1 /*
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
4 * Copyright(c) 2015 Intel Deutschland GmbH
5 *
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
8 */
9
10 #include "includes.h"
11
12 #include "common.h"
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "crypto/sha256.h"
19 #include "crypto/sha384.h"
20 #include "crypto/sha512.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/ieee802_11_common.h"
23 #include "common/ocv.h"
24 #include "common/dpp.h"
25 #include "common/wpa_ctrl.h"
26 #include "eap_common/eap_defs.h"
27 #include "eapol_supp/eapol_supp_sm.h"
28 #include "drivers/driver.h"
29 #include "wpa.h"
30 #include "eloop.h"
31 #include "preauth.h"
32 #include "pmksa_cache.h"
33 #include "wpa_i.h"
34 #include "wpa_ie.h"
35 #include "wpa_supplicant_i.h"
36 #include "driver_i.h"
37
38 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
39
40
_wpa_hexdump_link(int level,u8 link_id,const char * title,const void * buf,size_t len,bool key)41 static void _wpa_hexdump_link(int level, u8 link_id, const char *title,
42 const void *buf, size_t len, bool key)
43 {
44 char *link_title = NULL;
45
46 if (link_id >= MAX_NUM_MLD_LINKS)
47 goto out;
48
49 link_title = os_malloc(os_strlen(title) + 20);
50 if (!link_title)
51 goto out;
52
53 os_snprintf(link_title, os_strlen(title) + 20, "MLO link[%u]: %s",
54 link_id, title);
55
56 out:
57 if (key)
58 wpa_hexdump_key(level, link_title ? link_title : title, buf,
59 len);
60 else
61 wpa_hexdump(level, link_title ? link_title : title, buf, len);
62 os_free(link_title);
63 }
64
65
wpa_hexdump_link(int level,u8 link_id,const char * title,const void * buf,size_t len)66 static void wpa_hexdump_link(int level, u8 link_id, const char *title,
67 const void *buf, size_t len)
68 {
69 _wpa_hexdump_link(level, link_id, title, buf, len, false);
70 }
71
72
wpa_hexdump_link_key(int level,u8 link_id,const char * title,const void * buf,size_t len)73 static void wpa_hexdump_link_key(int level, u8 link_id, const char *title,
74 const void *buf, size_t len)
75 {
76 _wpa_hexdump_link(level, link_id, title, buf, len, true);
77 }
78
79
80 /**
81 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
82 * @sm: Pointer to WPA state machine data from wpa_sm_init()
83 * @ptk: PTK for Key Confirmation/Encryption Key
84 * @ver: Version field from Key Info
85 * @dest: Destination address for the frame
86 * @proto: Ethertype (usually ETH_P_EAPOL)
87 * @msg: EAPOL-Key message
88 * @msg_len: Length of message
89 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
90 * Returns: >= 0 on success, < 0 on failure
91 */
wpa_eapol_key_send(struct wpa_sm * sm,struct wpa_ptk * ptk,int ver,const u8 * dest,u16 proto,u8 * msg,size_t msg_len,u8 * key_mic)92 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
93 int ver, const u8 *dest, u16 proto,
94 u8 *msg, size_t msg_len, u8 *key_mic)
95 {
96 int ret = -1;
97 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
98
99 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
100 " ver=%d mic_len=%d key_mgmt=0x%x",
101 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
102 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
103 /*
104 * Association event was not yet received; try to fetch
105 * BSSID from the driver.
106 */
107 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
108 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
109 "WPA: Failed to read BSSID for "
110 "EAPOL-Key destination address");
111 } else {
112 dest = sm->bssid;
113 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
114 "WPA: Use BSSID (" MACSTR
115 ") as the destination for EAPOL-Key",
116 MAC2STR(dest));
117 }
118 }
119
120 if (mic_len) {
121 if (key_mic && (!ptk || !ptk->kck_len))
122 goto out;
123
124 if (key_mic &&
125 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
126 msg, msg_len, key_mic)) {
127 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
128 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
129 ver, sm->key_mgmt);
130 goto out;
131 }
132 if (ptk)
133 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
134 ptk->kck, ptk->kck_len);
135 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
136 key_mic, mic_len);
137 } else {
138 #ifdef CONFIG_FILS
139 /* AEAD cipher - Key MIC field not used */
140 struct ieee802_1x_hdr *s_hdr, *hdr;
141 struct wpa_eapol_key *s_key, *key;
142 u8 *buf, *s_key_data, *key_data;
143 size_t buf_len = msg_len + AES_BLOCK_SIZE;
144 size_t key_data_len;
145 u16 eapol_len;
146 const u8 *aad[1];
147 size_t aad_len[1];
148
149 if (!ptk || !ptk->kek_len)
150 goto out;
151
152 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
153 sizeof(struct wpa_eapol_key) - 2;
154
155 buf = os_malloc(buf_len);
156 if (!buf)
157 goto out;
158
159 os_memcpy(buf, msg, msg_len);
160 hdr = (struct ieee802_1x_hdr *) buf;
161 key = (struct wpa_eapol_key *) (hdr + 1);
162 key_data = ((u8 *) (key + 1)) + 2;
163
164 /* Update EAPOL header to include AES-SIV overhead */
165 eapol_len = be_to_host16(hdr->length);
166 eapol_len += AES_BLOCK_SIZE;
167 hdr->length = host_to_be16(eapol_len);
168
169 /* Update Key Data Length field to include AES-SIV overhead */
170 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
171
172 s_hdr = (struct ieee802_1x_hdr *) msg;
173 s_key = (struct wpa_eapol_key *) (s_hdr + 1);
174 s_key_data = ((u8 *) (s_key + 1)) + 2;
175
176 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
177 s_key_data, key_data_len);
178
179 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
180 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
181 * to Key Data (exclusive). */
182 aad[0] = buf;
183 aad_len[0] = key_data - buf;
184 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
185 s_key_data, key_data_len,
186 1, aad, aad_len, key_data) < 0) {
187 os_free(buf);
188 goto out;
189 }
190
191 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
192 key_data, AES_BLOCK_SIZE + key_data_len);
193
194 os_free(msg);
195 msg = buf;
196 msg_len = buf_len;
197 #else /* CONFIG_FILS */
198 goto out;
199 #endif /* CONFIG_FILS */
200 }
201
202 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
203 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
204 eapol_sm_notify_tx_eapol_key(sm->eapol);
205 out:
206 os_free(msg);
207 return ret;
208 }
209
210
211 /**
212 * wpa_sm_key_request - Send EAPOL-Key Request
213 * @sm: Pointer to WPA state machine data from wpa_sm_init()
214 * @error: Indicate whether this is an Michael MIC error report
215 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
216 *
217 * Send an EAPOL-Key Request to the current authenticator. This function is
218 * used to request rekeying and it is usually called when a local Michael MIC
219 * failure is detected.
220 */
wpa_sm_key_request(struct wpa_sm * sm,int error,int pairwise)221 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
222 {
223 size_t mic_len, hdrlen, rlen;
224 struct wpa_eapol_key *reply;
225 int key_info, ver;
226 u8 *rbuf, *key_mic, *mic;
227
228 if (pairwise && sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
229 wpa_sm_get_state(sm) == WPA_COMPLETED && !error) {
230 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
231 "WPA: PTK0 rekey not allowed, reconnecting");
232 wpa_sm_reconnect(sm);
233 return;
234 }
235
236 if (wpa_use_akm_defined(sm->key_mgmt))
237 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
238 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
239 wpa_key_mgmt_sha256(sm->key_mgmt))
240 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
241 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
242 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
243 else
244 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
245
246 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
247 hdrlen = sizeof(*reply) + mic_len + 2;
248 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
249 hdrlen, &rlen, (void *) &reply);
250 if (rbuf == NULL)
251 return;
252
253 reply->type = (sm->proto == WPA_PROTO_RSN ||
254 sm->proto == WPA_PROTO_OSEN) ?
255 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
256 key_info = WPA_KEY_INFO_REQUEST | ver;
257 if (sm->ptk_set)
258 key_info |= WPA_KEY_INFO_SECURE;
259 if (sm->ptk_set && mic_len)
260 key_info |= WPA_KEY_INFO_MIC;
261 if (error)
262 key_info |= WPA_KEY_INFO_ERROR;
263 if (pairwise)
264 key_info |= WPA_KEY_INFO_KEY_TYPE;
265 WPA_PUT_BE16(reply->key_info, key_info);
266 WPA_PUT_BE16(reply->key_length, 0);
267 os_memcpy(reply->replay_counter, sm->request_counter,
268 WPA_REPLAY_COUNTER_LEN);
269 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
270
271 mic = (u8 *) (reply + 1);
272 WPA_PUT_BE16(mic + mic_len, 0);
273 if (!(key_info & WPA_KEY_INFO_MIC))
274 key_mic = NULL;
275 else
276 key_mic = mic;
277
278 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
279 "WPA: Sending EAPOL-Key Request (error=%d "
280 "pairwise=%d ptk_set=%d len=%lu)",
281 error, pairwise, sm->ptk_set, (unsigned long) rlen);
282 wpa_eapol_key_send(sm, &sm->ptk, ver, wpa_sm_get_auth_addr(sm),
283 ETH_P_EAPOL, rbuf, rlen, key_mic);
284 }
285
286
wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm * sm)287 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
288 {
289 #ifdef CONFIG_IEEE80211R
290 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
291 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
292 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
293 "RSN: Cannot set low order 256 bits of MSK for key management offload");
294 } else {
295 #endif /* CONFIG_IEEE80211R */
296 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
297 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
298 "RSN: Cannot set PMK for key management offload");
299 #ifdef CONFIG_IEEE80211R
300 }
301 #endif /* CONFIG_IEEE80211R */
302 }
303
304
wpa_supplicant_get_pmk(struct wpa_sm * sm,const unsigned char * src_addr,const u8 * pmkid)305 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
306 const unsigned char *src_addr,
307 const u8 *pmkid)
308 {
309 int abort_cached = 0;
310
311 if (pmkid && !sm->cur_pmksa) {
312 /* When using drivers that generate RSN IE, wpa_supplicant may
313 * not have enough time to get the association information
314 * event before receiving this 1/4 message, so try to find a
315 * matching PMKSA cache entry here. */
316 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr,
317 sm->own_addr, pmkid,
318 NULL, 0);
319 if (sm->cur_pmksa) {
320 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
321 "RSN: found matching PMKID from PMKSA cache");
322 } else {
323 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
324 "RSN: no matching PMKID found");
325 abort_cached = 1;
326 }
327 }
328
329 if (pmkid && sm->cur_pmksa &&
330 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
331 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
332 wpa_sm_set_pmk_from_pmksa(sm);
333 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
334 sm->pmk, sm->pmk_len);
335 eapol_sm_notify_cached(sm->eapol);
336 #ifdef CONFIG_IEEE80211R
337 sm->xxkey_len = 0;
338 #ifdef CONFIG_SAE
339 if ((sm->key_mgmt == WPA_KEY_MGMT_FT_SAE ||
340 sm->key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) &&
341 sm->pmk_len == PMK_LEN) {
342 /* Need to allow FT key derivation to proceed with
343 * PMK from SAE being used as the XXKey in cases where
344 * the PMKID in msg 1/4 matches the PMKSA entry that was
345 * just added based on SAE authentication for the
346 * initial mobility domain association. */
347 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
348 sm->xxkey_len = sm->pmk_len;
349 }
350 #endif /* CONFIG_SAE */
351 #endif /* CONFIG_IEEE80211R */
352 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
353 int res, pmk_len;
354 #ifdef CONFIG_IEEE80211R
355 u8 buf[2 * PMK_LEN];
356 #endif /* CONFIG_IEEE80211R */
357
358 if (wpa_key_mgmt_sha384(sm->key_mgmt))
359 pmk_len = PMK_LEN_SUITE_B_192;
360 else
361 pmk_len = PMK_LEN;
362 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
363 if (res) {
364 if (pmk_len == PMK_LEN) {
365 /*
366 * EAP-LEAP is an exception from other EAP
367 * methods: it uses only 16-byte PMK.
368 */
369 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
370 pmk_len = 16;
371 }
372 }
373 #ifdef CONFIG_IEEE80211R
374 if (res == 0 &&
375 eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) {
376 if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
377 os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN);
378 sm->xxkey_len = SHA384_MAC_LEN;
379 } else {
380 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
381 sm->xxkey_len = PMK_LEN;
382 }
383 forced_memzero(buf, sizeof(buf));
384 if (sm->proto == WPA_PROTO_RSN &&
385 wpa_key_mgmt_ft(sm->key_mgmt)) {
386 struct rsn_pmksa_cache_entry *sa = NULL;
387 const u8 *fils_cache_id = NULL;
388
389 #ifdef CONFIG_FILS
390 if (sm->fils_cache_id_set)
391 fils_cache_id = sm->fils_cache_id;
392 #endif /* CONFIG_FILS */
393 wpa_hexdump_key(MSG_DEBUG,
394 "FT: Cache XXKey/MPMK",
395 sm->xxkey, sm->xxkey_len);
396 sa = pmksa_cache_add(sm->pmksa,
397 sm->xxkey, sm->xxkey_len,
398 NULL, NULL, 0,
399 src_addr, sm->own_addr,
400 sm->network_ctx,
401 sm->key_mgmt,
402 fils_cache_id);
403 if (!sm->cur_pmksa)
404 sm->cur_pmksa = sa;
405 }
406 }
407 #endif /* CONFIG_IEEE80211R */
408 if (res == 0) {
409 struct rsn_pmksa_cache_entry *sa = NULL;
410 const u8 *fils_cache_id = NULL;
411
412 #ifdef CONFIG_FILS
413 if (sm->fils_cache_id_set)
414 fils_cache_id = sm->fils_cache_id;
415 #endif /* CONFIG_FILS */
416
417 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
418 "machines", sm->pmk, pmk_len);
419 sm->pmk_len = pmk_len;
420 wpa_supplicant_key_mgmt_set_pmk(sm);
421 if (sm->proto == WPA_PROTO_RSN &&
422 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
423 !wpa_key_mgmt_ft(sm->key_mgmt)) {
424 sa = pmksa_cache_add(sm->pmksa,
425 sm->pmk, pmk_len, NULL,
426 NULL, 0,
427 src_addr, sm->own_addr,
428 sm->network_ctx,
429 sm->key_mgmt,
430 fils_cache_id);
431 }
432 if (!sm->cur_pmksa && pmkid &&
433 pmksa_cache_get(sm->pmksa, src_addr, sm->own_addr,
434 pmkid, NULL, 0)) {
435 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
436 "RSN: the new PMK matches with the "
437 "PMKID");
438 abort_cached = 0;
439 } else if (sa && !sm->cur_pmksa && pmkid) {
440 /*
441 * It looks like the authentication server
442 * derived mismatching MSK. This should not
443 * really happen, but bugs happen.. There is not
444 * much we can do here without knowing what
445 * exactly caused the server to misbehave.
446 */
447 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
448 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
449 return -1;
450 }
451
452 if (!sm->cur_pmksa)
453 sm->cur_pmksa = sa;
454 #ifdef CONFIG_IEEE80211R
455 } else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) {
456 wpa_printf(MSG_DEBUG,
457 "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol");
458 #endif /* CONFIG_IEEE80211R */
459 } else {
460 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
461 "WPA: Failed to get master session key from "
462 "EAPOL state machines - key handshake "
463 "aborted");
464 if (sm->cur_pmksa) {
465 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
466 "RSN: Cancelled PMKSA caching "
467 "attempt");
468 sm->cur_pmksa = NULL;
469 abort_cached = 1;
470 } else if (!abort_cached) {
471 return -1;
472 }
473 }
474 }
475
476 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
477 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
478 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
479 {
480 /* Send EAPOL-Start to trigger full EAP authentication. */
481 u8 *buf;
482 size_t buflen;
483
484 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
485 "RSN: no PMKSA entry found - trigger "
486 "full EAP authentication");
487 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
488 NULL, 0, &buflen, NULL);
489 if (buf) {
490 /* Set and reset eapFail to allow EAP state machine to
491 * proceed with new authentication. */
492 eapol_sm_notify_eap_fail(sm->eapol, true);
493 eapol_sm_notify_eap_fail(sm->eapol, false);
494 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
495 buf, buflen);
496 os_free(buf);
497 return -2;
498 }
499
500 return -1;
501 }
502
503 return 0;
504 }
505
506
507 /**
508 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
509 * @sm: Pointer to WPA state machine data from wpa_sm_init()
510 * @dst: Destination address for the frame
511 * @key: Pointer to the EAPOL-Key frame header
512 * @ver: Version bits from EAPOL-Key Key Info
513 * @nonce: Nonce value for the EAPOL-Key frame
514 * @wpa_ie: WPA/RSN IE
515 * @wpa_ie_len: Length of the WPA/RSN IE
516 * @ptk: PTK to use for keyed hash and encryption
517 * Returns: >= 0 on success, < 0 on failure
518 */
wpa_supplicant_send_2_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,int ver,const u8 * nonce,const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ptk * ptk)519 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
520 const struct wpa_eapol_key *key,
521 int ver, const u8 *nonce,
522 const u8 *wpa_ie, size_t wpa_ie_len,
523 struct wpa_ptk *ptk)
524 {
525 size_t mic_len, hdrlen, rlen;
526 struct wpa_eapol_key *reply;
527 u8 *rbuf, *key_mic;
528 u8 *rsn_ie_buf = NULL;
529 u16 key_info;
530
531 if (wpa_ie == NULL) {
532 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
533 "cannot generate msg 2/4");
534 return -1;
535 }
536
537 #ifdef CONFIG_IEEE80211R
538 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
539 int res;
540
541 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE before FT processing",
542 wpa_ie, wpa_ie_len);
543 /*
544 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
545 * FTIE from (Re)Association Response.
546 */
547 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
548 sm->assoc_resp_ies_len);
549 if (rsn_ie_buf == NULL)
550 return -1;
551 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
552 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
553 sm->pmk_r1_name);
554 if (res < 0) {
555 os_free(rsn_ie_buf);
556 return -1;
557 }
558 wpa_hexdump(MSG_DEBUG,
559 "WPA: WPA IE after PMKID[PMKR1Name] addition into RSNE",
560 rsn_ie_buf, wpa_ie_len);
561
562 if (sm->assoc_resp_ies) {
563 wpa_hexdump(MSG_DEBUG, "WPA: Add assoc_resp_ies",
564 sm->assoc_resp_ies,
565 sm->assoc_resp_ies_len);
566 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
567 sm->assoc_resp_ies_len);
568 wpa_ie_len += sm->assoc_resp_ies_len;
569 }
570
571 wpa_ie = rsn_ie_buf;
572 }
573 #endif /* CONFIG_IEEE80211R */
574
575 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
576
577 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
578 hdrlen = sizeof(*reply) + mic_len + 2;
579 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
580 NULL, hdrlen + wpa_ie_len,
581 &rlen, (void *) &reply);
582 if (rbuf == NULL) {
583 os_free(rsn_ie_buf);
584 return -1;
585 }
586
587 reply->type = (sm->proto == WPA_PROTO_RSN ||
588 sm->proto == WPA_PROTO_OSEN) ?
589 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
590 key_info = ver | WPA_KEY_INFO_KEY_TYPE;
591 if (sm->ptk_set && sm->proto != WPA_PROTO_WPA)
592 key_info |= WPA_KEY_INFO_SECURE;
593 if (mic_len)
594 key_info |= WPA_KEY_INFO_MIC;
595 else
596 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
597 WPA_PUT_BE16(reply->key_info, key_info);
598 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
599 WPA_PUT_BE16(reply->key_length, 0);
600 else
601 os_memcpy(reply->key_length, key->key_length, 2);
602 os_memcpy(reply->replay_counter, key->replay_counter,
603 WPA_REPLAY_COUNTER_LEN);
604 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
605 WPA_REPLAY_COUNTER_LEN);
606
607 key_mic = (u8 *) (reply + 1);
608 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */
609 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
610 os_free(rsn_ie_buf);
611
612 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
613
614 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Sending EAPOL-Key 2/4");
615 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
616 key_mic);
617 }
618
619
wpa_derive_ptk(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,struct wpa_ptk * ptk)620 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
621 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
622 {
623 int ret;
624 const u8 *z = NULL;
625 size_t z_len = 0, kdk_len;
626 int akmp;
627
628 #ifdef CONFIG_IEEE80211R
629 if (wpa_key_mgmt_ft(sm->key_mgmt))
630 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
631 #endif /* CONFIG_IEEE80211R */
632
633 #ifdef CONFIG_DPP2
634 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
635 z = wpabuf_head(sm->dpp_z);
636 z_len = wpabuf_len(sm->dpp_z);
637 }
638 #endif /* CONFIG_DPP2 */
639
640 akmp = sm->key_mgmt;
641 #ifdef CONFIG_OWE
642 if (sm->owe_ptk_workaround && akmp == WPA_KEY_MGMT_OWE &&
643 sm->pmk_len > 32) {
644 wpa_printf(MSG_DEBUG,
645 "OWE: Force SHA256 for PTK derivation");
646 akmp |= WPA_KEY_MGMT_PSK_SHA256;
647 }
648 #endif /* CONFIG_OWE */
649
650 if (sm->force_kdk_derivation ||
651 (sm->secure_ltf &&
652 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
653 kdk_len = WPA_KDK_MAX_LEN;
654 else
655 kdk_len = 0;
656
657 ret = wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
658 sm->own_addr, wpa_sm_get_auth_addr(sm), sm->snonce,
659 key->key_nonce, ptk, akmp,
660 sm->pairwise_cipher, z, z_len,
661 kdk_len);
662 if (ret) {
663 wpa_printf(MSG_ERROR, "WPA: PTK derivation failed");
664 return ret;
665 }
666
667 #ifdef CONFIG_PASN
668 if (sm->secure_ltf &&
669 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))
670 ret = wpa_ltf_keyseed(ptk, akmp, sm->pairwise_cipher);
671 #endif /* CONFIG_PASN */
672
673 return ret;
674 }
675
676
wpa_handle_ext_key_id(struct wpa_sm * sm,struct wpa_eapol_ie_parse * kde)677 static int wpa_handle_ext_key_id(struct wpa_sm *sm,
678 struct wpa_eapol_ie_parse *kde)
679 {
680 if (sm->ext_key_id) {
681 u16 key_id;
682
683 if (!kde->key_id) {
684 wpa_msg(sm->ctx->msg_ctx,
685 sm->use_ext_key_id ? MSG_INFO : MSG_DEBUG,
686 "RSN: No Key ID in Extended Key ID handshake");
687 sm->keyidx_active = 0;
688 return sm->use_ext_key_id ? -1 : 0;
689 }
690
691 key_id = kde->key_id[0] & 0x03;
692 if (key_id > 1) {
693 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
694 "RSN: Invalid Extended Key ID: %d", key_id);
695 return -1;
696 }
697 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
698 "RSN: Using Extended Key ID %d", key_id);
699 sm->keyidx_active = key_id;
700 sm->use_ext_key_id = 1;
701 } else {
702 if (kde->key_id && (kde->key_id[0] & 0x03)) {
703 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
704 "RSN: Non-zero Extended Key ID Key ID in PTK0 handshake");
705 return -1;
706 }
707
708 if (kde->key_id) {
709 /* This is not supposed to be included here, but ignore
710 * the case of matching Key ID 0 just in case. */
711 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
712 "RSN: Extended Key ID Key ID 0 in PTK0 handshake");
713 }
714 sm->keyidx_active = 0;
715 sm->use_ext_key_id = 0;
716 }
717
718 return 0;
719 }
720
721
rsn_add_kde(u8 * pos,u32 kde,const u8 * data,size_t data_len)722 static u8 * rsn_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len)
723 {
724 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
725 *pos++ = RSN_SELECTOR_LEN + data_len;
726 RSN_SELECTOR_PUT(pos, kde);
727 pos += RSN_SELECTOR_LEN;
728 os_memcpy(pos, data, data_len);
729 pos += data_len;
730
731 return pos;
732 }
733
734
wpa_mlo_link_kde_len(struct wpa_sm * sm)735 static size_t wpa_mlo_link_kde_len(struct wpa_sm *sm)
736 {
737 int i;
738 unsigned int num_links = 0;
739
740 for (i = 0; i < MAX_NUM_MLO_LINKS; i++) {
741 if (sm->mlo.assoc_link_id != i && (sm->mlo.req_links & BIT(i)))
742 num_links++;
743 }
744
745 return num_links * (RSN_SELECTOR_LEN + 1 + ETH_ALEN + 2);
746 }
747
748
wpa_mlo_link_kde(struct wpa_sm * sm,u8 * pos)749 static u8 * wpa_mlo_link_kde(struct wpa_sm *sm, u8 *pos)
750 {
751 int i;
752 u8 hdr[1 + ETH_ALEN];
753
754 for (i = 0; i < MAX_NUM_MLO_LINKS; i++) {
755 if (sm->mlo.assoc_link_id == i || !(sm->mlo.req_links & BIT(i)))
756 continue;
757
758 wpa_printf(MSG_DEBUG,
759 "MLO: Add MLO Link %d KDE in EAPOL-Key 2/4", i);
760 hdr[0] = i & 0xF; /* LinkID; no RSNE or RSNXE */
761 os_memcpy(&hdr[1], sm->mlo.links[i].addr, ETH_ALEN);
762 pos = rsn_add_kde(pos, RSN_KEY_DATA_MLO_LINK, hdr, sizeof(hdr));
763 }
764
765 return pos;
766 }
767
768
is_valid_ap_mld_mac_kde(struct wpa_sm * sm,const u8 * mac_kde)769 static bool is_valid_ap_mld_mac_kde(struct wpa_sm *sm, const u8 *mac_kde)
770 {
771 return mac_kde &&
772 os_memcmp(mac_kde, sm->mlo.ap_mld_addr, ETH_ALEN) == 0;
773 }
774
775
wpas_swap_tkip_mic_keys(struct wpa_ptk * ptk)776 static void wpas_swap_tkip_mic_keys(struct wpa_ptk *ptk)
777 {
778 u8 buf[8];
779
780 /* Supplicant: swap tx/rx Mic keys */
781 os_memcpy(buf, &ptk->tk[16], 8);
782 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
783 os_memcpy(&ptk->tk[24], buf, 8);
784 forced_memzero(buf, sizeof(buf));
785 }
786
787
wpa_supplicant_process_1_of_4_wpa(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len,enum frame_encryption encrypted)788 static void wpa_supplicant_process_1_of_4_wpa(struct wpa_sm *sm,
789 const unsigned char *src_addr,
790 const struct wpa_eapol_key *key,
791 u16 ver, const u8 *key_data,
792 size_t key_data_len,
793 enum frame_encryption encrypted)
794 {
795 struct wpa_eapol_ie_parse ie;
796 struct wpa_ptk *ptk;
797 int res;
798
799 if (wpa_sm_get_network_ctx(sm) == NULL) {
800 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
801 "WPA: No SSID info found (msg 1 of 4)");
802 return;
803 }
804
805 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
806 "WPA: RX message 1 of 4-Way Handshake from " MACSTR
807 " (ver=%d)", MAC2STR(src_addr), ver);
808
809 os_memset(&ie, 0, sizeof(ie));
810
811 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
812 if (res == -2) {
813 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
814 "WPA: Do not reply to msg 1/4 - requesting full EAP authentication");
815 return;
816 }
817 if (res)
818 goto failed;
819
820 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
821
822 if (sm->renew_snonce) {
823 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
824 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
825 "WPA: Failed to get random data for SNonce");
826 goto failed;
827 }
828 sm->renew_snonce = 0;
829 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
830 sm->snonce, WPA_NONCE_LEN);
831 }
832
833 /* Calculate PTK which will be stored as a temporary PTK until it has
834 * been verified when processing message 3/4. */
835 ptk = &sm->tptk;
836 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
837 goto failed;
838 if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
839 wpas_swap_tkip_mic_keys(ptk);
840 sm->tptk_set = 1;
841
842 if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
843 sm->snonce, sm->assoc_wpa_ie,
844 sm->assoc_wpa_ie_len, ptk) < 0)
845 goto failed;
846
847 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
848 return;
849
850 failed:
851 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
852 }
853
854
wpa_supplicant_process_1_of_4(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len,enum frame_encryption encrypted)855 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
856 const unsigned char *src_addr,
857 const struct wpa_eapol_key *key,
858 u16 ver, const u8 *key_data,
859 size_t key_data_len,
860 enum frame_encryption encrypted)
861 {
862 struct wpa_eapol_ie_parse ie;
863 struct wpa_ptk *ptk;
864 int res;
865 u8 *kde, *kde_buf = NULL;
866 size_t kde_len;
867 size_t mlo_kde_len = 0;
868
869 if (encrypted == FRAME_NOT_ENCRYPTED && sm->tk_set &&
870 wpa_sm_pmf_enabled(sm)) {
871 wpa_printf(MSG_DEBUG,
872 "RSN: Discard unencrypted EAPOL-Key msg 1/4 when TK is set and PMF is enabled");
873 return;
874 }
875
876 if (wpa_sm_get_network_ctx(sm) == NULL) {
877 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
878 "found (msg 1 of 4)");
879 return;
880 }
881
882 if (sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
883 wpa_sm_get_state(sm) == WPA_COMPLETED) {
884 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
885 "WPA: PTK0 rekey not allowed, reconnecting");
886 wpa_sm_reconnect(sm);
887 return;
888 }
889
890 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: RX message 1 of 4-Way "
891 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
892
893 os_memset(&ie, 0, sizeof(ie));
894
895 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
896 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", key_data, key_data_len);
897 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) {
898 wpa_printf(MSG_DEBUG,
899 "RSN: Discard EAPOL-Key msg 1/4 with invalid IEs/KDEs");
900 return;
901 }
902 if (ie.pmkid) {
903 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from Authenticator",
904 ie.pmkid, PMKID_LEN);
905 }
906
907 if (sm->mlo.valid_links && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) {
908 wpa_printf(MSG_INFO,
909 "RSN: Discard EAPOL-Key msg 1/4 with invalid AP MLD MAC address KDE");
910 return;
911 }
912
913 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
914 if (res == -2) {
915 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
916 "msg 1/4 - requesting full EAP authentication");
917 return;
918 }
919 if (res)
920 goto failed;
921
922 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
923
924 if (sm->renew_snonce) {
925 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
926 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
927 "WPA: Failed to get random data for SNonce");
928 goto failed;
929 }
930 sm->renew_snonce = 0;
931 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
932 sm->snonce, WPA_NONCE_LEN);
933 }
934
935 /* Calculate PTK which will be stored as a temporary PTK until it has
936 * been verified when processing message 3/4. */
937 ptk = &sm->tptk;
938 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
939 goto failed;
940 if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
941 wpas_swap_tkip_mic_keys(ptk);
942 sm->tptk_set = 1;
943
944 /* Add MLO Link KDE and MAC KDE in M2 for ML connection */
945 if (sm->mlo.valid_links)
946 mlo_kde_len = wpa_mlo_link_kde_len(sm) +
947 RSN_SELECTOR_LEN + ETH_ALEN + 2;
948
949 kde = sm->assoc_wpa_ie;
950 kde_len = sm->assoc_wpa_ie_len;
951 kde_buf = os_malloc(kde_len +
952 2 + RSN_SELECTOR_LEN + 3 +
953 sm->assoc_rsnxe_len +
954 2 + RSN_SELECTOR_LEN + 1 +
955 2 + RSN_SELECTOR_LEN + 2 + mlo_kde_len);
956
957 if (!kde_buf)
958 goto failed;
959 os_memcpy(kde_buf, kde, kde_len);
960 kde = kde_buf;
961
962 #ifdef CONFIG_OCV
963 if (wpa_sm_ocv_enabled(sm)) {
964 struct wpa_channel_info ci;
965 u8 *pos;
966
967 pos = kde + kde_len;
968 if (wpa_sm_channel_info(sm, &ci) != 0) {
969 wpa_printf(MSG_WARNING,
970 "Failed to get channel info for OCI element in EAPOL-Key 2/4");
971 goto failed;
972 }
973 #ifdef CONFIG_TESTING_OPTIONS
974 if (sm->oci_freq_override_eapol) {
975 wpa_printf(MSG_INFO,
976 "TEST: Override OCI KDE frequency %d -> %d MHz",
977 ci.frequency, sm->oci_freq_override_eapol);
978 ci.frequency = sm->oci_freq_override_eapol;
979 }
980 #endif /* CONFIG_TESTING_OPTIONS */
981
982 if (ocv_insert_oci_kde(&ci, &pos) < 0)
983 goto failed;
984 kde_len = pos - kde;
985 }
986 #endif /* CONFIG_OCV */
987
988 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) {
989 os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len);
990 kde_len += sm->assoc_rsnxe_len;
991 }
992
993 #ifdef CONFIG_P2P
994 if (sm->p2p) {
995 u8 *pos;
996
997 wpa_printf(MSG_DEBUG,
998 "P2P: Add IP Address Request KDE into EAPOL-Key 2/4");
999 pos = kde + kde_len;
1000 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
1001 *pos++ = RSN_SELECTOR_LEN + 1;
1002 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
1003 pos += RSN_SELECTOR_LEN;
1004 *pos++ = 0x01;
1005 kde_len = pos - kde;
1006 }
1007 #endif /* CONFIG_P2P */
1008
1009 #ifdef CONFIG_DPP2
1010 if (DPP_VERSION > 1 && sm->key_mgmt == WPA_KEY_MGMT_DPP) {
1011 u8 *pos;
1012
1013 wpa_printf(MSG_DEBUG, "DPP: Add DPP KDE into EAPOL-Key 2/4");
1014 pos = kde + kde_len;
1015 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
1016 *pos++ = RSN_SELECTOR_LEN + 2;
1017 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_DPP);
1018 pos += RSN_SELECTOR_LEN;
1019 *pos++ = DPP_VERSION; /* Protocol Version */
1020 *pos = 0; /* Flags */
1021 if (sm->dpp_pfs == 0)
1022 *pos |= DPP_KDE_PFS_ALLOWED;
1023 else if (sm->dpp_pfs == 1)
1024 *pos |= DPP_KDE_PFS_ALLOWED | DPP_KDE_PFS_REQUIRED;
1025 pos++;
1026 kde_len = pos - kde;
1027 }
1028 #endif /* CONFIG_DPP2 */
1029
1030 if (sm->mlo.valid_links) {
1031 u8 *pos;
1032
1033 /* Add MAC KDE */
1034 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 2/4");
1035 pos = kde + kde_len;
1036 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
1037 ETH_ALEN);
1038
1039 /* Add MLO Link KDE */
1040 wpa_printf(MSG_DEBUG, "Add MLO Link KDE(s) into EAPOL-Key 2/4");
1041 pos = wpa_mlo_link_kde(sm, pos);
1042 kde_len = pos - kde;
1043 }
1044
1045 if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
1046 sm->snonce, kde, kde_len, ptk) < 0)
1047 goto failed;
1048
1049 os_free(kde_buf);
1050 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
1051 return;
1052
1053 failed:
1054 os_free(kde_buf);
1055 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1056 }
1057
1058
wpa_sm_start_preauth(void * eloop_ctx,void * timeout_ctx)1059 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
1060 {
1061 struct wpa_sm *sm = eloop_ctx;
1062 rsn_preauth_candidate_process(sm);
1063 }
1064
1065
wpa_supplicant_key_neg_complete(struct wpa_sm * sm,const u8 * addr,int secure)1066 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
1067 const u8 *addr, int secure)
1068 {
1069 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1070 "WPA: Key negotiation completed with "
1071 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
1072 wpa_cipher_txt(sm->pairwise_cipher),
1073 wpa_cipher_txt(sm->group_cipher));
1074 wpa_sm_cancel_auth_timeout(sm);
1075 wpa_sm_set_state(sm, WPA_COMPLETED);
1076
1077 if (secure) {
1078 wpa_sm_mlme_setprotection(
1079 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
1080 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1081 eapol_sm_notify_portValid(sm->eapol, true);
1082 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
1083 sm->key_mgmt == WPA_KEY_MGMT_DPP ||
1084 sm->key_mgmt == WPA_KEY_MGMT_OWE)
1085 eapol_sm_notify_eap_success(sm->eapol, true);
1086 /*
1087 * Start preauthentication after a short wait to avoid a
1088 * possible race condition between the data receive and key
1089 * configuration after the 4-Way Handshake. This increases the
1090 * likelihood of the first preauth EAPOL-Start frame getting to
1091 * the target AP.
1092 */
1093 if (!dl_list_empty(&sm->pmksa_candidates))
1094 eloop_register_timeout(1, 0, wpa_sm_start_preauth,
1095 sm, NULL);
1096 }
1097
1098 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
1099 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1100 "RSN: Authenticator accepted "
1101 "opportunistic PMKSA entry - marking it valid");
1102 sm->cur_pmksa->opportunistic = 0;
1103 }
1104
1105 #ifdef CONFIG_IEEE80211R
1106 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
1107 /* Prepare for the next transition */
1108 wpa_ft_prepare_auth_request(sm, NULL);
1109 }
1110 #endif /* CONFIG_IEEE80211R */
1111 }
1112
1113
wpa_sm_rekey_ptk(void * eloop_ctx,void * timeout_ctx)1114 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
1115 {
1116 struct wpa_sm *sm = eloop_ctx;
1117 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
1118 wpa_sm_key_request(sm, 0, 1);
1119 }
1120
1121
wpa_supplicant_install_ptk(struct wpa_sm * sm,const struct wpa_eapol_key * key,enum key_flag key_flag)1122 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
1123 const struct wpa_eapol_key *key,
1124 enum key_flag key_flag)
1125 {
1126 int keylen, rsclen;
1127 enum wpa_alg alg;
1128 const u8 *key_rsc;
1129
1130 if (sm->ptk.installed) {
1131 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1132 "WPA: Do not re-install same PTK to the driver");
1133 return 0;
1134 }
1135
1136 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1137 "WPA: Installing PTK to the driver");
1138
1139 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1140 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
1141 "Suite: NONE - do not use pairwise keys");
1142 return 0;
1143 }
1144
1145 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
1146 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1147 "WPA: Unsupported pairwise cipher %d",
1148 sm->pairwise_cipher);
1149 return -1;
1150 }
1151
1152 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
1153 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
1154 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
1155 wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",
1156 keylen, (long unsigned int) sm->ptk.tk_len);
1157 return -1;
1158 }
1159 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
1160
1161 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
1162 key_rsc = null_rsc;
1163 } else {
1164 key_rsc = key->key_rsc;
1165 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
1166 }
1167
1168 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm),
1169 sm->keyidx_active, 1, key_rsc, rsclen, sm->ptk.tk,
1170 keylen, KEY_FLAG_PAIRWISE | key_flag) < 0) {
1171 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1172 "WPA: Failed to set PTK to the driver (alg=%d keylen=%d auth_addr="
1173 MACSTR " idx=%d key_flag=0x%x)",
1174 alg, keylen, MAC2STR(wpa_sm_get_auth_addr(sm)),
1175 sm->keyidx_active, key_flag);
1176 return -1;
1177 }
1178
1179 #ifdef CONFIG_PASN
1180 if (sm->secure_ltf &&
1181 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
1182 wpa_sm_set_ltf_keyseed(sm, sm->own_addr, sm->bssid,
1183 sm->ptk.ltf_keyseed_len,
1184 sm->ptk.ltf_keyseed) < 0) {
1185 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1186 "WPA: Failed to set LTF keyseed to the driver (keylen=%zu bssid="
1187 MACSTR ")", sm->ptk.ltf_keyseed_len,
1188 MAC2STR(sm->bssid));
1189 return -1;
1190 }
1191 #endif /* CONFIG_PASN */
1192
1193 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
1194 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
1195
1196 /* TK is not needed anymore in supplicant */
1197 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
1198 sm->ptk.tk_len = 0;
1199 sm->ptk.installed = 1;
1200 sm->tk_set = true;
1201
1202 if (sm->wpa_ptk_rekey) {
1203 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
1204 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
1205 sm, NULL);
1206 }
1207 return 0;
1208 }
1209
1210
wpa_supplicant_activate_ptk(struct wpa_sm * sm)1211 static int wpa_supplicant_activate_ptk(struct wpa_sm *sm)
1212 {
1213 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1214 "WPA: Activate PTK (idx=%d auth_addr=" MACSTR ")",
1215 sm->keyidx_active, MAC2STR(wpa_sm_get_auth_addr(sm)));
1216
1217 if (wpa_sm_set_key(sm, -1, 0, wpa_sm_get_auth_addr(sm),
1218 sm->keyidx_active, 0, NULL, 0, NULL, 0,
1219 KEY_FLAG_PAIRWISE_RX_TX_MODIFY) < 0) {
1220 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1221 "WPA: Failed to activate PTK for TX (idx=%d auth_addr="
1222 MACSTR ")", sm->keyidx_active,
1223 MAC2STR(wpa_sm_get_auth_addr(sm)));
1224 return -1;
1225 }
1226 return 0;
1227 }
1228
1229
wpa_supplicant_check_group_cipher(struct wpa_sm * sm,int group_cipher,int keylen,int maxkeylen,int * key_rsc_len,enum wpa_alg * alg)1230 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
1231 int group_cipher,
1232 int keylen, int maxkeylen,
1233 int *key_rsc_len,
1234 enum wpa_alg *alg)
1235 {
1236 int klen;
1237
1238 *alg = wpa_cipher_to_alg(group_cipher);
1239 if (*alg == WPA_ALG_NONE) {
1240 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1241 "WPA: Unsupported Group Cipher %d",
1242 group_cipher);
1243 return -1;
1244 }
1245 *key_rsc_len = wpa_cipher_rsc_len(group_cipher);
1246
1247 klen = wpa_cipher_key_len(group_cipher);
1248 if (keylen != klen || maxkeylen < klen) {
1249 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1250 "WPA: Unsupported %s Group Cipher key length %d (%d)",
1251 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
1252 return -1;
1253 }
1254 return 0;
1255 }
1256
1257
1258 struct wpa_gtk_data {
1259 enum wpa_alg alg;
1260 int tx, key_rsc_len, keyidx;
1261 u8 gtk[32];
1262 int gtk_len;
1263 };
1264
1265
wpa_supplicant_install_gtk(struct wpa_sm * sm,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1266 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
1267 const struct wpa_gtk_data *gd,
1268 const u8 *key_rsc, int wnm_sleep)
1269 {
1270 const u8 *_gtk = gd->gtk;
1271 u8 gtk_buf[32];
1272
1273 /* Detect possible key reinstallation */
1274 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
1275 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
1276 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
1277 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
1278 sm->gtk_wnm_sleep.gtk_len) == 0)) {
1279 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1280 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
1281 gd->keyidx, gd->tx, gd->gtk_len);
1282 return 0;
1283 }
1284
1285 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
1286 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1287 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
1288 gd->keyidx, gd->tx, gd->gtk_len);
1289 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
1290 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1291 /* Swap Tx/Rx keys for Michael MIC */
1292 os_memcpy(gtk_buf, gd->gtk, 16);
1293 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1294 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1295 _gtk = gtk_buf;
1296 }
1297 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1298 if (wpa_sm_set_key(sm, -1, gd->alg, NULL,
1299 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
1300 _gtk, gd->gtk_len,
1301 KEY_FLAG_GROUP_RX_TX_DEFAULT) < 0) {
1302 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1303 "WPA: Failed to set GTK to the driver "
1304 "(Group only)");
1305 forced_memzero(gtk_buf, sizeof(gtk_buf));
1306 return -1;
1307 }
1308 } else if (wpa_sm_set_key(sm, -1, gd->alg, broadcast_ether_addr,
1309 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
1310 _gtk, gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1311 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1312 "WPA: Failed to set GTK to "
1313 "the driver (alg=%d keylen=%d keyidx=%d)",
1314 gd->alg, gd->gtk_len, gd->keyidx);
1315 forced_memzero(gtk_buf, sizeof(gtk_buf));
1316 return -1;
1317 }
1318 forced_memzero(gtk_buf, sizeof(gtk_buf));
1319
1320 if (wnm_sleep) {
1321 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
1322 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
1323 sm->gtk_wnm_sleep.gtk_len);
1324 } else {
1325 sm->gtk.gtk_len = gd->gtk_len;
1326 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
1327 }
1328
1329 return 0;
1330 }
1331
1332
wpa_supplicant_install_mlo_gtk(struct wpa_sm * sm,u8 link_id,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1333 static int wpa_supplicant_install_mlo_gtk(struct wpa_sm *sm, u8 link_id,
1334 const struct wpa_gtk_data *gd,
1335 const u8 *key_rsc, int wnm_sleep)
1336 {
1337 const u8 *gtk = gd->gtk;
1338
1339 /* Detect possible key reinstallation */
1340 if ((sm->mlo.links[link_id].gtk.gtk_len == (size_t) gd->gtk_len &&
1341 os_memcmp(sm->mlo.links[link_id].gtk.gtk, gd->gtk,
1342 sm->mlo.links[link_id].gtk.gtk_len) == 0) ||
1343 (sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len ==
1344 (size_t) gd->gtk_len &&
1345 os_memcmp(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk,
1346 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len) == 0)) {
1347 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1348 "RSN: Not reinstalling already in-use GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)",
1349 link_id, gd->keyidx, gd->tx, gd->gtk_len);
1350 return 0;
1351 }
1352
1353 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: Group Key", gd->gtk,
1354 gd->gtk_len);
1355 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1356 "RSN: Installing GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)",
1357 link_id, gd->keyidx, gd->tx, gd->gtk_len);
1358 wpa_hexdump_link(MSG_DEBUG, link_id, "RSN: RSC",
1359 key_rsc, gd->key_rsc_len);
1360 if (wpa_sm_set_key(sm, link_id, gd->alg, broadcast_ether_addr,
1361 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, gtk,
1362 gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1363 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1364 "RSN: Failed to set GTK to the driver (link_id=%d alg=%d keylen=%d keyidx=%d)",
1365 link_id, gd->alg, gd->gtk_len, gd->keyidx);
1366 return -1;
1367 }
1368
1369 if (wnm_sleep) {
1370 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len = gd->gtk_len;
1371 os_memcpy(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk,
1372 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len);
1373 } else {
1374 sm->mlo.links[link_id].gtk.gtk_len = gd->gtk_len;
1375 os_memcpy(sm->mlo.links[link_id].gtk.gtk, gd->gtk,
1376 sm->mlo.links[link_id].gtk.gtk_len);
1377 }
1378
1379 return 0;
1380 }
1381
1382
wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm * sm,int tx)1383 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
1384 int tx)
1385 {
1386 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
1387 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
1388 * seemed to set this bit (incorrectly, since Tx is only when
1389 * doing Group Key only APs) and without this workaround, the
1390 * data connection does not work because wpa_supplicant
1391 * configured non-zero keyidx to be used for unicast. */
1392 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1393 "WPA: Tx bit set for GTK, but pairwise "
1394 "keys are used - ignore Tx bit");
1395 return 0;
1396 }
1397 return tx;
1398 }
1399
1400
wpa_supplicant_rsc_relaxation(const struct wpa_sm * sm,const u8 * rsc)1401 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
1402 const u8 *rsc)
1403 {
1404 int rsclen;
1405
1406 if (!sm->wpa_rsc_relaxation)
1407 return 0;
1408
1409 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
1410
1411 /*
1412 * Try to detect RSC (endian) corruption issue where the AP sends
1413 * the RSC bytes in EAPOL-Key message in the wrong order, both if
1414 * it's actually a 6-byte field (as it should be) and if it treats
1415 * it as an 8-byte field.
1416 * An AP model known to have this bug is the Sapido RB-1632.
1417 */
1418 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
1419 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1420 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
1421 rsc[0], rsc[1], rsc[2], rsc[3],
1422 rsc[4], rsc[5], rsc[6], rsc[7]);
1423
1424 return 1;
1425 }
1426
1427 return 0;
1428 }
1429
1430
wpa_supplicant_mlo_gtk(struct wpa_sm * sm,u8 link_id,const u8 * gtk,size_t gtk_len,int key_info)1431 static int wpa_supplicant_mlo_gtk(struct wpa_sm *sm, u8 link_id, const u8 *gtk,
1432 size_t gtk_len, int key_info)
1433 {
1434 struct wpa_gtk_data gd;
1435 const u8 *key_rsc;
1436 int ret;
1437
1438 /*
1439 * MLO GTK KDE format:
1440 * KeyID[bits 0-1], Tx [bit 2], Reserved [bit 3], link id [4-7]
1441 * PN
1442 * GTK
1443 */
1444 os_memset(&gd, 0, sizeof(gd));
1445 wpa_hexdump_link_key(MSG_DEBUG, link_id,
1446 "RSN: received GTK in pairwise handshake",
1447 gtk, gtk_len);
1448
1449 if (gtk_len < RSN_MLO_GTK_KDE_PREFIX_LENGTH ||
1450 gtk_len - RSN_MLO_GTK_KDE_PREFIX_LENGTH > sizeof(gd.gtk))
1451 return -1;
1452
1453 gd.keyidx = gtk[0] & 0x3;
1454 gtk += 1;
1455 gtk_len -= 1;
1456
1457 key_rsc = gtk;
1458
1459 gtk += 6;
1460 gtk_len -= 6;
1461
1462 os_memcpy(gd.gtk, gtk, gtk_len);
1463 gd.gtk_len = gtk_len;
1464
1465 ret = 0;
1466 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, gtk_len,
1467 gtk_len, &gd.key_rsc_len,
1468 &gd.alg) ||
1469 wpa_supplicant_install_mlo_gtk(sm, link_id, &gd, key_rsc, 0)) {
1470 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1471 "RSN: Failed to install GTK for MLO Link ID %u",
1472 link_id);
1473 ret = -1;
1474 goto out;
1475 }
1476
1477 out:
1478 forced_memzero(&gd, sizeof(gd));
1479 return ret;
1480 }
1481
1482
wpa_supplicant_pairwise_mlo_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,struct wpa_eapol_ie_parse * ie,int key_info)1483 static int wpa_supplicant_pairwise_mlo_gtk(struct wpa_sm *sm,
1484 const struct wpa_eapol_key *key,
1485 struct wpa_eapol_ie_parse *ie,
1486 int key_info)
1487 {
1488 u8 i;
1489
1490 for (i = 0; i < MAX_NUM_MLO_LINKS; i++) {
1491 if (!(sm->mlo.valid_links & BIT(i)))
1492 continue;
1493
1494 if (!ie->mlo_gtk[i]) {
1495 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1496 "MLO RSN: GTK not found for link ID %u", i);
1497 return -1;
1498 }
1499
1500 if (wpa_supplicant_mlo_gtk(sm, i, ie->mlo_gtk[i],
1501 ie->mlo_gtk_len[i], key_info))
1502 return -1;
1503 }
1504
1505 return 0;
1506 }
1507
1508
wpa_supplicant_pairwise_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * gtk,size_t gtk_len,int key_info)1509 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
1510 const struct wpa_eapol_key *key,
1511 const u8 *gtk, size_t gtk_len,
1512 int key_info)
1513 {
1514 struct wpa_gtk_data gd;
1515 const u8 *key_rsc;
1516
1517 /*
1518 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
1519 * GTK KDE format:
1520 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
1521 * Reserved [bits 0-7]
1522 * GTK
1523 */
1524
1525 os_memset(&gd, 0, sizeof(gd));
1526 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
1527 gtk, gtk_len);
1528
1529 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
1530 return -1;
1531
1532 gd.keyidx = gtk[0] & 0x3;
1533 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1534 !!(gtk[0] & BIT(2)));
1535 gtk += 2;
1536 gtk_len -= 2;
1537
1538 os_memcpy(gd.gtk, gtk, gtk_len);
1539 gd.gtk_len = gtk_len;
1540
1541 key_rsc = key->key_rsc;
1542 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1543 key_rsc = null_rsc;
1544
1545 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1546 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1547 gtk_len, gtk_len,
1548 &gd.key_rsc_len, &gd.alg) ||
1549 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
1550 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1551 "RSN: Failed to install GTK");
1552 forced_memzero(&gd, sizeof(gd));
1553 return -1;
1554 }
1555 forced_memzero(&gd, sizeof(gd));
1556
1557 return 0;
1558 }
1559
1560
wpa_supplicant_install_igtk(struct wpa_sm * sm,const struct wpa_igtk_kde * igtk,int wnm_sleep)1561 static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
1562 const struct wpa_igtk_kde *igtk,
1563 int wnm_sleep)
1564 {
1565 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1566 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1567
1568 /* Detect possible key reinstallation */
1569 if ((sm->igtk.igtk_len == len &&
1570 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
1571 (sm->igtk_wnm_sleep.igtk_len == len &&
1572 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1573 sm->igtk_wnm_sleep.igtk_len) == 0)) {
1574 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1575 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1576 keyidx);
1577 return 0;
1578 }
1579
1580 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1581 "WPA: IGTK keyid %d pn " COMPACT_MACSTR,
1582 keyidx, MAC2STR(igtk->pn));
1583 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
1584 if (keyidx > 4095) {
1585 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1586 "WPA: Invalid IGTK KeyID %d", keyidx);
1587 return -1;
1588 }
1589 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1590 broadcast_ether_addr,
1591 keyidx, 0, igtk->pn, sizeof(igtk->pn),
1592 igtk->igtk, len, KEY_FLAG_GROUP_RX) < 0) {
1593 if (keyidx == 0x0400 || keyidx == 0x0500) {
1594 /* Assume the AP has broken PMF implementation since it
1595 * seems to have swapped the KeyID bytes. The AP cannot
1596 * be trusted to implement BIP correctly or provide a
1597 * valid IGTK, so do not try to configure this key with
1598 * swapped KeyID bytes. Instead, continue without
1599 * configuring the IGTK so that the driver can drop any
1600 * received group-addressed robust management frames due
1601 * to missing keys.
1602 *
1603 * Normally, this error behavior would result in us
1604 * disconnecting, but there are number of deployed APs
1605 * with this broken behavior, so as an interoperability
1606 * workaround, allow the connection to proceed. */
1607 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1608 "WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order");
1609 } else {
1610 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1611 "WPA: Failed to configure IGTK to the driver");
1612 return -1;
1613 }
1614 }
1615
1616 if (wnm_sleep) {
1617 sm->igtk_wnm_sleep.igtk_len = len;
1618 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1619 sm->igtk_wnm_sleep.igtk_len);
1620 } else {
1621 sm->igtk.igtk_len = len;
1622 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
1623 }
1624
1625 return 0;
1626 }
1627
1628
wpa_supplicant_install_bigtk(struct wpa_sm * sm,const struct wpa_bigtk_kde * bigtk,int wnm_sleep)1629 static int wpa_supplicant_install_bigtk(struct wpa_sm *sm,
1630 const struct wpa_bigtk_kde *bigtk,
1631 int wnm_sleep)
1632 {
1633 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1634 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1635
1636 /* Detect possible key reinstallation */
1637 if ((sm->bigtk.bigtk_len == len &&
1638 os_memcmp(sm->bigtk.bigtk, bigtk->bigtk,
1639 sm->bigtk.bigtk_len) == 0) ||
1640 (sm->bigtk_wnm_sleep.bigtk_len == len &&
1641 os_memcmp(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1642 sm->bigtk_wnm_sleep.bigtk_len) == 0)) {
1643 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1644 "WPA: Not reinstalling already in-use BIGTK to the driver (keyidx=%d)",
1645 keyidx);
1646 return 0;
1647 }
1648
1649 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1650 "WPA: BIGTK keyid %d pn " COMPACT_MACSTR,
1651 keyidx, MAC2STR(bigtk->pn));
1652 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK", bigtk->bigtk, len);
1653 if (keyidx < 6 || keyidx > 7) {
1654 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1655 "WPA: Invalid BIGTK KeyID %d", keyidx);
1656 return -1;
1657 }
1658 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1659 broadcast_ether_addr,
1660 keyidx, 0, bigtk->pn, sizeof(bigtk->pn),
1661 bigtk->bigtk, len, KEY_FLAG_GROUP_RX) < 0) {
1662 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1663 "WPA: Failed to configure BIGTK to the driver");
1664 return -1;
1665 }
1666
1667 if (wnm_sleep) {
1668 sm->bigtk_wnm_sleep.bigtk_len = len;
1669 os_memcpy(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1670 sm->bigtk_wnm_sleep.bigtk_len);
1671 } else {
1672 sm->bigtk.bigtk_len = len;
1673 os_memcpy(sm->bigtk.bigtk, bigtk->bigtk, sm->bigtk.bigtk_len);
1674 }
1675
1676 return 0;
1677 }
1678
1679
wpa_supplicant_install_mlo_igtk(struct wpa_sm * sm,u8 link_id,const struct rsn_mlo_igtk_kde * igtk,int wnm_sleep)1680 static int wpa_supplicant_install_mlo_igtk(struct wpa_sm *sm, u8 link_id,
1681 const struct rsn_mlo_igtk_kde *igtk,
1682 int wnm_sleep)
1683 {
1684 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1685 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1686
1687 /* Detect possible key reinstallation */
1688 if ((sm->mlo.links[link_id].igtk.igtk_len == len &&
1689 os_memcmp(sm->mlo.links[link_id].igtk.igtk, igtk->igtk,
1690 sm->mlo.links[link_id].igtk.igtk_len) == 0) ||
1691 (sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len == len &&
1692 os_memcmp(sm->mlo.links[link_id].igtk_wnm_sleep.igtk, igtk->igtk,
1693 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len) == 0)) {
1694 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1695 "RSN: Not reinstalling already in-use IGTK to the driver (link_id=%d keyidx=%d)",
1696 link_id, keyidx);
1697 return 0;
1698 }
1699
1700 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1701 "RSN: MLO Link %u IGTK keyid %d pn " COMPACT_MACSTR,
1702 link_id, keyidx, MAC2STR(igtk->pn));
1703 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: IGTK", igtk->igtk, len);
1704 if (keyidx > 4095) {
1705 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1706 "RSN: Invalid MLO Link %d IGTK KeyID %d", link_id,
1707 keyidx);
1708 return -1;
1709 }
1710 if (wpa_sm_set_key(sm, link_id,
1711 wpa_cipher_to_alg(sm->mgmt_group_cipher),
1712 broadcast_ether_addr, keyidx, 0, igtk->pn,
1713 sizeof(igtk->pn), igtk->igtk, len,
1714 KEY_FLAG_GROUP_RX) < 0) {
1715 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1716 "RSN: Failed to configure MLO Link %d IGTK to the driver",
1717 link_id);
1718 return -1;
1719 }
1720
1721 if (wnm_sleep) {
1722 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len = len;
1723 os_memcpy(sm->mlo.links[link_id].igtk_wnm_sleep.igtk,
1724 igtk->igtk,
1725 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len);
1726 } else {
1727 sm->mlo.links[link_id].igtk.igtk_len = len;
1728 os_memcpy(sm->mlo.links[link_id].igtk.igtk, igtk->igtk,
1729 sm->mlo.links[link_id].igtk.igtk_len);
1730 }
1731
1732 return 0;
1733 }
1734
1735
1736 static int
wpa_supplicant_install_mlo_bigtk(struct wpa_sm * sm,u8 link_id,const struct rsn_mlo_bigtk_kde * bigtk,int wnm_sleep)1737 wpa_supplicant_install_mlo_bigtk(struct wpa_sm *sm, u8 link_id,
1738 const struct rsn_mlo_bigtk_kde *bigtk,
1739 int wnm_sleep)
1740 {
1741 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1742 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1743
1744 /* Detect possible key reinstallation */
1745 if ((sm->mlo.links[link_id].bigtk.bigtk_len == len &&
1746 os_memcmp(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk,
1747 sm->mlo.links[link_id].bigtk.bigtk_len) == 0) ||
1748 (sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len == len &&
1749 os_memcmp(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk,
1750 bigtk->bigtk,
1751 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len) ==
1752 0)) {
1753 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1754 "RSN: Not reinstalling already in-use BIGTK to the driver (link_id=%d keyidx=%d)",
1755 link_id, keyidx);
1756 return 0;
1757 }
1758
1759 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1760 "RSN: MLO Link %u BIGTK keyid %d pn " COMPACT_MACSTR,
1761 link_id, keyidx, MAC2STR(bigtk->pn));
1762 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: BIGTK", bigtk->bigtk,
1763 len);
1764 if (keyidx < 6 || keyidx > 7) {
1765 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1766 "RSN: Invalid MLO Link %d BIGTK KeyID %d", link_id,
1767 keyidx);
1768 return -1;
1769 }
1770 if (wpa_sm_set_key(sm, link_id,
1771 wpa_cipher_to_alg(sm->mgmt_group_cipher),
1772 broadcast_ether_addr, keyidx, 0, bigtk->pn,
1773 sizeof(bigtk->pn), bigtk->bigtk, len,
1774 KEY_FLAG_GROUP_RX) < 0) {
1775 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1776 "RSN: Failed to configure MLO Link %d BIGTK to the driver",
1777 link_id);
1778 return -1;
1779 }
1780
1781 if (wnm_sleep) {
1782 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len = len;
1783 os_memcpy(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk,
1784 bigtk->bigtk,
1785 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len);
1786 } else {
1787 sm->mlo.links[link_id].bigtk.bigtk_len = len;
1788 os_memcpy(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk,
1789 sm->mlo.links[link_id].bigtk.bigtk_len);
1790 }
1791
1792 return 0;
1793 }
1794
1795
_mlo_ieee80211w_set_keys(struct wpa_sm * sm,u8 link_id,struct wpa_eapol_ie_parse * ie)1796 static int _mlo_ieee80211w_set_keys(struct wpa_sm *sm, u8 link_id,
1797 struct wpa_eapol_ie_parse *ie)
1798 {
1799 size_t len;
1800
1801 if (ie->mlo_igtk[link_id]) {
1802 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1803 if (ie->mlo_igtk_len[link_id] !=
1804 RSN_MLO_IGTK_KDE_PREFIX_LENGTH + len)
1805 return -1;
1806
1807 if (wpa_supplicant_install_mlo_igtk(
1808 sm, link_id,
1809 (const struct rsn_mlo_igtk_kde *)
1810 ie->mlo_igtk[link_id],
1811 0) < 0)
1812 return -1;
1813 }
1814
1815 if (ie->mlo_bigtk[link_id] && sm->beacon_prot) {
1816 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1817 if (ie->mlo_bigtk_len[link_id] !=
1818 RSN_MLO_BIGTK_KDE_PREFIX_LENGTH + len)
1819 return -1;
1820
1821 if (wpa_supplicant_install_mlo_bigtk(
1822 sm, link_id,
1823 (const struct rsn_mlo_bigtk_kde *)
1824 ie->mlo_bigtk[link_id],
1825 0) < 0)
1826 return -1;
1827 }
1828
1829 return 0;
1830 }
1831
1832
mlo_ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1833 static int mlo_ieee80211w_set_keys(struct wpa_sm *sm,
1834 struct wpa_eapol_ie_parse *ie)
1835 {
1836 u8 i;
1837
1838 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1839 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1840 return 0;
1841
1842 for (i = 0; i < MAX_NUM_MLO_LINKS; i++) {
1843 if (!(sm->mlo.valid_links & BIT(i)))
1844 continue;
1845
1846 if (_mlo_ieee80211w_set_keys(sm, i, ie))
1847 return -1;
1848 }
1849
1850 return 0;
1851 }
1852
1853
ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1854 static int ieee80211w_set_keys(struct wpa_sm *sm,
1855 struct wpa_eapol_ie_parse *ie)
1856 {
1857 size_t len;
1858
1859 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1860 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1861 return 0;
1862
1863 if (ie->igtk) {
1864 const struct wpa_igtk_kde *igtk;
1865
1866 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1867 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
1868 return -1;
1869
1870 igtk = (const struct wpa_igtk_kde *) ie->igtk;
1871 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
1872 return -1;
1873 }
1874
1875 if (ie->bigtk && sm->beacon_prot) {
1876 const struct wpa_bigtk_kde *bigtk;
1877
1878 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1879 if (ie->bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + len)
1880 return -1;
1881
1882 bigtk = (const struct wpa_bigtk_kde *) ie->bigtk;
1883 if (wpa_supplicant_install_bigtk(sm, bigtk, 0) < 0)
1884 return -1;
1885 }
1886
1887 return 0;
1888 }
1889
1890
wpa_report_ie_mismatch(struct wpa_sm * sm,const char * reason,const u8 * src_addr,const u8 * wpa_ie,size_t wpa_ie_len,const u8 * rsn_ie,size_t rsn_ie_len)1891 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
1892 const char *reason, const u8 *src_addr,
1893 const u8 *wpa_ie, size_t wpa_ie_len,
1894 const u8 *rsn_ie, size_t rsn_ie_len)
1895 {
1896 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
1897 reason, MAC2STR(src_addr));
1898
1899 if (sm->ap_wpa_ie) {
1900 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
1901 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
1902 }
1903 if (wpa_ie) {
1904 if (!sm->ap_wpa_ie) {
1905 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1906 "WPA: No WPA IE in Beacon/ProbeResp");
1907 }
1908 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
1909 wpa_ie, wpa_ie_len);
1910 }
1911
1912 if (sm->ap_rsn_ie) {
1913 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1914 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1915 }
1916 if (rsn_ie) {
1917 if (!sm->ap_rsn_ie) {
1918 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1919 "WPA: No RSN IE in Beacon/ProbeResp");
1920 }
1921 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1922 rsn_ie, rsn_ie_len);
1923 }
1924
1925 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
1926 }
1927
1928
1929 #ifdef CONFIG_IEEE80211R
1930
ft_validate_mdie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_mdie)1931 static int ft_validate_mdie(struct wpa_sm *sm,
1932 const unsigned char *src_addr,
1933 struct wpa_eapol_ie_parse *ie,
1934 const u8 *assoc_resp_mdie)
1935 {
1936 struct rsn_mdie *mdie;
1937
1938 mdie = (struct rsn_mdie *) (ie->mdie + 2);
1939 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
1940 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
1941 MOBILITY_DOMAIN_ID_LEN) != 0) {
1942 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
1943 "not match with the current mobility domain");
1944 return -1;
1945 }
1946
1947 if (assoc_resp_mdie &&
1948 (assoc_resp_mdie[1] != ie->mdie[1] ||
1949 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
1950 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
1951 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
1952 ie->mdie, 2 + ie->mdie[1]);
1953 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
1954 assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
1955 return -1;
1956 }
1957
1958 return 0;
1959 }
1960
1961
ft_validate_ftie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_ftie)1962 static int ft_validate_ftie(struct wpa_sm *sm,
1963 const unsigned char *src_addr,
1964 struct wpa_eapol_ie_parse *ie,
1965 const u8 *assoc_resp_ftie)
1966 {
1967 if (ie->ftie == NULL) {
1968 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1969 "FT: No FTIE in EAPOL-Key msg 3/4");
1970 return -1;
1971 }
1972
1973 if (assoc_resp_ftie == NULL)
1974 return 0;
1975
1976 if (assoc_resp_ftie[1] != ie->ftie[1] ||
1977 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
1978 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
1979 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
1980 ie->ftie, 2 + ie->ftie[1]);
1981 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
1982 assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
1983 return -1;
1984 }
1985
1986 return 0;
1987 }
1988
1989
ft_validate_rsnie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1990 static int ft_validate_rsnie(struct wpa_sm *sm,
1991 const unsigned char *src_addr,
1992 struct wpa_eapol_ie_parse *ie)
1993 {
1994 struct wpa_ie_data rsn;
1995
1996 if (!ie->rsn_ie)
1997 return 0;
1998
1999 /*
2000 * Verify that PMKR1Name from EAPOL-Key message 3/4
2001 * matches with the value we derived.
2002 */
2003 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
2004 rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
2005 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
2006 "FT 4-way handshake message 3/4");
2007 return -1;
2008 }
2009
2010 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
2011 {
2012 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2013 "FT: PMKR1Name mismatch in "
2014 "FT 4-way handshake message 3/4");
2015 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
2016 rsn.pmkid, WPA_PMK_NAME_LEN);
2017 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2018 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2019 return -1;
2020 }
2021
2022 return 0;
2023 }
2024
2025
wpa_supplicant_validate_ie_ft(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2026 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
2027 const unsigned char *src_addr,
2028 struct wpa_eapol_ie_parse *ie)
2029 {
2030 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
2031
2032 if (sm->assoc_resp_ies) {
2033 pos = sm->assoc_resp_ies;
2034 end = pos + sm->assoc_resp_ies_len;
2035 while (end - pos > 2) {
2036 if (2 + pos[1] > end - pos)
2037 break;
2038 switch (*pos) {
2039 case WLAN_EID_MOBILITY_DOMAIN:
2040 mdie = pos;
2041 break;
2042 case WLAN_EID_FAST_BSS_TRANSITION:
2043 ftie = pos;
2044 break;
2045 }
2046 pos += 2 + pos[1];
2047 }
2048 }
2049
2050 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
2051 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
2052 ft_validate_rsnie(sm, src_addr, ie) < 0)
2053 return -1;
2054
2055 return 0;
2056 }
2057
2058 #endif /* CONFIG_IEEE80211R */
2059
2060
wpa_supplicant_validate_ie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2061 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
2062 const unsigned char *src_addr,
2063 struct wpa_eapol_ie_parse *ie)
2064 {
2065 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
2066 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2067 "WPA: No WPA/RSN IE for this AP known. "
2068 "Trying to get from scan results");
2069 if (wpa_sm_get_beacon_ie(sm) < 0) {
2070 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2071 "WPA: Could not find AP from "
2072 "the scan results");
2073 return -1;
2074 }
2075 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
2076 "WPA: Found the current AP from updated scan results");
2077 }
2078
2079 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
2080 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
2081 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
2082 "with IE in Beacon/ProbeResp (no IE?)",
2083 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2084 ie->rsn_ie, ie->rsn_ie_len);
2085 return -1;
2086 }
2087
2088 if ((ie->wpa_ie && sm->ap_wpa_ie &&
2089 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
2090 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
2091 (ie->rsn_ie && sm->ap_rsn_ie &&
2092 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2093 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
2094 ie->rsn_ie, ie->rsn_ie_len))) {
2095 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
2096 "with IE in Beacon/ProbeResp",
2097 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2098 ie->rsn_ie, ie->rsn_ie_len);
2099 return -1;
2100 }
2101
2102 if (sm->proto == WPA_PROTO_WPA &&
2103 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
2104 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
2105 "detected - RSN was enabled and RSN IE "
2106 "was in msg 3/4, but not in "
2107 "Beacon/ProbeResp",
2108 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2109 ie->rsn_ie, ie->rsn_ie_len);
2110 return -1;
2111 }
2112
2113 if (sm->proto == WPA_PROTO_RSN &&
2114 ((sm->ap_rsnxe && !ie->rsnxe) ||
2115 (!sm->ap_rsnxe && ie->rsnxe) ||
2116 (sm->ap_rsnxe && ie->rsnxe &&
2117 (sm->ap_rsnxe_len != ie->rsnxe_len ||
2118 os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) {
2119 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2120 "WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2121 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
2122 sm->ap_rsnxe, sm->ap_rsnxe_len);
2123 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
2124 ie->rsnxe, ie->rsnxe_len);
2125 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2126 return -1;
2127 }
2128
2129 #ifdef CONFIG_IEEE80211R
2130 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
2131 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
2132 return -1;
2133 #endif /* CONFIG_IEEE80211R */
2134
2135 return 0;
2136 }
2137
2138
2139 /**
2140 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
2141 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2142 * @dst: Destination address for the frame
2143 * @key: Pointer to the EAPOL-Key frame header
2144 * @ver: Version bits from EAPOL-Key Key Info
2145 * @key_info: Key Info
2146 * @ptk: PTK to use for keyed hash and encryption
2147 * Returns: >= 0 on success, < 0 on failure
2148 */
wpa_supplicant_send_4_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,u16 ver,u16 key_info,struct wpa_ptk * ptk)2149 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
2150 const struct wpa_eapol_key *key,
2151 u16 ver, u16 key_info,
2152 struct wpa_ptk *ptk)
2153 {
2154 size_t mic_len, hdrlen, rlen;
2155 struct wpa_eapol_key *reply;
2156 u8 *rbuf, *key_mic;
2157 u8 *kde = NULL;
2158 size_t kde_len = 0;
2159
2160 if (sm->mlo.valid_links) {
2161 u8 *pos;
2162
2163 kde = os_malloc(RSN_SELECTOR_LEN + ETH_ALEN + 2);
2164 if (!kde)
2165 return -1;
2166
2167 /* Add MAC KDE */
2168 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 4/4");
2169 pos = kde;
2170 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
2171 ETH_ALEN);
2172 kde_len = pos - kde;
2173 }
2174
2175 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2176 hdrlen = sizeof(*reply) + mic_len + 2;
2177 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
2178 hdrlen + kde_len, &rlen, (void *) &reply);
2179 if (!rbuf) {
2180 os_free(kde);
2181 return -1;
2182 }
2183
2184 reply->type = (sm->proto == WPA_PROTO_RSN ||
2185 sm->proto == WPA_PROTO_OSEN) ?
2186 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2187 key_info &= WPA_KEY_INFO_SECURE;
2188 key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
2189 if (mic_len)
2190 key_info |= WPA_KEY_INFO_MIC;
2191 else
2192 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2193 WPA_PUT_BE16(reply->key_info, key_info);
2194 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
2195 WPA_PUT_BE16(reply->key_length, 0);
2196 else
2197 os_memcpy(reply->key_length, key->key_length, 2);
2198 os_memcpy(reply->replay_counter, key->replay_counter,
2199 WPA_REPLAY_COUNTER_LEN);
2200
2201 key_mic = (u8 *) (reply + 1);
2202 WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data length */
2203 if (kde) {
2204 os_memcpy(key_mic + mic_len + 2, kde, kde_len); /* Key Data */
2205 os_free(kde);
2206 }
2207
2208 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Sending EAPOL-Key 4/4");
2209 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
2210 key_mic);
2211 }
2212
2213
wpa_supplicant_validate_link_kde(struct wpa_sm * sm,u8 link_id,const u8 * link_kde,size_t link_kde_len)2214 static int wpa_supplicant_validate_link_kde(struct wpa_sm *sm, u8 link_id,
2215 const u8 *link_kde,
2216 size_t link_kde_len)
2217 {
2218 size_t rsne_len = 0, rsnxe_len = 0;
2219 const u8 *rsne = NULL, *rsnxe = NULL;
2220
2221 if (!link_kde ||
2222 link_kde_len < RSN_MLO_LINK_KDE_LINK_MAC_INDEX + ETH_ALEN) {
2223 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2224 "RSN: MLO Link KDE is not found for link ID %d",
2225 link_id);
2226 return -1;
2227 }
2228
2229 if (os_memcmp(sm->mlo.links[link_id].bssid,
2230 &link_kde[RSN_MLO_LINK_KDE_LINK_MAC_INDEX],
2231 ETH_ALEN) != 0) {
2232 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2233 "RSN: MLO Link %u MAC address (" MACSTR
2234 ") not matching association response (" MACSTR ")",
2235 link_id,
2236 MAC2STR(&link_kde[RSN_MLO_LINK_KDE_LINK_MAC_INDEX]),
2237 MAC2STR(sm->mlo.links[link_id].bssid));
2238 return -1;
2239 }
2240
2241 if (link_kde[0] & RSN_MLO_LINK_KDE_LI_RSNE_INFO) {
2242 rsne = link_kde + RSN_MLO_LINK_KDE_FIXED_LENGTH;
2243 if (link_kde_len < RSN_MLO_LINK_KDE_FIXED_LENGTH + 2 ||
2244 link_kde_len <
2245 (size_t) (RSN_MLO_LINK_KDE_FIXED_LENGTH + 2 + rsne[1])) {
2246 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2247 "RSN: No room for link %u RSNE in MLO Link KDE",
2248 link_id);
2249 return -1;
2250 }
2251
2252 rsne_len = rsne[1] + 2;
2253 }
2254
2255 if (!rsne) {
2256 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2257 "RSN: RSNE not present in MLO Link %u KDE", link_id);
2258 return -1;
2259 }
2260
2261 if (link_kde[0] & RSN_MLO_LINK_KDE_LI_RSNXE_INFO) {
2262 rsnxe = link_kde + RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len;
2263 if (link_kde_len <
2264 (RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len + 2) ||
2265 link_kde_len <
2266 (RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len + 2 + rsnxe[1])) {
2267 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2268 "RSN: No room for link %u RSNXE in MLO Link KDE",
2269 link_id);
2270 return -1;
2271 }
2272
2273 rsnxe_len = rsnxe[1] + 2;
2274 }
2275
2276 if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2277 sm->mlo.links[link_id].ap_rsne,
2278 sm->mlo.links[link_id].ap_rsne_len,
2279 rsne, rsne_len)) {
2280 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2281 "RSN MLO: IE in 3/4 msg does not match with IE in Beacon/ProbeResp for link ID %u",
2282 link_id);
2283 wpa_hexdump(MSG_INFO, "RSNE in Beacon/ProbeResp",
2284 sm->mlo.links[link_id].ap_rsne,
2285 sm->mlo.links[link_id].ap_rsne_len);
2286 wpa_hexdump(MSG_INFO, "RSNE in EAPOL-Key msg 3/4",
2287 rsne, rsne_len);
2288 return -1;
2289 }
2290
2291 if ((sm->mlo.links[link_id].ap_rsnxe && !rsnxe) ||
2292 (!sm->mlo.links[link_id].ap_rsnxe && rsnxe) ||
2293 (sm->mlo.links[link_id].ap_rsnxe && rsnxe &&
2294 (sm->mlo.links[link_id].ap_rsnxe_len != rsnxe_len ||
2295 os_memcmp(sm->mlo.links[link_id].ap_rsnxe, rsnxe,
2296 sm->mlo.links[link_id].ap_rsnxe_len) != 0))) {
2297 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2298 "RSN MLO: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4 for link ID %u",
2299 link_id);
2300 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
2301 sm->mlo.links[link_id].ap_rsnxe,
2302 sm->mlo.links[link_id].ap_rsnxe_len);
2303 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
2304 rsnxe, rsnxe_len);
2305 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2306 return -1;
2307 }
2308
2309 return 0;
2310 }
2311
2312
wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm * sm,u8 link_id,struct wpa_eapol_ie_parse * ie)2313 static int wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm *sm,
2314 u8 link_id,
2315 struct wpa_eapol_ie_parse *ie)
2316 {
2317 if (ie->mlo_igtk[link_id] &&
2318 ie->mlo_igtk_len[link_id] != RSN_MLO_IGTK_KDE_PREFIX_LENGTH +
2319 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2320 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2321 "RSN MLO: Invalid IGTK KDE length %lu for link ID %u",
2322 (unsigned long) ie->mlo_igtk_len, link_id);
2323 return -1;
2324 }
2325
2326 if (!sm->beacon_prot)
2327 return 0;
2328
2329 if (ie->mlo_bigtk[link_id] &&
2330 ie->mlo_bigtk_len[link_id] != RSN_MLO_BIGTK_KDE_PREFIX_LENGTH +
2331 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2332 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2333 "RSN MLO: Invalid BIGTK KDE length %lu for link ID %u",
2334 (unsigned long) ie->mlo_bigtk_len, link_id);
2335 return -1;
2336 }
2337
2338 return 0;
2339 }
2340
2341
wpa_supplicant_process_3_of_4_wpa(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)2342 static void wpa_supplicant_process_3_of_4_wpa(struct wpa_sm *sm,
2343 const struct wpa_eapol_key *key,
2344 u16 ver, const u8 *key_data,
2345 size_t key_data_len)
2346 {
2347 u16 key_info, keylen;
2348 struct wpa_eapol_ie_parse ie;
2349
2350 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
2351 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2352 "WPA: RX message 3 of 4-Way Handshake from " MACSTR
2353 " (ver=%d)", MAC2STR(sm->bssid), ver);
2354
2355 key_info = WPA_GET_BE16(key->key_info);
2356
2357 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
2358 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
2359 goto failed;
2360
2361 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
2362 goto failed;
2363
2364 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2365 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2366 "WPA: ANonce from message 1 of 4-Way Handshake differs from 3 of 4-Way Handshake - drop packet (src="
2367 MACSTR ")", MAC2STR(sm->bssid));
2368 goto failed;
2369 }
2370
2371 keylen = WPA_GET_BE16(key->key_length);
2372 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
2373 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2374 "WPA: Invalid %s key length %d (src=" MACSTR ")",
2375 wpa_cipher_txt(sm->pairwise_cipher), keylen,
2376 MAC2STR(sm->bssid));
2377 goto failed;
2378 }
2379
2380 if (wpa_supplicant_send_4_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
2381 key_info, &sm->ptk) < 0)
2382 goto failed;
2383
2384 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
2385 * for the next 4-Way Handshake. If msg 3 is received again, the old
2386 * SNonce will still be used to avoid changing PTK. */
2387 sm->renew_snonce = 1;
2388
2389 if ((key_info & WPA_KEY_INFO_INSTALL) &&
2390 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX_TX))
2391 goto failed;
2392
2393 if (key_info & WPA_KEY_INFO_SECURE) {
2394 wpa_sm_mlme_setprotection(
2395 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2396 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
2397 eapol_sm_notify_portValid(sm->eapol, true);
2398 }
2399 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2400
2401 sm->msg_3_of_4_ok = 1;
2402 return;
2403
2404 failed:
2405 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2406 }
2407
2408
wpa_supplicant_process_3_of_4(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)2409 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
2410 const struct wpa_eapol_key *key,
2411 u16 ver, const u8 *key_data,
2412 size_t key_data_len)
2413 {
2414 u16 key_info, keylen;
2415 struct wpa_eapol_ie_parse ie;
2416 bool mlo = sm->mlo.valid_links;
2417 int i;
2418
2419 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
2420 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO,
2421 "RSN: RX message 3 of 4-Way Handshake from " MACSTR
2422 " (ver=%d)%s", MAC2STR(sm->bssid), ver, mlo ? " (MLO)" : "");
2423
2424 key_info = WPA_GET_BE16(key->key_info);
2425
2426 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
2427 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
2428 goto failed;
2429
2430 if (mlo && !ie.valid_mlo_gtks) {
2431 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2432 "MLO RSN: No GTK KDE included in EAPOL-Key msg 3/4");
2433 goto failed;
2434 }
2435 if (mlo &&
2436 (key_info &
2437 (WPA_KEY_INFO_ENCR_KEY_DATA | WPA_KEY_INFO_INSTALL |
2438 WPA_KEY_INFO_SECURE)) !=
2439 (WPA_KEY_INFO_ENCR_KEY_DATA | WPA_KEY_INFO_INSTALL |
2440 WPA_KEY_INFO_SECURE)) {
2441 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2442 "RSN MLO: Invalid key info (0x%x) in EAPOL-Key msg 3/4",
2443 key_info);
2444 goto failed;
2445 }
2446
2447 if (mlo && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) {
2448 wpa_printf(MSG_DEBUG, "RSN: Invalid AP MLD MAC address KDE");
2449 goto failed;
2450 }
2451
2452 for (i = 0; mlo && i < MAX_NUM_MLD_LINKS; i++) {
2453 if (!(sm->mlo.req_links & BIT(i)))
2454 continue;
2455
2456 if (wpa_supplicant_validate_link_kde(sm, i, ie.mlo_link[i],
2457 ie.mlo_link_len[i]) < 0)
2458 goto failed;
2459
2460 if (!(sm->mlo.valid_links & BIT(i)))
2461 continue;
2462
2463 if (!ie.mlo_gtk[i]) {
2464 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2465 "RSN: GTK not found for link ID %u", i);
2466 goto failed;
2467 }
2468
2469 if (sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
2470 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
2471 wpa_validate_mlo_ieee80211w_kdes(sm, i, &ie) < 0)
2472 goto failed;
2473 }
2474
2475 #ifdef CONFIG_IEEE80211R
2476 if (mlo && wpa_key_mgmt_ft(sm->key_mgmt) &&
2477 wpa_supplicant_validate_ie_ft(sm, sm->bssid, &ie) < 0)
2478 goto failed;
2479 #endif /* CONFIG_IEEE80211R */
2480
2481 if (!mlo && ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2482 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2483 "WPA: GTK IE in unencrypted key data");
2484 goto failed;
2485 }
2486 if (!mlo && ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2487 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2488 "WPA: IGTK KDE in unencrypted key data");
2489 goto failed;
2490 }
2491
2492 if (!mlo && ie.igtk &&
2493 sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
2494 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
2495 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
2496 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2497 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2498 "WPA: Invalid IGTK KDE length %lu",
2499 (unsigned long) ie.igtk_len);
2500 goto failed;
2501 }
2502
2503 if (!mlo && wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
2504 goto failed;
2505
2506 if (wpa_handle_ext_key_id(sm, &ie))
2507 goto failed;
2508
2509 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2510 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2511 "WPA: ANonce from message 1 of 4-Way Handshake "
2512 "differs from 3 of 4-Way Handshake - drop packet (src="
2513 MACSTR ")", MAC2STR(sm->bssid));
2514 goto failed;
2515 }
2516
2517 keylen = WPA_GET_BE16(key->key_length);
2518 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
2519 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2520 "WPA: Invalid %s key length %d (src=" MACSTR
2521 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
2522 MAC2STR(sm->bssid));
2523 goto failed;
2524 }
2525
2526 #ifdef CONFIG_P2P
2527 if (ie.ip_addr_alloc) {
2528 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
2529 wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
2530 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
2531 }
2532 #endif /* CONFIG_P2P */
2533
2534 #ifdef CONFIG_OCV
2535 if (wpa_sm_ocv_enabled(sm)) {
2536 struct wpa_channel_info ci;
2537
2538 if (wpa_sm_channel_info(sm, &ci) != 0) {
2539 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2540 "Failed to get channel info to validate received OCI in EAPOL-Key 3/4");
2541 return;
2542 }
2543
2544 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
2545 channel_width_to_int(ci.chanwidth),
2546 ci.seg1_idx) != OCI_SUCCESS) {
2547 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
2548 "addr=" MACSTR " frame=eapol-key-m3 error=%s",
2549 MAC2STR(sm->bssid), ocv_errorstr);
2550 return;
2551 }
2552 }
2553 #endif /* CONFIG_OCV */
2554
2555 #ifdef CONFIG_DPP2
2556 if (DPP_VERSION > 1 && ie.dpp_kde) {
2557 wpa_printf(MSG_DEBUG,
2558 "DPP: peer Protocol Version %u Flags 0x%x",
2559 ie.dpp_kde[0], ie.dpp_kde[1]);
2560 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_pfs != 2 &&
2561 (ie.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && !sm->dpp_z) {
2562 wpa_printf(MSG_INFO,
2563 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
2564 goto failed;
2565 }
2566 }
2567 #endif /* CONFIG_DPP2 */
2568
2569 if (sm->use_ext_key_id &&
2570 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX))
2571 goto failed;
2572
2573 if (wpa_supplicant_send_4_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
2574 key_info, &sm->ptk) < 0)
2575 goto failed;
2576
2577 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
2578 * for the next 4-Way Handshake. If msg 3 is received again, the old
2579 * SNonce will still be used to avoid changing PTK. */
2580 sm->renew_snonce = 1;
2581
2582 if (key_info & WPA_KEY_INFO_INSTALL) {
2583 int res;
2584
2585 if (sm->use_ext_key_id)
2586 res = wpa_supplicant_activate_ptk(sm);
2587 else
2588 res = wpa_supplicant_install_ptk(sm, key,
2589 KEY_FLAG_RX_TX);
2590 if (res)
2591 goto failed;
2592 }
2593
2594 if (key_info & WPA_KEY_INFO_SECURE) {
2595 wpa_sm_mlme_setprotection(
2596 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2597 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
2598 eapol_sm_notify_portValid(sm->eapol, true);
2599 }
2600 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2601
2602 if (mlo) {
2603 if (wpa_supplicant_pairwise_mlo_gtk(sm, key, &ie,
2604 key_info) < 0) {
2605 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2606 "MLO RSN: Failed to configure MLO GTKs");
2607 goto failed;
2608 }
2609 } else if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
2610 /* No GTK to be set to the driver */
2611 } else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) {
2612 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2613 "RSN: No GTK KDE included in EAPOL-Key msg 3/4");
2614 goto failed;
2615 } else if (ie.gtk &&
2616 wpa_supplicant_pairwise_gtk(sm, key,
2617 ie.gtk, ie.gtk_len, key_info) < 0) {
2618 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2619 "RSN: Failed to configure GTK");
2620 goto failed;
2621 }
2622
2623 if ((mlo && mlo_ieee80211w_set_keys(sm, &ie) < 0) ||
2624 (!mlo && ieee80211w_set_keys(sm, &ie) < 0)) {
2625 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2626 "RSN: Failed to configure IGTK");
2627 goto failed;
2628 }
2629
2630 if (mlo || sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk)
2631 wpa_supplicant_key_neg_complete(sm, sm->bssid,
2632 key_info & WPA_KEY_INFO_SECURE);
2633
2634 if (mlo || ie.gtk)
2635 wpa_sm_set_rekey_offload(sm);
2636
2637 /* Add PMKSA cache entry for Suite B AKMs here since PMKID can be
2638 * calculated only after KCK has been derived. Though, do not replace an
2639 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
2640 * to avoid unnecessary changes of PMKID while continuing to use the
2641 * same PMK. */
2642 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
2643 !sm->cur_pmksa) {
2644 struct rsn_pmksa_cache_entry *sa;
2645
2646 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
2647 sm->ptk.kck, sm->ptk.kck_len,
2648 wpa_sm_get_auth_addr(sm), sm->own_addr,
2649 sm->network_ctx, sm->key_mgmt, NULL);
2650 if (!sm->cur_pmksa)
2651 sm->cur_pmksa = sa;
2652 }
2653
2654 if (ie.transition_disable)
2655 wpa_sm_transition_disable(sm, ie.transition_disable[0]);
2656 sm->msg_3_of_4_ok = 1;
2657 return;
2658
2659 failed:
2660 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2661 }
2662
2663
wpa_supplicant_send_2_of_2(struct wpa_sm * sm,const struct wpa_eapol_key * key,int ver,u16 key_info)2664 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
2665 const struct wpa_eapol_key *key,
2666 int ver, u16 key_info)
2667 {
2668 size_t mic_len, hdrlen, rlen;
2669 struct wpa_eapol_key *reply;
2670 u8 *rbuf, *key_mic;
2671 size_t kde_len = 0;
2672
2673 #ifdef CONFIG_TESTING_OPTIONS
2674 if (sm->disable_eapol_g2_tx) {
2675 wpa_printf(MSG_INFO, "TEST: Disable sending EAPOL-Key 2/2");
2676 return 0;
2677 }
2678 #endif /* CONFIG_TESTING_OPTIONS */
2679
2680 #ifdef CONFIG_OCV
2681 if (wpa_sm_ocv_enabled(sm))
2682 kde_len = OCV_OCI_KDE_LEN;
2683 #endif /* CONFIG_OCV */
2684
2685 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2686 hdrlen = sizeof(*reply) + mic_len + 2;
2687 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
2688 hdrlen + kde_len, &rlen, (void *) &reply);
2689 if (rbuf == NULL)
2690 return -1;
2691
2692 reply->type = (sm->proto == WPA_PROTO_RSN ||
2693 sm->proto == WPA_PROTO_OSEN) ?
2694 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2695 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
2696 key_info |= ver | WPA_KEY_INFO_SECURE;
2697 if (mic_len)
2698 key_info |= WPA_KEY_INFO_MIC;
2699 else
2700 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2701 WPA_PUT_BE16(reply->key_info, key_info);
2702 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
2703 WPA_PUT_BE16(reply->key_length, 0);
2704 else
2705 os_memcpy(reply->key_length, key->key_length, 2);
2706 os_memcpy(reply->replay_counter, key->replay_counter,
2707 WPA_REPLAY_COUNTER_LEN);
2708
2709 key_mic = (u8 *) (reply + 1);
2710 WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */
2711
2712 #ifdef CONFIG_OCV
2713 if (wpa_sm_ocv_enabled(sm)) {
2714 struct wpa_channel_info ci;
2715 u8 *pos;
2716
2717 if (wpa_sm_channel_info(sm, &ci) != 0) {
2718 wpa_printf(MSG_WARNING,
2719 "Failed to get channel info for OCI element in EAPOL-Key 2/2");
2720 os_free(rbuf);
2721 return -1;
2722 }
2723 #ifdef CONFIG_TESTING_OPTIONS
2724 if (sm->oci_freq_override_eapol_g2) {
2725 wpa_printf(MSG_INFO,
2726 "TEST: Override OCI KDE frequency %d -> %d MHz",
2727 ci.frequency,
2728 sm->oci_freq_override_eapol_g2);
2729 ci.frequency = sm->oci_freq_override_eapol_g2;
2730 }
2731 #endif /* CONFIG_TESTING_OPTIONS */
2732
2733 pos = key_mic + mic_len + 2; /* Key Data */
2734 if (ocv_insert_oci_kde(&ci, &pos) < 0) {
2735 os_free(rbuf);
2736 return -1;
2737 }
2738 }
2739 #endif /* CONFIG_OCV */
2740
2741 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
2742 return wpa_eapol_key_send(sm, &sm->ptk, ver, wpa_sm_get_auth_addr(sm),
2743 ETH_P_EAPOL, rbuf, rlen, key_mic);
2744 }
2745
2746
wpa_supplicant_process_mlo_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)2747 static void wpa_supplicant_process_mlo_1_of_2(struct wpa_sm *sm,
2748 const unsigned char *src_addr,
2749 const struct wpa_eapol_key *key,
2750 const u8 *key_data,
2751 size_t key_data_len, u16 ver)
2752 {
2753 u16 key_info;
2754 u8 i;
2755 struct wpa_eapol_ie_parse ie;
2756
2757 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
2758 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2759 "MLO RSN: Group Key Handshake started prior to completion of 4-way handshake");
2760 goto failed;
2761 }
2762
2763 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "MLO RSN: RX message 1 of Group "
2764 "Key Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr),
2765 ver);
2766
2767 key_info = WPA_GET_BE16(key->key_info);
2768
2769 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2770
2771 wpa_hexdump_key(MSG_DEBUG, "MLO RSN: msg 1/2 key data", key_data,
2772 key_data_len);
2773 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
2774 goto failed;
2775
2776 if (!ie.valid_mlo_gtks) {
2777 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2778 "MLO RSN: No MLO GTK KDE in Group Key msg 1/2");
2779 goto failed;
2780 }
2781
2782 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2783 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2784 "MLO RSN: MLO GTK KDE in unencrypted key data");
2785 goto failed;
2786 }
2787
2788 #ifdef CONFIG_OCV
2789 if (wpa_sm_ocv_enabled(sm)) {
2790 struct wpa_channel_info ci;
2791
2792 if (wpa_sm_channel_info(sm, &ci) != 0) {
2793 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2794 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
2795 goto failed;
2796 }
2797
2798 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
2799 channel_width_to_int(ci.chanwidth),
2800 ci.seg1_idx) != OCI_SUCCESS) {
2801 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
2802 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
2803 MAC2STR(sm->bssid), ocv_errorstr);
2804 goto failed;
2805 }
2806 }
2807 #endif /* CONFIG_OCV */
2808
2809 if (mlo_ieee80211w_set_keys(sm, &ie) < 0)
2810 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2811 "MLO RSN: Failed to configure MLO IGTK");
2812
2813 for (i = 0; i < MAX_NUM_MLO_LINKS; i++) {
2814 if (!(sm->mlo.valid_links & BIT(i)))
2815 continue;
2816
2817 /*
2818 * AP may send group keys for subset of the all links during
2819 * rekey
2820 */
2821 if (!ie.mlo_gtk[i])
2822 continue;
2823
2824 if (wpa_supplicant_mlo_gtk(sm, i, ie.mlo_gtk[i],
2825 ie.mlo_gtk_len[i], key_info))
2826 goto failed;
2827 }
2828
2829 if (wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
2830 goto failed;
2831
2832 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "MLO RSN: Group rekeying completed "
2833 "with " MACSTR " [GTK=%s]", MAC2STR(sm->mlo.ap_mld_addr),
2834 wpa_cipher_txt(sm->group_cipher));
2835 wpa_sm_cancel_auth_timeout(sm);
2836 wpa_sm_set_state(sm, WPA_COMPLETED);
2837
2838 wpa_sm_set_rekey_offload(sm);
2839
2840 return;
2841
2842 failed:
2843 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2844 }
2845
2846
wpa_supplicant_process_1_of_2_wpa(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)2847 static void wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
2848 const unsigned char *src_addr,
2849 const struct wpa_eapol_key *key,
2850 const u8 *key_data,
2851 size_t key_data_len, u16 ver)
2852 {
2853 u16 key_info;
2854 int rekey;
2855 struct wpa_gtk_data gd;
2856 const u8 *key_rsc;
2857 size_t maxkeylen;
2858 u16 gtk_len;
2859
2860 if (!sm->msg_3_of_4_ok) {
2861 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2862 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
2863 goto failed;
2864 }
2865
2866 os_memset(&gd, 0, sizeof(gd));
2867
2868 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
2869 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2870 "WPA: RX message 1 of Group Key Handshake from " MACSTR
2871 " (ver=%d)", MAC2STR(src_addr), ver);
2872
2873 key_info = WPA_GET_BE16(key->key_info);
2874
2875 gtk_len = WPA_GET_BE16(key->key_length);
2876 maxkeylen = key_data_len;
2877 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2878 if (maxkeylen < 8) {
2879 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2880 "WPA: Too short maxkeylen (%lu)",
2881 (unsigned long) maxkeylen);
2882 goto failed;
2883 }
2884 maxkeylen -= 8;
2885 }
2886
2887 if (gtk_len > maxkeylen ||
2888 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
2889 gtk_len, maxkeylen,
2890 &gd.key_rsc_len, &gd.alg))
2891 goto failed;
2892
2893 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2894
2895 gd.gtk_len = gtk_len;
2896 gd.keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
2897 WPA_KEY_INFO_KEY_INDEX_SHIFT;
2898 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
2899 #if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS)
2900 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2901 "WPA: RC4 not supported in the build");
2902 goto failed;
2903 #else /* CONFIG_NO_RC4 || CONFIG_FIPS */
2904 u8 ek[32];
2905 if (key_data_len > sizeof(gd.gtk)) {
2906 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2907 "WPA: RC4 key data too long (%lu)",
2908 (unsigned long) key_data_len);
2909 goto failed;
2910 }
2911 os_memcpy(ek, key->key_iv, 16);
2912 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
2913 os_memcpy(gd.gtk, key_data, key_data_len);
2914 if (rc4_skip(ek, 32, 256, gd.gtk, key_data_len)) {
2915 forced_memzero(ek, sizeof(ek));
2916 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2917 "WPA: RC4 failed");
2918 goto failed;
2919 }
2920 forced_memzero(ek, sizeof(ek));
2921 #endif /* CONFIG_NO_RC4 || CONFIG_FIPS */
2922 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2923 if (maxkeylen % 8) {
2924 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2925 "WPA: Unsupported AES-WRAP len %lu",
2926 (unsigned long) maxkeylen);
2927 goto failed;
2928 }
2929 if (maxkeylen > sizeof(gd.gtk)) {
2930 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2931 "WPA: AES-WRAP key data "
2932 "too long (keydatalen=%lu maxkeylen=%lu)",
2933 (unsigned long) key_data_len,
2934 (unsigned long) maxkeylen);
2935 goto failed;
2936 }
2937 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
2938 key_data, gd.gtk)) {
2939 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2940 "WPA: AES unwrap failed - could not decrypt "
2941 "GTK");
2942 goto failed;
2943 }
2944 } else {
2945 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2946 "WPA: Unsupported key_info type %d", ver);
2947 goto failed;
2948 }
2949 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
2950 sm, !!(key_info & WPA_KEY_INFO_TXRX));
2951
2952 key_rsc = key->key_rsc;
2953 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
2954 key_rsc = null_rsc;
2955
2956 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
2957 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
2958 goto failed;
2959 forced_memzero(&gd, sizeof(gd));
2960
2961 if (rekey) {
2962 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2963 "WPA: Group rekeying completed with " MACSTR
2964 " [GTK=%s]",
2965 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
2966 wpa_sm_cancel_auth_timeout(sm);
2967 wpa_sm_set_state(sm, WPA_COMPLETED);
2968 } else {
2969 wpa_supplicant_key_neg_complete(sm, sm->bssid,
2970 key_info & WPA_KEY_INFO_SECURE);
2971 }
2972
2973 wpa_sm_set_rekey_offload(sm);
2974
2975 return;
2976
2977 failed:
2978 forced_memzero(&gd, sizeof(gd));
2979 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2980 }
2981
2982
wpa_supplicant_process_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)2983 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
2984 const unsigned char *src_addr,
2985 const struct wpa_eapol_key *key,
2986 const u8 *key_data,
2987 size_t key_data_len, u16 ver)
2988 {
2989 u16 key_info;
2990 struct wpa_gtk_data gd;
2991 const u8 *key_rsc;
2992 int maxkeylen;
2993 struct wpa_eapol_ie_parse ie;
2994 u16 gtk_len;
2995
2996 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
2997 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2998 "RSN: Group Key Handshake started prior to completion of 4-way handshake");
2999 goto failed;
3000 }
3001
3002 os_memset(&gd, 0, sizeof(gd));
3003
3004 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3005 "RSN: RX message 1 of Group Key Handshake from " MACSTR
3006 " (ver=%d)", MAC2STR(src_addr), ver);
3007
3008 key_info = WPA_GET_BE16(key->key_info);
3009
3010 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
3011 key_data, key_data_len);
3012 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
3013 goto failed;
3014
3015 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3016
3017 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3018 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3019 "RSN: GTK KDE in unencrypted key data");
3020 goto failed;
3021 }
3022 if (!ie.gtk) {
3023 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3024 "RSN: No GTK KDE in Group Key msg 1/2");
3025 goto failed;
3026 }
3027 gtk_len = ie.gtk_len;
3028 if (gtk_len < 2) {
3029 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3030 "RSN: Invalid GTK KDE length (%u) in Group Key msg 1/2",
3031 gtk_len);
3032 goto failed;
3033 }
3034 gtk_len -= 2;
3035 if (gtk_len > sizeof(gd.gtk)) {
3036 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3037 "RSN: Too long GTK in GTK KDE (len=%u)", gtk_len);
3038 goto failed;
3039 }
3040 maxkeylen = gd.gtk_len = gtk_len;
3041
3042 #ifdef CONFIG_OCV
3043 if (wpa_sm_ocv_enabled(sm)) {
3044 struct wpa_channel_info ci;
3045
3046 if (wpa_sm_channel_info(sm, &ci) != 0) {
3047 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3048 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
3049 goto failed;
3050 }
3051
3052 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
3053 channel_width_to_int(ci.chanwidth),
3054 ci.seg1_idx) != OCI_SUCCESS) {
3055 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
3056 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
3057 MAC2STR(sm->bssid), ocv_errorstr);
3058 goto failed;
3059 }
3060 }
3061 #endif /* CONFIG_OCV */
3062
3063 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3064 gtk_len, maxkeylen,
3065 &gd.key_rsc_len, &gd.alg))
3066 goto failed;
3067
3068 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
3069 ie.gtk, 2 + gtk_len);
3070 gd.keyidx = ie.gtk[0] & 0x3;
3071 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
3072 !!(ie.gtk[0] & BIT(2)));
3073 os_memcpy(gd.gtk, ie.gtk + 2, gtk_len);
3074
3075 if (ieee80211w_set_keys(sm, &ie) < 0)
3076 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3077 "RSN: Failed to configure IGTK");
3078
3079 key_rsc = key->key_rsc;
3080 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
3081 key_rsc = null_rsc;
3082
3083 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
3084 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
3085 goto failed;
3086 forced_memzero(&gd, sizeof(gd));
3087
3088 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3089 "RSN: Group rekeying completed with " MACSTR " [GTK=%s]",
3090 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
3091 wpa_sm_cancel_auth_timeout(sm);
3092 wpa_sm_set_state(sm, WPA_COMPLETED);
3093
3094 wpa_sm_set_rekey_offload(sm);
3095
3096 return;
3097
3098 failed:
3099 forced_memzero(&gd, sizeof(gd));
3100 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3101 }
3102
3103
wpa_supplicant_verify_eapol_key_mic(struct wpa_sm * sm,struct wpa_eapol_key * key,u16 ver,const u8 * buf,size_t len)3104 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
3105 struct wpa_eapol_key *key,
3106 u16 ver,
3107 const u8 *buf, size_t len)
3108 {
3109 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
3110 int ok = 0;
3111 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
3112
3113 os_memcpy(mic, key + 1, mic_len);
3114 if (sm->tptk_set) {
3115 os_memset(key + 1, 0, mic_len);
3116 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
3117 sm->key_mgmt,
3118 ver, buf, len, (u8 *) (key + 1)) < 0 ||
3119 os_memcmp_const(mic, key + 1, mic_len) != 0) {
3120 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3121 "WPA: Invalid EAPOL-Key MIC "
3122 "when using TPTK - ignoring TPTK");
3123 #ifdef TEST_FUZZ
3124 wpa_printf(MSG_INFO,
3125 "TEST: Ignore Key MIC failure for fuzz testing");
3126 goto continue_fuzz;
3127 #endif /* TEST_FUZZ */
3128 } else {
3129 #ifdef TEST_FUZZ
3130 continue_fuzz:
3131 #endif /* TEST_FUZZ */
3132 ok = 1;
3133 sm->tptk_set = 0;
3134 sm->ptk_set = 1;
3135 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
3136 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3137 /*
3138 * This assures the same TPTK in sm->tptk can never be
3139 * copied twice to sm->ptk as the new PTK. In
3140 * combination with the installed flag in the wpa_ptk
3141 * struct, this assures the same PTK is only installed
3142 * once.
3143 */
3144 sm->renew_snonce = 1;
3145 }
3146 }
3147
3148 if (!ok && sm->ptk_set) {
3149 os_memset(key + 1, 0, mic_len);
3150 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
3151 sm->key_mgmt,
3152 ver, buf, len, (u8 *) (key + 1)) < 0 ||
3153 os_memcmp_const(mic, key + 1, mic_len) != 0) {
3154 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3155 "WPA: Invalid EAPOL-Key MIC - "
3156 "dropping packet");
3157 #ifdef TEST_FUZZ
3158 wpa_printf(MSG_INFO,
3159 "TEST: Ignore Key MIC failure for fuzz testing");
3160 goto continue_fuzz2;
3161 #endif /* TEST_FUZZ */
3162 return -1;
3163 }
3164 #ifdef TEST_FUZZ
3165 continue_fuzz2:
3166 #endif /* TEST_FUZZ */
3167 ok = 1;
3168 }
3169
3170 if (!ok) {
3171 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3172 "WPA: Could not verify EAPOL-Key MIC - "
3173 "dropping packet");
3174 return -1;
3175 }
3176
3177 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3178 WPA_REPLAY_COUNTER_LEN);
3179 sm->rx_replay_counter_set = 1;
3180 return 0;
3181 }
3182
3183
3184 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
wpa_supplicant_decrypt_key_data(struct wpa_sm * sm,struct wpa_eapol_key * key,size_t mic_len,u16 ver,u8 * key_data,size_t * key_data_len)3185 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
3186 struct wpa_eapol_key *key,
3187 size_t mic_len, u16 ver,
3188 u8 *key_data, size_t *key_data_len)
3189 {
3190 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
3191 key_data, *key_data_len);
3192 if (!sm->ptk_set) {
3193 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3194 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
3195 "Data");
3196 return -1;
3197 }
3198
3199 /* Decrypt key data here so that this operation does not need
3200 * to be implemented separately for each message type. */
3201 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
3202 #if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS)
3203 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3204 "WPA: RC4 not supported in the build");
3205 return -1;
3206 #else /* CONFIG_NO_RC4 || CONFIG_FIPS */
3207 u8 ek[32];
3208
3209 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
3210 os_memcpy(ek, key->key_iv, 16);
3211 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
3212 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
3213 forced_memzero(ek, sizeof(ek));
3214 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
3215 "WPA: RC4 failed");
3216 return -1;
3217 }
3218 forced_memzero(ek, sizeof(ek));
3219 #endif /* CONFIG_NO_RC4 || CONFIG_FIPS */
3220 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
3221 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
3222 wpa_use_aes_key_wrap(sm->key_mgmt)) {
3223 u8 *buf;
3224
3225 wpa_printf(MSG_DEBUG,
3226 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
3227 (unsigned int) sm->ptk.kek_len);
3228 if (*key_data_len < 8 || *key_data_len % 8) {
3229 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3230 "WPA: Unsupported AES-WRAP len %u",
3231 (unsigned int) *key_data_len);
3232 return -1;
3233 }
3234 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
3235 buf = os_malloc(*key_data_len);
3236 if (buf == NULL) {
3237 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3238 "WPA: No memory for AES-UNWRAP buffer");
3239 return -1;
3240 }
3241 #ifdef TEST_FUZZ
3242 os_memset(buf, 0x11, *key_data_len);
3243 #endif /* TEST_FUZZ */
3244 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
3245 key_data, buf)) {
3246 #ifdef TEST_FUZZ
3247 wpa_printf(MSG_INFO,
3248 "TEST: Ignore AES unwrap failure for fuzz testing");
3249 goto continue_fuzz;
3250 #endif /* TEST_FUZZ */
3251 bin_clear_free(buf, *key_data_len);
3252 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3253 "WPA: AES unwrap failed - "
3254 "could not decrypt EAPOL-Key key data");
3255 return -1;
3256 }
3257 #ifdef TEST_FUZZ
3258 continue_fuzz:
3259 #endif /* TEST_FUZZ */
3260 os_memcpy(key_data, buf, *key_data_len);
3261 bin_clear_free(buf, *key_data_len);
3262 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
3263 } else {
3264 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3265 "WPA: Unsupported key_info type %d", ver);
3266 return -1;
3267 }
3268 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
3269 key_data, *key_data_len);
3270 return 0;
3271 }
3272
3273
3274 /**
3275 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
3276 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3277 */
wpa_sm_aborted_cached(struct wpa_sm * sm)3278 void wpa_sm_aborted_cached(struct wpa_sm *sm)
3279 {
3280 if (sm && sm->cur_pmksa) {
3281 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3282 "RSN: Cancelling PMKSA caching attempt");
3283 sm->cur_pmksa = NULL;
3284 }
3285 }
3286
3287
wpa_sm_aborted_external_cached(struct wpa_sm * sm)3288 void wpa_sm_aborted_external_cached(struct wpa_sm *sm)
3289 {
3290 if (sm && sm->cur_pmksa && sm->cur_pmksa->external) {
3291 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3292 "RSN: Cancelling external PMKSA caching attempt");
3293 sm->cur_pmksa = NULL;
3294 }
3295 }
3296
3297
wpa_eapol_key_dump(struct wpa_sm * sm,const struct wpa_eapol_key * key,unsigned int key_data_len,const u8 * mic,unsigned int mic_len)3298 static void wpa_eapol_key_dump(struct wpa_sm *sm,
3299 const struct wpa_eapol_key *key,
3300 unsigned int key_data_len,
3301 const u8 *mic, unsigned int mic_len)
3302 {
3303 #ifndef CONFIG_NO_STDOUT_DEBUG
3304 u16 key_info = WPA_GET_BE16(key->key_info);
3305
3306 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
3307 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3308 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
3309 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
3310 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
3311 WPA_KEY_INFO_KEY_INDEX_SHIFT,
3312 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
3313 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
3314 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
3315 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
3316 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
3317 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
3318 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
3319 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
3320 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
3321 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3322 " key_length=%u key_data_length=%u",
3323 WPA_GET_BE16(key->key_length), key_data_len);
3324 wpa_hexdump(MSG_DEBUG, " replay_counter",
3325 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
3326 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
3327 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
3328 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
3329 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
3330 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
3331 #endif /* CONFIG_NO_STDOUT_DEBUG */
3332 }
3333
3334
3335 #ifdef CONFIG_FILS
wpa_supp_aead_decrypt(struct wpa_sm * sm,u8 * buf,size_t buf_len,size_t * key_data_len)3336 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
3337 size_t *key_data_len)
3338 {
3339 struct wpa_ptk *ptk;
3340 struct ieee802_1x_hdr *hdr;
3341 struct wpa_eapol_key *key;
3342 u8 *pos, *tmp;
3343 const u8 *aad[1];
3344 size_t aad_len[1];
3345
3346 if (*key_data_len < AES_BLOCK_SIZE) {
3347 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
3348 return -1;
3349 }
3350
3351 if (sm->tptk_set)
3352 ptk = &sm->tptk;
3353 else if (sm->ptk_set)
3354 ptk = &sm->ptk;
3355 else
3356 return -1;
3357
3358 hdr = (struct ieee802_1x_hdr *) buf;
3359 key = (struct wpa_eapol_key *) (hdr + 1);
3360 pos = (u8 *) (key + 1);
3361 pos += 2; /* Pointing at the Encrypted Key Data field */
3362
3363 tmp = os_malloc(*key_data_len);
3364 if (!tmp)
3365 return -1;
3366
3367 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
3368 * to Key Data (exclusive). */
3369 aad[0] = buf;
3370 aad_len[0] = pos - buf;
3371 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
3372 1, aad, aad_len, tmp) < 0) {
3373 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
3374 bin_clear_free(tmp, *key_data_len);
3375 return -1;
3376 }
3377
3378 /* AEAD decryption and validation completed successfully */
3379 (*key_data_len) -= AES_BLOCK_SIZE;
3380 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
3381 tmp, *key_data_len);
3382
3383 /* Replace Key Data field with the decrypted version */
3384 os_memcpy(pos, tmp, *key_data_len);
3385 pos -= 2; /* Key Data Length field */
3386 WPA_PUT_BE16(pos, *key_data_len);
3387 bin_clear_free(tmp, *key_data_len);
3388
3389 if (sm->tptk_set) {
3390 sm->tptk_set = 0;
3391 sm->ptk_set = 1;
3392 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
3393 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3394 }
3395
3396 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3397 WPA_REPLAY_COUNTER_LEN);
3398 sm->rx_replay_counter_set = 1;
3399
3400 return 0;
3401 }
3402 #endif /* CONFIG_FILS */
3403
3404
wpa_sm_rx_eapol_wpa(struct wpa_sm * sm,const u8 * src_addr,struct wpa_eapol_key * key,enum frame_encryption encrypted,const u8 * tmp,size_t data_len,u8 * key_data,size_t key_data_len)3405 static int wpa_sm_rx_eapol_wpa(struct wpa_sm *sm, const u8 *src_addr,
3406 struct wpa_eapol_key *key,
3407 enum frame_encryption encrypted,
3408 const u8 *tmp, size_t data_len,
3409 u8 *key_data, size_t key_data_len)
3410 {
3411 u16 key_info, ver;
3412
3413 key_info = WPA_GET_BE16(key->key_info);
3414
3415 if (key->type != EAPOL_KEY_TYPE_WPA) {
3416 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3417 "WPA: Unsupported EAPOL-Key type %d", key->type);
3418 return -1;
3419 }
3420
3421 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3422 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3423 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3424 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3425 "WPA: Unsupported EAPOL-Key descriptor version %d",
3426 ver);
3427 return -1;
3428 }
3429
3430 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
3431 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3432 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3433 "WPA: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2",
3434 ver);
3435 if (sm->group_cipher != WPA_CIPHER_CCMP &&
3436 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
3437 /* Earlier versions of IEEE 802.11i did not explicitly
3438 * require version 2 descriptor for all EAPOL-Key
3439 * packets, so allow group keys to use version 1 if
3440 * CCMP is not used for them. */
3441 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3442 "WPA: Backwards compatibility: allow invalid version for non-CCMP group keys");
3443 } else
3444 return -1;
3445 }
3446
3447 if ((key_info & WPA_KEY_INFO_MIC) &&
3448 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
3449 return -1;
3450
3451 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
3452 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
3453 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3454 "WPA: Ignored EAPOL-Key (Pairwise) with non-zero key index");
3455 return -1;
3456 }
3457 if (key_info & (WPA_KEY_INFO_MIC |
3458 WPA_KEY_INFO_ENCR_KEY_DATA)) {
3459 /* 3/4 4-Way Handshake */
3460 wpa_supplicant_process_3_of_4_wpa(sm, key, ver,
3461 key_data,
3462 key_data_len);
3463 } else {
3464 /* 1/4 4-Way Handshake */
3465 wpa_supplicant_process_1_of_4_wpa(sm, src_addr, key,
3466 ver, key_data,
3467 key_data_len,
3468 encrypted);
3469 }
3470 } else {
3471 if (key_info & WPA_KEY_INFO_MIC) {
3472 /* 1/2 Group Key Handshake */
3473 wpa_supplicant_process_1_of_2_wpa(sm, src_addr, key,
3474 key_data,
3475 key_data_len,
3476 ver);
3477 } else {
3478 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3479 "WPA: EAPOL-Key (Group) without Mic/Encr bit - dropped");
3480 }
3481 }
3482
3483 return 1;
3484 }
3485
3486
3487 /**
3488 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
3489 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3490 * @src_addr: Source MAC address of the EAPOL packet
3491 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
3492 * @len: Length of the EAPOL frame
3493 * @encrypted: Whether the frame was encrypted
3494 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
3495 *
3496 * This function is called for each received EAPOL frame. Other than EAPOL-Key
3497 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
3498 * only processing WPA and WPA2 EAPOL-Key frames.
3499 *
3500 * The received EAPOL-Key packets are validated and valid packets are replied
3501 * to. In addition, key material (PTK, GTK) is configured at the end of a
3502 * successful key handshake.
3503 */
wpa_sm_rx_eapol(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len,enum frame_encryption encrypted)3504 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
3505 const u8 *buf, size_t len, enum frame_encryption encrypted)
3506 {
3507 size_t plen, data_len, key_data_len;
3508 const struct ieee802_1x_hdr *hdr;
3509 struct wpa_eapol_key *key;
3510 u16 key_info, ver;
3511 u8 *tmp = NULL;
3512 int ret = -1;
3513 u8 *mic, *key_data;
3514 size_t mic_len, keyhdrlen, pmk_len;
3515
3516 #ifdef CONFIG_IEEE80211R
3517 sm->ft_completed = 0;
3518 #endif /* CONFIG_IEEE80211R */
3519
3520 pmk_len = sm->pmk_len;
3521 if (!pmk_len && sm->cur_pmksa)
3522 pmk_len = sm->cur_pmksa->pmk_len;
3523 mic_len = wpa_mic_len(sm->key_mgmt, pmk_len);
3524 keyhdrlen = sizeof(*key) + mic_len + 2;
3525
3526 if (len < sizeof(*hdr) + keyhdrlen) {
3527 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3528 "WPA: EAPOL frame too short to be a WPA "
3529 "EAPOL-Key (len %lu, expecting at least %lu)",
3530 (unsigned long) len,
3531 (unsigned long) sizeof(*hdr) + keyhdrlen);
3532 return 0;
3533 }
3534
3535 hdr = (const struct ieee802_1x_hdr *) buf;
3536 plen = be_to_host16(hdr->length);
3537 data_len = plen + sizeof(*hdr);
3538 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3539 "IEEE 802.1X RX: version=%d type=%d length=%lu",
3540 hdr->version, hdr->type, (unsigned long) plen);
3541
3542 if (hdr->version < EAPOL_VERSION) {
3543 /* TODO: backwards compatibility */
3544 }
3545 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
3546 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3547 "WPA: EAPOL frame (type %u) discarded, "
3548 "not a Key frame", hdr->type);
3549 ret = 0;
3550 goto out;
3551 }
3552 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
3553 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
3554 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3555 "WPA: EAPOL frame payload size %lu "
3556 "invalid (frame size %lu)",
3557 (unsigned long) plen, (unsigned long) len);
3558 ret = 0;
3559 goto out;
3560 }
3561 if (data_len < len) {
3562 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3563 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
3564 (unsigned long) len - data_len);
3565 }
3566
3567 /*
3568 * Make a copy of the frame since we need to modify the buffer during
3569 * MAC validation and Key Data decryption.
3570 */
3571 tmp = os_memdup(buf, data_len);
3572 if (tmp == NULL)
3573 goto out;
3574 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
3575 mic = (u8 *) (key + 1);
3576 key_data = mic + mic_len + 2;
3577
3578 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
3579 {
3580 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3581 "WPA: EAPOL-Key type (%d) unknown, discarded",
3582 key->type);
3583 ret = 0;
3584 goto out;
3585 }
3586
3587 key_data_len = WPA_GET_BE16(mic + mic_len);
3588 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
3589
3590 if (key_data_len > plen - keyhdrlen) {
3591 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
3592 "frame - key_data overflow (%u > %u)",
3593 (unsigned int) key_data_len,
3594 (unsigned int) (plen - keyhdrlen));
3595 goto out;
3596 }
3597
3598 if (sm->rx_replay_counter_set &&
3599 os_memcmp(key->replay_counter, sm->rx_replay_counter,
3600 WPA_REPLAY_COUNTER_LEN) <= 0) {
3601 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3602 "WPA: EAPOL-Key Replay Counter did not increase - dropping packet");
3603 goto out;
3604 }
3605
3606 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
3607
3608 key_info = WPA_GET_BE16(key->key_info);
3609
3610 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
3611 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3612 "WPA: Unsupported SMK bit in key_info");
3613 goto out;
3614 }
3615
3616 if (!(key_info & WPA_KEY_INFO_ACK)) {
3617 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3618 "WPA: No Ack bit in key_info");
3619 goto out;
3620 }
3621
3622 if (key_info & WPA_KEY_INFO_REQUEST) {
3623 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3624 "WPA: EAPOL-Key with Request bit - dropped");
3625 goto out;
3626 }
3627
3628 if (sm->proto == WPA_PROTO_WPA) {
3629 ret = wpa_sm_rx_eapol_wpa(sm, src_addr, key, encrypted,
3630 tmp, data_len,
3631 key_data, key_data_len);
3632 goto out;
3633 }
3634
3635 if (key->type != EAPOL_KEY_TYPE_RSN) {
3636 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3637 "RSN: Unsupported EAPOL-Key type %d", key->type);
3638 goto out;
3639 }
3640
3641 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3642 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3643 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
3644 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
3645 !wpa_use_akm_defined(sm->key_mgmt)) {
3646 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3647 "RSN: Unsupported EAPOL-Key descriptor version %d",
3648 ver);
3649 goto out;
3650 }
3651
3652 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3653 sm->pairwise_cipher != WPA_CIPHER_TKIP) {
3654 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3655 "RSN: EAPOL-Key descriptor version %d not allowed without TKIP as the pairwise cipher",
3656 ver);
3657 goto out;
3658 }
3659
3660 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
3661 (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X &&
3662 sm->key_mgmt != WPA_KEY_MGMT_PSK)) {
3663 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3664 "RSN: EAPOL-Key descriptor version %d not allowed due to negotiated AKM (0x%x)",
3665 ver, sm->key_mgmt);
3666 goto out;
3667 }
3668
3669 if (wpa_use_akm_defined(sm->key_mgmt) &&
3670 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
3671 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3672 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
3673 ver);
3674 goto out;
3675 }
3676
3677 #ifdef CONFIG_IEEE80211R
3678 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
3679 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
3680 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
3681 !wpa_use_akm_defined(sm->key_mgmt)) {
3682 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3683 "FT: AP did not use AES-128-CMAC");
3684 goto out;
3685 }
3686 } else
3687 #endif /* CONFIG_IEEE80211R */
3688 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
3689 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
3690 !wpa_use_akm_defined(sm->key_mgmt)) {
3691 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3692 "RSN: AP did not use the negotiated AES-128-CMAC");
3693 goto out;
3694 }
3695 } else if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
3696 !wpa_use_akm_defined(sm->key_mgmt) &&
3697 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3698 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3699 "RSN: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2", ver);
3700 if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
3701 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3702 "RSN: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
3703 } else {
3704 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3705 "RSN: Unexpected descriptor version %u", ver);
3706 goto out;
3707 }
3708 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
3709 !wpa_use_akm_defined(sm->key_mgmt) &&
3710 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3711 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3712 "RSN: GCMP is used, but EAPOL-Key descriptor version (%d) is not 2",
3713 ver);
3714 goto out;
3715 }
3716
3717 if ((key_info & WPA_KEY_INFO_MIC) &&
3718 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
3719 goto out;
3720
3721 #ifdef CONFIG_FILS
3722 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3723 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
3724 goto out;
3725 }
3726 #endif /* CONFIG_FILS */
3727
3728 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
3729 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
3730 /*
3731 * Only decrypt the Key Data field if the frame's authenticity
3732 * was verified. When using AES-SIV (FILS), the MIC flag is not
3733 * set, so this check should only be performed if mic_len != 0
3734 * which is the case in this code branch.
3735 */
3736 if (!(key_info & WPA_KEY_INFO_MIC)) {
3737 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3738 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
3739 goto out;
3740 }
3741 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
3742 ver, key_data,
3743 &key_data_len))
3744 goto out;
3745 }
3746
3747 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
3748 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
3749 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3750 "RSN: Ignored EAPOL-Key (Pairwise) with non-zero key index");
3751 goto out;
3752 }
3753 if (key_info & (WPA_KEY_INFO_MIC |
3754 WPA_KEY_INFO_ENCR_KEY_DATA)) {
3755 /* 3/4 4-Way Handshake */
3756 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
3757 key_data_len);
3758 } else {
3759 /* 1/4 4-Way Handshake */
3760 wpa_supplicant_process_1_of_4(sm, src_addr, key,
3761 ver, key_data,
3762 key_data_len,
3763 encrypted);
3764 }
3765 } else {
3766 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
3767 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
3768 /* 1/2 Group Key Handshake */
3769 if (sm->mlo.valid_links)
3770 wpa_supplicant_process_mlo_1_of_2(sm, src_addr,
3771 key, key_data,
3772 key_data_len,
3773 ver);
3774 else
3775 wpa_supplicant_process_1_of_2(sm, src_addr, key,
3776 key_data,
3777 key_data_len,
3778 ver);
3779 } else {
3780 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3781 "RSN: EAPOL-Key (Group) without Mic/Encr bit - dropped");
3782 }
3783 }
3784
3785 ret = 1;
3786
3787 out:
3788 bin_clear_free(tmp, data_len);
3789 return ret;
3790 }
3791
3792
3793 #ifdef CONFIG_CTRL_IFACE
wpa_key_mgmt_suite(struct wpa_sm * sm)3794 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
3795 {
3796 switch (sm->key_mgmt) {
3797 case WPA_KEY_MGMT_IEEE8021X:
3798 return ((sm->proto == WPA_PROTO_RSN ||
3799 sm->proto == WPA_PROTO_OSEN) ?
3800 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
3801 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
3802 case WPA_KEY_MGMT_PSK:
3803 return (sm->proto == WPA_PROTO_RSN ?
3804 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
3805 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
3806 #ifdef CONFIG_IEEE80211R
3807 case WPA_KEY_MGMT_FT_IEEE8021X:
3808 return RSN_AUTH_KEY_MGMT_FT_802_1X;
3809 case WPA_KEY_MGMT_FT_PSK:
3810 return RSN_AUTH_KEY_MGMT_FT_PSK;
3811 #endif /* CONFIG_IEEE80211R */
3812 case WPA_KEY_MGMT_IEEE8021X_SHA256:
3813 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
3814 case WPA_KEY_MGMT_PSK_SHA256:
3815 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
3816 case WPA_KEY_MGMT_CCKM:
3817 return (sm->proto == WPA_PROTO_RSN ?
3818 RSN_AUTH_KEY_MGMT_CCKM:
3819 WPA_AUTH_KEY_MGMT_CCKM);
3820 case WPA_KEY_MGMT_WPA_NONE:
3821 return WPA_AUTH_KEY_MGMT_NONE;
3822 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
3823 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
3824 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
3825 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
3826 case WPA_KEY_MGMT_IEEE8021X_SHA384:
3827 return RSN_AUTH_KEY_MGMT_802_1X_SHA384;
3828 default:
3829 return 0;
3830 }
3831 }
3832
3833
3834 #define RSN_SUITE "%02x-%02x-%02x-%d"
3835 #define RSN_SUITE_ARG(s) \
3836 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
3837
3838 /**
3839 * wpa_sm_get_mib - Dump text list of MIB entries
3840 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3841 * @buf: Buffer for the list
3842 * @buflen: Length of the buffer
3843 * Returns: Number of bytes written to buffer
3844 *
3845 * This function is used fetch dot11 MIB variables.
3846 */
wpa_sm_get_mib(struct wpa_sm * sm,char * buf,size_t buflen)3847 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
3848 {
3849 char pmkid_txt[PMKID_LEN * 2 + 1];
3850 bool rsna;
3851 int ret;
3852 size_t len;
3853
3854 if (sm->cur_pmksa) {
3855 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3856 sm->cur_pmksa->pmkid, PMKID_LEN);
3857 } else
3858 pmkid_txt[0] = '\0';
3859
3860 rsna = (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
3861 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
3862 sm->proto == WPA_PROTO_RSN;
3863
3864 ret = os_snprintf(buf, buflen,
3865 "dot11RSNAOptionImplemented=TRUE\n"
3866 "dot11RSNAPreauthenticationImplemented=TRUE\n"
3867 "dot11RSNAEnabled=%s\n"
3868 "dot11RSNAPreauthenticationEnabled=%s\n"
3869 "dot11RSNAConfigVersion=%d\n"
3870 "dot11RSNAConfigPairwiseKeysSupported=5\n"
3871 "dot11RSNAConfigGroupCipherSize=%d\n"
3872 "dot11RSNAConfigPMKLifetime=%d\n"
3873 "dot11RSNAConfigPMKReauthThreshold=%d\n"
3874 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
3875 "dot11RSNAConfigSATimeout=%d\n",
3876 rsna ? "TRUE" : "FALSE",
3877 rsna ? "TRUE" : "FALSE",
3878 RSN_VERSION,
3879 wpa_cipher_key_len(sm->group_cipher) * 8,
3880 sm->dot11RSNAConfigPMKLifetime,
3881 sm->dot11RSNAConfigPMKReauthThreshold,
3882 sm->dot11RSNAConfigSATimeout);
3883 if (os_snprintf_error(buflen, ret))
3884 return 0;
3885 len = ret;
3886
3887 ret = os_snprintf(
3888 buf + len, buflen - len,
3889 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3890 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3891 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3892 "dot11RSNAPMKIDUsed=%s\n"
3893 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3894 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3895 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3896 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
3897 "dot11RSNA4WayHandshakeFailures=%u\n",
3898 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
3899 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
3900 sm->pairwise_cipher)),
3901 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
3902 sm->group_cipher)),
3903 pmkid_txt,
3904 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
3905 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
3906 sm->pairwise_cipher)),
3907 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
3908 sm->group_cipher)),
3909 sm->dot11RSNA4WayHandshakeFailures);
3910 if (!os_snprintf_error(buflen - len, ret))
3911 len += ret;
3912
3913 return (int) len;
3914 }
3915 #endif /* CONFIG_CTRL_IFACE */
3916
3917
wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx,enum pmksa_free_reason reason)3918 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
3919 void *ctx, enum pmksa_free_reason reason)
3920 {
3921 struct wpa_sm *sm = ctx;
3922 int deauth = 0;
3923
3924 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
3925 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
3926
3927 if (sm->cur_pmksa == entry) {
3928 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3929 "RSN: %s current PMKSA entry",
3930 reason == PMKSA_REPLACE ? "replaced" : "removed");
3931 pmksa_cache_clear_current(sm);
3932
3933 /*
3934 * If an entry is simply being replaced, there's no need to
3935 * deauthenticate because it will be immediately re-added.
3936 * This happens when EAP authentication is completed again
3937 * (reauth or failed PMKSA caching attempt).
3938 */
3939 if (reason != PMKSA_REPLACE)
3940 deauth = 1;
3941 }
3942
3943 if (reason == PMKSA_EXPIRE &&
3944 (sm->pmk_len == entry->pmk_len &&
3945 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
3946 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3947 "RSN: deauthenticating due to expired PMK");
3948 pmksa_cache_clear_current(sm);
3949 deauth = 1;
3950 }
3951
3952 if (deauth) {
3953 sm->pmk_len = 0;
3954 os_memset(sm->pmk, 0, sizeof(sm->pmk));
3955 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3956 }
3957 }
3958
3959
wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)3960 static bool wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry *entry,
3961 void *ctx)
3962 {
3963 struct wpa_sm *sm = ctx;
3964
3965 return sm->cur_pmksa == entry;
3966 }
3967
3968
wpa_sm_pmksa_notify_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)3969 static void wpa_sm_pmksa_notify_cb(struct rsn_pmksa_cache_entry *entry,
3970 void *ctx)
3971 {
3972 struct wpa_sm *sm = ctx;
3973
3974 wpa_sm_notify_pmksa_cache_entry(sm, entry);
3975 }
3976
3977
3978 /**
3979 * wpa_sm_init - Initialize WPA state machine
3980 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
3981 * Returns: Pointer to the allocated WPA state machine data
3982 *
3983 * This function is used to allocate a new WPA state machine and the returned
3984 * value is passed to all WPA state machine calls.
3985 */
wpa_sm_init(struct wpa_sm_ctx * ctx)3986 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
3987 {
3988 struct wpa_sm *sm;
3989
3990 sm = os_zalloc(sizeof(*sm));
3991 if (sm == NULL)
3992 return NULL;
3993 dl_list_init(&sm->pmksa_candidates);
3994 sm->renew_snonce = 1;
3995 sm->ctx = ctx;
3996
3997 sm->dot11RSNAConfigPMKLifetime = 43200;
3998 sm->dot11RSNAConfigPMKReauthThreshold = 70;
3999 sm->dot11RSNAConfigSATimeout = 60;
4000
4001 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb,
4002 wpa_sm_pmksa_is_current_cb,
4003 wpa_sm_pmksa_notify_cb, sm, sm);
4004 if (sm->pmksa == NULL) {
4005 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
4006 "RSN: PMKSA cache initialization failed");
4007 os_free(sm);
4008 return NULL;
4009 }
4010
4011 return sm;
4012 }
4013
4014
4015 /**
4016 * wpa_sm_deinit - Deinitialize WPA state machine
4017 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4018 */
wpa_sm_deinit(struct wpa_sm * sm)4019 void wpa_sm_deinit(struct wpa_sm *sm)
4020 {
4021 int i;
4022
4023 if (sm == NULL)
4024 return;
4025 pmksa_cache_deinit(sm->pmksa);
4026 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
4027 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
4028 os_free(sm->assoc_wpa_ie);
4029 os_free(sm->assoc_rsnxe);
4030 os_free(sm->ap_wpa_ie);
4031 os_free(sm->ap_rsn_ie);
4032 os_free(sm->ap_rsnxe);
4033 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4034 os_free(sm->mlo.links[i].ap_rsne);
4035 os_free(sm->mlo.links[i].ap_rsnxe);
4036 }
4037 wpa_sm_drop_sa(sm);
4038 os_free(sm->ctx);
4039 #ifdef CONFIG_IEEE80211R
4040 os_free(sm->assoc_resp_ies);
4041 #endif /* CONFIG_IEEE80211R */
4042 #ifdef CONFIG_TESTING_OPTIONS
4043 wpabuf_free(sm->test_assoc_ie);
4044 #endif /* CONFIG_TESTING_OPTIONS */
4045 #ifdef CONFIG_FILS_SK_PFS
4046 crypto_ecdh_deinit(sm->fils_ecdh);
4047 #endif /* CONFIG_FILS_SK_PFS */
4048 #ifdef CONFIG_FILS
4049 wpabuf_free(sm->fils_ft_ies);
4050 #endif /* CONFIG_FILS */
4051 #ifdef CONFIG_OWE
4052 crypto_ecdh_deinit(sm->owe_ecdh);
4053 #endif /* CONFIG_OWE */
4054 #ifdef CONFIG_DPP2
4055 wpabuf_clear_free(sm->dpp_z);
4056 #endif /* CONFIG_DPP2 */
4057 os_free(sm);
4058 }
4059
4060
wpa_sm_clear_ptk(struct wpa_sm * sm)4061 static void wpa_sm_clear_ptk(struct wpa_sm *sm)
4062 {
4063 int i;
4064
4065 sm->ptk_set = 0;
4066 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
4067 sm->tptk_set = 0;
4068 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
4069 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
4070 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
4071 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
4072 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
4073 os_memset(&sm->bigtk, 0, sizeof(sm->bigtk));
4074 os_memset(&sm->bigtk_wnm_sleep, 0, sizeof(sm->bigtk_wnm_sleep));
4075 sm->tk_set = false;
4076 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4077 os_memset(&sm->mlo.links[i].gtk, 0,
4078 sizeof(sm->mlo.links[i].gtk));
4079 os_memset(&sm->mlo.links[i].gtk_wnm_sleep, 0,
4080 sizeof(sm->mlo.links[i].gtk_wnm_sleep));
4081 os_memset(&sm->mlo.links[i].igtk, 0,
4082 sizeof(sm->mlo.links[i].igtk));
4083 os_memset(&sm->mlo.links[i].igtk_wnm_sleep, 0,
4084 sizeof(sm->mlo.links[i].igtk_wnm_sleep));
4085 os_memset(&sm->mlo.links[i].bigtk, 0,
4086 sizeof(sm->mlo.links[i].bigtk));
4087 os_memset(&sm->mlo.links[i].bigtk_wnm_sleep, 0,
4088 sizeof(sm->mlo.links[i].bigtk_wnm_sleep));
4089 }
4090 }
4091
4092
4093 /**
4094 * wpa_sm_notify_assoc - Notify WPA state machine about association
4095 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4096 * @bssid: The BSSID of the new association
4097 *
4098 * This function is called to let WPA state machine know that the connection
4099 * was established.
4100 */
wpa_sm_notify_assoc(struct wpa_sm * sm,const u8 * bssid)4101 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
4102 {
4103 int clear_keys = 1;
4104
4105 if (sm == NULL)
4106 return;
4107
4108 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4109 "WPA: Association event - clear replay counter");
4110 os_memcpy(sm->bssid, bssid, ETH_ALEN);
4111 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
4112 sm->rx_replay_counter_set = 0;
4113 sm->renew_snonce = 1;
4114 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
4115 rsn_preauth_deinit(sm);
4116
4117 #ifdef CONFIG_IEEE80211R
4118 if (wpa_ft_is_completed(sm)) {
4119 /*
4120 * Clear portValid to kick EAPOL state machine to re-enter
4121 * AUTHENTICATED state to get the EAPOL port Authorized.
4122 */
4123 eapol_sm_notify_portValid(sm->eapol, false);
4124 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
4125
4126 /* Prepare for the next transition */
4127 wpa_ft_prepare_auth_request(sm, NULL);
4128
4129 clear_keys = 0;
4130 sm->ft_protocol = 1;
4131 } else {
4132 sm->ft_protocol = 0;
4133 }
4134 #endif /* CONFIG_IEEE80211R */
4135 #ifdef CONFIG_FILS
4136 if (sm->fils_completed) {
4137 /*
4138 * Clear portValid to kick EAPOL state machine to re-enter
4139 * AUTHENTICATED state to get the EAPOL port Authorized.
4140 */
4141 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
4142 clear_keys = 0;
4143 }
4144 #endif /* CONFIG_FILS */
4145
4146 if (clear_keys) {
4147 /*
4148 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
4149 * this is not part of a Fast BSS Transition.
4150 */
4151 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
4152 wpa_sm_clear_ptk(sm);
4153 }
4154
4155 #ifdef CONFIG_TDLS
4156 wpa_tdls_assoc(sm);
4157 #endif /* CONFIG_TDLS */
4158
4159 #ifdef CONFIG_P2P
4160 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
4161 #endif /* CONFIG_P2P */
4162
4163 sm->keyidx_active = 0;
4164 }
4165
4166
4167 /**
4168 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
4169 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4170 *
4171 * This function is called to let WPA state machine know that the connection
4172 * was lost. This will abort any existing pre-authentication session.
4173 */
wpa_sm_notify_disassoc(struct wpa_sm * sm)4174 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
4175 {
4176 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
4177 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
4178 rsn_preauth_deinit(sm);
4179 pmksa_cache_clear_current(sm);
4180 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
4181 sm->dot11RSNA4WayHandshakeFailures++;
4182 #ifdef CONFIG_TDLS
4183 wpa_tdls_disassoc(sm);
4184 #endif /* CONFIG_TDLS */
4185 #ifdef CONFIG_FILS
4186 sm->fils_completed = 0;
4187 #endif /* CONFIG_FILS */
4188 #ifdef CONFIG_IEEE80211R
4189 sm->ft_reassoc_completed = 0;
4190 sm->ft_protocol = 0;
4191 #endif /* CONFIG_IEEE80211R */
4192
4193 /* Keys are not needed in the WPA state machine anymore */
4194 wpa_sm_drop_sa(sm);
4195 sm->keyidx_active = 0;
4196
4197 sm->msg_3_of_4_ok = 0;
4198 os_memset(sm->bssid, 0, ETH_ALEN);
4199 }
4200
4201
4202 /**
4203 * wpa_sm_set_pmk - Set PMK
4204 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4205 * @pmk: The new PMK
4206 * @pmk_len: The length of the new PMK in bytes
4207 * @pmkid: Calculated PMKID
4208 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
4209 *
4210 * Configure the PMK for WPA state machine.
4211 */
wpa_sm_set_pmk(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid)4212 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
4213 const u8 *pmkid, const u8 *bssid)
4214 {
4215 if (sm == NULL)
4216 return;
4217
4218 wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data",
4219 pmk, pmk_len);
4220 sm->pmk_len = pmk_len;
4221 os_memcpy(sm->pmk, pmk, pmk_len);
4222
4223 #ifdef CONFIG_IEEE80211R
4224 /* Set XXKey to be PSK for FT key derivation */
4225 sm->xxkey_len = pmk_len;
4226 os_memcpy(sm->xxkey, pmk, pmk_len);
4227 #endif /* CONFIG_IEEE80211R */
4228
4229 if (bssid) {
4230 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len,
4231 pmkid, NULL, 0, bssid,
4232 sm->own_addr,
4233 sm->network_ctx, sm->key_mgmt,
4234 NULL);
4235 }
4236 }
4237
4238
4239 /**
4240 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
4241 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4242 *
4243 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
4244 * will be cleared.
4245 */
wpa_sm_set_pmk_from_pmksa(struct wpa_sm * sm)4246 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
4247 {
4248 if (sm == NULL)
4249 return;
4250
4251 if (sm->cur_pmksa) {
4252 wpa_hexdump_key(MSG_DEBUG,
4253 "WPA: Set PMK based on current PMKSA",
4254 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len);
4255 sm->pmk_len = sm->cur_pmksa->pmk_len;
4256 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
4257 } else {
4258 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK");
4259 sm->pmk_len = 0;
4260 os_memset(sm->pmk, 0, PMK_LEN_MAX);
4261 }
4262 }
4263
4264
4265 /**
4266 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
4267 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4268 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
4269 */
wpa_sm_set_fast_reauth(struct wpa_sm * sm,int fast_reauth)4270 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
4271 {
4272 if (sm)
4273 sm->fast_reauth = fast_reauth;
4274 }
4275
4276
4277 /**
4278 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
4279 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4280 * @scard_ctx: Context pointer for smartcard related callback functions
4281 */
wpa_sm_set_scard_ctx(struct wpa_sm * sm,void * scard_ctx)4282 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
4283 {
4284 if (sm == NULL)
4285 return;
4286 sm->scard_ctx = scard_ctx;
4287 if (sm->preauth_eapol)
4288 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
4289 }
4290
4291
4292 /**
4293 * wpa_sm_set_config - Notification of current configuration change
4294 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4295 * @config: Pointer to current network configuration
4296 *
4297 * Notify WPA state machine that configuration has changed. config will be
4298 * stored as a backpointer to network configuration. This can be %NULL to clear
4299 * the stored pointed.
4300 */
wpa_sm_set_config(struct wpa_sm * sm,struct rsn_supp_config * config)4301 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
4302 {
4303 if (!sm)
4304 return;
4305
4306 if (config) {
4307 sm->network_ctx = config->network_ctx;
4308 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
4309 sm->proactive_key_caching = config->proactive_key_caching;
4310 sm->eap_workaround = config->eap_workaround;
4311 sm->eap_conf_ctx = config->eap_conf_ctx;
4312 if (config->ssid) {
4313 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
4314 sm->ssid_len = config->ssid_len;
4315 } else
4316 sm->ssid_len = 0;
4317 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
4318 sm->p2p = config->p2p;
4319 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
4320 sm->owe_ptk_workaround = config->owe_ptk_workaround;
4321 sm->force_kdk_derivation = config->force_kdk_derivation;
4322 #ifdef CONFIG_FILS
4323 if (config->fils_cache_id) {
4324 sm->fils_cache_id_set = 1;
4325 os_memcpy(sm->fils_cache_id, config->fils_cache_id,
4326 FILS_CACHE_ID_LEN);
4327 } else {
4328 sm->fils_cache_id_set = 0;
4329 }
4330 #endif /* CONFIG_FILS */
4331 sm->beacon_prot = config->beacon_prot;
4332 } else {
4333 sm->network_ctx = NULL;
4334 sm->allowed_pairwise_cipher = 0;
4335 sm->proactive_key_caching = 0;
4336 sm->eap_workaround = 0;
4337 sm->eap_conf_ctx = NULL;
4338 sm->ssid_len = 0;
4339 sm->wpa_ptk_rekey = 0;
4340 sm->p2p = 0;
4341 sm->wpa_rsc_relaxation = 0;
4342 sm->owe_ptk_workaround = 0;
4343 sm->beacon_prot = 0;
4344 sm->force_kdk_derivation = false;
4345 }
4346 }
4347
4348
wpa_sm_set_mlo_params(struct wpa_sm * sm,const struct wpa_sm_mlo * mlo)4349 int wpa_sm_set_mlo_params(struct wpa_sm *sm, const struct wpa_sm_mlo *mlo)
4350 {
4351 int i;
4352
4353 if (!sm)
4354 return -1;
4355
4356 os_memcpy(sm->mlo.ap_mld_addr, mlo->ap_mld_addr, ETH_ALEN);
4357 sm->mlo.assoc_link_id = mlo->assoc_link_id;
4358 sm->mlo.valid_links = mlo->valid_links;
4359 sm->mlo.req_links = mlo->req_links;
4360
4361 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4362 const u8 *ie;
4363 size_t len;
4364
4365 if (sm->mlo.req_links & BIT(i)) {
4366 if (!mlo->links[i].ap_rsne ||
4367 mlo->links[i].ap_rsne_len == 0) {
4368 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO,
4369 "RSN: No RSNE for AP MLO link %d with BSSID "
4370 MACSTR,
4371 i, MAC2STR(mlo->links[i].bssid));
4372 return -1;
4373
4374 }
4375 os_memcpy(sm->mlo.links[i].addr, mlo->links[i].addr,
4376 ETH_ALEN);
4377 os_memcpy(sm->mlo.links[i].bssid, mlo->links[i].bssid,
4378 ETH_ALEN);
4379 }
4380
4381 ie = mlo->links[i].ap_rsne;
4382 len = mlo->links[i].ap_rsne_len;
4383 os_free(sm->mlo.links[i].ap_rsne);
4384 if (!ie || len == 0) {
4385 if (sm->mlo.links[i].ap_rsne)
4386 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4387 "RSN: Clearing MLO link[%u] AP RSNE",
4388 i);
4389 sm->mlo.links[i].ap_rsne = NULL;
4390 sm->mlo.links[i].ap_rsne_len = 0;
4391 } else {
4392 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNE",
4393 ie, len);
4394 sm->mlo.links[i].ap_rsne = os_memdup(ie, len);
4395 if (!sm->mlo.links[i].ap_rsne) {
4396 sm->mlo.links[i].ap_rsne_len = 0;
4397 return -1;
4398 }
4399 sm->mlo.links[i].ap_rsne_len = len;
4400 }
4401
4402 ie = mlo->links[i].ap_rsnxe;
4403 len = mlo->links[i].ap_rsnxe_len;
4404 os_free(sm->mlo.links[i].ap_rsnxe);
4405 if (!ie || len == 0) {
4406 if (sm->mlo.links[i].ap_rsnxe)
4407 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4408 "RSN: Clearing MLO link[%u] AP RSNXE",
4409 i);
4410 sm->mlo.links[i].ap_rsnxe = NULL;
4411 sm->mlo.links[i].ap_rsnxe_len = 0;
4412 } else {
4413 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNXE", ie,
4414 len);
4415 sm->mlo.links[i].ap_rsnxe = os_memdup(ie, len);
4416 if (!sm->mlo.links[i].ap_rsnxe) {
4417 sm->mlo.links[i].ap_rsnxe_len = 0;
4418 return -1;
4419 }
4420 sm->mlo.links[i].ap_rsnxe_len = len;
4421 }
4422 }
4423
4424 return 0;
4425 }
4426
4427
4428 /**
4429 * wpa_sm_set_own_addr - Set own MAC address
4430 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4431 * @addr: Own MAC address
4432 */
wpa_sm_set_own_addr(struct wpa_sm * sm,const u8 * addr)4433 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
4434 {
4435 if (sm)
4436 os_memcpy(sm->own_addr, addr, ETH_ALEN);
4437 }
4438
4439
4440 /**
4441 * wpa_sm_set_ifname - Set network interface name
4442 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4443 * @ifname: Interface name
4444 * @bridge_ifname: Optional bridge interface name (for pre-auth)
4445 */
wpa_sm_set_ifname(struct wpa_sm * sm,const char * ifname,const char * bridge_ifname)4446 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
4447 const char *bridge_ifname)
4448 {
4449 if (sm) {
4450 sm->ifname = ifname;
4451 sm->bridge_ifname = bridge_ifname;
4452 }
4453 }
4454
4455
4456 /**
4457 * wpa_sm_set_eapol - Set EAPOL state machine pointer
4458 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4459 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
4460 */
wpa_sm_set_eapol(struct wpa_sm * sm,struct eapol_sm * eapol)4461 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
4462 {
4463 if (sm)
4464 sm->eapol = eapol;
4465 }
4466
4467
4468 /**
4469 * wpa_sm_set_param - Set WPA state machine parameters
4470 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4471 * @param: Parameter field
4472 * @value: Parameter value
4473 * Returns: 0 on success, -1 on failure
4474 */
wpa_sm_set_param(struct wpa_sm * sm,enum wpa_sm_conf_params param,unsigned int value)4475 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
4476 unsigned int value)
4477 {
4478 int ret = 0;
4479
4480 if (sm == NULL)
4481 return -1;
4482
4483 switch (param) {
4484 case RSNA_PMK_LIFETIME:
4485 if (value > 0)
4486 sm->dot11RSNAConfigPMKLifetime = value;
4487 else
4488 ret = -1;
4489 break;
4490 case RSNA_PMK_REAUTH_THRESHOLD:
4491 if (value > 0 && value <= 100)
4492 sm->dot11RSNAConfigPMKReauthThreshold = value;
4493 else
4494 ret = -1;
4495 break;
4496 case RSNA_SA_TIMEOUT:
4497 if (value > 0)
4498 sm->dot11RSNAConfigSATimeout = value;
4499 else
4500 ret = -1;
4501 break;
4502 case WPA_PARAM_PROTO:
4503 sm->proto = value;
4504 break;
4505 case WPA_PARAM_PAIRWISE:
4506 sm->pairwise_cipher = value;
4507 break;
4508 case WPA_PARAM_GROUP:
4509 sm->group_cipher = value;
4510 break;
4511 case WPA_PARAM_KEY_MGMT:
4512 sm->key_mgmt = value;
4513 break;
4514 case WPA_PARAM_MGMT_GROUP:
4515 sm->mgmt_group_cipher = value;
4516 break;
4517 case WPA_PARAM_RSN_ENABLED:
4518 sm->rsn_enabled = value;
4519 break;
4520 case WPA_PARAM_MFP:
4521 sm->mfp = value;
4522 break;
4523 case WPA_PARAM_OCV:
4524 sm->ocv = value;
4525 break;
4526 case WPA_PARAM_SAE_PWE:
4527 sm->sae_pwe = value;
4528 break;
4529 case WPA_PARAM_SAE_PK:
4530 sm->sae_pk = value;
4531 break;
4532 case WPA_PARAM_DENY_PTK0_REKEY:
4533 sm->wpa_deny_ptk0_rekey = value;
4534 break;
4535 case WPA_PARAM_EXT_KEY_ID:
4536 sm->ext_key_id = value;
4537 break;
4538 case WPA_PARAM_USE_EXT_KEY_ID:
4539 sm->use_ext_key_id = value;
4540 break;
4541 #ifdef CONFIG_TESTING_OPTIONS
4542 case WPA_PARAM_FT_RSNXE_USED:
4543 sm->ft_rsnxe_used = value;
4544 break;
4545 case WPA_PARAM_OCI_FREQ_EAPOL:
4546 sm->oci_freq_override_eapol = value;
4547 break;
4548 case WPA_PARAM_OCI_FREQ_EAPOL_G2:
4549 sm->oci_freq_override_eapol_g2 = value;
4550 break;
4551 case WPA_PARAM_OCI_FREQ_FT_ASSOC:
4552 sm->oci_freq_override_ft_assoc = value;
4553 break;
4554 case WPA_PARAM_OCI_FREQ_FILS_ASSOC:
4555 sm->oci_freq_override_fils_assoc = value;
4556 break;
4557 case WPA_PARAM_DISABLE_EAPOL_G2_TX:
4558 sm->disable_eapol_g2_tx = value;
4559 break;
4560 #endif /* CONFIG_TESTING_OPTIONS */
4561 #ifdef CONFIG_DPP2
4562 case WPA_PARAM_DPP_PFS:
4563 sm->dpp_pfs = value;
4564 break;
4565 #endif /* CONFIG_DPP2 */
4566 case WPA_PARAM_WMM_ENABLED:
4567 sm->wmm_enabled = value;
4568 break;
4569 default:
4570 break;
4571 }
4572
4573 return ret;
4574 }
4575
4576
4577 /**
4578 * wpa_sm_get_status - Get WPA state machine
4579 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4580 * @buf: Buffer for status information
4581 * @buflen: Maximum buffer length
4582 * @verbose: Whether to include verbose status information
4583 * Returns: Number of bytes written to buf.
4584 *
4585 * Query WPA state machine for status information. This function fills in
4586 * a text area with current status information. If the buffer (buf) is not
4587 * large enough, status information will be truncated to fit the buffer.
4588 */
wpa_sm_get_status(struct wpa_sm * sm,char * buf,size_t buflen,int verbose)4589 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
4590 int verbose)
4591 {
4592 char *pos = buf, *end = buf + buflen;
4593 int ret;
4594
4595 ret = os_snprintf(pos, end - pos,
4596 "pairwise_cipher=%s\n"
4597 "group_cipher=%s\n"
4598 "key_mgmt=%s\n",
4599 wpa_cipher_txt(sm->pairwise_cipher),
4600 wpa_cipher_txt(sm->group_cipher),
4601 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
4602 if (os_snprintf_error(end - pos, ret))
4603 return pos - buf;
4604 pos += ret;
4605
4606 #ifdef CONFIG_DPP2
4607 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
4608 ret = os_snprintf(pos, end - pos, "dpp_pfs=1\n");
4609 if (os_snprintf_error(end - pos, ret))
4610 return pos - buf;
4611 pos += ret;
4612 }
4613 #endif /* CONFIG_DPP2 */
4614
4615 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
4616 struct wpa_ie_data rsn;
4617 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
4618 >= 0 &&
4619 rsn.capabilities & (WPA_CAPABILITY_MFPR |
4620 WPA_CAPABILITY_MFPC)) {
4621 ret = os_snprintf(pos, end - pos, "pmf=%d\n"
4622 "mgmt_group_cipher=%s\n",
4623 (rsn.capabilities &
4624 WPA_CAPABILITY_MFPR) ? 2 : 1,
4625 wpa_cipher_txt(
4626 sm->mgmt_group_cipher));
4627 if (os_snprintf_error(end - pos, ret))
4628 return pos - buf;
4629 pos += ret;
4630 }
4631 }
4632
4633 return pos - buf;
4634 }
4635
4636
wpa_sm_pmf_enabled(struct wpa_sm * sm)4637 int wpa_sm_pmf_enabled(struct wpa_sm *sm)
4638 {
4639 struct wpa_ie_data rsn;
4640
4641 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
4642 return 0;
4643
4644 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
4645 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
4646 return 1;
4647
4648 return 0;
4649 }
4650
4651
wpa_sm_ext_key_id(struct wpa_sm * sm)4652 int wpa_sm_ext_key_id(struct wpa_sm *sm)
4653 {
4654 return sm ? sm->ext_key_id : 0;
4655 }
4656
4657
wpa_sm_ext_key_id_active(struct wpa_sm * sm)4658 int wpa_sm_ext_key_id_active(struct wpa_sm *sm)
4659 {
4660 return sm ? sm->use_ext_key_id : 0;
4661 }
4662
4663
wpa_sm_ocv_enabled(struct wpa_sm * sm)4664 int wpa_sm_ocv_enabled(struct wpa_sm *sm)
4665 {
4666 struct wpa_ie_data rsn;
4667
4668 if (!sm->ocv || !sm->ap_rsn_ie)
4669 return 0;
4670
4671 return wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len,
4672 &rsn) >= 0 &&
4673 (rsn.capabilities & WPA_CAPABILITY_OCVC);
4674 }
4675
4676
4677 /**
4678 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
4679 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4680 * @wpa_ie: Pointer to buffer for WPA/RSN IE
4681 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
4682 * Returns: 0 on success, -1 on failure
4683 */
wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm * sm,u8 * wpa_ie,size_t * wpa_ie_len)4684 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
4685 size_t *wpa_ie_len)
4686 {
4687 int res;
4688
4689 if (sm == NULL)
4690 return -1;
4691
4692 #ifdef CONFIG_TESTING_OPTIONS
4693 if (sm->test_assoc_ie) {
4694 wpa_printf(MSG_DEBUG,
4695 "TESTING: Replace association WPA/RSN IE");
4696 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
4697 return -1;
4698 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
4699 wpabuf_len(sm->test_assoc_ie));
4700 res = wpabuf_len(sm->test_assoc_ie);
4701 } else
4702 #endif /* CONFIG_TESTING_OPTIONS */
4703 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
4704 if (res < 0)
4705 return -1;
4706 *wpa_ie_len = res;
4707
4708 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
4709 wpa_ie, *wpa_ie_len);
4710
4711 if (sm->assoc_wpa_ie == NULL) {
4712 /*
4713 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
4714 * the correct version of the IE even if PMKSA caching is
4715 * aborted (which would remove PMKID from IE generation).
4716 */
4717 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
4718 if (sm->assoc_wpa_ie == NULL)
4719 return -1;
4720
4721 sm->assoc_wpa_ie_len = *wpa_ie_len;
4722 } else {
4723 wpa_hexdump(MSG_DEBUG,
4724 "WPA: Leave previously set WPA IE default",
4725 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
4726 }
4727
4728 return 0;
4729 }
4730
4731
4732 /**
4733 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
4734 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4735 * @ie: Pointer to IE data (starting from id)
4736 * @len: IE length
4737 * Returns: 0 on success, -1 on failure
4738 *
4739 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
4740 * Request frame. The IE will be used to override the default value generated
4741 * with wpa_sm_set_assoc_wpa_ie_default().
4742 */
wpa_sm_set_assoc_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)4743 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
4744 {
4745 if (sm == NULL)
4746 return -1;
4747
4748 os_free(sm->assoc_wpa_ie);
4749 if (ie == NULL || len == 0) {
4750 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4751 "WPA: clearing own WPA/RSN IE");
4752 sm->assoc_wpa_ie = NULL;
4753 sm->assoc_wpa_ie_len = 0;
4754 } else {
4755 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
4756 sm->assoc_wpa_ie = os_memdup(ie, len);
4757 if (sm->assoc_wpa_ie == NULL)
4758 return -1;
4759
4760 sm->assoc_wpa_ie_len = len;
4761 }
4762
4763 return 0;
4764 }
4765
4766
4767 /**
4768 * wpa_sm_set_assoc_rsnxe_default - Generate own RSNXE from configuration
4769 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4770 * @rsnxe: Pointer to buffer for RSNXE
4771 * @rsnxe_len: Pointer to the length of the rsne buffer
4772 * Returns: 0 on success, -1 on failure
4773 */
wpa_sm_set_assoc_rsnxe_default(struct wpa_sm * sm,u8 * rsnxe,size_t * rsnxe_len)4774 int wpa_sm_set_assoc_rsnxe_default(struct wpa_sm *sm, u8 *rsnxe,
4775 size_t *rsnxe_len)
4776 {
4777 int res;
4778
4779 if (!sm)
4780 return -1;
4781
4782 res = wpa_gen_rsnxe(sm, rsnxe, *rsnxe_len);
4783 if (res < 0)
4784 return -1;
4785 *rsnxe_len = res;
4786
4787 wpa_hexdump(MSG_DEBUG, "RSN: Set own RSNXE default", rsnxe, *rsnxe_len);
4788
4789 if (sm->assoc_rsnxe) {
4790 wpa_hexdump(MSG_DEBUG,
4791 "RSN: Leave previously set RSNXE default",
4792 sm->assoc_rsnxe, sm->assoc_rsnxe_len);
4793 } else if (*rsnxe_len > 0) {
4794 /*
4795 * Make a copy of the RSNXE so that 4-Way Handshake gets the
4796 * correct version of the IE even if it gets changed.
4797 */
4798 sm->assoc_rsnxe = os_memdup(rsnxe, *rsnxe_len);
4799 if (!sm->assoc_rsnxe)
4800 return -1;
4801
4802 sm->assoc_rsnxe_len = *rsnxe_len;
4803 }
4804
4805 return 0;
4806 }
4807
4808
4809 /**
4810 * wpa_sm_set_assoc_rsnxe - Set own RSNXE from (Re)AssocReq
4811 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4812 * @ie: Pointer to IE data (starting from id)
4813 * @len: IE length
4814 * Returns: 0 on success, -1 on failure
4815 *
4816 * Inform WPA state machine about the RSNXE used in (Re)Association Request
4817 * frame. The IE will be used to override the default value generated
4818 * with wpa_sm_set_assoc_rsnxe_default().
4819 */
wpa_sm_set_assoc_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)4820 int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
4821 {
4822 if (!sm)
4823 return -1;
4824
4825 os_free(sm->assoc_rsnxe);
4826 if (!ie || len == 0) {
4827 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4828 "RSN: clearing own RSNXE");
4829 sm->assoc_rsnxe = NULL;
4830 sm->assoc_rsnxe_len = 0;
4831 } else {
4832 wpa_hexdump(MSG_DEBUG, "RSN: set own RSNXE", ie, len);
4833 sm->assoc_rsnxe = os_memdup(ie, len);
4834 if (!sm->assoc_rsnxe)
4835 return -1;
4836
4837 sm->assoc_rsnxe_len = len;
4838 }
4839
4840 return 0;
4841 }
4842
4843
4844 /**
4845 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
4846 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4847 * @ie: Pointer to IE data (starting from id)
4848 * @len: IE length
4849 * Returns: 0 on success, -1 on failure
4850 *
4851 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
4852 * frame.
4853 */
wpa_sm_set_ap_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)4854 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
4855 {
4856 if (sm == NULL)
4857 return -1;
4858
4859 os_free(sm->ap_wpa_ie);
4860 if (ie == NULL || len == 0) {
4861 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4862 "WPA: clearing AP WPA IE");
4863 sm->ap_wpa_ie = NULL;
4864 sm->ap_wpa_ie_len = 0;
4865 } else {
4866 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
4867 sm->ap_wpa_ie = os_memdup(ie, len);
4868 if (sm->ap_wpa_ie == NULL)
4869 return -1;
4870
4871 sm->ap_wpa_ie_len = len;
4872 }
4873
4874 return 0;
4875 }
4876
4877
4878 /**
4879 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
4880 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4881 * @ie: Pointer to IE data (starting from id)
4882 * @len: IE length
4883 * Returns: 0 on success, -1 on failure
4884 *
4885 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
4886 * frame.
4887 */
wpa_sm_set_ap_rsn_ie(struct wpa_sm * sm,const u8 * ie,size_t len)4888 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
4889 {
4890 if (sm == NULL)
4891 return -1;
4892
4893 os_free(sm->ap_rsn_ie);
4894 if (ie == NULL || len == 0) {
4895 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4896 "WPA: clearing AP RSN IE");
4897 sm->ap_rsn_ie = NULL;
4898 sm->ap_rsn_ie_len = 0;
4899 } else {
4900 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
4901 sm->ap_rsn_ie = os_memdup(ie, len);
4902 if (sm->ap_rsn_ie == NULL)
4903 return -1;
4904
4905 sm->ap_rsn_ie_len = len;
4906 }
4907
4908 return 0;
4909 }
4910
4911
4912 /**
4913 * wpa_sm_set_ap_rsnxe - Set AP RSNXE from Beacon/ProbeResp
4914 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4915 * @ie: Pointer to IE data (starting from id)
4916 * @len: IE length
4917 * Returns: 0 on success, -1 on failure
4918 *
4919 * Inform WPA state machine about the RSNXE used in Beacon / Probe Response
4920 * frame.
4921 */
wpa_sm_set_ap_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)4922 int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
4923 {
4924 if (!sm)
4925 return -1;
4926
4927 os_free(sm->ap_rsnxe);
4928 if (!ie || len == 0) {
4929 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE");
4930 sm->ap_rsnxe = NULL;
4931 sm->ap_rsnxe_len = 0;
4932 } else {
4933 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len);
4934 sm->ap_rsnxe = os_memdup(ie, len);
4935 if (!sm->ap_rsnxe)
4936 return -1;
4937
4938 sm->ap_rsnxe_len = len;
4939 }
4940
4941 return 0;
4942 }
4943
4944
4945 /**
4946 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
4947 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4948 * @data: Pointer to data area for parsing results
4949 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
4950 *
4951 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
4952 * parsed data into data.
4953 */
wpa_sm_parse_own_wpa_ie(struct wpa_sm * sm,struct wpa_ie_data * data)4954 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
4955 {
4956 if (sm == NULL)
4957 return -1;
4958
4959 if (sm->assoc_wpa_ie == NULL) {
4960 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4961 "WPA: No WPA/RSN IE available from association info");
4962 return -1;
4963 }
4964 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
4965 return -2;
4966 return 0;
4967 }
4968
4969
wpa_sm_pmksa_cache_list(struct wpa_sm * sm,char * buf,size_t len)4970 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
4971 {
4972 return pmksa_cache_list(sm->pmksa, buf, len);
4973 }
4974
4975
wpa_sm_pmksa_cache_head(struct wpa_sm * sm)4976 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
4977 {
4978 return pmksa_cache_head(sm->pmksa);
4979 }
4980
4981
4982 struct rsn_pmksa_cache_entry *
wpa_sm_pmksa_cache_add_entry(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)4983 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
4984 struct rsn_pmksa_cache_entry * entry)
4985 {
4986 return pmksa_cache_add_entry(sm->pmksa, entry);
4987 }
4988
4989
wpa_sm_pmksa_cache_add(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid,const u8 * fils_cache_id)4990 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
4991 const u8 *pmkid, const u8 *bssid,
4992 const u8 *fils_cache_id)
4993 {
4994 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
4995 bssid, sm->own_addr, sm->network_ctx,
4996 sm->key_mgmt, fils_cache_id);
4997 }
4998
4999
wpa_sm_pmksa_exists(struct wpa_sm * sm,const u8 * bssid,const u8 * own_addr,const void * network_ctx)5000 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid, const u8 *own_addr,
5001 const void *network_ctx)
5002 {
5003 return pmksa_cache_get(sm->pmksa, bssid, own_addr, NULL, network_ctx,
5004 0) != NULL;
5005 }
5006
5007
wpa_sm_pmksa_cache_get(struct wpa_sm * sm,const u8 * aa,const u8 * pmkid,const void * network_ctx,int akmp)5008 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_get(struct wpa_sm *sm,
5009 const u8 *aa,
5010 const u8 *pmkid,
5011 const void *network_ctx,
5012 int akmp)
5013 {
5014 return pmksa_cache_get(sm->pmksa, aa, sm->own_addr, pmkid, network_ctx,
5015 akmp);
5016 }
5017
5018
wpa_sm_pmksa_cache_remove(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)5019 void wpa_sm_pmksa_cache_remove(struct wpa_sm *sm,
5020 struct rsn_pmksa_cache_entry *entry)
5021 {
5022 if (sm && sm->pmksa)
5023 pmksa_cache_remove(sm->pmksa, entry);
5024 }
5025
5026
wpa_sm_drop_sa(struct wpa_sm * sm)5027 void wpa_sm_drop_sa(struct wpa_sm *sm)
5028 {
5029 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
5030 wpa_sm_clear_ptk(sm);
5031 sm->pmk_len = 0;
5032 os_memset(sm->pmk, 0, sizeof(sm->pmk));
5033 #ifdef CONFIG_IEEE80211R
5034 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
5035 sm->xxkey_len = 0;
5036 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
5037 sm->pmk_r0_len = 0;
5038 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
5039 sm->pmk_r1_len = 0;
5040 #ifdef CONFIG_PASN
5041 os_free(sm->pasn_r1kh);
5042 sm->pasn_r1kh = NULL;
5043 sm->n_pasn_r1kh = 0;
5044 #endif /* CONFIG_PASN */
5045 #endif /* CONFIG_IEEE80211R */
5046 }
5047
5048
5049 #ifdef CONFIG_IEEE80211R
wpa_sm_has_ft_keys(struct wpa_sm * sm,const u8 * md)5050 bool wpa_sm_has_ft_keys(struct wpa_sm *sm, const u8 *md)
5051 {
5052 if (!sm)
5053 return false;
5054 if (!wpa_key_mgmt_ft(sm->key_mgmt) ||
5055 os_memcmp(md, sm->key_mobility_domain,
5056 MOBILITY_DOMAIN_ID_LEN) != 0) {
5057 /* Do not allow FT protocol to be used even if we were to have
5058 * an PTK since the mobility domain has changed. */
5059 return false;
5060 }
5061 return sm->ptk_set;
5062 }
5063 #endif /* CONFIG_IEEE80211R */
5064
5065
wpa_sm_has_ptk_installed(struct wpa_sm * sm)5066 int wpa_sm_has_ptk_installed(struct wpa_sm *sm)
5067 {
5068 if (!sm)
5069 return 0;
5070 return sm->tk_set || sm->ptk.installed;
5071 }
5072
5073
wpa_sm_update_replay_ctr(struct wpa_sm * sm,const u8 * replay_ctr)5074 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
5075 {
5076 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
5077 }
5078
5079
wpa_sm_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)5080 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
5081 {
5082 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, false);
5083 }
5084
5085
wpa_sm_external_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)5086 void wpa_sm_external_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
5087 {
5088 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, true);
5089 }
5090
5091 #if defined(CONFIG_DRIVER_NL80211_BRCM) || defined(CONFIG_DRIVER_NL80211_SYNA)
wpa_sm_install_pmk(struct wpa_sm * sm)5092 void wpa_sm_install_pmk(struct wpa_sm *sm)
5093 {
5094 /* In case the driver wants to handle re-assocs, pass it down the PMK. */
5095 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->pairwise_cipher), NULL, 0, 0, NULL, 0,
5096 (u8*)sm->pmk, sm->pmk_len, KEY_FLAG_PMK) < 0) {
5097 wpa_hexdump(MSG_DEBUG, "PSK: Install PMK to the driver for driver reassociations",
5098 (u8*)sm->pmk, sm->pmk_len);
5099 /* No harm if the driver doesn't support. */
5100 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
5101 "WPA: Failed to set PMK to the driver");
5102 }
5103 }
5104
wpa_sm_notify_brcm_ft_reassoc(struct wpa_sm * sm,const u8 * bssid)5105 void wpa_sm_notify_brcm_ft_reassoc(struct wpa_sm *sm, const u8 *bssid)
5106 {
5107 u8 buf[256];
5108 struct wpa_supplicant *wpa_s = sm->ctx->ctx;
5109
5110 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5111 "WPA: BRCM FT Reassociation event - clear replay counter");
5112 os_memcpy(sm->bssid, bssid, ETH_ALEN);
5113 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
5114 sm->rx_replay_counter_set = 0;
5115
5116 if (wpa_drv_driver_cmd(wpa_s, "GET_FTKEY", (char *)buf, sizeof(buf)) < 0) {
5117 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
5118 "WPA: Failed to get FT KEY information");
5119 wpa_supplicant_deauthenticate(
5120 wpa_s, WLAN_REASON_DEAUTH_LEAVING);
5121
5122 } else {
5123 /* update kck and kek */
5124 os_memcpy(sm->ptk.kck, buf, 16);
5125 os_memcpy(sm->ptk.kek, buf + 16, 16);
5126 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
5127 "WPA: Updated KCK and KEK after FT reassoc");
5128 }
5129 }
5130 #endif /* CONFIG_DRIVER_NL80211_BRCM || CONFIG_DRIVER_NL80211_SYNA */
5131
5132
5133 #ifdef CONFIG_WNM
wpa_wnmsleep_install_key(struct wpa_sm * sm,u8 subelem_id,u8 * buf)5134 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
5135 {
5136 u16 keyinfo;
5137 u8 keylen; /* plaintext key len */
5138 u8 *key_rsc;
5139
5140 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
5141 struct wpa_gtk_data gd;
5142
5143 os_memset(&gd, 0, sizeof(gd));
5144 keylen = wpa_cipher_key_len(sm->group_cipher);
5145 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
5146 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
5147 if (gd.alg == WPA_ALG_NONE) {
5148 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
5149 return -1;
5150 }
5151
5152 key_rsc = buf + 5;
5153 keyinfo = WPA_GET_LE16(buf + 2);
5154 gd.gtk_len = keylen;
5155 if (gd.gtk_len != buf[4]) {
5156 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
5157 gd.gtk_len, buf[4]);
5158 return -1;
5159 }
5160 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
5161 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
5162 sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
5163
5164 os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
5165
5166 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
5167 gd.gtk, gd.gtk_len);
5168 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
5169 forced_memzero(&gd, sizeof(gd));
5170 wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
5171 "WNM mode");
5172 return -1;
5173 }
5174 forced_memzero(&gd, sizeof(gd));
5175 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
5176 const struct wpa_igtk_kde *igtk;
5177
5178 igtk = (const struct wpa_igtk_kde *) (buf + 2);
5179 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
5180 return -1;
5181 } else if (subelem_id == WNM_SLEEP_SUBELEM_BIGTK) {
5182 const struct wpa_bigtk_kde *bigtk;
5183
5184 bigtk = (const struct wpa_bigtk_kde *) (buf + 2);
5185 if (sm->beacon_prot &&
5186 wpa_supplicant_install_bigtk(sm, bigtk, 1) < 0)
5187 return -1;
5188 } else {
5189 wpa_printf(MSG_DEBUG, "Unknown element id");
5190 return -1;
5191 }
5192
5193 return 0;
5194 }
5195 #endif /* CONFIG_WNM */
5196
5197
5198 #ifdef CONFIG_P2P
5199
wpa_sm_get_p2p_ip_addr(struct wpa_sm * sm,u8 * buf)5200 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
5201 {
5202 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
5203 return -1;
5204 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
5205 return 0;
5206 }
5207
5208 #endif /* CONFIG_P2P */
5209
5210
wpa_sm_set_rx_replay_ctr(struct wpa_sm * sm,const u8 * rx_replay_counter)5211 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
5212 {
5213 if (rx_replay_counter == NULL)
5214 return;
5215
5216 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
5217 WPA_REPLAY_COUNTER_LEN);
5218 sm->rx_replay_counter_set = 1;
5219 wpa_printf(MSG_DEBUG, "Updated key replay counter");
5220 }
5221
5222
wpa_sm_set_ptk_kck_kek(struct wpa_sm * sm,const u8 * ptk_kck,size_t ptk_kck_len,const u8 * ptk_kek,size_t ptk_kek_len)5223 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
5224 const u8 *ptk_kck, size_t ptk_kck_len,
5225 const u8 *ptk_kek, size_t ptk_kek_len)
5226 {
5227 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
5228 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
5229 sm->ptk.kck_len = ptk_kck_len;
5230 wpa_printf(MSG_DEBUG, "Updated PTK KCK");
5231 }
5232 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
5233 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
5234 sm->ptk.kek_len = ptk_kek_len;
5235 wpa_printf(MSG_DEBUG, "Updated PTK KEK");
5236 }
5237 sm->ptk_set = 1;
5238 }
5239
5240
5241 #ifdef CONFIG_TESTING_OPTIONS
5242
wpa_sm_set_test_assoc_ie(struct wpa_sm * sm,struct wpabuf * buf)5243 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
5244 {
5245 wpabuf_free(sm->test_assoc_ie);
5246 sm->test_assoc_ie = buf;
5247 }
5248
5249
wpa_sm_get_anonce(struct wpa_sm * sm)5250 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm)
5251 {
5252 return sm->anonce;
5253 }
5254
5255 #endif /* CONFIG_TESTING_OPTIONS */
5256
5257
wpa_sm_get_key_mgmt(struct wpa_sm * sm)5258 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm)
5259 {
5260 return sm->key_mgmt;
5261 }
5262
5263
wpa_sm_get_auth_addr(struct wpa_sm * sm)5264 const u8 * wpa_sm_get_auth_addr(struct wpa_sm *sm)
5265 {
5266 return sm->mlo.valid_links ? sm->mlo.ap_mld_addr : sm->bssid;
5267 }
5268
5269
5270 #ifdef CONFIG_FILS
5271
fils_build_auth(struct wpa_sm * sm,int dh_group,const u8 * md)5272 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md)
5273 {
5274 struct wpabuf *buf = NULL;
5275 struct wpabuf *erp_msg;
5276 struct wpabuf *pub = NULL;
5277
5278 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
5279 if (!erp_msg && !sm->cur_pmksa) {
5280 wpa_printf(MSG_DEBUG,
5281 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
5282 goto fail;
5283 }
5284
5285 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
5286 erp_msg != NULL, sm->cur_pmksa != NULL);
5287
5288 sm->fils_completed = 0;
5289
5290 if (!sm->assoc_wpa_ie) {
5291 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
5292 goto fail;
5293 }
5294
5295 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
5296 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
5297 goto fail;
5298
5299 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
5300 sm->fils_nonce, FILS_NONCE_LEN);
5301 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
5302 sm->fils_session, FILS_SESSION_LEN);
5303
5304 #ifdef CONFIG_FILS_SK_PFS
5305 sm->fils_dh_group = dh_group;
5306 if (dh_group) {
5307 crypto_ecdh_deinit(sm->fils_ecdh);
5308 sm->fils_ecdh = crypto_ecdh_init(dh_group);
5309 if (!sm->fils_ecdh) {
5310 wpa_printf(MSG_INFO,
5311 "FILS: Could not initialize ECDH with group %d",
5312 dh_group);
5313 goto fail;
5314 }
5315 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
5316 if (!pub)
5317 goto fail;
5318 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)",
5319 pub);
5320 sm->fils_dh_elem_len = wpabuf_len(pub);
5321 }
5322 #endif /* CONFIG_FILS_SK_PFS */
5323
5324 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
5325 (pub ? wpabuf_len(pub) : 0));
5326 if (!buf)
5327 goto fail;
5328
5329 /* Fields following the Authentication algorithm number field */
5330
5331 /* Authentication Transaction seq# */
5332 wpabuf_put_le16(buf, 1);
5333
5334 /* Status Code */
5335 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
5336
5337 /* TODO: FILS PK */
5338 #ifdef CONFIG_FILS_SK_PFS
5339 if (dh_group) {
5340 /* Finite Cyclic Group */
5341 wpabuf_put_le16(buf, dh_group);
5342 /* Element */
5343 wpabuf_put_buf(buf, pub);
5344 }
5345 #endif /* CONFIG_FILS_SK_PFS */
5346
5347 /* RSNE */
5348 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
5349 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5350 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5351
5352 if (md) {
5353 /* MDE when using FILS for FT initial association */
5354 struct rsn_mdie *mdie;
5355
5356 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN);
5357 wpabuf_put_u8(buf, sizeof(*mdie));
5358 mdie = wpabuf_put(buf, sizeof(*mdie));
5359 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
5360 mdie->ft_capab = 0;
5361 }
5362
5363 /* FILS Nonce */
5364 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5365 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
5366 /* Element ID Extension */
5367 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
5368 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
5369
5370 /* FILS Session */
5371 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5372 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
5373 /* Element ID Extension */
5374 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
5375 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
5376
5377 /* Wrapped Data */
5378 sm->fils_erp_pmkid_set = 0;
5379 if (erp_msg) {
5380 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5381 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
5382 /* Element ID Extension */
5383 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
5384 wpabuf_put_buf(buf, erp_msg);
5385 /* Calculate pending PMKID here so that we do not need to
5386 * maintain a copy of the EAP-Initiate/Reauth message. */
5387 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
5388 wpabuf_len(erp_msg),
5389 sm->fils_erp_pmkid) == 0)
5390 sm->fils_erp_pmkid_set = 1;
5391 }
5392
5393 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
5394 buf);
5395
5396 fail:
5397 wpabuf_free(erp_msg);
5398 wpabuf_free(pub);
5399 return buf;
5400 }
5401
5402
fils_process_auth(struct wpa_sm * sm,const u8 * bssid,const u8 * data,size_t len)5403 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
5404 size_t len)
5405 {
5406 const u8 *pos, *end;
5407 struct ieee802_11_elems elems;
5408 struct wpa_ie_data rsn;
5409 int pmkid_match = 0;
5410 u8 ick[FILS_ICK_MAX_LEN];
5411 size_t ick_len;
5412 int res;
5413 struct wpabuf *dh_ss = NULL;
5414 const u8 *g_sta = NULL;
5415 size_t g_sta_len = 0;
5416 const u8 *g_ap = NULL;
5417 size_t g_ap_len = 0, kdk_len;
5418 struct wpabuf *pub = NULL;
5419 #ifdef CONFIG_IEEE80211R
5420 struct wpa_ft_ies parse;
5421
5422 os_memset(&parse, 0, sizeof(parse));
5423 #endif /* CONFIG_IEEE80211R */
5424
5425 os_memcpy(sm->bssid, bssid, ETH_ALEN);
5426
5427 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
5428 data, len);
5429 pos = data;
5430 end = data + len;
5431
5432 /* TODO: FILS PK */
5433 #ifdef CONFIG_FILS_SK_PFS
5434 if (sm->fils_dh_group) {
5435 u16 group;
5436
5437 /* Using FILS PFS */
5438
5439 /* Finite Cyclic Group */
5440 if (end - pos < 2) {
5441 wpa_printf(MSG_DEBUG,
5442 "FILS: No room for Finite Cyclic Group");
5443 goto fail;
5444 }
5445 group = WPA_GET_LE16(pos);
5446 pos += 2;
5447 if (group != sm->fils_dh_group) {
5448 wpa_printf(MSG_DEBUG,
5449 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
5450 group, sm->fils_dh_group);
5451 goto fail;
5452 }
5453
5454 /* Element */
5455 if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
5456 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
5457 goto fail;
5458 }
5459
5460 if (!sm->fils_ecdh) {
5461 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available");
5462 goto fail;
5463 }
5464 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
5465 sm->fils_dh_elem_len);
5466 if (!dh_ss) {
5467 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
5468 goto fail;
5469 }
5470 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss);
5471 g_ap = pos;
5472 g_ap_len = sm->fils_dh_elem_len;
5473 pos += sm->fils_dh_elem_len;
5474 }
5475 #endif /* CONFIG_FILS_SK_PFS */
5476
5477 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
5478 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
5479 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
5480 goto fail;
5481 }
5482
5483 /* RSNE */
5484 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
5485 elems.rsn_ie_len);
5486 if (!elems.rsn_ie ||
5487 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
5488 &rsn) < 0) {
5489 wpa_printf(MSG_DEBUG, "FILS: No RSN element");
5490 goto fail;
5491 }
5492
5493 if (!elems.fils_nonce) {
5494 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
5495 goto fail;
5496 }
5497 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
5498 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
5499
5500 #ifdef CONFIG_IEEE80211R
5501 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
5502 if (!elems.mdie || !elems.ftie) {
5503 wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE");
5504 goto fail;
5505 }
5506
5507 if (wpa_ft_parse_ies(pos, end - pos, &parse,
5508 sm->key_mgmt, false) < 0) {
5509 wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs");
5510 goto fail;
5511 }
5512
5513 if (!parse.r0kh_id) {
5514 wpa_printf(MSG_DEBUG,
5515 "FILS+FT: No R0KH-ID subelem in FTE");
5516 goto fail;
5517 }
5518 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
5519 sm->r0kh_id_len = parse.r0kh_id_len;
5520 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
5521 sm->r0kh_id, sm->r0kh_id_len);
5522
5523 if (!parse.r1kh_id) {
5524 wpa_printf(MSG_DEBUG,
5525 "FILS+FT: No R1KH-ID subelem in FTE");
5526 goto fail;
5527 }
5528 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
5529 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID",
5530 sm->r1kh_id, FT_R1KH_ID_LEN);
5531
5532 /* TODO: Check MDE and FTE payload */
5533
5534 wpabuf_free(sm->fils_ft_ies);
5535 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len +
5536 2 + elems.ftie_len);
5537 if (!sm->fils_ft_ies)
5538 goto fail;
5539 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2,
5540 2 + elems.mdie_len);
5541 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2,
5542 2 + elems.ftie_len);
5543 } else {
5544 wpabuf_free(sm->fils_ft_ies);
5545 sm->fils_ft_ies = NULL;
5546 }
5547 #endif /* CONFIG_IEEE80211R */
5548
5549 /* PMKID List */
5550 if (rsn.pmkid && rsn.num_pmkid > 0) {
5551 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
5552 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
5553
5554 if (rsn.num_pmkid != 1) {
5555 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
5556 goto fail;
5557 }
5558 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
5559 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
5560 {
5561 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
5562 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
5563 sm->cur_pmksa->pmkid, PMKID_LEN);
5564 goto fail;
5565 }
5566 wpa_printf(MSG_DEBUG,
5567 "FILS: Matching PMKID - continue using PMKSA caching");
5568 pmkid_match = 1;
5569 }
5570 if (!pmkid_match && sm->cur_pmksa) {
5571 wpa_printf(MSG_DEBUG,
5572 "FILS: No PMKID match - cannot use cached PMKSA entry");
5573 sm->cur_pmksa = NULL;
5574 }
5575
5576 /* FILS Session */
5577 if (!elems.fils_session) {
5578 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
5579 goto fail;
5580 }
5581 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
5582 FILS_SESSION_LEN);
5583 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
5584 != 0) {
5585 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
5586 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
5587 sm->fils_session, FILS_SESSION_LEN);
5588 goto fail;
5589 }
5590
5591 /* Wrapped Data */
5592 if (!sm->cur_pmksa && elems.wrapped_data) {
5593 u8 rmsk[ERP_MAX_KEY_LEN];
5594 size_t rmsk_len;
5595
5596 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
5597 elems.wrapped_data,
5598 elems.wrapped_data_len);
5599 eapol_sm_process_erp_finish(sm->eapol, elems.wrapped_data,
5600 elems.wrapped_data_len);
5601 if (eapol_sm_failed(sm->eapol))
5602 goto fail;
5603
5604 rmsk_len = ERP_MAX_KEY_LEN;
5605 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
5606 if (res == PMK_LEN) {
5607 rmsk_len = PMK_LEN;
5608 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
5609 }
5610 if (res)
5611 goto fail;
5612
5613 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
5614 sm->fils_nonce, sm->fils_anonce,
5615 dh_ss ? wpabuf_head(dh_ss) : NULL,
5616 dh_ss ? wpabuf_len(dh_ss) : 0,
5617 sm->pmk, &sm->pmk_len);
5618 forced_memzero(rmsk, sizeof(rmsk));
5619
5620 /* Don't use DHss in PTK derivation if PMKSA caching is not
5621 * used. */
5622 wpabuf_clear_free(dh_ss);
5623 dh_ss = NULL;
5624
5625 if (res)
5626 goto fail;
5627
5628 if (!sm->fils_erp_pmkid_set) {
5629 wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
5630 goto fail;
5631 }
5632 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
5633 PMKID_LEN);
5634 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
5635 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
5636 sm->fils_erp_pmkid, NULL, 0,
5637 sm->bssid, sm->own_addr,
5638 sm->network_ctx, sm->key_mgmt,
5639 NULL);
5640 }
5641
5642 if (!sm->cur_pmksa) {
5643 wpa_printf(MSG_DEBUG,
5644 "FILS: No remaining options to continue FILS authentication");
5645 goto fail;
5646 }
5647
5648 if (sm->force_kdk_derivation ||
5649 (sm->secure_ltf &&
5650 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
5651 kdk_len = WPA_KDK_MAX_LEN;
5652 else
5653 kdk_len = 0;
5654
5655 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr,
5656 wpa_sm_get_auth_addr(sm),
5657 sm->fils_nonce, sm->fils_anonce,
5658 dh_ss ? wpabuf_head(dh_ss) : NULL,
5659 dh_ss ? wpabuf_len(dh_ss) : 0,
5660 &sm->ptk, ick, &ick_len,
5661 sm->key_mgmt, sm->pairwise_cipher,
5662 sm->fils_ft, &sm->fils_ft_len,
5663 kdk_len) < 0) {
5664 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
5665 goto fail;
5666 }
5667
5668 #ifdef CONFIG_PASN
5669 if (sm->secure_ltf &&
5670 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
5671 wpa_ltf_keyseed(&sm->ptk, sm->key_mgmt, sm->pairwise_cipher)) {
5672 wpa_printf(MSG_DEBUG, "FILS: Failed to derive LTF keyseed");
5673 goto fail;
5674 }
5675 #endif /* CONFIG_PASN */
5676
5677 wpabuf_clear_free(dh_ss);
5678 dh_ss = NULL;
5679
5680 sm->ptk_set = 1;
5681 sm->tptk_set = 0;
5682 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
5683
5684 #ifdef CONFIG_FILS_SK_PFS
5685 if (sm->fils_dh_group) {
5686 if (!sm->fils_ecdh) {
5687 wpa_printf(MSG_INFO, "FILS: ECDH not initialized");
5688 goto fail;
5689 }
5690 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
5691 if (!pub)
5692 goto fail;
5693 wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub);
5694 g_sta = wpabuf_head(pub);
5695 g_sta_len = wpabuf_len(pub);
5696 if (!g_ap) {
5697 wpa_printf(MSG_INFO, "FILS: gAP not available");
5698 goto fail;
5699 }
5700 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
5701 }
5702 #endif /* CONFIG_FILS_SK_PFS */
5703
5704 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
5705 sm->fils_anonce, sm->own_addr, sm->bssid,
5706 g_sta, g_sta_len, g_ap, g_ap_len,
5707 sm->key_mgmt, sm->fils_key_auth_sta,
5708 sm->fils_key_auth_ap,
5709 &sm->fils_key_auth_len);
5710 wpabuf_free(pub);
5711 forced_memzero(ick, sizeof(ick));
5712 #ifdef CONFIG_IEEE80211R
5713 wpa_ft_parse_ies_free(&parse);
5714 #endif /* CONFIG_IEEE80211R */
5715 return res;
5716 fail:
5717 wpabuf_free(pub);
5718 wpabuf_clear_free(dh_ss);
5719 #ifdef CONFIG_IEEE80211R
5720 wpa_ft_parse_ies_free(&parse);
5721 #endif /* CONFIG_IEEE80211R */
5722 return -1;
5723 }
5724
5725
5726 #ifdef CONFIG_IEEE80211R
fils_ft_build_assoc_req_rsne(struct wpa_sm * sm,struct wpabuf * buf)5727 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf)
5728 {
5729 struct rsn_ie_hdr *rsnie;
5730 u16 capab;
5731 u8 *pos;
5732 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
5733
5734 /* RSNIE[PMKR0Name/PMKR1Name] */
5735 rsnie = wpabuf_put(buf, sizeof(*rsnie));
5736 rsnie->elem_id = WLAN_EID_RSN;
5737 WPA_PUT_LE16(rsnie->version, RSN_VERSION);
5738
5739 /* Group Suite Selector */
5740 if (!wpa_cipher_valid_group(sm->group_cipher)) {
5741 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
5742 sm->group_cipher);
5743 return -1;
5744 }
5745 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
5746 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
5747 sm->group_cipher));
5748
5749 /* Pairwise Suite Count */
5750 wpabuf_put_le16(buf, 1);
5751
5752 /* Pairwise Suite List */
5753 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
5754 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
5755 sm->pairwise_cipher);
5756 return -1;
5757 }
5758 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
5759 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
5760 sm->pairwise_cipher));
5761
5762 /* Authenticated Key Management Suite Count */
5763 wpabuf_put_le16(buf, 1);
5764
5765 /* Authenticated Key Management Suite List */
5766 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
5767 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
5768 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
5769 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384)
5770 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
5771 else {
5772 wpa_printf(MSG_WARNING,
5773 "FILS+FT: Invalid key management type (%d)",
5774 sm->key_mgmt);
5775 return -1;
5776 }
5777
5778 /* RSN Capabilities */
5779 capab = 0;
5780 if (sm->mfp)
5781 capab |= WPA_CAPABILITY_MFPC;
5782 if (sm->mfp == 2)
5783 capab |= WPA_CAPABILITY_MFPR;
5784 if (sm->ocv)
5785 capab |= WPA_CAPABILITY_OCVC;
5786 if (sm->ext_key_id)
5787 capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST;
5788 wpabuf_put_le16(buf, capab);
5789
5790 /* PMKID Count */
5791 wpabuf_put_le16(buf, 1);
5792
5793 /* PMKID List [PMKR1Name] */
5794 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)",
5795 sm->fils_ft, sm->fils_ft_len);
5796 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len);
5797 wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID",
5798 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
5799 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
5800 sm->r0kh_id, sm->r0kh_id_len);
5801 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid,
5802 sm->ssid_len, sm->mobility_domain,
5803 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
5804 sm->pmk_r0, sm->pmk_r0_name, sm->key_mgmt) < 0) {
5805 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0");
5806 return -1;
5807 }
5808 if (wpa_key_mgmt_sae_ext_key(sm->key_mgmt))
5809 sm->pmk_r0_len = sm->fils_ft_len;
5810 else
5811 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
5812 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR,
5813 MAC2STR(sm->r1kh_id));
5814 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
5815 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
5816 sm->pmk_r1_name, sm->fils_ft_len) < 0) {
5817 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
5818 return -1;
5819 }
5820 os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN);
5821
5822 os_memcpy(sm->key_mobility_domain, sm->mobility_domain,
5823 MOBILITY_DOMAIN_ID_LEN);
5824
5825 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
5826 /* Management Group Cipher Suite */
5827 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
5828 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
5829 }
5830
5831 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2;
5832 return 0;
5833 }
5834 #endif /* CONFIG_IEEE80211R */
5835
5836
fils_build_assoc_req(struct wpa_sm * sm,const u8 ** kek,size_t * kek_len,const u8 ** snonce,const u8 ** anonce,const struct wpabuf ** hlp,unsigned int num_hlp)5837 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
5838 size_t *kek_len, const u8 **snonce,
5839 const u8 **anonce,
5840 const struct wpabuf **hlp,
5841 unsigned int num_hlp)
5842 {
5843 struct wpabuf *buf;
5844 size_t len;
5845 unsigned int i;
5846
5847 len = 1000;
5848 #ifdef CONFIG_IEEE80211R
5849 if (sm->fils_ft_ies)
5850 len += wpabuf_len(sm->fils_ft_ies);
5851 if (wpa_key_mgmt_ft(sm->key_mgmt))
5852 len += 256;
5853 #endif /* CONFIG_IEEE80211R */
5854 for (i = 0; hlp && i < num_hlp; i++)
5855 len += 10 + wpabuf_len(hlp[i]);
5856 buf = wpabuf_alloc(len);
5857 if (!buf)
5858 return NULL;
5859
5860 #ifdef CONFIG_IEEE80211R
5861 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
5862 /* MDE and FTE when using FILS+FT */
5863 wpabuf_put_buf(buf, sm->fils_ft_ies);
5864 /* RSNE with PMKR1Name in PMKID field */
5865 if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) {
5866 wpabuf_free(buf);
5867 return NULL;
5868 }
5869 }
5870 #endif /* CONFIG_IEEE80211R */
5871
5872 /* FILS Session */
5873 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5874 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
5875 /* Element ID Extension */
5876 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
5877 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
5878
5879 /* Everything after FILS Session element gets encrypted in the driver
5880 * with KEK. The buffer returned from here is the plaintext version. */
5881
5882 /* TODO: FILS Public Key */
5883
5884 /* FILS Key Confirm */
5885 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5886 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
5887 /* Element ID Extension */
5888 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
5889 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
5890
5891 /* FILS HLP Container */
5892 for (i = 0; hlp && i < num_hlp; i++) {
5893 const u8 *pos = wpabuf_head(hlp[i]);
5894 size_t left = wpabuf_len(hlp[i]);
5895
5896 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5897 if (left <= 254)
5898 len = 1 + left;
5899 else
5900 len = 255;
5901 wpabuf_put_u8(buf, len); /* Length */
5902 /* Element ID Extension */
5903 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
5904 /* Destination MAC Address, Source MAC Address, HLP Packet.
5905 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
5906 * header when LPD is used). */
5907 wpabuf_put_data(buf, pos, len - 1);
5908 pos += len - 1;
5909 left -= len - 1;
5910 while (left) {
5911 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
5912 len = left > 255 ? 255 : left;
5913 wpabuf_put_u8(buf, len);
5914 wpabuf_put_data(buf, pos, len);
5915 pos += len;
5916 left -= len;
5917 }
5918 }
5919
5920 /* TODO: FILS IP Address Assignment */
5921
5922 #ifdef CONFIG_OCV
5923 if (wpa_sm_ocv_enabled(sm)) {
5924 struct wpa_channel_info ci;
5925 u8 *pos;
5926
5927 if (wpa_sm_channel_info(sm, &ci) != 0) {
5928 wpa_printf(MSG_WARNING,
5929 "FILS: Failed to get channel info for OCI element");
5930 wpabuf_free(buf);
5931 return NULL;
5932 }
5933 #ifdef CONFIG_TESTING_OPTIONS
5934 if (sm->oci_freq_override_fils_assoc) {
5935 wpa_printf(MSG_INFO,
5936 "TEST: Override OCI KDE frequency %d -> %d MHz",
5937 ci.frequency,
5938 sm->oci_freq_override_fils_assoc);
5939 ci.frequency = sm->oci_freq_override_fils_assoc;
5940 }
5941 #endif /* CONFIG_TESTING_OPTIONS */
5942
5943 pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN);
5944 if (ocv_insert_extended_oci(&ci, pos) < 0) {
5945 wpabuf_free(buf);
5946 return NULL;
5947 }
5948 }
5949 #endif /* CONFIG_OCV */
5950
5951 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
5952
5953 *kek = sm->ptk.kek;
5954 *kek_len = sm->ptk.kek_len;
5955 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
5956 *snonce = sm->fils_nonce;
5957 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
5958 *snonce, FILS_NONCE_LEN);
5959 *anonce = sm->fils_anonce;
5960 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
5961 *anonce, FILS_NONCE_LEN);
5962
5963 return buf;
5964 }
5965
5966
fils_process_hlp_resp(struct wpa_sm * sm,const u8 * resp,size_t len)5967 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
5968 {
5969 const u8 *pos, *end;
5970
5971 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
5972 if (len < 2 * ETH_ALEN)
5973 return;
5974 pos = resp + 2 * ETH_ALEN;
5975 end = resp + len;
5976 if (end - pos >= 6 &&
5977 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
5978 pos += 6; /* Remove SNAP/LLC header */
5979 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
5980 }
5981
5982
fils_process_hlp_container(struct wpa_sm * sm,const u8 * pos,size_t len)5983 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
5984 size_t len)
5985 {
5986 const u8 *end = pos + len;
5987 u8 *tmp, *tmp_pos;
5988
5989 /* Check if there are any FILS HLP Container elements */
5990 while (end - pos >= 2) {
5991 if (2 + pos[1] > end - pos)
5992 return;
5993 if (pos[0] == WLAN_EID_EXTENSION &&
5994 pos[1] >= 1 + 2 * ETH_ALEN &&
5995 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
5996 break;
5997 pos += 2 + pos[1];
5998 }
5999 if (end - pos < 2)
6000 return; /* No FILS HLP Container elements */
6001
6002 tmp = os_malloc(end - pos);
6003 if (!tmp)
6004 return;
6005
6006 while (end - pos >= 2) {
6007 if (2 + pos[1] > end - pos ||
6008 pos[0] != WLAN_EID_EXTENSION ||
6009 pos[1] < 1 + 2 * ETH_ALEN ||
6010 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
6011 break;
6012 tmp_pos = tmp;
6013 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
6014 tmp_pos += pos[1] - 1;
6015 pos += 2 + pos[1];
6016
6017 /* Add possible fragments */
6018 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
6019 2 + pos[1] <= end - pos) {
6020 os_memcpy(tmp_pos, pos + 2, pos[1]);
6021 tmp_pos += pos[1];
6022 pos += 2 + pos[1];
6023 }
6024
6025 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
6026 }
6027
6028 os_free(tmp);
6029 }
6030
6031
fils_process_assoc_resp(struct wpa_sm * sm,const u8 * resp,size_t len)6032 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
6033 {
6034 const struct ieee80211_mgmt *mgmt;
6035 const u8 *end, *ie_start;
6036 struct ieee802_11_elems elems;
6037 int keylen, rsclen;
6038 enum wpa_alg alg;
6039 struct wpa_gtk_data gd;
6040 int maxkeylen;
6041 struct wpa_eapol_ie_parse kde;
6042
6043 if (!sm || !sm->ptk_set) {
6044 wpa_printf(MSG_DEBUG, "FILS: No KEK available");
6045 return -1;
6046 }
6047
6048 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
6049 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
6050 return -1;
6051 }
6052
6053 if (sm->fils_completed) {
6054 wpa_printf(MSG_DEBUG,
6055 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
6056 return -1;
6057 }
6058
6059 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
6060 resp, len);
6061
6062 mgmt = (const struct ieee80211_mgmt *) resp;
6063 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
6064 return -1;
6065
6066 end = resp + len;
6067 /* Same offset for Association Response and Reassociation Response */
6068 ie_start = mgmt->u.assoc_resp.variable;
6069
6070 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
6071 ParseFailed) {
6072 wpa_printf(MSG_DEBUG,
6073 "FILS: Failed to parse decrypted elements");
6074 goto fail;
6075 }
6076
6077 if (!elems.fils_session) {
6078 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
6079 return -1;
6080 }
6081 if (os_memcmp(elems.fils_session, sm->fils_session,
6082 FILS_SESSION_LEN) != 0) {
6083 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
6084 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
6085 elems.fils_session, FILS_SESSION_LEN);
6086 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
6087 sm->fils_session, FILS_SESSION_LEN);
6088 }
6089
6090 if (!elems.rsn_ie) {
6091 wpa_printf(MSG_DEBUG,
6092 "FILS: No RSNE in (Re)Association Response");
6093 /* As an interop workaround, allow this for now since IEEE Std
6094 * 802.11ai-2016 did not include all the needed changes to make
6095 * a FILS AP include RSNE in the frame. This workaround might
6096 * eventually be removed and replaced with rejection (goto fail)
6097 * to follow a strict interpretation of the standard. */
6098 } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
6099 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
6100 elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
6101 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
6102 "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
6103 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
6104 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
6105 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
6106 elems.rsn_ie, elems.rsn_ie_len);
6107 goto fail;
6108 }
6109
6110 /* TODO: FILS Public Key */
6111
6112 if (!elems.fils_key_confirm) {
6113 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
6114 goto fail;
6115 }
6116 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
6117 wpa_printf(MSG_DEBUG,
6118 "FILS: Unexpected Key-Auth length %d (expected %d)",
6119 elems.fils_key_confirm_len,
6120 (int) sm->fils_key_auth_len);
6121 goto fail;
6122 }
6123 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
6124 sm->fils_key_auth_len) != 0) {
6125 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
6126 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
6127 elems.fils_key_confirm,
6128 elems.fils_key_confirm_len);
6129 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
6130 sm->fils_key_auth_ap, sm->fils_key_auth_len);
6131 goto fail;
6132 }
6133
6134 #ifdef CONFIG_OCV
6135 if (wpa_sm_ocv_enabled(sm)) {
6136 struct wpa_channel_info ci;
6137
6138 if (wpa_sm_channel_info(sm, &ci) != 0) {
6139 wpa_printf(MSG_WARNING,
6140 "Failed to get channel info to validate received OCI in FILS (Re)Association Response frame");
6141 goto fail;
6142 }
6143
6144 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
6145 channel_width_to_int(ci.chanwidth),
6146 ci.seg1_idx) != OCI_SUCCESS) {
6147 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
6148 "addr=" MACSTR " frame=fils-assoc error=%s",
6149 MAC2STR(sm->bssid), ocv_errorstr);
6150 goto fail;
6151 }
6152 }
6153 #endif /* CONFIG_OCV */
6154
6155 #ifdef CONFIG_IEEE80211R
6156 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
6157 struct wpa_ie_data rsn;
6158
6159 /* Check that PMKR1Name derived by the AP matches */
6160 if (!elems.rsn_ie ||
6161 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
6162 &rsn) < 0 ||
6163 !rsn.pmkid || rsn.num_pmkid != 1 ||
6164 os_memcmp(rsn.pmkid, sm->pmk_r1_name,
6165 WPA_PMK_NAME_LEN) != 0) {
6166 wpa_printf(MSG_DEBUG,
6167 "FILS+FT: No RSNE[PMKR1Name] match in AssocResp");
6168 goto fail;
6169 }
6170 }
6171 #endif /* CONFIG_IEEE80211R */
6172
6173 /* Key Delivery */
6174 if (!elems.key_delivery) {
6175 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
6176 goto fail;
6177 }
6178
6179 /* Parse GTK and set the key to the driver */
6180 os_memset(&gd, 0, sizeof(gd));
6181 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
6182 elems.key_delivery_len - WPA_KEY_RSC_LEN,
6183 &kde) < 0) {
6184 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
6185 goto fail;
6186 }
6187 if (!kde.gtk) {
6188 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
6189 goto fail;
6190 }
6191 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
6192 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
6193 gd.gtk_len, maxkeylen,
6194 &gd.key_rsc_len, &gd.alg))
6195 goto fail;
6196
6197 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
6198 gd.keyidx = kde.gtk[0] & 0x3;
6199 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
6200 !!(kde.gtk[0] & BIT(2)));
6201 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
6202 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
6203 (unsigned long) kde.gtk_len - 2);
6204 goto fail;
6205 }
6206 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
6207
6208 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
6209 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
6210 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
6211 goto fail;
6212 }
6213
6214 if (ieee80211w_set_keys(sm, &kde) < 0) {
6215 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
6216 goto fail;
6217 }
6218
6219 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
6220 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
6221 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
6222 wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
6223 keylen, (long unsigned int) sm->ptk.tk_len);
6224 goto fail;
6225 }
6226
6227 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
6228 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
6229 sm->ptk.tk, keylen);
6230 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm), 0, 1,
6231 null_rsc, rsclen,
6232 sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE_RX_TX) < 0) {
6233 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
6234 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d auth_addr="
6235 MACSTR ")",
6236 alg, keylen, MAC2STR(wpa_sm_get_auth_addr(sm)));
6237 goto fail;
6238 }
6239
6240 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
6241 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
6242
6243 /* TODO: TK could be cleared after auth frame exchange now that driver
6244 * takes care of association frame encryption/decryption. */
6245 /* TK is not needed anymore in supplicant */
6246 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
6247 sm->ptk.tk_len = 0;
6248 sm->ptk.installed = 1;
6249 sm->tk_set = true;
6250
6251 /* FILS HLP Container */
6252 fils_process_hlp_container(sm, ie_start, end - ie_start);
6253
6254 /* TODO: FILS IP Address Assignment */
6255
6256 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
6257 sm->fils_completed = 1;
6258 forced_memzero(&gd, sizeof(gd));
6259
6260 if (kde.transition_disable)
6261 wpa_sm_transition_disable(sm, kde.transition_disable[0]);
6262
6263 return 0;
6264 fail:
6265 forced_memzero(&gd, sizeof(gd));
6266 return -1;
6267 }
6268
6269
wpa_sm_set_reset_fils_completed(struct wpa_sm * sm,int set)6270 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set)
6271 {
6272 if (sm)
6273 sm->fils_completed = !!set;
6274 }
6275
6276 #endif /* CONFIG_FILS */
6277
6278
wpa_fils_is_completed(struct wpa_sm * sm)6279 int wpa_fils_is_completed(struct wpa_sm *sm)
6280 {
6281 #ifdef CONFIG_FILS
6282 return sm && sm->fils_completed;
6283 #else /* CONFIG_FILS */
6284 return 0;
6285 #endif /* CONFIG_FILS */
6286 }
6287
6288
6289 #ifdef CONFIG_OWE
6290
owe_build_assoc_req(struct wpa_sm * sm,u16 group)6291 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group)
6292 {
6293 struct wpabuf *ie = NULL, *pub = NULL;
6294 size_t prime_len;
6295
6296 if (group == 19)
6297 prime_len = 32;
6298 else if (group == 20)
6299 prime_len = 48;
6300 else if (group == 21)
6301 prime_len = 66;
6302 else
6303 return NULL;
6304
6305 crypto_ecdh_deinit(sm->owe_ecdh);
6306 sm->owe_ecdh = crypto_ecdh_init(group);
6307 if (!sm->owe_ecdh)
6308 goto fail;
6309 sm->owe_group = group;
6310 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
6311 pub = wpabuf_zeropad(pub, prime_len);
6312 if (!pub)
6313 goto fail;
6314
6315 ie = wpabuf_alloc(5 + wpabuf_len(pub));
6316 if (!ie)
6317 goto fail;
6318 wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
6319 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
6320 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
6321 wpabuf_put_le16(ie, group);
6322 wpabuf_put_buf(ie, pub);
6323 wpabuf_free(pub);
6324 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
6325 ie);
6326
6327 return ie;
6328 fail:
6329 wpabuf_free(pub);
6330 crypto_ecdh_deinit(sm->owe_ecdh);
6331 sm->owe_ecdh = NULL;
6332 return NULL;
6333 }
6334
6335
owe_process_assoc_resp(struct wpa_sm * sm,const u8 * bssid,const u8 * resp_ies,size_t resp_ies_len)6336 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
6337 const u8 *resp_ies, size_t resp_ies_len)
6338 {
6339 struct ieee802_11_elems elems;
6340 u16 group;
6341 struct wpabuf *secret, *pub, *hkey;
6342 int res;
6343 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
6344 const char *info = "OWE Key Generation";
6345 const u8 *addr[2];
6346 size_t len[2];
6347 size_t hash_len, prime_len;
6348 struct wpa_ie_data data;
6349
6350 if (!resp_ies ||
6351 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
6352 ParseFailed) {
6353 wpa_printf(MSG_INFO,
6354 "OWE: Could not parse Association Response frame elements");
6355 return -1;
6356 }
6357
6358 if (sm->cur_pmksa && elems.rsn_ie &&
6359 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len,
6360 &data) == 0 &&
6361 data.num_pmkid == 1 && data.pmkid &&
6362 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) {
6363 wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching");
6364 wpa_sm_set_pmk_from_pmksa(sm);
6365 return 0;
6366 }
6367
6368 if (!elems.owe_dh) {
6369 wpa_printf(MSG_INFO,
6370 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
6371 return -1;
6372 }
6373
6374 group = WPA_GET_LE16(elems.owe_dh);
6375 if (group != sm->owe_group) {
6376 wpa_printf(MSG_INFO,
6377 "OWE: Unexpected Diffie-Hellman group in response: %u",
6378 group);
6379 return -1;
6380 }
6381
6382 if (!sm->owe_ecdh) {
6383 wpa_printf(MSG_INFO, "OWE: No ECDH state available");
6384 return -1;
6385 }
6386
6387 if (group == 19)
6388 prime_len = 32;
6389 else if (group == 20)
6390 prime_len = 48;
6391 else if (group == 21)
6392 prime_len = 66;
6393 else
6394 return -1;
6395
6396 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
6397 elems.owe_dh + 2,
6398 elems.owe_dh_len - 2);
6399 secret = wpabuf_zeropad(secret, prime_len);
6400 if (!secret) {
6401 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
6402 return -1;
6403 }
6404 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
6405
6406 /* prk = HKDF-extract(C | A | group, z) */
6407
6408 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
6409 if (!pub) {
6410 wpabuf_clear_free(secret);
6411 return -1;
6412 }
6413
6414 /* PMKID = Truncate-128(Hash(C | A)) */
6415 addr[0] = wpabuf_head(pub);
6416 len[0] = wpabuf_len(pub);
6417 addr[1] = elems.owe_dh + 2;
6418 len[1] = elems.owe_dh_len - 2;
6419 if (group == 19) {
6420 res = sha256_vector(2, addr, len, pmkid);
6421 hash_len = SHA256_MAC_LEN;
6422 } else if (group == 20) {
6423 res = sha384_vector(2, addr, len, pmkid);
6424 hash_len = SHA384_MAC_LEN;
6425 } else if (group == 21) {
6426 res = sha512_vector(2, addr, len, pmkid);
6427 hash_len = SHA512_MAC_LEN;
6428 } else {
6429 res = -1;
6430 hash_len = 0;
6431 }
6432 pub = wpabuf_zeropad(pub, prime_len);
6433 if (res < 0 || !pub) {
6434 wpabuf_free(pub);
6435 wpabuf_clear_free(secret);
6436 return -1;
6437 }
6438
6439 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
6440 if (!hkey) {
6441 wpabuf_free(pub);
6442 wpabuf_clear_free(secret);
6443 return -1;
6444 }
6445
6446 wpabuf_put_buf(hkey, pub); /* C */
6447 wpabuf_free(pub);
6448 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
6449 wpabuf_put_le16(hkey, sm->owe_group); /* group */
6450 if (group == 19)
6451 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
6452 wpabuf_head(secret), wpabuf_len(secret), prk);
6453 else if (group == 20)
6454 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
6455 wpabuf_head(secret), wpabuf_len(secret), prk);
6456 else if (group == 21)
6457 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
6458 wpabuf_head(secret), wpabuf_len(secret), prk);
6459 wpabuf_clear_free(hkey);
6460 wpabuf_clear_free(secret);
6461 if (res < 0)
6462 return -1;
6463
6464 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
6465
6466 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
6467
6468 if (group == 19)
6469 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
6470 os_strlen(info), sm->pmk, hash_len);
6471 else if (group == 20)
6472 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
6473 os_strlen(info), sm->pmk, hash_len);
6474 else if (group == 21)
6475 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
6476 os_strlen(info), sm->pmk, hash_len);
6477 forced_memzero(prk, SHA512_MAC_LEN);
6478 if (res < 0) {
6479 sm->pmk_len = 0;
6480 return -1;
6481 }
6482 sm->pmk_len = hash_len;
6483
6484 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
6485 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
6486 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
6487 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
6488 NULL);
6489
6490 return 0;
6491 }
6492
6493 #endif /* CONFIG_OWE */
6494
6495
wpa_sm_set_fils_cache_id(struct wpa_sm * sm,const u8 * fils_cache_id)6496 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id)
6497 {
6498 #ifdef CONFIG_FILS
6499 if (sm && fils_cache_id) {
6500 sm->fils_cache_id_set = 1;
6501 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN);
6502 }
6503 #endif /* CONFIG_FILS */
6504 }
6505
6506
6507 #ifdef CONFIG_DPP2
wpa_sm_set_dpp_z(struct wpa_sm * sm,const struct wpabuf * z)6508 void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z)
6509 {
6510 if (sm) {
6511 wpabuf_clear_free(sm->dpp_z);
6512 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
6513 }
6514 }
6515 #endif /* CONFIG_DPP2 */
6516
6517
6518 #ifdef CONFIG_PASN
6519
wpa_pasn_sm_set_caps(struct wpa_sm * sm,unsigned int flags2)6520 void wpa_pasn_sm_set_caps(struct wpa_sm *sm, unsigned int flags2)
6521 {
6522 if (flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_STA)
6523 sm->secure_ltf = 1;
6524 if (flags2 & WPA_DRIVER_FLAGS2_SEC_RTT_STA)
6525 sm->secure_rtt = 1;
6526 if (flags2 & WPA_DRIVER_FLAGS2_PROT_RANGE_NEG_STA)
6527 sm->prot_range_neg = 1;
6528 }
6529
6530 #endif /* CONFIG_PASN */
6531
6532
wpa_sm_pmksa_cache_reconfig(struct wpa_sm * sm)6533 void wpa_sm_pmksa_cache_reconfig(struct wpa_sm *sm)
6534 {
6535 if (sm)
6536 pmksa_cache_reconfig(sm->pmksa);
6537 }
6538
6539
wpa_sm_get_pmksa_cache(struct wpa_sm * sm)6540 struct rsn_pmksa_cache * wpa_sm_get_pmksa_cache(struct wpa_sm *sm)
6541 {
6542 return sm ? sm->pmksa : NULL;
6543 }
6544
6545
wpa_sm_set_cur_pmksa(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)6546 void wpa_sm_set_cur_pmksa(struct wpa_sm *sm,
6547 struct rsn_pmksa_cache_entry *entry)
6548 {
6549 if (sm)
6550 sm->cur_pmksa = entry;
6551 }
6552
6553
wpa_sm_set_driver_bss_selection(struct wpa_sm * sm,bool driver_bss_selection)6554 void wpa_sm_set_driver_bss_selection(struct wpa_sm *sm,
6555 bool driver_bss_selection)
6556 {
6557 if (sm)
6558 sm->driver_bss_selection = driver_bss_selection;
6559 }
6560