1 /*
2 * IEEE 802.11 RSN / WPA Authenticator
3 * Copyright (c) 2004-2022, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/state_machine.h"
14 #include "utils/bitfield.h"
15 #include "common/ieee802_11_defs.h"
16 #include "common/ocv.h"
17 #include "common/dpp.h"
18 #include "common/wpa_ctrl.h"
19 #include "crypto/aes.h"
20 #include "crypto/aes_wrap.h"
21 #include "crypto/aes_siv.h"
22 #include "crypto/crypto.h"
23 #include "crypto/sha1.h"
24 #include "crypto/sha256.h"
25 #include "crypto/sha384.h"
26 #include "crypto/sha512.h"
27 #include "crypto/random.h"
28 #include "eapol_auth/eapol_auth_sm.h"
29 #include "drivers/driver.h"
30 #include "ap_config.h"
31 #include "ieee802_11.h"
32 #include "wpa_auth.h"
33 #include "pmksa_cache_auth.h"
34 #include "wpa_auth_i.h"
35 #include "wpa_auth_ie.h"
36
37 #define STATE_MACHINE_DATA struct wpa_state_machine
38 #define STATE_MACHINE_DEBUG_PREFIX "WPA"
39 #define STATE_MACHINE_ADDR wpa_auth_get_spa(sm)
40
41
42 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
43 static int wpa_sm_step(struct wpa_state_machine *sm);
44 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
45 u8 *data, size_t data_len);
46 #ifdef CONFIG_FILS
47 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
48 u8 *buf, size_t buf_len, u16 *_key_data_len);
49 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
50 const struct wpabuf *hlp);
51 #endif /* CONFIG_FILS */
52 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
53 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
54 struct wpa_group *group);
55 static void wpa_request_new_ptk(struct wpa_state_machine *sm);
56 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
57 struct wpa_group *group);
58 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
59 struct wpa_group *group);
60 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
61 const u8 *pmk, unsigned int pmk_len,
62 struct wpa_ptk *ptk, int force_sha256,
63 u8 *pmk_r0, u8 *pmk_r1, u8 *pmk_r0_name,
64 size_t *key_len);
65 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
66 struct wpa_group *group);
67 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
68 struct wpa_group *group);
69 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
70 struct wpa_group *group);
71 static int ieee80211w_kde_len(struct wpa_state_machine *sm);
72 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
73
74 static const u32 eapol_key_timeout_first = 100; /* ms */
75 static const u32 eapol_key_timeout_subseq = 1000; /* ms */
76 static const u32 eapol_key_timeout_first_group = 500; /* ms */
77 static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
78
79 /* TODO: make these configurable */
80 static const int dot11RSNAConfigPMKLifetime = 43200;
81 static const int dot11RSNAConfigPMKReauthThreshold = 70;
82 static const int dot11RSNAConfigSATimeout = 60;
83
84
wpa_auth_get_aa(const struct wpa_state_machine * sm)85 static const u8 * wpa_auth_get_aa(const struct wpa_state_machine *sm)
86 {
87 return sm->wpa_auth->addr;
88 }
89
90
wpa_auth_get_spa(const struct wpa_state_machine * sm)91 static const u8 * wpa_auth_get_spa(const struct wpa_state_machine *sm)
92 {
93 return sm->addr;
94 }
95
96
wpa_auth_mic_failure_report(struct wpa_authenticator * wpa_auth,const u8 * addr)97 static inline int wpa_auth_mic_failure_report(
98 struct wpa_authenticator *wpa_auth, const u8 *addr)
99 {
100 if (wpa_auth->cb->mic_failure_report)
101 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
102 return 0;
103 }
104
105
wpa_auth_psk_failure_report(struct wpa_authenticator * wpa_auth,const u8 * addr)106 static inline void wpa_auth_psk_failure_report(
107 struct wpa_authenticator *wpa_auth, const u8 *addr)
108 {
109 if (wpa_auth->cb->psk_failure_report)
110 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
111 }
112
113
wpa_auth_set_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var,int value)114 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
115 const u8 *addr, wpa_eapol_variable var,
116 int value)
117 {
118 if (wpa_auth->cb->set_eapol)
119 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
120 }
121
122
wpa_auth_get_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var)123 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
124 const u8 *addr, wpa_eapol_variable var)
125 {
126 if (!wpa_auth->cb->get_eapol)
127 return -1;
128 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
129 }
130
131
wpa_auth_get_psk(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * p2p_dev_addr,const u8 * prev_psk,size_t * psk_len,int * vlan_id)132 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
133 const u8 *addr,
134 const u8 *p2p_dev_addr,
135 const u8 *prev_psk, size_t *psk_len,
136 int *vlan_id)
137 {
138 if (!wpa_auth->cb->get_psk)
139 return NULL;
140 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
141 prev_psk, psk_len, vlan_id);
142 }
143
144
wpa_auth_get_msk(struct wpa_authenticator * wpa_auth,const u8 * addr,u8 * msk,size_t * len)145 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
146 const u8 *addr, u8 *msk, size_t *len)
147 {
148 if (!wpa_auth->cb->get_msk)
149 return -1;
150 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
151 }
152
153
wpa_auth_set_key(struct wpa_authenticator * wpa_auth,int vlan_id,enum wpa_alg alg,const u8 * addr,int idx,u8 * key,size_t key_len,enum key_flag key_flag)154 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
155 int vlan_id,
156 enum wpa_alg alg, const u8 *addr, int idx,
157 u8 *key, size_t key_len,
158 enum key_flag key_flag)
159 {
160 if (!wpa_auth->cb->set_key)
161 return -1;
162 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
163 key, key_len, key_flag);
164 }
165
166
167 #ifdef CONFIG_PASN
wpa_auth_set_ltf_keyseed(struct wpa_authenticator * wpa_auth,const u8 * peer_addr,const u8 * ltf_keyseed,size_t ltf_keyseed_len)168 static inline int wpa_auth_set_ltf_keyseed(struct wpa_authenticator *wpa_auth,
169 const u8 *peer_addr,
170 const u8 *ltf_keyseed,
171 size_t ltf_keyseed_len)
172 {
173 if (!wpa_auth->cb->set_ltf_keyseed)
174 return -1;
175 return wpa_auth->cb->set_ltf_keyseed(wpa_auth->cb_ctx, peer_addr,
176 ltf_keyseed, ltf_keyseed_len);
177 }
178 #endif /* CONFIG_PASN */
179
180
wpa_auth_get_seqnum(struct wpa_authenticator * wpa_auth,const u8 * addr,int idx,u8 * seq)181 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
182 const u8 *addr, int idx, u8 *seq)
183 {
184 int res;
185
186 if (!wpa_auth->cb->get_seqnum)
187 return -1;
188 res = wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
189 #ifdef CONFIG_TESTING_OPTIONS
190 if (!addr && idx < 4 && wpa_auth->conf.gtk_rsc_override_set) {
191 wpa_printf(MSG_DEBUG,
192 "TESTING: Override GTK RSC %016llx --> %016llx",
193 (long long unsigned) WPA_GET_LE64(seq),
194 (long long unsigned)
195 WPA_GET_LE64(wpa_auth->conf.gtk_rsc_override));
196 os_memcpy(seq, wpa_auth->conf.gtk_rsc_override,
197 WPA_KEY_RSC_LEN);
198 }
199 if (!addr && idx >= 4 && idx <= 5 &&
200 wpa_auth->conf.igtk_rsc_override_set) {
201 wpa_printf(MSG_DEBUG,
202 "TESTING: Override IGTK RSC %016llx --> %016llx",
203 (long long unsigned) WPA_GET_LE64(seq),
204 (long long unsigned)
205 WPA_GET_LE64(wpa_auth->conf.igtk_rsc_override));
206 os_memcpy(seq, wpa_auth->conf.igtk_rsc_override,
207 WPA_KEY_RSC_LEN);
208 }
209 #endif /* CONFIG_TESTING_OPTIONS */
210 return res;
211 }
212
213
214 static inline int
wpa_auth_send_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * data,size_t data_len,int encrypt)215 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
216 const u8 *data, size_t data_len, int encrypt)
217 {
218 if (!wpa_auth->cb->send_eapol)
219 return -1;
220 #ifdef CONFIG_TESTING_OPTIONS
221 if (wpa_auth->conf.skip_send_eapol)
222 return 0;
223 #endif
224 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
225 encrypt);
226 }
227
228
229 #ifdef CONFIG_MESH
wpa_auth_start_ampe(struct wpa_authenticator * wpa_auth,const u8 * addr)230 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
231 const u8 *addr)
232 {
233 if (!wpa_auth->cb->start_ampe)
234 return -1;
235 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
236 }
237 #endif /* CONFIG_MESH */
238
239
wpa_auth_for_each_sta(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_state_machine * sm,void * ctx),void * cb_ctx)240 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
241 int (*cb)(struct wpa_state_machine *sm, void *ctx),
242 void *cb_ctx)
243 {
244 if (!wpa_auth->cb->for_each_sta)
245 return 0;
246 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
247 }
248
249
wpa_auth_for_each_auth(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_authenticator * a,void * ctx),void * cb_ctx)250 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
251 int (*cb)(struct wpa_authenticator *a, void *ctx),
252 void *cb_ctx)
253 {
254 if (!wpa_auth->cb->for_each_auth)
255 return 0;
256 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
257 }
258
259
wpa_auth_store_ptksa(struct wpa_authenticator * wpa_auth,const u8 * addr,int cipher,u32 life_time,const struct wpa_ptk * ptk)260 void wpa_auth_store_ptksa(struct wpa_authenticator *wpa_auth,
261 const u8 *addr, int cipher,
262 u32 life_time, const struct wpa_ptk *ptk)
263 {
264 if (wpa_auth->cb->store_ptksa)
265 wpa_auth->cb->store_ptksa(wpa_auth->cb_ctx, addr, cipher,
266 life_time, ptk);
267 }
268
269
wpa_auth_remove_ptksa(struct wpa_authenticator * wpa_auth,const u8 * addr,int cipher)270 static void wpa_auth_remove_ptksa(struct wpa_authenticator *wpa_auth,
271 const u8 *addr, int cipher)
272 {
273 if (wpa_auth->cb->clear_ptksa)
274 wpa_auth->cb->clear_ptksa(wpa_auth->cb_ctx, addr, cipher);
275 }
276
277
wpa_auth_logger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * txt)278 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
279 logger_level level, const char *txt)
280 {
281 if (!wpa_auth->cb->logger)
282 return;
283 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
284 }
285
286
wpa_auth_vlogger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * fmt,...)287 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
288 logger_level level, const char *fmt, ...)
289 {
290 char *format;
291 int maxlen;
292 va_list ap;
293
294 if (!wpa_auth->cb->logger)
295 return;
296
297 maxlen = os_strlen(fmt) + 100;
298 format = os_malloc(maxlen);
299 if (!format)
300 return;
301
302 va_start(ap, fmt);
303 vsnprintf(format, maxlen, fmt, ap);
304 va_end(ap);
305
306 wpa_auth_logger(wpa_auth, addr, level, format);
307
308 os_free(format);
309 }
310
311
wpa_sta_disconnect(struct wpa_authenticator * wpa_auth,const u8 * addr,u16 reason)312 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
313 const u8 *addr, u16 reason)
314 {
315 if (!wpa_auth->cb->disconnect)
316 return;
317 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)",
318 MAC2STR(addr), reason);
319 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason);
320 }
321
322
323 #ifdef CONFIG_OCV
wpa_channel_info(struct wpa_authenticator * wpa_auth,struct wpa_channel_info * ci)324 static int wpa_channel_info(struct wpa_authenticator *wpa_auth,
325 struct wpa_channel_info *ci)
326 {
327 if (!wpa_auth->cb->channel_info)
328 return -1;
329 return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci);
330 }
331 #endif /* CONFIG_OCV */
332
333
wpa_auth_update_vlan(struct wpa_authenticator * wpa_auth,const u8 * addr,int vlan_id)334 static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth,
335 const u8 *addr, int vlan_id)
336 {
337 if (!wpa_auth->cb->update_vlan)
338 return -1;
339 return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id);
340 }
341
342
wpa_rekey_gmk(void * eloop_ctx,void * timeout_ctx)343 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
344 {
345 struct wpa_authenticator *wpa_auth = eloop_ctx;
346
347 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
348 wpa_printf(MSG_ERROR,
349 "Failed to get random data for WPA initialization.");
350 } else {
351 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
352 wpa_hexdump_key(MSG_DEBUG, "GMK",
353 wpa_auth->group->GMK, WPA_GMK_LEN);
354 }
355
356 if (wpa_auth->conf.wpa_gmk_rekey) {
357 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
358 wpa_rekey_gmk, wpa_auth, NULL);
359 }
360 }
361
362
wpa_rekey_gtk(void * eloop_ctx,void * timeout_ctx)363 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
364 {
365 struct wpa_authenticator *wpa_auth = eloop_ctx;
366 struct wpa_group *group, *next;
367
368 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
369 group = wpa_auth->group;
370 while (group) {
371 wpa_group_get(wpa_auth, group);
372
373 group->GTKReKey = true;
374 do {
375 group->changed = false;
376 wpa_group_sm_step(wpa_auth, group);
377 } while (group->changed);
378
379 next = group->next;
380 wpa_group_put(wpa_auth, group);
381 group = next;
382 }
383
384 if (wpa_auth->conf.wpa_group_rekey) {
385 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
386 0, wpa_rekey_gtk, wpa_auth, NULL);
387 }
388 }
389
390
wpa_rekey_ptk(void * eloop_ctx,void * timeout_ctx)391 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
392 {
393 struct wpa_authenticator *wpa_auth = eloop_ctx;
394 struct wpa_state_machine *sm = timeout_ctx;
395
396 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
397 "rekeying PTK");
398 wpa_request_new_ptk(sm);
399 wpa_sm_step(sm);
400 }
401
402
wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine * sm)403 void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine *sm)
404 {
405 if (sm && sm->wpa_auth->conf.wpa_ptk_rekey) {
406 wpa_printf(MSG_DEBUG, "WPA: Start PTK rekeying timer for "
407 MACSTR " (%d seconds)",
408 MAC2STR(wpa_auth_get_spa(sm)),
409 sm->wpa_auth->conf.wpa_ptk_rekey);
410 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
411 eloop_register_timeout(sm->wpa_auth->conf.wpa_ptk_rekey, 0,
412 wpa_rekey_ptk, sm->wpa_auth, sm);
413 }
414 }
415
416
wpa_auth_pmksa_clear_cb(struct wpa_state_machine * sm,void * ctx)417 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
418 {
419 if (sm->pmksa == ctx)
420 sm->pmksa = NULL;
421 return 0;
422 }
423
424
wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)425 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
426 void *ctx)
427 {
428 struct wpa_authenticator *wpa_auth = ctx;
429 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
430 }
431
432
wpa_group_init_gmk_and_counter(struct wpa_authenticator * wpa_auth,struct wpa_group * group)433 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
434 struct wpa_group *group)
435 {
436 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
437 u8 rkey[32];
438 unsigned long ptr;
439
440 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
441 return -1;
442 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
443
444 /*
445 * Counter = PRF-256(Random number, "Init Counter",
446 * Local MAC Address || Time)
447 */
448 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
449 wpa_get_ntp_timestamp(buf + ETH_ALEN);
450 ptr = (unsigned long) group;
451 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
452 #ifdef TEST_FUZZ
453 os_memset(buf + ETH_ALEN, 0xab, 8);
454 os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr));
455 #endif /* TEST_FUZZ */
456 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
457 return -1;
458
459 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
460 group->Counter, WPA_NONCE_LEN) < 0)
461 return -1;
462 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
463 group->Counter, WPA_NONCE_LEN);
464
465 return 0;
466 }
467
468
wpa_group_init(struct wpa_authenticator * wpa_auth,int vlan_id,int delay_init)469 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
470 int vlan_id, int delay_init)
471 {
472 struct wpa_group *group;
473
474 group = os_zalloc(sizeof(struct wpa_group));
475 if (!group)
476 return NULL;
477
478 group->GTKAuthenticator = true;
479 group->vlan_id = vlan_id;
480 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
481
482 if (random_pool_ready() != 1) {
483 wpa_printf(MSG_INFO,
484 "WPA: Not enough entropy in random pool for secure operations - update keys later when the first station connects");
485 }
486
487 /*
488 * Set initial GMK/Counter value here. The actual values that will be
489 * used in negotiations will be set once the first station tries to
490 * connect. This allows more time for collecting additional randomness
491 * on embedded devices.
492 */
493 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
494 wpa_printf(MSG_ERROR,
495 "Failed to get random data for WPA initialization.");
496 os_free(group);
497 return NULL;
498 }
499
500 group->GInit = true;
501 if (delay_init) {
502 wpa_printf(MSG_DEBUG,
503 "WPA: Delay group state machine start until Beacon frames have been configured");
504 /* Initialization is completed in wpa_init_keys(). */
505 } else {
506 wpa_group_sm_step(wpa_auth, group);
507 group->GInit = false;
508 wpa_group_sm_step(wpa_auth, group);
509 }
510
511 return group;
512 }
513
514
515 /**
516 * wpa_init - Initialize WPA authenticator
517 * @addr: Authenticator address
518 * @conf: Configuration for WPA authenticator
519 * @cb: Callback functions for WPA authenticator
520 * Returns: Pointer to WPA authenticator data or %NULL on failure
521 */
wpa_init(const u8 * addr,struct wpa_auth_config * conf,const struct wpa_auth_callbacks * cb,void * cb_ctx)522 struct wpa_authenticator * wpa_init(const u8 *addr,
523 struct wpa_auth_config *conf,
524 const struct wpa_auth_callbacks *cb,
525 void *cb_ctx)
526 {
527 struct wpa_authenticator *wpa_auth;
528
529 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
530 if (!wpa_auth)
531 return NULL;
532 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
533 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
534 wpa_auth->cb = cb;
535 wpa_auth->cb_ctx = cb_ctx;
536
537 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
538 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
539 os_free(wpa_auth);
540 return NULL;
541 }
542
543 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
544 if (!wpa_auth->group) {
545 os_free(wpa_auth->wpa_ie);
546 os_free(wpa_auth);
547 return NULL;
548 }
549
550 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
551 wpa_auth);
552 if (!wpa_auth->pmksa) {
553 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
554 os_free(wpa_auth->group);
555 os_free(wpa_auth->wpa_ie);
556 os_free(wpa_auth);
557 return NULL;
558 }
559
560 #ifdef CONFIG_IEEE80211R_AP
561 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
562 if (!wpa_auth->ft_pmk_cache) {
563 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
564 os_free(wpa_auth->group);
565 os_free(wpa_auth->wpa_ie);
566 pmksa_cache_auth_deinit(wpa_auth->pmksa);
567 os_free(wpa_auth);
568 return NULL;
569 }
570 #endif /* CONFIG_IEEE80211R_AP */
571
572 if (wpa_auth->conf.wpa_gmk_rekey) {
573 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
574 wpa_rekey_gmk, wpa_auth, NULL);
575 }
576
577 if (wpa_auth->conf.wpa_group_rekey) {
578 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
579 wpa_rekey_gtk, wpa_auth, NULL);
580 }
581
582 #ifdef CONFIG_P2P
583 if (WPA_GET_BE32(conf->ip_addr_start)) {
584 int count = WPA_GET_BE32(conf->ip_addr_end) -
585 WPA_GET_BE32(conf->ip_addr_start) + 1;
586 if (count > 1000)
587 count = 1000;
588 if (count > 0)
589 wpa_auth->ip_pool = bitfield_alloc(count);
590 }
591 #endif /* CONFIG_P2P */
592
593 return wpa_auth;
594 }
595
596
wpa_init_keys(struct wpa_authenticator * wpa_auth)597 int wpa_init_keys(struct wpa_authenticator *wpa_auth)
598 {
599 struct wpa_group *group = wpa_auth->group;
600
601 wpa_printf(MSG_DEBUG,
602 "WPA: Start group state machine to set initial keys");
603 wpa_group_sm_step(wpa_auth, group);
604 group->GInit = false;
605 wpa_group_sm_step(wpa_auth, group);
606 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
607 return -1;
608 return 0;
609 }
610
611
612 /**
613 * wpa_deinit - Deinitialize WPA authenticator
614 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
615 */
wpa_deinit(struct wpa_authenticator * wpa_auth)616 void wpa_deinit(struct wpa_authenticator *wpa_auth)
617 {
618 struct wpa_group *group, *prev;
619
620 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
621 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
622
623 pmksa_cache_auth_deinit(wpa_auth->pmksa);
624
625 #ifdef CONFIG_IEEE80211R_AP
626 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
627 wpa_auth->ft_pmk_cache = NULL;
628 wpa_ft_deinit(wpa_auth);
629 #endif /* CONFIG_IEEE80211R_AP */
630
631 #ifdef CONFIG_P2P
632 bitfield_free(wpa_auth->ip_pool);
633 #endif /* CONFIG_P2P */
634
635
636 os_free(wpa_auth->wpa_ie);
637
638 group = wpa_auth->group;
639 while (group) {
640 prev = group;
641 group = group->next;
642 bin_clear_free(prev, sizeof(*prev));
643 }
644
645 os_free(wpa_auth);
646 }
647
648
649 /**
650 * wpa_reconfig - Update WPA authenticator configuration
651 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
652 * @conf: Configuration for WPA authenticator
653 */
wpa_reconfig(struct wpa_authenticator * wpa_auth,struct wpa_auth_config * conf)654 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
655 struct wpa_auth_config *conf)
656 {
657 struct wpa_group *group;
658
659 if (!wpa_auth)
660 return 0;
661
662 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
663 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
664 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
665 return -1;
666 }
667
668 /*
669 * Reinitialize GTK to make sure it is suitable for the new
670 * configuration.
671 */
672 group = wpa_auth->group;
673 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
674 group->GInit = true;
675 wpa_group_sm_step(wpa_auth, group);
676 group->GInit = false;
677 wpa_group_sm_step(wpa_auth, group);
678
679 return 0;
680 }
681
682
683 struct wpa_state_machine *
wpa_auth_sta_init(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * p2p_dev_addr)684 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
685 const u8 *p2p_dev_addr)
686 {
687 struct wpa_state_machine *sm;
688
689 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
690 return NULL;
691
692 sm = os_zalloc(sizeof(struct wpa_state_machine));
693 if (!sm)
694 return NULL;
695 os_memcpy(sm->addr, addr, ETH_ALEN);
696 if (p2p_dev_addr)
697 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
698
699 sm->wpa_auth = wpa_auth;
700 sm->group = wpa_auth->group;
701 wpa_group_get(sm->wpa_auth, sm->group);
702
703 return sm;
704 }
705
706
wpa_auth_sta_associated(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm)707 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
708 struct wpa_state_machine *sm)
709 {
710 if (!wpa_auth || !wpa_auth->conf.wpa || !sm)
711 return -1;
712
713 #ifdef CONFIG_IEEE80211R_AP
714 if (sm->ft_completed) {
715 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
716 "FT authentication already completed - do not start 4-way handshake");
717 /* Go to PTKINITDONE state to allow GTK rekeying */
718 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
719 sm->Pair = true;
720 return 0;
721 }
722 #endif /* CONFIG_IEEE80211R_AP */
723
724 #ifdef CONFIG_FILS
725 if (sm->fils_completed) {
726 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
727 "FILS authentication already completed - do not start 4-way handshake");
728 /* Go to PTKINITDONE state to allow GTK rekeying */
729 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
730 sm->Pair = true;
731 return 0;
732 }
733 #endif /* CONFIG_FILS */
734
735 if (sm->started) {
736 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
737 sm->ReAuthenticationRequest = true;
738 return wpa_sm_step(sm);
739 }
740
741 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
742 "start authentication");
743 sm->started = 1;
744
745 sm->Init = true;
746 if (wpa_sm_step(sm) == 1)
747 return 1; /* should not really happen */
748 sm->Init = false;
749 sm->AuthenticationRequest = true;
750 return wpa_sm_step(sm);
751 }
752
753
wpa_auth_sta_no_wpa(struct wpa_state_machine * sm)754 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
755 {
756 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
757 * reassociates back to the same AP while the previous entry for the
758 * STA has not yet been removed. */
759 if (!sm)
760 return;
761
762 sm->wpa_key_mgmt = 0;
763 }
764
765
wpa_free_sta_sm(struct wpa_state_machine * sm)766 static void wpa_free_sta_sm(struct wpa_state_machine *sm)
767 {
768 #ifdef CONFIG_P2P
769 if (WPA_GET_BE32(sm->ip_addr)) {
770 wpa_printf(MSG_DEBUG,
771 "P2P: Free assigned IP address %u.%u.%u.%u from "
772 MACSTR " (bit %u)",
773 sm->ip_addr[0], sm->ip_addr[1],
774 sm->ip_addr[2], sm->ip_addr[3],
775 MAC2STR(wpa_auth_get_spa(sm)),
776 sm->ip_addr_bit);
777 bitfield_clear(sm->wpa_auth->ip_pool, sm->ip_addr_bit);
778 }
779 #endif /* CONFIG_P2P */
780 if (sm->GUpdateStationKeys) {
781 sm->group->GKeyDoneStations--;
782 sm->GUpdateStationKeys = false;
783 }
784 #ifdef CONFIG_IEEE80211R_AP
785 os_free(sm->assoc_resp_ftie);
786 wpabuf_free(sm->ft_pending_req_ies);
787 #endif /* CONFIG_IEEE80211R_AP */
788 os_free(sm->last_rx_eapol_key);
789 os_free(sm->wpa_ie);
790 os_free(sm->rsnxe);
791 wpa_group_put(sm->wpa_auth, sm->group);
792 #ifdef CONFIG_DPP2
793 wpabuf_clear_free(sm->dpp_z);
794 #endif /* CONFIG_DPP2 */
795 bin_clear_free(sm, sizeof(*sm));
796 }
797
798
wpa_auth_sta_deinit(struct wpa_state_machine * sm)799 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
800 {
801 struct wpa_authenticator *wpa_auth;
802
803 if (!sm)
804 return;
805
806 wpa_auth = sm->wpa_auth;
807 if (wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
808 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
809 "strict rekeying - force GTK rekey since STA is leaving");
810 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk,
811 wpa_auth, NULL) == -1)
812 eloop_register_timeout(0, 500000, wpa_rekey_gtk,
813 wpa_auth, NULL);
814 }
815
816 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
817 sm->pending_1_of_4_timeout = 0;
818 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
819 eloop_cancel_timeout(wpa_rekey_ptk, wpa_auth, sm);
820 #ifdef CONFIG_IEEE80211R_AP
821 wpa_ft_sta_deinit(sm);
822 #endif /* CONFIG_IEEE80211R_AP */
823 if (sm->in_step_loop) {
824 /* Must not free state machine while wpa_sm_step() is running.
825 * Freeing will be completed in the end of wpa_sm_step(). */
826 wpa_printf(MSG_DEBUG,
827 "WPA: Registering pending STA state machine deinit for "
828 MACSTR, MAC2STR(wpa_auth_get_spa(sm)));
829 sm->pending_deinit = 1;
830 } else
831 wpa_free_sta_sm(sm);
832 }
833
834
wpa_request_new_ptk(struct wpa_state_machine * sm)835 static void wpa_request_new_ptk(struct wpa_state_machine *sm)
836 {
837 if (!sm)
838 return;
839
840 if (!sm->use_ext_key_id && sm->wpa_auth->conf.wpa_deny_ptk0_rekey) {
841 wpa_printf(MSG_INFO,
842 "WPA: PTK0 rekey not allowed, disconnect " MACSTR,
843 MAC2STR(wpa_auth_get_spa(sm)));
844 sm->Disconnect = true;
845 /* Try to encourage the STA to reconnect */
846 sm->disconnect_reason =
847 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA;
848 } else {
849 if (sm->use_ext_key_id)
850 sm->keyidx_active ^= 1; /* flip Key ID */
851 sm->PTKRequest = true;
852 sm->PTK_valid = 0;
853 }
854 }
855
856
wpa_replay_counter_valid(struct wpa_key_replay_counter * ctr,const u8 * replay_counter)857 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
858 const u8 *replay_counter)
859 {
860 int i;
861 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
862 if (!ctr[i].valid)
863 break;
864 if (os_memcmp(replay_counter, ctr[i].counter,
865 WPA_REPLAY_COUNTER_LEN) == 0)
866 return 1;
867 }
868 return 0;
869 }
870
871
wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter * ctr,const u8 * replay_counter)872 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
873 const u8 *replay_counter)
874 {
875 int i;
876 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
877 if (ctr[i].valid &&
878 (!replay_counter ||
879 os_memcmp(replay_counter, ctr[i].counter,
880 WPA_REPLAY_COUNTER_LEN) == 0))
881 ctr[i].valid = false;
882 }
883 }
884
885
886 #ifdef CONFIG_IEEE80211R_AP
ft_check_msg_2_of_4(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,struct wpa_eapol_ie_parse * kde)887 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
888 struct wpa_state_machine *sm,
889 struct wpa_eapol_ie_parse *kde)
890 {
891 struct wpa_ie_data ie;
892 struct rsn_mdie *mdie;
893
894 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
895 ie.num_pmkid != 1 || !ie.pmkid) {
896 wpa_printf(MSG_DEBUG,
897 "FT: No PMKR1Name in FT 4-way handshake message 2/4");
898 return -1;
899 }
900
901 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
902 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
903 sm->sup_pmk_r1_name, PMKID_LEN);
904
905 if (!kde->mdie || !kde->ftie) {
906 wpa_printf(MSG_DEBUG,
907 "FT: No %s in FT 4-way handshake message 2/4",
908 kde->mdie ? "FTIE" : "MDIE");
909 return -1;
910 }
911
912 mdie = (struct rsn_mdie *) (kde->mdie + 2);
913 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
914 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
915 MOBILITY_DOMAIN_ID_LEN) != 0) {
916 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
917 return -1;
918 }
919
920 if (sm->assoc_resp_ftie &&
921 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
922 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
923 2 + sm->assoc_resp_ftie[1]) != 0)) {
924 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
925 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
926 kde->ftie, kde->ftie_len);
927 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
928 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
929 return -1;
930 }
931
932 return 0;
933 }
934 #endif /* CONFIG_IEEE80211R_AP */
935
936
wpa_receive_error_report(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int group)937 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
938 struct wpa_state_machine *sm, int group)
939 {
940 /* Supplicant reported a Michael MIC error */
941 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
942 "received EAPOL-Key Error Request (STA detected Michael MIC failure (group=%d))",
943 group);
944
945 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
946 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
947 "ignore Michael MIC failure report since group cipher is not TKIP");
948 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
949 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
950 "ignore Michael MIC failure report since pairwise cipher is not TKIP");
951 } else {
952 if (wpa_auth_mic_failure_report(wpa_auth,
953 wpa_auth_get_spa(sm)) > 0)
954 return 1; /* STA entry was removed */
955 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
956 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
957 }
958
959 /*
960 * Error report is not a request for a new key handshake, but since
961 * Authenticator may do it, let's change the keys now anyway.
962 */
963 wpa_request_new_ptk(sm);
964 return 0;
965 }
966
967
wpa_try_alt_snonce(struct wpa_state_machine * sm,u8 * data,size_t data_len)968 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
969 size_t data_len)
970 {
971 struct wpa_ptk PTK;
972 int ok = 0;
973 const u8 *pmk = NULL;
974 size_t pmk_len;
975 int vlan_id = 0;
976 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
977 u8 pmk_r1[PMK_LEN_MAX];
978 size_t key_len;
979 int ret = -1;
980
981 os_memset(&PTK, 0, sizeof(PTK));
982 for (;;) {
983 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
984 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
985 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
986 sm->p2p_dev_addr, pmk, &pmk_len,
987 &vlan_id);
988 if (!pmk)
989 break;
990 #ifdef CONFIG_IEEE80211R_AP
991 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
992 os_memcpy(sm->xxkey, pmk, pmk_len);
993 sm->xxkey_len = pmk_len;
994 }
995 #endif /* CONFIG_IEEE80211R_AP */
996 } else {
997 pmk = sm->PMK;
998 pmk_len = sm->pmk_len;
999 }
1000
1001 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK, 0,
1002 pmk_r0, pmk_r1, pmk_r0_name, &key_len) < 0)
1003 break;
1004
1005 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
1006 data, data_len) == 0) {
1007 if (sm->PMK != pmk) {
1008 os_memcpy(sm->PMK, pmk, pmk_len);
1009 sm->pmk_len = pmk_len;
1010 }
1011 ok = 1;
1012 break;
1013 }
1014
1015 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
1016 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
1017 break;
1018 }
1019
1020 if (!ok) {
1021 wpa_printf(MSG_DEBUG,
1022 "WPA: Earlier SNonce did not result in matching MIC");
1023 goto fail;
1024 }
1025
1026 wpa_printf(MSG_DEBUG,
1027 "WPA: Earlier SNonce resulted in matching MIC");
1028 sm->alt_snonce_valid = 0;
1029
1030 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
1031 wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0)
1032 goto fail;
1033
1034 #ifdef CONFIG_IEEE80211R_AP
1035 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) && !sm->ft_completed) {
1036 wpa_printf(MSG_DEBUG, "FT: Store PMK-R0/PMK-R1");
1037 wpa_auth_ft_store_keys(sm, pmk_r0, pmk_r1, pmk_r0_name,
1038 key_len);
1039 }
1040 #endif /* CONFIG_IEEE80211R_AP */
1041
1042 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
1043 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
1044 forced_memzero(&PTK, sizeof(PTK));
1045 sm->PTK_valid = true;
1046
1047 ret = 0;
1048 fail:
1049 forced_memzero(pmk_r0, sizeof(pmk_r0));
1050 forced_memzero(pmk_r1, sizeof(pmk_r1));
1051 return ret;
1052 }
1053
1054
wpa_auth_gtk_rekey_in_process(struct wpa_authenticator * wpa_auth)1055 static bool wpa_auth_gtk_rekey_in_process(struct wpa_authenticator *wpa_auth)
1056 {
1057 struct wpa_group *group;
1058
1059 for (group = wpa_auth->group; group; group = group->next) {
1060 if (group->GKeyDoneStations)
1061 return true;
1062 }
1063 return false;
1064 }
1065
1066
wpa_receive(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,u8 * data,size_t data_len)1067 void wpa_receive(struct wpa_authenticator *wpa_auth,
1068 struct wpa_state_machine *sm,
1069 u8 *data, size_t data_len)
1070 {
1071 struct ieee802_1x_hdr *hdr;
1072 struct wpa_eapol_key *key;
1073 u16 key_info, key_data_length;
1074 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg;
1075 char *msgtxt;
1076 struct wpa_eapol_ie_parse kde;
1077 const u8 *key_data;
1078 size_t keyhdrlen, mic_len;
1079 u8 *mic;
1080
1081 if (!wpa_auth || !wpa_auth->conf.wpa || !sm)
1082 return;
1083 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
1084
1085 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
1086 keyhdrlen = sizeof(*key) + mic_len + 2;
1087
1088 if (data_len < sizeof(*hdr) + keyhdrlen) {
1089 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
1090 return;
1091 }
1092
1093 hdr = (struct ieee802_1x_hdr *) data;
1094 key = (struct wpa_eapol_key *) (hdr + 1);
1095 mic = (u8 *) (key + 1);
1096 key_info = WPA_GET_BE16(key->key_info);
1097 key_data = mic + mic_len + 2;
1098 key_data_length = WPA_GET_BE16(mic + mic_len);
1099 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
1100 " key_info=0x%x type=%u mic_len=%zu key_data_length=%u",
1101 MAC2STR(wpa_auth_get_spa(sm)), key_info, key->type,
1102 mic_len, key_data_length);
1103 wpa_hexdump(MSG_MSGDUMP,
1104 "WPA: EAPOL-Key header (ending before Key MIC)",
1105 key, sizeof(*key));
1106 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
1107 mic, mic_len);
1108 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
1109 wpa_printf(MSG_INFO,
1110 "WPA: Invalid EAPOL-Key frame - key_data overflow (%d > %zu)",
1111 key_data_length,
1112 data_len - sizeof(*hdr) - keyhdrlen);
1113 return;
1114 }
1115
1116 if (sm->wpa == WPA_VERSION_WPA2) {
1117 if (key->type == EAPOL_KEY_TYPE_WPA) {
1118 /*
1119 * Some deployed station implementations seem to send
1120 * msg 4/4 with incorrect type value in WPA2 mode.
1121 */
1122 wpa_printf(MSG_DEBUG,
1123 "Workaround: Allow EAPOL-Key with unexpected WPA type in RSN mode");
1124 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
1125 wpa_printf(MSG_DEBUG,
1126 "Ignore EAPOL-Key with unexpected type %d in RSN mode",
1127 key->type);
1128 return;
1129 }
1130 } else {
1131 if (key->type != EAPOL_KEY_TYPE_WPA) {
1132 wpa_printf(MSG_DEBUG,
1133 "Ignore EAPOL-Key with unexpected type %d in WPA mode",
1134 key->type);
1135 return;
1136 }
1137 }
1138
1139 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
1140 WPA_NONCE_LEN);
1141 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
1142 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1143
1144 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
1145 * are set */
1146
1147 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
1148 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message");
1149 return;
1150 }
1151
1152 if (key_info & WPA_KEY_INFO_REQUEST) {
1153 msg = REQUEST;
1154 msgtxt = "Request";
1155 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
1156 msg = GROUP_2;
1157 msgtxt = "2/2 Group";
1158 } else if (key_data_length == 0 ||
1159 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1160 key_data_length == AES_BLOCK_SIZE)) {
1161 msg = PAIRWISE_4;
1162 msgtxt = "4/4 Pairwise";
1163 } else {
1164 msg = PAIRWISE_2;
1165 msgtxt = "2/4 Pairwise";
1166 }
1167
1168 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1169 msg == GROUP_2) {
1170 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
1171 if (sm->pairwise == WPA_CIPHER_CCMP ||
1172 sm->pairwise == WPA_CIPHER_GCMP) {
1173 if (wpa_use_cmac(sm->wpa_key_mgmt) &&
1174 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1175 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1176 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1177 LOGGER_WARNING,
1178 "advertised support for AES-128-CMAC, but did not use it");
1179 return;
1180 }
1181
1182 if (!wpa_use_cmac(sm->wpa_key_mgmt) &&
1183 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1184 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1185 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1186 LOGGER_WARNING,
1187 "did not use HMAC-SHA1-AES with CCMP/GCMP");
1188 return;
1189 }
1190 }
1191
1192 if (wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1193 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1194 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1195 LOGGER_WARNING,
1196 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1197 return;
1198 }
1199 }
1200
1201 if (key_info & WPA_KEY_INFO_REQUEST) {
1202 if (sm->req_replay_counter_used &&
1203 os_memcmp(key->replay_counter, sm->req_replay_counter,
1204 WPA_REPLAY_COUNTER_LEN) <= 0) {
1205 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1206 LOGGER_WARNING,
1207 "received EAPOL-Key request with replayed counter");
1208 return;
1209 }
1210 }
1211
1212 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
1213 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
1214 int i;
1215
1216 if (msg == PAIRWISE_2 &&
1217 wpa_replay_counter_valid(sm->prev_key_replay,
1218 key->replay_counter) &&
1219 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1220 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1221 {
1222 /*
1223 * Some supplicant implementations (e.g., Windows XP
1224 * WZC) update SNonce for each EAPOL-Key 2/4. This
1225 * breaks the workaround on accepting any of the
1226 * pending requests, so allow the SNonce to be updated
1227 * even if we have already sent out EAPOL-Key 3/4.
1228 */
1229 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1230 LOGGER_DEBUG,
1231 "Process SNonce update from STA based on retransmitted EAPOL-Key 1/4");
1232 sm->update_snonce = 1;
1233 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1234 sm->alt_snonce_valid = true;
1235 os_memcpy(sm->alt_replay_counter,
1236 sm->key_replay[0].counter,
1237 WPA_REPLAY_COUNTER_LEN);
1238 goto continue_processing;
1239 }
1240
1241 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1242 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1243 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1244 WPA_REPLAY_COUNTER_LEN) == 0) {
1245 /*
1246 * Supplicant may still be using the old SNonce since
1247 * there was two EAPOL-Key 2/4 messages and they had
1248 * different SNonce values.
1249 */
1250 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1251 LOGGER_DEBUG,
1252 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
1253 goto continue_processing;
1254 }
1255
1256 if (msg == PAIRWISE_2 &&
1257 wpa_replay_counter_valid(sm->prev_key_replay,
1258 key->replay_counter) &&
1259 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1260 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1261 LOGGER_DEBUG,
1262 "ignore retransmitted EAPOL-Key %s - SNonce did not change",
1263 msgtxt);
1264 } else {
1265 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1266 LOGGER_DEBUG,
1267 "received EAPOL-Key %s with unexpected replay counter",
1268 msgtxt);
1269 }
1270 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1271 if (!sm->key_replay[i].valid)
1272 break;
1273 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1274 sm->key_replay[i].counter,
1275 WPA_REPLAY_COUNTER_LEN);
1276 }
1277 wpa_hexdump(MSG_DEBUG, "received replay counter",
1278 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1279 return;
1280 }
1281
1282 continue_processing:
1283 #ifdef CONFIG_FILS
1284 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1285 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1286 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1287 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1288 return;
1289 }
1290 #endif /* CONFIG_FILS */
1291
1292 switch (msg) {
1293 case PAIRWISE_2:
1294 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
1295 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1296 (!sm->update_snonce ||
1297 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
1298 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1299 LOGGER_INFO,
1300 "received EAPOL-Key msg 2/4 in invalid state (%d) - dropped",
1301 sm->wpa_ptk_state);
1302 return;
1303 }
1304 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
1305 if (sm->group->reject_4way_hs_for_entropy) {
1306 /*
1307 * The system did not have enough entropy to generate
1308 * strong random numbers. Reject the first 4-way
1309 * handshake(s) and collect some entropy based on the
1310 * information from it. Once enough entropy is
1311 * available, the next atempt will trigger GMK/Key
1312 * Counter update and the station will be allowed to
1313 * continue.
1314 */
1315 wpa_printf(MSG_DEBUG,
1316 "WPA: Reject 4-way handshake to collect more entropy for random number generation");
1317 random_mark_pool_ready();
1318 wpa_sta_disconnect(wpa_auth, sm->addr,
1319 WLAN_REASON_PREV_AUTH_NOT_VALID);
1320 return;
1321 }
1322 break;
1323 case PAIRWISE_4:
1324 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1325 !sm->PTK_valid) {
1326 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1327 LOGGER_INFO,
1328 "received EAPOL-Key msg 4/4 in invalid state (%d) - dropped",
1329 sm->wpa_ptk_state);
1330 return;
1331 }
1332 break;
1333 case GROUP_2:
1334 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1335 || !sm->PTK_valid) {
1336 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1337 LOGGER_INFO,
1338 "received EAPOL-Key msg 2/2 in invalid state (%d) - dropped",
1339 sm->wpa_ptk_group_state);
1340 return;
1341 }
1342 break;
1343 case REQUEST:
1344 break;
1345 }
1346
1347 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1348 "received EAPOL-Key frame (%s)", msgtxt);
1349
1350 if (key_info & WPA_KEY_INFO_ACK) {
1351 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1352 "received invalid EAPOL-Key: Key Ack set");
1353 return;
1354 }
1355
1356 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1357 !(key_info & WPA_KEY_INFO_MIC)) {
1358 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1359 "received invalid EAPOL-Key: Key MIC not set");
1360 return;
1361 }
1362
1363 #ifdef CONFIG_FILS
1364 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1365 (key_info & WPA_KEY_INFO_MIC)) {
1366 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1367 "received invalid EAPOL-Key: Key MIC set");
1368 return;
1369 }
1370 #endif /* CONFIG_FILS */
1371
1372 sm->MICVerified = false;
1373 if (sm->PTK_valid && !sm->update_snonce) {
1374 if (mic_len &&
1375 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK,
1376 data, data_len) &&
1377 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1378 wpa_try_alt_snonce(sm, data, data_len))) {
1379 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1380 LOGGER_INFO,
1381 "received EAPOL-Key with invalid MIC");
1382 #ifdef TEST_FUZZ
1383 wpa_printf(MSG_INFO,
1384 "TEST: Ignore Key MIC failure for fuzz testing");
1385 goto continue_fuzz;
1386 #endif /* TEST_FUZZ */
1387 return;
1388 }
1389 #ifdef CONFIG_FILS
1390 if (!mic_len &&
1391 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1392 &key_data_length) < 0) {
1393 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1394 LOGGER_INFO,
1395 "received EAPOL-Key with invalid MIC");
1396 #ifdef TEST_FUZZ
1397 wpa_printf(MSG_INFO,
1398 "TEST: Ignore Key MIC failure for fuzz testing");
1399 goto continue_fuzz;
1400 #endif /* TEST_FUZZ */
1401 return;
1402 }
1403 #endif /* CONFIG_FILS */
1404 #ifdef TEST_FUZZ
1405 continue_fuzz:
1406 #endif /* TEST_FUZZ */
1407 sm->MICVerified = true;
1408 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1409 sm->pending_1_of_4_timeout = 0;
1410 }
1411
1412 if (key_info & WPA_KEY_INFO_REQUEST) {
1413 if (sm->MICVerified) {
1414 sm->req_replay_counter_used = 1;
1415 os_memcpy(sm->req_replay_counter, key->replay_counter,
1416 WPA_REPLAY_COUNTER_LEN);
1417 } else {
1418 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1419 LOGGER_INFO,
1420 "received EAPOL-Key request with invalid MIC");
1421 return;
1422 }
1423
1424 /*
1425 * TODO: should decrypt key data field if encryption was used;
1426 * even though MAC address KDE is not normally encrypted,
1427 * supplicant is allowed to encrypt it.
1428 */
1429 if (key_info & WPA_KEY_INFO_ERROR) {
1430 if (wpa_receive_error_report(
1431 wpa_auth, sm,
1432 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1433 return; /* STA entry was removed */
1434 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1435 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1436 LOGGER_INFO,
1437 "received EAPOL-Key Request for new 4-Way Handshake");
1438 wpa_request_new_ptk(sm);
1439 } else if (key_data_length > 0 &&
1440 wpa_parse_kde_ies(key_data, key_data_length,
1441 &kde) == 0 &&
1442 kde.mac_addr) {
1443 } else {
1444 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1445 LOGGER_INFO,
1446 "received EAPOL-Key Request for GTK rekeying");
1447 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1448 if (wpa_auth_gtk_rekey_in_process(wpa_auth))
1449 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG,
1450 "skip new GTK rekey - already in process");
1451 else
1452 wpa_rekey_gtk(wpa_auth, NULL);
1453 }
1454 } else {
1455 /* Do not allow the same key replay counter to be reused. */
1456 wpa_replay_counter_mark_invalid(sm->key_replay,
1457 key->replay_counter);
1458
1459 if (msg == PAIRWISE_2) {
1460 /*
1461 * Maintain a copy of the pending EAPOL-Key frames in
1462 * case the EAPOL-Key frame was retransmitted. This is
1463 * needed to allow EAPOL-Key msg 2/4 reply to another
1464 * pending msg 1/4 to update the SNonce to work around
1465 * unexpected supplicant behavior.
1466 */
1467 os_memcpy(sm->prev_key_replay, sm->key_replay,
1468 sizeof(sm->key_replay));
1469 } else {
1470 os_memset(sm->prev_key_replay, 0,
1471 sizeof(sm->prev_key_replay));
1472 }
1473
1474 /*
1475 * Make sure old valid counters are not accepted anymore and
1476 * do not get copied again.
1477 */
1478 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1479 }
1480
1481 os_free(sm->last_rx_eapol_key);
1482 sm->last_rx_eapol_key = os_memdup(data, data_len);
1483 if (!sm->last_rx_eapol_key)
1484 return;
1485 sm->last_rx_eapol_key_len = data_len;
1486
1487 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1488 sm->EAPOLKeyReceived = true;
1489 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1490 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1491 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1492 wpa_sm_step(sm);
1493 }
1494
1495
wpa_gmk_to_gtk(const u8 * gmk,const char * label,const u8 * addr,const u8 * gnonce,u8 * gtk,size_t gtk_len)1496 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1497 const u8 *gnonce, u8 *gtk, size_t gtk_len)
1498 {
1499 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN];
1500 u8 *pos;
1501 int ret = 0;
1502
1503 /* GTK = PRF-X(GMK, "Group key expansion",
1504 * AA || GNonce || Time || random data)
1505 * The example described in the IEEE 802.11 standard uses only AA and
1506 * GNonce as inputs here. Add some more entropy since this derivation
1507 * is done only at the Authenticator and as such, does not need to be
1508 * exactly same.
1509 */
1510 os_memset(data, 0, sizeof(data));
1511 os_memcpy(data, addr, ETH_ALEN);
1512 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1513 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1514 wpa_get_ntp_timestamp(pos);
1515 #ifdef TEST_FUZZ
1516 os_memset(pos, 0xef, 8);
1517 #endif /* TEST_FUZZ */
1518 pos += 8;
1519 if (random_get_bytes(pos, gtk_len) < 0)
1520 ret = -1;
1521
1522 #ifdef CONFIG_SHA384
1523 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1524 gtk, gtk_len) < 0)
1525 ret = -1;
1526 #else /* CONFIG_SHA384 */
1527 #ifdef CONFIG_SHA256
1528 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1529 gtk, gtk_len) < 0)
1530 ret = -1;
1531 #else /* CONFIG_SHA256 */
1532 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1533 gtk, gtk_len) < 0)
1534 ret = -1;
1535 #endif /* CONFIG_SHA256 */
1536 #endif /* CONFIG_SHA384 */
1537
1538 forced_memzero(data, sizeof(data));
1539
1540 return ret;
1541 }
1542
1543
wpa_send_eapol_timeout(void * eloop_ctx,void * timeout_ctx)1544 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1545 {
1546 struct wpa_authenticator *wpa_auth = eloop_ctx;
1547 struct wpa_state_machine *sm = timeout_ctx;
1548
1549 if (sm->waiting_radius_psk) {
1550 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1551 "Ignore EAPOL-Key timeout while waiting for RADIUS PSK");
1552 return;
1553 }
1554
1555 sm->pending_1_of_4_timeout = 0;
1556 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1557 "EAPOL-Key timeout");
1558 sm->TimeoutEvt = true;
1559 wpa_sm_step(sm);
1560 }
1561
1562
__wpa_send_eapol(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int key_info,const u8 * key_rsc,const u8 * nonce,const u8 * kde,size_t kde_len,int keyidx,int encr,int force_version)1563 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1564 struct wpa_state_machine *sm, int key_info,
1565 const u8 *key_rsc, const u8 *nonce,
1566 const u8 *kde, size_t kde_len,
1567 int keyidx, int encr, int force_version)
1568 {
1569 struct wpa_auth_config *conf = &wpa_auth->conf;
1570 struct ieee802_1x_hdr *hdr;
1571 struct wpa_eapol_key *key;
1572 size_t len, mic_len, keyhdrlen;
1573 int alg;
1574 int key_data_len, pad_len = 0;
1575 u8 *buf, *pos;
1576 int version, pairwise;
1577 int i;
1578 u8 *key_mic, *key_data;
1579
1580 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
1581 keyhdrlen = sizeof(*key) + mic_len + 2;
1582
1583 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
1584
1585 if (force_version)
1586 version = force_version;
1587 else if (wpa_use_akm_defined(sm->wpa_key_mgmt))
1588 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
1589 else if (wpa_use_cmac(sm->wpa_key_mgmt))
1590 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1591 else if (sm->pairwise != WPA_CIPHER_TKIP)
1592 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1593 else
1594 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1595
1596 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1597
1598 wpa_printf(MSG_DEBUG,
1599 "WPA: Send EAPOL(version=%d secure=%d mic=%d ack=%d install=%d pairwise=%d kde_len=%zu keyidx=%d encr=%d)",
1600 version,
1601 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1602 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1603 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1604 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1605 pairwise, kde_len, keyidx, encr);
1606
1607 key_data_len = kde_len;
1608
1609 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1610 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
1611 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1612 pad_len = key_data_len % 8;
1613 if (pad_len)
1614 pad_len = 8 - pad_len;
1615 key_data_len += pad_len + 8;
1616 }
1617
1618 len += key_data_len;
1619 if (!mic_len && encr)
1620 len += AES_BLOCK_SIZE;
1621
1622 hdr = os_zalloc(len);
1623 if (!hdr)
1624 return;
1625 hdr->version = conf->eapol_version;
1626 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1627 hdr->length = host_to_be16(len - sizeof(*hdr));
1628 key = (struct wpa_eapol_key *) (hdr + 1);
1629 key_mic = (u8 *) (key + 1);
1630 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
1631
1632 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1633 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1634 key_info |= version;
1635 if (encr && sm->wpa == WPA_VERSION_WPA2)
1636 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1637 if (sm->wpa != WPA_VERSION_WPA2)
1638 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1639 WPA_PUT_BE16(key->key_info, key_info);
1640
1641 alg = pairwise ? sm->pairwise : conf->wpa_group;
1642 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise)
1643 WPA_PUT_BE16(key->key_length, 0);
1644 else
1645 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
1646
1647 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1648 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1649 os_memcpy(sm->key_replay[i].counter,
1650 sm->key_replay[i - 1].counter,
1651 WPA_REPLAY_COUNTER_LEN);
1652 }
1653 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1654 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
1655 WPA_REPLAY_COUNTER_LEN);
1656 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1657 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1658 sm->key_replay[0].valid = true;
1659
1660 if (nonce)
1661 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1662
1663 if (key_rsc)
1664 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1665
1666 if (kde && !encr) {
1667 os_memcpy(key_data, kde, kde_len);
1668 WPA_PUT_BE16(key_mic + mic_len, kde_len);
1669 #ifdef CONFIG_FILS
1670 } else if (!mic_len && kde) {
1671 const u8 *aad[1];
1672 size_t aad_len[1];
1673
1674 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1675 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1676 kde, kde_len);
1677
1678 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1679 sm->PTK.kek, sm->PTK.kek_len);
1680 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1681 * to Key Data (exclusive). */
1682 aad[0] = (u8 *) hdr;
1683 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1684 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1685 1, aad, aad_len, key_mic + 2) < 0) {
1686 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1687 return;
1688 }
1689
1690 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1691 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1692 #endif /* CONFIG_FILS */
1693 } else if (encr && kde) {
1694 buf = os_zalloc(key_data_len);
1695 if (!buf) {
1696 os_free(hdr);
1697 return;
1698 }
1699 pos = buf;
1700 os_memcpy(pos, kde, kde_len);
1701 pos += kde_len;
1702
1703 if (pad_len)
1704 *pos++ = 0xdd;
1705
1706 wpa_hexdump_key(MSG_DEBUG,
1707 "Plaintext EAPOL-Key Key Data (+ padding)",
1708 buf, key_data_len);
1709 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1710 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
1711 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1712 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK",
1713 sm->PTK.kek, sm->PTK.kek_len);
1714 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
1715 (key_data_len - 8) / 8, buf, key_data)) {
1716 os_free(hdr);
1717 bin_clear_free(buf, key_data_len);
1718 return;
1719 }
1720 wpa_hexdump(MSG_DEBUG,
1721 "RSN: Encrypted Key Data from AES-WRAP",
1722 key_data, key_data_len);
1723 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
1724 #if !defined(CONFIG_NO_RC4) && !defined(CONFIG_FIPS)
1725 } else if (sm->PTK.kek_len == 16) {
1726 u8 ek[32];
1727
1728 wpa_printf(MSG_DEBUG,
1729 "WPA: Encrypt Key Data using RC4");
1730 os_memcpy(key->key_iv,
1731 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1732 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1733 os_memcpy(ek, key->key_iv, 16);
1734 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
1735 os_memcpy(key_data, buf, key_data_len);
1736 rc4_skip(ek, 32, 256, key_data, key_data_len);
1737 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
1738 #endif /* !(CONFIG_NO_RC4 || CONFIG_FIPS) */
1739 } else {
1740 os_free(hdr);
1741 bin_clear_free(buf, key_data_len);
1742 return;
1743 }
1744 bin_clear_free(buf, key_data_len);
1745 }
1746
1747 if (key_info & WPA_KEY_INFO_MIC) {
1748 if (!sm->PTK_valid || !mic_len) {
1749 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1750 LOGGER_DEBUG,
1751 "PTK not valid when sending EAPOL-Key frame");
1752 os_free(hdr);
1753 return;
1754 }
1755
1756 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1757 sm->wpa_key_mgmt, version,
1758 (u8 *) hdr, len, key_mic) < 0) {
1759 os_free(hdr);
1760 return;
1761 }
1762 #ifdef CONFIG_TESTING_OPTIONS
1763 if (!pairwise &&
1764 conf->corrupt_gtk_rekey_mic_probability > 0.0 &&
1765 drand48() < conf->corrupt_gtk_rekey_mic_probability) {
1766 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1767 LOGGER_INFO,
1768 "Corrupting group EAPOL-Key Key MIC");
1769 key_mic[0]++;
1770 }
1771 #endif /* CONFIG_TESTING_OPTIONS */
1772 }
1773
1774 wpa_auth_set_eapol(wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1);
1775 wpa_hexdump(MSG_DEBUG, "Send EAPOL-Key msg", hdr, len);
1776 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1777 sm->pairwise_set);
1778 os_free(hdr);
1779 }
1780
1781
wpa_send_eapol(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int key_info,const u8 * key_rsc,const u8 * nonce,const u8 * kde,size_t kde_len,int keyidx,int encr)1782 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1783 struct wpa_state_machine *sm, int key_info,
1784 const u8 *key_rsc, const u8 *nonce,
1785 const u8 *kde, size_t kde_len,
1786 int keyidx, int encr)
1787 {
1788 int timeout_ms;
1789 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1790 u32 ctr;
1791
1792 if (!sm)
1793 return;
1794
1795 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
1796
1797 #ifdef CONFIG_TESTING_OPTIONS
1798 /* When delay_eapol_tx is true, delay the EAPOL-Key transmission by
1799 * sending it only on the last attempt after all timeouts for the prior
1800 * skipped attemps. */
1801 if (wpa_auth->conf.delay_eapol_tx &&
1802 ctr != wpa_auth->conf.wpa_pairwise_update_count) {
1803 wpa_msg(sm->wpa_auth->conf.msg_ctx, MSG_INFO,
1804 "DELAY-EAPOL-TX-%d", ctr);
1805 goto skip_tx;
1806 }
1807 #endif /* CONFIG_TESTING_OPTIONS */
1808 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1809 keyidx, encr, 0);
1810 #ifdef CONFIG_TESTING_OPTIONS
1811 skip_tx:
1812 #endif /* CONFIG_TESTING_OPTIONS */
1813
1814 if (ctr == 1 && wpa_auth->conf.tx_status)
1815 timeout_ms = pairwise ? eapol_key_timeout_first :
1816 eapol_key_timeout_first_group;
1817 else
1818 timeout_ms = eapol_key_timeout_subseq;
1819 if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
1820 (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
1821 timeout_ms = eapol_key_timeout_no_retrans;
1822 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1823 sm->pending_1_of_4_timeout = 1;
1824 #ifdef TEST_FUZZ
1825 timeout_ms = 1;
1826 #endif /* TEST_FUZZ */
1827 #ifdef CONFIG_TESTING_OPTIONS
1828 if(wpa_auth->conf.enable_eapol_large_timeout) {
1829 timeout_ms = 50 * 1000;
1830 }
1831 #endif
1832 wpa_printf(MSG_DEBUG,
1833 "WPA: Use EAPOL-Key timeout of %u ms (retry counter %u)",
1834 timeout_ms, ctr);
1835 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1836 wpa_send_eapol_timeout, wpa_auth, sm);
1837 }
1838
1839
wpa_verify_key_mic(int akmp,size_t pmk_len,struct wpa_ptk * PTK,u8 * data,size_t data_len)1840 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
1841 u8 *data, size_t data_len)
1842 {
1843 struct ieee802_1x_hdr *hdr;
1844 struct wpa_eapol_key *key;
1845 u16 key_info;
1846 int ret = 0;
1847 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
1848 size_t mic_len = wpa_mic_len(akmp, pmk_len);
1849
1850 if (data_len < sizeof(*hdr) + sizeof(*key))
1851 return -1;
1852
1853 hdr = (struct ieee802_1x_hdr *) data;
1854 key = (struct wpa_eapol_key *) (hdr + 1);
1855 mic_pos = (u8 *) (key + 1);
1856 key_info = WPA_GET_BE16(key->key_info);
1857 os_memcpy(mic, mic_pos, mic_len);
1858 os_memset(mic_pos, 0, mic_len);
1859 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1860 key_info & WPA_KEY_INFO_TYPE_MASK,
1861 data, data_len, mic_pos) ||
1862 os_memcmp_const(mic, mic_pos, mic_len) != 0)
1863 ret = -1;
1864 os_memcpy(mic_pos, mic, mic_len);
1865 return ret;
1866 }
1867
1868
wpa_remove_ptk(struct wpa_state_machine * sm)1869 void wpa_remove_ptk(struct wpa_state_machine *sm)
1870 {
1871 sm->PTK_valid = false;
1872 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1873
1874 wpa_auth_remove_ptksa(sm->wpa_auth, sm->addr, sm->pairwise);
1875
1876 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1877 0, KEY_FLAG_PAIRWISE))
1878 wpa_printf(MSG_DEBUG,
1879 "RSN: PTK removal from the driver failed");
1880 if (sm->use_ext_key_id &&
1881 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 1, NULL,
1882 0, KEY_FLAG_PAIRWISE))
1883 wpa_printf(MSG_DEBUG,
1884 "RSN: PTK Key ID 1 removal from the driver failed");
1885 sm->pairwise_set = false;
1886 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
1887 }
1888
1889
wpa_auth_sm_event(struct wpa_state_machine * sm,enum wpa_event event)1890 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
1891 {
1892 int remove_ptk = 1;
1893
1894 if (!sm)
1895 return -1;
1896
1897 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1898 "event %d notification", event);
1899
1900 switch (event) {
1901 case WPA_AUTH:
1902 #ifdef CONFIG_MESH
1903 /* PTKs are derived through AMPE */
1904 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1905 /* not mesh */
1906 break;
1907 }
1908 return 0;
1909 #endif /* CONFIG_MESH */
1910 case WPA_ASSOC:
1911 break;
1912 case WPA_DEAUTH:
1913 case WPA_DISASSOC:
1914 sm->DeauthenticationRequest = true;
1915 os_memset(sm->PMK, 0, sizeof(sm->PMK));
1916 sm->pmk_len = 0;
1917 #ifdef CONFIG_IEEE80211R_AP
1918 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
1919 sm->xxkey_len = 0;
1920 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
1921 sm->pmk_r1_len = 0;
1922 #endif /* CONFIG_IEEE80211R_AP */
1923 break;
1924 case WPA_REAUTH:
1925 case WPA_REAUTH_EAPOL:
1926 if (!sm->started) {
1927 /*
1928 * When using WPS, we may end up here if the STA
1929 * manages to re-associate without the previous STA
1930 * entry getting removed. Consequently, we need to make
1931 * sure that the WPA state machines gets initialized
1932 * properly at this point.
1933 */
1934 wpa_printf(MSG_DEBUG,
1935 "WPA state machine had not been started - initialize now");
1936 sm->started = 1;
1937 sm->Init = true;
1938 if (wpa_sm_step(sm) == 1)
1939 return 1; /* should not really happen */
1940 sm->Init = false;
1941 sm->AuthenticationRequest = true;
1942 break;
1943 }
1944
1945 if (sm->ptkstart_without_success > 3) {
1946 wpa_printf(MSG_INFO,
1947 "WPA: Multiple EAP reauth attempts without 4-way handshake completion, disconnect "
1948 MACSTR, MAC2STR(sm->addr));
1949 sm->Disconnect = true;
1950 break;
1951 }
1952
1953 if (!sm->use_ext_key_id &&
1954 sm->wpa_auth->conf.wpa_deny_ptk0_rekey) {
1955 wpa_printf(MSG_INFO,
1956 "WPA: PTK0 rekey not allowed, disconnect "
1957 MACSTR, MAC2STR(wpa_auth_get_spa(sm)));
1958 sm->Disconnect = true;
1959 /* Try to encourage the STA to reconnect */
1960 sm->disconnect_reason =
1961 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA;
1962 break;
1963 }
1964
1965 if (sm->use_ext_key_id)
1966 sm->keyidx_active ^= 1; /* flip Key ID */
1967
1968 if (sm->GUpdateStationKeys) {
1969 /*
1970 * Reauthentication cancels the pending group key
1971 * update for this STA.
1972 */
1973 sm->group->GKeyDoneStations--;
1974 sm->GUpdateStationKeys = false;
1975 sm->PtkGroupInit = true;
1976 }
1977 sm->ReAuthenticationRequest = true;
1978 break;
1979 case WPA_ASSOC_FT:
1980 #ifdef CONFIG_IEEE80211R_AP
1981 wpa_printf(MSG_DEBUG,
1982 "FT: Retry PTK configuration after association");
1983 wpa_ft_install_ptk(sm, 1);
1984
1985 /* Using FT protocol, not WPA auth state machine */
1986 sm->ft_completed = 1;
1987 wpa_auth_set_ptk_rekey_timer(sm);
1988 return 0;
1989 #else /* CONFIG_IEEE80211R_AP */
1990 break;
1991 #endif /* CONFIG_IEEE80211R_AP */
1992 case WPA_ASSOC_FILS:
1993 #ifdef CONFIG_FILS
1994 wpa_printf(MSG_DEBUG,
1995 "FILS: TK configuration after association");
1996 fils_set_tk(sm);
1997 sm->fils_completed = 1;
1998 return 0;
1999 #else /* CONFIG_FILS */
2000 break;
2001 #endif /* CONFIG_FILS */
2002 case WPA_DRV_STA_REMOVED:
2003 sm->tk_already_set = false;
2004 return 0;
2005 }
2006
2007 #ifdef CONFIG_IEEE80211R_AP
2008 sm->ft_completed = 0;
2009 #endif /* CONFIG_IEEE80211R_AP */
2010
2011 if (sm->mgmt_frame_prot && event == WPA_AUTH)
2012 remove_ptk = 0;
2013 #ifdef CONFIG_FILS
2014 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
2015 (event == WPA_AUTH || event == WPA_ASSOC))
2016 remove_ptk = 0;
2017 #endif /* CONFIG_FILS */
2018
2019 if (remove_ptk) {
2020 sm->PTK_valid = false;
2021 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2022
2023 if (event != WPA_REAUTH_EAPOL)
2024 wpa_remove_ptk(sm);
2025 }
2026
2027 if (sm->in_step_loop) {
2028 /*
2029 * wpa_sm_step() is already running - avoid recursive call to
2030 * it by making the existing loop process the new update.
2031 */
2032 sm->changed = true;
2033 return 0;
2034 }
2035 return wpa_sm_step(sm);
2036 }
2037
2038
SM_STATE(WPA_PTK,INITIALIZE)2039 SM_STATE(WPA_PTK, INITIALIZE)
2040 {
2041 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
2042 if (sm->Init) {
2043 /* Init flag is not cleared here, so avoid busy
2044 * loop by claiming nothing changed. */
2045 sm->changed = false;
2046 }
2047
2048 sm->keycount = 0;
2049 if (sm->GUpdateStationKeys)
2050 sm->group->GKeyDoneStations--;
2051 sm->GUpdateStationKeys = false;
2052 if (sm->wpa == WPA_VERSION_WPA)
2053 sm->PInitAKeys = false;
2054 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
2055 * Local AA > Remote AA)) */) {
2056 sm->Pair = true;
2057 }
2058 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
2059 wpa_remove_ptk(sm);
2060 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
2061 sm->TimeoutCtr = 0;
2062 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
2063 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
2064 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
2065 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2066 WPA_EAPOL_authorized, 0);
2067 }
2068 }
2069
2070
SM_STATE(WPA_PTK,DISCONNECT)2071 SM_STATE(WPA_PTK, DISCONNECT)
2072 {
2073 u16 reason = sm->disconnect_reason;
2074
2075 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
2076 sm->Disconnect = false;
2077 sm->disconnect_reason = 0;
2078 if (!reason)
2079 reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
2080 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason);
2081 }
2082
2083
SM_STATE(WPA_PTK,DISCONNECTED)2084 SM_STATE(WPA_PTK, DISCONNECTED)
2085 {
2086 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
2087 sm->DeauthenticationRequest = false;
2088 }
2089
2090
SM_STATE(WPA_PTK,AUTHENTICATION)2091 SM_STATE(WPA_PTK, AUTHENTICATION)
2092 {
2093 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
2094 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2095 sm->PTK_valid = false;
2096 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
2097 1);
2098 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
2099 sm->AuthenticationRequest = false;
2100 }
2101
2102
wpa_group_ensure_init(struct wpa_authenticator * wpa_auth,struct wpa_group * group)2103 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
2104 struct wpa_group *group)
2105 {
2106 if (group->first_sta_seen)
2107 return;
2108 /*
2109 * System has run bit further than at the time hostapd was started
2110 * potentially very early during boot up. This provides better chances
2111 * of collecting more randomness on embedded systems. Re-initialize the
2112 * GMK and Counter here to improve their strength if there was not
2113 * enough entropy available immediately after system startup.
2114 */
2115 wpa_printf(MSG_DEBUG,
2116 "WPA: Re-initialize GMK/Counter on first station");
2117 if (random_pool_ready() != 1) {
2118 wpa_printf(MSG_INFO,
2119 "WPA: Not enough entropy in random pool to proceed - reject first 4-way handshake");
2120 group->reject_4way_hs_for_entropy = true;
2121 } else {
2122 group->first_sta_seen = true;
2123 group->reject_4way_hs_for_entropy = false;
2124 }
2125
2126 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
2127 wpa_gtk_update(wpa_auth, group) < 0 ||
2128 wpa_group_config_group_keys(wpa_auth, group) < 0) {
2129 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
2130 group->first_sta_seen = false;
2131 group->reject_4way_hs_for_entropy = true;
2132 }
2133 }
2134
2135
SM_STATE(WPA_PTK,AUTHENTICATION2)2136 SM_STATE(WPA_PTK, AUTHENTICATION2)
2137 {
2138 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
2139
2140 wpa_group_ensure_init(sm->wpa_auth, sm->group);
2141 sm->ReAuthenticationRequest = false;
2142
2143 /*
2144 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
2145 * ambiguous. The Authenticator state machine uses a counter that is
2146 * incremented by one for each 4-way handshake. However, the security
2147 * analysis of 4-way handshake points out that unpredictable nonces
2148 * help in preventing precomputation attacks. Instead of the state
2149 * machine definition, use an unpredictable nonce value here to provide
2150 * stronger protection against potential precomputation attacks.
2151 */
2152 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
2153 wpa_printf(MSG_ERROR,
2154 "WPA: Failed to get random data for ANonce.");
2155 sm->Disconnect = true;
2156 return;
2157 }
2158 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
2159 WPA_NONCE_LEN);
2160 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
2161 * logical place than INITIALIZE since AUTHENTICATION2 can be
2162 * re-entered on ReAuthenticationRequest without going through
2163 * INITIALIZE. */
2164 sm->TimeoutCtr = 0;
2165 }
2166
2167
wpa_auth_sm_ptk_update(struct wpa_state_machine * sm)2168 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
2169 {
2170 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
2171 wpa_printf(MSG_ERROR,
2172 "WPA: Failed to get random data for ANonce");
2173 sm->Disconnect = true;
2174 return -1;
2175 }
2176 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
2177 WPA_NONCE_LEN);
2178 sm->TimeoutCtr = 0;
2179 return 0;
2180 }
2181
2182
SM_STATE(WPA_PTK,INITPMK)2183 SM_STATE(WPA_PTK, INITPMK)
2184 {
2185 u8 msk[2 * PMK_LEN];
2186 size_t len = 2 * PMK_LEN;
2187
2188 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
2189 #ifdef CONFIG_IEEE80211R_AP
2190 sm->xxkey_len = 0;
2191 #endif /* CONFIG_IEEE80211R_AP */
2192 if (sm->pmksa) {
2193 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
2194 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2195 sm->pmk_len = sm->pmksa->pmk_len;
2196 #ifdef CONFIG_DPP
2197 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
2198 wpa_printf(MSG_DEBUG,
2199 "DPP: No PMKSA cache entry for STA - reject connection");
2200 sm->Disconnect = true;
2201 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID;
2202 return;
2203 #endif /* CONFIG_DPP */
2204 } else if (wpa_auth_get_msk(sm->wpa_auth, wpa_auth_get_spa(sm),
2205 msk, &len) == 0) {
2206 unsigned int pmk_len;
2207
2208 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
2209 pmk_len = PMK_LEN_SUITE_B_192;
2210 else
2211 pmk_len = PMK_LEN;
2212 wpa_printf(MSG_DEBUG,
2213 "WPA: PMK from EAPOL state machine (MSK len=%zu PMK len=%u)",
2214 len, pmk_len);
2215 if (len < pmk_len) {
2216 wpa_printf(MSG_DEBUG,
2217 "WPA: MSK not long enough (%zu) to create PMK (%u)",
2218 len, pmk_len);
2219 sm->Disconnect = true;
2220 return;
2221 }
2222 os_memcpy(sm->PMK, msk, pmk_len);
2223 sm->pmk_len = pmk_len;
2224 #ifdef CONFIG_IEEE80211R_AP
2225 if (len >= 2 * PMK_LEN) {
2226 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
2227 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN);
2228 sm->xxkey_len = SHA384_MAC_LEN;
2229 } else {
2230 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
2231 sm->xxkey_len = PMK_LEN;
2232 }
2233 }
2234 #endif /* CONFIG_IEEE80211R_AP */
2235 } else {
2236 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
2237 sm->wpa_auth->cb->get_msk);
2238 sm->Disconnect = true;
2239 return;
2240 }
2241 forced_memzero(msk, sizeof(msk));
2242
2243 sm->req_replay_counter_used = 0;
2244 /* IEEE 802.11i does not set keyRun to false, but not doing this
2245 * will break reauthentication since EAPOL state machines may not be
2246 * get into AUTHENTICATING state that clears keyRun before WPA state
2247 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
2248 * state and takes PMK from the previously used AAA Key. This will
2249 * eventually fail in 4-Way Handshake because Supplicant uses PMK
2250 * derived from the new AAA Key. Setting keyRun = false here seems to
2251 * be good workaround for this issue. */
2252 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, false);
2253 }
2254
2255
SM_STATE(WPA_PTK,INITPSK)2256 SM_STATE(WPA_PTK, INITPSK)
2257 {
2258 const u8 *psk;
2259 size_t psk_len;
2260
2261 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
2262 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL,
2263 &psk_len, NULL);
2264 if (psk) {
2265 os_memcpy(sm->PMK, psk, psk_len);
2266 sm->pmk_len = psk_len;
2267 #ifdef CONFIG_IEEE80211R_AP
2268 sm->xxkey_len = PMK_LEN;
2269 #ifdef CONFIG_SAE
2270 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY &&
2271 (psk_len == SHA512_MAC_LEN || psk_len == SHA384_MAC_LEN ||
2272 psk_len == SHA256_MAC_LEN))
2273 sm->xxkey_len = psk_len;
2274 #endif /* CONFIG_SAE */
2275 os_memcpy(sm->xxkey, psk, sm->xxkey_len);
2276 #endif /* CONFIG_IEEE80211R_AP */
2277 }
2278 #ifdef CONFIG_SAE
2279 if (wpa_auth_uses_sae(sm) && sm->pmksa) {
2280 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache (len=%zu)",
2281 sm->pmksa->pmk_len);
2282 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2283 sm->pmk_len = sm->pmksa->pmk_len;
2284 #ifdef CONFIG_IEEE80211R_AP
2285 os_memcpy(sm->xxkey, sm->pmksa->pmk, sm->pmksa->pmk_len);
2286 sm->xxkey_len = sm->pmksa->pmk_len;
2287 #endif /* CONFIG_IEEE80211R_AP */
2288 }
2289 #endif /* CONFIG_SAE */
2290 sm->req_replay_counter_used = 0;
2291 }
2292
2293
SM_STATE(WPA_PTK,PTKSTART)2294 SM_STATE(WPA_PTK, PTKSTART)
2295 {
2296 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
2297 size_t pmkid_len = 0;
2298 u16 key_info;
2299
2300 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2301 sm->PTKRequest = false;
2302 sm->TimeoutEvt = false;
2303 sm->alt_snonce_valid = false;
2304 sm->ptkstart_without_success++;
2305
2306 sm->TimeoutCtr++;
2307 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
2308 /* No point in sending the EAPOL-Key - we will disconnect
2309 * immediately following this. */
2310 return;
2311 }
2312
2313 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
2314 "sending 1/4 msg of 4-Way Handshake");
2315 /*
2316 * For infrastructure BSS cases, it is better for the AP not to include
2317 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate
2318 * offline search for the passphrase/PSK without having to be able to
2319 * capture a 4-way handshake from a STA that has access to the network.
2320 *
2321 * For IBSS cases, addition of PMKID KDE could be considered even with
2322 * WPA2-PSK cases that use multiple PSKs, but only if there is a single
2323 * possible PSK for this STA. However, this should not be done unless
2324 * there is support for using that information on the supplicant side.
2325 * The concern about exposing PMKID unnecessarily in infrastructure BSS
2326 * cases would also apply here, but at least in the IBSS case, this
2327 * would cover a potential real use case.
2328 */
2329 if (sm->wpa == WPA_VERSION_WPA2 &&
2330 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) ||
2331 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) ||
2332 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) &&
2333 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
2334 pmkid = buf;
2335 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2336 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2337 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2338 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
2339 if (sm->pmksa) {
2340 wpa_hexdump(MSG_DEBUG,
2341 "RSN: Message 1/4 PMKID from PMKSA entry",
2342 sm->pmksa->pmkid, PMKID_LEN);
2343 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2344 sm->pmksa->pmkid, PMKID_LEN);
2345 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2346 /* No KCK available to derive PMKID */
2347 wpa_printf(MSG_DEBUG,
2348 "RSN: No KCK available to derive PMKID for message 1/4");
2349 pmkid = NULL;
2350 #ifdef CONFIG_FILS
2351 } else if (wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2352 if (sm->pmkid_set) {
2353 wpa_hexdump(MSG_DEBUG,
2354 "RSN: Message 1/4 PMKID from FILS/ERP",
2355 sm->pmkid, PMKID_LEN);
2356 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2357 sm->pmkid, PMKID_LEN);
2358 } else {
2359 /* No PMKID available */
2360 wpa_printf(MSG_DEBUG,
2361 "RSN: No FILS/ERP PMKID available for message 1/4");
2362 pmkid = NULL;
2363 }
2364 #endif /* CONFIG_FILS */
2365 #ifdef CONFIG_IEEE80211R_AP
2366 } else if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) &&
2367 sm->ft_completed) {
2368 wpa_printf(MSG_DEBUG,
2369 "FT: No PMKID in message 1/4 when using FT protocol");
2370 pmkid = NULL;
2371 #endif /* CONFIG_IEEE80211R_AP */
2372 #ifdef CONFIG_SAE
2373 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
2374 if (sm->pmkid_set) {
2375 wpa_hexdump(MSG_DEBUG,
2376 "RSN: Message 1/4 PMKID from SAE",
2377 sm->pmkid, PMKID_LEN);
2378 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2379 sm->pmkid, PMKID_LEN);
2380 } else {
2381 /* No PMKID available */
2382 wpa_printf(MSG_DEBUG,
2383 "RSN: No SAE PMKID available for message 1/4");
2384 pmkid = NULL;
2385 }
2386 #endif /* CONFIG_SAE */
2387 } else {
2388 /*
2389 * Calculate PMKID since no PMKSA cache entry was
2390 * available with pre-calculated PMKID.
2391 */
2392 rsn_pmkid(sm->PMK, sm->pmk_len,
2393 wpa_auth_get_aa(sm),
2394 wpa_auth_get_spa(sm),
2395 &pmkid[2 + RSN_SELECTOR_LEN],
2396 sm->wpa_key_mgmt);
2397 wpa_hexdump(MSG_DEBUG,
2398 "RSN: Message 1/4 PMKID derived from PMK",
2399 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN);
2400 }
2401 }
2402 if (!pmkid)
2403 pmkid_len = 0;
2404 key_info = WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE;
2405 if (sm->pairwise_set && sm->wpa != WPA_VERSION_WPA)
2406 key_info |= WPA_KEY_INFO_SECURE;
2407 wpa_send_eapol(sm->wpa_auth, sm, key_info, NULL,
2408 sm->ANonce, pmkid, pmkid_len, 0, 0);
2409 }
2410
2411
wpa_derive_ptk(struct wpa_state_machine * sm,const u8 * snonce,const u8 * pmk,unsigned int pmk_len,struct wpa_ptk * ptk,int force_sha256,u8 * pmk_r0,u8 * pmk_r1,u8 * pmk_r0_name,size_t * key_len)2412 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
2413 const u8 *pmk, unsigned int pmk_len,
2414 struct wpa_ptk *ptk, int force_sha256,
2415 u8 *pmk_r0, u8 *pmk_r1, u8 *pmk_r0_name,
2416 size_t *key_len)
2417 {
2418 const u8 *z = NULL;
2419 size_t z_len = 0, kdk_len;
2420 int akmp;
2421 int ret;
2422
2423 if (sm->wpa_auth->conf.force_kdk_derivation ||
2424 (sm->wpa_auth->conf.secure_ltf &&
2425 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
2426 kdk_len = WPA_KDK_MAX_LEN;
2427 else
2428 kdk_len = 0;
2429
2430 #ifdef CONFIG_IEEE80211R_AP
2431 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2432 if (sm->ft_completed) {
2433 u8 ptk_name[WPA_PMK_NAME_LEN];
2434
2435 ret = wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->pmk_r1_len,
2436 sm->SNonce, sm->ANonce,
2437 wpa_auth_get_spa(sm),
2438 wpa_auth_get_aa(sm),
2439 sm->pmk_r1_name, ptk,
2440 ptk_name, sm->wpa_key_mgmt,
2441 sm->pairwise, kdk_len);
2442 } else {
2443 ret = wpa_auth_derive_ptk_ft(sm, ptk, pmk_r0, pmk_r1,
2444 pmk_r0_name, key_len,
2445 kdk_len);
2446 }
2447 if (ret) {
2448 wpa_printf(MSG_ERROR, "FT: PTK derivation failed");
2449 return ret;
2450 }
2451
2452 #ifdef CONFIG_PASN
2453 if (sm->wpa_auth->conf.secure_ltf &&
2454 ieee802_11_rsnx_capab(sm->rsnxe,
2455 WLAN_RSNX_CAPAB_SECURE_LTF)) {
2456 ret = wpa_ltf_keyseed(ptk, sm->wpa_key_mgmt,
2457 sm->pairwise);
2458 if (ret) {
2459 wpa_printf(MSG_ERROR,
2460 "FT: LTF keyseed derivation failed");
2461 }
2462 }
2463 #endif /* CONFIG_PASN */
2464 return ret;
2465 }
2466 #endif /* CONFIG_IEEE80211R_AP */
2467
2468 #ifdef CONFIG_DPP2
2469 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
2470 z = wpabuf_head(sm->dpp_z);
2471 z_len = wpabuf_len(sm->dpp_z);
2472 }
2473 #endif /* CONFIG_DPP2 */
2474
2475 akmp = sm->wpa_key_mgmt;
2476 if (force_sha256)
2477 akmp |= WPA_KEY_MGMT_PSK_SHA256;
2478 ret = wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
2479 wpa_auth_get_aa(sm), wpa_auth_get_spa(sm),
2480 sm->ANonce, snonce, ptk, akmp,
2481 sm->pairwise, z, z_len, kdk_len);
2482 if (ret) {
2483 wpa_printf(MSG_DEBUG,
2484 "WPA: PTK derivation failed");
2485 return ret;
2486 }
2487
2488 #ifdef CONFIG_PASN
2489 if (sm->wpa_auth->conf.secure_ltf &&
2490 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)) {
2491 ret = wpa_ltf_keyseed(ptk, sm->wpa_key_mgmt, sm->pairwise);
2492 if (ret) {
2493 wpa_printf(MSG_DEBUG,
2494 "WPA: LTF keyseed derivation failed");
2495 }
2496 }
2497 #endif /* CONFIG_PASN */
2498 return ret;
2499 }
2500
2501
2502 #ifdef CONFIG_FILS
2503
fils_auth_pmk_to_ptk(struct wpa_state_machine * sm,const u8 * pmk,size_t pmk_len,const u8 * snonce,const u8 * anonce,const u8 * dhss,size_t dhss_len,struct wpabuf * g_sta,struct wpabuf * g_ap)2504 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
2505 size_t pmk_len, const u8 *snonce, const u8 *anonce,
2506 const u8 *dhss, size_t dhss_len,
2507 struct wpabuf *g_sta, struct wpabuf *g_ap)
2508 {
2509 u8 ick[FILS_ICK_MAX_LEN];
2510 size_t ick_len;
2511 int res;
2512 u8 fils_ft[FILS_FT_MAX_LEN];
2513 size_t fils_ft_len = 0, kdk_len;
2514
2515 if (sm->wpa_auth->conf.force_kdk_derivation ||
2516 (sm->wpa_auth->conf.secure_ltf &&
2517 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
2518 kdk_len = WPA_KDK_MAX_LEN;
2519 else
2520 kdk_len = 0;
2521
2522 res = fils_pmk_to_ptk(pmk, pmk_len, wpa_auth_get_spa(sm),
2523 wpa_auth_get_aa(sm),
2524 snonce, anonce, dhss, dhss_len,
2525 &sm->PTK, ick, &ick_len,
2526 sm->wpa_key_mgmt, sm->pairwise,
2527 fils_ft, &fils_ft_len, kdk_len);
2528 if (res < 0)
2529 return res;
2530
2531 #ifdef CONFIG_PASN
2532 if (sm->wpa_auth->conf.secure_ltf &&
2533 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)) {
2534 res = wpa_ltf_keyseed(&sm->PTK, sm->wpa_key_mgmt, sm->pairwise);
2535 if (res) {
2536 wpa_printf(MSG_ERROR,
2537 "FILS: LTF keyseed derivation failed");
2538 return res;
2539 }
2540 }
2541 #endif /* CONFIG_PASN */
2542
2543 sm->PTK_valid = true;
2544 sm->tk_already_set = false;
2545
2546 #ifdef CONFIG_IEEE80211R_AP
2547 if (fils_ft_len) {
2548 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2549 struct wpa_auth_config *conf = &wpa_auth->conf;
2550 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
2551
2552 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
2553 conf->ssid, conf->ssid_len,
2554 conf->mobility_domain,
2555 conf->r0_key_holder,
2556 conf->r0_key_holder_len,
2557 wpa_auth_get_spa(sm), pmk_r0, pmk_r0_name,
2558 sm->wpa_key_mgmt) < 0)
2559 return -1;
2560
2561 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name);
2562 forced_memzero(fils_ft, sizeof(fils_ft));
2563
2564 res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder,
2565 wpa_auth_get_spa(sm),
2566 sm->pmk_r1_name,
2567 fils_ft_len);
2568 forced_memzero(pmk_r0, PMK_LEN_MAX);
2569 if (res < 0)
2570 return -1;
2571 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name,
2572 WPA_PMK_NAME_LEN);
2573 sm->pmk_r1_name_valid = 1;
2574 }
2575 #endif /* CONFIG_IEEE80211R_AP */
2576
2577 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2578 wpa_auth_get_spa(sm),
2579 wpa_auth_get_aa(sm),
2580 g_sta ? wpabuf_head(g_sta) : NULL,
2581 g_sta ? wpabuf_len(g_sta) : 0,
2582 g_ap ? wpabuf_head(g_ap) : NULL,
2583 g_ap ? wpabuf_len(g_ap) : 0,
2584 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2585 sm->fils_key_auth_ap,
2586 &sm->fils_key_auth_len);
2587 forced_memzero(ick, sizeof(ick));
2588
2589 /* Store nonces for (Re)Association Request/Response frame processing */
2590 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2591 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2592
2593 return res;
2594 }
2595
2596
wpa_aead_decrypt(struct wpa_state_machine * sm,struct wpa_ptk * ptk,u8 * buf,size_t buf_len,u16 * _key_data_len)2597 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
2598 u8 *buf, size_t buf_len, u16 *_key_data_len)
2599 {
2600 struct ieee802_1x_hdr *hdr;
2601 struct wpa_eapol_key *key;
2602 u8 *pos;
2603 u16 key_data_len;
2604 u8 *tmp;
2605 const u8 *aad[1];
2606 size_t aad_len[1];
2607
2608 hdr = (struct ieee802_1x_hdr *) buf;
2609 key = (struct wpa_eapol_key *) (hdr + 1);
2610 pos = (u8 *) (key + 1);
2611 key_data_len = WPA_GET_BE16(pos);
2612 if (key_data_len < AES_BLOCK_SIZE ||
2613 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2614 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
2615 "No room for AES-SIV data in the frame");
2616 return -1;
2617 }
2618 pos += 2; /* Pointing at the Encrypted Key Data field */
2619
2620 tmp = os_malloc(key_data_len);
2621 if (!tmp)
2622 return -1;
2623
2624 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2625 * to Key Data (exclusive). */
2626 aad[0] = buf;
2627 aad_len[0] = pos - buf;
2628 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2629 1, aad, aad_len, tmp) < 0) {
2630 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
2631 "Invalid AES-SIV data in the frame");
2632 bin_clear_free(tmp, key_data_len);
2633 return -1;
2634 }
2635
2636 /* AEAD decryption and validation completed successfully */
2637 key_data_len -= AES_BLOCK_SIZE;
2638 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2639 tmp, key_data_len);
2640
2641 /* Replace Key Data field with the decrypted version */
2642 os_memcpy(pos, tmp, key_data_len);
2643 pos -= 2; /* Key Data Length field */
2644 WPA_PUT_BE16(pos, key_data_len);
2645 bin_clear_free(tmp, key_data_len);
2646 if (_key_data_len)
2647 *_key_data_len = key_data_len;
2648 return 0;
2649 }
2650
2651
wpa_fils_validate_fils_session(struct wpa_state_machine * sm,const u8 * ies,size_t ies_len,const u8 * fils_session)2652 const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
2653 const u8 *ies, size_t ies_len,
2654 const u8 *fils_session)
2655 {
2656 const u8 *ie, *end;
2657 const u8 *session = NULL;
2658
2659 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2660 wpa_printf(MSG_DEBUG,
2661 "FILS: Not a FILS AKM - reject association");
2662 return NULL;
2663 }
2664
2665 /* Verify Session element */
2666 ie = ies;
2667 end = ((const u8 *) ie) + ies_len;
2668 while (ie + 1 < end) {
2669 if (ie + 2 + ie[1] > end)
2670 break;
2671 if (ie[0] == WLAN_EID_EXTENSION &&
2672 ie[1] >= 1 + FILS_SESSION_LEN &&
2673 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2674 session = ie;
2675 break;
2676 }
2677 ie += 2 + ie[1];
2678 }
2679
2680 if (!session) {
2681 wpa_printf(MSG_DEBUG,
2682 "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
2683 __func__);
2684 return NULL;
2685 }
2686
2687 if (!fils_session) {
2688 wpa_printf(MSG_DEBUG,
2689 "FILS: %s: Could not find FILS Session element in STA entry - reject",
2690 __func__);
2691 return NULL;
2692 }
2693
2694 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2695 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2696 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2697 fils_session, FILS_SESSION_LEN);
2698 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2699 session + 3, FILS_SESSION_LEN);
2700 return NULL;
2701 }
2702 return session;
2703 }
2704
2705
wpa_fils_validate_key_confirm(struct wpa_state_machine * sm,const u8 * ies,size_t ies_len)2706 int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
2707 size_t ies_len)
2708 {
2709 struct ieee802_11_elems elems;
2710
2711 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2712 wpa_printf(MSG_DEBUG,
2713 "FILS: Failed to parse decrypted elements");
2714 return -1;
2715 }
2716
2717 if (!elems.fils_session) {
2718 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
2719 return -1;
2720 }
2721
2722 if (!elems.fils_key_confirm) {
2723 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2724 return -1;
2725 }
2726
2727 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2728 wpa_printf(MSG_DEBUG,
2729 "FILS: Unexpected Key-Auth length %d (expected %zu)",
2730 elems.fils_key_confirm_len,
2731 sm->fils_key_auth_len);
2732 return -1;
2733 }
2734
2735 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2736 sm->fils_key_auth_len) != 0) {
2737 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2738 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2739 elems.fils_key_confirm, elems.fils_key_confirm_len);
2740 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2741 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2742 return -1;
2743 }
2744
2745 return 0;
2746 }
2747
2748
fils_decrypt_assoc(struct wpa_state_machine * sm,const u8 * fils_session,const struct ieee80211_mgmt * mgmt,size_t frame_len,u8 * pos,size_t left)2749 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2750 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2751 u8 *pos, size_t left)
2752 {
2753 u16 fc, stype;
2754 const u8 *end, *ie_start, *ie, *session, *crypt;
2755 const u8 *aad[5];
2756 size_t aad_len[5];
2757
2758 if (!sm || !sm->PTK_valid) {
2759 wpa_printf(MSG_DEBUG,
2760 "FILS: No KEK to decrypt Assocication Request frame");
2761 return -1;
2762 }
2763
2764 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2765 wpa_printf(MSG_DEBUG,
2766 "FILS: Not a FILS AKM - reject association");
2767 return -1;
2768 }
2769
2770 end = ((const u8 *) mgmt) + frame_len;
2771 fc = le_to_host16(mgmt->frame_control);
2772 stype = WLAN_FC_GET_STYPE(fc);
2773 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2774 ie_start = mgmt->u.reassoc_req.variable;
2775 else
2776 ie_start = mgmt->u.assoc_req.variable;
2777 ie = ie_start;
2778
2779 /*
2780 * Find FILS Session element which is the last unencrypted element in
2781 * the frame.
2782 */
2783 session = wpa_fils_validate_fils_session(sm, ie, end - ie,
2784 fils_session);
2785 if (!session) {
2786 wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
2787 return -1;
2788 }
2789
2790 crypt = session + 2 + session[1];
2791
2792 if (end - crypt < AES_BLOCK_SIZE) {
2793 wpa_printf(MSG_DEBUG,
2794 "FILS: Too short frame to include AES-SIV data");
2795 return -1;
2796 }
2797
2798 /* AES-SIV AAD vectors */
2799
2800 /* The STA's MAC address */
2801 aad[0] = mgmt->sa;
2802 aad_len[0] = ETH_ALEN;
2803 /* The AP's BSSID */
2804 aad[1] = mgmt->da;
2805 aad_len[1] = ETH_ALEN;
2806 /* The STA's nonce */
2807 aad[2] = sm->SNonce;
2808 aad_len[2] = FILS_NONCE_LEN;
2809 /* The AP's nonce */
2810 aad[3] = sm->ANonce;
2811 aad_len[3] = FILS_NONCE_LEN;
2812 /*
2813 * The (Re)Association Request frame from the Capability Information
2814 * field to the FILS Session element (both inclusive).
2815 */
2816 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
2817 aad_len[4] = crypt - aad[4];
2818
2819 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
2820 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
2821 wpa_printf(MSG_DEBUG,
2822 "FILS: Invalid AES-SIV data in the frame");
2823 return -1;
2824 }
2825 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2826 pos, left - AES_BLOCK_SIZE);
2827
2828 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
2829 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
2830 return -1;
2831 }
2832
2833 return left - AES_BLOCK_SIZE;
2834 }
2835
2836
fils_encrypt_assoc(struct wpa_state_machine * sm,u8 * buf,size_t current_len,size_t max_len,const struct wpabuf * hlp)2837 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
2838 size_t current_len, size_t max_len,
2839 const struct wpabuf *hlp)
2840 {
2841 u8 *end = buf + max_len;
2842 u8 *pos = buf + current_len;
2843 struct ieee80211_mgmt *mgmt;
2844 struct wpabuf *plain;
2845 const u8 *aad[5];
2846 size_t aad_len[5];
2847
2848 if (!sm || !sm->PTK_valid)
2849 return -1;
2850
2851 wpa_hexdump(MSG_DEBUG,
2852 "FILS: Association Response frame before FILS processing",
2853 buf, current_len);
2854
2855 mgmt = (struct ieee80211_mgmt *) buf;
2856
2857 /* AES-SIV AAD vectors */
2858
2859 /* The AP's BSSID */
2860 aad[0] = mgmt->sa;
2861 aad_len[0] = ETH_ALEN;
2862 /* The STA's MAC address */
2863 aad[1] = mgmt->da;
2864 aad_len[1] = ETH_ALEN;
2865 /* The AP's nonce */
2866 aad[2] = sm->ANonce;
2867 aad_len[2] = FILS_NONCE_LEN;
2868 /* The STA's nonce */
2869 aad[3] = sm->SNonce;
2870 aad_len[3] = FILS_NONCE_LEN;
2871 /*
2872 * The (Re)Association Response frame from the Capability Information
2873 * field (the same offset in both Association and Reassociation
2874 * Response frames) to the FILS Session element (both inclusive).
2875 */
2876 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2877 aad_len[4] = pos - aad[4];
2878
2879 /* The following elements will be encrypted with AES-SIV */
2880 plain = fils_prepare_plainbuf(sm, hlp);
2881 if (!plain) {
2882 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2883 return -1;
2884 }
2885
2886 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2887 wpa_printf(MSG_DEBUG,
2888 "FILS: Not enough room for FILS elements");
2889 wpabuf_clear_free(plain);
2890 return -1;
2891 }
2892
2893 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2894 plain);
2895
2896 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2897 wpabuf_head(plain), wpabuf_len(plain),
2898 5, aad, aad_len, pos) < 0) {
2899 wpabuf_clear_free(plain);
2900 return -1;
2901 }
2902
2903 wpa_hexdump(MSG_DEBUG,
2904 "FILS: Encrypted Association Response elements",
2905 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2906 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2907 wpabuf_clear_free(plain);
2908
2909 sm->fils_completed = 1;
2910
2911 return current_len;
2912 }
2913
2914
fils_prepare_plainbuf(struct wpa_state_machine * sm,const struct wpabuf * hlp)2915 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
2916 const struct wpabuf *hlp)
2917 {
2918 struct wpabuf *plain;
2919 u8 *len, *tmp, *tmp2;
2920 u8 hdr[2];
2921 u8 *gtk, stub_gtk[32];
2922 size_t gtk_len;
2923 struct wpa_group *gsm;
2924 size_t plain_len;
2925 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
2926
2927 plain_len = 1000 + ieee80211w_kde_len(sm);
2928 if (conf->transition_disable)
2929 plain_len += 2 + RSN_SELECTOR_LEN + 1;
2930 plain = wpabuf_alloc(plain_len);
2931 if (!plain)
2932 return NULL;
2933
2934 /* TODO: FILS Public Key */
2935
2936 /* FILS Key Confirmation */
2937 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2938 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2939 /* Element ID Extension */
2940 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2941 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2942
2943 /* FILS HLP Container */
2944 if (hlp)
2945 wpabuf_put_buf(plain, hlp);
2946
2947 /* TODO: FILS IP Address Assignment */
2948
2949 /* Key Delivery */
2950 gsm = sm->group;
2951 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2952 len = wpabuf_put(plain, 1);
2953 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2954 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2955 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2956 /* GTK KDE */
2957 gtk = gsm->GTK[gsm->GN - 1];
2958 gtk_len = gsm->GTK_len;
2959 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
2960 /*
2961 * Provide unique random GTK to each STA to prevent use
2962 * of GTK in the BSS.
2963 */
2964 if (random_get_bytes(stub_gtk, gtk_len) < 0) {
2965 wpabuf_clear_free(plain);
2966 return NULL;
2967 }
2968 gtk = stub_gtk;
2969 }
2970 hdr[0] = gsm->GN & 0x03;
2971 hdr[1] = 0;
2972 tmp = wpabuf_put(plain, 0);
2973 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2974 gtk, gtk_len);
2975 wpabuf_put(plain, tmp2 - tmp);
2976
2977 /* IGTK KDE and BIGTK KDE */
2978 tmp = wpabuf_put(plain, 0);
2979 tmp2 = ieee80211w_kde_add(sm, tmp);
2980 wpabuf_put(plain, tmp2 - tmp);
2981
2982 if (conf->transition_disable) {
2983 tmp = wpabuf_put(plain, 0);
2984 tmp2 = wpa_add_kde(tmp, WFA_KEY_DATA_TRANSITION_DISABLE,
2985 &conf->transition_disable, 1, NULL, 0);
2986 wpabuf_put(plain, tmp2 - tmp);
2987 }
2988
2989 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
2990
2991 #ifdef CONFIG_OCV
2992 if (wpa_auth_uses_ocv(sm)) {
2993 struct wpa_channel_info ci;
2994 u8 *pos;
2995
2996 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
2997 wpa_printf(MSG_WARNING,
2998 "FILS: Failed to get channel info for OCI element");
2999 wpabuf_clear_free(plain);
3000 return NULL;
3001 }
3002 #ifdef CONFIG_TESTING_OPTIONS
3003 if (conf->oci_freq_override_fils_assoc) {
3004 wpa_printf(MSG_INFO,
3005 "TEST: Override OCI frequency %d -> %u MHz",
3006 ci.frequency,
3007 conf->oci_freq_override_fils_assoc);
3008 ci.frequency = conf->oci_freq_override_fils_assoc;
3009 }
3010 #endif /* CONFIG_TESTING_OPTIONS */
3011
3012 pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN);
3013 if (ocv_insert_extended_oci(&ci, pos) < 0) {
3014 wpabuf_clear_free(plain);
3015 return NULL;
3016 }
3017 }
3018 #endif /* CONFIG_OCV */
3019
3020 return plain;
3021 }
3022
3023
fils_set_tk(struct wpa_state_machine * sm)3024 int fils_set_tk(struct wpa_state_machine *sm)
3025 {
3026 enum wpa_alg alg;
3027 int klen;
3028
3029 if (!sm || !sm->PTK_valid) {
3030 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK");
3031 return -1;
3032 }
3033 if (sm->tk_already_set) {
3034 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver");
3035 return -1;
3036 }
3037
3038 alg = wpa_cipher_to_alg(sm->pairwise);
3039 klen = wpa_cipher_key_len(sm->pairwise);
3040
3041 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
3042 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
3043 sm->PTK.tk, klen, KEY_FLAG_PAIRWISE_RX_TX)) {
3044 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
3045 return -1;
3046 }
3047
3048 #ifdef CONFIG_PASN
3049 if (sm->wpa_auth->conf.secure_ltf &&
3050 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
3051 wpa_auth_set_ltf_keyseed(sm->wpa_auth, sm->addr,
3052 sm->PTK.ltf_keyseed,
3053 sm->PTK.ltf_keyseed_len)) {
3054 wpa_printf(MSG_ERROR,
3055 "FILS: Failed to set LTF keyseed to driver");
3056 return -1;
3057 }
3058 #endif /* CONFIG_PASN */
3059
3060 sm->pairwise_set = true;
3061 sm->tk_already_set = true;
3062
3063 wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, sm->pairwise,
3064 dot11RSNAConfigPMKLifetime, &sm->PTK);
3065
3066 return 0;
3067 }
3068
3069
hostapd_eid_assoc_fils_session(struct wpa_state_machine * sm,u8 * buf,const u8 * fils_session,struct wpabuf * hlp)3070 u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
3071 const u8 *fils_session, struct wpabuf *hlp)
3072 {
3073 struct wpabuf *plain;
3074 u8 *pos = buf;
3075
3076 /* FILS Session */
3077 *pos++ = WLAN_EID_EXTENSION; /* Element ID */
3078 *pos++ = 1 + FILS_SESSION_LEN; /* Length */
3079 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
3080 os_memcpy(pos, fils_session, FILS_SESSION_LEN);
3081 pos += FILS_SESSION_LEN;
3082
3083 plain = fils_prepare_plainbuf(sm, hlp);
3084 if (!plain) {
3085 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
3086 return NULL;
3087 }
3088
3089 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
3090 pos += wpabuf_len(plain);
3091
3092 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %zu", __func__,
3093 wpabuf_len(plain));
3094 wpabuf_clear_free(plain);
3095 sm->fils_completed = 1;
3096 return pos;
3097 }
3098
3099 #endif /* CONFIG_FILS */
3100
3101
3102 #ifdef CONFIG_OCV
get_sta_tx_parameters(struct wpa_state_machine * sm,int ap_max_chanwidth,int ap_seg1_idx,int * bandwidth,int * seg1_idx)3103 int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth,
3104 int ap_seg1_idx, int *bandwidth, int *seg1_idx)
3105 {
3106 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3107
3108 if (!wpa_auth->cb->get_sta_tx_params)
3109 return -1;
3110 return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr,
3111 ap_max_chanwidth, ap_seg1_idx,
3112 bandwidth, seg1_idx);
3113 }
3114 #endif /* CONFIG_OCV */
3115
3116
SM_STATE(WPA_PTK,PTKCALCNEGOTIATING)3117 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
3118 {
3119 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3120 struct wpa_ptk PTK;
3121 int ok = 0, psk_found = 0;
3122 const u8 *pmk = NULL;
3123 size_t pmk_len;
3124 int ft;
3125 const u8 *eapol_key_ie, *key_data, *mic;
3126 u16 key_data_length;
3127 size_t mic_len, eapol_key_ie_len;
3128 struct ieee802_1x_hdr *hdr;
3129 struct wpa_eapol_key *key;
3130 struct wpa_eapol_ie_parse kde;
3131 int vlan_id = 0;
3132 int owe_ptk_workaround = !!wpa_auth->conf.owe_ptk_workaround;
3133 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
3134 u8 pmk_r1[PMK_LEN_MAX];
3135 size_t key_len;
3136
3137 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
3138 sm->EAPOLKeyReceived = false;
3139 sm->update_snonce = false;
3140 os_memset(&PTK, 0, sizeof(PTK));
3141
3142 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3143
3144 /* WPA with IEEE 802.1X: use the derived PMK from EAP
3145 * WPA-PSK: iterate through possible PSKs and select the one matching
3146 * the packet */
3147 for (;;) {
3148 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
3149 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
3150 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
3151 sm->p2p_dev_addr, pmk, &pmk_len,
3152 &vlan_id);
3153 if (!pmk)
3154 break;
3155 psk_found = 1;
3156 #ifdef CONFIG_IEEE80211R_AP
3157 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
3158 os_memcpy(sm->xxkey, pmk, pmk_len);
3159 sm->xxkey_len = pmk_len;
3160 }
3161 #endif /* CONFIG_IEEE80211R_AP */
3162 } else {
3163 pmk = sm->PMK;
3164 pmk_len = sm->pmk_len;
3165 }
3166
3167 if ((!pmk || !pmk_len) && sm->pmksa) {
3168 wpa_printf(MSG_DEBUG, "WPA: Use PMK from PMKSA cache");
3169 pmk = sm->pmksa->pmk;
3170 pmk_len = sm->pmksa->pmk_len;
3171 }
3172
3173 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK,
3174 owe_ptk_workaround == 2, pmk_r0, pmk_r1,
3175 pmk_r0_name, &key_len) < 0)
3176 break;
3177
3178 if (mic_len &&
3179 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
3180 sm->last_rx_eapol_key,
3181 sm->last_rx_eapol_key_len) == 0) {
3182 if (sm->PMK != pmk) {
3183 os_memcpy(sm->PMK, pmk, pmk_len);
3184 sm->pmk_len = pmk_len;
3185 }
3186 ok = 1;
3187 break;
3188 }
3189
3190 #ifdef CONFIG_FILS
3191 if (!mic_len &&
3192 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
3193 sm->last_rx_eapol_key_len, NULL) == 0) {
3194 ok = 1;
3195 break;
3196 }
3197 #endif /* CONFIG_FILS */
3198
3199 #ifdef CONFIG_OWE
3200 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && pmk_len > 32 &&
3201 owe_ptk_workaround == 1) {
3202 wpa_printf(MSG_DEBUG,
3203 "OWE: Try PTK derivation workaround with SHA256");
3204 owe_ptk_workaround = 2;
3205 continue;
3206 }
3207 #endif /* CONFIG_OWE */
3208
3209 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3210 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
3211 break;
3212 }
3213
3214 if (!ok && wpa_key_mgmt_wpa_psk_no_sae(sm->wpa_key_mgmt) &&
3215 wpa_auth->conf.radius_psk && wpa_auth->cb->request_radius_psk &&
3216 !sm->waiting_radius_psk) {
3217 wpa_printf(MSG_DEBUG, "No PSK available - ask RADIUS server");
3218 wpa_auth->cb->request_radius_psk(wpa_auth->cb_ctx, sm->addr,
3219 sm->wpa_key_mgmt,
3220 sm->ANonce,
3221 sm->last_rx_eapol_key,
3222 sm->last_rx_eapol_key_len);
3223 sm->waiting_radius_psk = 1;
3224 goto out;
3225 }
3226
3227 if (!ok) {
3228 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
3229 LOGGER_DEBUG,
3230 "invalid MIC in msg 2/4 of 4-Way Handshake");
3231 if (psk_found)
3232 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
3233 goto out;
3234 }
3235
3236 /*
3237 * Note: last_rx_eapol_key length fields have already been validated in
3238 * wpa_receive().
3239 */
3240 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
3241 key = (struct wpa_eapol_key *) (hdr + 1);
3242 mic = (u8 *) (key + 1);
3243 key_data = mic + mic_len + 2;
3244 key_data_length = WPA_GET_BE16(mic + mic_len);
3245 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
3246 sizeof(*key) - mic_len - 2)
3247 goto out;
3248
3249 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
3250 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3251 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
3252 goto out;
3253 }
3254 if (kde.rsn_ie) {
3255 eapol_key_ie = kde.rsn_ie;
3256 eapol_key_ie_len = kde.rsn_ie_len;
3257 } else if (kde.osen) {
3258 eapol_key_ie = kde.osen;
3259 eapol_key_ie_len = kde.osen_len;
3260 } else {
3261 eapol_key_ie = kde.wpa_ie;
3262 eapol_key_ie_len = kde.wpa_ie_len;
3263 }
3264 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
3265 if (!sm->wpa_ie ||
3266 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
3267 eapol_key_ie, eapol_key_ie_len)) {
3268 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3269 "WPA IE from (Re)AssocReq did not match with msg 2/4");
3270 if (sm->wpa_ie) {
3271 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
3272 sm->wpa_ie, sm->wpa_ie_len);
3273 }
3274 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
3275 eapol_key_ie, eapol_key_ie_len);
3276 /* MLME-DEAUTHENTICATE.request */
3277 wpa_sta_disconnect(wpa_auth, sm->addr,
3278 WLAN_REASON_PREV_AUTH_NOT_VALID);
3279 goto out;
3280 }
3281 if ((!sm->rsnxe && kde.rsnxe) ||
3282 (sm->rsnxe && !kde.rsnxe) ||
3283 (sm->rsnxe && kde.rsnxe &&
3284 (sm->rsnxe_len != kde.rsnxe_len ||
3285 os_memcmp(sm->rsnxe, kde.rsnxe, sm->rsnxe_len) != 0))) {
3286 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3287 "RSNXE from (Re)AssocReq did not match the one in EAPOL-Key msg 2/4");
3288 wpa_hexdump(MSG_DEBUG, "RSNXE in AssocReq",
3289 sm->rsnxe, sm->rsnxe_len);
3290 wpa_hexdump(MSG_DEBUG, "RSNXE in EAPOL-Key msg 2/4",
3291 kde.rsnxe, kde.rsnxe_len);
3292 /* MLME-DEAUTHENTICATE.request */
3293 wpa_sta_disconnect(wpa_auth, sm->addr,
3294 WLAN_REASON_PREV_AUTH_NOT_VALID);
3295 goto out;
3296 }
3297 #ifdef CONFIG_OCV
3298 if (wpa_auth_uses_ocv(sm)) {
3299 struct wpa_channel_info ci;
3300 int tx_chanwidth;
3301 int tx_seg1_idx;
3302 enum oci_verify_result res;
3303
3304 if (wpa_channel_info(wpa_auth, &ci) != 0) {
3305 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
3306 LOGGER_INFO,
3307 "Failed to get channel info to validate received OCI in EAPOL-Key 2/4");
3308 goto out;
3309 }
3310
3311 if (get_sta_tx_parameters(sm,
3312 channel_width_to_int(ci.chanwidth),
3313 ci.seg1_idx, &tx_chanwidth,
3314 &tx_seg1_idx) < 0)
3315 goto out;
3316
3317 res = ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
3318 tx_chanwidth, tx_seg1_idx);
3319 if (wpa_auth_uses_ocv(sm) == 2 && res == OCI_NOT_FOUND) {
3320 /* Work around misbehaving STAs */
3321 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
3322 LOGGER_INFO,
3323 "Disable OCV with a STA that does not send OCI");
3324 wpa_auth_set_ocv(sm, 0);
3325 } else if (res != OCI_SUCCESS) {
3326 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
3327 LOGGER_INFO,
3328 "OCV failed: %s", ocv_errorstr);
3329 if (wpa_auth->conf.msg_ctx)
3330 wpa_msg(wpa_auth->conf.msg_ctx, MSG_INFO,
3331 OCV_FAILURE "addr=" MACSTR
3332 " frame=eapol-key-m2 error=%s",
3333 MAC2STR(wpa_auth_get_spa(sm)),
3334 ocv_errorstr);
3335 goto out;
3336 }
3337 }
3338 #endif /* CONFIG_OCV */
3339 #ifdef CONFIG_IEEE80211R_AP
3340 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
3341 wpa_sta_disconnect(wpa_auth, sm->addr,
3342 WLAN_REASON_PREV_AUTH_NOT_VALID);
3343 goto out;
3344 }
3345 #endif /* CONFIG_IEEE80211R_AP */
3346 #ifdef CONFIG_P2P
3347 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
3348 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
3349 int idx;
3350 wpa_printf(MSG_DEBUG,
3351 "P2P: IP address requested in EAPOL-Key exchange");
3352 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
3353 if (idx >= 0) {
3354 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
3355 bitfield_set(wpa_auth->ip_pool, idx);
3356 sm->ip_addr_bit = idx;
3357 WPA_PUT_BE32(sm->ip_addr, start + idx);
3358 wpa_printf(MSG_DEBUG,
3359 "P2P: Assigned IP address %u.%u.%u.%u to "
3360 MACSTR " (bit %u)",
3361 sm->ip_addr[0], sm->ip_addr[1],
3362 sm->ip_addr[2], sm->ip_addr[3],
3363 MAC2STR(wpa_auth_get_spa(sm)),
3364 sm->ip_addr_bit);
3365 }
3366 }
3367 #endif /* CONFIG_P2P */
3368
3369 #ifdef CONFIG_DPP2
3370 if (DPP_VERSION > 1 && kde.dpp_kde) {
3371 wpa_printf(MSG_DEBUG,
3372 "DPP: peer Protocol Version %u Flags 0x%x",
3373 kde.dpp_kde[0], kde.dpp_kde[1]);
3374 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP &&
3375 wpa_auth->conf.dpp_pfs != 2 &&
3376 (kde.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) &&
3377 !sm->dpp_z) {
3378 wpa_printf(MSG_INFO,
3379 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
3380 wpa_sta_disconnect(wpa_auth, sm->addr,
3381 WLAN_REASON_PREV_AUTH_NOT_VALID);
3382 goto out;
3383 }
3384 }
3385 #endif /* CONFIG_DPP2 */
3386
3387 #ifdef CONFIG_IEEE80211R_AP
3388 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3389 /*
3390 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
3391 * with the value we derived.
3392 */
3393 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
3394 WPA_PMK_NAME_LEN) != 0) {
3395 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
3396 LOGGER_DEBUG,
3397 "PMKR1Name mismatch in FT 4-way handshake");
3398 wpa_hexdump(MSG_DEBUG,
3399 "FT: PMKR1Name from Supplicant",
3400 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
3401 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
3402 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
3403 goto out;
3404 }
3405 }
3406 #endif /* CONFIG_IEEE80211R_AP */
3407
3408 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
3409 wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) {
3410 wpa_sta_disconnect(wpa_auth, sm->addr,
3411 WLAN_REASON_PREV_AUTH_NOT_VALID);
3412 goto out;
3413 }
3414
3415 sm->pending_1_of_4_timeout = 0;
3416 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
3417
3418 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && sm->PMK != pmk) {
3419 /* PSK may have changed from the previous choice, so update
3420 * state machine data based on whatever PSK was selected here.
3421 */
3422 os_memcpy(sm->PMK, pmk, PMK_LEN);
3423 sm->pmk_len = PMK_LEN;
3424 }
3425
3426 sm->MICVerified = true;
3427
3428 #ifdef CONFIG_IEEE80211R_AP
3429 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) && !sm->ft_completed) {
3430 wpa_printf(MSG_DEBUG, "FT: Store PMK-R0/PMK-R1");
3431 wpa_auth_ft_store_keys(sm, pmk_r0, pmk_r1, pmk_r0_name,
3432 key_len);
3433 }
3434 #endif /* CONFIG_IEEE80211R_AP */
3435
3436 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
3437 forced_memzero(&PTK, sizeof(PTK));
3438 sm->PTK_valid = true;
3439 out:
3440 forced_memzero(pmk_r0, sizeof(pmk_r0));
3441 forced_memzero(pmk_r1, sizeof(pmk_r1));
3442 }
3443
3444
SM_STATE(WPA_PTK,PTKCALCNEGOTIATING2)3445 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
3446 {
3447 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
3448 sm->TimeoutCtr = 0;
3449 }
3450
3451
ieee80211w_kde_len(struct wpa_state_machine * sm)3452 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
3453 {
3454 size_t len = 0;
3455
3456 if (sm->mgmt_frame_prot) {
3457 len += 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN;
3458 len += wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
3459 }
3460 if (sm->mgmt_frame_prot && sm->wpa_auth->conf.beacon_prot) {
3461 len += 2 + RSN_SELECTOR_LEN + WPA_BIGTK_KDE_PREFIX_LEN;
3462 len += wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
3463 }
3464
3465 return len;
3466 }
3467
3468
ieee80211w_kde_add(struct wpa_state_machine * sm,u8 * pos)3469 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
3470 {
3471 struct wpa_igtk_kde igtk;
3472 struct wpa_bigtk_kde bigtk;
3473 struct wpa_group *gsm = sm->group;
3474 u8 rsc[WPA_KEY_RSC_LEN];
3475 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
3476 size_t len = wpa_cipher_key_len(conf->group_mgmt_cipher);
3477
3478 if (!sm->mgmt_frame_prot)
3479 return pos;
3480
3481 igtk.keyid[0] = gsm->GN_igtk;
3482 igtk.keyid[1] = 0;
3483 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
3484 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
3485 os_memset(igtk.pn, 0, sizeof(igtk.pn));
3486 else
3487 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
3488 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
3489 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3490 /*
3491 * Provide unique random IGTK to each STA to prevent use of
3492 * IGTK in the BSS.
3493 */
3494 if (random_get_bytes(igtk.igtk, len) < 0)
3495 return pos;
3496 }
3497 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
3498 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
3499 NULL, 0);
3500 forced_memzero(&igtk, sizeof(igtk));
3501
3502 if (!conf->beacon_prot)
3503 return pos;
3504
3505 bigtk.keyid[0] = gsm->GN_bigtk;
3506 bigtk.keyid[1] = 0;
3507 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
3508 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_bigtk, rsc) < 0)
3509 os_memset(bigtk.pn, 0, sizeof(bigtk.pn));
3510 else
3511 os_memcpy(bigtk.pn, rsc, sizeof(bigtk.pn));
3512 os_memcpy(bigtk.bigtk, gsm->BIGTK[gsm->GN_bigtk - 6], len);
3513 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3514 /*
3515 * Provide unique random BIGTK to each OSEN STA to prevent use
3516 * of BIGTK in the BSS.
3517 */
3518 if (random_get_bytes(bigtk.bigtk, len) < 0)
3519 return pos;
3520 }
3521 pos = wpa_add_kde(pos, RSN_KEY_DATA_BIGTK,
3522 (const u8 *) &bigtk, WPA_BIGTK_KDE_PREFIX_LEN + len,
3523 NULL, 0);
3524 forced_memzero(&bigtk, sizeof(bigtk));
3525
3526 return pos;
3527 }
3528
3529
ocv_oci_len(struct wpa_state_machine * sm)3530 static int ocv_oci_len(struct wpa_state_machine *sm)
3531 {
3532 #ifdef CONFIG_OCV
3533 if (wpa_auth_uses_ocv(sm))
3534 return OCV_OCI_KDE_LEN;
3535 #endif /* CONFIG_OCV */
3536 return 0;
3537 }
3538
3539
ocv_oci_add(struct wpa_state_machine * sm,u8 ** argpos,unsigned int freq)3540 static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos,
3541 unsigned int freq)
3542 {
3543 #ifdef CONFIG_OCV
3544 struct wpa_channel_info ci;
3545
3546 if (!wpa_auth_uses_ocv(sm))
3547 return 0;
3548
3549 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
3550 wpa_printf(MSG_WARNING,
3551 "Failed to get channel info for OCI element");
3552 return -1;
3553 }
3554 #ifdef CONFIG_TESTING_OPTIONS
3555 if (freq) {
3556 wpa_printf(MSG_INFO,
3557 "TEST: Override OCI KDE frequency %d -> %u MHz",
3558 ci.frequency, freq);
3559 ci.frequency = freq;
3560 }
3561 #endif /* CONFIG_TESTING_OPTIONS */
3562
3563 return ocv_insert_oci_kde(&ci, argpos);
3564 #else /* CONFIG_OCV */
3565 return 0;
3566 #endif /* CONFIG_OCV */
3567 }
3568
3569
3570 #ifdef CONFIG_TESTING_OPTIONS
replace_ie(const char * name,const u8 * old_buf,size_t * len,u8 eid,const u8 * ie,size_t ie_len)3571 static u8 * replace_ie(const char *name, const u8 *old_buf, size_t *len, u8 eid,
3572 const u8 *ie, size_t ie_len)
3573 {
3574 const u8 *elem;
3575 u8 *buf;
3576
3577 wpa_printf(MSG_DEBUG, "TESTING: %s EAPOL override", name);
3578 wpa_hexdump(MSG_DEBUG, "TESTING: wpa_ie before override",
3579 old_buf, *len);
3580 buf = os_malloc(*len + ie_len);
3581 if (!buf)
3582 return NULL;
3583 os_memcpy(buf, old_buf, *len);
3584 elem = get_ie(buf, *len, eid);
3585 if (elem) {
3586 u8 elem_len = 2 + elem[1];
3587
3588 os_memmove((void *) elem, elem + elem_len,
3589 *len - (elem - buf) - elem_len);
3590 *len -= elem_len;
3591 }
3592 os_memcpy(buf + *len, ie, ie_len);
3593 *len += ie_len;
3594 wpa_hexdump(MSG_DEBUG, "TESTING: wpa_ie after EAPOL override",
3595 buf, *len);
3596
3597 return buf;
3598 }
3599 #endif /* CONFIG_TESTING_OPTIONS */
3600
3601
SM_STATE(WPA_PTK,PTKINITNEGOTIATING)3602 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
3603 {
3604 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde = NULL, *pos, stub_gtk[32];
3605 size_t gtk_len, kde_len = 0, wpa_ie_len;
3606 struct wpa_group *gsm = sm->group;
3607 u8 *wpa_ie;
3608 int secure, gtkidx, encr = 0;
3609 u8 *wpa_ie_buf = NULL, *wpa_ie_buf2 = NULL;
3610 u8 hdr[2];
3611 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
3612
3613 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
3614 sm->TimeoutEvt = false;
3615
3616 sm->TimeoutCtr++;
3617 if (conf->wpa_disable_eapol_key_retries && sm->TimeoutCtr > 1) {
3618 /* Do not allow retransmission of EAPOL-Key msg 3/4 */
3619 return;
3620 }
3621 if (sm->TimeoutCtr > conf->wpa_pairwise_update_count) {
3622 /* No point in sending the EAPOL-Key - we will disconnect
3623 * immediately following this. */
3624 return;
3625 }
3626
3627 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
3628 GTK[GN], IGTK, [BIGTK], [FTIE], [TIE * 2])
3629 */
3630 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3631 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3632 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
3633 wpa_ie = sm->wpa_auth->wpa_ie;
3634 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
3635 if (sm->wpa == WPA_VERSION_WPA && (conf->wpa & WPA_PROTO_RSN) &&
3636 wpa_ie_len > wpa_ie[1] + 2U && wpa_ie[0] == WLAN_EID_RSN) {
3637 /* WPA-only STA, remove RSN IE and possible MDIE */
3638 wpa_ie = wpa_ie + wpa_ie[1] + 2;
3639 if (wpa_ie[0] == WLAN_EID_RSNX)
3640 wpa_ie = wpa_ie + wpa_ie[1] + 2;
3641 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
3642 wpa_ie = wpa_ie + wpa_ie[1] + 2;
3643 wpa_ie_len = wpa_ie[1] + 2;
3644 }
3645 #ifdef CONFIG_TESTING_OPTIONS
3646 if (conf->rsne_override_eapol_set) {
3647 wpa_ie_buf2 = replace_ie(
3648 "RSNE", wpa_ie, &wpa_ie_len, WLAN_EID_RSN,
3649 conf->rsne_override_eapol,
3650 conf->rsne_override_eapol_len);
3651 if (!wpa_ie_buf2)
3652 goto done;
3653 wpa_ie = wpa_ie_buf2;
3654 }
3655 if (conf->rsnxe_override_eapol_set) {
3656 wpa_ie_buf = replace_ie(
3657 "RSNXE", wpa_ie, &wpa_ie_len, WLAN_EID_RSNX,
3658 conf->rsnxe_override_eapol,
3659 conf->rsnxe_override_eapol_len);
3660 if (!wpa_ie_buf)
3661 goto done;
3662 wpa_ie = wpa_ie_buf;
3663 }
3664 #endif /* CONFIG_TESTING_OPTIONS */
3665 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
3666 "sending 3/4 msg of 4-Way Handshake");
3667 if (sm->wpa == WPA_VERSION_WPA2) {
3668 if (sm->use_ext_key_id && sm->TimeoutCtr == 1 &&
3669 wpa_auth_set_key(sm->wpa_auth, 0,
3670 wpa_cipher_to_alg(sm->pairwise),
3671 sm->addr,
3672 sm->keyidx_active, sm->PTK.tk,
3673 wpa_cipher_key_len(sm->pairwise),
3674 KEY_FLAG_PAIRWISE_RX)) {
3675 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3676 WLAN_REASON_PREV_AUTH_NOT_VALID);
3677 return;
3678 }
3679
3680 #ifdef CONFIG_PASN
3681 if (sm->wpa_auth->conf.secure_ltf &&
3682 ieee802_11_rsnx_capab(sm->rsnxe,
3683 WLAN_RSNX_CAPAB_SECURE_LTF) &&
3684 wpa_auth_set_ltf_keyseed(sm->wpa_auth, sm->addr,
3685 sm->PTK.ltf_keyseed,
3686 sm->PTK.ltf_keyseed_len)) {
3687 wpa_printf(MSG_ERROR,
3688 "WPA: Failed to set LTF keyseed to driver");
3689 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3690 WLAN_REASON_PREV_AUTH_NOT_VALID);
3691 return;
3692 }
3693 #endif /* CONFIG_PASN */
3694
3695 /* WPA2 send GTK in the 4-way handshake */
3696 secure = 1;
3697 gtk = gsm->GTK[gsm->GN - 1];
3698 gtk_len = gsm->GTK_len;
3699 if (conf->disable_gtk ||
3700 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3701 /*
3702 * Provide unique random GTK to each STA to prevent use
3703 * of GTK in the BSS.
3704 */
3705 if (random_get_bytes(stub_gtk, gtk_len) < 0)
3706 goto done;
3707 gtk = stub_gtk;
3708 }
3709 gtkidx = gsm->GN;
3710 _rsc = rsc;
3711 encr = 1;
3712 } else {
3713 /* WPA does not include GTK in msg 3/4 */
3714 secure = 0;
3715 gtk = NULL;
3716 gtk_len = 0;
3717 _rsc = NULL;
3718 if (sm->rx_eapol_key_secure) {
3719 /*
3720 * It looks like Windows 7 supplicant tries to use
3721 * Secure bit in msg 2/4 after having reported Michael
3722 * MIC failure and it then rejects the 4-way handshake
3723 * if msg 3/4 does not set Secure bit. Work around this
3724 * by setting the Secure bit here even in the case of
3725 * WPA if the supplicant used it first.
3726 */
3727 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
3728 LOGGER_DEBUG,
3729 "STA used Secure bit in WPA msg 2/4 - set Secure for 3/4 as workaround");
3730 secure = 1;
3731 }
3732 }
3733
3734 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
3735
3736 if (sm->use_ext_key_id)
3737 kde_len += 2 + RSN_SELECTOR_LEN + 2;
3738
3739 if (gtk)
3740 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
3741 #ifdef CONFIG_IEEE80211R_AP
3742 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3743 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
3744 kde_len += 300; /* FTIE + 2 * TIE */
3745 }
3746 #endif /* CONFIG_IEEE80211R_AP */
3747 #ifdef CONFIG_P2P
3748 if (WPA_GET_BE32(sm->ip_addr) > 0)
3749 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
3750 #endif /* CONFIG_P2P */
3751
3752 if (conf->transition_disable)
3753 kde_len += 2 + RSN_SELECTOR_LEN + 1;
3754
3755 #ifdef CONFIG_DPP2
3756 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
3757 kde_len += 2 + RSN_SELECTOR_LEN + 2;
3758 #endif /* CONFIG_DPP2 */
3759
3760 kde = os_malloc(kde_len);
3761 if (!kde)
3762 goto done;
3763
3764 pos = kde;
3765 os_memcpy(pos, wpa_ie, wpa_ie_len);
3766 pos += wpa_ie_len;
3767 #ifdef CONFIG_IEEE80211R_AP
3768 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3769 int res;
3770 size_t elen;
3771
3772 elen = pos - kde;
3773 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
3774 if (res < 0) {
3775 wpa_printf(MSG_ERROR,
3776 "FT: Failed to insert PMKR1Name into RSN IE in EAPOL-Key data");
3777 goto done;
3778 }
3779 pos -= wpa_ie_len;
3780 pos += elen;
3781 }
3782 #endif /* CONFIG_IEEE80211R_AP */
3783 hdr[1] = 0;
3784
3785 if (sm->use_ext_key_id) {
3786 hdr[0] = sm->keyidx_active & 0x01;
3787 pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0);
3788 }
3789
3790 if (gtk) {
3791 hdr[0] = gtkidx & 0x03;
3792 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3793 gtk, gtk_len);
3794 }
3795 pos = ieee80211w_kde_add(sm, pos);
3796 if (ocv_oci_add(sm, &pos, conf->oci_freq_override_eapol_m3) < 0)
3797 goto done;
3798
3799 #ifdef CONFIG_IEEE80211R_AP
3800 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3801 int res;
3802
3803 if (sm->assoc_resp_ftie &&
3804 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
3805 os_memcpy(pos, sm->assoc_resp_ftie,
3806 2 + sm->assoc_resp_ftie[1]);
3807 res = 2 + sm->assoc_resp_ftie[1];
3808 } else {
3809 res = wpa_write_ftie(conf, sm->wpa_key_mgmt,
3810 sm->xxkey_len,
3811 conf->r0_key_holder,
3812 conf->r0_key_holder_len,
3813 NULL, NULL, pos,
3814 kde + kde_len - pos,
3815 NULL, 0, 0);
3816 }
3817 if (res < 0) {
3818 wpa_printf(MSG_ERROR,
3819 "FT: Failed to insert FTIE into EAPOL-Key Key Data");
3820 goto done;
3821 }
3822 pos += res;
3823
3824 /* TIE[ReassociationDeadline] (TU) */
3825 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3826 *pos++ = 5;
3827 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
3828 WPA_PUT_LE32(pos, conf->reassociation_deadline);
3829 pos += 4;
3830
3831 /* TIE[KeyLifetime] (seconds) */
3832 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3833 *pos++ = 5;
3834 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
3835 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
3836 pos += 4;
3837 }
3838 #endif /* CONFIG_IEEE80211R_AP */
3839 #ifdef CONFIG_P2P
3840 if (WPA_GET_BE32(sm->ip_addr) > 0) {
3841 u8 addr[3 * 4];
3842 os_memcpy(addr, sm->ip_addr, 4);
3843 os_memcpy(addr + 4, conf->ip_addr_mask, 4);
3844 os_memcpy(addr + 8, conf->ip_addr_go, 4);
3845 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
3846 addr, sizeof(addr), NULL, 0);
3847 }
3848 #endif /* CONFIG_P2P */
3849
3850 if (conf->transition_disable)
3851 pos = wpa_add_kde(pos, WFA_KEY_DATA_TRANSITION_DISABLE,
3852 &conf->transition_disable, 1, NULL, 0);
3853
3854 #ifdef CONFIG_DPP2
3855 if (DPP_VERSION > 1 && sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
3856 u8 payload[2];
3857
3858 payload[0] = DPP_VERSION; /* Protocol Version */
3859 payload[1] = 0; /* Flags */
3860 if (conf->dpp_pfs == 0)
3861 payload[1] |= DPP_KDE_PFS_ALLOWED;
3862 else if (conf->dpp_pfs == 1)
3863 payload[1] |= DPP_KDE_PFS_ALLOWED |
3864 DPP_KDE_PFS_REQUIRED;
3865 pos = wpa_add_kde(pos, WFA_KEY_DATA_DPP,
3866 payload, sizeof(payload), NULL, 0);
3867 }
3868 #endif /* CONFIG_DPP2 */
3869
3870 wpa_send_eapol(sm->wpa_auth, sm,
3871 (secure ? WPA_KEY_INFO_SECURE : 0) |
3872 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3873 WPA_KEY_INFO_MIC : 0) |
3874 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
3875 WPA_KEY_INFO_KEY_TYPE,
3876 _rsc, sm->ANonce, kde, pos - kde, 0, encr);
3877 done:
3878 bin_clear_free(kde, kde_len);
3879 os_free(wpa_ie_buf);
3880 os_free(wpa_ie_buf2);
3881 }
3882
3883
SM_STATE(WPA_PTK,PTKINITDONE)3884 SM_STATE(WPA_PTK, PTKINITDONE)
3885 {
3886 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
3887 sm->EAPOLKeyReceived = false;
3888 if (sm->Pair) {
3889 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
3890 int klen = wpa_cipher_key_len(sm->pairwise);
3891 int res;
3892
3893 if (sm->use_ext_key_id)
3894 res = wpa_auth_set_key(sm->wpa_auth, 0, 0, sm->addr,
3895 sm->keyidx_active, NULL, 0,
3896 KEY_FLAG_PAIRWISE_RX_TX_MODIFY);
3897 else
3898 res = wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr,
3899 0, sm->PTK.tk, klen,
3900 KEY_FLAG_PAIRWISE_RX_TX);
3901 if (res) {
3902 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3903 WLAN_REASON_PREV_AUTH_NOT_VALID);
3904 return;
3905 }
3906
3907 #ifdef CONFIG_PASN
3908 if (sm->wpa_auth->conf.secure_ltf &&
3909 ieee802_11_rsnx_capab(sm->rsnxe,
3910 WLAN_RSNX_CAPAB_SECURE_LTF) &&
3911 wpa_auth_set_ltf_keyseed(sm->wpa_auth, sm->addr,
3912 sm->PTK.ltf_keyseed,
3913 sm->PTK.ltf_keyseed_len)) {
3914 wpa_printf(MSG_ERROR,
3915 "WPA: Failed to set LTF keyseed to driver");
3916 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3917 WLAN_REASON_PREV_AUTH_NOT_VALID);
3918 return;
3919 }
3920 #endif /* CONFIG_PASN */
3921
3922 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
3923 sm->pairwise_set = true;
3924
3925 wpa_auth_set_ptk_rekey_timer(sm);
3926 wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, sm->pairwise,
3927 dot11RSNAConfigPMKLifetime, &sm->PTK);
3928
3929 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3930 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
3931 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
3932 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3933 WPA_EAPOL_authorized, 1);
3934 }
3935 }
3936
3937 if (0 /* IBSS == TRUE */) {
3938 sm->keycount++;
3939 if (sm->keycount == 2) {
3940 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3941 WPA_EAPOL_portValid, 1);
3942 }
3943 } else {
3944 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
3945 1);
3946 }
3947 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable,
3948 false);
3949 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, true);
3950 if (sm->wpa == WPA_VERSION_WPA)
3951 sm->PInitAKeys = true;
3952 else
3953 sm->has_GTK = true;
3954 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3955 "pairwise key handshake completed (%s)",
3956 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3957 wpa_msg(sm->wpa_auth->conf.msg_ctx, MSG_INFO, "EAPOL-4WAY-HS-COMPLETED "
3958 MACSTR, MAC2STR(sm->addr));
3959
3960 #ifdef CONFIG_IEEE80211R_AP
3961 wpa_ft_push_pmk_r1(sm->wpa_auth, wpa_auth_get_spa(sm));
3962 #endif /* CONFIG_IEEE80211R_AP */
3963
3964 sm->ptkstart_without_success = 0;
3965 }
3966
3967
SM_STEP(WPA_PTK)3968 SM_STEP(WPA_PTK)
3969 {
3970 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3971 struct wpa_auth_config *conf = &wpa_auth->conf;
3972
3973 if (sm->Init)
3974 SM_ENTER(WPA_PTK, INITIALIZE);
3975 else if (sm->Disconnect
3976 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
3977 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
3978 "WPA_PTK: sm->Disconnect");
3979 SM_ENTER(WPA_PTK, DISCONNECT);
3980 }
3981 else if (sm->DeauthenticationRequest)
3982 SM_ENTER(WPA_PTK, DISCONNECTED);
3983 else if (sm->AuthenticationRequest)
3984 SM_ENTER(WPA_PTK, AUTHENTICATION);
3985 else if (sm->ReAuthenticationRequest)
3986 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3987 else if (sm->PTKRequest) {
3988 if (wpa_auth_sm_ptk_update(sm) < 0)
3989 SM_ENTER(WPA_PTK, DISCONNECTED);
3990 else
3991 SM_ENTER(WPA_PTK, PTKSTART);
3992 } else switch (sm->wpa_ptk_state) {
3993 case WPA_PTK_INITIALIZE:
3994 break;
3995 case WPA_PTK_DISCONNECT:
3996 SM_ENTER(WPA_PTK, DISCONNECTED);
3997 break;
3998 case WPA_PTK_DISCONNECTED:
3999 SM_ENTER(WPA_PTK, INITIALIZE);
4000 break;
4001 case WPA_PTK_AUTHENTICATION:
4002 SM_ENTER(WPA_PTK, AUTHENTICATION2);
4003 break;
4004 case WPA_PTK_AUTHENTICATION2:
4005 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
4006 wpa_auth_get_eapol(wpa_auth, sm->addr,
4007 WPA_EAPOL_keyRun))
4008 SM_ENTER(WPA_PTK, INITPMK);
4009 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
4010 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
4011 /* FIX: && 802.1X::keyRun */)
4012 SM_ENTER(WPA_PTK, INITPSK);
4013 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
4014 SM_ENTER(WPA_PTK, INITPMK);
4015 break;
4016 case WPA_PTK_INITPMK:
4017 if (wpa_auth_get_eapol(wpa_auth, sm->addr,
4018 WPA_EAPOL_keyAvailable)) {
4019 SM_ENTER(WPA_PTK, PTKSTART);
4020 #ifdef CONFIG_DPP
4021 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) {
4022 SM_ENTER(WPA_PTK, PTKSTART);
4023 #endif /* CONFIG_DPP */
4024 } else {
4025 wpa_auth->dot11RSNA4WayHandshakeFailures++;
4026 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
4027 LOGGER_INFO,
4028 "INITPMK - keyAvailable = false");
4029 SM_ENTER(WPA_PTK, DISCONNECT);
4030 }
4031 break;
4032 case WPA_PTK_INITPSK:
4033 if (wpa_auth_get_psk(wpa_auth, sm->addr, sm->p2p_dev_addr,
4034 NULL, NULL, NULL)) {
4035 SM_ENTER(WPA_PTK, PTKSTART);
4036 #ifdef CONFIG_SAE
4037 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) {
4038 SM_ENTER(WPA_PTK, PTKSTART);
4039 #endif /* CONFIG_SAE */
4040 } else if (wpa_key_mgmt_wpa_psk_no_sae(sm->wpa_key_mgmt) &&
4041 wpa_auth->conf.radius_psk) {
4042 wpa_printf(MSG_DEBUG,
4043 "INITPSK: No PSK yet available for STA - use RADIUS later");
4044 SM_ENTER(WPA_PTK, PTKSTART);
4045 } else {
4046 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
4047 LOGGER_INFO,
4048 "no PSK configured for the STA");
4049 wpa_auth->dot11RSNA4WayHandshakeFailures++;
4050 SM_ENTER(WPA_PTK, DISCONNECT);
4051 }
4052 break;
4053 case WPA_PTK_PTKSTART:
4054 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
4055 sm->EAPOLKeyPairwise)
4056 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
4057 else if (sm->TimeoutCtr > conf->wpa_pairwise_update_count) {
4058 wpa_auth->dot11RSNA4WayHandshakeFailures++;
4059 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
4060 LOGGER_DEBUG,
4061 "PTKSTART: Retry limit %u reached",
4062 conf->wpa_pairwise_update_count);
4063 sm->disconnect_reason =
4064 WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT;
4065 SM_ENTER(WPA_PTK, DISCONNECT);
4066 } else if (sm->TimeoutEvt)
4067 SM_ENTER(WPA_PTK, PTKSTART);
4068 break;
4069 case WPA_PTK_PTKCALCNEGOTIATING:
4070 if (sm->MICVerified)
4071 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
4072 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
4073 sm->EAPOLKeyPairwise)
4074 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
4075 else if (sm->TimeoutEvt)
4076 SM_ENTER(WPA_PTK, PTKSTART);
4077 break;
4078 case WPA_PTK_PTKCALCNEGOTIATING2:
4079 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
4080 break;
4081 case WPA_PTK_PTKINITNEGOTIATING:
4082 if (sm->update_snonce)
4083 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
4084 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
4085 sm->EAPOLKeyPairwise && sm->MICVerified)
4086 SM_ENTER(WPA_PTK, PTKINITDONE);
4087 else if (sm->TimeoutCtr >
4088 conf->wpa_pairwise_update_count ||
4089 (conf->wpa_disable_eapol_key_retries &&
4090 sm->TimeoutCtr > 1)) {
4091 wpa_auth->dot11RSNA4WayHandshakeFailures++;
4092 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
4093 LOGGER_DEBUG,
4094 "PTKINITNEGOTIATING: Retry limit %u reached",
4095 conf->wpa_pairwise_update_count);
4096 sm->disconnect_reason =
4097 WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT;
4098 SM_ENTER(WPA_PTK, DISCONNECT);
4099 } else if (sm->TimeoutEvt)
4100 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
4101 break;
4102 case WPA_PTK_PTKINITDONE:
4103 break;
4104 }
4105 }
4106
4107
SM_STATE(WPA_PTK_GROUP,IDLE)4108 SM_STATE(WPA_PTK_GROUP, IDLE)
4109 {
4110 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
4111 if (sm->Init) {
4112 /* Init flag is not cleared here, so avoid busy
4113 * loop by claiming nothing changed. */
4114 sm->changed = false;
4115 }
4116 sm->GTimeoutCtr = 0;
4117 }
4118
4119
SM_STATE(WPA_PTK_GROUP,REKEYNEGOTIATING)4120 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
4121 {
4122 u8 rsc[WPA_KEY_RSC_LEN];
4123 struct wpa_group *gsm = sm->group;
4124 const u8 *kde;
4125 u8 *kde_buf = NULL, *pos, hdr[2];
4126 size_t kde_len = 0;
4127 u8 *gtk, stub_gtk[32];
4128 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
4129
4130 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
4131
4132 sm->GTimeoutCtr++;
4133 if (conf->wpa_disable_eapol_key_retries && sm->GTimeoutCtr > 1) {
4134 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */
4135 return;
4136 }
4137 if (sm->GTimeoutCtr > conf->wpa_group_update_count) {
4138 /* No point in sending the EAPOL-Key - we will disconnect
4139 * immediately following this. */
4140 return;
4141 }
4142
4143 if (sm->wpa == WPA_VERSION_WPA)
4144 sm->PInitAKeys = false;
4145 sm->TimeoutEvt = false;
4146 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
4147 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
4148 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
4149 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
4150 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
4151 "sending 1/2 msg of Group Key Handshake");
4152
4153 gtk = gsm->GTK[gsm->GN - 1];
4154 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4155 /*
4156 * Provide unique random GTK to each STA to prevent use
4157 * of GTK in the BSS.
4158 */
4159 if (random_get_bytes(stub_gtk, gsm->GTK_len) < 0)
4160 return;
4161 gtk = stub_gtk;
4162 }
4163 if (sm->wpa == WPA_VERSION_WPA2) {
4164 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
4165 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
4166 kde_buf = os_malloc(kde_len);
4167 if (!kde_buf)
4168 return;
4169
4170 kde = pos = kde_buf;
4171 hdr[0] = gsm->GN & 0x03;
4172 hdr[1] = 0;
4173 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
4174 gtk, gsm->GTK_len);
4175 pos = ieee80211w_kde_add(sm, pos);
4176 if (ocv_oci_add(sm, &pos,
4177 conf->oci_freq_override_eapol_g1) < 0) {
4178 os_free(kde_buf);
4179 return;
4180 }
4181 kde_len = pos - kde;
4182 } else {
4183 kde = gtk;
4184 kde_len = gsm->GTK_len;
4185 }
4186
4187 wpa_send_eapol(sm->wpa_auth, sm,
4188 WPA_KEY_INFO_SECURE |
4189 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
4190 WPA_KEY_INFO_MIC : 0) |
4191 WPA_KEY_INFO_ACK |
4192 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
4193 rsc, NULL, kde, kde_len, gsm->GN, 1);
4194
4195 bin_clear_free(kde_buf, kde_len);
4196 }
4197
4198
SM_STATE(WPA_PTK_GROUP,REKEYESTABLISHED)4199 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
4200 {
4201 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
4202 #ifdef CONFIG_OCV
4203 const u8 *key_data, *mic;
4204 struct ieee802_1x_hdr *hdr;
4205 struct wpa_eapol_key *key;
4206 struct wpa_eapol_ie_parse kde;
4207 size_t mic_len;
4208 u16 key_data_length;
4209 #endif /* CONFIG_OCV */
4210
4211 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
4212 sm->EAPOLKeyReceived = false;
4213
4214 #ifdef CONFIG_OCV
4215 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
4216
4217 /*
4218 * Note: last_rx_eapol_key length fields have already been validated in
4219 * wpa_receive().
4220 */
4221 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
4222 key = (struct wpa_eapol_key *) (hdr + 1);
4223 mic = (u8 *) (key + 1);
4224 key_data = mic + mic_len + 2;
4225 key_data_length = WPA_GET_BE16(mic + mic_len);
4226 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
4227 sizeof(*key) - mic_len - 2)
4228 return;
4229
4230 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
4231 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
4232 "received EAPOL-Key group msg 2/2 with invalid Key Data contents");
4233 return;
4234 }
4235
4236 if (wpa_auth_uses_ocv(sm)) {
4237 struct wpa_channel_info ci;
4238 int tx_chanwidth;
4239 int tx_seg1_idx;
4240
4241 if (wpa_channel_info(wpa_auth, &ci) != 0) {
4242 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
4243 LOGGER_INFO,
4244 "Failed to get channel info to validate received OCI in EAPOL-Key group 2/2");
4245 return;
4246 }
4247
4248 if (get_sta_tx_parameters(sm,
4249 channel_width_to_int(ci.chanwidth),
4250 ci.seg1_idx, &tx_chanwidth,
4251 &tx_seg1_idx) < 0)
4252 return;
4253
4254 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
4255 tx_chanwidth, tx_seg1_idx) !=
4256 OCI_SUCCESS) {
4257 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
4258 LOGGER_INFO,
4259 "OCV failed: %s", ocv_errorstr);
4260 if (wpa_auth->conf.msg_ctx)
4261 wpa_msg(wpa_auth->conf.msg_ctx, MSG_INFO,
4262 OCV_FAILURE "addr=" MACSTR
4263 " frame=eapol-key-g2 error=%s",
4264 MAC2STR(wpa_auth_get_spa(sm)),
4265 ocv_errorstr);
4266 return;
4267 }
4268 }
4269 #endif /* CONFIG_OCV */
4270
4271 if (sm->GUpdateStationKeys)
4272 sm->group->GKeyDoneStations--;
4273 sm->GUpdateStationKeys = false;
4274 sm->GTimeoutCtr = 0;
4275 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
4276 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
4277 "group key handshake completed (%s)",
4278 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
4279 sm->has_GTK = true;
4280 }
4281
4282
SM_STATE(WPA_PTK_GROUP,KEYERROR)4283 SM_STATE(WPA_PTK_GROUP, KEYERROR)
4284 {
4285 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
4286 if (sm->GUpdateStationKeys)
4287 sm->group->GKeyDoneStations--;
4288 sm->GUpdateStationKeys = false;
4289 sm->Disconnect = true;
4290 sm->disconnect_reason = WLAN_REASON_GROUP_KEY_UPDATE_TIMEOUT;
4291 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
4292 "group key handshake failed (%s) after %u tries",
4293 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
4294 sm->wpa_auth->conf.wpa_group_update_count);
4295 }
4296
4297
SM_STEP(WPA_PTK_GROUP)4298 SM_STEP(WPA_PTK_GROUP)
4299 {
4300 if (sm->Init || sm->PtkGroupInit) {
4301 SM_ENTER(WPA_PTK_GROUP, IDLE);
4302 sm->PtkGroupInit = false;
4303 } else switch (sm->wpa_ptk_group_state) {
4304 case WPA_PTK_GROUP_IDLE:
4305 if (sm->GUpdateStationKeys ||
4306 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
4307 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
4308 break;
4309 case WPA_PTK_GROUP_REKEYNEGOTIATING:
4310 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
4311 !sm->EAPOLKeyPairwise && sm->MICVerified)
4312 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
4313 else if (sm->GTimeoutCtr >
4314 sm->wpa_auth->conf.wpa_group_update_count ||
4315 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
4316 sm->GTimeoutCtr > 1))
4317 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
4318 else if (sm->TimeoutEvt)
4319 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
4320 break;
4321 case WPA_PTK_GROUP_KEYERROR:
4322 SM_ENTER(WPA_PTK_GROUP, IDLE);
4323 break;
4324 case WPA_PTK_GROUP_REKEYESTABLISHED:
4325 SM_ENTER(WPA_PTK_GROUP, IDLE);
4326 break;
4327 }
4328 }
4329
4330
wpa_gtk_update(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4331 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
4332 struct wpa_group *group)
4333 {
4334 struct wpa_auth_config *conf = &wpa_auth->conf;
4335 int ret = 0;
4336 size_t len;
4337
4338 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
4339 inc_byte_array(group->Counter, WPA_NONCE_LEN);
4340 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
4341 wpa_auth->addr, group->GNonce,
4342 group->GTK[group->GN - 1], group->GTK_len) < 0)
4343 ret = -1;
4344 wpa_hexdump_key(MSG_DEBUG, "GTK",
4345 group->GTK[group->GN - 1], group->GTK_len);
4346
4347 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4348 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
4349 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
4350 inc_byte_array(group->Counter, WPA_NONCE_LEN);
4351 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
4352 wpa_auth->addr, group->GNonce,
4353 group->IGTK[group->GN_igtk - 4], len) < 0)
4354 ret = -1;
4355 wpa_hexdump_key(MSG_DEBUG, "IGTK",
4356 group->IGTK[group->GN_igtk - 4], len);
4357 }
4358
4359 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION &&
4360 conf->beacon_prot) {
4361 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
4362 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
4363 inc_byte_array(group->Counter, WPA_NONCE_LEN);
4364 if (wpa_gmk_to_gtk(group->GMK, "BIGTK key expansion",
4365 wpa_auth->addr, group->GNonce,
4366 group->BIGTK[group->GN_bigtk - 6], len) < 0)
4367 ret = -1;
4368 wpa_hexdump_key(MSG_DEBUG, "BIGTK",
4369 group->BIGTK[group->GN_bigtk - 6], len);
4370 }
4371
4372 return ret;
4373 }
4374
4375
wpa_group_gtk_init(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4376 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
4377 struct wpa_group *group)
4378 {
4379 wpa_printf(MSG_DEBUG,
4380 "WPA: group state machine entering state GTK_INIT (VLAN-ID %d)",
4381 group->vlan_id);
4382 group->changed = false; /* GInit is not cleared here; avoid loop */
4383 group->wpa_group_state = WPA_GROUP_GTK_INIT;
4384
4385 /* GTK[0..N] = 0 */
4386 os_memset(group->GTK, 0, sizeof(group->GTK));
4387 group->GN = 1;
4388 group->GM = 2;
4389 group->GN_igtk = 4;
4390 group->GM_igtk = 5;
4391 group->GN_bigtk = 6;
4392 group->GM_bigtk = 7;
4393 /* GTK[GN] = CalcGTK() */
4394 wpa_gtk_update(wpa_auth, group);
4395 }
4396
4397
wpa_group_update_sta(struct wpa_state_machine * sm,void * ctx)4398 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
4399 {
4400 if (ctx != NULL && ctx != sm->group)
4401 return 0;
4402
4403 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
4404 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
4405 LOGGER_DEBUG,
4406 "Not in PTKINITDONE; skip Group Key update");
4407 sm->GUpdateStationKeys = false;
4408 return 0;
4409 }
4410 if (sm->GUpdateStationKeys) {
4411 /*
4412 * This should not really happen, so add a debug log entry.
4413 * Since we clear the GKeyDoneStations before the loop, the
4414 * station needs to be counted here anyway.
4415 */
4416 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
4417 LOGGER_DEBUG,
4418 "GUpdateStationKeys was already set when marking station for GTK rekeying");
4419 }
4420
4421 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
4422 if (sm->is_wnmsleep)
4423 return 0;
4424
4425 sm->group->GKeyDoneStations++;
4426 sm->GUpdateStationKeys = true;
4427
4428 wpa_sm_step(sm);
4429 return 0;
4430 }
4431
4432
4433 #ifdef CONFIG_WNM_AP
4434 /* update GTK when exiting WNM-Sleep Mode */
wpa_wnmsleep_rekey_gtk(struct wpa_state_machine * sm)4435 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
4436 {
4437 if (!sm || sm->is_wnmsleep)
4438 return;
4439
4440 wpa_group_update_sta(sm, NULL);
4441 }
4442
4443
wpa_set_wnmsleep(struct wpa_state_machine * sm,int flag)4444 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
4445 {
4446 if (sm)
4447 sm->is_wnmsleep = !!flag;
4448 }
4449
4450
wpa_wnmsleep_gtk_subelem(struct wpa_state_machine * sm,u8 * pos)4451 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
4452 {
4453 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
4454 struct wpa_group *gsm = sm->group;
4455 u8 *start = pos;
4456
4457 /*
4458 * GTK subelement:
4459 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
4460 * Key[5..32]
4461 */
4462 *pos++ = WNM_SLEEP_SUBELEM_GTK;
4463 *pos++ = 11 + gsm->GTK_len;
4464 /* Key ID in B0-B1 of Key Info */
4465 WPA_PUT_LE16(pos, gsm->GN & 0x03);
4466 pos += 2;
4467 *pos++ = gsm->GTK_len;
4468 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
4469 return 0;
4470 pos += 8;
4471 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
4472 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4473 /*
4474 * Provide unique random GTK to each STA to prevent use
4475 * of GTK in the BSS.
4476 */
4477 if (random_get_bytes(pos, gsm->GTK_len) < 0)
4478 return 0;
4479 }
4480 pos += gsm->GTK_len;
4481
4482 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
4483 gsm->GN);
4484 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
4485 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
4486
4487 return pos - start;
4488 }
4489
4490
wpa_wnmsleep_igtk_subelem(struct wpa_state_machine * sm,u8 * pos)4491 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
4492 {
4493 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
4494 struct wpa_group *gsm = sm->group;
4495 u8 *start = pos;
4496 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
4497
4498 /*
4499 * IGTK subelement:
4500 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
4501 */
4502 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
4503 *pos++ = 2 + 6 + len;
4504 WPA_PUT_LE16(pos, gsm->GN_igtk);
4505 pos += 2;
4506 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
4507 return 0;
4508 pos += 6;
4509
4510 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
4511 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4512 /*
4513 * Provide unique random IGTK to each STA to prevent use
4514 * of IGTK in the BSS.
4515 */
4516 if (random_get_bytes(pos, len) < 0)
4517 return 0;
4518 }
4519 pos += len;
4520
4521 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
4522 gsm->GN_igtk);
4523 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
4524 gsm->IGTK[gsm->GN_igtk - 4], len);
4525
4526 return pos - start;
4527 }
4528
4529
wpa_wnmsleep_bigtk_subelem(struct wpa_state_machine * sm,u8 * pos)4530 int wpa_wnmsleep_bigtk_subelem(struct wpa_state_machine *sm, u8 *pos)
4531 {
4532 struct wpa_group *gsm = sm->group;
4533 u8 *start = pos;
4534 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
4535
4536 /*
4537 * BIGTK subelement:
4538 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
4539 */
4540 *pos++ = WNM_SLEEP_SUBELEM_BIGTK;
4541 *pos++ = 2 + 6 + len;
4542 WPA_PUT_LE16(pos, gsm->GN_bigtk);
4543 pos += 2;
4544 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_bigtk, pos) != 0)
4545 return 0;
4546 pos += 6;
4547
4548 os_memcpy(pos, gsm->BIGTK[gsm->GN_bigtk - 6], len);
4549 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4550 /*
4551 * Provide unique random BIGTK to each STA to prevent use
4552 * of BIGTK in the BSS.
4553 */
4554 if (random_get_bytes(pos, len) < 0)
4555 return 0;
4556 }
4557 pos += len;
4558
4559 wpa_printf(MSG_DEBUG, "WNM: BIGTK Key ID %u in WNM-Sleep Mode exit",
4560 gsm->GN_bigtk);
4561 wpa_hexdump_key(MSG_DEBUG, "WNM: BIGTK in WNM-Sleep Mode exit",
4562 gsm->BIGTK[gsm->GN_bigtk - 6], len);
4563
4564 return pos - start;
4565 }
4566
4567 #endif /* CONFIG_WNM_AP */
4568
4569
wpa_group_setkeys(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4570 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
4571 struct wpa_group *group)
4572 {
4573 int tmp;
4574
4575 wpa_printf(MSG_DEBUG,
4576 "WPA: group state machine entering state SETKEYS (VLAN-ID %d)",
4577 group->vlan_id);
4578 group->changed = true;
4579 group->wpa_group_state = WPA_GROUP_SETKEYS;
4580 group->GTKReKey = false;
4581 tmp = group->GM;
4582 group->GM = group->GN;
4583 group->GN = tmp;
4584 tmp = group->GM_igtk;
4585 group->GM_igtk = group->GN_igtk;
4586 group->GN_igtk = tmp;
4587 tmp = group->GM_bigtk;
4588 group->GM_bigtk = group->GN_bigtk;
4589 group->GN_bigtk = tmp;
4590 /* "GKeyDoneStations = GNoStations" is done in more robust way by
4591 * counting the STAs that are marked with GUpdateStationKeys instead of
4592 * including all STAs that could be in not-yet-completed state. */
4593 wpa_gtk_update(wpa_auth, group);
4594
4595 if (group->GKeyDoneStations) {
4596 wpa_printf(MSG_DEBUG,
4597 "wpa_group_setkeys: Unexpected GKeyDoneStations=%d when starting new GTK rekey",
4598 group->GKeyDoneStations);
4599 group->GKeyDoneStations = 0;
4600 }
4601 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
4602 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
4603 group->GKeyDoneStations);
4604 }
4605
4606
wpa_group_config_group_keys(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4607 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
4608 struct wpa_group *group)
4609 {
4610 struct wpa_auth_config *conf = &wpa_auth->conf;
4611 int ret = 0;
4612
4613 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
4614 wpa_cipher_to_alg(conf->wpa_group),
4615 broadcast_ether_addr, group->GN,
4616 group->GTK[group->GN - 1], group->GTK_len,
4617 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
4618 ret = -1;
4619
4620 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4621 enum wpa_alg alg;
4622 size_t len;
4623
4624 alg = wpa_cipher_to_alg(conf->group_mgmt_cipher);
4625 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
4626
4627 if (ret == 0 &&
4628 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
4629 broadcast_ether_addr, group->GN_igtk,
4630 group->IGTK[group->GN_igtk - 4], len,
4631 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
4632 ret = -1;
4633
4634 if (ret == 0 && conf->beacon_prot &&
4635 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
4636 broadcast_ether_addr, group->GN_bigtk,
4637 group->BIGTK[group->GN_bigtk - 6], len,
4638 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
4639 ret = -1;
4640 }
4641
4642 return ret;
4643 }
4644
4645
wpa_group_disconnect_cb(struct wpa_state_machine * sm,void * ctx)4646 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
4647 {
4648 if (sm->group == ctx) {
4649 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
4650 " for disconnection due to fatal failure",
4651 MAC2STR(wpa_auth_get_spa(sm)));
4652 sm->Disconnect = true;
4653 }
4654
4655 return 0;
4656 }
4657
4658
wpa_group_fatal_failure(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4659 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
4660 struct wpa_group *group)
4661 {
4662 wpa_printf(MSG_DEBUG,
4663 "WPA: group state machine entering state FATAL_FAILURE");
4664 group->changed = true;
4665 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
4666 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
4667 }
4668
4669
wpa_group_setkeysdone(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4670 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
4671 struct wpa_group *group)
4672 {
4673 wpa_printf(MSG_DEBUG,
4674 "WPA: group state machine entering state SETKEYSDONE (VLAN-ID %d)",
4675 group->vlan_id);
4676 group->changed = true;
4677 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
4678
4679 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
4680 wpa_group_fatal_failure(wpa_auth, group);
4681 return -1;
4682 }
4683
4684 return 0;
4685 }
4686
4687
wpa_group_sm_step(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4688 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
4689 struct wpa_group *group)
4690 {
4691 if (group->GInit) {
4692 wpa_group_gtk_init(wpa_auth, group);
4693 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
4694 /* Do not allow group operations */
4695 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
4696 group->GTKAuthenticator) {
4697 wpa_group_setkeysdone(wpa_auth, group);
4698 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
4699 group->GTKReKey) {
4700 wpa_group_setkeys(wpa_auth, group);
4701 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
4702 if (group->GKeyDoneStations == 0)
4703 wpa_group_setkeysdone(wpa_auth, group);
4704 else if (group->GTKReKey)
4705 wpa_group_setkeys(wpa_auth, group);
4706 }
4707 }
4708
4709
wpa_sm_step(struct wpa_state_machine * sm)4710 static int wpa_sm_step(struct wpa_state_machine *sm)
4711 {
4712 if (!sm)
4713 return 0;
4714
4715 if (sm->in_step_loop) {
4716 /* This should not happen, but if it does, make sure we do not
4717 * end up freeing the state machine too early by exiting the
4718 * recursive call. */
4719 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
4720 return 0;
4721 }
4722
4723 sm->in_step_loop = 1;
4724 do {
4725 if (sm->pending_deinit)
4726 break;
4727
4728 sm->changed = false;
4729 sm->wpa_auth->group->changed = false;
4730
4731 SM_STEP_RUN(WPA_PTK);
4732 if (sm->pending_deinit)
4733 break;
4734 SM_STEP_RUN(WPA_PTK_GROUP);
4735 if (sm->pending_deinit)
4736 break;
4737 wpa_group_sm_step(sm->wpa_auth, sm->group);
4738 } while (sm->changed || sm->wpa_auth->group->changed);
4739 sm->in_step_loop = 0;
4740
4741 if (sm->pending_deinit) {
4742 wpa_printf(MSG_DEBUG,
4743 "WPA: Completing pending STA state machine deinit for "
4744 MACSTR, MAC2STR(wpa_auth_get_spa(sm)));
4745 wpa_free_sta_sm(sm);
4746 return 1;
4747 }
4748 return 0;
4749 }
4750
4751
wpa_sm_call_step(void * eloop_ctx,void * timeout_ctx)4752 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
4753 {
4754 struct wpa_state_machine *sm = eloop_ctx;
4755 wpa_sm_step(sm);
4756 }
4757
4758
wpa_auth_sm_notify(struct wpa_state_machine * sm)4759 void wpa_auth_sm_notify(struct wpa_state_machine *sm)
4760 {
4761 if (!sm)
4762 return;
4763 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
4764 }
4765
4766
wpa_gtk_rekey(struct wpa_authenticator * wpa_auth)4767 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
4768 {
4769 int tmp, i;
4770 struct wpa_group *group;
4771
4772 if (!wpa_auth)
4773 return;
4774
4775 group = wpa_auth->group;
4776
4777 for (i = 0; i < 2; i++) {
4778 tmp = group->GM;
4779 group->GM = group->GN;
4780 group->GN = tmp;
4781 tmp = group->GM_igtk;
4782 group->GM_igtk = group->GN_igtk;
4783 group->GN_igtk = tmp;
4784 tmp = group->GM_bigtk;
4785 group->GM_bigtk = group->GN_bigtk;
4786 group->GN_bigtk = tmp;
4787 wpa_gtk_update(wpa_auth, group);
4788 wpa_group_config_group_keys(wpa_auth, group);
4789 }
4790 }
4791
4792
wpa_bool_txt(int val)4793 static const char * wpa_bool_txt(int val)
4794 {
4795 return val ? "TRUE" : "FALSE";
4796 }
4797
4798
4799 #define RSN_SUITE "%02x-%02x-%02x-%d"
4800 #define RSN_SUITE_ARG(s) \
4801 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
4802
wpa_get_mib(struct wpa_authenticator * wpa_auth,char * buf,size_t buflen)4803 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
4804 {
4805 struct wpa_auth_config *conf;
4806 int len = 0, ret;
4807 char pmkid_txt[PMKID_LEN * 2 + 1];
4808 #ifdef CONFIG_RSN_PREAUTH
4809 const int preauth = 1;
4810 #else /* CONFIG_RSN_PREAUTH */
4811 const int preauth = 0;
4812 #endif /* CONFIG_RSN_PREAUTH */
4813
4814 if (!wpa_auth)
4815 return len;
4816 conf = &wpa_auth->conf;
4817
4818 ret = os_snprintf(buf + len, buflen - len,
4819 "dot11RSNAOptionImplemented=TRUE\n"
4820 "dot11RSNAPreauthenticationImplemented=%s\n"
4821 "dot11RSNAEnabled=%s\n"
4822 "dot11RSNAPreauthenticationEnabled=%s\n",
4823 wpa_bool_txt(preauth),
4824 wpa_bool_txt(conf->wpa & WPA_PROTO_RSN),
4825 wpa_bool_txt(conf->rsn_preauth));
4826 if (os_snprintf_error(buflen - len, ret))
4827 return len;
4828 len += ret;
4829
4830 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
4831 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
4832
4833 ret = os_snprintf(
4834 buf + len, buflen - len,
4835 "dot11RSNAConfigVersion=%u\n"
4836 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
4837 /* FIX: dot11RSNAConfigGroupCipher */
4838 /* FIX: dot11RSNAConfigGroupRekeyMethod */
4839 /* FIX: dot11RSNAConfigGroupRekeyTime */
4840 /* FIX: dot11RSNAConfigGroupRekeyPackets */
4841 "dot11RSNAConfigGroupRekeyStrict=%u\n"
4842 "dot11RSNAConfigGroupUpdateCount=%u\n"
4843 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
4844 "dot11RSNAConfigGroupCipherSize=%u\n"
4845 "dot11RSNAConfigPMKLifetime=%u\n"
4846 "dot11RSNAConfigPMKReauthThreshold=%u\n"
4847 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
4848 "dot11RSNAConfigSATimeout=%u\n"
4849 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
4850 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
4851 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
4852 "dot11RSNAPMKIDUsed=%s\n"
4853 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
4854 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
4855 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
4856 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
4857 "dot11RSNA4WayHandshakeFailures=%u\n"
4858 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
4859 RSN_VERSION,
4860 !!conf->wpa_strict_rekey,
4861 conf->wpa_group_update_count,
4862 conf->wpa_pairwise_update_count,
4863 wpa_cipher_key_len(conf->wpa_group) * 8,
4864 dot11RSNAConfigPMKLifetime,
4865 dot11RSNAConfigPMKReauthThreshold,
4866 dot11RSNAConfigSATimeout,
4867 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
4868 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
4869 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
4870 pmkid_txt,
4871 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
4872 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
4873 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
4874 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
4875 wpa_auth->dot11RSNA4WayHandshakeFailures);
4876 if (os_snprintf_error(buflen - len, ret))
4877 return len;
4878 len += ret;
4879
4880 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
4881 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
4882
4883 /* Private MIB */
4884 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
4885 wpa_auth->group->wpa_group_state);
4886 if (os_snprintf_error(buflen - len, ret))
4887 return len;
4888 len += ret;
4889
4890 return len;
4891 }
4892
4893
wpa_get_mib_sta(struct wpa_state_machine * sm,char * buf,size_t buflen)4894 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
4895 {
4896 int len = 0, ret;
4897 u32 pairwise = 0;
4898
4899 if (!sm)
4900 return 0;
4901
4902 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
4903
4904 /* dot11RSNAStatsEntry */
4905
4906 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
4907 WPA_PROTO_RSN : WPA_PROTO_WPA,
4908 sm->pairwise);
4909 if (pairwise == 0)
4910 return 0;
4911
4912 ret = os_snprintf(
4913 buf + len, buflen - len,
4914 /* TODO: dot11RSNAStatsIndex */
4915 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
4916 "dot11RSNAStatsVersion=1\n"
4917 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
4918 /* TODO: dot11RSNAStatsTKIPICVErrors */
4919 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
4920 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
4921 /* TODO: dot11RSNAStatsCCMPReplays */
4922 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
4923 /* TODO: dot11RSNAStatsTKIPReplays */,
4924 MAC2STR(sm->addr),
4925 RSN_SUITE_ARG(pairwise),
4926 sm->dot11RSNAStatsTKIPLocalMICFailures,
4927 sm->dot11RSNAStatsTKIPRemoteMICFailures);
4928 if (os_snprintf_error(buflen - len, ret))
4929 return len;
4930 len += ret;
4931
4932 /* Private MIB */
4933 ret = os_snprintf(buf + len, buflen - len,
4934 "wpa=%d\n"
4935 "AKMSuiteSelector=" RSN_SUITE "\n"
4936 "hostapdWPAPTKState=%d\n"
4937 "hostapdWPAPTKGroupState=%d\n"
4938 "hostapdMFPR=%d\n",
4939 sm->wpa,
4940 RSN_SUITE_ARG(wpa_akm_to_suite(sm->wpa_key_mgmt)),
4941 sm->wpa_ptk_state,
4942 sm->wpa_ptk_group_state,
4943 sm->mfpr);
4944 if (os_snprintf_error(buflen - len, ret))
4945 return len;
4946 len += ret;
4947
4948 return len;
4949 }
4950
4951
wpa_auth_countermeasures_start(struct wpa_authenticator * wpa_auth)4952 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
4953 {
4954 if (wpa_auth)
4955 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
4956 }
4957
4958
wpa_auth_pairwise_set(struct wpa_state_machine * sm)4959 int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
4960 {
4961 return sm && sm->pairwise_set;
4962 }
4963
4964
wpa_auth_get_pairwise(struct wpa_state_machine * sm)4965 int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
4966 {
4967 return sm->pairwise;
4968 }
4969
4970
wpa_auth_get_pmk(struct wpa_state_machine * sm,int * len)4971 const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len)
4972 {
4973 if (!sm)
4974 return NULL;
4975 *len = sm->pmk_len;
4976 return sm->PMK;
4977 }
4978
4979
wpa_auth_get_dpp_pkhash(struct wpa_state_machine * sm)4980 const u8 * wpa_auth_get_dpp_pkhash(struct wpa_state_machine *sm)
4981 {
4982 if (!sm || !sm->pmksa)
4983 return NULL;
4984 return sm->pmksa->dpp_pkhash;
4985 }
4986
4987
wpa_auth_sta_key_mgmt(struct wpa_state_machine * sm)4988 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
4989 {
4990 if (!sm)
4991 return -1;
4992 return sm->wpa_key_mgmt;
4993 }
4994
4995
wpa_auth_sta_wpa_version(struct wpa_state_machine * sm)4996 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
4997 {
4998 if (!sm)
4999 return 0;
5000 return sm->wpa;
5001 }
5002
5003
wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine * sm)5004 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
5005 {
5006 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
5007 return 0;
5008 return sm->tk_already_set;
5009 }
5010
5011
wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine * sm)5012 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm)
5013 {
5014 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt))
5015 return 0;
5016 return sm->tk_already_set;
5017 }
5018
5019
wpa_auth_sta_clear_pmksa(struct wpa_state_machine * sm,struct rsn_pmksa_cache_entry * entry)5020 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
5021 struct rsn_pmksa_cache_entry *entry)
5022 {
5023 if (!sm || sm->pmksa != entry)
5024 return -1;
5025 sm->pmksa = NULL;
5026 return 0;
5027 }
5028
5029
5030 struct rsn_pmksa_cache_entry *
wpa_auth_sta_get_pmksa(struct wpa_state_machine * sm)5031 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
5032 {
5033 return sm ? sm->pmksa : NULL;
5034 }
5035
5036
wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine * sm)5037 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
5038 {
5039 if (sm)
5040 sm->dot11RSNAStatsTKIPLocalMICFailures++;
5041 }
5042
5043
wpa_auth_get_wpa_ie(struct wpa_authenticator * wpa_auth,size_t * len)5044 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
5045 {
5046 if (!wpa_auth)
5047 return NULL;
5048 *len = wpa_auth->wpa_ie_len;
5049 return wpa_auth->wpa_ie;
5050 }
5051
5052
wpa_auth_pmksa_add(struct wpa_state_machine * sm,const u8 * pmk,unsigned int pmk_len,int session_timeout,struct eapol_state_machine * eapol)5053 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
5054 unsigned int pmk_len,
5055 int session_timeout, struct eapol_state_machine *eapol)
5056 {
5057 if (!sm || sm->wpa != WPA_VERSION_WPA2 ||
5058 sm->wpa_auth->conf.disable_pmksa_caching)
5059 return -1;
5060
5061 #ifdef CONFIG_IEEE80211R_AP
5062 if (pmk_len >= 2 * PMK_LEN && wpa_key_mgmt_ft(sm->wpa_key_mgmt) &&
5063 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
5064 !wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
5065 /* Cache MPMK/XXKey instead of initial part from MSK */
5066 pmk = pmk + PMK_LEN;
5067 pmk_len = PMK_LEN;
5068 } else
5069 #endif /* CONFIG_IEEE80211R_AP */
5070 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
5071 if (pmk_len > PMK_LEN_SUITE_B_192)
5072 pmk_len = PMK_LEN_SUITE_B_192;
5073 } else if (pmk_len > PMK_LEN) {
5074 pmk_len = PMK_LEN;
5075 }
5076
5077 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK", pmk, pmk_len);
5078 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
5079 sm->PTK.kck, sm->PTK.kck_len,
5080 wpa_auth_get_aa(sm),
5081 wpa_auth_get_spa(sm), session_timeout,
5082 eapol, sm->wpa_key_mgmt))
5083 return 0;
5084
5085 return -1;
5086 }
5087
5088
wpa_auth_pmksa_add_preauth(struct wpa_authenticator * wpa_auth,const u8 * pmk,size_t len,const u8 * sta_addr,int session_timeout,struct eapol_state_machine * eapol)5089 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
5090 const u8 *pmk, size_t len, const u8 *sta_addr,
5091 int session_timeout,
5092 struct eapol_state_machine *eapol)
5093 {
5094 if (!wpa_auth)
5095 return -1;
5096
5097 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from preauth", pmk, len);
5098 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
5099 NULL, 0,
5100 wpa_auth->addr,
5101 sta_addr, session_timeout, eapol,
5102 WPA_KEY_MGMT_IEEE8021X))
5103 return 0;
5104
5105 return -1;
5106 }
5107
5108
wpa_auth_pmksa_add_sae(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * pmk,size_t pmk_len,const u8 * pmkid,int akmp)5109 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
5110 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
5111 int akmp)
5112 {
5113 if (wpa_auth->conf.disable_pmksa_caching)
5114 return -1;
5115
5116 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE", pmk, pmk_len);
5117 if (!akmp)
5118 akmp = WPA_KEY_MGMT_SAE;
5119 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
5120 NULL, 0, wpa_auth->addr, addr, 0, NULL, akmp))
5121 return 0;
5122
5123 return -1;
5124 }
5125
5126
wpa_auth_add_sae_pmkid(struct wpa_state_machine * sm,const u8 * pmkid)5127 void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid)
5128 {
5129 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
5130 sm->pmkid_set = 1;
5131 }
5132
5133
wpa_auth_pmksa_add2(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * pmk,size_t pmk_len,const u8 * pmkid,int session_timeout,int akmp)5134 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
5135 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
5136 int session_timeout, int akmp)
5137 {
5138 if (!wpa_auth || wpa_auth->conf.disable_pmksa_caching)
5139 return -1;
5140
5141 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (2)", pmk, PMK_LEN);
5142 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
5143 NULL, 0, wpa_auth->addr, addr, session_timeout,
5144 NULL, akmp))
5145 return 0;
5146
5147 return -1;
5148 }
5149
5150
wpa_auth_pmksa_add3(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * pmk,size_t pmk_len,const u8 * pmkid,int session_timeout,int akmp,const u8 * dpp_pkhash)5151 int wpa_auth_pmksa_add3(struct wpa_authenticator *wpa_auth, const u8 *addr,
5152 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
5153 int session_timeout, int akmp, const u8 *dpp_pkhash)
5154 {
5155 struct rsn_pmksa_cache_entry *entry;
5156
5157 if (wpa_auth->conf.disable_pmksa_caching)
5158 return -1;
5159
5160 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (3)", pmk, PMK_LEN);
5161 entry = pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
5162 NULL, 0, wpa_auth->addr, addr, session_timeout,
5163 NULL, akmp);
5164 if (!entry)
5165 return -1;
5166
5167 if (dpp_pkhash)
5168 entry->dpp_pkhash = os_memdup(dpp_pkhash, SHA256_MAC_LEN);
5169
5170 return 0;
5171 }
5172
5173
wpa_auth_pmksa_remove(struct wpa_authenticator * wpa_auth,const u8 * sta_addr)5174 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
5175 const u8 *sta_addr)
5176 {
5177 struct rsn_pmksa_cache_entry *pmksa;
5178
5179 if (!wpa_auth || !wpa_auth->pmksa)
5180 return;
5181 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
5182 if (pmksa) {
5183 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
5184 MACSTR " based on request", MAC2STR(sta_addr));
5185 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
5186 }
5187 }
5188
5189
wpa_auth_pmksa_list(struct wpa_authenticator * wpa_auth,char * buf,size_t len)5190 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
5191 size_t len)
5192 {
5193 if (!wpa_auth || !wpa_auth->pmksa)
5194 return 0;
5195 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
5196 }
5197
5198
wpa_auth_pmksa_flush(struct wpa_authenticator * wpa_auth)5199 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
5200 {
5201 if (wpa_auth && wpa_auth->pmksa)
5202 pmksa_cache_auth_flush(wpa_auth->pmksa);
5203 }
5204
5205
5206 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL
5207 #ifdef CONFIG_MESH
5208
wpa_auth_pmksa_list_mesh(struct wpa_authenticator * wpa_auth,const u8 * addr,char * buf,size_t len)5209 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
5210 char *buf, size_t len)
5211 {
5212 if (!wpa_auth || !wpa_auth->pmksa)
5213 return 0;
5214
5215 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
5216 }
5217
5218
5219 struct rsn_pmksa_cache_entry *
wpa_auth_pmksa_create_entry(const u8 * aa,const u8 * spa,const u8 * pmk,size_t pmk_len,int akmp,const u8 * pmkid,int expiration)5220 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
5221 size_t pmk_len, int akmp,
5222 const u8 *pmkid, int expiration)
5223 {
5224 struct rsn_pmksa_cache_entry *entry;
5225 struct os_reltime now;
5226
5227 entry = pmksa_cache_auth_create_entry(pmk, pmk_len, pmkid, NULL, 0, aa,
5228 spa, 0, NULL, akmp);
5229 if (!entry)
5230 return NULL;
5231
5232 os_get_reltime(&now);
5233 entry->expiration = now.sec + expiration;
5234 return entry;
5235 }
5236
5237
wpa_auth_pmksa_add_entry(struct wpa_authenticator * wpa_auth,struct rsn_pmksa_cache_entry * entry)5238 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
5239 struct rsn_pmksa_cache_entry *entry)
5240 {
5241 int ret;
5242
5243 if (!wpa_auth || !wpa_auth->pmksa)
5244 return -1;
5245
5246 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
5247 if (ret < 0)
5248 wpa_printf(MSG_DEBUG,
5249 "RSN: Failed to store external PMKSA cache for "
5250 MACSTR, MAC2STR(entry->spa));
5251
5252 return ret;
5253 }
5254
5255 #endif /* CONFIG_MESH */
5256 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
5257
5258
5259 struct rsn_pmksa_cache *
wpa_auth_get_pmksa_cache(struct wpa_authenticator * wpa_auth)5260 wpa_auth_get_pmksa_cache(struct wpa_authenticator *wpa_auth)
5261 {
5262 if (!wpa_auth || !wpa_auth->pmksa)
5263 return NULL;
5264 return wpa_auth->pmksa;
5265 }
5266
5267
5268 struct rsn_pmksa_cache_entry *
wpa_auth_pmksa_get(struct wpa_authenticator * wpa_auth,const u8 * sta_addr,const u8 * pmkid)5269 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
5270 const u8 *pmkid)
5271 {
5272 if (!wpa_auth || !wpa_auth->pmksa)
5273 return NULL;
5274 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
5275 }
5276
5277
wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry * pmksa,struct wpa_state_machine * sm,struct wpa_authenticator * wpa_auth,u8 * pmkid,u8 * pmk)5278 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
5279 struct wpa_state_machine *sm,
5280 struct wpa_authenticator *wpa_auth,
5281 u8 *pmkid, u8 *pmk)
5282 {
5283 if (!sm)
5284 return;
5285
5286 sm->pmksa = pmksa;
5287 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
5288 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
5289 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
5290 }
5291
5292
5293 /*
5294 * Remove and free the group from wpa_authenticator. This is triggered by a
5295 * callback to make sure nobody is currently iterating the group list while it
5296 * gets modified.
5297 */
wpa_group_free(struct wpa_authenticator * wpa_auth,struct wpa_group * group)5298 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
5299 struct wpa_group *group)
5300 {
5301 struct wpa_group *prev = wpa_auth->group;
5302
5303 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
5304 group->vlan_id);
5305
5306 while (prev) {
5307 if (prev->next == group) {
5308 /* This never frees the special first group as needed */
5309 prev->next = group->next;
5310 os_free(group);
5311 break;
5312 }
5313 prev = prev->next;
5314 }
5315
5316 }
5317
5318
5319 /* Increase the reference counter for group */
wpa_group_get(struct wpa_authenticator * wpa_auth,struct wpa_group * group)5320 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
5321 struct wpa_group *group)
5322 {
5323 /* Skip the special first group */
5324 if (wpa_auth->group == group)
5325 return;
5326
5327 group->references++;
5328 }
5329
5330
5331 /* Decrease the reference counter and maybe free the group */
wpa_group_put(struct wpa_authenticator * wpa_auth,struct wpa_group * group)5332 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
5333 struct wpa_group *group)
5334 {
5335 /* Skip the special first group */
5336 if (wpa_auth->group == group)
5337 return;
5338
5339 group->references--;
5340 if (group->references)
5341 return;
5342 wpa_group_free(wpa_auth, group);
5343 }
5344
5345
5346 /*
5347 * Add a group that has its references counter set to zero. Caller needs to
5348 * call wpa_group_get() on the return value to mark the entry in use.
5349 */
5350 static struct wpa_group *
wpa_auth_add_group(struct wpa_authenticator * wpa_auth,int vlan_id)5351 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
5352 {
5353 struct wpa_group *group;
5354
5355 if (!wpa_auth || !wpa_auth->group)
5356 return NULL;
5357
5358 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
5359 vlan_id);
5360 group = wpa_group_init(wpa_auth, vlan_id, 0);
5361 if (!group)
5362 return NULL;
5363
5364 group->next = wpa_auth->group->next;
5365 wpa_auth->group->next = group;
5366
5367 return group;
5368 }
5369
5370
5371 /*
5372 * Enforce that the group state machine for the VLAN is running, increase
5373 * reference counter as interface is up. References might have been increased
5374 * even if a negative value is returned.
5375 * Returns: -1 on error (group missing, group already failed); otherwise, 0
5376 */
wpa_auth_ensure_group(struct wpa_authenticator * wpa_auth,int vlan_id)5377 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
5378 {
5379 struct wpa_group *group;
5380
5381 if (!wpa_auth)
5382 return 0;
5383
5384 group = wpa_auth->group;
5385 while (group) {
5386 if (group->vlan_id == vlan_id)
5387 break;
5388 group = group->next;
5389 }
5390
5391 if (!group) {
5392 group = wpa_auth_add_group(wpa_auth, vlan_id);
5393 if (!group)
5394 return -1;
5395 }
5396
5397 wpa_printf(MSG_DEBUG,
5398 "WPA: Ensure group state machine running for VLAN ID %d",
5399 vlan_id);
5400
5401 wpa_group_get(wpa_auth, group);
5402 group->num_setup_iface++;
5403
5404 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
5405 return -1;
5406
5407 return 0;
5408 }
5409
5410
5411 /*
5412 * Decrease reference counter, expected to be zero afterwards.
5413 * returns: -1 on error (group not found, group in fail state)
5414 * -2 if wpa_group is still referenced
5415 * 0 else
5416 */
wpa_auth_release_group(struct wpa_authenticator * wpa_auth,int vlan_id)5417 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
5418 {
5419 struct wpa_group *group;
5420 int ret = 0;
5421
5422 if (!wpa_auth)
5423 return 0;
5424
5425 group = wpa_auth->group;
5426 while (group) {
5427 if (group->vlan_id == vlan_id)
5428 break;
5429 group = group->next;
5430 }
5431
5432 if (!group)
5433 return -1;
5434
5435 wpa_printf(MSG_DEBUG,
5436 "WPA: Try stopping group state machine for VLAN ID %d",
5437 vlan_id);
5438
5439 if (group->num_setup_iface <= 0) {
5440 wpa_printf(MSG_ERROR,
5441 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
5442 vlan_id);
5443 return -1;
5444 }
5445 group->num_setup_iface--;
5446
5447 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
5448 ret = -1;
5449
5450 if (group->references > 1) {
5451 wpa_printf(MSG_DEBUG,
5452 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
5453 vlan_id);
5454 ret = -2;
5455 }
5456
5457 wpa_group_put(wpa_auth, group);
5458
5459 return ret;
5460 }
5461
5462
wpa_auth_sta_set_vlan(struct wpa_state_machine * sm,int vlan_id)5463 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
5464 {
5465 struct wpa_group *group;
5466
5467 if (!sm || !sm->wpa_auth)
5468 return 0;
5469
5470 group = sm->wpa_auth->group;
5471 while (group) {
5472 if (group->vlan_id == vlan_id)
5473 break;
5474 group = group->next;
5475 }
5476
5477 if (!group) {
5478 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
5479 if (!group)
5480 return -1;
5481 }
5482
5483 if (sm->group == group)
5484 return 0;
5485
5486 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
5487 return -1;
5488
5489 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR
5490 " to use group state machine for VLAN ID %d",
5491 MAC2STR(wpa_auth_get_spa(sm)), vlan_id);
5492
5493 wpa_group_get(sm->wpa_auth, group);
5494 wpa_group_put(sm->wpa_auth, sm->group);
5495 sm->group = group;
5496
5497 return 0;
5498 }
5499
5500
wpa_auth_eapol_key_tx_status(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int ack)5501 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
5502 struct wpa_state_machine *sm, int ack)
5503 {
5504 if (!wpa_auth || !sm)
5505 return;
5506 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
5507 " ack=%d", MAC2STR(wpa_auth_get_spa(sm)), ack);
5508 if (sm->pending_1_of_4_timeout && ack) {
5509 /*
5510 * Some deployed supplicant implementations update their SNonce
5511 * for each EAPOL-Key 2/4 message even within the same 4-way
5512 * handshake and then fail to use the first SNonce when
5513 * deriving the PTK. This results in unsuccessful 4-way
5514 * handshake whenever the relatively short initial timeout is
5515 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
5516 * around this by increasing the timeout now that we know that
5517 * the station has received the frame.
5518 */
5519 int timeout_ms = eapol_key_timeout_subseq;
5520 wpa_printf(MSG_DEBUG,
5521 "WPA: Increase initial EAPOL-Key 1/4 timeout by %u ms because of acknowledged frame",
5522 timeout_ms);
5523 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
5524 eloop_register_timeout(timeout_ms / 1000,
5525 (timeout_ms % 1000) * 1000,
5526 wpa_send_eapol_timeout, wpa_auth, sm);
5527 }
5528
5529 #ifdef CONFIG_TESTING_OPTIONS
5530 if (sm->eapol_status_cb) {
5531 sm->eapol_status_cb(sm->eapol_status_cb_ctx1,
5532 sm->eapol_status_cb_ctx2);
5533 sm->eapol_status_cb = NULL;
5534 }
5535 #endif /* CONFIG_TESTING_OPTIONS */
5536 }
5537
5538
wpa_auth_uses_sae(struct wpa_state_machine * sm)5539 int wpa_auth_uses_sae(struct wpa_state_machine *sm)
5540 {
5541 if (!sm)
5542 return 0;
5543 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
5544 }
5545
5546
wpa_auth_uses_ft_sae(struct wpa_state_machine * sm)5547 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
5548 {
5549 if (!sm)
5550 return 0;
5551 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE ||
5552 sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY;
5553 }
5554
5555
5556 #ifdef CONFIG_P2P
wpa_auth_get_ip_addr(struct wpa_state_machine * sm,u8 * addr)5557 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
5558 {
5559 if (!sm || WPA_GET_BE32(sm->ip_addr) == 0)
5560 return -1;
5561 os_memcpy(addr, sm->ip_addr, 4);
5562 return 0;
5563 }
5564 #endif /* CONFIG_P2P */
5565
5566
wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator * wpa_auth,struct radius_das_attrs * attr)5567 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
5568 struct radius_das_attrs *attr)
5569 {
5570 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
5571 }
5572
5573
wpa_auth_reconfig_group_keys(struct wpa_authenticator * wpa_auth)5574 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
5575 {
5576 struct wpa_group *group;
5577
5578 if (!wpa_auth)
5579 return;
5580 for (group = wpa_auth->group; group; group = group->next)
5581 wpa_group_config_group_keys(wpa_auth, group);
5582 }
5583
5584
5585 #ifdef CONFIG_FILS
5586
5587 struct wpa_auth_fils_iter_data {
5588 struct wpa_authenticator *auth;
5589 const u8 *cache_id;
5590 struct rsn_pmksa_cache_entry *pmksa;
5591 const u8 *spa;
5592 const u8 *pmkid;
5593 };
5594
5595
wpa_auth_fils_iter(struct wpa_authenticator * a,void * ctx)5596 static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
5597 {
5598 struct wpa_auth_fils_iter_data *data = ctx;
5599
5600 if (a == data->auth || !a->conf.fils_cache_id_set ||
5601 os_memcmp(a->conf.fils_cache_id, data->cache_id,
5602 FILS_CACHE_ID_LEN) != 0)
5603 return 0;
5604 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
5605 return data->pmksa != NULL;
5606 }
5607
5608
5609 struct rsn_pmksa_cache_entry *
wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator * wpa_auth,const u8 * sta_addr,const u8 * pmkid)5610 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
5611 const u8 *sta_addr, const u8 *pmkid)
5612 {
5613 struct wpa_auth_fils_iter_data idata;
5614
5615 if (!wpa_auth->conf.fils_cache_id_set)
5616 return NULL;
5617 idata.auth = wpa_auth;
5618 idata.cache_id = wpa_auth->conf.fils_cache_id;
5619 idata.pmksa = NULL;
5620 idata.spa = sta_addr;
5621 idata.pmkid = pmkid;
5622 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
5623 return idata.pmksa;
5624 }
5625
5626
5627 #ifdef CONFIG_IEEE80211R_AP
wpa_auth_write_fte(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,u8 * buf,size_t len)5628 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth,
5629 struct wpa_state_machine *sm,
5630 u8 *buf, size_t len)
5631 {
5632 struct wpa_auth_config *conf = &wpa_auth->conf;
5633
5634 return wpa_write_ftie(conf, sm->wpa_key_mgmt, sm->xxkey_len,
5635 conf->r0_key_holder, conf->r0_key_holder_len,
5636 NULL, NULL, buf, len, NULL, 0, 0);
5637 }
5638 #endif /* CONFIG_IEEE80211R_AP */
5639
5640
wpa_auth_get_fils_aead_params(struct wpa_state_machine * sm,u8 * fils_anonce,u8 * fils_snonce,u8 * fils_kek,size_t * fils_kek_len)5641 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
5642 u8 *fils_anonce, u8 *fils_snonce,
5643 u8 *fils_kek, size_t *fils_kek_len)
5644 {
5645 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
5646 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
5647 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
5648 *fils_kek_len = sm->PTK.kek_len;
5649 }
5650
5651
wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid)5652 void wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine *sm, const u8 *pmk,
5653 size_t pmk_len, const u8 *pmkid)
5654 {
5655 os_memcpy(sm->PMK, pmk, pmk_len);
5656 sm->pmk_len = pmk_len;
5657 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
5658 sm->pmkid_set = 1;
5659 }
5660
5661 #endif /* CONFIG_FILS */
5662
5663
wpa_auth_set_auth_alg(struct wpa_state_machine * sm,u16 auth_alg)5664 void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg)
5665 {
5666 if (sm)
5667 sm->auth_alg = auth_alg;
5668 }
5669
5670
5671 #ifdef CONFIG_DPP2
wpa_auth_set_dpp_z(struct wpa_state_machine * sm,const struct wpabuf * z)5672 void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z)
5673 {
5674 if (sm) {
5675 wpabuf_clear_free(sm->dpp_z);
5676 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
5677 }
5678 }
5679 #endif /* CONFIG_DPP2 */
5680
5681
wpa_auth_set_transition_disable(struct wpa_authenticator * wpa_auth,u8 val)5682 void wpa_auth_set_transition_disable(struct wpa_authenticator *wpa_auth,
5683 u8 val)
5684 {
5685 if (wpa_auth)
5686 wpa_auth->conf.transition_disable = val;
5687 }
5688
5689
5690 #ifdef CONFIG_TESTING_OPTIONS
5691
wpa_auth_resend_m1(struct wpa_state_machine * sm,int change_anonce,void (* cb)(void * ctx1,void * ctx2),void * ctx1,void * ctx2)5692 int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce,
5693 void (*cb)(void *ctx1, void *ctx2),
5694 void *ctx1, void *ctx2)
5695 {
5696 const u8 *anonce = sm->ANonce;
5697 u8 anonce_buf[WPA_NONCE_LEN];
5698
5699 if (change_anonce) {
5700 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN))
5701 return -1;
5702 anonce = anonce_buf;
5703 }
5704
5705 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
5706 "sending 1/4 msg of 4-Way Handshake (TESTING)");
5707 wpa_send_eapol(sm->wpa_auth, sm,
5708 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
5709 anonce, NULL, 0, 0, 0);
5710 return 0;
5711 }
5712
5713
wpa_auth_resend_m3(struct wpa_state_machine * sm,void (* cb)(void * ctx1,void * ctx2),void * ctx1,void * ctx2)5714 int wpa_auth_resend_m3(struct wpa_state_machine *sm,
5715 void (*cb)(void *ctx1, void *ctx2),
5716 void *ctx1, void *ctx2)
5717 {
5718 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos;
5719 u8 *opos;
5720 size_t gtk_len, kde_len;
5721 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
5722 struct wpa_group *gsm = sm->group;
5723 u8 *wpa_ie;
5724 int wpa_ie_len, secure, gtkidx, encr = 0;
5725 u8 hdr[2];
5726
5727 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
5728 GTK[GN], IGTK, [BIGTK], [FTIE], [TIE * 2])
5729 */
5730
5731 /* Use 0 RSC */
5732 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
5733 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
5734 wpa_ie = sm->wpa_auth->wpa_ie;
5735 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
5736 if (sm->wpa == WPA_VERSION_WPA &&
5737 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
5738 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
5739 /* WPA-only STA, remove RSN IE and possible MDIE */
5740 wpa_ie = wpa_ie + wpa_ie[1] + 2;
5741 if (wpa_ie[0] == WLAN_EID_RSNX)
5742 wpa_ie = wpa_ie + wpa_ie[1] + 2;
5743 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
5744 wpa_ie = wpa_ie + wpa_ie[1] + 2;
5745 wpa_ie_len = wpa_ie[1] + 2;
5746 }
5747 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
5748 "sending 3/4 msg of 4-Way Handshake (TESTING)");
5749 if (sm->wpa == WPA_VERSION_WPA2) {
5750 /* WPA2 send GTK in the 4-way handshake */
5751 secure = 1;
5752 gtk = gsm->GTK[gsm->GN - 1];
5753 gtk_len = gsm->GTK_len;
5754 gtkidx = gsm->GN;
5755 _rsc = rsc;
5756 encr = 1;
5757 } else {
5758 /* WPA does not include GTK in msg 3/4 */
5759 secure = 0;
5760 gtk = NULL;
5761 gtk_len = 0;
5762 _rsc = NULL;
5763 if (sm->rx_eapol_key_secure) {
5764 /*
5765 * It looks like Windows 7 supplicant tries to use
5766 * Secure bit in msg 2/4 after having reported Michael
5767 * MIC failure and it then rejects the 4-way handshake
5768 * if msg 3/4 does not set Secure bit. Work around this
5769 * by setting the Secure bit here even in the case of
5770 * WPA if the supplicant used it first.
5771 */
5772 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
5773 LOGGER_DEBUG,
5774 "STA used Secure bit in WPA msg 2/4 - set Secure for 3/4 as workaround");
5775 secure = 1;
5776 }
5777 }
5778
5779 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
5780
5781 if (sm->use_ext_key_id)
5782 kde_len += 2 + RSN_SELECTOR_LEN + 2;
5783
5784 if (gtk)
5785 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
5786 #ifdef CONFIG_IEEE80211R_AP
5787 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5788 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
5789 kde_len += 300; /* FTIE + 2 * TIE */
5790 }
5791 #endif /* CONFIG_IEEE80211R_AP */
5792 kde = os_malloc(kde_len);
5793 if (!kde)
5794 return -1;
5795
5796 pos = kde;
5797 os_memcpy(pos, wpa_ie, wpa_ie_len);
5798 pos += wpa_ie_len;
5799 #ifdef CONFIG_IEEE80211R_AP
5800 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5801 int res;
5802 size_t elen;
5803
5804 elen = pos - kde;
5805 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
5806 if (res < 0) {
5807 wpa_printf(MSG_ERROR,
5808 "FT: Failed to insert PMKR1Name into RSN IE in EAPOL-Key data");
5809 os_free(kde);
5810 return -1;
5811 }
5812 pos -= wpa_ie_len;
5813 pos += elen;
5814 }
5815 #endif /* CONFIG_IEEE80211R_AP */
5816 hdr[1] = 0;
5817
5818 if (sm->use_ext_key_id) {
5819 hdr[0] = sm->keyidx_active & 0x01;
5820 pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0);
5821 }
5822
5823 if (gtk) {
5824 hdr[0] = gtkidx & 0x03;
5825 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5826 gtk, gtk_len);
5827 }
5828 opos = pos;
5829 pos = ieee80211w_kde_add(sm, pos);
5830 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
5831 /* skip KDE header and keyid */
5832 opos += 2 + RSN_SELECTOR_LEN + 2;
5833 os_memset(opos, 0, 6); /* clear PN */
5834 }
5835 if (ocv_oci_add(sm, &pos, conf->oci_freq_override_eapol_m3) < 0) {
5836 os_free(kde);
5837 return -1;
5838 }
5839
5840 #ifdef CONFIG_IEEE80211R_AP
5841 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5842 int res;
5843
5844 if (sm->assoc_resp_ftie &&
5845 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
5846 os_memcpy(pos, sm->assoc_resp_ftie,
5847 2 + sm->assoc_resp_ftie[1]);
5848 res = 2 + sm->assoc_resp_ftie[1];
5849 } else {
5850 res = wpa_write_ftie(conf, sm->wpa_key_mgmt,
5851 sm->xxkey_len,
5852 conf->r0_key_holder,
5853 conf->r0_key_holder_len,
5854 NULL, NULL, pos,
5855 kde + kde_len - pos,
5856 NULL, 0, 0);
5857 }
5858 if (res < 0) {
5859 wpa_printf(MSG_ERROR,
5860 "FT: Failed to insert FTIE into EAPOL-Key Key Data");
5861 os_free(kde);
5862 return -1;
5863 }
5864 pos += res;
5865
5866 /* TIE[ReassociationDeadline] (TU) */
5867 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
5868 *pos++ = 5;
5869 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
5870 WPA_PUT_LE32(pos, conf->reassociation_deadline);
5871 pos += 4;
5872
5873 /* TIE[KeyLifetime] (seconds) */
5874 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
5875 *pos++ = 5;
5876 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
5877 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
5878 pos += 4;
5879 }
5880 #endif /* CONFIG_IEEE80211R_AP */
5881
5882 wpa_send_eapol(sm->wpa_auth, sm,
5883 (secure ? WPA_KEY_INFO_SECURE : 0) |
5884 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5885 WPA_KEY_INFO_MIC : 0) |
5886 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
5887 WPA_KEY_INFO_KEY_TYPE,
5888 _rsc, sm->ANonce, kde, pos - kde, 0, encr);
5889 bin_clear_free(kde, kde_len);
5890 return 0;
5891 }
5892
5893
wpa_auth_resend_group_m1(struct wpa_state_machine * sm,void (* cb)(void * ctx1,void * ctx2),void * ctx1,void * ctx2)5894 int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
5895 void (*cb)(void *ctx1, void *ctx2),
5896 void *ctx1, void *ctx2)
5897 {
5898 u8 rsc[WPA_KEY_RSC_LEN];
5899 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
5900 struct wpa_group *gsm = sm->group;
5901 const u8 *kde;
5902 u8 *kde_buf = NULL, *pos, hdr[2];
5903 u8 *opos;
5904 size_t kde_len;
5905 u8 *gtk;
5906
5907 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
5908 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
5909 /* Use 0 RSC */
5910 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
5911 "sending 1/2 msg of Group Key Handshake (TESTING)");
5912
5913 gtk = gsm->GTK[gsm->GN - 1];
5914 if (sm->wpa == WPA_VERSION_WPA2) {
5915 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
5916 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
5917 kde_buf = os_malloc(kde_len);
5918 if (!kde_buf)
5919 return -1;
5920
5921 kde = pos = kde_buf;
5922 hdr[0] = gsm->GN & 0x03;
5923 hdr[1] = 0;
5924 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5925 gtk, gsm->GTK_len);
5926 opos = pos;
5927 pos = ieee80211w_kde_add(sm, pos);
5928 if (pos - opos >=
5929 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
5930 /* skip KDE header and keyid */
5931 opos += 2 + RSN_SELECTOR_LEN + 2;
5932 os_memset(opos, 0, 6); /* clear PN */
5933 }
5934 if (ocv_oci_add(sm, &pos,
5935 conf->oci_freq_override_eapol_g1) < 0) {
5936 os_free(kde_buf);
5937 return -1;
5938 }
5939 kde_len = pos - kde;
5940 } else {
5941 kde = gtk;
5942 kde_len = gsm->GTK_len;
5943 }
5944
5945 sm->eapol_status_cb = cb;
5946 sm->eapol_status_cb_ctx1 = ctx1;
5947 sm->eapol_status_cb_ctx2 = ctx2;
5948
5949 wpa_send_eapol(sm->wpa_auth, sm,
5950 WPA_KEY_INFO_SECURE |
5951 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5952 WPA_KEY_INFO_MIC : 0) |
5953 WPA_KEY_INFO_ACK |
5954 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
5955 rsc, NULL, kde, kde_len, gsm->GN, 1);
5956
5957 bin_clear_free(kde_buf, kde_len);
5958 return 0;
5959 }
5960
5961
wpa_auth_rekey_gtk(struct wpa_authenticator * wpa_auth)5962 int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth)
5963 {
5964 if (!wpa_auth)
5965 return -1;
5966 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
5967 return eloop_register_timeout(0, 0, wpa_rekey_gtk, wpa_auth, NULL);
5968 }
5969
5970
wpa_auth_rekey_ptk(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm)5971 int wpa_auth_rekey_ptk(struct wpa_authenticator *wpa_auth,
5972 struct wpa_state_machine *sm)
5973 {
5974 if (!wpa_auth || !sm)
5975 return -1;
5976 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
5977 wpa_request_new_ptk(sm);
5978 wpa_sm_step(sm);
5979 return 0;
5980 }
5981
5982
wpa_auth_set_ft_rsnxe_used(struct wpa_authenticator * wpa_auth,int val)5983 void wpa_auth_set_ft_rsnxe_used(struct wpa_authenticator *wpa_auth, int val)
5984 {
5985 if (wpa_auth)
5986 wpa_auth->conf.ft_rsnxe_used = val;
5987 }
5988
5989
wpa_auth_set_ocv_override_freq(struct wpa_authenticator * wpa_auth,enum wpa_auth_ocv_override_frame frame,unsigned int freq)5990 void wpa_auth_set_ocv_override_freq(struct wpa_authenticator *wpa_auth,
5991 enum wpa_auth_ocv_override_frame frame,
5992 unsigned int freq)
5993 {
5994 if (!wpa_auth)
5995 return;
5996 switch (frame) {
5997 case WPA_AUTH_OCV_OVERRIDE_EAPOL_M3:
5998 wpa_auth->conf.oci_freq_override_eapol_m3 = freq;
5999 break;
6000 case WPA_AUTH_OCV_OVERRIDE_EAPOL_G1:
6001 wpa_auth->conf.oci_freq_override_eapol_g1 = freq;
6002 break;
6003 case WPA_AUTH_OCV_OVERRIDE_FT_ASSOC:
6004 wpa_auth->conf.oci_freq_override_ft_assoc = freq;
6005 break;
6006 case WPA_AUTH_OCV_OVERRIDE_FILS_ASSOC:
6007 wpa_auth->conf.oci_freq_override_fils_assoc = freq;
6008 break;
6009 }
6010 }
6011
wpa_auth_set_skip_send_eapol(struct wpa_authenticator * wpa_auth,u8 val)6012 void wpa_auth_set_skip_send_eapol(struct wpa_authenticator *wpa_auth,
6013 u8 val)
6014 {
6015 if (wpa_auth)
6016 wpa_auth->conf.skip_send_eapol = val;
6017 }
6018
wpa_auth_set_enable_eapol_large_timeout(struct wpa_authenticator * wpa_auth,u8 val)6019 void wpa_auth_set_enable_eapol_large_timeout(struct wpa_authenticator *wpa_auth,
6020 u8 val)
6021 {
6022 if (wpa_auth)
6023 wpa_auth->conf.enable_eapol_large_timeout = val;
6024 }
6025
6026
6027 #endif /* CONFIG_TESTING_OPTIONS */
6028
6029
wpa_auth_sta_radius_psk_resp(struct wpa_state_machine * sm,bool success)6030 void wpa_auth_sta_radius_psk_resp(struct wpa_state_machine *sm, bool success)
6031 {
6032 if (!sm->waiting_radius_psk) {
6033 wpa_printf(MSG_DEBUG,
6034 "Ignore RADIUS PSK response for " MACSTR
6035 " that did not wait one",
6036 MAC2STR(sm->addr));
6037 return;
6038 }
6039
6040 wpa_printf(MSG_DEBUG, "RADIUS PSK response for " MACSTR " (%s)",
6041 MAC2STR(sm->addr), success ? "success" : "fail");
6042 sm->waiting_radius_psk = 0;
6043
6044 if (success) {
6045 /* Try to process the EAPOL-Key msg 2/4 again */
6046 sm->EAPOLKeyReceived = true;
6047 } else {
6048 sm->Disconnect = true;
6049 }
6050
6051 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
6052 }
6053