1447 * PN
1448 * GTK
1449 */
1450 os_memset(&gd, 0, sizeof(gd));
1451 wpa_hexdump_link_key(MSG_DEBUG, link_id,
1452 "RSN: received GTK in pairwise handshake",
1453 gtk, gtk_len);
1454
1455 if (gtk_len < RSN_MLO_GTK_KDE_PREFIX_LENGTH ||
1456 gtk_len - RSN_MLO_GTK_KDE_PREFIX_LENGTH > sizeof(gd.gtk))
1457 return -1;
1458
1459 gd.keyidx = gtk[0] & 0x3;
1460 gtk += 1;
1461 gtk_len -= 1;
1462
1463 key_rsc = gtk;
1464
1465 gtk += 6;
1466 gtk_len -= 6;
1467
1468 os_memcpy(gd.gtk, gtk, gtk_len);
1469 gd.gtk_len = gtk_len;
1470
1471 ret = 0;
1472 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, gtk_len,
1473 gtk_len, &gd.key_rsc_len,
1474 &gd.alg) ||
1475 wpa_supplicant_install_mlo_gtk(sm, link_id, &gd, key_rsc, 0)) {
1476 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1477 "RSN: Failed to install GTK for MLO Link ID %u",
1478 link_id);
1479 ret = -1;
1480 goto out;
1481 }
1482
1483 out:
1484 forced_memzero(&gd, sizeof(gd));
1485 return ret;
1486 }
1487
1488
wpa_supplicant_pairwise_mlo_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,struct wpa_eapol_ie_parse * ie,int key_info)1489 static int wpa_supplicant_pairwise_mlo_gtk(struct wpa_sm *sm,
1490 const struct wpa_eapol_key *key,
1491 struct wpa_eapol_ie_parse *ie,
1492 int key_info)
1493 {
1494 u8 i;
1495
1496 for (i = 0; i < MAX_NUM_MLO_LINKS; i++) {
1497 if (!(sm->mlo.valid_links & BIT(i)))
1498 continue;
1499
1500 if (!ie->mlo_gtk[i]) {
1501 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1502 "MLO RSN: GTK not found for link ID %u", i);
1503 return -1;
1504 }
1505
1506 if (wpa_supplicant_mlo_gtk(sm, i, ie->mlo_gtk[i],
1507 ie->mlo_gtk_len[i], key_info))
1508 return -1;
1509 }
1510
1511 return 0;
1512 }
1513
1514
wpa_supplicant_pairwise_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * gtk,size_t gtk_len,int key_info)1515 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
1516 const struct wpa_eapol_key *key,
1517 const u8 *gtk, size_t gtk_len,
1518 int key_info)
1519 {
1520 struct wpa_gtk_data gd;
1521 const u8 *key_rsc;
1522
1523 /*
1524 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
1525 * GTK KDE format:
1526 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
1527 * Reserved [bits 0-7]
1528 * GTK
1529 */
1530
1531 os_memset(&gd, 0, sizeof(gd));
1532 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
1533 gtk, gtk_len);
1534
1535 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
1536 return -1;
1537
1538 gd.keyidx = gtk[0] & 0x3;
1539 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1540 !!(gtk[0] & BIT(2)));
1541 gtk += 2;
1542 gtk_len -= 2;
1543
1544 os_memcpy(gd.gtk, gtk, gtk_len);
1545 gd.gtk_len = gtk_len;
1546
1547 key_rsc = key->key_rsc;
1548 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1549 key_rsc = null_rsc;
1550
1551 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1552 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1553 gtk_len, gtk_len,
1554 &gd.key_rsc_len, &gd.alg) ||
1555 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
1556 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1557 "RSN: Failed to install GTK");
1558 forced_memzero(&gd, sizeof(gd));
1559 return -1;
1560 }
1561 forced_memzero(&gd, sizeof(gd));
1562
1563 return 0;
1564 }
1565
1566
wpa_supplicant_install_igtk(struct wpa_sm * sm,const struct wpa_igtk_kde * igtk,int wnm_sleep)1567 static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
1568 const struct wpa_igtk_kde *igtk,
1569 int wnm_sleep)
1570 {
1571 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1572 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1573
1574 /* Detect possible key reinstallation */
1575 if ((sm->igtk.igtk_len == len &&
1576 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
1577 (sm->igtk_wnm_sleep.igtk_len == len &&
1578 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1579 sm->igtk_wnm_sleep.igtk_len) == 0)) {
1580 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1581 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1582 keyidx);
1583 return 0;
1584 }
1585
1586 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1587 "WPA: IGTK keyid %d pn " COMPACT_MACSTR,
1588 keyidx, MAC2STR(igtk->pn));
1589 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
1590 if (keyidx > 4095) {
1591 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1592 "WPA: Invalid IGTK KeyID %d", keyidx);
1593 return -1;
1594 }
1595 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1596 broadcast_ether_addr,
1597 keyidx, 0, igtk->pn, sizeof(igtk->pn),
1598 igtk->igtk, len, KEY_FLAG_GROUP_RX) < 0) {
1599 if (keyidx == 0x0400 || keyidx == 0x0500) {
1600 /* Assume the AP has broken PMF implementation since it
1601 * seems to have swapped the KeyID bytes. The AP cannot
1602 * be trusted to implement BIP correctly or provide a
1603 * valid IGTK, so do not try to configure this key with
1604 * swapped KeyID bytes. Instead, continue without
1605 * configuring the IGTK so that the driver can drop any
1606 * received group-addressed robust management frames due
1607 * to missing keys.
1608 *
1609 * Normally, this error behavior would result in us
1610 * disconnecting, but there are number of deployed APs
1611 * with this broken behavior, so as an interoperability
1612 * workaround, allow the connection to proceed. */
1613 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1614 "WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order");
1615 } else {
1616 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1617 "WPA: Failed to configure IGTK to the driver");
1618 return -1;
1619 }
1620 }
1621
1622 if (wnm_sleep) {
1623 sm->igtk_wnm_sleep.igtk_len = len;
1624 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1625 sm->igtk_wnm_sleep.igtk_len);
1626 } else {
1627 sm->igtk.igtk_len = len;
1628 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
1629 }
1630
1631 return 0;
1632 }
1633
1634
wpa_supplicant_install_bigtk(struct wpa_sm * sm,const struct wpa_bigtk_kde * bigtk,int wnm_sleep)1635 static int wpa_supplicant_install_bigtk(struct wpa_sm *sm,
1636 const struct wpa_bigtk_kde *bigtk,
1637 int wnm_sleep)
1638 {
1639 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1640 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1641
1642 /* Detect possible key reinstallation */
1643 if ((sm->bigtk.bigtk_len == len &&
1644 os_memcmp(sm->bigtk.bigtk, bigtk->bigtk,
1645 sm->bigtk.bigtk_len) == 0) ||
1646 (sm->bigtk_wnm_sleep.bigtk_len == len &&
1647 os_memcmp(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1648 sm->bigtk_wnm_sleep.bigtk_len) == 0)) {
1649 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1650 "WPA: Not reinstalling already in-use BIGTK to the driver (keyidx=%d)",
1651 keyidx);
1652 return 0;
1653 }
1654
1655 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1656 "WPA: BIGTK keyid %d pn " COMPACT_MACSTR,
1657 keyidx, MAC2STR(bigtk->pn));
1658 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK", bigtk->bigtk, len);
1659 if (keyidx < 6 || keyidx > 7) {
1660 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1661 "WPA: Invalid BIGTK KeyID %d", keyidx);
1662 return -1;
1663 }
1664 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1665 broadcast_ether_addr,
1666 keyidx, 0, bigtk->pn, sizeof(bigtk->pn),
1667 bigtk->bigtk, len, KEY_FLAG_GROUP_RX) < 0) {
1668 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1669 "WPA: Failed to configure BIGTK to the driver");
1670 return -1;
1671 }
1672
1673 if (wnm_sleep) {
1674 sm->bigtk_wnm_sleep.bigtk_len = len;
1675 os_memcpy(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1676 sm->bigtk_wnm_sleep.bigtk_len);
1677 } else {
1678 sm->bigtk.bigtk_len = len;
1679 os_memcpy(sm->bigtk.bigtk, bigtk->bigtk, sm->bigtk.bigtk_len);
1680 }
1681
1682 return 0;
1683 }
1684
1685
wpa_supplicant_install_mlo_igtk(struct wpa_sm * sm,u8 link_id,const struct rsn_mlo_igtk_kde * igtk,int wnm_sleep)1686 static int wpa_supplicant_install_mlo_igtk(struct wpa_sm *sm, u8 link_id,
1687 const struct rsn_mlo_igtk_kde *igtk,
1688 int wnm_sleep)
1689 {
1690 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1691 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1692
1693 /* Detect possible key reinstallation */
1694 if ((sm->mlo.links[link_id].igtk.igtk_len == len &&
1695 os_memcmp(sm->mlo.links[link_id].igtk.igtk, igtk->igtk,
1696 sm->mlo.links[link_id].igtk.igtk_len) == 0) ||
1697 (sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len == len &&
1698 os_memcmp(sm->mlo.links[link_id].igtk_wnm_sleep.igtk, igtk->igtk,
1699 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len) == 0)) {
1700 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1701 "RSN: Not reinstalling already in-use IGTK to the driver (link_id=%d keyidx=%d)",
1702 link_id, keyidx);
1703 return 0;
1704 }
1705
1706 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1707 "RSN: MLO Link %u IGTK keyid %d pn " COMPACT_MACSTR,
1708 link_id, keyidx, MAC2STR(igtk->pn));
1709 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: IGTK", igtk->igtk, len);
1710 if (keyidx > 4095) {
1711 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1712 "RSN: Invalid MLO Link %d IGTK KeyID %d", link_id,
1713 keyidx);
1714 return -1;
1715 }
1716 if (wpa_sm_set_key(sm, link_id,
1717 wpa_cipher_to_alg(sm->mgmt_group_cipher),
1718 broadcast_ether_addr, keyidx, 0, igtk->pn,
1719 sizeof(igtk->pn), igtk->igtk, len,
1720 KEY_FLAG_GROUP_RX) < 0) {
1721 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1722 "RSN: Failed to configure MLO Link %d IGTK to the driver",
1723 link_id);
1724 return -1;
1725 }
1726
1727 if (wnm_sleep) {
1728 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len = len;
1729 os_memcpy(sm->mlo.links[link_id].igtk_wnm_sleep.igtk,
1730 igtk->igtk,
1731 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len);
1732 } else {
1733 sm->mlo.links[link_id].igtk.igtk_len = len;
1734 os_memcpy(sm->mlo.links[link_id].igtk.igtk, igtk->igtk,
1735 sm->mlo.links[link_id].igtk.igtk_len);
1736 }
1737
1738 return 0;
1739 }
1740
1741
1742 static int
wpa_supplicant_install_mlo_bigtk(struct wpa_sm * sm,u8 link_id,const struct rsn_mlo_bigtk_kde * bigtk,int wnm_sleep)1743 wpa_supplicant_install_mlo_bigtk(struct wpa_sm *sm, u8 link_id,
1744 const struct rsn_mlo_bigtk_kde *bigtk,
1745 int wnm_sleep)
1746 {
1747 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1748 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1749
1750 /* Detect possible key reinstallation */
1751 if ((sm->mlo.links[link_id].bigtk.bigtk_len == len &&
1752 os_memcmp(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk,
1753 sm->mlo.links[link_id].bigtk.bigtk_len) == 0) ||
1754 (sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len == len &&
1755 os_memcmp(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk,
1756 bigtk->bigtk,
1757 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len) ==
1758 0)) {
1759 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1760 "RSN: Not reinstalling already in-use BIGTK to the driver (link_id=%d keyidx=%d)",
1761 link_id, keyidx);
1762 return 0;
1763 }
1764
1765 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1766 "RSN: MLO Link %u BIGTK keyid %d pn " COMPACT_MACSTR,
1767 link_id, keyidx, MAC2STR(bigtk->pn));
1768 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: BIGTK", bigtk->bigtk,
1769 len);
1770 if (keyidx < 6 || keyidx > 7) {
1771 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1772 "RSN: Invalid MLO Link %d BIGTK KeyID %d", link_id,
1773 keyidx);
1774 return -1;
1775 }
1776 if (wpa_sm_set_key(sm, link_id,
1777 wpa_cipher_to_alg(sm->mgmt_group_cipher),
1778 broadcast_ether_addr, keyidx, 0, bigtk->pn,
1779 sizeof(bigtk->pn), bigtk->bigtk, len,
1780 KEY_FLAG_GROUP_RX) < 0) {
1781 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1782 "RSN: Failed to configure MLO Link %d BIGTK to the driver",
1783 link_id);
1784 return -1;
1785 }
1786
1787 if (wnm_sleep) {
1788 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len = len;
1789 os_memcpy(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk,
1790 bigtk->bigtk,
1791 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len);
1792 } else {
1793 sm->mlo.links[link_id].bigtk.bigtk_len = len;
1794 os_memcpy(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk,
1795 sm->mlo.links[link_id].bigtk.bigtk_len);
1796 }
1797
1798 return 0;
1799 }
1800
1801
_mlo_ieee80211w_set_keys(struct wpa_sm * sm,u8 link_id,struct wpa_eapol_ie_parse * ie)1802 static int _mlo_ieee80211w_set_keys(struct wpa_sm *sm, u8 link_id,
1803 struct wpa_eapol_ie_parse *ie)
1804 {
1805 size_t len;
1806
1807 if (ie->mlo_igtk[link_id]) {
1808 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1809 if (ie->mlo_igtk_len[link_id] !=
1810 RSN_MLO_IGTK_KDE_PREFIX_LENGTH + len)
1811 return -1;
1812
1813 if (wpa_supplicant_install_mlo_igtk(
1814 sm, link_id,
1815 (const struct rsn_mlo_igtk_kde *)
1816 ie->mlo_igtk[link_id],
1817 0) < 0)
1818 return -1;
1819 }
1820
1821 if (ie->mlo_bigtk[link_id] && sm->beacon_prot) {
1822 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1823 if (ie->mlo_bigtk_len[link_id] !=
1824 RSN_MLO_BIGTK_KDE_PREFIX_LENGTH + len)
1825 return -1;
1826
1827 if (wpa_supplicant_install_mlo_bigtk(
1828 sm, link_id,
1829 (const struct rsn_mlo_bigtk_kde *)
1830 ie->mlo_bigtk[link_id],
1831 0) < 0)
1832 return -1;
1833 }
1834
1835 return 0;
1836 }
1837
1838
mlo_ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1839 static int mlo_ieee80211w_set_keys(struct wpa_sm *sm,
1840 struct wpa_eapol_ie_parse *ie)
1841 {
1842 u8 i;
1843
1844 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1845 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1846 return 0;
1847
1848 for (i = 0; i < MAX_NUM_MLO_LINKS; i++) {
1849 if (!(sm->mlo.valid_links & BIT(i)))
1850 continue;
1851
1852 if (_mlo_ieee80211w_set_keys(sm, i, ie))
1853 return -1;
1854 }
1855
1856 return 0;
1857 }
1858
1859
ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1860 static int ieee80211w_set_keys(struct wpa_sm *sm,
1861 struct wpa_eapol_ie_parse *ie)
1862 {
1863 size_t len;
1864
1865 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1866 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1867 return 0;
1868
1869 if (ie->igtk) {
1870 const struct wpa_igtk_kde *igtk;
1871
1872 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1873 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
1874 return -1;
1875
1876 igtk = (const struct wpa_igtk_kde *) ie->igtk;
1877 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
1878 return -1;
1879 }
1880
1881 if (ie->bigtk && sm->beacon_prot) {
1882 const struct wpa_bigtk_kde *bigtk;
1883
1884 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1885 if (ie->bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + len)
1886 return -1;
1887
1888 bigtk = (const struct wpa_bigtk_kde *) ie->bigtk;
1889 if (wpa_supplicant_install_bigtk(sm, bigtk, 0) < 0)
1890 return -1;
1891 }
1892
1893 return 0;
1894 }
1895
1896
wpa_report_ie_mismatch(struct wpa_sm * sm,const char * reason,const u8 * src_addr,const u8 * wpa_ie,size_t wpa_ie_len,const u8 * rsn_ie,size_t rsn_ie_len)1897 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
1898 const char *reason, const u8 *src_addr,
1899 const u8 *wpa_ie, size_t wpa_ie_len,
1900 const u8 *rsn_ie, size_t rsn_ie_len)
1901 {
1902 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
1903 reason, MAC2STR(src_addr));
1904
1905 if (sm->ap_wpa_ie) {
1906 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
1907 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
1908 }
1909 if (wpa_ie) {
1910 if (!sm->ap_wpa_ie) {
1911 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1912 "WPA: No WPA IE in Beacon/ProbeResp");
1913 }
1914 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
1915 wpa_ie, wpa_ie_len);
1916 }
1917
1918 if (sm->ap_rsn_ie) {
1919 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1920 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1921 }
1922 if (rsn_ie) {
1923 if (!sm->ap_rsn_ie) {
1924 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1925 "WPA: No RSN IE in Beacon/ProbeResp");
1926 }
1927 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1928 rsn_ie, rsn_ie_len);
1929 }
1930
1931 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
1932 }
1933
1934
1935 #ifdef CONFIG_IEEE80211R
1936
ft_validate_mdie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_mdie)1937 static int ft_validate_mdie(struct wpa_sm *sm,
1938 const unsigned char *src_addr,
1939 struct wpa_eapol_ie_parse *ie,
1940 const u8 *assoc_resp_mdie)
1941 {
1942 struct rsn_mdie *mdie;
1943
1944 mdie = (struct rsn_mdie *) (ie->mdie + 2);
1945 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
1946 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
1947 MOBILITY_DOMAIN_ID_LEN) != 0) {
1948 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
1949 "not match with the current mobility domain");
1950 return -1;
1951 }
1952
1953 if (assoc_resp_mdie &&
1954 (assoc_resp_mdie[1] != ie->mdie[1] ||
1955 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
1956 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
1957 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
1958 ie->mdie, 2 + ie->mdie[1]);
1959 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
1960 assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
1961 return -1;
1962 }
1963
1964 return 0;
1965 }
1966
1967
ft_validate_ftie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_ftie)1968 static int ft_validate_ftie(struct wpa_sm *sm,
1969 const unsigned char *src_addr,
1970 struct wpa_eapol_ie_parse *ie,
1971 const u8 *assoc_resp_ftie)
1972 {
1973 if (ie->ftie == NULL) {
1974 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1975 "FT: No FTIE in EAPOL-Key msg 3/4");
1976 return -1;
1977 }
1978
1979 if (assoc_resp_ftie == NULL)
1980 return 0;
1981
1982 if (assoc_resp_ftie[1] != ie->ftie[1] ||
1983 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
1984 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
1985 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
1986 ie->ftie, 2 + ie->ftie[1]);
1987 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
1988 assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
1989 return -1;
1990 }
1991
1992 return 0;
1993 }
1994
1995
ft_validate_rsnie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1996 static int ft_validate_rsnie(struct wpa_sm *sm,
1997 const unsigned char *src_addr,
1998 struct wpa_eapol_ie_parse *ie)
1999 {
2000 struct wpa_ie_data rsn;
2001
2002 if (!ie->rsn_ie)
2003 return 0;
2004
2005 /*
2006 * Verify that PMKR1Name from EAPOL-Key message 3/4
2007 * matches with the value we derived.
2008 */
2009 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
2010 rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
2011 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
2012 "FT 4-way handshake message 3/4");
2013 return -1;
2014 }
2015
2016 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
2017 {
2018 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2019 "FT: PMKR1Name mismatch in "
2020 "FT 4-way handshake message 3/4");
2021 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
2022 rsn.pmkid, WPA_PMK_NAME_LEN);
2023 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2024 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2025 return -1;
2026 }
2027
2028 return 0;
2029 }
2030
2031
wpa_supplicant_validate_ie_ft(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2032 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
2033 const unsigned char *src_addr,
2034 struct wpa_eapol_ie_parse *ie)
2035 {
2036 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
2037
2038 if (sm->assoc_resp_ies) {
2039 pos = sm->assoc_resp_ies;
2040 end = pos + sm->assoc_resp_ies_len;
2041 while (end - pos > 2) {
2042 if (2 + pos[1] > end - pos)
2043 break;
2044 switch (*pos) {
2045 case WLAN_EID_MOBILITY_DOMAIN:
2046 mdie = pos;
2047 break;
2048 case WLAN_EID_FAST_BSS_TRANSITION:
2049 ftie = pos;
2050 break;
2051 }
2052 pos += 2 + pos[1];
2053 }
2054 }
2055
2056 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
2057 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
2058 ft_validate_rsnie(sm, src_addr, ie) < 0)
2059 return -1;
2060
2061 return 0;
2062 }
2063
2064 #endif /* CONFIG_IEEE80211R */
2065
2066
wpa_supplicant_validate_ie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2067 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
2068 const unsigned char *src_addr,
2069 struct wpa_eapol_ie_parse *ie)
2070 {
2071 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
2072 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2073 "WPA: No WPA/RSN IE for this AP known. "
2074 "Trying to get from scan results");
2075 if (wpa_sm_get_beacon_ie(sm) < 0) {
2076 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2077 "WPA: Could not find AP from "
2078 "the scan results");
2079 return -1;
2080 }
2081 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
2082 "WPA: Found the current AP from updated scan results");
2083 }
2084
2085 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
2086 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
2087 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
2088 "with IE in Beacon/ProbeResp (no IE?)",
2089 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2090 ie->rsn_ie, ie->rsn_ie_len);
2091 return -1;
2092 }
2093
2094 if ((ie->wpa_ie && sm->ap_wpa_ie &&
2095 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
2096 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
2097 (ie->rsn_ie && sm->ap_rsn_ie &&
2098 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2099 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
2100 ie->rsn_ie, ie->rsn_ie_len))) {
2101 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
2102 "with IE in Beacon/ProbeResp",
2103 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2104 ie->rsn_ie, ie->rsn_ie_len);
2105 return -1;
2106 }
2107
2108 if (sm->proto == WPA_PROTO_WPA &&
2109 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
2110 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
2111 "detected - RSN was enabled and RSN IE "
2112 "was in msg 3/4, but not in "
2113 "Beacon/ProbeResp",
2114 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2115 ie->rsn_ie, ie->rsn_ie_len);
2116 return -1;
2117 }
2118
2119 if (sm->proto == WPA_PROTO_RSN &&
2120 ((sm->ap_rsnxe && !ie->rsnxe) ||
2121 (!sm->ap_rsnxe && ie->rsnxe) ||
2122 (sm->ap_rsnxe && ie->rsnxe &&
2123 (sm->ap_rsnxe_len != ie->rsnxe_len ||
2124 os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) {
2125 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2126 "WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2127 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
2128 sm->ap_rsnxe, sm->ap_rsnxe_len);
2129 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
2130 ie->rsnxe, ie->rsnxe_len);
2131 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2132 return -1;
2133 }
2134
2135 #ifdef CONFIG_IEEE80211R
2136 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
2137 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
2138 return -1;
2139 #endif /* CONFIG_IEEE80211R */
2140
2141 return 0;
2142 }
2143
2144
2145 /**
2146 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
2147 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2148 * @dst: Destination address for the frame
2149 * @key: Pointer to the EAPOL-Key frame header
2150 * @ver: Version bits from EAPOL-Key Key Info
2151 * @key_info: Key Info
2152 * @ptk: PTK to use for keyed hash and encryption
2153 * Returns: >= 0 on success, < 0 on failure
2154 */
wpa_supplicant_send_4_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,u16 ver,u16 key_info,struct wpa_ptk * ptk)2155 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
2156 const struct wpa_eapol_key *key,
2157 u16 ver, u16 key_info,
2158 struct wpa_ptk *ptk)
2159 {
2160 size_t mic_len, hdrlen, rlen;
2161 struct wpa_eapol_key *reply;
2162 u8 *rbuf, *key_mic;
2163 u8 *kde = NULL;
2164 size_t kde_len = 0;
2165
2166 if (sm->mlo.valid_links) {
2167 u8 *pos;
2168
2169 kde = os_malloc(RSN_SELECTOR_LEN + ETH_ALEN + 2);
2170 if (!kde)
2171 return -1;
2172
2173 /* Add MAC KDE */
2174 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 4/4");
2175 pos = kde;
2176 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
2177 ETH_ALEN);
2178 kde_len = pos - kde;
2179 }
2180
2181 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2182 hdrlen = sizeof(*reply) + mic_len + 2;
2183 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
2184 hdrlen + kde_len, &rlen, (void *) &reply);
2185 if (!rbuf) {
2186 os_free(kde);
2187 return -1;
2188 }
2189
2190 reply->type = (sm->proto == WPA_PROTO_RSN ||
2191 sm->proto == WPA_PROTO_OSEN) ?
2192 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2193 key_info &= WPA_KEY_INFO_SECURE;
2194 key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
2195 if (mic_len)
2196 key_info |= WPA_KEY_INFO_MIC;
2197 else
2198 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2199 WPA_PUT_BE16(reply->key_info, key_info);
2200 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
2201 WPA_PUT_BE16(reply->key_length, 0);
2202 else
2203 os_memcpy(reply->key_length, key->key_length, 2);
2204 os_memcpy(reply->replay_counter, key->replay_counter,
2205 WPA_REPLAY_COUNTER_LEN);
2206
2207 key_mic = (u8 *) (reply + 1);
2208 WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data length */
2209 if (kde) {
2210 os_memcpy(key_mic + mic_len + 2, kde, kde_len); /* Key Data */
2211 os_free(kde);
2212 }
2213
2214 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Sending EAPOL-Key 4/4");
2215 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
2216 key_mic);
2217 }
2218
2219
wpa_supplicant_validate_link_kde(struct wpa_sm * sm,u8 link_id,const u8 * link_kde,size_t link_kde_len)2220 static int wpa_supplicant_validate_link_kde(struct wpa_sm *sm, u8 link_id,
2221 const u8 *link_kde,
2222 size_t link_kde_len)
2223 {
2224 size_t rsne_len = 0, rsnxe_len = 0;
2225 const u8 *rsne = NULL, *rsnxe = NULL;
2226
2227 if (!link_kde ||
2228 link_kde_len < RSN_MLO_LINK_KDE_LINK_MAC_INDEX + ETH_ALEN) {
2229 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2230 "RSN: MLO Link KDE is not found for link ID %d",
2231 link_id);
2232 return -1;
2233 }
2234
2235 if (os_memcmp(sm->mlo.links[link_id].bssid,
2236 &link_kde[RSN_MLO_LINK_KDE_LINK_MAC_INDEX],
2237 ETH_ALEN) != 0) {
2238 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2239 "RSN: MLO Link %u MAC address (" MACSTR
2240 ") not matching association response (" MACSTR ")",
2241 link_id,
2242 MAC2STR(&link_kde[RSN_MLO_LINK_KDE_LINK_MAC_INDEX]),
2243 MAC2STR(sm->mlo.links[link_id].bssid));
2244 return -1;
2245 }
2246
2247 if (link_kde[0] & RSN_MLO_LINK_KDE_LI_RSNE_INFO) {
2248 rsne = link_kde + RSN_MLO_LINK_KDE_FIXED_LENGTH;
2249 if (link_kde_len < RSN_MLO_LINK_KDE_FIXED_LENGTH + 2 ||
2250 link_kde_len <
2251 (size_t) (RSN_MLO_LINK_KDE_FIXED_LENGTH + 2 + rsne[1])) {
2252 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2253 "RSN: No room for link %u RSNE in MLO Link KDE",
2254 link_id);
2255 return -1;
2256 }
2257
2258 rsne_len = rsne[1] + 2;
2259 }
2260
2261 if (!rsne) {
2262 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2263 "RSN: RSNE not present in MLO Link %u KDE", link_id);
2264 return -1;
2265 }
2266
2267 if (link_kde[0] & RSN_MLO_LINK_KDE_LI_RSNXE_INFO) {
2268 rsnxe = link_kde + RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len;
2269 if (link_kde_len <
2270 (RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len + 2) ||
2271 link_kde_len <
2272 (RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len + 2 + rsnxe[1])) {
2273 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2274 "RSN: No room for link %u RSNXE in MLO Link KDE",
2275 link_id);
2276 return -1;
2277 }
2278
2279 rsnxe_len = rsnxe[1] + 2;
2280 }
2281
2282 if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2283 sm->mlo.links[link_id].ap_rsne,
2284 sm->mlo.links[link_id].ap_rsne_len,
2285 rsne, rsne_len)) {
2286 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2287 "RSN MLO: IE in 3/4 msg does not match with IE in Beacon/ProbeResp for link ID %u",
2288 link_id);
2289 wpa_hexdump(MSG_INFO, "RSNE in Beacon/ProbeResp",
2290 sm->mlo.links[link_id].ap_rsne,
2291 sm->mlo.links[link_id].ap_rsne_len);
2292 wpa_hexdump(MSG_INFO, "RSNE in EAPOL-Key msg 3/4",
2293 rsne, rsne_len);
2294 return -1;
2295 }
2296
2297 if ((sm->mlo.links[link_id].ap_rsnxe && !rsnxe) ||
2298 (!sm->mlo.links[link_id].ap_rsnxe && rsnxe) ||
2299 (sm->mlo.links[link_id].ap_rsnxe && rsnxe &&
2300 (sm->mlo.links[link_id].ap_rsnxe_len != rsnxe_len ||
2301 os_memcmp(sm->mlo.links[link_id].ap_rsnxe, rsnxe,
2302 sm->mlo.links[link_id].ap_rsnxe_len) != 0))) {
2303 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2304 "RSN MLO: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4 for link ID %u",
2305 link_id);
2306 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
2307 sm->mlo.links[link_id].ap_rsnxe,
2308 sm->mlo.links[link_id].ap_rsnxe_len);
2309 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
2310 rsnxe, rsnxe_len);
2311 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2312 return -1;
2313 }
2314
2315 return 0;
2316 }
2317
2318
wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm * sm,u8 link_id,struct wpa_eapol_ie_parse * ie)2319 static int wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm *sm,
2320 u8 link_id,
2321 struct wpa_eapol_ie_parse *ie)
2322 {
2323 if (ie->mlo_igtk[link_id] &&
2324 ie->mlo_igtk_len[link_id] != RSN_MLO_IGTK_KDE_PREFIX_LENGTH +
2325 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2326 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2327 "RSN MLO: Invalid IGTK KDE length %lu for link ID %u",
2328 (unsigned long) ie->mlo_igtk_len, link_id);
2329 return -1;
2330 }
2331
2332 if (!sm->beacon_prot)
2333 return 0;
2334
2335 if (ie->mlo_bigtk[link_id] &&
2336 ie->mlo_bigtk_len[link_id] != RSN_MLO_BIGTK_KDE_PREFIX_LENGTH +
2337 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2338 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2339 "RSN MLO: Invalid BIGTK KDE length %lu for link ID %u",
2340 (unsigned long) ie->mlo_bigtk_len, link_id);
2341 return -1;
2342 }
2343
2344 return 0;
2345 }
2346
2347
wpa_supplicant_process_3_of_4_wpa(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)2348 static void wpa_supplicant_process_3_of_4_wpa(struct wpa_sm *sm,
2349 const struct wpa_eapol_key *key,
2350 u16 ver, const u8 *key_data,
2351 size_t key_data_len)
2352 {
2353 u16 key_info, keylen;
2354 struct wpa_eapol_ie_parse ie;
2355
2356 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
2357 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2358 "WPA: RX message 3 of 4-Way Handshake from " MACSTR
2359 " (ver=%d)", MAC2STR(sm->bssid), ver);
2360
2361 key_info = WPA_GET_BE16(key->key_info);
2362
2363 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
2364 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
2365 goto failed;
2366
2367 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
2368 goto failed;
2369
2370 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2371 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2372 "WPA: ANonce from message 1 of 4-Way Handshake differs from 3 of 4-Way Handshake - drop packet (src="
2373 MACSTR ")", MAC2STR(sm->bssid));
2374 goto failed;
2375 }
2376
2377 keylen = WPA_GET_BE16(key->key_length);
2378 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
2379 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2380 "WPA: Invalid %s key length %d (src=" MACSTR ")",
2381 wpa_cipher_txt(sm->pairwise_cipher), keylen,
2382 MAC2STR(sm->bssid));
2383 goto failed;
2384 }
2385
2386 if (wpa_supplicant_send_4_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
2387 key_info, &sm->ptk) < 0)
2388 goto failed;
2389
2390 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
2391 * for the next 4-Way Handshake. If msg 3 is received again, the old
2392 * SNonce will still be used to avoid changing PTK. */
2393 sm->renew_snonce = 1;
2394
2395 if ((key_info & WPA_KEY_INFO_INSTALL) &&
2396 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX_TX))
2397 goto failed;
2398
2399 if (key_info & WPA_KEY_INFO_SECURE) {
2400 wpa_sm_mlme_setprotection(
2401 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2402 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
2403 eapol_sm_notify_portValid(sm->eapol, true);
2404 }
2405 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2406
2407 sm->msg_3_of_4_ok = 1;
2408 return;
2409
2410 failed:
2411 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2412 }
2413
2414
wpa_supplicant_process_3_of_4(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)2415 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
2416 const struct wpa_eapol_key *key,
2417 u16 ver, const u8 *key_data,
2418 size_t key_data_len)
2419 {
2420 u16 key_info, keylen;
2421 struct wpa_eapol_ie_parse ie;
2422 bool mlo = sm->mlo.valid_links;
2423 int i;
2424
2425 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
2426 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO,
2427 "RSN: RX message 3 of 4-Way Handshake from " MACSTR
2428 " (ver=%d)%s", MAC2STR(sm->bssid), ver, mlo ? " (MLO)" : "");
2429
2430 key_info = WPA_GET_BE16(key->key_info);
2431
2432 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
2433 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
2434 goto failed;
2435
2436 if (mlo && !ie.valid_mlo_gtks) {
2437 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2438 "MLO RSN: No GTK KDE included in EAPOL-Key msg 3/4");
2439 goto failed;
2440 }
2441 if (mlo &&
2442 (key_info &
2443 (WPA_KEY_INFO_ENCR_KEY_DATA | WPA_KEY_INFO_INSTALL |
2444 WPA_KEY_INFO_SECURE)) !=
2445 (WPA_KEY_INFO_ENCR_KEY_DATA | WPA_KEY_INFO_INSTALL |
2446 WPA_KEY_INFO_SECURE)) {
2447 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2448 "RSN MLO: Invalid key info (0x%x) in EAPOL-Key msg 3/4",
2449 key_info);
2450 goto failed;
2451 }
2452
2453 if (mlo && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) {
2454 wpa_printf(MSG_DEBUG, "RSN: Invalid AP MLD MAC address KDE");
2455 goto failed;
2456 }
2457
2458 for (i = 0; mlo && i < MAX_NUM_MLD_LINKS; i++) {
2459 if (!(sm->mlo.req_links & BIT(i)))
2460 continue;
2461
2462 if (wpa_supplicant_validate_link_kde(sm, i, ie.mlo_link[i],
2463 ie.mlo_link_len[i]) < 0)
2464 goto failed;
2465
2466 if (!(sm->mlo.valid_links & BIT(i)))
2467 continue;
2468
2469 if (!ie.mlo_gtk[i]) {
2470 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2471 "RSN: GTK not found for link ID %u", i);
2472 goto failed;
2473 }
2474
2475 if (sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
2476 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
2477 wpa_validate_mlo_ieee80211w_kdes(sm, i, &ie) < 0)
2478 goto failed;
2479 }
2480
2481 #ifdef CONFIG_IEEE80211R
2482 if (mlo && wpa_key_mgmt_ft(sm->key_mgmt) &&
2483 wpa_supplicant_validate_ie_ft(sm, sm->bssid, &ie) < 0)
2484 goto failed;
2485 #endif /* CONFIG_IEEE80211R */
2486
2487 if (!mlo && ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2488 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2489 "WPA: GTK IE in unencrypted key data");
2490 goto failed;
2491 }
2492 if (!mlo && ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2493 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2494 "WPA: IGTK KDE in unencrypted key data");
2495 goto failed;
2496 }
2497
2498 if (!mlo && ie.igtk &&
2499 sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
2500 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
2501 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
2502 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2503 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2504 "WPA: Invalid IGTK KDE length %lu",
2505 (unsigned long) ie.igtk_len);
2506 goto failed;
2507 }
2508
2509 if (!mlo && wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
2510 goto failed;
2511
2512 if (wpa_handle_ext_key_id(sm, &ie))
2513 goto failed;
2514
2515 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2516 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2517 "WPA: ANonce from message 1 of 4-Way Handshake "
2518 "differs from 3 of 4-Way Handshake - drop packet (src="
2519 MACSTR ")", MAC2STR(sm->bssid));
2520 goto failed;
2521 }
2522
2523 keylen = WPA_GET_BE16(key->key_length);
2524 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
2525 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2526 "WPA: Invalid %s key length %d (src=" MACSTR
2527 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
2528 MAC2STR(sm->bssid));
2529 goto failed;
2530 }
2531
2532 #ifdef CONFIG_P2P
2533 if (ie.ip_addr_alloc) {
2534 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
2535 wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
2536 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
2537 }
2538 #endif /* CONFIG_P2P */
2539
2540 #ifdef CONFIG_OCV
2541 if (wpa_sm_ocv_enabled(sm)) {
2542 struct wpa_channel_info ci;
2543
2544 if (wpa_sm_channel_info(sm, &ci) != 0) {
2545 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2546 "Failed to get channel info to validate received OCI in EAPOL-Key 3/4");
2547 return;
2548 }
2549
2550 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
2551 channel_width_to_int(ci.chanwidth),
2552 ci.seg1_idx) != OCI_SUCCESS) {
2553 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
2554 "addr=" MACSTR " frame=eapol-key-m3 error=%s",
2555 MAC2STR(sm->bssid), ocv_errorstr);
2556 return;
2557 }
2558 }
2559 #endif /* CONFIG_OCV */
2560
2561 #ifdef CONFIG_DPP2
2562 if (DPP_VERSION > 1 && ie.dpp_kde) {
2563 wpa_printf(MSG_DEBUG,
2564 "DPP: peer Protocol Version %u Flags 0x%x",
2565 ie.dpp_kde[0], ie.dpp_kde[1]);
2566 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_pfs != 2 &&
2567 (ie.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && !sm->dpp_z) {
2568 wpa_printf(MSG_INFO,
2569 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
2570 goto failed;
2571 }
2572 }
2573 #endif /* CONFIG_DPP2 */
2574
2575 if (sm->use_ext_key_id &&
2576 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX))
2577 goto failed;
2578
2579 if (wpa_supplicant_send_4_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
2580 key_info, &sm->ptk) < 0)
2581 goto failed;
2582
2583 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
2584 * for the next 4-Way Handshake. If msg 3 is received again, the old
2585 * SNonce will still be used to avoid changing PTK. */
2586 sm->renew_snonce = 1;
2587
2588 if (key_info & WPA_KEY_INFO_INSTALL) {
2589 int res;
2590
2591 if (sm->use_ext_key_id)
2592 res = wpa_supplicant_activate_ptk(sm);
2593 else
2594 res = wpa_supplicant_install_ptk(sm, key,
2595 KEY_FLAG_RX_TX);
2596 if (res)
2597 goto failed;
2598 }
2599
2600 if (key_info & WPA_KEY_INFO_SECURE) {
2601 wpa_sm_mlme_setprotection(
2602 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2603 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
2604 eapol_sm_notify_portValid(sm->eapol, true);
2605 }
2606 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2607
2608 if (mlo) {
2609 if (wpa_supplicant_pairwise_mlo_gtk(sm, key, &ie,
2610 key_info) < 0) {
2611 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2612 "MLO RSN: Failed to configure MLO GTKs");
2613 goto failed;
2614 }
2615 } else if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
2616 /* No GTK to be set to the driver */
2617 } else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) {
2618 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2619 "RSN: No GTK KDE included in EAPOL-Key msg 3/4");
2620 goto failed;
2621 } else if (ie.gtk &&
2622 wpa_supplicant_pairwise_gtk(sm, key,
2623 ie.gtk, ie.gtk_len, key_info) < 0) {
2624 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2625 "RSN: Failed to configure GTK");
2626 goto failed;
2627 }
2628
2629 if ((mlo && mlo_ieee80211w_set_keys(sm, &ie) < 0) ||
2630 (!mlo && ieee80211w_set_keys(sm, &ie) < 0)) {
2631 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2632 "RSN: Failed to configure IGTK");
2633 goto failed;
2634 }
2635
2636 if (mlo || sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk)
2637 wpa_supplicant_key_neg_complete(sm, sm->bssid,
2638 key_info & WPA_KEY_INFO_SECURE);
2639
2640 if (mlo || ie.gtk)
2641 wpa_sm_set_rekey_offload(sm);
2642
2643 /* Add PMKSA cache entry for Suite B AKMs here since PMKID can be
2644 * calculated only after KCK has been derived. Though, do not replace an
2645 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
2646 * to avoid unnecessary changes of PMKID while continuing to use the
2647 * same PMK. */
2648 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
2649 !sm->cur_pmksa) {
2650 struct rsn_pmksa_cache_entry *sa;
2651
2652 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
2653 sm->ptk.kck, sm->ptk.kck_len,
2654 wpa_sm_get_auth_addr(sm), sm->own_addr,
2655 sm->network_ctx, sm->key_mgmt, NULL);
2656 if (!sm->cur_pmksa)
2657 sm->cur_pmksa = sa;
2658 }
2659
2660 if (ie.transition_disable)
2661 wpa_sm_transition_disable(sm, ie.transition_disable[0]);
2662 sm->msg_3_of_4_ok = 1;
2663 return;
2664
2665 failed:
2666 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2667 }
2668
2669
wpa_supplicant_send_2_of_2(struct wpa_sm * sm,const struct wpa_eapol_key * key,int ver,u16 key_info)2670 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
2671 const struct wpa_eapol_key *key,
2672 int ver, u16 key_info)
2673 {
2674 size_t mic_len, hdrlen, rlen;
2675 struct wpa_eapol_key *reply;
2676 u8 *rbuf, *key_mic;
2677 size_t kde_len = 0;
2678
2679 #ifdef CONFIG_TESTING_OPTIONS
2680 if (sm->disable_eapol_g2_tx) {
2681 wpa_printf(MSG_INFO, "TEST: Disable sending EAPOL-Key 2/2");
2682 return 0;
2683 }
2684 #endif /* CONFIG_TESTING_OPTIONS */
2685
2686 #ifdef CONFIG_OCV
2687 if (wpa_sm_ocv_enabled(sm))
2688 kde_len = OCV_OCI_KDE_LEN;
2689 #endif /* CONFIG_OCV */
2690
2691 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2692 hdrlen = sizeof(*reply) + mic_len + 2;
2693 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
2694 hdrlen + kde_len, &rlen, (void *) &reply);
2695 if (rbuf == NULL)
2696 return -1;
2697
2698 reply->type = (sm->proto == WPA_PROTO_RSN ||
2699 sm->proto == WPA_PROTO_OSEN) ?
2700 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2701 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
2702 key_info |= ver | WPA_KEY_INFO_SECURE;
2703 if (mic_len)
2704 key_info |= WPA_KEY_INFO_MIC;
2705 else
2706 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2707 WPA_PUT_BE16(reply->key_info, key_info);
2708 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
2709 WPA_PUT_BE16(reply->key_length, 0);
2710 else
2711 os_memcpy(reply->key_length, key->key_length, 2);
2712 os_memcpy(reply->replay_counter, key->replay_counter,
2713 WPA_REPLAY_COUNTER_LEN);
2714
2715 key_mic = (u8 *) (reply + 1);
2716 WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */
2717
2718 #ifdef CONFIG_OCV
2719 if (wpa_sm_ocv_enabled(sm)) {
2720 struct wpa_channel_info ci;
2721 u8 *pos;
2722
2723 if (wpa_sm_channel_info(sm, &ci) != 0) {
2724 wpa_printf(MSG_WARNING,
2725 "Failed to get channel info for OCI element in EAPOL-Key 2/2");
2726 os_free(rbuf);
2727 return -1;
2728 }
2729 #ifdef CONFIG_TESTING_OPTIONS
2730 if (sm->oci_freq_override_eapol_g2) {
2731 wpa_printf(MSG_INFO,
2732 "TEST: Override OCI KDE frequency %d -> %d MHz",
2733 ci.frequency,
2734 sm->oci_freq_override_eapol_g2);
2735 ci.frequency = sm->oci_freq_override_eapol_g2;
2736 }
2737 #endif /* CONFIG_TESTING_OPTIONS */
2738
2739 pos = key_mic + mic_len + 2; /* Key Data */
2740 if (ocv_insert_oci_kde(&ci, &pos) < 0) {
2741 os_free(rbuf);
2742 return -1;
2743 }
2744 }
2745 #endif /* CONFIG_OCV */
2746
2747 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
2748 return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL,
2749 rbuf, rlen, key_mic);
2750 }
2751
2752
wpa_supplicant_process_mlo_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)2753 static void wpa_supplicant_process_mlo_1_of_2(struct wpa_sm *sm,
2754 const unsigned char *src_addr,
2755 const struct wpa_eapol_key *key,
2756 const u8 *key_data,
2757 size_t key_data_len, u16 ver)
2758 {
2759 u16 key_info;
2760 u8 i;
2761 struct wpa_eapol_ie_parse ie;
2762
2763 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
2764 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2765 "MLO RSN: Group Key Handshake started prior to completion of 4-way handshake");
2766 goto failed;
2767 }
2768
2769 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "MLO RSN: RX message 1 of Group "
2770 "Key Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr),
2771 ver);
2772
2773 key_info = WPA_GET_BE16(key->key_info);
2774
2775 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2776
2777 wpa_hexdump_key(MSG_DEBUG, "MLO RSN: msg 1/2 key data", key_data,
2778 key_data_len);
2779 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
2780 goto failed;
2781
2782 if (!ie.valid_mlo_gtks) {
2783 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2784 "MLO RSN: No MLO GTK KDE in Group Key msg 1/2");
2785 goto failed;
2786 }
2787
2788 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2789 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2790 "MLO RSN: MLO GTK KDE in unencrypted key data");
2791 goto failed;
2792 }
2793
2794 #ifdef CONFIG_OCV
2795 if (wpa_sm_ocv_enabled(sm)) {
2796 struct wpa_channel_info ci;
2797
2798 if (wpa_sm_channel_info(sm, &ci) != 0) {
2799 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2800 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
2801 goto failed;
2802 }
2803
2804 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
2805 channel_width_to_int(ci.chanwidth),
2806 ci.seg1_idx) != OCI_SUCCESS) {
2807 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
2808 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
2809 MAC2STR(sm->bssid), ocv_errorstr);
2810 goto failed;
2811 }
2812 }
2813 #endif /* CONFIG_OCV */
2814
2815 if (mlo_ieee80211w_set_keys(sm, &ie) < 0)
2816 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2817 "MLO RSN: Failed to configure MLO IGTK");
2818
2819 for (i = 0; i < MAX_NUM_MLO_LINKS; i++) {
2820 if (!(sm->mlo.valid_links & BIT(i)))
2821 continue;
2822
2823 /*
2824 * AP may send group keys for subset of the all links during
2825 * rekey
2826 */
2827 if (!ie.mlo_gtk[i])
2828 continue;
2829
2830 if (wpa_supplicant_mlo_gtk(sm, i, ie.mlo_gtk[i],
2831 ie.mlo_gtk_len[i], key_info))
2832 goto failed;
2833 }
2834
2835 if (wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
2836 goto failed;
2837
2838 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "MLO RSN: Group rekeying completed "
2839 "with " MACSTR " [GTK=%s]", MAC2STR(sm->mlo.ap_mld_addr),
2840 wpa_cipher_txt(sm->group_cipher));
2841 wpa_sm_cancel_auth_timeout(sm);
2842 wpa_sm_set_state(sm, WPA_COMPLETED);
2843
2844 wpa_sm_set_rekey_offload(sm);
2845
2846 return;
2847
2848 failed:
2849 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2850 }
2851
2852
wpa_supplicant_process_1_of_2_wpa(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)2853 static void wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
2854 const unsigned char *src_addr,
2855 const struct wpa_eapol_key *key,
2856 const u8 *key_data,
2857 size_t key_data_len, u16 ver)
2858 {
2859 u16 key_info;
2860 int rekey;
2861 struct wpa_gtk_data gd;
2862 const u8 *key_rsc;
2863 size_t maxkeylen;
2864 u16 gtk_len;
2865
2866 if (!sm->msg_3_of_4_ok) {
2867 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2868 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
2869 goto failed;
2870 }
2871
2872 os_memset(&gd, 0, sizeof(gd));
2873
2874 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
2875 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2876 "WPA: RX message 1 of Group Key Handshake from " MACSTR
2877 " (ver=%d)", MAC2STR(src_addr), ver);
2878
2879 key_info = WPA_GET_BE16(key->key_info);
2880
2881 gtk_len = WPA_GET_BE16(key->key_length);
2882 maxkeylen = key_data_len;
2883 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2884 if (maxkeylen < 8) {
2885 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2886 "WPA: Too short maxkeylen (%lu)",
2887 (unsigned long) maxkeylen);
2888 goto failed;
2889 }
2890 maxkeylen -= 8;
2891 }
2892
2893 if (gtk_len > maxkeylen ||
2894 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
2895 gtk_len, maxkeylen,
2896 &gd.key_rsc_len, &gd.alg))
2897 goto failed;
2898
2899 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2900
2901 gd.gtk_len = gtk_len;
2902 gd.keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
2903 WPA_KEY_INFO_KEY_INDEX_SHIFT;
2904 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
2905 #if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS)
2906 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2907 "WPA: RC4 not supported in the build");
2908 goto failed;
2909 #else /* CONFIG_NO_RC4 || CONFIG_FIPS */
2910 u8 ek[32];
2911 if (key_data_len > sizeof(gd.gtk)) {
2912 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2913 "WPA: RC4 key data too long (%lu)",
2914 (unsigned long) key_data_len);
2915 goto failed;
2916 }
2917 os_memcpy(ek, key->key_iv, 16);
2918 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
2919 os_memcpy(gd.gtk, key_data, key_data_len);
2920 if (rc4_skip(ek, 32, 256, gd.gtk, key_data_len)) {
2921 forced_memzero(ek, sizeof(ek));
2922 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2923 "WPA: RC4 failed");
2924 goto failed;
2925 }
2926 forced_memzero(ek, sizeof(ek));
2927 #endif /* CONFIG_NO_RC4 || CONFIG_FIPS */
2928 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2929 if (maxkeylen % 8) {
2930 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2931 "WPA: Unsupported AES-WRAP len %lu",
2932 (unsigned long) maxkeylen);
2933 goto failed;
2934 }
2935 if (maxkeylen > sizeof(gd.gtk)) {
2936 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2937 "WPA: AES-WRAP key data "
2938 "too long (keydatalen=%lu maxkeylen=%lu)",
2939 (unsigned long) key_data_len,
2940 (unsigned long) maxkeylen);
2941 goto failed;
2942 }
2943 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
2944 key_data, gd.gtk)) {
2945 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2946 "WPA: AES unwrap failed - could not decrypt "
2947 "GTK");
2948 goto failed;
2949 }
2950 } else {
2951 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2952 "WPA: Unsupported key_info type %d", ver);
2953 goto failed;
2954 }
2955 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
2956 sm, !!(key_info & WPA_KEY_INFO_TXRX));
2957
2958 key_rsc = key->key_rsc;
2959 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
2960 key_rsc = null_rsc;
2961
2962 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
2963 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
2964 goto failed;
2965 forced_memzero(&gd, sizeof(gd));
2966
2967 if (rekey) {
2968 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2969 "WPA: Group rekeying completed with " MACSTR
2970 " [GTK=%s]",
2971 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
2972 wpa_sm_cancel_auth_timeout(sm);
2973 wpa_sm_set_state(sm, WPA_COMPLETED);
2974 } else {
2975 wpa_supplicant_key_neg_complete(sm, sm->bssid,
2976 key_info & WPA_KEY_INFO_SECURE);
2977 }
2978
2979 wpa_sm_set_rekey_offload(sm);
2980
2981 return;
2982
2983 failed:
2984 forced_memzero(&gd, sizeof(gd));
2985 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2986 }
2987
2988
wpa_supplicant_process_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)2989 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
2990 const unsigned char *src_addr,
2991 const struct wpa_eapol_key *key,
2992 const u8 *key_data,
2993 size_t key_data_len, u16 ver)
2994 {
2995 u16 key_info;
2996 struct wpa_gtk_data gd;
2997 const u8 *key_rsc;
2998 int maxkeylen;
2999 struct wpa_eapol_ie_parse ie;
3000 u16 gtk_len;
3001
3002 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
3003 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3004 "RSN: Group Key Handshake started prior to completion of 4-way handshake");
3005 goto failed;
3006 }
3007
3008 os_memset(&gd, 0, sizeof(gd));
3009
3010 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3011 "RSN: RX message 1 of Group Key Handshake from " MACSTR
3012 " (ver=%d)", MAC2STR(src_addr), ver);
3013
3014 key_info = WPA_GET_BE16(key->key_info);
3015
3016 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
3017 key_data, key_data_len);
3018 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
3019 goto failed;
3020
3021 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3022
3023 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3024 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3025 "RSN: GTK KDE in unencrypted key data");
3026 goto failed;
3027 }
3028 if (!ie.gtk) {
3029 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3030 "RSN: No GTK KDE in Group Key msg 1/2");
3031 goto failed;
3032 }
3033 gtk_len = ie.gtk_len;
3034 if (gtk_len < 2) {
3035 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3036 "RSN: Invalid GTK KDE length (%u) in Group Key msg 1/2",
3037 gtk_len);
3038 goto failed;
3039 }
3040 gtk_len -= 2;
3041 if (gtk_len > sizeof(gd.gtk)) {
3042 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3043 "RSN: Too long GTK in GTK KDE (len=%u)", gtk_len);
3044 goto failed;
3045 }
3046 maxkeylen = gd.gtk_len = gtk_len;
3047
3048 #ifdef CONFIG_OCV
3049 if (wpa_sm_ocv_enabled(sm)) {
3050 struct wpa_channel_info ci;
3051
3052 if (wpa_sm_channel_info(sm, &ci) != 0) {
3053 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3054 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
3055 goto failed;
3056 }
3057
3058 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
3059 channel_width_to_int(ci.chanwidth),
3060 ci.seg1_idx) != OCI_SUCCESS) {
3061 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
3062 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
3063 MAC2STR(sm->bssid), ocv_errorstr);
3064 goto failed;
3065 }
3066 }
3067 #endif /* CONFIG_OCV */
3068
3069 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3070 gtk_len, maxkeylen,
3071 &gd.key_rsc_len, &gd.alg))
3072 goto failed;
3073
3074 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
3075 ie.gtk, 2 + gtk_len);
3076 gd.keyidx = ie.gtk[0] & 0x3;
3077 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
3078 !!(ie.gtk[0] & BIT(2)));
3079 os_memcpy(gd.gtk, ie.gtk + 2, gtk_len);
3080
3081 if (ieee80211w_set_keys(sm, &ie) < 0)
3082 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3083 "RSN: Failed to configure IGTK");
3084
3085 key_rsc = key->key_rsc;
3086 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
3087 key_rsc = null_rsc;
3088
3089 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
3090 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
3091 goto failed;
3092 forced_memzero(&gd, sizeof(gd));
3093
3094 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3095 "RSN: Group rekeying completed with " MACSTR " [GTK=%s]",
3096 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
3097 wpa_sm_cancel_auth_timeout(sm);
3098 wpa_sm_set_state(sm, WPA_COMPLETED);
3099
3100 wpa_sm_set_rekey_offload(sm);
3101
3102 return;
3103
3104 failed:
3105 forced_memzero(&gd, sizeof(gd));
3106 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3107 }
3108
3109
wpa_supplicant_verify_eapol_key_mic(struct wpa_sm * sm,struct wpa_eapol_key * key,u16 ver,const u8 * buf,size_t len)3110 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
3111 struct wpa_eapol_key *key,
3112 u16 ver,
3113 const u8 *buf, size_t len)
3114 {
3115 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
3116 int ok = 0;
3117 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
3118
3119 os_memcpy(mic, key + 1, mic_len);
3120 if (sm->tptk_set) {
3121 os_memset(key + 1, 0, mic_len);
3122 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
3123 sm->key_mgmt,
3124 ver, buf, len, (u8 *) (key + 1)) < 0 ||
3125 os_memcmp_const(mic, key + 1, mic_len) != 0) {
3126 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3127 "WPA: Invalid EAPOL-Key MIC "
3128 "when using TPTK - ignoring TPTK");
3129 #ifdef TEST_FUZZ
3130 wpa_printf(MSG_INFO,
3131 "TEST: Ignore Key MIC failure for fuzz testing");
3132 goto continue_fuzz;
3133 #endif /* TEST_FUZZ */
3134 } else {
3135 #ifdef TEST_FUZZ
3136 continue_fuzz:
3137 #endif /* TEST_FUZZ */
3138 ok = 1;
3139 sm->tptk_set = 0;
3140 sm->ptk_set = 1;
3141 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
3142 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3143 /*
3144 * This assures the same TPTK in sm->tptk can never be
3145 * copied twice to sm->ptk as the new PTK. In
3146 * combination with the installed flag in the wpa_ptk
3147 * struct, this assures the same PTK is only installed
3148 * once.
3149 */
3150 sm->renew_snonce = 1;
3151 }
3152 }
3153
3154 if (!ok && sm->ptk_set) {
3155 os_memset(key + 1, 0, mic_len);
3156 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
3157 sm->key_mgmt,
3158 ver, buf, len, (u8 *) (key + 1)) < 0 ||
3159 os_memcmp_const(mic, key + 1, mic_len) != 0) {
3160 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3161 "WPA: Invalid EAPOL-Key MIC - "
3162 "dropping packet");
3163 #ifdef TEST_FUZZ
3164 wpa_printf(MSG_INFO,
3165 "TEST: Ignore Key MIC failure for fuzz testing");
3166 goto continue_fuzz2;
3167 #endif /* TEST_FUZZ */
3168 return -1;
3169 }
3170 #ifdef TEST_FUZZ
3171 continue_fuzz2:
3172 #endif /* TEST_FUZZ */
3173 ok = 1;
3174 }
3175
3176 if (!ok) {
3177 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3178 "WPA: Could not verify EAPOL-Key MIC - "
3179 "dropping packet");
3180 return -1;
3181 }
3182
3183 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3184 WPA_REPLAY_COUNTER_LEN);
3185 sm->rx_replay_counter_set = 1;
3186 return 0;
3187 }
3188
3189
3190 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
wpa_supplicant_decrypt_key_data(struct wpa_sm * sm,struct wpa_eapol_key * key,size_t mic_len,u16 ver,u8 * key_data,size_t * key_data_len)3191 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
3192 struct wpa_eapol_key *key,
3193 size_t mic_len, u16 ver,
3194 u8 *key_data, size_t *key_data_len)
3195 {
3196 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
3197 key_data, *key_data_len);
3198 if (!sm->ptk_set) {
3199 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3200 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
3201 "Data");
3202 return -1;
3203 }
3204
3205 /* Decrypt key data here so that this operation does not need
3206 * to be implemented separately for each message type. */
3207 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
3208 #if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS)
3209 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3210 "WPA: RC4 not supported in the build");
3211 return -1;
3212 #else /* CONFIG_NO_RC4 || CONFIG_FIPS */
3213 u8 ek[32];
3214
3215 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
3216 os_memcpy(ek, key->key_iv, 16);
3217 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
3218 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
3219 forced_memzero(ek, sizeof(ek));
3220 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
3221 "WPA: RC4 failed");
3222 return -1;
3223 }
3224 forced_memzero(ek, sizeof(ek));
3225 #endif /* CONFIG_NO_RC4 || CONFIG_FIPS */
3226 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
3227 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
3228 wpa_use_aes_key_wrap(sm->key_mgmt)) {
3229 u8 *buf;
3230
3231 wpa_printf(MSG_DEBUG,
3232 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
3233 (unsigned int) sm->ptk.kek_len);
3234 if (*key_data_len < 8 || *key_data_len % 8) {
3235 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3236 "WPA: Unsupported AES-WRAP len %u",
3237 (unsigned int) *key_data_len);
3238 return -1;
3239 }
3240 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
3241 buf = os_malloc(*key_data_len);
3242 if (buf == NULL) {
3243 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3244 "WPA: No memory for AES-UNWRAP buffer");
3245 return -1;
3246 }
3247 #ifdef TEST_FUZZ
3248 os_memset(buf, 0x11, *key_data_len);
3249 #endif /* TEST_FUZZ */
3250 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
3251 key_data, buf)) {
3252 #ifdef TEST_FUZZ
3253 wpa_printf(MSG_INFO,
3254 "TEST: Ignore AES unwrap failure for fuzz testing");
3255 goto continue_fuzz;
3256 #endif /* TEST_FUZZ */
3257 bin_clear_free(buf, *key_data_len);
3258 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3259 "WPA: AES unwrap failed - "
3260 "could not decrypt EAPOL-Key key data");
3261 return -1;
3262 }
3263 #ifdef TEST_FUZZ
3264 continue_fuzz:
3265 #endif /* TEST_FUZZ */
3266 os_memcpy(key_data, buf, *key_data_len);
3267 bin_clear_free(buf, *key_data_len);
3268 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
3269 } else {
3270 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3271 "WPA: Unsupported key_info type %d", ver);
3272 return -1;
3273 }
3274 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
3275 key_data, *key_data_len);
3276 return 0;
3277 }
3278
3279
3280 /**
3281 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
3282 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3283 */
wpa_sm_aborted_cached(struct wpa_sm * sm)3284 void wpa_sm_aborted_cached(struct wpa_sm *sm)
3285 {
3286 if (sm && sm->cur_pmksa) {
3287 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3288 "RSN: Cancelling PMKSA caching attempt");
3289 sm->cur_pmksa = NULL;
3290 }
3291 }
3292
3293
wpa_sm_aborted_external_cached(struct wpa_sm * sm)3294 void wpa_sm_aborted_external_cached(struct wpa_sm *sm)
3295 {
3296 if (sm && sm->cur_pmksa && sm->cur_pmksa->external) {
3297 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3298 "RSN: Cancelling external PMKSA caching attempt");
3299 sm->cur_pmksa = NULL;
3300 }
3301 }
3302
3303
wpa_eapol_key_dump(struct wpa_sm * sm,const struct wpa_eapol_key * key,unsigned int key_data_len,const u8 * mic,unsigned int mic_len)3304 static void wpa_eapol_key_dump(struct wpa_sm *sm,
3305 const struct wpa_eapol_key *key,
3306 unsigned int key_data_len,
3307 const u8 *mic, unsigned int mic_len)
3308 {
3309 #ifndef CONFIG_NO_STDOUT_DEBUG
3310 u16 key_info = WPA_GET_BE16(key->key_info);
3311
3312 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
3313 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3314 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
3315 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
3316 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
3317 WPA_KEY_INFO_KEY_INDEX_SHIFT,
3318 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
3319 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
3320 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
3321 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
3322 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
3323 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
3324 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
3325 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
3326 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
3327 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3328 " key_length=%u key_data_length=%u",
3329 WPA_GET_BE16(key->key_length), key_data_len);
3330 wpa_hexdump(MSG_DEBUG, " replay_counter",
3331 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
3332 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
3333 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
3334 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
3335 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
3336 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
3337 #endif /* CONFIG_NO_STDOUT_DEBUG */
3338 }
3339
3340
3341 #ifdef CONFIG_FILS
wpa_supp_aead_decrypt(struct wpa_sm * sm,u8 * buf,size_t buf_len,size_t * key_data_len)3342 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
3343 size_t *key_data_len)
3344 {
3345 struct wpa_ptk *ptk;
3346 struct ieee802_1x_hdr *hdr;
3347 struct wpa_eapol_key *key;
3348 u8 *pos, *tmp;
3349 const u8 *aad[1];
3350 size_t aad_len[1];
3351
3352 if (*key_data_len < AES_BLOCK_SIZE) {
3353 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
3354 return -1;
3355 }
3356
3357 if (sm->tptk_set)
3358 ptk = &sm->tptk;
3359 else if (sm->ptk_set)
3360 ptk = &sm->ptk;
3361 else
3362 return -1;
3363
3364 hdr = (struct ieee802_1x_hdr *) buf;
3365 key = (struct wpa_eapol_key *) (hdr + 1);
3366 pos = (u8 *) (key + 1);
3367 pos += 2; /* Pointing at the Encrypted Key Data field */
3368
3369 tmp = os_malloc(*key_data_len);
3370 if (!tmp)
3371 return -1;
3372
3373 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
3374 * to Key Data (exclusive). */
3375 aad[0] = buf;
3376 aad_len[0] = pos - buf;
3377 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
3378 1, aad, aad_len, tmp) < 0) {
3379 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
3380 bin_clear_free(tmp, *key_data_len);
3381 return -1;
3382 }
3383
3384 /* AEAD decryption and validation completed successfully */
3385 (*key_data_len) -= AES_BLOCK_SIZE;
3386 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
3387 tmp, *key_data_len);
3388
3389 /* Replace Key Data field with the decrypted version */
3390 os_memcpy(pos, tmp, *key_data_len);
3391 pos -= 2; /* Key Data Length field */
3392 WPA_PUT_BE16(pos, *key_data_len);
3393 bin_clear_free(tmp, *key_data_len);
3394
3395 if (sm->tptk_set) {
3396 sm->tptk_set = 0;
3397 sm->ptk_set = 1;
3398 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
3399 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3400 }
3401
3402 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3403 WPA_REPLAY_COUNTER_LEN);
3404 sm->rx_replay_counter_set = 1;
3405
3406 return 0;
3407 }
3408 #endif /* CONFIG_FILS */
3409
3410
wpa_sm_rx_eapol_wpa(struct wpa_sm * sm,const u8 * src_addr,struct wpa_eapol_key * key,enum frame_encryption encrypted,const u8 * tmp,size_t data_len,u8 * key_data,size_t key_data_len)3411 static int wpa_sm_rx_eapol_wpa(struct wpa_sm *sm, const u8 *src_addr,
3412 struct wpa_eapol_key *key,
3413 enum frame_encryption encrypted,
3414 const u8 *tmp, size_t data_len,
3415 u8 *key_data, size_t key_data_len)
3416 {
3417 u16 key_info, ver;
3418
3419 key_info = WPA_GET_BE16(key->key_info);
3420
3421 if (key->type != EAPOL_KEY_TYPE_WPA) {
3422 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3423 "WPA: Unsupported EAPOL-Key type %d", key->type);
3424 return -1;
3425 }
3426
3427 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3428 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3429 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3430 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3431 "WPA: Unsupported EAPOL-Key descriptor version %d",
3432 ver);
3433 return -1;
3434 }
3435
3436 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
3437 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3438 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3439 "WPA: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2",
3440 ver);
3441 if (sm->group_cipher != WPA_CIPHER_CCMP &&
3442 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
3443 /* Earlier versions of IEEE 802.11i did not explicitly
3444 * require version 2 descriptor for all EAPOL-Key
3445 * packets, so allow group keys to use version 1 if
3446 * CCMP is not used for them. */
3447 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3448 "WPA: Backwards compatibility: allow invalid version for non-CCMP group keys");
3449 } else
3450 return -1;
3451 }
3452
3453 if ((key_info & WPA_KEY_INFO_MIC) &&
3454 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
3455 return -1;
3456
3457 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
3458 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
3459 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3460 "WPA: Ignored EAPOL-Key (Pairwise) with non-zero key index");
3461 return -1;
3462 }
3463 if (key_info & (WPA_KEY_INFO_MIC |
3464 WPA_KEY_INFO_ENCR_KEY_DATA)) {
3465 /* 3/4 4-Way Handshake */
3466 wpa_supplicant_process_3_of_4_wpa(sm, key, ver,
3467 key_data,
3468 key_data_len);
3469 } else {
3470 /* 1/4 4-Way Handshake */
3471 wpa_supplicant_process_1_of_4_wpa(sm, src_addr, key,
3472 ver, key_data,
3473 key_data_len,
3474 encrypted);
3475 }
3476 } else {
3477 if (key_info & WPA_KEY_INFO_MIC) {
3478 /* 1/2 Group Key Handshake */
3479 wpa_supplicant_process_1_of_2_wpa(sm, src_addr, key,
3480 key_data,
3481 key_data_len,
3482 ver);
3483 } else {
3484 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3485 "WPA: EAPOL-Key (Group) without Mic/Encr bit - dropped");
3486 }
3487 }
3488
3489 return 1;
3490 }
3491
3492
3493 /**
3494 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
3495 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3496 * @src_addr: Source MAC address of the EAPOL packet
3497 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
3498 * @len: Length of the EAPOL frame
3499 * @encrypted: Whether the frame was encrypted
3500 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
3501 *
3502 * This function is called for each received EAPOL frame. Other than EAPOL-Key
3503 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
3504 * only processing WPA and WPA2 EAPOL-Key frames.
3505 *
3506 * The received EAPOL-Key packets are validated and valid packets are replied
3507 * to. In addition, key material (PTK, GTK) is configured at the end of a
3508 * successful key handshake.
3509 */
wpa_sm_rx_eapol(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len,enum frame_encryption encrypted)3510 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
3511 const u8 *buf, size_t len, enum frame_encryption encrypted)
3512 {
3513 size_t plen, data_len, key_data_len;
3514 const struct ieee802_1x_hdr *hdr;
3515 struct wpa_eapol_key *key;
3516 u16 key_info, ver;
3517 u8 *tmp = NULL;
3518 int ret = -1;
3519 u8 *mic, *key_data;
3520 size_t mic_len, keyhdrlen, pmk_len;
3521
3522 #ifdef CONFIG_IEEE80211R
3523 sm->ft_completed = 0;
3524 #endif /* CONFIG_IEEE80211R */
3525
3526 pmk_len = sm->pmk_len;
3527 if (!pmk_len && sm->cur_pmksa)
3528 pmk_len = sm->cur_pmksa->pmk_len;
3529 mic_len = wpa_mic_len(sm->key_mgmt, pmk_len);
3530 keyhdrlen = sizeof(*key) + mic_len + 2;
3531
3532 if (len < sizeof(*hdr) + keyhdrlen) {
3533 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3534 "WPA: EAPOL frame too short to be a WPA "
3535 "EAPOL-Key (len %lu, expecting at least %lu)",
3536 (unsigned long) len,
3537 (unsigned long) sizeof(*hdr) + keyhdrlen);
3538 return 0;
3539 }
3540
3541 hdr = (const struct ieee802_1x_hdr *) buf;
3542 plen = be_to_host16(hdr->length);
3543 data_len = plen + sizeof(*hdr);
3544 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3545 "IEEE 802.1X RX: version=%d type=%d length=%lu",
3546 hdr->version, hdr->type, (unsigned long) plen);
3547
3548 if (hdr->version < EAPOL_VERSION) {
3549 /* TODO: backwards compatibility */
3550 }
3551 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
3552 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3553 "WPA: EAPOL frame (type %u) discarded, "
3554 "not a Key frame", hdr->type);
3555 ret = 0;
3556 goto out;
3557 }
3558 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
3559 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
3560 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3561 "WPA: EAPOL frame payload size %lu "
3562 "invalid (frame size %lu)",
3563 (unsigned long) plen, (unsigned long) len);
3564 ret = 0;
3565 goto out;
3566 }
3567 if (data_len < len) {
3568 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3569 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
3570 (unsigned long) len - data_len);
3571 }
3572
3573 /*
3574 * Make a copy of the frame since we need to modify the buffer during
3575 * MAC validation and Key Data decryption.
3576 */
3577 tmp = os_memdup(buf, data_len);
3578 if (tmp == NULL)
3579 goto out;
3580 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
3581 mic = (u8 *) (key + 1);
3582 key_data = mic + mic_len + 2;
3583
3584 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
3585 {
3586 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3587 "WPA: EAPOL-Key type (%d) unknown, discarded",
3588 key->type);
3589 ret = 0;
3590 goto out;
3591 }
3592
3593 key_data_len = WPA_GET_BE16(mic + mic_len);
3594 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
3595
3596 if (key_data_len > plen - keyhdrlen) {
3597 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
3598 "frame - key_data overflow (%u > %u)",
3599 (unsigned int) key_data_len,
3600 (unsigned int) (plen - keyhdrlen));
3601 goto out;
3602 }
3603
3604 if (sm->rx_replay_counter_set &&
3605 os_memcmp(key->replay_counter, sm->rx_replay_counter,
3606 WPA_REPLAY_COUNTER_LEN) <= 0) {
3607 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3608 "WPA: EAPOL-Key Replay Counter did not increase - dropping packet");
3609 goto out;
3610 }
3611
3612 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
3613
3614 key_info = WPA_GET_BE16(key->key_info);
3615
3616 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
3617 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3618 "WPA: Unsupported SMK bit in key_info");
3619 goto out;
3620 }
3621
3622 if (!(key_info & WPA_KEY_INFO_ACK)) {
3623 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3624 "WPA: No Ack bit in key_info");
3625 goto out;
3626 }
3627
3628 if (key_info & WPA_KEY_INFO_REQUEST) {
3629 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3630 "WPA: EAPOL-Key with Request bit - dropped");
3631 goto out;
3632 }
3633
3634 if (sm->proto == WPA_PROTO_WPA) {
3635 ret = wpa_sm_rx_eapol_wpa(sm, src_addr, key, encrypted,
3636 tmp, data_len,
3637 key_data, key_data_len);
3638 goto out;
3639 }
3640
3641 if (key->type != EAPOL_KEY_TYPE_RSN) {
3642 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3643 "RSN: Unsupported EAPOL-Key type %d", key->type);
3644 goto out;
3645 }
3646
3647 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3648 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3649 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
3650 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
3651 !wpa_use_akm_defined(sm->key_mgmt)) {
3652 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3653 "RSN: Unsupported EAPOL-Key descriptor version %d",
3654 ver);
3655 goto out;
3656 }
3657
3658 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3659 sm->pairwise_cipher != WPA_CIPHER_TKIP) {
3660 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3661 "RSN: EAPOL-Key descriptor version %d not allowed without TKIP as the pairwise cipher",
3662 ver);
3663 goto out;
3664 }
3665
3666 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
3667 (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X &&
3668 sm->key_mgmt != WPA_KEY_MGMT_PSK)) {
3669 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3670 "RSN: EAPOL-Key descriptor version %d not allowed due to negotiated AKM (0x%x)",
3671 ver, sm->key_mgmt);
3672 goto out;
3673 }
3674
3675 if (wpa_use_akm_defined(sm->key_mgmt) &&
3676 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
3677 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3678 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
3679 ver);
3680 goto out;
3681 }
3682
3683 #ifdef CONFIG_IEEE80211R
3684 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
3685 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
3686 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
3687 !wpa_use_akm_defined(sm->key_mgmt)) {
3688 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3689 "FT: AP did not use AES-128-CMAC");
3690 goto out;
3691 }
3692 } else
3693 #endif /* CONFIG_IEEE80211R */
3694 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
3695 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
3696 !wpa_use_akm_defined(sm->key_mgmt)) {
3697 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3698 "RSN: AP did not use the negotiated AES-128-CMAC");
3699 goto out;
3700 }
3701 } else if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
3702 !wpa_use_akm_defined(sm->key_mgmt) &&
3703 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3704 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3705 "RSN: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2", ver);
3706 if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
3707 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3708 "RSN: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
3709 } else {
3710 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3711 "RSN: Unexpected descriptor version %u", ver);
3712 goto out;
3713 }
3714 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
3715 !wpa_use_akm_defined(sm->key_mgmt) &&
3716 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3717 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3718 "RSN: GCMP is used, but EAPOL-Key descriptor version (%d) is not 2",
3719 ver);
3720 goto out;
3721 }
3722
3723 if ((key_info & WPA_KEY_INFO_MIC) &&
3724 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
3725 goto out;
3726
3727 #ifdef CONFIG_FILS
3728 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3729 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
3730 goto out;
3731 }
3732 #endif /* CONFIG_FILS */
3733
3734 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
3735 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
3736 /*
3737 * Only decrypt the Key Data field if the frame's authenticity
3738 * was verified. When using AES-SIV (FILS), the MIC flag is not
3739 * set, so this check should only be performed if mic_len != 0
3740 * which is the case in this code branch.
3741 */
3742 if (!(key_info & WPA_KEY_INFO_MIC)) {
3743 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3744 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
3745 goto out;
3746 }
3747 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
3748 ver, key_data,
3749 &key_data_len))
3750 goto out;
3751 }
3752
3753 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
3754 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
3755 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3756 "RSN: Ignored EAPOL-Key (Pairwise) with non-zero key index");
3757 goto out;
3758 }
3759 if (key_info & (WPA_KEY_INFO_MIC |
3760 WPA_KEY_INFO_ENCR_KEY_DATA)) {
3761 /* 3/4 4-Way Handshake */
3762 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
3763 key_data_len);
3764 } else {
3765 /* 1/4 4-Way Handshake */
3766 wpa_supplicant_process_1_of_4(sm, src_addr, key,
3767 ver, key_data,
3768 key_data_len,
3769 encrypted);
3770 }
3771 } else {
3772 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
3773 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
3774 /* 1/2 Group Key Handshake */
3775 if (sm->mlo.valid_links)
3776 wpa_supplicant_process_mlo_1_of_2(sm, src_addr,
3777 key, key_data,
3778 key_data_len,
3779 ver);
3780 else
3781 wpa_supplicant_process_1_of_2(sm, src_addr, key,
3782 key_data,
3783 key_data_len,
3784 ver);
3785 } else {
3786 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3787 "RSN: EAPOL-Key (Group) without Mic/Encr bit - dropped");
3788 }
3789 }
3790
3791 ret = 1;
3792
3793 out:
3794 bin_clear_free(tmp, data_len);
3795 return ret;
3796 }
3797
3798
3799 #ifdef CONFIG_CTRL_IFACE
wpa_key_mgmt_suite(struct wpa_sm * sm)3800 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
3801 {
3802 switch (sm->key_mgmt) {
3803 case WPA_KEY_MGMT_IEEE8021X:
3804 return ((sm->proto == WPA_PROTO_RSN ||
3805 sm->proto == WPA_PROTO_OSEN) ?
3806 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
3807 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
3808 case WPA_KEY_MGMT_PSK:
3809 return (sm->proto == WPA_PROTO_RSN ?
3810 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
3811 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
3812 #ifdef CONFIG_IEEE80211R
3813 case WPA_KEY_MGMT_FT_IEEE8021X:
3814 return RSN_AUTH_KEY_MGMT_FT_802_1X;
3815 case WPA_KEY_MGMT_FT_PSK:
3816 return RSN_AUTH_KEY_MGMT_FT_PSK;
3817 #endif /* CONFIG_IEEE80211R */
3818 case WPA_KEY_MGMT_IEEE8021X_SHA256:
3819 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
3820 case WPA_KEY_MGMT_PSK_SHA256:
3821 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
3822 case WPA_KEY_MGMT_CCKM:
3823 return (sm->proto == WPA_PROTO_RSN ?
3824 RSN_AUTH_KEY_MGMT_CCKM:
3825 WPA_AUTH_KEY_MGMT_CCKM);
3826 case WPA_KEY_MGMT_WPA_NONE:
3827 return WPA_AUTH_KEY_MGMT_NONE;
3828 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
3829 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
3830 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
3831 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
3832 default:
3833 return 0;
3834 }
3835 }
3836
3837
3838 #define RSN_SUITE "%02x-%02x-%02x-%d"
3839 #define RSN_SUITE_ARG(s) \
3840 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
3841
3842 /**
3843 * wpa_sm_get_mib - Dump text list of MIB entries
3844 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3845 * @buf: Buffer for the list
3846 * @buflen: Length of the buffer
3847 * Returns: Number of bytes written to buffer
3848 *
3849 * This function is used fetch dot11 MIB variables.
3850 */
wpa_sm_get_mib(struct wpa_sm * sm,char * buf,size_t buflen)3851 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
3852 {
3853 char pmkid_txt[PMKID_LEN * 2 + 1];
3854 bool rsna;
3855 int ret;
3856 size_t len;
3857
3858 if (sm->cur_pmksa) {
3859 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3860 sm->cur_pmksa->pmkid, PMKID_LEN);
3861 } else
3862 pmkid_txt[0] = '\0';
3863
3864 rsna = (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
3865 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
3866 sm->proto == WPA_PROTO_RSN;
3867
3868 ret = os_snprintf(buf, buflen,
3869 "dot11RSNAOptionImplemented=TRUE\n"
3870 "dot11RSNAPreauthenticationImplemented=TRUE\n"
3871 "dot11RSNAEnabled=%s\n"
3872 "dot11RSNAPreauthenticationEnabled=%s\n"
3873 "dot11RSNAConfigVersion=%d\n"
3874 "dot11RSNAConfigPairwiseKeysSupported=5\n"
3875 "dot11RSNAConfigGroupCipherSize=%d\n"
3876 "dot11RSNAConfigPMKLifetime=%d\n"
3877 "dot11RSNAConfigPMKReauthThreshold=%d\n"
3878 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
3879 "dot11RSNAConfigSATimeout=%d\n",
3880 rsna ? "TRUE" : "FALSE",
3881 rsna ? "TRUE" : "FALSE",
3882 RSN_VERSION,
3883 wpa_cipher_key_len(sm->group_cipher) * 8,
3884 sm->dot11RSNAConfigPMKLifetime,
3885 sm->dot11RSNAConfigPMKReauthThreshold,
3886 sm->dot11RSNAConfigSATimeout);
3887 if (os_snprintf_error(buflen, ret))
3888 return 0;
3889 len = ret;
3890
3891 ret = os_snprintf(
3892 buf + len, buflen - len,
3893 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3894 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3895 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3896 "dot11RSNAPMKIDUsed=%s\n"
3897 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3898 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3899 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3900 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
3901 "dot11RSNA4WayHandshakeFailures=%u\n",
3902 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
3903 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
3904 sm->pairwise_cipher)),
3905 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
3906 sm->group_cipher)),
3907 pmkid_txt,
3908 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
3909 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
3910 sm->pairwise_cipher)),
3911 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
3912 sm->group_cipher)),
3913 sm->dot11RSNA4WayHandshakeFailures);
3914 if (!os_snprintf_error(buflen - len, ret))
3915 len += ret;
3916
3917 return (int) len;
3918 }
3919 #endif /* CONFIG_CTRL_IFACE */
3920
3921
wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx,enum pmksa_free_reason reason)3922 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
3923 void *ctx, enum pmksa_free_reason reason)
3924 {
3925 struct wpa_sm *sm = ctx;
3926 int deauth = 0;
3927
3928 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
3929 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
3930
3931 if (sm->cur_pmksa == entry) {
3932 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3933 "RSN: %s current PMKSA entry",
3934 reason == PMKSA_REPLACE ? "replaced" : "removed");
3935 pmksa_cache_clear_current(sm);
3936
3937 /*
3938 * If an entry is simply being replaced, there's no need to
3939 * deauthenticate because it will be immediately re-added.
3940 * This happens when EAP authentication is completed again
3941 * (reauth or failed PMKSA caching attempt).
3942 */
3943 if (reason != PMKSA_REPLACE)
3944 deauth = 1;
3945 }
3946
3947 if (reason == PMKSA_EXPIRE &&
3948 (sm->pmk_len == entry->pmk_len &&
3949 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
3950 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3951 "RSN: deauthenticating due to expired PMK");
3952 pmksa_cache_clear_current(sm);
3953 deauth = 1;
3954 }
3955
3956 if (deauth) {
3957 sm->pmk_len = 0;
3958 os_memset(sm->pmk, 0, sizeof(sm->pmk));
3959 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3960 }
3961 }
3962
3963
wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)3964 static bool wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry *entry,
3965 void *ctx)
3966 {
3967 struct wpa_sm *sm = ctx;
3968
3969 return sm->cur_pmksa == entry;
3970 }
3971
3972
wpa_sm_pmksa_notify_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)3973 static void wpa_sm_pmksa_notify_cb(struct rsn_pmksa_cache_entry *entry,
3974 void *ctx)
3975 {
3976 struct wpa_sm *sm = ctx;
3977
3978 wpa_sm_notify_pmksa_cache_entry(sm, entry);
3979 }
3980
3981
3982 /**
3983 * wpa_sm_init - Initialize WPA state machine
3984 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
3985 * Returns: Pointer to the allocated WPA state machine data
3986 *
3987 * This function is used to allocate a new WPA state machine and the returned
3988 * value is passed to all WPA state machine calls.
3989 */
wpa_sm_init(struct wpa_sm_ctx * ctx)3990 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
3991 {
3992 struct wpa_sm *sm;
3993
3994 sm = os_zalloc(sizeof(*sm));
3995 if (sm == NULL)
3996 return NULL;
3997 dl_list_init(&sm->pmksa_candidates);
3998 sm->renew_snonce = 1;
3999 sm->ctx = ctx;
4000
4001 sm->dot11RSNAConfigPMKLifetime = 43200;
4002 sm->dot11RSNAConfigPMKReauthThreshold = 70;
4003 sm->dot11RSNAConfigSATimeout = 60;
4004
4005 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb,
4006 wpa_sm_pmksa_is_current_cb,
4007 wpa_sm_pmksa_notify_cb, sm, sm);
4008 if (sm->pmksa == NULL) {
4009 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
4010 "RSN: PMKSA cache initialization failed");
4011 os_free(sm);
4012 return NULL;
4013 }
4014
4015 return sm;
4016 }
4017
4018
4019 /**
4020 * wpa_sm_deinit - Deinitialize WPA state machine
4021 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4022 */
wpa_sm_deinit(struct wpa_sm * sm)4023 void wpa_sm_deinit(struct wpa_sm *sm)
4024 {
4025 int i;
4026
4027 if (sm == NULL)
4028 return;
4029 pmksa_cache_deinit(sm->pmksa);
4030 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
4031 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
4032 os_free(sm->assoc_wpa_ie);
4033 os_free(sm->assoc_rsnxe);
4034 os_free(sm->ap_wpa_ie);
4035 os_free(sm->ap_rsn_ie);
4036 os_free(sm->ap_rsnxe);
4037 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4038 os_free(sm->mlo.links[i].ap_rsne);
4039 os_free(sm->mlo.links[i].ap_rsnxe);
4040 }
4041 wpa_sm_drop_sa(sm);
4042 os_free(sm->ctx);
4043 #ifdef CONFIG_IEEE80211R
4044 os_free(sm->assoc_resp_ies);
4045 #endif /* CONFIG_IEEE80211R */
4046 #ifdef CONFIG_TESTING_OPTIONS
4047 wpabuf_free(sm->test_assoc_ie);
4048 #endif /* CONFIG_TESTING_OPTIONS */
4049 #ifdef CONFIG_FILS_SK_PFS
4050 crypto_ecdh_deinit(sm->fils_ecdh);
4051 #endif /* CONFIG_FILS_SK_PFS */
4052 #ifdef CONFIG_FILS
4053 wpabuf_free(sm->fils_ft_ies);
4054 #endif /* CONFIG_FILS */
4055 #ifdef CONFIG_OWE
4056 crypto_ecdh_deinit(sm->owe_ecdh);
4057 #endif /* CONFIG_OWE */
4058 #ifdef CONFIG_DPP2
4059 wpabuf_clear_free(sm->dpp_z);
4060 #endif /* CONFIG_DPP2 */
4061 os_free(sm);
4062 }
4063
4064
wpa_sm_clear_ptk(struct wpa_sm * sm)4065 static void wpa_sm_clear_ptk(struct wpa_sm *sm)
4066 {
4067 int i;
4068
4069 sm->ptk_set = 0;
4070 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
4071 sm->tptk_set = 0;
4072 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
4073 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
4074 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
4075 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
4076 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
4077 sm->tk_set = false;
4078 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4079 os_memset(&sm->mlo.links[i].gtk, 0,
4080 sizeof(sm->mlo.links[i].gtk));
4081 os_memset(&sm->mlo.links[i].gtk_wnm_sleep, 0,
4082 sizeof(sm->mlo.links[i].gtk_wnm_sleep));
4083 os_memset(&sm->mlo.links[i].igtk, 0,
4084 sizeof(sm->mlo.links[i].igtk));
4085 os_memset(&sm->mlo.links[i].igtk_wnm_sleep, 0,
4086 sizeof(sm->mlo.links[i].igtk_wnm_sleep));
4087 }
4088 }
4089
4090
4091 /**
4092 * wpa_sm_notify_assoc - Notify WPA state machine about association
4093 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4094 * @bssid: The BSSID of the new association
4095 *
4096 * This function is called to let WPA state machine know that the connection
4097 * was established.
4098 */
wpa_sm_notify_assoc(struct wpa_sm * sm,const u8 * bssid)4099 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
4100 {
4101 int clear_keys = 1;
4102
4103 if (sm == NULL)
4104 return;
4105
4106 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4107 "WPA: Association event - clear replay counter");
4108 os_memcpy(sm->bssid, bssid, ETH_ALEN);
4109 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
4110 sm->rx_replay_counter_set = 0;
4111 sm->renew_snonce = 1;
4112 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
4113 rsn_preauth_deinit(sm);
4114
4115 #ifdef CONFIG_IEEE80211R
4116 if (wpa_ft_is_completed(sm)) {
4117 /*
4118 * Clear portValid to kick EAPOL state machine to re-enter
4119 * AUTHENTICATED state to get the EAPOL port Authorized.
4120 */
4121 eapol_sm_notify_portValid(sm->eapol, false);
4122 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
4123
4124 /* Prepare for the next transition */
4125 wpa_ft_prepare_auth_request(sm, NULL);
4126
4127 clear_keys = 0;
4128 sm->ft_protocol = 1;
4129 } else {
4130 sm->ft_protocol = 0;
4131 }
4132 #endif /* CONFIG_IEEE80211R */
4133 #ifdef CONFIG_FILS
4134 if (sm->fils_completed) {
4135 /*
4136 * Clear portValid to kick EAPOL state machine to re-enter
4137 * AUTHENTICATED state to get the EAPOL port Authorized.
4138 */
4139 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
4140 clear_keys = 0;
4141 }
4142 #endif /* CONFIG_FILS */
4143
4144 if (clear_keys) {
4145 /*
4146 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
4147 * this is not part of a Fast BSS Transition.
4148 */
4149 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
4150 wpa_sm_clear_ptk(sm);
4151 }
4152
4153 #ifdef CONFIG_TDLS
4154 wpa_tdls_assoc(sm);
4155 #endif /* CONFIG_TDLS */
4156
4157 #ifdef CONFIG_P2P
4158 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
4159 #endif /* CONFIG_P2P */
4160
4161 sm->keyidx_active = 0;
4162 }
4163
4164
4165 /**
4166 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
4167 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4168 *
4169 * This function is called to let WPA state machine know that the connection
4170 * was lost. This will abort any existing pre-authentication session.
4171 */
wpa_sm_notify_disassoc(struct wpa_sm * sm)4172 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
4173 {
4174 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
4175 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
4176 rsn_preauth_deinit(sm);
4177 pmksa_cache_clear_current(sm);
4178 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
4179 sm->dot11RSNA4WayHandshakeFailures++;
4180 #ifdef CONFIG_TDLS
4181 wpa_tdls_disassoc(sm);
4182 #endif /* CONFIG_TDLS */
4183 #ifdef CONFIG_FILS
4184 sm->fils_completed = 0;
4185 #endif /* CONFIG_FILS */
4186 #ifdef CONFIG_IEEE80211R
4187 sm->ft_reassoc_completed = 0;
4188 sm->ft_protocol = 0;
4189 #endif /* CONFIG_IEEE80211R */
4190
4191 /* Keys are not needed in the WPA state machine anymore */
4192 wpa_sm_drop_sa(sm);
4193 sm->keyidx_active = 0;
4194
4195 sm->msg_3_of_4_ok = 0;
4196 os_memset(sm->bssid, 0, ETH_ALEN);
4197 }
4198
4199
4200 /**
4201 * wpa_sm_set_pmk - Set PMK
4202 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4203 * @pmk: The new PMK
4204 * @pmk_len: The length of the new PMK in bytes
4205 * @pmkid: Calculated PMKID
4206 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
4207 *
4208 * Configure the PMK for WPA state machine.
4209 */
wpa_sm_set_pmk(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid)4210 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
4211 const u8 *pmkid, const u8 *bssid)
4212 {
4213 if (sm == NULL)
4214 return;
4215
4216 wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data",
4217 pmk, pmk_len);
4218 sm->pmk_len = pmk_len;
4219 os_memcpy(sm->pmk, pmk, pmk_len);
4220
4221 #ifdef CONFIG_IEEE80211R
4222 /* Set XXKey to be PSK for FT key derivation */
4223 sm->xxkey_len = pmk_len;
4224 os_memcpy(sm->xxkey, pmk, pmk_len);
4225 #endif /* CONFIG_IEEE80211R */
4226
4227 if (bssid) {
4228 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len,
4229 pmkid, NULL, 0, bssid,
4230 sm->own_addr,
4231 sm->network_ctx, sm->key_mgmt,
4232 NULL);
4233 }
4234 }
4235
4236
4237 /**
4238 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
4239 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4240 *
4241 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
4242 * will be cleared.
4243 */
wpa_sm_set_pmk_from_pmksa(struct wpa_sm * sm)4244 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
4245 {
4246 if (sm == NULL)
4247 return;
4248
4249 if (sm->cur_pmksa) {
4250 wpa_hexdump_key(MSG_DEBUG,
4251 "WPA: Set PMK based on current PMKSA",
4252 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len);
4253 sm->pmk_len = sm->cur_pmksa->pmk_len;
4254 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
4255 } else {
4256 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK");
4257 sm->pmk_len = 0;
4258 os_memset(sm->pmk, 0, PMK_LEN_MAX);
4259 }
4260 }
4261
4262
4263 /**
4264 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
4265 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4266 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
4267 */
wpa_sm_set_fast_reauth(struct wpa_sm * sm,int fast_reauth)4268 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
4269 {
4270 if (sm)
4271 sm->fast_reauth = fast_reauth;
4272 }
4273
4274
4275 /**
4276 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
4277 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4278 * @scard_ctx: Context pointer for smartcard related callback functions
4279 */
wpa_sm_set_scard_ctx(struct wpa_sm * sm,void * scard_ctx)4280 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
4281 {
4282 if (sm == NULL)
4283 return;
4284 sm->scard_ctx = scard_ctx;
4285 if (sm->preauth_eapol)
4286 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
4287 }
4288
4289
4290 /**
4291 * wpa_sm_set_config - Notification of current configuration change
4292 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4293 * @config: Pointer to current network configuration
4294 *
4295 * Notify WPA state machine that configuration has changed. config will be
4296 * stored as a backpointer to network configuration. This can be %NULL to clear
4297 * the stored pointed.
4298 */
wpa_sm_set_config(struct wpa_sm * sm,struct rsn_supp_config * config)4299 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
4300 {
4301 if (!sm)
4302 return;
4303
4304 if (config) {
4305 sm->network_ctx = config->network_ctx;
4306 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
4307 sm->proactive_key_caching = config->proactive_key_caching;
4308 sm->eap_workaround = config->eap_workaround;
4309 sm->eap_conf_ctx = config->eap_conf_ctx;
4310 if (config->ssid) {
4311 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
4312 sm->ssid_len = config->ssid_len;
4313 } else
4314 sm->ssid_len = 0;
4315 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
4316 sm->p2p = config->p2p;
4317 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
4318 sm->owe_ptk_workaround = config->owe_ptk_workaround;
4319 sm->force_kdk_derivation = config->force_kdk_derivation;
4320 #ifdef CONFIG_FILS
4321 if (config->fils_cache_id) {
4322 sm->fils_cache_id_set = 1;
4323 os_memcpy(sm->fils_cache_id, config->fils_cache_id,
4324 FILS_CACHE_ID_LEN);
4325 } else {
4326 sm->fils_cache_id_set = 0;
4327 }
4328 #endif /* CONFIG_FILS */
4329 sm->beacon_prot = config->beacon_prot;
4330 } else {
4331 sm->network_ctx = NULL;
4332 sm->allowed_pairwise_cipher = 0;
4333 sm->proactive_key_caching = 0;
4334 sm->eap_workaround = 0;
4335 sm->eap_conf_ctx = NULL;
4336 sm->ssid_len = 0;
4337 sm->wpa_ptk_rekey = 0;
4338 sm->p2p = 0;
4339 sm->wpa_rsc_relaxation = 0;
4340 sm->owe_ptk_workaround = 0;
4341 sm->beacon_prot = 0;
4342 sm->force_kdk_derivation = false;
4343 }
4344 }
4345
4346
wpa_sm_set_mlo_params(struct wpa_sm * sm,const struct wpa_sm_mlo * mlo)4347 int wpa_sm_set_mlo_params(struct wpa_sm *sm, const struct wpa_sm_mlo *mlo)
4348 {
4349 int i;
4350
4351 if (!sm)
4352 return -1;
4353
4354 os_memcpy(sm->mlo.ap_mld_addr, mlo->ap_mld_addr, ETH_ALEN);
4355 sm->mlo.assoc_link_id = mlo->assoc_link_id;
4356 sm->mlo.valid_links = mlo->valid_links;
4357 sm->mlo.req_links = mlo->req_links;
4358
4359 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4360 const u8 *ie;
4361 size_t len;
4362
4363 if (sm->mlo.req_links & BIT(i)) {
4364 if (!mlo->links[i].ap_rsne ||
4365 mlo->links[i].ap_rsne_len == 0) {
4366 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO,
4367 "RSN: No RSNE for AP MLO link %d with BSSID "
4368 MACSTR,
4369 i, MAC2STR(mlo->links[i].bssid));
4370 return -1;
4371
4372 }
4373 os_memcpy(sm->mlo.links[i].addr, mlo->links[i].addr,
4374 ETH_ALEN);
4375 os_memcpy(sm->mlo.links[i].bssid, mlo->links[i].bssid,
4376 ETH_ALEN);
4377 }
4378
4379 ie = mlo->links[i].ap_rsne;
4380 len = mlo->links[i].ap_rsne_len;
4381 os_free(sm->mlo.links[i].ap_rsne);
4382 if (!ie || len == 0) {
4383 if (sm->mlo.links[i].ap_rsne)
4384 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4385 "RSN: Clearing MLO link[%u] AP RSNE",
4386 i);
4387 sm->mlo.links[i].ap_rsne = NULL;
4388 sm->mlo.links[i].ap_rsne_len = 0;
4389 } else {
4390 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNE",
4391 ie, len);
4392 sm->mlo.links[i].ap_rsne = os_memdup(ie, len);
4393 if (!sm->mlo.links[i].ap_rsne) {
4394 sm->mlo.links[i].ap_rsne_len = 0;
4395 return -1;
4396 }
4397 sm->mlo.links[i].ap_rsne_len = len;
4398 }
4399
4400 ie = mlo->links[i].ap_rsnxe;
4401 len = mlo->links[i].ap_rsnxe_len;
4402 os_free(sm->mlo.links[i].ap_rsnxe);
4403 if (!ie || len == 0) {
4404 if (sm->mlo.links[i].ap_rsnxe)
4405 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4406 "RSN: Clearing MLO link[%u] AP RSNXE",
4407 i);
4408 sm->mlo.links[i].ap_rsnxe = NULL;
4409 sm->mlo.links[i].ap_rsnxe_len = 0;
4410 } else {
4411 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNXE", ie,
4412 len);
4413 sm->mlo.links[i].ap_rsnxe = os_memdup(ie, len);
4414 if (!sm->mlo.links[i].ap_rsnxe) {
4415 sm->mlo.links[i].ap_rsnxe_len = 0;
4416 return -1;
4417 }
4418 sm->mlo.links[i].ap_rsnxe_len = len;
4419 }
4420 }
4421
4422 return 0;
4423 }
4424
4425
4426 /**
4427 * wpa_sm_set_own_addr - Set own MAC address
4428 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4429 * @addr: Own MAC address
4430 */
wpa_sm_set_own_addr(struct wpa_sm * sm,const u8 * addr)4431 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
4432 {
4433 if (sm)
4434 os_memcpy(sm->own_addr, addr, ETH_ALEN);
4435 }
4436
4437
4438 /**
4439 * wpa_sm_set_ifname - Set network interface name
4440 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4441 * @ifname: Interface name
4442 * @bridge_ifname: Optional bridge interface name (for pre-auth)
4443 */
wpa_sm_set_ifname(struct wpa_sm * sm,const char * ifname,const char * bridge_ifname)4444 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
4445 const char *bridge_ifname)
4446 {
4447 if (sm) {
4448 sm->ifname = ifname;
4449 sm->bridge_ifname = bridge_ifname;
4450 }
4451 }
4452
4453
4454 /**
4455 * wpa_sm_set_eapol - Set EAPOL state machine pointer
4456 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4457 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
4458 */
wpa_sm_set_eapol(struct wpa_sm * sm,struct eapol_sm * eapol)4459 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
4460 {
4461 if (sm)
4462 sm->eapol = eapol;
4463 }
4464
4465
4466 /**
4467 * wpa_sm_set_param - Set WPA state machine parameters
4468 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4469 * @param: Parameter field
4470 * @value: Parameter value
4471 * Returns: 0 on success, -1 on failure
4472 */
wpa_sm_set_param(struct wpa_sm * sm,enum wpa_sm_conf_params param,unsigned int value)4473 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
4474 unsigned int value)
4475 {
4476 int ret = 0;
4477
4478 if (sm == NULL)
4479 return -1;
4480
4481 switch (param) {
4482 case RSNA_PMK_LIFETIME:
4483 if (value > 0)
4484 sm->dot11RSNAConfigPMKLifetime = value;
4485 else
4486 ret = -1;
4487 break;
4488 case RSNA_PMK_REAUTH_THRESHOLD:
4489 if (value > 0 && value <= 100)
4490 sm->dot11RSNAConfigPMKReauthThreshold = value;
4491 else
4492 ret = -1;
4493 break;
4494 case RSNA_SA_TIMEOUT:
4495 if (value > 0)
4496 sm->dot11RSNAConfigSATimeout = value;
4497 else
4498 ret = -1;
4499 break;
4500 case WPA_PARAM_PROTO:
4501 sm->proto = value;
4502 break;
4503 case WPA_PARAM_PAIRWISE:
4504 sm->pairwise_cipher = value;
4505 break;
4506 case WPA_PARAM_GROUP:
4507 sm->group_cipher = value;
4508 break;
4509 case WPA_PARAM_KEY_MGMT:
4510 sm->key_mgmt = value;
4511 break;
4512 case WPA_PARAM_MGMT_GROUP:
4513 sm->mgmt_group_cipher = value;
4514 break;
4515 case WPA_PARAM_RSN_ENABLED:
4516 sm->rsn_enabled = value;
4517 break;
4518 case WPA_PARAM_MFP:
4519 sm->mfp = value;
4520 break;
4521 case WPA_PARAM_OCV:
4522 sm->ocv = value;
4523 break;
4524 case WPA_PARAM_SAE_PWE:
4525 sm->sae_pwe = value;
4526 break;
4527 case WPA_PARAM_SAE_PK:
4528 sm->sae_pk = value;
4529 break;
4530 case WPA_PARAM_DENY_PTK0_REKEY:
4531 sm->wpa_deny_ptk0_rekey = value;
4532 break;
4533 case WPA_PARAM_EXT_KEY_ID:
4534 sm->ext_key_id = value;
4535 break;
4536 case WPA_PARAM_USE_EXT_KEY_ID:
4537 sm->use_ext_key_id = value;
4538 break;
4539 #ifdef CONFIG_TESTING_OPTIONS
4540 case WPA_PARAM_FT_RSNXE_USED:
4541 sm->ft_rsnxe_used = value;
4542 break;
4543 case WPA_PARAM_OCI_FREQ_EAPOL:
4544 sm->oci_freq_override_eapol = value;
4545 break;
4546 case WPA_PARAM_OCI_FREQ_EAPOL_G2:
4547 sm->oci_freq_override_eapol_g2 = value;
4548 break;
4549 case WPA_PARAM_OCI_FREQ_FT_ASSOC:
4550 sm->oci_freq_override_ft_assoc = value;
4551 break;
4552 case WPA_PARAM_OCI_FREQ_FILS_ASSOC:
4553 sm->oci_freq_override_fils_assoc = value;
4554 break;
4555 case WPA_PARAM_DISABLE_EAPOL_G2_TX:
4556 sm->disable_eapol_g2_tx = value;
4557 break;
4558 #endif /* CONFIG_TESTING_OPTIONS */
4559 #ifdef CONFIG_DPP2
4560 case WPA_PARAM_DPP_PFS:
4561 sm->dpp_pfs = value;
4562 break;
4563 #endif /* CONFIG_DPP2 */
4564 case WPA_PARAM_WMM_ENABLED:
4565 sm->wmm_enabled = value;
4566 break;
4567 default:
4568 break;
4569 }
4570
4571 return ret;
4572 }
4573
4574
4575 /**
4576 * wpa_sm_get_status - Get WPA state machine
4577 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4578 * @buf: Buffer for status information
4579 * @buflen: Maximum buffer length
4580 * @verbose: Whether to include verbose status information
4581 * Returns: Number of bytes written to buf.
4582 *
4583 * Query WPA state machine for status information. This function fills in
4584 * a text area with current status information. If the buffer (buf) is not
4585 * large enough, status information will be truncated to fit the buffer.
4586 */
wpa_sm_get_status(struct wpa_sm * sm,char * buf,size_t buflen,int verbose)4587 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
4588 int verbose)
4589 {
4590 char *pos = buf, *end = buf + buflen;
4591 int ret;
4592
4593 ret = os_snprintf(pos, end - pos,
4594 "pairwise_cipher=%s\n"
4595 "group_cipher=%s\n"
4596 "key_mgmt=%s\n",
4597 wpa_cipher_txt(sm->pairwise_cipher),
4598 wpa_cipher_txt(sm->group_cipher),
4599 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
4600 if (os_snprintf_error(end - pos, ret))
4601 return pos - buf;
4602 pos += ret;
4603
4604 #ifdef CONFIG_DPP2
4605 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
4606 ret = os_snprintf(pos, end - pos, "dpp_pfs=1\n");
4607 if (os_snprintf_error(end - pos, ret))
4608 return pos - buf;
4609 pos += ret;
4610 }
4611 #endif /* CONFIG_DPP2 */
4612
4613 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
4614 struct wpa_ie_data rsn;
4615 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
4616 >= 0 &&
4617 rsn.capabilities & (WPA_CAPABILITY_MFPR |
4618 WPA_CAPABILITY_MFPC)) {
4619 ret = os_snprintf(pos, end - pos, "pmf=%d\n"
4620 "mgmt_group_cipher=%s\n",
4621 (rsn.capabilities &
4622 WPA_CAPABILITY_MFPR) ? 2 : 1,
4623 wpa_cipher_txt(
4624 sm->mgmt_group_cipher));
4625 if (os_snprintf_error(end - pos, ret))
4626 return pos - buf;
4627 pos += ret;
4628 }
4629 }
4630
4631 return pos - buf;
4632 }
4633
4634
wpa_sm_pmf_enabled(struct wpa_sm * sm)4635 int wpa_sm_pmf_enabled(struct wpa_sm *sm)
4636 {
4637 struct wpa_ie_data rsn;
4638
4639 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
4640 return 0;
4641
4642 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
4643 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
4644 return 1;
4645
4646 return 0;
4647 }
4648
4649
wpa_sm_ext_key_id(struct wpa_sm * sm)4650 int wpa_sm_ext_key_id(struct wpa_sm *sm)
4651 {
4652 return sm ? sm->ext_key_id : 0;
4653 }
4654
4655
wpa_sm_ext_key_id_active(struct wpa_sm * sm)4656 int wpa_sm_ext_key_id_active(struct wpa_sm *sm)
4657 {
4658 return sm ? sm->use_ext_key_id : 0;
4659 }
4660
4661
wpa_sm_ocv_enabled(struct wpa_sm * sm)4662 int wpa_sm_ocv_enabled(struct wpa_sm *sm)
4663 {
4664 struct wpa_ie_data rsn;
4665
4666 if (!sm->ocv || !sm->ap_rsn_ie)
4667 return 0;
4668
4669 return wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len,
4670 &rsn) >= 0 &&
4671 (rsn.capabilities & WPA_CAPABILITY_OCVC);
4672 }
4673
4674
4675 /**
4676 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
4677 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4678 * @wpa_ie: Pointer to buffer for WPA/RSN IE
4679 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
4680 * Returns: 0 on success, -1 on failure
4681 */
wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm * sm,u8 * wpa_ie,size_t * wpa_ie_len)4682 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
4683 size_t *wpa_ie_len)
4684 {
4685 int res;
4686
4687 if (sm == NULL)
4688 return -1;
4689
4690 #ifdef CONFIG_TESTING_OPTIONS
4691 if (sm->test_assoc_ie) {
4692 wpa_printf(MSG_DEBUG,
4693 "TESTING: Replace association WPA/RSN IE");
4694 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
4695 return -1;
4696 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
4697 wpabuf_len(sm->test_assoc_ie));
4698 res = wpabuf_len(sm->test_assoc_ie);
4699 } else
4700 #endif /* CONFIG_TESTING_OPTIONS */
4701 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
4702 if (res < 0)
4703 return -1;
4704 *wpa_ie_len = res;
4705
4706 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
4707 wpa_ie, *wpa_ie_len);
4708
4709 if (sm->assoc_wpa_ie == NULL) {
4710 /*
4711 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
4712 * the correct version of the IE even if PMKSA caching is
4713 * aborted (which would remove PMKID from IE generation).
4714 */
4715 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
4716 if (sm->assoc_wpa_ie == NULL)
4717 return -1;
4718
4719 sm->assoc_wpa_ie_len = *wpa_ie_len;
4720 } else {
4721 wpa_hexdump(MSG_DEBUG,
4722 "WPA: Leave previously set WPA IE default",
4723 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
4724 }
4725
4726 return 0;
4727 }
4728
4729
4730 /**
4731 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
4732 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4733 * @ie: Pointer to IE data (starting from id)
4734 * @len: IE length
4735 * Returns: 0 on success, -1 on failure
4736 *
4737 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
4738 * Request frame. The IE will be used to override the default value generated
4739 * with wpa_sm_set_assoc_wpa_ie_default().
4740 */
wpa_sm_set_assoc_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)4741 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
4742 {
4743 if (sm == NULL)
4744 return -1;
4745
4746 os_free(sm->assoc_wpa_ie);
4747 if (ie == NULL || len == 0) {
4748 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4749 "WPA: clearing own WPA/RSN IE");
4750 sm->assoc_wpa_ie = NULL;
4751 sm->assoc_wpa_ie_len = 0;
4752 } else {
4753 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
4754 sm->assoc_wpa_ie = os_memdup(ie, len);
4755 if (sm->assoc_wpa_ie == NULL)
4756 return -1;
4757
4758 sm->assoc_wpa_ie_len = len;
4759 }
4760
4761 return 0;
4762 }
4763
4764
4765 /**
4766 * wpa_sm_set_assoc_rsnxe_default - Generate own RSNXE from configuration
4767 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4768 * @rsnxe: Pointer to buffer for RSNXE
4769 * @rsnxe_len: Pointer to the length of the rsne buffer
4770 * Returns: 0 on success, -1 on failure
4771 */
wpa_sm_set_assoc_rsnxe_default(struct wpa_sm * sm,u8 * rsnxe,size_t * rsnxe_len)4772 int wpa_sm_set_assoc_rsnxe_default(struct wpa_sm *sm, u8 *rsnxe,
4773 size_t *rsnxe_len)
4774 {
4775 int res;
4776
4777 if (!sm)
4778 return -1;
4779
4780 res = wpa_gen_rsnxe(sm, rsnxe, *rsnxe_len);
4781 if (res < 0)
4782 return -1;
4783 *rsnxe_len = res;
4784
4785 wpa_hexdump(MSG_DEBUG, "RSN: Set own RSNXE default", rsnxe, *rsnxe_len);
4786
4787 if (sm->assoc_rsnxe) {
4788 wpa_hexdump(MSG_DEBUG,
4789 "RSN: Leave previously set RSNXE default",
4790 sm->assoc_rsnxe, sm->assoc_rsnxe_len);
4791 } else if (*rsnxe_len > 0) {
4792 /*
4793 * Make a copy of the RSNXE so that 4-Way Handshake gets the
4794 * correct version of the IE even if it gets changed.
4795 */
4796 sm->assoc_rsnxe = os_memdup(rsnxe, *rsnxe_len);
4797 if (!sm->assoc_rsnxe)
4798 return -1;
4799
4800 sm->assoc_rsnxe_len = *rsnxe_len;
4801 }
4802
4803 return 0;
4804 }
4805
4806
4807 /**
4808 * wpa_sm_set_assoc_rsnxe - Set own RSNXE from (Re)AssocReq
4809 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4810 * @ie: Pointer to IE data (starting from id)
4811 * @len: IE length
4812 * Returns: 0 on success, -1 on failure
4813 *
4814 * Inform WPA state machine about the RSNXE used in (Re)Association Request
4815 * frame. The IE will be used to override the default value generated
4816 * with wpa_sm_set_assoc_rsnxe_default().
4817 */
wpa_sm_set_assoc_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)4818 int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
4819 {
4820 if (!sm)
4821 return -1;
4822
4823 os_free(sm->assoc_rsnxe);
4824 if (!ie || len == 0) {
4825 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4826 "RSN: clearing own RSNXE");
4827 sm->assoc_rsnxe = NULL;
4828 sm->assoc_rsnxe_len = 0;
4829 } else {
4830 wpa_hexdump(MSG_DEBUG, "RSN: set own RSNXE", ie, len);
4831 sm->assoc_rsnxe = os_memdup(ie, len);
4832 if (!sm->assoc_rsnxe)
4833 return -1;
4834
4835 sm->assoc_rsnxe_len = len;
4836 }
4837
4838 return 0;
4839 }
4840
4841
4842 /**
4843 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
4844 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4845 * @ie: Pointer to IE data (starting from id)
4846 * @len: IE length
4847 * Returns: 0 on success, -1 on failure
4848 *
4849 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
4850 * frame.
4851 */
wpa_sm_set_ap_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)4852 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
4853 {
4854 if (sm == NULL)
4855 return -1;
4856
4857 os_free(sm->ap_wpa_ie);
4858 if (ie == NULL || len == 0) {
4859 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4860 "WPA: clearing AP WPA IE");
4861 sm->ap_wpa_ie = NULL;
4862 sm->ap_wpa_ie_len = 0;
4863 } else {
4864 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
4865 sm->ap_wpa_ie = os_memdup(ie, len);
4866 if (sm->ap_wpa_ie == NULL)
4867 return -1;
4868
4869 sm->ap_wpa_ie_len = len;
4870 }
4871
4872 return 0;
4873 }
4874
4875
4876 /**
4877 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
4878 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4879 * @ie: Pointer to IE data (starting from id)
4880 * @len: IE length
4881 * Returns: 0 on success, -1 on failure
4882 *
4883 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
4884 * frame.
4885 */
wpa_sm_set_ap_rsn_ie(struct wpa_sm * sm,const u8 * ie,size_t len)4886 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
4887 {
4888 if (sm == NULL)
4889 return -1;
4890
4891 os_free(sm->ap_rsn_ie);
4892 if (ie == NULL || len == 0) {
4893 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4894 "WPA: clearing AP RSN IE");
4895 sm->ap_rsn_ie = NULL;
4896 sm->ap_rsn_ie_len = 0;
4897 } else {
4898 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
4899 sm->ap_rsn_ie = os_memdup(ie, len);
4900 if (sm->ap_rsn_ie == NULL)
4901 return -1;
4902
4903 sm->ap_rsn_ie_len = len;
4904 }
4905
4906 return 0;
4907 }
4908
4909
4910 /**
4911 * wpa_sm_set_ap_rsnxe - Set AP RSNXE from Beacon/ProbeResp
4912 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4913 * @ie: Pointer to IE data (starting from id)
4914 * @len: IE length
4915 * Returns: 0 on success, -1 on failure
4916 *
4917 * Inform WPA state machine about the RSNXE used in Beacon / Probe Response
4918 * frame.
4919 */
wpa_sm_set_ap_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)4920 int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
4921 {
4922 if (!sm)
4923 return -1;
4924
4925 os_free(sm->ap_rsnxe);
4926 if (!ie || len == 0) {
4927 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE");
4928 sm->ap_rsnxe = NULL;
4929 sm->ap_rsnxe_len = 0;
4930 } else {
4931 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len);
4932 sm->ap_rsnxe = os_memdup(ie, len);
4933 if (!sm->ap_rsnxe)
4934 return -1;
4935
4936 sm->ap_rsnxe_len = len;
4937 }
4938
4939 return 0;
4940 }
4941
4942
4943 /**
4944 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
4945 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4946 * @data: Pointer to data area for parsing results
4947 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
4948 *
4949 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
4950 * parsed data into data.
4951 */
wpa_sm_parse_own_wpa_ie(struct wpa_sm * sm,struct wpa_ie_data * data)4952 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
4953 {
4954 if (sm == NULL)
4955 return -1;
4956
4957 if (sm->assoc_wpa_ie == NULL) {
4958 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4959 "WPA: No WPA/RSN IE available from association info");
4960 return -1;
4961 }
4962 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
4963 return -2;
4964 return 0;
4965 }
4966
4967
wpa_sm_pmksa_cache_list(struct wpa_sm * sm,char * buf,size_t len)4968 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
4969 {
4970 return pmksa_cache_list(sm->pmksa, buf, len);
4971 }
4972
4973
wpa_sm_pmksa_cache_head(struct wpa_sm * sm)4974 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
4975 {
4976 return pmksa_cache_head(sm->pmksa);
4977 }
4978
4979
4980 struct rsn_pmksa_cache_entry *
wpa_sm_pmksa_cache_add_entry(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)4981 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
4982 struct rsn_pmksa_cache_entry * entry)
4983 {
4984 return pmksa_cache_add_entry(sm->pmksa, entry);
4985 }
4986
4987
wpa_sm_pmksa_cache_add(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid,const u8 * fils_cache_id)4988 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
4989 const u8 *pmkid, const u8 *bssid,
4990 const u8 *fils_cache_id)
4991 {
4992 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
4993 bssid, sm->own_addr, sm->network_ctx,
4994 sm->key_mgmt, fils_cache_id);
4995 }
4996
4997
wpa_sm_pmksa_exists(struct wpa_sm * sm,const u8 * bssid,const u8 * own_addr,const void * network_ctx)4998 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid, const u8 *own_addr,
4999 const void *network_ctx)
5000 {
5001 return pmksa_cache_get(sm->pmksa, bssid, own_addr, NULL, network_ctx,
5002 0) != NULL;
5003 }
5004
5005
wpa_sm_pmksa_cache_get(struct wpa_sm * sm,const u8 * aa,const u8 * pmkid,const void * network_ctx,int akmp)5006 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_get(struct wpa_sm *sm,
5007 const u8 *aa,
5008 const u8 *pmkid,
5009 const void *network_ctx,
5010 int akmp)
5011 {
5012 return pmksa_cache_get(sm->pmksa, aa, sm->own_addr, pmkid, network_ctx,
5013 akmp);
5014 }
5015
5016
wpa_sm_pmksa_cache_remove(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)5017 void wpa_sm_pmksa_cache_remove(struct wpa_sm *sm,
5018 struct rsn_pmksa_cache_entry *entry)
5019 {
5020 if (sm && sm->pmksa)
5021 pmksa_cache_remove(sm->pmksa, entry);
5022 }
5023
5024
wpa_sm_drop_sa(struct wpa_sm * sm)5025 void wpa_sm_drop_sa(struct wpa_sm *sm)
5026 {
5027 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
5028 wpa_sm_clear_ptk(sm);
5029 sm->pmk_len = 0;
5030 os_memset(sm->pmk, 0, sizeof(sm->pmk));
5031 #ifdef CONFIG_IEEE80211R
5032 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
5033 sm->xxkey_len = 0;
5034 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
5035 sm->pmk_r0_len = 0;
5036 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
5037 sm->pmk_r1_len = 0;
5038 #ifdef CONFIG_PASN
5039 os_free(sm->pasn_r1kh);
5040 sm->pasn_r1kh = NULL;
5041 sm->n_pasn_r1kh = 0;
5042 #endif /* CONFIG_PASN */
5043 #endif /* CONFIG_IEEE80211R */
5044 }
5045
5046
5047 #ifdef CONFIG_IEEE80211R
wpa_sm_has_ft_keys(struct wpa_sm * sm,const u8 * md)5048 bool wpa_sm_has_ft_keys(struct wpa_sm *sm, const u8 *md)
5049 {
5050 if (!sm)
5051 return false;
5052 if (!wpa_key_mgmt_ft(sm->key_mgmt) ||
5053 os_memcmp(md, sm->key_mobility_domain,
5054 MOBILITY_DOMAIN_ID_LEN) != 0) {
5055 /* Do not allow FT protocol to be used even if we were to have
5056 * an PTK since the mobility domain has changed. */
5057 return false;
5058 }
5059 return sm->ptk_set;
5060 }
5061 #endif /* CONFIG_IEEE80211R */
5062
5063
wpa_sm_has_ptk_installed(struct wpa_sm * sm)5064 int wpa_sm_has_ptk_installed(struct wpa_sm *sm)
5065 {
5066 if (!sm)
5067 return 0;
5068 return sm->tk_set || sm->ptk.installed;
5069 }
5070
5071
wpa_sm_update_replay_ctr(struct wpa_sm * sm,const u8 * replay_ctr)5072 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
5073 {
5074 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
5075 }
5076
5077
wpa_sm_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)5078 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
5079 {
5080 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, false);
5081 }
5082
5083
wpa_sm_external_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)5084 void wpa_sm_external_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
5085 {
5086 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, true);
5087 }
5088
5089 #if defined(CONFIG_DRIVER_NL80211_BRCM) || defined(CONFIG_DRIVER_NL80211_SYNA)
wpa_sm_install_pmk(struct wpa_sm * sm)5090 void wpa_sm_install_pmk(struct wpa_sm *sm)
5091 {
5092 /* In case the driver wants to handle re-assocs, pass it down the PMK. */
5093 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->pairwise_cipher), NULL, 0, 0, NULL, 0,
5094 (u8*)sm->pmk, sm->pmk_len, KEY_FLAG_PMK) < 0) {
5095 wpa_hexdump(MSG_DEBUG, "PSK: Install PMK to the driver for driver reassociations",
5096 (u8*)sm->pmk, sm->pmk_len);
5097 /* No harm if the driver doesn't support. */
5098 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
5099 "WPA: Failed to set PMK to the driver");
5100 }
5101 }
5102
wpa_sm_notify_brcm_ft_reassoc(struct wpa_sm * sm,const u8 * bssid)5103 void wpa_sm_notify_brcm_ft_reassoc(struct wpa_sm *sm, const u8 *bssid)
5104 {
5105 u8 buf[256];
5106 struct wpa_supplicant *wpa_s = sm->ctx->ctx;
5107
5108 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5109 "WPA: BRCM FT Reassociation event - clear replay counter");
5110 os_memcpy(sm->bssid, bssid, ETH_ALEN);
5111 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
5112 sm->rx_replay_counter_set = 0;
5113
5114 if (wpa_drv_driver_cmd(wpa_s, "GET_FTKEY", (char *)buf, sizeof(buf)) < 0) {
5115 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
5116 "WPA: Failed to get FT KEY information");
5117 wpa_supplicant_deauthenticate(
5118 wpa_s, WLAN_REASON_DEAUTH_LEAVING);
5119
5120 } else {
5121 /* update kck and kek */
5122 os_memcpy(sm->ptk.kck, buf, 16);
5123 os_memcpy(sm->ptk.kek, buf + 16, 16);
5124 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
5125 "WPA: Updated KCK and KEK after FT reassoc");
5126 }
5127 }
5128 #endif /* CONFIG_DRIVER_NL80211_BRCM || CONFIG_DRIVER_NL80211_SYNA */
5129
5130
5131 #ifdef CONFIG_WNM
wpa_wnmsleep_install_key(struct wpa_sm * sm,u8 subelem_id,u8 * buf)5132 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
5133 {
5134 u16 keyinfo;
5135 u8 keylen; /* plaintext key len */
5136 u8 *key_rsc;
5137
5138 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
5139 struct wpa_gtk_data gd;
5140
5141 os_memset(&gd, 0, sizeof(gd));
5142 keylen = wpa_cipher_key_len(sm->group_cipher);
5143 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
5144 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
5145 if (gd.alg == WPA_ALG_NONE) {
5146 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
5147 return -1;
5148 }
5149
5150 key_rsc = buf + 5;
5151 keyinfo = WPA_GET_LE16(buf + 2);
5152 gd.gtk_len = keylen;
5153 if (gd.gtk_len != buf[4]) {
5154 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
5155 gd.gtk_len, buf[4]);
5156 return -1;
5157 }
5158 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
5159 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
5160 sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
5161
5162 os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
5163
5164 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
5165 gd.gtk, gd.gtk_len);
5166 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
5167 forced_memzero(&gd, sizeof(gd));
5168 wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
5169 "WNM mode");
5170 return -1;
5171 }
5172 forced_memzero(&gd, sizeof(gd));
5173 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
5174 const struct wpa_igtk_kde *igtk;
5175
5176 igtk = (const struct wpa_igtk_kde *) (buf + 2);
5177 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
5178 return -1;
5179 } else if (subelem_id == WNM_SLEEP_SUBELEM_BIGTK) {
5180 const struct wpa_bigtk_kde *bigtk;
5181
5182 bigtk = (const struct wpa_bigtk_kde *) (buf + 2);
5183 if (sm->beacon_prot &&
5184 wpa_supplicant_install_bigtk(sm, bigtk, 1) < 0)
5185 return -1;
5186 } else {
5187 wpa_printf(MSG_DEBUG, "Unknown element id");
5188 return -1;
5189 }
5190
5191 return 0;
5192 }
5193 #endif /* CONFIG_WNM */
5194
5195
5196 #ifdef CONFIG_P2P
5197
wpa_sm_get_p2p_ip_addr(struct wpa_sm * sm,u8 * buf)5198 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
5199 {
5200 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
5201 return -1;
5202 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
5203 return 0;
5204 }
5205
5206 #endif /* CONFIG_P2P */
5207
5208
wpa_sm_set_rx_replay_ctr(struct wpa_sm * sm,const u8 * rx_replay_counter)5209 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
5210 {
5211 if (rx_replay_counter == NULL)
5212 return;
5213
5214 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
5215 WPA_REPLAY_COUNTER_LEN);
5216 sm->rx_replay_counter_set = 1;
5217 wpa_printf(MSG_DEBUG, "Updated key replay counter");
5218 }
5219
5220
wpa_sm_set_ptk_kck_kek(struct wpa_sm * sm,const u8 * ptk_kck,size_t ptk_kck_len,const u8 * ptk_kek,size_t ptk_kek_len)5221 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
5222 const u8 *ptk_kck, size_t ptk_kck_len,
5223 const u8 *ptk_kek, size_t ptk_kek_len)
5224 {
5225 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
5226 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
5227 sm->ptk.kck_len = ptk_kck_len;
5228 wpa_printf(MSG_DEBUG, "Updated PTK KCK");
5229 }
5230 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
5231 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
5232 sm->ptk.kek_len = ptk_kek_len;
5233 wpa_printf(MSG_DEBUG, "Updated PTK KEK");
5234 }
5235 sm->ptk_set = 1;
5236 }
5237
5238
5239 #ifdef CONFIG_TESTING_OPTIONS
5240
wpa_sm_set_test_assoc_ie(struct wpa_sm * sm,struct wpabuf * buf)5241 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
5242 {
5243 wpabuf_free(sm->test_assoc_ie);
5244 sm->test_assoc_ie = buf;
5245 }
5246
5247
wpa_sm_get_anonce(struct wpa_sm * sm)5248 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm)
5249 {
5250 return sm->anonce;
5251 }
5252
5253 #endif /* CONFIG_TESTING_OPTIONS */
5254
5255
wpa_sm_get_key_mgmt(struct wpa_sm * sm)5256 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm)
5257 {
5258 return sm->key_mgmt;
5259 }
5260
5261
wpa_sm_get_auth_addr(struct wpa_sm * sm)5262 const u8 * wpa_sm_get_auth_addr(struct wpa_sm *sm)
5263 {
5264 return sm->mlo.valid_links ? sm->mlo.ap_mld_addr : sm->bssid;
5265 }
5266
5267
5268 #ifdef CONFIG_FILS
5269
fils_build_auth(struct wpa_sm * sm,int dh_group,const u8 * md)5270 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md)
5271 {
5272 struct wpabuf *buf = NULL;
5273 struct wpabuf *erp_msg;
5274 struct wpabuf *pub = NULL;
5275
5276 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
5277 if (!erp_msg && !sm->cur_pmksa) {
5278 wpa_printf(MSG_DEBUG,
5279 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
5280 goto fail;
5281 }
5282
5283 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
5284 erp_msg != NULL, sm->cur_pmksa != NULL);
5285
5286 sm->fils_completed = 0;
5287
5288 if (!sm->assoc_wpa_ie) {
5289 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
5290 goto fail;
5291 }
5292
5293 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
5294 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
5295 goto fail;
5296
5297 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
5298 sm->fils_nonce, FILS_NONCE_LEN);
5299 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
5300 sm->fils_session, FILS_SESSION_LEN);
5301
5302 #ifdef CONFIG_FILS_SK_PFS
5303 sm->fils_dh_group = dh_group;
5304 if (dh_group) {
5305 crypto_ecdh_deinit(sm->fils_ecdh);
5306 sm->fils_ecdh = crypto_ecdh_init(dh_group);
5307 if (!sm->fils_ecdh) {
5308 wpa_printf(MSG_INFO,
5309 "FILS: Could not initialize ECDH with group %d",
5310 dh_group);
5311 goto fail;
5312 }
5313 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
5314 if (!pub)
5315 goto fail;
5316 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)",
5317 pub);
5318 sm->fils_dh_elem_len = wpabuf_len(pub);
5319 }
5320 #endif /* CONFIG_FILS_SK_PFS */
5321
5322 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
5323 (pub ? wpabuf_len(pub) : 0));
5324 if (!buf)
5325 goto fail;
5326
5327 /* Fields following the Authentication algorithm number field */
5328
5329 /* Authentication Transaction seq# */
5330 wpabuf_put_le16(buf, 1);
5331
5332 /* Status Code */
5333 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
5334
5335 /* TODO: FILS PK */
5336 #ifdef CONFIG_FILS_SK_PFS
5337 if (dh_group) {
5338 /* Finite Cyclic Group */
5339 wpabuf_put_le16(buf, dh_group);
5340 /* Element */
5341 wpabuf_put_buf(buf, pub);
5342 }
5343 #endif /* CONFIG_FILS_SK_PFS */
5344
5345 /* RSNE */
5346 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
5347 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5348 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5349
5350 if (md) {
5351 /* MDE when using FILS for FT initial association */
5352 struct rsn_mdie *mdie;
5353
5354 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN);
5355 wpabuf_put_u8(buf, sizeof(*mdie));
5356 mdie = wpabuf_put(buf, sizeof(*mdie));
5357 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
5358 mdie->ft_capab = 0;
5359 }
5360
5361 /* FILS Nonce */
5362 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5363 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
5364 /* Element ID Extension */
5365 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
5366 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
5367
5368 /* FILS Session */
5369 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5370 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
5371 /* Element ID Extension */
5372 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
5373 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
5374
5375 /* Wrapped Data */
5376 sm->fils_erp_pmkid_set = 0;
5377 if (erp_msg) {
5378 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5379 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
5380 /* Element ID Extension */
5381 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
5382 wpabuf_put_buf(buf, erp_msg);
5383 /* Calculate pending PMKID here so that we do not need to
5384 * maintain a copy of the EAP-Initiate/Reauth message. */
5385 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
5386 wpabuf_len(erp_msg),
5387 sm->fils_erp_pmkid) == 0)
5388 sm->fils_erp_pmkid_set = 1;
5389 }
5390
5391 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
5392 buf);
5393
5394 fail:
5395 wpabuf_free(erp_msg);
5396 wpabuf_free(pub);
5397 return buf;
5398 }
5399
5400
fils_process_auth(struct wpa_sm * sm,const u8 * bssid,const u8 * data,size_t len)5401 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
5402 size_t len)
5403 {
5404 const u8 *pos, *end;
5405 struct ieee802_11_elems elems;
5406 struct wpa_ie_data rsn;
5407 int pmkid_match = 0;
5408 u8 ick[FILS_ICK_MAX_LEN];
5409 size_t ick_len;
5410 int res;
5411 struct wpabuf *dh_ss = NULL;
5412 const u8 *g_sta = NULL;
5413 size_t g_sta_len = 0;
5414 const u8 *g_ap = NULL;
5415 size_t g_ap_len = 0, kdk_len;
5416 struct wpabuf *pub = NULL;
5417
5418 os_memcpy(sm->bssid, bssid, ETH_ALEN);
5419
5420 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
5421 data, len);
5422 pos = data;
5423 end = data + len;
5424
5425 /* TODO: FILS PK */
5426 #ifdef CONFIG_FILS_SK_PFS
5427 if (sm->fils_dh_group) {
5428 u16 group;
5429
5430 /* Using FILS PFS */
5431
5432 /* Finite Cyclic Group */
5433 if (end - pos < 2) {
5434 wpa_printf(MSG_DEBUG,
5435 "FILS: No room for Finite Cyclic Group");
5436 goto fail;
5437 }
5438 group = WPA_GET_LE16(pos);
5439 pos += 2;
5440 if (group != sm->fils_dh_group) {
5441 wpa_printf(MSG_DEBUG,
5442 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
5443 group, sm->fils_dh_group);
5444 goto fail;
5445 }
5446
5447 /* Element */
5448 if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
5449 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
5450 goto fail;
5451 }
5452
5453 if (!sm->fils_ecdh) {
5454 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available");
5455 goto fail;
5456 }
5457 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
5458 sm->fils_dh_elem_len);
5459 if (!dh_ss) {
5460 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
5461 goto fail;
5462 }
5463 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss);
5464 g_ap = pos;
5465 g_ap_len = sm->fils_dh_elem_len;
5466 pos += sm->fils_dh_elem_len;
5467 }
5468 #endif /* CONFIG_FILS_SK_PFS */
5469
5470 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
5471 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
5472 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
5473 goto fail;
5474 }
5475
5476 /* RSNE */
5477 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
5478 elems.rsn_ie_len);
5479 if (!elems.rsn_ie ||
5480 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
5481 &rsn) < 0) {
5482 wpa_printf(MSG_DEBUG, "FILS: No RSN element");
5483 goto fail;
5484 }
5485
5486 if (!elems.fils_nonce) {
5487 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
5488 goto fail;
5489 }
5490 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
5491 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
5492
5493 #ifdef CONFIG_IEEE80211R
5494 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
5495 struct wpa_ft_ies parse;
5496
5497 if (!elems.mdie || !elems.ftie) {
5498 wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE");
5499 goto fail;
5500 }
5501
5502 if (wpa_ft_parse_ies(pos, end - pos, &parse,
5503 sm->key_mgmt) < 0) {
5504 wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs");
5505 goto fail;
5506 }
5507
5508 if (!parse.r0kh_id) {
5509 wpa_printf(MSG_DEBUG,
5510 "FILS+FT: No R0KH-ID subelem in FTE");
5511 goto fail;
5512 }
5513 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
5514 sm->r0kh_id_len = parse.r0kh_id_len;
5515 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
5516 sm->r0kh_id, sm->r0kh_id_len);
5517
5518 if (!parse.r1kh_id) {
5519 wpa_printf(MSG_DEBUG,
5520 "FILS+FT: No R1KH-ID subelem in FTE");
5521 goto fail;
5522 }
5523 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
5524 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID",
5525 sm->r1kh_id, FT_R1KH_ID_LEN);
5526
5527 /* TODO: Check MDE and FTE payload */
5528
5529 wpabuf_free(sm->fils_ft_ies);
5530 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len +
5531 2 + elems.ftie_len);
5532 if (!sm->fils_ft_ies)
5533 goto fail;
5534 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2,
5535 2 + elems.mdie_len);
5536 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2,
5537 2 + elems.ftie_len);
5538 } else {
5539 wpabuf_free(sm->fils_ft_ies);
5540 sm->fils_ft_ies = NULL;
5541 }
5542 #endif /* CONFIG_IEEE80211R */
5543
5544 /* PMKID List */
5545 if (rsn.pmkid && rsn.num_pmkid > 0) {
5546 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
5547 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
5548
5549 if (rsn.num_pmkid != 1) {
5550 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
5551 goto fail;
5552 }
5553 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
5554 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
5555 {
5556 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
5557 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
5558 sm->cur_pmksa->pmkid, PMKID_LEN);
5559 goto fail;
5560 }
5561 wpa_printf(MSG_DEBUG,
5562 "FILS: Matching PMKID - continue using PMKSA caching");
5563 pmkid_match = 1;
5564 }
5565 if (!pmkid_match && sm->cur_pmksa) {
5566 wpa_printf(MSG_DEBUG,
5567 "FILS: No PMKID match - cannot use cached PMKSA entry");
5568 sm->cur_pmksa = NULL;
5569 }
5570
5571 /* FILS Session */
5572 if (!elems.fils_session) {
5573 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
5574 goto fail;
5575 }
5576 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
5577 FILS_SESSION_LEN);
5578 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
5579 != 0) {
5580 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
5581 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
5582 sm->fils_session, FILS_SESSION_LEN);
5583 goto fail;
5584 }
5585
5586 /* Wrapped Data */
5587 if (!sm->cur_pmksa && elems.wrapped_data) {
5588 u8 rmsk[ERP_MAX_KEY_LEN];
5589 size_t rmsk_len;
5590
5591 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
5592 elems.wrapped_data,
5593 elems.wrapped_data_len);
5594 eapol_sm_process_erp_finish(sm->eapol, elems.wrapped_data,
5595 elems.wrapped_data_len);
5596 if (eapol_sm_failed(sm->eapol))
5597 goto fail;
5598
5599 rmsk_len = ERP_MAX_KEY_LEN;
5600 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
5601 if (res == PMK_LEN) {
5602 rmsk_len = PMK_LEN;
5603 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
5604 }
5605 if (res)
5606 goto fail;
5607
5608 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
5609 sm->fils_nonce, sm->fils_anonce,
5610 dh_ss ? wpabuf_head(dh_ss) : NULL,
5611 dh_ss ? wpabuf_len(dh_ss) : 0,
5612 sm->pmk, &sm->pmk_len);
5613 forced_memzero(rmsk, sizeof(rmsk));
5614
5615 /* Don't use DHss in PTK derivation if PMKSA caching is not
5616 * used. */
5617 wpabuf_clear_free(dh_ss);
5618 dh_ss = NULL;
5619
5620 if (res)
5621 goto fail;
5622
5623 if (!sm->fils_erp_pmkid_set) {
5624 wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
5625 goto fail;
5626 }
5627 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
5628 PMKID_LEN);
5629 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
5630 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
5631 sm->fils_erp_pmkid, NULL, 0,
5632 sm->bssid, sm->own_addr,
5633 sm->network_ctx, sm->key_mgmt,
5634 NULL);
5635 }
5636
5637 if (!sm->cur_pmksa) {
5638 wpa_printf(MSG_DEBUG,
5639 "FILS: No remaining options to continue FILS authentication");
5640 goto fail;
5641 }
5642
5643 if (sm->force_kdk_derivation ||
5644 (sm->secure_ltf &&
5645 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
5646 kdk_len = WPA_KDK_MAX_LEN;
5647 else
5648 kdk_len = 0;
5649
5650 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr,
5651 wpa_sm_get_auth_addr(sm),
5652 sm->fils_nonce, sm->fils_anonce,
5653 dh_ss ? wpabuf_head(dh_ss) : NULL,
5654 dh_ss ? wpabuf_len(dh_ss) : 0,
5655 &sm->ptk, ick, &ick_len,
5656 sm->key_mgmt, sm->pairwise_cipher,
5657 sm->fils_ft, &sm->fils_ft_len,
5658 kdk_len) < 0) {
5659 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
5660 goto fail;
5661 }
5662
5663 #ifdef CONFIG_PASN
5664 if (sm->secure_ltf &&
5665 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
5666 wpa_ltf_keyseed(&sm->ptk, sm->key_mgmt, sm->pairwise_cipher)) {
5667 wpa_printf(MSG_DEBUG, "FILS: Failed to derive LTF keyseed");
5668 goto fail;
5669 }
5670 #endif /* CONFIG_PASN */
5671
5672 wpabuf_clear_free(dh_ss);
5673 dh_ss = NULL;
5674
5675 sm->ptk_set = 1;
5676 sm->tptk_set = 0;
5677 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
5678
5679 #ifdef CONFIG_FILS_SK_PFS
5680 if (sm->fils_dh_group) {
5681 if (!sm->fils_ecdh) {
5682 wpa_printf(MSG_INFO, "FILS: ECDH not initialized");
5683 goto fail;
5684 }
5685 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
5686 if (!pub)
5687 goto fail;
5688 wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub);
5689 g_sta = wpabuf_head(pub);
5690 g_sta_len = wpabuf_len(pub);
5691 if (!g_ap) {
5692 wpa_printf(MSG_INFO, "FILS: gAP not available");
5693 goto fail;
5694 }
5695 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
5696 }
5697 #endif /* CONFIG_FILS_SK_PFS */
5698
5699 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
5700 sm->fils_anonce, sm->own_addr, sm->bssid,
5701 g_sta, g_sta_len, g_ap, g_ap_len,
5702 sm->key_mgmt, sm->fils_key_auth_sta,
5703 sm->fils_key_auth_ap,
5704 &sm->fils_key_auth_len);
5705 wpabuf_free(pub);
5706 forced_memzero(ick, sizeof(ick));
5707 return res;
5708 fail:
5709 wpabuf_free(pub);
5710 wpabuf_clear_free(dh_ss);
5711 return -1;
5712 }
5713
5714
5715 #ifdef CONFIG_IEEE80211R
fils_ft_build_assoc_req_rsne(struct wpa_sm * sm,struct wpabuf * buf)5716 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf)
5717 {
5718 struct rsn_ie_hdr *rsnie;
5719 u16 capab;
5720 u8 *pos;
5721 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
5722
5723 /* RSNIE[PMKR0Name/PMKR1Name] */
5724 rsnie = wpabuf_put(buf, sizeof(*rsnie));
5725 rsnie->elem_id = WLAN_EID_RSN;
5726 WPA_PUT_LE16(rsnie->version, RSN_VERSION);
5727
5728 /* Group Suite Selector */
5729 if (!wpa_cipher_valid_group(sm->group_cipher)) {
5730 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
5731 sm->group_cipher);
5732 return -1;
5733 }
5734 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
5735 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
5736 sm->group_cipher));
5737
5738 /* Pairwise Suite Count */
5739 wpabuf_put_le16(buf, 1);
5740
5741 /* Pairwise Suite List */
5742 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
5743 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
5744 sm->pairwise_cipher);
5745 return -1;
5746 }
5747 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
5748 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
5749 sm->pairwise_cipher));
5750
5751 /* Authenticated Key Management Suite Count */
5752 wpabuf_put_le16(buf, 1);
5753
5754 /* Authenticated Key Management Suite List */
5755 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
5756 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
5757 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
5758 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384)
5759 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
5760 else {
5761 wpa_printf(MSG_WARNING,
5762 "FILS+FT: Invalid key management type (%d)",
5763 sm->key_mgmt);
5764 return -1;
5765 }
5766
5767 /* RSN Capabilities */
5768 capab = 0;
5769 if (sm->mfp)
5770 capab |= WPA_CAPABILITY_MFPC;
5771 if (sm->mfp == 2)
5772 capab |= WPA_CAPABILITY_MFPR;
5773 if (sm->ocv)
5774 capab |= WPA_CAPABILITY_OCVC;
5775 if (sm->ext_key_id)
5776 capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST;
5777 wpabuf_put_le16(buf, capab);
5778
5779 /* PMKID Count */
5780 wpabuf_put_le16(buf, 1);
5781
5782 /* PMKID List [PMKR1Name] */
5783 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)",
5784 sm->fils_ft, sm->fils_ft_len);
5785 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len);
5786 wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID",
5787 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
5788 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
5789 sm->r0kh_id, sm->r0kh_id_len);
5790 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid,
5791 sm->ssid_len, sm->mobility_domain,
5792 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
5793 sm->pmk_r0, sm->pmk_r0_name, sm->key_mgmt) < 0) {
5794 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0");
5795 return -1;
5796 }
5797 if (wpa_key_mgmt_sae_ext_key(sm->key_mgmt))
5798 sm->pmk_r0_len = sm->fils_ft_len;
5799 else
5800 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
5801 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR,
5802 MAC2STR(sm->r1kh_id));
5803 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
5804 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
5805 sm->pmk_r1_name, sm->fils_ft_len) < 0) {
5806 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
5807 return -1;
5808 }
5809 os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN);
5810
5811 os_memcpy(sm->key_mobility_domain, sm->mobility_domain,
5812 MOBILITY_DOMAIN_ID_LEN);
5813
5814 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
5815 /* Management Group Cipher Suite */
5816 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
5817 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
5818 }
5819
5820 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2;
5821 return 0;
5822 }
5823 #endif /* CONFIG_IEEE80211R */
5824
5825
fils_build_assoc_req(struct wpa_sm * sm,const u8 ** kek,size_t * kek_len,const u8 ** snonce,const u8 ** anonce,const struct wpabuf ** hlp,unsigned int num_hlp)5826 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
5827 size_t *kek_len, const u8 **snonce,
5828 const u8 **anonce,
5829 const struct wpabuf **hlp,
5830 unsigned int num_hlp)
5831 {
5832 struct wpabuf *buf;
5833 size_t len;
5834 unsigned int i;
5835
5836 len = 1000;
5837 #ifdef CONFIG_IEEE80211R
5838 if (sm->fils_ft_ies)
5839 len += wpabuf_len(sm->fils_ft_ies);
5840 if (wpa_key_mgmt_ft(sm->key_mgmt))
5841 len += 256;
5842 #endif /* CONFIG_IEEE80211R */
5843 for (i = 0; hlp && i < num_hlp; i++)
5844 len += 10 + wpabuf_len(hlp[i]);
5845 buf = wpabuf_alloc(len);
5846 if (!buf)
5847 return NULL;
5848
5849 #ifdef CONFIG_IEEE80211R
5850 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
5851 /* MDE and FTE when using FILS+FT */
5852 wpabuf_put_buf(buf, sm->fils_ft_ies);
5853 /* RSNE with PMKR1Name in PMKID field */
5854 if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) {
5855 wpabuf_free(buf);
5856 return NULL;
5857 }
5858 }
5859 #endif /* CONFIG_IEEE80211R */
5860
5861 /* FILS Session */
5862 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5863 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
5864 /* Element ID Extension */
5865 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
5866 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
5867
5868 /* Everything after FILS Session element gets encrypted in the driver
5869 * with KEK. The buffer returned from here is the plaintext version. */
5870
5871 /* TODO: FILS Public Key */
5872
5873 /* FILS Key Confirm */
5874 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5875 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
5876 /* Element ID Extension */
5877 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
5878 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
5879
5880 /* FILS HLP Container */
5881 for (i = 0; hlp && i < num_hlp; i++) {
5882 const u8 *pos = wpabuf_head(hlp[i]);
5883 size_t left = wpabuf_len(hlp[i]);
5884
5885 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5886 if (left <= 254)
5887 len = 1 + left;
5888 else
5889 len = 255;
5890 wpabuf_put_u8(buf, len); /* Length */
5891 /* Element ID Extension */
5892 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
5893 /* Destination MAC Address, Source MAC Address, HLP Packet.
5894 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
5895 * header when LPD is used). */
5896 wpabuf_put_data(buf, pos, len - 1);
5897 pos += len - 1;
5898 left -= len - 1;
5899 while (left) {
5900 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
5901 len = left > 255 ? 255 : left;
5902 wpabuf_put_u8(buf, len);
5903 wpabuf_put_data(buf, pos, len);
5904 pos += len;
5905 left -= len;
5906 }
5907 }
5908
5909 /* TODO: FILS IP Address Assignment */
5910
5911 #ifdef CONFIG_OCV
5912 if (wpa_sm_ocv_enabled(sm)) {
5913 struct wpa_channel_info ci;
5914 u8 *pos;
5915
5916 if (wpa_sm_channel_info(sm, &ci) != 0) {
5917 wpa_printf(MSG_WARNING,
5918 "FILS: Failed to get channel info for OCI element");
5919 wpabuf_free(buf);
5920 return NULL;
5921 }
5922 #ifdef CONFIG_TESTING_OPTIONS
5923 if (sm->oci_freq_override_fils_assoc) {
5924 wpa_printf(MSG_INFO,
5925 "TEST: Override OCI KDE frequency %d -> %d MHz",
5926 ci.frequency,
5927 sm->oci_freq_override_fils_assoc);
5928 ci.frequency = sm->oci_freq_override_fils_assoc;
5929 }
5930 #endif /* CONFIG_TESTING_OPTIONS */
5931
5932 pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN);
5933 if (ocv_insert_extended_oci(&ci, pos) < 0) {
5934 wpabuf_free(buf);
5935 return NULL;
5936 }
5937 }
5938 #endif /* CONFIG_OCV */
5939
5940 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
5941
5942 *kek = sm->ptk.kek;
5943 *kek_len = sm->ptk.kek_len;
5944 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
5945 *snonce = sm->fils_nonce;
5946 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
5947 *snonce, FILS_NONCE_LEN);
5948 *anonce = sm->fils_anonce;
5949 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
5950 *anonce, FILS_NONCE_LEN);
5951
5952 return buf;
5953 }
5954
5955
fils_process_hlp_resp(struct wpa_sm * sm,const u8 * resp,size_t len)5956 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
5957 {
5958 const u8 *pos, *end;
5959
5960 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
5961 if (len < 2 * ETH_ALEN)
5962 return;
5963 pos = resp + 2 * ETH_ALEN;
5964 end = resp + len;
5965 if (end - pos >= 6 &&
5966 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
5967 pos += 6; /* Remove SNAP/LLC header */
5968 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
5969 }
5970
5971
fils_process_hlp_container(struct wpa_sm * sm,const u8 * pos,size_t len)5972 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
5973 size_t len)
5974 {
5975 const u8 *end = pos + len;
5976 u8 *tmp, *tmp_pos;
5977
5978 /* Check if there are any FILS HLP Container elements */
5979 while (end - pos >= 2) {
5980 if (2 + pos[1] > end - pos)
5981 return;
5982 if (pos[0] == WLAN_EID_EXTENSION &&
5983 pos[1] >= 1 + 2 * ETH_ALEN &&
5984 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
5985 break;
5986 pos += 2 + pos[1];
5987 }
5988 if (end - pos < 2)
5989 return; /* No FILS HLP Container elements */
5990
5991 tmp = os_malloc(end - pos);
5992 if (!tmp)
5993 return;
5994
5995 while (end - pos >= 2) {
5996 if (2 + pos[1] > end - pos ||
5997 pos[0] != WLAN_EID_EXTENSION ||
5998 pos[1] < 1 + 2 * ETH_ALEN ||
5999 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
6000 break;
6001 tmp_pos = tmp;
6002 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
6003 tmp_pos += pos[1] - 1;
6004 pos += 2 + pos[1];
6005
6006 /* Add possible fragments */
6007 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
6008 2 + pos[1] <= end - pos) {
6009 os_memcpy(tmp_pos, pos + 2, pos[1]);
6010 tmp_pos += pos[1];
6011 pos += 2 + pos[1];
6012 }
6013
6014 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
6015 }
6016
6017 os_free(tmp);
6018 }
6019
6020
fils_process_assoc_resp(struct wpa_sm * sm,const u8 * resp,size_t len)6021 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
6022 {
6023 const struct ieee80211_mgmt *mgmt;
6024 const u8 *end, *ie_start;
6025 struct ieee802_11_elems elems;
6026 int keylen, rsclen;
6027 enum wpa_alg alg;
6028 struct wpa_gtk_data gd;
6029 int maxkeylen;
6030 struct wpa_eapol_ie_parse kde;
6031
6032 if (!sm || !sm->ptk_set) {
6033 wpa_printf(MSG_DEBUG, "FILS: No KEK available");
6034 return -1;
6035 }
6036
6037 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
6038 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
6039 return -1;
6040 }
6041
6042 if (sm->fils_completed) {
6043 wpa_printf(MSG_DEBUG,
6044 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
6045 return -1;
6046 }
6047
6048 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
6049 resp, len);
6050
6051 mgmt = (const struct ieee80211_mgmt *) resp;
6052 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
6053 return -1;
6054
6055 end = resp + len;
6056 /* Same offset for Association Response and Reassociation Response */
6057 ie_start = mgmt->u.assoc_resp.variable;
6058
6059 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
6060 ParseFailed) {
6061 wpa_printf(MSG_DEBUG,
6062 "FILS: Failed to parse decrypted elements");
6063 goto fail;
6064 }
6065
6066 if (!elems.fils_session) {
6067 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
6068 return -1;
6069 }
6070 if (os_memcmp(elems.fils_session, sm->fils_session,
6071 FILS_SESSION_LEN) != 0) {
6072 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
6073 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
6074 elems.fils_session, FILS_SESSION_LEN);
6075 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
6076 sm->fils_session, FILS_SESSION_LEN);
6077 }
6078
6079 if (!elems.rsn_ie) {
6080 wpa_printf(MSG_DEBUG,
6081 "FILS: No RSNE in (Re)Association Response");
6082 /* As an interop workaround, allow this for now since IEEE Std
6083 * 802.11ai-2016 did not include all the needed changes to make
6084 * a FILS AP include RSNE in the frame. This workaround might
6085 * eventually be removed and replaced with rejection (goto fail)
6086 * to follow a strict interpretation of the standard. */
6087 } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
6088 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
6089 elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
6090 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
6091 "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
6092 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
6093 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
6094 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
6095 elems.rsn_ie, elems.rsn_ie_len);
6096 goto fail;
6097 }
6098
6099 /* TODO: FILS Public Key */
6100
6101 if (!elems.fils_key_confirm) {
6102 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
6103 goto fail;
6104 }
6105 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
6106 wpa_printf(MSG_DEBUG,
6107 "FILS: Unexpected Key-Auth length %d (expected %d)",
6108 elems.fils_key_confirm_len,
6109 (int) sm->fils_key_auth_len);
6110 goto fail;
6111 }
6112 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
6113 sm->fils_key_auth_len) != 0) {
6114 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
6115 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
6116 elems.fils_key_confirm,
6117 elems.fils_key_confirm_len);
6118 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
6119 sm->fils_key_auth_ap, sm->fils_key_auth_len);
6120 goto fail;
6121 }
6122
6123 #ifdef CONFIG_OCV
6124 if (wpa_sm_ocv_enabled(sm)) {
6125 struct wpa_channel_info ci;
6126
6127 if (wpa_sm_channel_info(sm, &ci) != 0) {
6128 wpa_printf(MSG_WARNING,
6129 "Failed to get channel info to validate received OCI in FILS (Re)Association Response frame");
6130 goto fail;
6131 }
6132
6133 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
6134 channel_width_to_int(ci.chanwidth),
6135 ci.seg1_idx) != OCI_SUCCESS) {
6136 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
6137 "addr=" MACSTR " frame=fils-assoc error=%s",
6138 MAC2STR(sm->bssid), ocv_errorstr);
6139 goto fail;
6140 }
6141 }
6142 #endif /* CONFIG_OCV */
6143
6144 #ifdef CONFIG_IEEE80211R
6145 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
6146 struct wpa_ie_data rsn;
6147
6148 /* Check that PMKR1Name derived by the AP matches */
6149 if (!elems.rsn_ie ||
6150 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
6151 &rsn) < 0 ||
6152 !rsn.pmkid || rsn.num_pmkid != 1 ||
6153 os_memcmp(rsn.pmkid, sm->pmk_r1_name,
6154 WPA_PMK_NAME_LEN) != 0) {
6155 wpa_printf(MSG_DEBUG,
6156 "FILS+FT: No RSNE[PMKR1Name] match in AssocResp");
6157 goto fail;
6158 }
6159 }
6160 #endif /* CONFIG_IEEE80211R */
6161
6162 /* Key Delivery */
6163 if (!elems.key_delivery) {
6164 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
6165 goto fail;
6166 }
6167
6168 /* Parse GTK and set the key to the driver */
6169 os_memset(&gd, 0, sizeof(gd));
6170 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
6171 elems.key_delivery_len - WPA_KEY_RSC_LEN,
6172 &kde) < 0) {
6173 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
6174 goto fail;
6175 }
6176 if (!kde.gtk) {
6177 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
6178 goto fail;
6179 }
6180 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
6181 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
6182 gd.gtk_len, maxkeylen,
6183 &gd.key_rsc_len, &gd.alg))
6184 goto fail;
6185
6186 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
6187 gd.keyidx = kde.gtk[0] & 0x3;
6188 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
6189 !!(kde.gtk[0] & BIT(2)));
6190 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
6191 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
6192 (unsigned long) kde.gtk_len - 2);
6193 goto fail;
6194 }
6195 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
6196
6197 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
6198 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
6199 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
6200 goto fail;
6201 }
6202
6203 if (ieee80211w_set_keys(sm, &kde) < 0) {
6204 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
6205 goto fail;
6206 }
6207
6208 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
6209 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
6210 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
6211 wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
6212 keylen, (long unsigned int) sm->ptk.tk_len);
6213 goto fail;
6214 }
6215
6216 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
6217 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
6218 sm->ptk.tk, keylen);
6219 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm), 0, 1,
6220 null_rsc, rsclen,
6221 sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE_RX_TX) < 0) {
6222 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
6223 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d auth_addr="
6224 MACSTR ")",
6225 alg, keylen, MAC2STR(wpa_sm_get_auth_addr(sm)));
6226 goto fail;
6227 }
6228
6229 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
6230 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
6231
6232 /* TODO: TK could be cleared after auth frame exchange now that driver
6233 * takes care of association frame encryption/decryption. */
6234 /* TK is not needed anymore in supplicant */
6235 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
6236 sm->ptk.tk_len = 0;
6237 sm->ptk.installed = 1;
6238 sm->tk_set = true;
6239
6240 /* FILS HLP Container */
6241 fils_process_hlp_container(sm, ie_start, end - ie_start);
6242
6243 /* TODO: FILS IP Address Assignment */
6244
6245 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
6246 sm->fils_completed = 1;
6247 forced_memzero(&gd, sizeof(gd));
6248
6249 if (kde.transition_disable)
6250 wpa_sm_transition_disable(sm, kde.transition_disable[0]);
6251
6252 return 0;
6253 fail:
6254 forced_memzero(&gd, sizeof(gd));
6255 return -1;
6256 }
6257
6258
wpa_sm_set_reset_fils_completed(struct wpa_sm * sm,int set)6259 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set)
6260 {
6261 if (sm)
6262 sm->fils_completed = !!set;
6263 }
6264
6265 #endif /* CONFIG_FILS */
6266
6267
wpa_fils_is_completed(struct wpa_sm * sm)6268 int wpa_fils_is_completed(struct wpa_sm *sm)
6269 {
6270 #ifdef CONFIG_FILS
6271 return sm && sm->fils_completed;
6272 #else /* CONFIG_FILS */
6273 return 0;
6274 #endif /* CONFIG_FILS */
6275 }
6276
6277
6278 #ifdef CONFIG_OWE
6279
owe_build_assoc_req(struct wpa_sm * sm,u16 group)6280 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group)
6281 {
6282 struct wpabuf *ie = NULL, *pub = NULL;
6283 size_t prime_len;
6284
6285 if (group == 19)
6286 prime_len = 32;
6287 else if (group == 20)
6288 prime_len = 48;
6289 else if (group == 21)
6290 prime_len = 66;
6291 else
6292 return NULL;
6293
6294 crypto_ecdh_deinit(sm->owe_ecdh);
6295 sm->owe_ecdh = crypto_ecdh_init(group);
6296 if (!sm->owe_ecdh)
6297 goto fail;
6298 sm->owe_group = group;
6299 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
6300 pub = wpabuf_zeropad(pub, prime_len);
6301 if (!pub)
6302 goto fail;
6303
6304 ie = wpabuf_alloc(5 + wpabuf_len(pub));
6305 if (!ie)
6306 goto fail;
6307 wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
6308 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
6309 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
6310 wpabuf_put_le16(ie, group);
6311 wpabuf_put_buf(ie, pub);
6312 wpabuf_free(pub);
6313 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
6314 ie);
6315
6316 return ie;
6317 fail:
6318 wpabuf_free(pub);
6319 crypto_ecdh_deinit(sm->owe_ecdh);
6320 sm->owe_ecdh = NULL;
6321 return NULL;
6322 }
6323
6324
owe_process_assoc_resp(struct wpa_sm * sm,const u8 * bssid,const u8 * resp_ies,size_t resp_ies_len)6325 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
6326 const u8 *resp_ies, size_t resp_ies_len)
6327 {
6328 struct ieee802_11_elems elems;
6329 u16 group;
6330 struct wpabuf *secret, *pub, *hkey;
6331 int res;
6332 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
6333 const char *info = "OWE Key Generation";
6334 const u8 *addr[2];
6335 size_t len[2];
6336 size_t hash_len, prime_len;
6337 struct wpa_ie_data data;
6338
6339 if (!resp_ies ||
6340 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
6341 ParseFailed) {
6342 wpa_printf(MSG_INFO,
6343 "OWE: Could not parse Association Response frame elements");
6344 return -1;
6345 }
6346
6347 if (sm->cur_pmksa && elems.rsn_ie &&
6348 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len,
6349 &data) == 0 &&
6350 data.num_pmkid == 1 && data.pmkid &&
6351 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) {
6352 wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching");
6353 wpa_sm_set_pmk_from_pmksa(sm);
6354 return 0;
6355 }
6356
6357 if (!elems.owe_dh) {
6358 wpa_printf(MSG_INFO,
6359 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
6360 return -1;
6361 }
6362
6363 group = WPA_GET_LE16(elems.owe_dh);
6364 if (group != sm->owe_group) {
6365 wpa_printf(MSG_INFO,
6366 "OWE: Unexpected Diffie-Hellman group in response: %u",
6367 group);
6368 return -1;
6369 }
6370
6371 if (!sm->owe_ecdh) {
6372 wpa_printf(MSG_INFO, "OWE: No ECDH state available");
6373 return -1;
6374 }
6375
6376 if (group == 19)
6377 prime_len = 32;
6378 else if (group == 20)
6379 prime_len = 48;
6380 else if (group == 21)
6381 prime_len = 66;
6382 else
6383 return -1;
6384
6385 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
6386 elems.owe_dh + 2,
6387 elems.owe_dh_len - 2);
6388 secret = wpabuf_zeropad(secret, prime_len);
6389 if (!secret) {
6390 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
6391 return -1;
6392 }
6393 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
6394
6395 /* prk = HKDF-extract(C | A | group, z) */
6396
6397 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
6398 if (!pub) {
6399 wpabuf_clear_free(secret);
6400 return -1;
6401 }
6402
6403 /* PMKID = Truncate-128(Hash(C | A)) */
6404 addr[0] = wpabuf_head(pub);
6405 len[0] = wpabuf_len(pub);
6406 addr[1] = elems.owe_dh + 2;
6407 len[1] = elems.owe_dh_len - 2;
6408 if (group == 19) {
6409 res = sha256_vector(2, addr, len, pmkid);
6410 hash_len = SHA256_MAC_LEN;
6411 } else if (group == 20) {
6412 res = sha384_vector(2, addr, len, pmkid);
6413 hash_len = SHA384_MAC_LEN;
6414 } else if (group == 21) {
6415 res = sha512_vector(2, addr, len, pmkid);
6416 hash_len = SHA512_MAC_LEN;
6417 } else {
6418 res = -1;
6419 hash_len = 0;
6420 }
6421 pub = wpabuf_zeropad(pub, prime_len);
6422 if (res < 0 || !pub) {
6423 wpabuf_free(pub);
6424 wpabuf_clear_free(secret);
6425 return -1;
6426 }
6427
6428 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
6429 if (!hkey) {
6430 wpabuf_free(pub);
6431 wpabuf_clear_free(secret);
6432 return -1;
6433 }
6434
6435 wpabuf_put_buf(hkey, pub); /* C */
6436 wpabuf_free(pub);
6437 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
6438 wpabuf_put_le16(hkey, sm->owe_group); /* group */
6439 if (group == 19)
6440 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
6441 wpabuf_head(secret), wpabuf_len(secret), prk);
6442 else if (group == 20)
6443 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
6444 wpabuf_head(secret), wpabuf_len(secret), prk);
6445 else if (group == 21)
6446 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
6447 wpabuf_head(secret), wpabuf_len(secret), prk);
6448 wpabuf_clear_free(hkey);
6449 wpabuf_clear_free(secret);
6450 if (res < 0)
6451 return -1;
6452
6453 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
6454
6455 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
6456
6457 if (group == 19)
6458 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
6459 os_strlen(info), sm->pmk, hash_len);
6460 else if (group == 20)
6461 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
6462 os_strlen(info), sm->pmk, hash_len);
6463 else if (group == 21)
6464 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
6465 os_strlen(info), sm->pmk, hash_len);
6466 forced_memzero(prk, SHA512_MAC_LEN);
6467 if (res < 0) {
6468 sm->pmk_len = 0;
6469 return -1;
6470 }
6471 sm->pmk_len = hash_len;
6472
6473 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
6474 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
6475 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
6476 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
6477 NULL);
6478
6479 return 0;
6480 }
6481
6482 #endif /* CONFIG_OWE */
6483
6484
wpa_sm_set_fils_cache_id(struct wpa_sm * sm,const u8 * fils_cache_id)6485 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id)
6486 {
6487 #ifdef CONFIG_FILS
6488 if (sm && fils_cache_id) {
6489 sm->fils_cache_id_set = 1;
6490 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN);
6491 }
6492 #endif /* CONFIG_FILS */
6493 }
6494
6495
6496 #ifdef CONFIG_DPP2
wpa_sm_set_dpp_z(struct wpa_sm * sm,const struct wpabuf * z)6497 void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z)
6498 {
6499 if (sm) {
6500 wpabuf_clear_free(sm->dpp_z);
6501 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
6502 }
6503 }
6504 #endif /* CONFIG_DPP2 */
6505
6506
6507 #ifdef CONFIG_PASN
6508
wpa_pasn_sm_set_caps(struct wpa_sm * sm,unsigned int flags2)6509 void wpa_pasn_sm_set_caps(struct wpa_sm *sm, unsigned int flags2)
6510 {
6511 if (flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_STA)
6512 sm->secure_ltf = 1;
6513 if (flags2 & WPA_DRIVER_FLAGS2_SEC_RTT_STA)
6514 sm->secure_rtt = 1;
6515 if (flags2 & WPA_DRIVER_FLAGS2_PROT_RANGE_NEG_STA)
6516 sm->prot_range_neg = 1;
6517 }
6518
6519 #endif /* CONFIG_PASN */
6520
6521
wpa_sm_pmksa_cache_reconfig(struct wpa_sm * sm)6522 void wpa_sm_pmksa_cache_reconfig(struct wpa_sm *sm)
6523 {
6524 if (sm)
6525 pmksa_cache_reconfig(sm->pmksa);
6526 }
6527
6528
wpa_sm_get_pmksa_cache(struct wpa_sm * sm)6529 struct rsn_pmksa_cache * wpa_sm_get_pmksa_cache(struct wpa_sm *sm)
6530 {
6531 return sm ? sm->pmksa : NULL;
6532 }
6533
6534
wpa_sm_set_cur_pmksa(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)6535 void wpa_sm_set_cur_pmksa(struct wpa_sm *sm,
6536 struct rsn_pmksa_cache_entry *entry)
6537 {
6538 if (sm)
6539 sm->cur_pmksa = entry;
6540 }
6541