1 /*
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
4 * Copyright(c) 2015 Intel Deutschland GmbH
5 *
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
8 */
9
10 #include "includes.h"
11
12 #include "common.h"
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "crypto/sha256.h"
19 #include "crypto/sha384.h"
20 #include "crypto/sha512.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/ieee802_11_common.h"
23 #include "common/ocv.h"
24 #include "common/dpp.h"
25 #include "common/wpa_ctrl.h"
26 #include "eap_common/eap_defs.h"
27 #include "eapol_supp/eapol_supp_sm.h"
28 #include "drivers/driver.h"
29 #include "wpa.h"
30 #include "eloop.h"
31 #include "preauth.h"
32 #include "pmksa_cache.h"
33 #include "wpa_i.h"
34 #include "wpa_ie.h"
35 #include "wpa_supplicant_i.h"
36 #include "driver_i.h"
37
38 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
39
40
_wpa_hexdump_link(int level,u8 link_id,const char * title,const void * buf,size_t len,bool key)41 static void _wpa_hexdump_link(int level, u8 link_id, const char *title,
42 const void *buf, size_t len, bool key)
43 {
44 char *link_title = NULL;
45
46 if (link_id >= MAX_NUM_MLD_LINKS)
47 goto out;
48
49 link_title = os_malloc(os_strlen(title) + 20);
50 if (!link_title)
51 goto out;
52
53 os_snprintf(link_title, os_strlen(title) + 20, "MLO link[%u]: %s",
54 link_id, title);
55
56 out:
57 if (key)
58 wpa_hexdump_key(level, link_title ? link_title : title, buf,
59 len);
60 else
61 wpa_hexdump(level, link_title ? link_title : title, buf, len);
62 os_free(link_title);
63 }
64
65
wpa_hexdump_link(int level,u8 link_id,const char * title,const void * buf,size_t len)66 static void wpa_hexdump_link(int level, u8 link_id, const char *title,
67 const void *buf, size_t len)
68 {
69 _wpa_hexdump_link(level, link_id, title, buf, len, false);
70 }
71
72
wpa_hexdump_link_key(int level,u8 link_id,const char * title,const void * buf,size_t len)73 static void wpa_hexdump_link_key(int level, u8 link_id, const char *title,
74 const void *buf, size_t len)
75 {
76 _wpa_hexdump_link(level, link_id, title, buf, len, true);
77 }
78
79
80 /**
81 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
82 * @sm: Pointer to WPA state machine data from wpa_sm_init()
83 * @ptk: PTK for Key Confirmation/Encryption Key
84 * @ver: Version field from Key Info
85 * @dest: Destination address for the frame
86 * @proto: Ethertype (usually ETH_P_EAPOL)
87 * @msg: EAPOL-Key message
88 * @msg_len: Length of message
89 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
90 * Returns: >= 0 on success, < 0 on failure
91 */
wpa_eapol_key_send(struct wpa_sm * sm,struct wpa_ptk * ptk,int ver,const u8 * dest,u16 proto,u8 * msg,size_t msg_len,u8 * key_mic)92 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
93 int ver, const u8 *dest, u16 proto,
94 u8 *msg, size_t msg_len, u8 *key_mic)
95 {
96 int ret = -1;
97 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
98
99 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
100 " ver=%d mic_len=%d key_mgmt=0x%x",
101 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
102 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
103 /*
104 * Association event was not yet received; try to fetch
105 * BSSID from the driver.
106 */
107 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
108 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
109 "WPA: Failed to read BSSID for "
110 "EAPOL-Key destination address");
111 } else {
112 dest = sm->bssid;
113 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
114 "WPA: Use BSSID (" MACSTR
115 ") as the destination for EAPOL-Key",
116 MAC2STR(dest));
117 }
118 }
119
120 if (mic_len) {
121 if (key_mic && (!ptk || !ptk->kck_len))
122 goto out;
123
124 if (key_mic &&
125 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
126 msg, msg_len, key_mic)) {
127 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
128 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
129 ver, sm->key_mgmt);
130 goto out;
131 }
132 if (ptk)
133 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
134 ptk->kck, ptk->kck_len);
135 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
136 key_mic, mic_len);
137 } else {
138 #ifdef CONFIG_FILS
139 /* AEAD cipher - Key MIC field not used */
140 struct ieee802_1x_hdr *s_hdr, *hdr;
141 struct wpa_eapol_key *s_key, *key;
142 u8 *buf, *s_key_data, *key_data;
143 size_t buf_len = msg_len + AES_BLOCK_SIZE;
144 size_t key_data_len;
145 u16 eapol_len;
146 const u8 *aad[1];
147 size_t aad_len[1];
148
149 if (!ptk || !ptk->kek_len)
150 goto out;
151
152 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
153 sizeof(struct wpa_eapol_key) - 2;
154
155 buf = os_malloc(buf_len);
156 if (!buf)
157 goto out;
158
159 os_memcpy(buf, msg, msg_len);
160 hdr = (struct ieee802_1x_hdr *) buf;
161 key = (struct wpa_eapol_key *) (hdr + 1);
162 key_data = ((u8 *) (key + 1)) + 2;
163
164 /* Update EAPOL header to include AES-SIV overhead */
165 eapol_len = be_to_host16(hdr->length);
166 eapol_len += AES_BLOCK_SIZE;
167 hdr->length = host_to_be16(eapol_len);
168
169 /* Update Key Data Length field to include AES-SIV overhead */
170 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
171
172 s_hdr = (struct ieee802_1x_hdr *) msg;
173 s_key = (struct wpa_eapol_key *) (s_hdr + 1);
174 s_key_data = ((u8 *) (s_key + 1)) + 2;
175
176 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
177 s_key_data, key_data_len);
178
179 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
180 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
181 * to Key Data (exclusive). */
182 aad[0] = buf;
183 aad_len[0] = key_data - buf;
184 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
185 s_key_data, key_data_len,
186 1, aad, aad_len, key_data) < 0) {
187 os_free(buf);
188 goto out;
189 }
190
191 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
192 key_data, AES_BLOCK_SIZE + key_data_len);
193
194 os_free(msg);
195 msg = buf;
196 msg_len = buf_len;
197 #else /* CONFIG_FILS */
198 goto out;
199 #endif /* CONFIG_FILS */
200 }
201
202 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
203 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
204 eapol_sm_notify_tx_eapol_key(sm->eapol);
205 out:
206 os_free(msg);
207 return ret;
208 }
209
210
211 /**
212 * wpa_sm_key_request - Send EAPOL-Key Request
213 * @sm: Pointer to WPA state machine data from wpa_sm_init()
214 * @error: Indicate whether this is an Michael MIC error report
215 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
216 *
217 * Send an EAPOL-Key Request to the current authenticator. This function is
218 * used to request rekeying and it is usually called when a local Michael MIC
219 * failure is detected.
220 */
wpa_sm_key_request(struct wpa_sm * sm,int error,int pairwise)221 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
222 {
223 size_t mic_len, hdrlen, rlen;
224 struct wpa_eapol_key *reply;
225 int key_info, ver;
226 u8 *rbuf, *key_mic, *mic;
227
228 if (pairwise && sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
229 wpa_sm_get_state(sm) == WPA_COMPLETED && !error) {
230 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
231 "WPA: PTK0 rekey not allowed, reconnecting");
232 wpa_sm_reconnect(sm);
233 return;
234 }
235
236 if (!sm->ptk_set) {
237 wpa_printf(MSG_INFO,
238 "WPA: No PTK derived yet - cannot send EAPOL-Key Request");
239 return;
240 }
241
242 if (wpa_use_akm_defined(sm->key_mgmt))
243 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
244 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
245 wpa_key_mgmt_sha256(sm->key_mgmt))
246 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
247 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
248 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
249 else
250 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
251
252 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
253 hdrlen = sizeof(*reply) + mic_len + 2;
254 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
255 hdrlen, &rlen, (void *) &reply);
256 if (rbuf == NULL)
257 return;
258
259 reply->type = (sm->proto == WPA_PROTO_RSN) ?
260 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
261 key_info = WPA_KEY_INFO_REQUEST | ver;
262 key_info |= WPA_KEY_INFO_SECURE;
263 if (mic_len)
264 key_info |= WPA_KEY_INFO_MIC;
265 else
266 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
267 if (error)
268 key_info |= WPA_KEY_INFO_ERROR;
269 if (pairwise)
270 key_info |= WPA_KEY_INFO_KEY_TYPE;
271 WPA_PUT_BE16(reply->key_info, key_info);
272 WPA_PUT_BE16(reply->key_length, 0);
273 os_memcpy(reply->replay_counter, sm->request_counter,
274 WPA_REPLAY_COUNTER_LEN);
275 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
276
277 mic = (u8 *) (reply + 1);
278 WPA_PUT_BE16(mic + mic_len, 0);
279 if (!(key_info & WPA_KEY_INFO_MIC))
280 key_mic = NULL;
281 else
282 key_mic = mic;
283
284 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
285 "WPA: Sending EAPOL-Key Request (error=%d "
286 "pairwise=%d ptk_set=%d len=%lu)",
287 error, pairwise, sm->ptk_set, (unsigned long) rlen);
288 wpa_eapol_key_send(sm, &sm->ptk, ver, wpa_sm_get_auth_addr(sm),
289 ETH_P_EAPOL, rbuf, rlen, key_mic);
290 }
291
292
wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm * sm)293 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
294 {
295 #ifdef CONFIG_IEEE80211R
296 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
297 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
298 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
299 "RSN: Cannot set low order 256 bits of MSK for key management offload");
300 } else {
301 #endif /* CONFIG_IEEE80211R */
302 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
303 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
304 "RSN: Cannot set PMK for key management offload");
305 #ifdef CONFIG_IEEE80211R
306 }
307 #endif /* CONFIG_IEEE80211R */
308 }
309
310
wpa_supplicant_get_pmk(struct wpa_sm * sm,const unsigned char * src_addr,const u8 * pmkid)311 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
312 const unsigned char *src_addr,
313 const u8 *pmkid)
314 {
315 int abort_cached = 0;
316
317 if (pmkid && !sm->cur_pmksa) {
318 /* When using drivers that generate RSN IE, wpa_supplicant may
319 * not have enough time to get the association information
320 * event before receiving this 1/4 message, so try to find a
321 * matching PMKSA cache entry here. */
322 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr,
323 sm->own_addr, pmkid,
324 NULL, 0);
325 if (sm->cur_pmksa) {
326 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
327 "RSN: found matching PMKID from PMKSA cache");
328 } else {
329 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
330 "RSN: no matching PMKID found");
331 abort_cached = 1;
332 }
333 }
334
335 if (pmkid && sm->cur_pmksa &&
336 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
337 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
338 wpa_sm_set_pmk_from_pmksa(sm);
339 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
340 sm->pmk, sm->pmk_len);
341 eapol_sm_notify_cached(sm->eapol);
342 #ifdef CONFIG_IEEE80211R
343 sm->xxkey_len = 0;
344 #ifdef CONFIG_SAE
345 if ((sm->key_mgmt == WPA_KEY_MGMT_FT_SAE ||
346 sm->key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) &&
347 sm->pmk_len == PMK_LEN) {
348 /* Need to allow FT key derivation to proceed with
349 * PMK from SAE being used as the XXKey in cases where
350 * the PMKID in msg 1/4 matches the PMKSA entry that was
351 * just added based on SAE authentication for the
352 * initial mobility domain association. */
353 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
354 sm->xxkey_len = sm->pmk_len;
355 }
356 #endif /* CONFIG_SAE */
357 #endif /* CONFIG_IEEE80211R */
358 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
359 int res, pmk_len;
360 #ifdef CONFIG_IEEE80211R
361 u8 buf[2 * PMK_LEN];
362 #endif /* CONFIG_IEEE80211R */
363
364 if (wpa_key_mgmt_sha384(sm->key_mgmt))
365 pmk_len = PMK_LEN_SUITE_B_192;
366 else
367 pmk_len = PMK_LEN;
368 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
369 if (res) {
370 if (pmk_len == PMK_LEN) {
371 /*
372 * EAP-LEAP is an exception from other EAP
373 * methods: it uses only 16-byte PMK.
374 */
375 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
376 pmk_len = 16;
377 }
378 }
379 #ifdef CONFIG_IEEE80211R
380 if (res == 0 &&
381 eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) {
382 if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
383 os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN);
384 sm->xxkey_len = SHA384_MAC_LEN;
385 } else {
386 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
387 sm->xxkey_len = PMK_LEN;
388 }
389 forced_memzero(buf, sizeof(buf));
390 if (sm->proto == WPA_PROTO_RSN &&
391 wpa_key_mgmt_ft(sm->key_mgmt)) {
392 struct rsn_pmksa_cache_entry *sa = NULL;
393 const u8 *fils_cache_id = NULL;
394
395 #ifdef CONFIG_FILS
396 if (sm->fils_cache_id_set)
397 fils_cache_id = sm->fils_cache_id;
398 #endif /* CONFIG_FILS */
399 wpa_hexdump_key(MSG_DEBUG,
400 "FT: Cache XXKey/MPMK",
401 sm->xxkey, sm->xxkey_len);
402 sa = pmksa_cache_add(sm->pmksa,
403 sm->xxkey, sm->xxkey_len,
404 NULL, NULL, 0,
405 src_addr, sm->own_addr,
406 sm->network_ctx,
407 sm->key_mgmt,
408 fils_cache_id);
409 if (!sm->cur_pmksa)
410 sm->cur_pmksa = sa;
411 }
412 }
413 #endif /* CONFIG_IEEE80211R */
414 if (res == 0) {
415 struct rsn_pmksa_cache_entry *sa = NULL;
416 const u8 *fils_cache_id = NULL;
417
418 #ifdef CONFIG_FILS
419 if (sm->fils_cache_id_set)
420 fils_cache_id = sm->fils_cache_id;
421 #endif /* CONFIG_FILS */
422
423 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
424 "machines", sm->pmk, pmk_len);
425 sm->pmk_len = pmk_len;
426 wpa_supplicant_key_mgmt_set_pmk(sm);
427 if (sm->proto == WPA_PROTO_RSN &&
428 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
429 !wpa_key_mgmt_ft(sm->key_mgmt)) {
430 sa = pmksa_cache_add(sm->pmksa,
431 sm->pmk, pmk_len, NULL,
432 NULL, 0,
433 src_addr, sm->own_addr,
434 sm->network_ctx,
435 sm->key_mgmt,
436 fils_cache_id);
437 }
438 if (!sm->cur_pmksa && pmkid &&
439 pmksa_cache_get(sm->pmksa, src_addr, sm->own_addr,
440 pmkid, NULL, 0)) {
441 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
442 "RSN: the new PMK matches with the "
443 "PMKID");
444 abort_cached = 0;
445 } else if (sa && !sm->cur_pmksa && pmkid) {
446 /*
447 * It looks like the authentication server
448 * derived mismatching MSK. This should not
449 * really happen, but bugs happen.. There is not
450 * much we can do here without knowing what
451 * exactly caused the server to misbehave.
452 */
453 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
454 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
455 return -1;
456 }
457
458 if (!sm->cur_pmksa)
459 sm->cur_pmksa = sa;
460 #ifdef CONFIG_IEEE80211R
461 } else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) {
462 wpa_printf(MSG_DEBUG,
463 "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol");
464 #endif /* CONFIG_IEEE80211R */
465 } else {
466 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
467 "WPA: Failed to get master session key from "
468 "EAPOL state machines - key handshake "
469 "aborted");
470 if (sm->cur_pmksa) {
471 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
472 "RSN: Cancelled PMKSA caching "
473 "attempt");
474 sm->cur_pmksa = NULL;
475 abort_cached = 1;
476 } else if (!abort_cached) {
477 return -1;
478 }
479 }
480 }
481
482 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
483 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
484 !wpa_key_mgmt_ft(sm->key_mgmt)) {
485 /* Send EAPOL-Start to trigger full EAP authentication. */
486 u8 *buf;
487 size_t buflen;
488
489 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
490 "RSN: no PMKSA entry found - trigger "
491 "full EAP authentication");
492 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
493 NULL, 0, &buflen, NULL);
494 if (buf) {
495 /* Set and reset eapFail to allow EAP state machine to
496 * proceed with new authentication. */
497 eapol_sm_notify_eap_fail(sm->eapol, true);
498 eapol_sm_notify_eap_fail(sm->eapol, false);
499 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
500 buf, buflen);
501 os_free(buf);
502 return -2;
503 }
504
505 return -1;
506 }
507
508 return 0;
509 }
510
511
512 /**
513 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
514 * @sm: Pointer to WPA state machine data from wpa_sm_init()
515 * @dst: Destination address for the frame
516 * @key: Pointer to the EAPOL-Key frame header
517 * @ver: Version bits from EAPOL-Key Key Info
518 * @nonce: Nonce value for the EAPOL-Key frame
519 * @wpa_ie: WPA/RSN IE
520 * @wpa_ie_len: Length of the WPA/RSN IE
521 * @ptk: PTK to use for keyed hash and encryption
522 * Returns: >= 0 on success, < 0 on failure
523 */
wpa_supplicant_send_2_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,int ver,const u8 * nonce,const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ptk * ptk)524 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
525 const struct wpa_eapol_key *key,
526 int ver, const u8 *nonce,
527 const u8 *wpa_ie, size_t wpa_ie_len,
528 struct wpa_ptk *ptk)
529 {
530 size_t mic_len, hdrlen, rlen, extra_len = 0;
531 struct wpa_eapol_key *reply;
532 u8 *rbuf, *key_mic;
533 u8 *rsn_ie_buf = NULL, *buf2 = NULL;
534 u16 key_info;
535 #ifdef CONFIG_TESTING_OPTIONS
536 size_t pad_len = 0;
537 #endif /* CONFIG_TESTING_OPTIONS */
538
539 if (wpa_ie == NULL) {
540 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
541 "cannot generate msg 2/4");
542 return -1;
543 }
544
545 #ifdef CONFIG_IEEE80211R
546 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
547 int res;
548
549 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE before FT processing",
550 wpa_ie, wpa_ie_len);
551 /*
552 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
553 * FTIE from (Re)Association Response.
554 */
555 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
556 sm->assoc_resp_ies_len);
557 if (rsn_ie_buf == NULL)
558 return -1;
559 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
560 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
561 sm->pmk_r1_name, !sm->ft_prepend_pmkid);
562 if (res < 0) {
563 os_free(rsn_ie_buf);
564 return -1;
565 }
566 wpa_hexdump(MSG_DEBUG,
567 "WPA: WPA IE after PMKID[PMKR1Name] addition into RSNE",
568 rsn_ie_buf, wpa_ie_len);
569
570 if (sm->assoc_resp_ies) {
571 wpa_hexdump(MSG_DEBUG, "WPA: Add assoc_resp_ies",
572 sm->assoc_resp_ies,
573 sm->assoc_resp_ies_len);
574 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
575 sm->assoc_resp_ies_len);
576 wpa_ie_len += sm->assoc_resp_ies_len;
577 }
578
579 wpa_ie = rsn_ie_buf;
580 }
581 #endif /* CONFIG_IEEE80211R */
582
583 if (sm->rsn_override != RSN_OVERRIDE_NOT_USED) {
584 u8 *pos;
585
586 buf2 = os_malloc(wpa_ie_len + 2 + 4 + 1);
587 if (!buf2) {
588 os_free(rsn_ie_buf);
589 return -1;
590 }
591 os_memcpy(buf2, wpa_ie, wpa_ie_len);
592 pos = buf2 + wpa_ie_len;
593 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
594 *pos++ = 4 + 1;
595 WPA_PUT_BE32(pos, RSN_SELECTION_IE_VENDOR_TYPE);
596 pos += 4;
597 if (sm->rsn_override == RSN_OVERRIDE_RSNE) {
598 *pos++ = RSN_SELECTION_RSNE;
599 } else if (sm->rsn_override == RSN_OVERRIDE_RSNE_OVERRIDE) {
600 *pos++ = RSN_SELECTION_RSNE_OVERRIDE;
601 } else if (sm->rsn_override == RSN_OVERRIDE_RSNE_OVERRIDE_2) {
602 *pos++ = RSN_SELECTION_RSNE_OVERRIDE_2;
603 } else {
604 os_free(rsn_ie_buf);
605 os_free(buf2);
606 return -1;
607 }
608
609 wpa_ie = buf2;
610 wpa_ie_len += 2 + 4 + 1;
611
612 }
613
614 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
615
616 #ifdef CONFIG_TESTING_OPTIONS
617 if (sm->test_eapol_m2_elems)
618 extra_len = wpabuf_len(sm->test_eapol_m2_elems);
619 if (sm->encrypt_eapol_m2) {
620 pad_len = (wpa_ie_len + extra_len) % 8;
621 if (pad_len)
622 pad_len = 8 - pad_len;
623 extra_len += pad_len + 8;
624 }
625 #endif /* CONFIG_TESTING_OPTIONS */
626
627 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
628 hdrlen = sizeof(*reply) + mic_len + 2;
629 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
630 NULL, hdrlen + wpa_ie_len + extra_len,
631 &rlen, (void *) &reply);
632 if (rbuf == NULL) {
633 os_free(rsn_ie_buf);
634 os_free(buf2);
635 return -1;
636 }
637
638 reply->type = (sm->proto == WPA_PROTO_RSN) ?
639 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
640 key_info = ver | WPA_KEY_INFO_KEY_TYPE;
641 if (sm->ptk_set && sm->proto != WPA_PROTO_WPA)
642 key_info |= WPA_KEY_INFO_SECURE;
643 if (mic_len)
644 key_info |= WPA_KEY_INFO_MIC;
645 else
646 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
647 #ifdef CONFIG_TESTING_OPTIONS
648 if (sm->encrypt_eapol_m2)
649 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
650 if (sm->eapol_2_key_info_set_mask)
651 key_info |= sm->eapol_2_key_info_set_mask;
652 #endif /* CONFIG_TESTING_OPTIONS */
653 WPA_PUT_BE16(reply->key_info, key_info);
654 if (sm->proto == WPA_PROTO_RSN)
655 WPA_PUT_BE16(reply->key_length, 0);
656 else
657 os_memcpy(reply->key_length, key->key_length, 2);
658 os_memcpy(reply->replay_counter, key->replay_counter,
659 WPA_REPLAY_COUNTER_LEN);
660 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
661 WPA_REPLAY_COUNTER_LEN);
662
663 key_mic = (u8 *) (reply + 1);
664 /* Key Data Length */
665 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len + extra_len);
666 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
667 os_free(rsn_ie_buf);
668 os_free(buf2);
669 #ifdef CONFIG_TESTING_OPTIONS
670 if (sm->test_eapol_m2_elems) {
671 os_memcpy(key_mic + mic_len + 2 + wpa_ie_len,
672 wpabuf_head(sm->test_eapol_m2_elems),
673 wpabuf_len(sm->test_eapol_m2_elems));
674 }
675
676 if (sm->encrypt_eapol_m2) {
677 u8 *plain;
678 size_t plain_len;
679
680 if (sm->test_eapol_m2_elems)
681 extra_len = wpabuf_len(sm->test_eapol_m2_elems);
682 else
683 extra_len = 0;
684 plain_len = wpa_ie_len + extra_len + pad_len;
685 plain = os_memdup(key_mic + mic_len + 2, plain_len);
686 if (!plain) {
687 os_free(rbuf);
688 return -1;
689 }
690 if (pad_len)
691 plain[plain_len - pad_len] = 0xdd;
692
693 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK",
694 ptk->kek, ptk->kek_len);
695 if (aes_wrap(ptk->kek, ptk->kek_len, plain_len / 8, plain,
696 key_mic + mic_len + 2)) {
697 os_free(plain);
698 os_free(rbuf);
699 return -1;
700 }
701 wpa_hexdump(MSG_DEBUG,
702 "RSN: Encrypted Key Data from AES-WRAP",
703 key_mic + mic_len + 2, plain_len + 8);
704 os_free(plain);
705 }
706 #endif /* CONFIG_TESTING_OPTIONS */
707
708 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
709
710 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Sending EAPOL-Key 2/4");
711 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
712 key_mic);
713 }
714
715
wpa_derive_ptk(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,struct wpa_ptk * ptk)716 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
717 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
718 {
719 int ret;
720 const u8 *z = NULL;
721 size_t z_len = 0, kdk_len;
722 int akmp;
723
724 #ifdef CONFIG_IEEE80211R
725 if (wpa_key_mgmt_ft(sm->key_mgmt))
726 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
727 #endif /* CONFIG_IEEE80211R */
728
729 #ifdef CONFIG_DPP2
730 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
731 z = wpabuf_head(sm->dpp_z);
732 z_len = wpabuf_len(sm->dpp_z);
733 }
734 #endif /* CONFIG_DPP2 */
735
736 akmp = sm->key_mgmt;
737 #ifdef CONFIG_OWE
738 if (sm->owe_ptk_workaround && akmp == WPA_KEY_MGMT_OWE &&
739 sm->pmk_len > 32) {
740 wpa_printf(MSG_DEBUG,
741 "OWE: Force SHA256 for PTK derivation");
742 akmp |= WPA_KEY_MGMT_PSK_SHA256;
743 }
744 #endif /* CONFIG_OWE */
745
746 if (sm->force_kdk_derivation ||
747 (sm->secure_ltf &&
748 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
749 kdk_len = WPA_KDK_MAX_LEN;
750 else
751 kdk_len = 0;
752
753 ret = wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
754 sm->own_addr, wpa_sm_get_auth_addr(sm), sm->snonce,
755 key->key_nonce, ptk, akmp,
756 sm->pairwise_cipher, z, z_len,
757 kdk_len);
758 if (ret) {
759 wpa_printf(MSG_ERROR, "WPA: PTK derivation failed");
760 return ret;
761 }
762
763 #ifdef CONFIG_PASN
764 if (sm->secure_ltf &&
765 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))
766 ret = wpa_ltf_keyseed(ptk, akmp, sm->pairwise_cipher);
767 #endif /* CONFIG_PASN */
768
769 return ret;
770 }
771
772
wpa_handle_ext_key_id(struct wpa_sm * sm,struct wpa_eapol_ie_parse * kde)773 static int wpa_handle_ext_key_id(struct wpa_sm *sm,
774 struct wpa_eapol_ie_parse *kde)
775 {
776 if (sm->ext_key_id) {
777 u16 key_id;
778
779 if (!kde->key_id) {
780 wpa_msg(sm->ctx->msg_ctx,
781 sm->use_ext_key_id ? MSG_INFO : MSG_DEBUG,
782 "RSN: No Key ID in Extended Key ID handshake");
783 sm->keyidx_active = 0;
784 return sm->use_ext_key_id ? -1 : 0;
785 }
786
787 key_id = kde->key_id[0] & 0x03;
788 if (key_id > 1) {
789 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
790 "RSN: Invalid Extended Key ID: %d", key_id);
791 return -1;
792 }
793 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
794 "RSN: Using Extended Key ID %d", key_id);
795 sm->keyidx_active = key_id;
796 sm->use_ext_key_id = 1;
797 } else {
798 if (kde->key_id && (kde->key_id[0] & 0x03)) {
799 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
800 "RSN: Non-zero Extended Key ID Key ID in PTK0 handshake");
801 return -1;
802 }
803
804 if (kde->key_id) {
805 /* This is not supposed to be included here, but ignore
806 * the case of matching Key ID 0 just in case. */
807 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
808 "RSN: Extended Key ID Key ID 0 in PTK0 handshake");
809 }
810 sm->keyidx_active = 0;
811 sm->use_ext_key_id = 0;
812 }
813
814 return 0;
815 }
816
817
rsn_add_kde(u8 * pos,u32 kde,const u8 * data,size_t data_len)818 static u8 * rsn_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len)
819 {
820 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
821 *pos++ = RSN_SELECTOR_LEN + data_len;
822 RSN_SELECTOR_PUT(pos, kde);
823 pos += RSN_SELECTOR_LEN;
824 os_memcpy(pos, data, data_len);
825 pos += data_len;
826
827 return pos;
828 }
829
830
wpa_mlo_link_kde_len(struct wpa_sm * sm)831 static size_t wpa_mlo_link_kde_len(struct wpa_sm *sm)
832 {
833 int i;
834 unsigned int num_links = 0;
835
836 for_each_link(sm->mlo.req_links, i) {
837 if (sm->mlo.assoc_link_id != i)
838 num_links++;
839 }
840
841 return num_links * (RSN_SELECTOR_LEN + 1 + ETH_ALEN + 2);
842 }
843
844
wpa_mlo_link_kde(struct wpa_sm * sm,u8 * pos)845 static u8 * wpa_mlo_link_kde(struct wpa_sm *sm, u8 *pos)
846 {
847 int i;
848 u8 hdr[1 + ETH_ALEN];
849
850 for_each_link(sm->mlo.req_links, i) {
851 if (sm->mlo.assoc_link_id == i)
852 continue;
853
854 wpa_printf(MSG_DEBUG,
855 "MLO: Add MLO Link %d KDE in EAPOL-Key 2/4", i);
856 hdr[0] = i & 0xF; /* LinkID; no RSNE or RSNXE */
857 os_memcpy(&hdr[1], sm->mlo.links[i].addr, ETH_ALEN);
858 pos = rsn_add_kde(pos, RSN_KEY_DATA_MLO_LINK, hdr, sizeof(hdr));
859 }
860
861 return pos;
862 }
863
864
is_valid_ap_mld_mac_kde(struct wpa_sm * sm,const u8 * mac_kde)865 static bool is_valid_ap_mld_mac_kde(struct wpa_sm *sm, const u8 *mac_kde)
866 {
867 return mac_kde &&
868 ether_addr_equal(mac_kde, sm->mlo.ap_mld_addr);
869 }
870
871
wpas_swap_tkip_mic_keys(struct wpa_ptk * ptk)872 static void wpas_swap_tkip_mic_keys(struct wpa_ptk *ptk)
873 {
874 u8 buf[8];
875
876 /* Supplicant: swap tx/rx Mic keys */
877 os_memcpy(buf, &ptk->tk[16], 8);
878 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
879 os_memcpy(&ptk->tk[24], buf, 8);
880 forced_memzero(buf, sizeof(buf));
881 }
882
883
wpa_supplicant_process_1_of_4_wpa(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len,enum frame_encryption encrypted)884 static void wpa_supplicant_process_1_of_4_wpa(struct wpa_sm *sm,
885 const unsigned char *src_addr,
886 const struct wpa_eapol_key *key,
887 u16 ver, const u8 *key_data,
888 size_t key_data_len,
889 enum frame_encryption encrypted)
890 {
891 struct wpa_eapol_ie_parse ie;
892 struct wpa_ptk *ptk;
893 int res;
894
895 if (wpa_sm_get_network_ctx(sm) == NULL) {
896 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
897 "WPA: No SSID info found (msg 1 of 4)");
898 return;
899 }
900
901 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
902 "WPA: RX message 1 of 4-Way Handshake from " MACSTR
903 " (ver=%d)", MAC2STR(src_addr), ver);
904
905 os_memset(&ie, 0, sizeof(ie));
906
907 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
908 if (res == -2) {
909 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
910 "WPA: Do not reply to msg 1/4 - requesting full EAP authentication");
911 return;
912 }
913 if (res)
914 goto failed;
915
916 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
917
918 if (sm->renew_snonce) {
919 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
920 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
921 "WPA: Failed to get random data for SNonce");
922 goto failed;
923 }
924 sm->renew_snonce = 0;
925 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
926 sm->snonce, WPA_NONCE_LEN);
927 }
928
929 /* Calculate PTK which will be stored as a temporary PTK until it has
930 * been verified when processing message 3/4. */
931 ptk = &sm->tptk;
932 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
933 goto failed;
934 if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
935 wpas_swap_tkip_mic_keys(ptk);
936 sm->tptk_set = 1;
937
938 if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
939 sm->snonce, sm->assoc_wpa_ie,
940 sm->assoc_wpa_ie_len, ptk) < 0)
941 goto failed;
942
943 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
944 return;
945
946 failed:
947 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
948 }
949
950
wpa_supplicant_process_1_of_4(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len,enum frame_encryption encrypted)951 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
952 const unsigned char *src_addr,
953 const struct wpa_eapol_key *key,
954 u16 ver, const u8 *key_data,
955 size_t key_data_len,
956 enum frame_encryption encrypted)
957 {
958 struct wpa_eapol_ie_parse ie;
959 struct wpa_ptk *ptk;
960 int res;
961 u8 *kde, *kde_buf = NULL;
962 size_t kde_len;
963 size_t mlo_kde_len = 0;
964
965 if (encrypted == FRAME_NOT_ENCRYPTED && sm->tk_set &&
966 wpa_sm_pmf_enabled(sm)) {
967 wpa_printf(MSG_DEBUG,
968 "RSN: Discard unencrypted EAPOL-Key msg 1/4 when TK is set and PMF is enabled");
969 return;
970 }
971
972 if (wpa_sm_get_network_ctx(sm) == NULL) {
973 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
974 "found (msg 1 of 4)");
975 return;
976 }
977
978 if (sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
979 wpa_sm_get_state(sm) == WPA_COMPLETED) {
980 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
981 "WPA: PTK0 rekey not allowed, reconnecting");
982 wpa_sm_reconnect(sm);
983 return;
984 }
985
986 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: RX message 1 of 4-Way "
987 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
988
989 os_memset(&ie, 0, sizeof(ie));
990
991 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
992 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", key_data, key_data_len);
993 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) {
994 wpa_printf(MSG_DEBUG,
995 "RSN: Discard EAPOL-Key msg 1/4 with invalid IEs/KDEs");
996 return;
997 }
998 if (ie.pmkid) {
999 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from Authenticator",
1000 ie.pmkid, PMKID_LEN);
1001 }
1002
1003 if (sm->mlo.valid_links && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) {
1004 wpa_printf(MSG_INFO,
1005 "RSN: Discard EAPOL-Key msg 1/4 with invalid AP MLD MAC address KDE");
1006 return;
1007 }
1008
1009 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
1010 if (res == -2) {
1011 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
1012 "msg 1/4 - requesting full EAP authentication");
1013 return;
1014 }
1015 if (res)
1016 goto failed;
1017
1018 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
1019
1020 if (sm->renew_snonce) {
1021 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
1022 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1023 "WPA: Failed to get random data for SNonce");
1024 goto failed;
1025 }
1026 if (wpa_sm_rsn_overriding_supported(sm))
1027 rsn_set_snonce_cookie(sm->snonce);
1028 sm->renew_snonce = 0;
1029 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
1030 sm->snonce, WPA_NONCE_LEN);
1031 }
1032
1033 /* Calculate PTK which will be stored as a temporary PTK until it has
1034 * been verified when processing message 3/4. */
1035 ptk = &sm->tptk;
1036 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
1037 goto failed;
1038 if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
1039 wpas_swap_tkip_mic_keys(ptk);
1040 sm->tptk_set = 1;
1041
1042 /* Add MLO Link KDE and MAC KDE in M2 for ML connection */
1043 if (sm->mlo.valid_links)
1044 mlo_kde_len = wpa_mlo_link_kde_len(sm) +
1045 RSN_SELECTOR_LEN + ETH_ALEN + 2;
1046
1047 kde = sm->assoc_wpa_ie;
1048 kde_len = sm->assoc_wpa_ie_len;
1049 kde_buf = os_malloc(kde_len +
1050 2 + RSN_SELECTOR_LEN + 3 +
1051 sm->assoc_rsnxe_len +
1052 2 + RSN_SELECTOR_LEN + 1 +
1053 2 + RSN_SELECTOR_LEN + 2 + mlo_kde_len);
1054
1055 if (!kde_buf)
1056 goto failed;
1057 os_memcpy(kde_buf, kde, kde_len);
1058 kde = kde_buf;
1059
1060 #ifdef CONFIG_OCV
1061 if (wpa_sm_ocv_enabled(sm)) {
1062 struct wpa_channel_info ci;
1063 u8 *pos;
1064
1065 pos = kde + kde_len;
1066 if (wpa_sm_channel_info(sm, &ci) != 0) {
1067 wpa_printf(MSG_WARNING,
1068 "Failed to get channel info for OCI element in EAPOL-Key 2/4");
1069 goto failed;
1070 }
1071 #ifdef CONFIG_TESTING_OPTIONS
1072 if (sm->oci_freq_override_eapol) {
1073 wpa_printf(MSG_INFO,
1074 "TEST: Override OCI KDE frequency %d -> %d MHz",
1075 ci.frequency, sm->oci_freq_override_eapol);
1076 ci.frequency = sm->oci_freq_override_eapol;
1077 }
1078 #endif /* CONFIG_TESTING_OPTIONS */
1079
1080 if (ocv_insert_oci_kde(&ci, &pos) < 0)
1081 goto failed;
1082 kde_len = pos - kde;
1083 }
1084 #endif /* CONFIG_OCV */
1085
1086 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) {
1087 os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len);
1088 kde_len += sm->assoc_rsnxe_len;
1089 }
1090
1091 #ifdef CONFIG_P2P
1092 if (sm->p2p) {
1093 u8 *pos;
1094
1095 wpa_printf(MSG_DEBUG,
1096 "P2P: Add IP Address Request KDE into EAPOL-Key 2/4");
1097 pos = kde + kde_len;
1098 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
1099 *pos++ = RSN_SELECTOR_LEN + 1;
1100 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
1101 pos += RSN_SELECTOR_LEN;
1102 *pos++ = 0x01;
1103 kde_len = pos - kde;
1104 }
1105 #endif /* CONFIG_P2P */
1106
1107 #ifdef CONFIG_DPP2
1108 if (DPP_VERSION > 1 && sm->key_mgmt == WPA_KEY_MGMT_DPP) {
1109 u8 *pos;
1110
1111 wpa_printf(MSG_DEBUG, "DPP: Add DPP KDE into EAPOL-Key 2/4");
1112 pos = kde + kde_len;
1113 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
1114 *pos++ = RSN_SELECTOR_LEN + 2;
1115 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_DPP);
1116 pos += RSN_SELECTOR_LEN;
1117 *pos++ = DPP_VERSION; /* Protocol Version */
1118 *pos = 0; /* Flags */
1119 if (sm->dpp_pfs == 0)
1120 *pos |= DPP_KDE_PFS_ALLOWED;
1121 else if (sm->dpp_pfs == 1)
1122 *pos |= DPP_KDE_PFS_ALLOWED | DPP_KDE_PFS_REQUIRED;
1123 pos++;
1124 kde_len = pos - kde;
1125 }
1126 #endif /* CONFIG_DPP2 */
1127
1128 if (sm->mlo.valid_links) {
1129 u8 *pos;
1130
1131 /* Add MAC KDE */
1132 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 2/4");
1133 pos = kde + kde_len;
1134 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
1135 ETH_ALEN);
1136
1137 /* Add MLO Link KDE */
1138 wpa_printf(MSG_DEBUG, "Add MLO Link KDE(s) into EAPOL-Key 2/4");
1139 pos = wpa_mlo_link_kde(sm, pos);
1140 kde_len = pos - kde;
1141 }
1142
1143 if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
1144 sm->snonce, kde, kde_len, ptk) < 0)
1145 goto failed;
1146
1147 os_free(kde_buf);
1148 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
1149 return;
1150
1151 failed:
1152 os_free(kde_buf);
1153 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1154 }
1155
1156
wpa_sm_start_preauth(void * eloop_ctx,void * timeout_ctx)1157 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
1158 {
1159 struct wpa_sm *sm = eloop_ctx;
1160 rsn_preauth_candidate_process(sm);
1161 }
1162
1163
wpa_supplicant_key_neg_complete(struct wpa_sm * sm,const u8 * addr,int secure)1164 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
1165 const u8 *addr, int secure)
1166 {
1167 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1168 "WPA: Key negotiation completed with "
1169 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
1170 wpa_cipher_txt(sm->pairwise_cipher),
1171 wpa_cipher_txt(sm->group_cipher));
1172 wpa_sm_cancel_auth_timeout(sm);
1173 wpa_sm_set_state(sm, WPA_COMPLETED);
1174
1175 if (secure) {
1176 wpa_sm_mlme_setprotection(
1177 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
1178 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1179 eapol_sm_notify_portValid(sm->eapol, true);
1180 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
1181 sm->key_mgmt == WPA_KEY_MGMT_DPP ||
1182 sm->key_mgmt == WPA_KEY_MGMT_OWE)
1183 eapol_sm_notify_eap_success(sm->eapol, true);
1184 /*
1185 * Start preauthentication after a short wait to avoid a
1186 * possible race condition between the data receive and key
1187 * configuration after the 4-Way Handshake. This increases the
1188 * likelihood of the first preauth EAPOL-Start frame getting to
1189 * the target AP.
1190 */
1191 if (!dl_list_empty(&sm->pmksa_candidates))
1192 eloop_register_timeout(1, 0, wpa_sm_start_preauth,
1193 sm, NULL);
1194 }
1195
1196 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
1197 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1198 "RSN: Authenticator accepted "
1199 "opportunistic PMKSA entry - marking it valid");
1200 sm->cur_pmksa->opportunistic = 0;
1201 }
1202
1203 #ifdef CONFIG_IEEE80211R
1204 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
1205 /* Prepare for the next transition */
1206 wpa_ft_prepare_auth_request(sm, NULL);
1207 }
1208 #endif /* CONFIG_IEEE80211R */
1209 }
1210
1211
wpa_sm_rekey_ptk(void * eloop_ctx,void * timeout_ctx)1212 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
1213 {
1214 struct wpa_sm *sm = eloop_ctx;
1215 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
1216 wpa_sm_key_request(sm, 0, 1);
1217 }
1218
1219
wpa_supplicant_install_ptk(struct wpa_sm * sm,const struct wpa_eapol_key * key,enum key_flag key_flag)1220 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
1221 const struct wpa_eapol_key *key,
1222 enum key_flag key_flag)
1223 {
1224 int keylen, rsclen;
1225 enum wpa_alg alg;
1226 const u8 *key_rsc;
1227
1228 if (sm->ptk.installed ||
1229 (sm->ptk.installed_rx && (key_flag & KEY_FLAG_NEXT))) {
1230 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1231 "WPA: Do not re-install same PTK to the driver");
1232 return 0;
1233 }
1234
1235 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1236 "WPA: Installing %sTK to the driver",
1237 (key_flag & KEY_FLAG_NEXT) ? "next " : "");
1238
1239 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1240 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
1241 "Suite: NONE - do not use pairwise keys");
1242 return 0;
1243 }
1244
1245 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
1246 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1247 "WPA: Unsupported pairwise cipher %d",
1248 sm->pairwise_cipher);
1249 return -1;
1250 }
1251
1252 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
1253 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
1254 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
1255 wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",
1256 keylen, (long unsigned int) sm->ptk.tk_len);
1257 return -1;
1258 }
1259 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
1260
1261 if (sm->proto == WPA_PROTO_RSN) {
1262 key_rsc = null_rsc;
1263 } else {
1264 key_rsc = key->key_rsc;
1265 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
1266 }
1267
1268 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm),
1269 sm->keyidx_active, 1, key_rsc, rsclen, sm->ptk.tk,
1270 keylen, KEY_FLAG_PAIRWISE | key_flag) < 0) {
1271 if (key_flag & KEY_FLAG_NEXT)
1272 return 0; /* Not all drivers support this, so do not
1273 * report failures on the RX-only set_key */
1274 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1275 "WPA: Failed to set PTK to the driver (alg=%d keylen=%d auth_addr="
1276 MACSTR " idx=%d key_flag=0x%x)",
1277 alg, keylen, MAC2STR(wpa_sm_get_auth_addr(sm)),
1278 sm->keyidx_active, key_flag);
1279 return -1;
1280 }
1281
1282 #ifdef CONFIG_PASN
1283 if (sm->secure_ltf &&
1284 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
1285 wpa_sm_set_ltf_keyseed(sm, sm->own_addr, sm->bssid,
1286 sm->ptk.ltf_keyseed_len,
1287 sm->ptk.ltf_keyseed) < 0) {
1288 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1289 "WPA: Failed to set LTF keyseed to the driver (keylen=%zu bssid="
1290 MACSTR ")", sm->ptk.ltf_keyseed_len,
1291 MAC2STR(sm->bssid));
1292 return -1;
1293 }
1294 #endif /* CONFIG_PASN */
1295
1296 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
1297 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
1298
1299 if (key_flag & KEY_FLAG_NEXT) {
1300 sm->ptk.installed_rx = true;
1301 } else {
1302 /* TK is not needed anymore in supplicant */
1303 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
1304 sm->ptk.tk_len = 0;
1305 sm->ptk.installed = 1;
1306 sm->tk_set = true;
1307 }
1308
1309 if (sm->wpa_ptk_rekey) {
1310 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
1311 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
1312 sm, NULL);
1313 }
1314 return 0;
1315 }
1316
1317
wpa_supplicant_activate_ptk(struct wpa_sm * sm)1318 static int wpa_supplicant_activate_ptk(struct wpa_sm *sm)
1319 {
1320 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1321 "WPA: Activate PTK (idx=%d auth_addr=" MACSTR ")",
1322 sm->keyidx_active, MAC2STR(wpa_sm_get_auth_addr(sm)));
1323
1324 if (wpa_sm_set_key(sm, -1, 0, wpa_sm_get_auth_addr(sm),
1325 sm->keyidx_active, 0, NULL, 0, NULL, 0,
1326 KEY_FLAG_PAIRWISE_RX_TX_MODIFY) < 0) {
1327 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1328 "WPA: Failed to activate PTK for TX (idx=%d auth_addr="
1329 MACSTR ")", sm->keyidx_active,
1330 MAC2STR(wpa_sm_get_auth_addr(sm)));
1331 return -1;
1332 }
1333 return 0;
1334 }
1335
1336
wpa_supplicant_check_group_cipher(struct wpa_sm * sm,int group_cipher,int keylen,int maxkeylen,int * key_rsc_len,enum wpa_alg * alg)1337 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
1338 int group_cipher,
1339 int keylen, int maxkeylen,
1340 int *key_rsc_len,
1341 enum wpa_alg *alg)
1342 {
1343 int klen;
1344
1345 *alg = wpa_cipher_to_alg(group_cipher);
1346 if (*alg == WPA_ALG_NONE) {
1347 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1348 "WPA: Unsupported Group Cipher %d",
1349 group_cipher);
1350 return -1;
1351 }
1352 *key_rsc_len = wpa_cipher_rsc_len(group_cipher);
1353
1354 klen = wpa_cipher_key_len(group_cipher);
1355 if (keylen != klen || maxkeylen < klen) {
1356 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1357 "WPA: Unsupported %s Group Cipher key length %d (%d)",
1358 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
1359 return -1;
1360 }
1361 return 0;
1362 }
1363
1364
1365 struct wpa_gtk_data {
1366 enum wpa_alg alg;
1367 int tx, key_rsc_len, keyidx;
1368 u8 gtk[32];
1369 int gtk_len;
1370 };
1371
1372
wpa_supplicant_install_gtk(struct wpa_sm * sm,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1373 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
1374 const struct wpa_gtk_data *gd,
1375 const u8 *key_rsc, int wnm_sleep)
1376 {
1377 const u8 *_gtk = gd->gtk;
1378 u8 gtk_buf[32];
1379
1380 /* Detect possible key reinstallation */
1381 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
1382 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
1383 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
1384 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
1385 sm->gtk_wnm_sleep.gtk_len) == 0)) {
1386 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1387 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
1388 gd->keyidx, gd->tx, gd->gtk_len);
1389 return 0;
1390 }
1391
1392 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
1393 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1394 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
1395 gd->keyidx, gd->tx, gd->gtk_len);
1396 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
1397 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1398 /* Swap Tx/Rx keys for Michael MIC */
1399 os_memcpy(gtk_buf, gd->gtk, 16);
1400 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1401 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1402 _gtk = gtk_buf;
1403 }
1404 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1405 if (wpa_sm_set_key(sm, -1, gd->alg, NULL,
1406 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
1407 _gtk, gd->gtk_len,
1408 KEY_FLAG_GROUP_RX_TX_DEFAULT) < 0) {
1409 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1410 "WPA: Failed to set GTK to the driver "
1411 "(Group only)");
1412 forced_memzero(gtk_buf, sizeof(gtk_buf));
1413 return -1;
1414 }
1415 } else if (wpa_sm_set_key(sm, -1, gd->alg, broadcast_ether_addr,
1416 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
1417 _gtk, gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1418 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1419 "WPA: Failed to set GTK to "
1420 "the driver (alg=%d keylen=%d keyidx=%d)",
1421 gd->alg, gd->gtk_len, gd->keyidx);
1422 forced_memzero(gtk_buf, sizeof(gtk_buf));
1423 return -1;
1424 }
1425 forced_memzero(gtk_buf, sizeof(gtk_buf));
1426
1427 if (wnm_sleep) {
1428 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
1429 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
1430 sm->gtk_wnm_sleep.gtk_len);
1431 } else {
1432 sm->gtk.gtk_len = gd->gtk_len;
1433 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
1434 }
1435
1436 return 0;
1437 }
1438
1439
wpa_supplicant_install_mlo_gtk(struct wpa_sm * sm,u8 link_id,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1440 static int wpa_supplicant_install_mlo_gtk(struct wpa_sm *sm, u8 link_id,
1441 const struct wpa_gtk_data *gd,
1442 const u8 *key_rsc, int wnm_sleep)
1443 {
1444 const u8 *gtk = gd->gtk;
1445 u8 gtk_buf[32];
1446
1447 /* Detect possible key reinstallation */
1448 if ((sm->mlo.links[link_id].gtk.gtk_len == (size_t) gd->gtk_len &&
1449 os_memcmp(sm->mlo.links[link_id].gtk.gtk, gd->gtk,
1450 sm->mlo.links[link_id].gtk.gtk_len) == 0) ||
1451 (sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len ==
1452 (size_t) gd->gtk_len &&
1453 os_memcmp(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk,
1454 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len) == 0)) {
1455 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1456 "RSN: Not reinstalling already in-use GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)",
1457 link_id, gd->keyidx, gd->tx, gd->gtk_len);
1458 return 0;
1459 }
1460
1461 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: Group Key", gd->gtk,
1462 gd->gtk_len);
1463 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1464 "RSN: Installing GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)",
1465 link_id, gd->keyidx, gd->tx, gd->gtk_len);
1466 wpa_hexdump_link(MSG_DEBUG, link_id, "RSN: RSC",
1467 key_rsc, gd->key_rsc_len);
1468 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1469 /* Swap Tx/Rx keys for Michael MIC */
1470 os_memcpy(gtk_buf, gd->gtk, 16);
1471 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1472 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1473 gtk = gtk_buf;
1474 }
1475 if (wpa_sm_set_key(sm, link_id, gd->alg, broadcast_ether_addr,
1476 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, gtk,
1477 gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1478 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1479 "RSN: Failed to set GTK to the driver (link_id=%d alg=%d keylen=%d keyidx=%d)",
1480 link_id, gd->alg, gd->gtk_len, gd->keyidx);
1481 forced_memzero(gtk_buf, sizeof(gtk_buf));
1482 return -1;
1483 }
1484 forced_memzero(gtk_buf, sizeof(gtk_buf));
1485
1486 if (wnm_sleep) {
1487 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len = gd->gtk_len;
1488 os_memcpy(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk,
1489 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len);
1490 } else {
1491 sm->mlo.links[link_id].gtk.gtk_len = gd->gtk_len;
1492 os_memcpy(sm->mlo.links[link_id].gtk.gtk, gd->gtk,
1493 sm->mlo.links[link_id].gtk.gtk_len);
1494 }
1495
1496 return 0;
1497 }
1498
1499
wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm * sm,int tx)1500 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
1501 int tx)
1502 {
1503 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
1504 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
1505 * seemed to set this bit (incorrectly, since Tx is only when
1506 * doing Group Key only APs) and without this workaround, the
1507 * data connection does not work because wpa_supplicant
1508 * configured non-zero keyidx to be used for unicast. */
1509 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1510 "WPA: Tx bit set for GTK, but pairwise "
1511 "keys are used - ignore Tx bit");
1512 return 0;
1513 }
1514 return tx;
1515 }
1516
1517
wpa_supplicant_rsc_relaxation(const struct wpa_sm * sm,const u8 * rsc)1518 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
1519 const u8 *rsc)
1520 {
1521 int rsclen;
1522
1523 if (!sm->wpa_rsc_relaxation)
1524 return 0;
1525
1526 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
1527
1528 /*
1529 * Try to detect RSC (endian) corruption issue where the AP sends
1530 * the RSC bytes in EAPOL-Key message in the wrong order, both if
1531 * it's actually a 6-byte field (as it should be) and if it treats
1532 * it as an 8-byte field.
1533 * An AP model known to have this bug is the Sapido RB-1632.
1534 */
1535 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
1536 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1537 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
1538 rsc[0], rsc[1], rsc[2], rsc[3],
1539 rsc[4], rsc[5], rsc[6], rsc[7]);
1540
1541 return 1;
1542 }
1543
1544 return 0;
1545 }
1546
1547
wpa_supplicant_mlo_gtk(struct wpa_sm * sm,u8 link_id,const u8 * gtk,size_t gtk_len,int key_info)1548 static int wpa_supplicant_mlo_gtk(struct wpa_sm *sm, u8 link_id, const u8 *gtk,
1549 size_t gtk_len, int key_info)
1550 {
1551 struct wpa_gtk_data gd;
1552 const u8 *key_rsc;
1553 int ret;
1554
1555 /*
1556 * MLO GTK KDE format:
1557 * KeyID[bits 0-1], Tx [bit 2], Reserved [bit 3], link id [4-7]
1558 * PN
1559 * GTK
1560 */
1561 os_memset(&gd, 0, sizeof(gd));
1562 wpa_hexdump_link_key(MSG_DEBUG, link_id,
1563 "RSN: received GTK in pairwise handshake",
1564 gtk, gtk_len);
1565
1566 if (gtk_len < RSN_MLO_GTK_KDE_PREFIX_LENGTH ||
1567 gtk_len - RSN_MLO_GTK_KDE_PREFIX_LENGTH > sizeof(gd.gtk))
1568 return -1;
1569
1570 gd.keyidx = gtk[0] & 0x3;
1571 gtk += 1;
1572 gtk_len -= 1;
1573
1574 key_rsc = gtk;
1575
1576 gtk += 6;
1577 gtk_len -= 6;
1578
1579 os_memcpy(gd.gtk, gtk, gtk_len);
1580 gd.gtk_len = gtk_len;
1581
1582 ret = 0;
1583 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, gtk_len,
1584 gtk_len, &gd.key_rsc_len,
1585 &gd.alg) ||
1586 wpa_supplicant_install_mlo_gtk(sm, link_id, &gd, key_rsc, 0)) {
1587 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1588 "RSN: Failed to install GTK for MLO Link ID %u",
1589 link_id);
1590 ret = -1;
1591 goto out;
1592 }
1593
1594 out:
1595 forced_memzero(&gd, sizeof(gd));
1596 return ret;
1597 }
1598
1599
wpa_supplicant_pairwise_mlo_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,struct wpa_eapol_ie_parse * ie,int key_info)1600 static int wpa_supplicant_pairwise_mlo_gtk(struct wpa_sm *sm,
1601 const struct wpa_eapol_key *key,
1602 struct wpa_eapol_ie_parse *ie,
1603 int key_info)
1604 {
1605 u8 i;
1606
1607 for_each_link(sm->mlo.valid_links, i) {
1608 if (!ie->mlo_gtk[i]) {
1609 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1610 "MLO RSN: GTK not found for link ID %u", i);
1611 return -1;
1612 }
1613
1614 if (wpa_supplicant_mlo_gtk(sm, i, ie->mlo_gtk[i],
1615 ie->mlo_gtk_len[i], key_info))
1616 return -1;
1617 }
1618
1619 return 0;
1620 }
1621
1622
wpa_supplicant_pairwise_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * gtk,size_t gtk_len,int key_info)1623 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
1624 const struct wpa_eapol_key *key,
1625 const u8 *gtk, size_t gtk_len,
1626 int key_info)
1627 {
1628 struct wpa_gtk_data gd;
1629 const u8 *key_rsc;
1630
1631 /*
1632 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
1633 * GTK KDE format:
1634 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
1635 * Reserved [bits 0-7]
1636 * GTK
1637 */
1638
1639 os_memset(&gd, 0, sizeof(gd));
1640 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
1641 gtk, gtk_len);
1642
1643 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
1644 return -1;
1645
1646 gd.keyidx = gtk[0] & 0x3;
1647 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1648 !!(gtk[0] & BIT(2)));
1649 gtk += 2;
1650 gtk_len -= 2;
1651
1652 os_memcpy(gd.gtk, gtk, gtk_len);
1653 gd.gtk_len = gtk_len;
1654
1655 key_rsc = key->key_rsc;
1656 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1657 key_rsc = null_rsc;
1658
1659 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1660 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1661 gtk_len, gtk_len,
1662 &gd.key_rsc_len, &gd.alg) ||
1663 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
1664 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1665 "RSN: Failed to install GTK");
1666 forced_memzero(&gd, sizeof(gd));
1667 return -1;
1668 }
1669 forced_memzero(&gd, sizeof(gd));
1670
1671 return 0;
1672 }
1673
1674
wpa_supplicant_install_igtk(struct wpa_sm * sm,const struct wpa_igtk_kde * igtk,int wnm_sleep)1675 static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
1676 const struct wpa_igtk_kde *igtk,
1677 int wnm_sleep)
1678 {
1679 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1680 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1681
1682 /* Detect possible key reinstallation */
1683 if ((sm->igtk.igtk_len == len &&
1684 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
1685 (sm->igtk_wnm_sleep.igtk_len == len &&
1686 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1687 sm->igtk_wnm_sleep.igtk_len) == 0)) {
1688 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1689 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1690 keyidx);
1691 return 0;
1692 }
1693
1694 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1695 "WPA: IGTK keyid %d pn " COMPACT_MACSTR,
1696 keyidx, MAC2STR(igtk->pn));
1697 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
1698 if (keyidx > 4095) {
1699 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1700 "WPA: Invalid IGTK KeyID %d", keyidx);
1701 return -1;
1702 }
1703 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1704 broadcast_ether_addr,
1705 keyidx, 0, igtk->pn, sizeof(igtk->pn),
1706 igtk->igtk, len, KEY_FLAG_GROUP_RX) < 0) {
1707 if (keyidx == 0x0400 || keyidx == 0x0500) {
1708 /* Assume the AP has broken PMF implementation since it
1709 * seems to have swapped the KeyID bytes. The AP cannot
1710 * be trusted to implement BIP correctly or provide a
1711 * valid IGTK, so do not try to configure this key with
1712 * swapped KeyID bytes. Instead, continue without
1713 * configuring the IGTK so that the driver can drop any
1714 * received group-addressed robust management frames due
1715 * to missing keys.
1716 *
1717 * Normally, this error behavior would result in us
1718 * disconnecting, but there are number of deployed APs
1719 * with this broken behavior, so as an interoperability
1720 * workaround, allow the connection to proceed. */
1721 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1722 "WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order");
1723 } else {
1724 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1725 "WPA: Failed to configure IGTK to the driver");
1726 return -1;
1727 }
1728 }
1729
1730 if (wnm_sleep) {
1731 sm->igtk_wnm_sleep.igtk_len = len;
1732 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1733 sm->igtk_wnm_sleep.igtk_len);
1734 } else {
1735 sm->igtk.igtk_len = len;
1736 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
1737 }
1738
1739 return 0;
1740 }
1741
1742
wpa_supplicant_install_bigtk(struct wpa_sm * sm,const struct wpa_bigtk_kde * bigtk,int wnm_sleep)1743 static int wpa_supplicant_install_bigtk(struct wpa_sm *sm,
1744 const struct wpa_bigtk_kde *bigtk,
1745 int wnm_sleep)
1746 {
1747 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1748 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1749
1750 /* Detect possible key reinstallation */
1751 if ((sm->bigtk.bigtk_len == len &&
1752 os_memcmp(sm->bigtk.bigtk, bigtk->bigtk,
1753 sm->bigtk.bigtk_len) == 0) ||
1754 (sm->bigtk_wnm_sleep.bigtk_len == len &&
1755 os_memcmp(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1756 sm->bigtk_wnm_sleep.bigtk_len) == 0)) {
1757 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1758 "WPA: Not reinstalling already in-use BIGTK to the driver (keyidx=%d)",
1759 keyidx);
1760 return 0;
1761 }
1762
1763 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1764 "WPA: BIGTK keyid %d pn " COMPACT_MACSTR,
1765 keyidx, MAC2STR(bigtk->pn));
1766 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK", bigtk->bigtk, len);
1767 if (keyidx < 6 || keyidx > 7) {
1768 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1769 "WPA: Invalid BIGTK KeyID %d", keyidx);
1770 return -1;
1771 }
1772 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1773 broadcast_ether_addr,
1774 keyidx, 0, bigtk->pn, sizeof(bigtk->pn),
1775 bigtk->bigtk, len, KEY_FLAG_GROUP_RX) < 0) {
1776 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1777 "WPA: Failed to configure BIGTK to the driver");
1778 return -1;
1779 }
1780
1781 if (wnm_sleep) {
1782 sm->bigtk_wnm_sleep.bigtk_len = len;
1783 os_memcpy(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1784 sm->bigtk_wnm_sleep.bigtk_len);
1785 } else {
1786 sm->bigtk.bigtk_len = len;
1787 os_memcpy(sm->bigtk.bigtk, bigtk->bigtk, sm->bigtk.bigtk_len);
1788 }
1789
1790 return 0;
1791 }
1792
1793
wpa_supplicant_install_mlo_igtk(struct wpa_sm * sm,u8 link_id,const struct rsn_mlo_igtk_kde * igtk,int wnm_sleep)1794 static int wpa_supplicant_install_mlo_igtk(struct wpa_sm *sm, u8 link_id,
1795 const struct rsn_mlo_igtk_kde *igtk,
1796 int wnm_sleep)
1797 {
1798 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1799 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1800
1801 /* Detect possible key reinstallation */
1802 if ((sm->mlo.links[link_id].igtk.igtk_len == len &&
1803 os_memcmp(sm->mlo.links[link_id].igtk.igtk, igtk->igtk,
1804 sm->mlo.links[link_id].igtk.igtk_len) == 0) ||
1805 (sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len == len &&
1806 os_memcmp(sm->mlo.links[link_id].igtk_wnm_sleep.igtk, igtk->igtk,
1807 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len) == 0)) {
1808 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1809 "RSN: Not reinstalling already in-use IGTK to the driver (link_id=%d keyidx=%d)",
1810 link_id, keyidx);
1811 return 0;
1812 }
1813
1814 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1815 "RSN: MLO Link %u IGTK keyid %d pn " COMPACT_MACSTR,
1816 link_id, keyidx, MAC2STR(igtk->pn));
1817 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: IGTK", igtk->igtk, len);
1818 if (keyidx > 4095) {
1819 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1820 "RSN: Invalid MLO Link %d IGTK KeyID %d", link_id,
1821 keyidx);
1822 return -1;
1823 }
1824 if (wpa_sm_set_key(sm, link_id,
1825 wpa_cipher_to_alg(sm->mgmt_group_cipher),
1826 broadcast_ether_addr, keyidx, 0, igtk->pn,
1827 sizeof(igtk->pn), igtk->igtk, len,
1828 KEY_FLAG_GROUP_RX) < 0) {
1829 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1830 "RSN: Failed to configure MLO Link %d IGTK to the driver",
1831 link_id);
1832 return -1;
1833 }
1834
1835 if (wnm_sleep) {
1836 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len = len;
1837 os_memcpy(sm->mlo.links[link_id].igtk_wnm_sleep.igtk,
1838 igtk->igtk,
1839 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len);
1840 } else {
1841 sm->mlo.links[link_id].igtk.igtk_len = len;
1842 os_memcpy(sm->mlo.links[link_id].igtk.igtk, igtk->igtk,
1843 sm->mlo.links[link_id].igtk.igtk_len);
1844 }
1845
1846 return 0;
1847 }
1848
1849
1850 static int
wpa_supplicant_install_mlo_bigtk(struct wpa_sm * sm,u8 link_id,const struct rsn_mlo_bigtk_kde * bigtk,int wnm_sleep)1851 wpa_supplicant_install_mlo_bigtk(struct wpa_sm *sm, u8 link_id,
1852 const struct rsn_mlo_bigtk_kde *bigtk,
1853 int wnm_sleep)
1854 {
1855 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1856 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1857
1858 /* Detect possible key reinstallation */
1859 if ((sm->mlo.links[link_id].bigtk.bigtk_len == len &&
1860 os_memcmp(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk,
1861 sm->mlo.links[link_id].bigtk.bigtk_len) == 0) ||
1862 (sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len == len &&
1863 os_memcmp(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk,
1864 bigtk->bigtk,
1865 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len) ==
1866 0)) {
1867 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1868 "RSN: Not reinstalling already in-use BIGTK to the driver (link_id=%d keyidx=%d)",
1869 link_id, keyidx);
1870 return 0;
1871 }
1872
1873 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1874 "RSN: MLO Link %u BIGTK keyid %d pn " COMPACT_MACSTR,
1875 link_id, keyidx, MAC2STR(bigtk->pn));
1876 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: BIGTK", bigtk->bigtk,
1877 len);
1878 if (keyidx < 6 || keyidx > 7) {
1879 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1880 "RSN: Invalid MLO Link %d BIGTK KeyID %d", link_id,
1881 keyidx);
1882 return -1;
1883 }
1884 if (wpa_sm_set_key(sm, link_id,
1885 wpa_cipher_to_alg(sm->mgmt_group_cipher),
1886 broadcast_ether_addr, keyidx, 0, bigtk->pn,
1887 sizeof(bigtk->pn), bigtk->bigtk, len,
1888 KEY_FLAG_GROUP_RX) < 0) {
1889 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1890 "RSN: Failed to configure MLO Link %d BIGTK to the driver",
1891 link_id);
1892 return -1;
1893 }
1894
1895 if (wnm_sleep) {
1896 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len = len;
1897 os_memcpy(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk,
1898 bigtk->bigtk,
1899 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len);
1900 } else {
1901 sm->mlo.links[link_id].bigtk.bigtk_len = len;
1902 os_memcpy(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk,
1903 sm->mlo.links[link_id].bigtk.bigtk_len);
1904 }
1905
1906 return 0;
1907 }
1908
1909
_mlo_ieee80211w_set_keys(struct wpa_sm * sm,u8 link_id,struct wpa_eapol_ie_parse * ie)1910 static int _mlo_ieee80211w_set_keys(struct wpa_sm *sm, u8 link_id,
1911 struct wpa_eapol_ie_parse *ie)
1912 {
1913 size_t len;
1914
1915 if (ie->mlo_igtk[link_id]) {
1916 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1917 if (ie->mlo_igtk_len[link_id] !=
1918 RSN_MLO_IGTK_KDE_PREFIX_LENGTH + len)
1919 return -1;
1920
1921 if (wpa_supplicant_install_mlo_igtk(
1922 sm, link_id,
1923 (const struct rsn_mlo_igtk_kde *)
1924 ie->mlo_igtk[link_id],
1925 0) < 0)
1926 return -1;
1927 }
1928
1929 if (ie->mlo_bigtk[link_id] && sm->beacon_prot) {
1930 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1931 if (ie->mlo_bigtk_len[link_id] !=
1932 RSN_MLO_BIGTK_KDE_PREFIX_LENGTH + len)
1933 return -1;
1934
1935 if (wpa_supplicant_install_mlo_bigtk(
1936 sm, link_id,
1937 (const struct rsn_mlo_bigtk_kde *)
1938 ie->mlo_bigtk[link_id],
1939 0) < 0)
1940 return -1;
1941 }
1942
1943 return 0;
1944 }
1945
1946
mlo_ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1947 static int mlo_ieee80211w_set_keys(struct wpa_sm *sm,
1948 struct wpa_eapol_ie_parse *ie)
1949 {
1950 u8 i;
1951
1952 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1953 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1954 return 0;
1955
1956 for_each_link(sm->mlo.valid_links, i) {
1957 if (_mlo_ieee80211w_set_keys(sm, i, ie))
1958 return -1;
1959 }
1960
1961 return 0;
1962 }
1963
1964
ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1965 static int ieee80211w_set_keys(struct wpa_sm *sm,
1966 struct wpa_eapol_ie_parse *ie)
1967 {
1968 size_t len;
1969
1970 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1971 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1972 return 0;
1973
1974 if (ie->igtk) {
1975 const struct wpa_igtk_kde *igtk;
1976
1977 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1978 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
1979 return -1;
1980
1981 igtk = (const struct wpa_igtk_kde *) ie->igtk;
1982 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
1983 return -1;
1984 }
1985
1986 if (ie->bigtk && sm->beacon_prot) {
1987 const struct wpa_bigtk_kde *bigtk;
1988
1989 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1990 if (ie->bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + len)
1991 return -1;
1992
1993 bigtk = (const struct wpa_bigtk_kde *) ie->bigtk;
1994 if (wpa_supplicant_install_bigtk(sm, bigtk, 0) < 0)
1995 return -1;
1996 }
1997
1998 return 0;
1999 }
2000
2001
wpa_report_ie_mismatch(struct wpa_sm * sm,const char * reason,const u8 * src_addr,const u8 * wpa_ie,size_t wpa_ie_len,const u8 * rsn_ie,size_t rsn_ie_len)2002 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
2003 const char *reason, const u8 *src_addr,
2004 const u8 *wpa_ie, size_t wpa_ie_len,
2005 const u8 *rsn_ie, size_t rsn_ie_len)
2006 {
2007 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
2008 reason, MAC2STR(src_addr));
2009
2010 if (sm->ap_wpa_ie) {
2011 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
2012 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
2013 }
2014 if (wpa_ie) {
2015 if (!sm->ap_wpa_ie) {
2016 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2017 "WPA: No WPA IE in Beacon/ProbeResp");
2018 }
2019 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
2020 wpa_ie, wpa_ie_len);
2021 }
2022
2023 if (sm->ap_rsn_ie) {
2024 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
2025 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
2026 }
2027 if (rsn_ie) {
2028 if (!sm->ap_rsn_ie) {
2029 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2030 "WPA: No RSN IE in Beacon/ProbeResp");
2031 }
2032 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
2033 rsn_ie, rsn_ie_len);
2034 }
2035
2036 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2037 }
2038
2039
2040 #ifdef CONFIG_IEEE80211R
2041
ft_validate_mdie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_mdie)2042 static int ft_validate_mdie(struct wpa_sm *sm,
2043 const unsigned char *src_addr,
2044 struct wpa_eapol_ie_parse *ie,
2045 const u8 *assoc_resp_mdie)
2046 {
2047 struct rsn_mdie *mdie;
2048
2049 mdie = (struct rsn_mdie *) (ie->mdie + 2);
2050 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
2051 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
2052 MOBILITY_DOMAIN_ID_LEN) != 0) {
2053 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
2054 "not match with the current mobility domain");
2055 return -1;
2056 }
2057
2058 if (assoc_resp_mdie &&
2059 (assoc_resp_mdie[1] != ie->mdie[1] ||
2060 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
2061 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
2062 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
2063 ie->mdie, 2 + ie->mdie[1]);
2064 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
2065 assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
2066 return -1;
2067 }
2068
2069 return 0;
2070 }
2071
2072
ft_validate_ftie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_ftie)2073 static int ft_validate_ftie(struct wpa_sm *sm,
2074 const unsigned char *src_addr,
2075 struct wpa_eapol_ie_parse *ie,
2076 const u8 *assoc_resp_ftie)
2077 {
2078 if (ie->ftie == NULL) {
2079 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2080 "FT: No FTIE in EAPOL-Key msg 3/4");
2081 return -1;
2082 }
2083
2084 if (assoc_resp_ftie == NULL)
2085 return 0;
2086
2087 if (assoc_resp_ftie[1] != ie->ftie[1] ||
2088 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
2089 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
2090 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
2091 ie->ftie, 2 + ie->ftie[1]);
2092 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
2093 assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
2094 return -1;
2095 }
2096
2097 return 0;
2098 }
2099
2100
ft_validate_rsnie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2101 static int ft_validate_rsnie(struct wpa_sm *sm,
2102 const unsigned char *src_addr,
2103 struct wpa_eapol_ie_parse *ie)
2104 {
2105 struct wpa_ie_data rsn;
2106
2107 if (!ie->rsn_ie)
2108 return 0;
2109
2110 /*
2111 * Verify that PMKR1Name from EAPOL-Key message 3/4
2112 * matches with the value we derived.
2113 */
2114 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
2115 rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
2116 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
2117 "FT 4-way handshake message 3/4");
2118 return -1;
2119 }
2120
2121 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
2122 {
2123 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2124 "FT: PMKR1Name mismatch in "
2125 "FT 4-way handshake message 3/4");
2126 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
2127 rsn.pmkid, WPA_PMK_NAME_LEN);
2128 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2129 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2130 return -1;
2131 }
2132
2133 return 0;
2134 }
2135
2136
wpa_supplicant_validate_ie_ft(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2137 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
2138 const unsigned char *src_addr,
2139 struct wpa_eapol_ie_parse *ie)
2140 {
2141 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
2142
2143 if (sm->assoc_resp_ies) {
2144 pos = sm->assoc_resp_ies;
2145 end = pos + sm->assoc_resp_ies_len;
2146 while (end - pos > 2) {
2147 if (2 + pos[1] > end - pos)
2148 break;
2149 switch (*pos) {
2150 case WLAN_EID_MOBILITY_DOMAIN:
2151 mdie = pos;
2152 break;
2153 case WLAN_EID_FAST_BSS_TRANSITION:
2154 ftie = pos;
2155 break;
2156 }
2157 pos += 2 + pos[1];
2158 }
2159 }
2160
2161 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
2162 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
2163 ft_validate_rsnie(sm, src_addr, ie) < 0)
2164 return -1;
2165
2166 return 0;
2167 }
2168
2169 #endif /* CONFIG_IEEE80211R */
2170
2171
wpa_supplicant_validate_ie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2172 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
2173 const unsigned char *src_addr,
2174 struct wpa_eapol_ie_parse *ie)
2175 {
2176 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
2177 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2178 "WPA: No WPA/RSN IE for this AP known. "
2179 "Trying to get from scan results");
2180 if (wpa_sm_get_beacon_ie(sm) < 0) {
2181 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2182 "WPA: Could not find AP from "
2183 "the scan results");
2184 return -1;
2185 }
2186 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
2187 "WPA: Found the current AP from updated scan results");
2188 }
2189
2190 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
2191 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
2192 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
2193 "with IE in Beacon/ProbeResp (no IE?)",
2194 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2195 ie->rsn_ie, ie->rsn_ie_len);
2196 return -1;
2197 }
2198
2199 if ((ie->wpa_ie && sm->ap_wpa_ie &&
2200 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
2201 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
2202 (ie->rsn_ie && sm->ap_rsn_ie &&
2203 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2204 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
2205 ie->rsn_ie, ie->rsn_ie_len))) {
2206 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
2207 "with IE in Beacon/ProbeResp",
2208 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2209 ie->rsn_ie, ie->rsn_ie_len);
2210 return -1;
2211 }
2212
2213 if (sm->proto == WPA_PROTO_WPA &&
2214 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
2215 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
2216 "detected - RSN was enabled and RSN IE "
2217 "was in msg 3/4, but not in "
2218 "Beacon/ProbeResp",
2219 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2220 ie->rsn_ie, ie->rsn_ie_len);
2221 return -1;
2222 }
2223
2224 if (sm->proto == WPA_PROTO_RSN &&
2225 ((sm->ap_rsnxe && !ie->rsnxe) ||
2226 (!sm->ap_rsnxe && ie->rsnxe) ||
2227 (sm->ap_rsnxe && ie->rsnxe &&
2228 (sm->ap_rsnxe_len != ie->rsnxe_len ||
2229 os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) {
2230 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2231 "WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2232 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
2233 sm->ap_rsnxe, sm->ap_rsnxe_len);
2234 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
2235 ie->rsnxe, ie->rsnxe_len);
2236 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2237 return -1;
2238 }
2239
2240 if (sm->proto == WPA_PROTO_RSN && wpa_sm_rsn_overriding_supported(sm)) {
2241 if ((sm->ap_rsne_override && !ie->rsne_override) ||
2242 (!sm->ap_rsne_override && ie->rsne_override) ||
2243 (sm->ap_rsne_override && ie->rsne_override &&
2244 (sm->ap_rsne_override_len != ie->rsne_override_len ||
2245 os_memcmp(sm->ap_rsne_override, ie->rsne_override,
2246 sm->ap_rsne_override_len) != 0))) {
2247 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2248 "RSN: RSNE Override element mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2249 wpa_hexdump(MSG_INFO,
2250 "RSNE Override element in Beacon/ProbeResp",
2251 sm->ap_rsne_override,
2252 sm->ap_rsne_override_len);
2253 wpa_hexdump(MSG_INFO,
2254 "RSNE Override element in EAPOL-Key msg 3/4",
2255 ie->rsne_override, ie->rsne_override_len);
2256 wpa_sm_deauthenticate(sm,
2257 WLAN_REASON_IE_IN_4WAY_DIFFERS);
2258 return -1;
2259 }
2260
2261 if ((sm->ap_rsne_override_2 && !ie->rsne_override_2) ||
2262 (!sm->ap_rsne_override_2 && ie->rsne_override_2) ||
2263 (sm->ap_rsne_override_2 && ie->rsne_override_2 &&
2264 (sm->ap_rsne_override_2_len != ie->rsne_override_2_len ||
2265 os_memcmp(sm->ap_rsne_override_2, ie->rsne_override_2,
2266 sm->ap_rsne_override_2_len) != 0))) {
2267 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2268 "RSN: RSNE Override 2 element mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2269 wpa_hexdump(MSG_INFO,
2270 "RSNE Override 2 element in Beacon/ProbeResp",
2271 sm->ap_rsne_override_2,
2272 sm->ap_rsne_override_2_len);
2273 wpa_hexdump(MSG_INFO,
2274 "RSNE Override 2 element in EAPOL-Key msg 3/4",
2275 ie->rsne_override_2, ie->rsne_override_2_len);
2276 wpa_sm_deauthenticate(sm,
2277 WLAN_REASON_IE_IN_4WAY_DIFFERS);
2278 return -1;
2279 }
2280
2281 if ((sm->ap_rsnxe_override && !ie->rsnxe_override) ||
2282 (!sm->ap_rsnxe_override && ie->rsnxe_override) ||
2283 (sm->ap_rsnxe_override && ie->rsnxe_override &&
2284 (sm->ap_rsnxe_override_len != ie->rsnxe_override_len ||
2285 os_memcmp(sm->ap_rsnxe_override, ie->rsnxe_override,
2286 sm->ap_rsnxe_override_len) != 0))) {
2287 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2288 "RSN: RSNXE Override element mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2289 wpa_hexdump(MSG_INFO,
2290 "RSNXE Override element in Beacon/ProbeResp",
2291 sm->ap_rsnxe_override,
2292 sm->ap_rsnxe_override_len);
2293 wpa_hexdump(MSG_INFO,
2294 "RSNXE Override element in EAPOL-Key msg 3/4",
2295 ie->rsnxe_override, ie->rsnxe_override_len);
2296 wpa_sm_deauthenticate(sm,
2297 WLAN_REASON_IE_IN_4WAY_DIFFERS);
2298 return -1;
2299 }
2300 }
2301
2302 #ifdef CONFIG_IEEE80211R
2303 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
2304 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
2305 return -1;
2306 #endif /* CONFIG_IEEE80211R */
2307
2308 return 0;
2309 }
2310
2311
2312 /**
2313 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
2314 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2315 * @dst: Destination address for the frame
2316 * @key: Pointer to the EAPOL-Key frame header
2317 * @ver: Version bits from EAPOL-Key Key Info
2318 * @key_info: Key Info
2319 * @ptk: PTK to use for keyed hash and encryption
2320 * Returns: >= 0 on success, < 0 on failure
2321 */
wpa_supplicant_send_4_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,u16 ver,u16 key_info,struct wpa_ptk * ptk)2322 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
2323 const struct wpa_eapol_key *key,
2324 u16 ver, u16 key_info,
2325 struct wpa_ptk *ptk)
2326 {
2327 size_t mic_len, hdrlen, rlen;
2328 struct wpa_eapol_key *reply;
2329 u8 *rbuf, *key_mic;
2330 u8 *kde = NULL;
2331 size_t kde_len = 0, extra_len = 0;
2332 #ifdef CONFIG_TESTING_OPTIONS
2333 size_t pad_len = 0;
2334 #endif /* CONFIG_TESTING_OPTIONS */
2335
2336 if (sm->mlo.valid_links) {
2337 u8 *pos;
2338
2339 kde = os_malloc(RSN_SELECTOR_LEN + ETH_ALEN + 2);
2340 if (!kde)
2341 return -1;
2342
2343 /* Add MAC KDE */
2344 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 4/4");
2345 pos = kde;
2346 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
2347 ETH_ALEN);
2348 kde_len = pos - kde;
2349 }
2350
2351 #ifdef CONFIG_TESTING_OPTIONS
2352 if (sm->test_eapol_m4_elems)
2353 extra_len = wpabuf_len(sm->test_eapol_m4_elems);
2354 if (sm->encrypt_eapol_m4) {
2355 pad_len = (kde_len + extra_len) % 8;
2356 if (pad_len)
2357 pad_len = 8 - pad_len;
2358 extra_len += pad_len + 8;
2359 }
2360 #endif /* CONFIG_TESTING_OPTIONS */
2361
2362 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2363 hdrlen = sizeof(*reply) + mic_len + 2;
2364 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
2365 hdrlen + kde_len + extra_len, &rlen,
2366 (void *) &reply);
2367 if (!rbuf) {
2368 os_free(kde);
2369 return -1;
2370 }
2371
2372 reply->type = (sm->proto == WPA_PROTO_RSN) ?
2373 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2374 key_info &= WPA_KEY_INFO_SECURE;
2375 key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
2376 if (mic_len)
2377 key_info |= WPA_KEY_INFO_MIC;
2378 else
2379 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2380 #ifdef CONFIG_TESTING_OPTIONS
2381 if (sm->encrypt_eapol_m4)
2382 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2383 #endif /* CONFIG_TESTING_OPTIONS */
2384 WPA_PUT_BE16(reply->key_info, key_info);
2385 if (sm->proto == WPA_PROTO_RSN)
2386 WPA_PUT_BE16(reply->key_length, 0);
2387 else
2388 os_memcpy(reply->key_length, key->key_length, 2);
2389 os_memcpy(reply->replay_counter, key->replay_counter,
2390 WPA_REPLAY_COUNTER_LEN);
2391
2392 key_mic = (u8 *) (reply + 1);
2393 /* Key Data length */
2394 WPA_PUT_BE16(key_mic + mic_len, kde_len + extra_len);
2395 if (kde) {
2396 os_memcpy(key_mic + mic_len + 2, kde, kde_len); /* Key Data */
2397 os_free(kde);
2398 }
2399
2400 #ifdef CONFIG_TESTING_OPTIONS
2401 if (sm->test_eapol_m4_elems) {
2402 os_memcpy(key_mic + mic_len + 2 + kde_len,
2403 wpabuf_head(sm->test_eapol_m4_elems),
2404 wpabuf_len(sm->test_eapol_m4_elems));
2405 }
2406
2407 if (sm->encrypt_eapol_m4) {
2408 u8 *plain;
2409 size_t plain_len;
2410
2411 if (sm->test_eapol_m4_elems)
2412 extra_len = wpabuf_len(sm->test_eapol_m4_elems);
2413 else
2414 extra_len = 0;
2415 plain_len = kde_len + extra_len + pad_len;
2416 plain = os_memdup(key_mic + mic_len + 2, plain_len);
2417 if (!plain) {
2418 os_free(rbuf);
2419 return -1;
2420 }
2421 if (pad_len)
2422 plain[plain_len - pad_len] = 0xdd;
2423
2424 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK",
2425 ptk->kek, ptk->kek_len);
2426 if (aes_wrap(ptk->kek, ptk->kek_len, plain_len / 8, plain,
2427 key_mic + mic_len + 2)) {
2428 os_free(plain);
2429 os_free(rbuf);
2430 return -1;
2431 }
2432 wpa_hexdump(MSG_DEBUG,
2433 "RSN: Encrypted Key Data from AES-WRAP",
2434 key_mic + mic_len + 2, plain_len + 8);
2435 os_free(plain);
2436 }
2437 #endif /* CONFIG_TESTING_OPTIONS */
2438
2439 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Sending EAPOL-Key 4/4");
2440 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
2441 key_mic);
2442 }
2443
2444
wpa_supplicant_validate_link_kde(struct wpa_sm * sm,u8 link_id,const u8 * link_kde,size_t link_kde_len,const u8 * rsn_override_link_kde,size_t rsn_override_link_kde_len)2445 static int wpa_supplicant_validate_link_kde(struct wpa_sm *sm, u8 link_id,
2446 const u8 *link_kde,
2447 size_t link_kde_len,
2448 const u8 *rsn_override_link_kde,
2449 size_t rsn_override_link_kde_len)
2450 {
2451 size_t rsne_len = 0, rsnxe_len = 0, rsnoe_len = 0, rsno2e_len = 0,
2452 rsnxoe_len = 0;
2453 const u8 *rsne = NULL, *rsnxe = NULL, *rsnoe = NULL, *rsno2e = NULL,
2454 *rsnxoe = NULL;
2455
2456 if (!link_kde ||
2457 link_kde_len < RSN_MLO_LINK_KDE_LINK_MAC_INDEX + ETH_ALEN) {
2458 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2459 "RSN: MLO Link KDE is not found for link ID %d",
2460 link_id);
2461 return -1;
2462 }
2463
2464 if (!ether_addr_equal(sm->mlo.links[link_id].bssid,
2465 &link_kde[RSN_MLO_LINK_KDE_LINK_MAC_INDEX])) {
2466 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2467 "RSN: MLO Link %u MAC address (" MACSTR
2468 ") not matching association response (" MACSTR ")",
2469 link_id,
2470 MAC2STR(&link_kde[RSN_MLO_LINK_KDE_LINK_MAC_INDEX]),
2471 MAC2STR(sm->mlo.links[link_id].bssid));
2472 return -1;
2473 }
2474
2475 if (link_kde[0] & RSN_MLO_LINK_KDE_LI_RSNE_INFO) {
2476 rsne = link_kde + RSN_MLO_LINK_KDE_FIXED_LENGTH;
2477 if (link_kde_len < RSN_MLO_LINK_KDE_FIXED_LENGTH + 2 ||
2478 link_kde_len <
2479 (size_t) (RSN_MLO_LINK_KDE_FIXED_LENGTH + 2 + rsne[1])) {
2480 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2481 "RSN: No room for link %u RSNE in MLO Link KDE",
2482 link_id);
2483 return -1;
2484 }
2485
2486 rsne_len = rsne[1] + 2;
2487 }
2488
2489 if (!rsne) {
2490 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2491 "RSN: RSNE not present in MLO Link %u KDE", link_id);
2492 return -1;
2493 }
2494
2495 if (link_kde[0] & RSN_MLO_LINK_KDE_LI_RSNXE_INFO) {
2496 rsnxe = link_kde + RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len;
2497 if (link_kde_len <
2498 (RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len + 2) ||
2499 link_kde_len <
2500 (RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len + 2 + rsnxe[1])) {
2501 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2502 "RSN: No room for link %u RSNXE in MLO Link KDE",
2503 link_id);
2504 return -1;
2505 }
2506
2507 rsnxe_len = rsnxe[1] + 2;
2508 }
2509
2510 if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2511 sm->mlo.links[link_id].ap_rsne,
2512 sm->mlo.links[link_id].ap_rsne_len,
2513 rsne, rsne_len)) {
2514 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2515 "RSN MLO: RSNE in 3/4 msg does not match with IE in Beacon/ProbeResp for link ID %u",
2516 link_id);
2517 wpa_hexdump(MSG_INFO, "RSNE in Beacon/ProbeResp",
2518 sm->mlo.links[link_id].ap_rsne,
2519 sm->mlo.links[link_id].ap_rsne_len);
2520 wpa_hexdump(MSG_INFO, "RSNE in EAPOL-Key msg 3/4",
2521 rsne, rsne_len);
2522 goto fail;
2523 }
2524
2525 if ((sm->mlo.links[link_id].ap_rsnxe && !rsnxe) ||
2526 (!sm->mlo.links[link_id].ap_rsnxe && rsnxe) ||
2527 (sm->mlo.links[link_id].ap_rsnxe && rsnxe &&
2528 (sm->mlo.links[link_id].ap_rsnxe_len != rsnxe_len ||
2529 os_memcmp(sm->mlo.links[link_id].ap_rsnxe, rsnxe,
2530 sm->mlo.links[link_id].ap_rsnxe_len) != 0))) {
2531 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2532 "RSN MLO: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4 for link ID %u",
2533 link_id);
2534 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
2535 sm->mlo.links[link_id].ap_rsnxe,
2536 sm->mlo.links[link_id].ap_rsnxe_len);
2537 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
2538 rsnxe, rsnxe_len);
2539 goto fail;
2540 }
2541
2542 if (!wpa_sm_rsn_overriding_supported(sm))
2543 return 0;
2544
2545 if (rsn_override_link_kde) {
2546 rsnoe = get_vendor_ie(rsn_override_link_kde + 1,
2547 rsn_override_link_kde_len - 1,
2548 RSNE_OVERRIDE_IE_VENDOR_TYPE);
2549 if (rsnoe)
2550 rsnoe_len = 2 + rsnoe[1];
2551
2552 rsno2e = get_vendor_ie(rsn_override_link_kde + 1,
2553 rsn_override_link_kde_len - 1,
2554 RSNE_OVERRIDE_2_IE_VENDOR_TYPE);
2555 if (rsno2e)
2556 rsno2e_len = 2 + rsno2e[1];
2557
2558 rsnxoe = get_vendor_ie(rsn_override_link_kde + 1,
2559 rsn_override_link_kde_len - 1,
2560 RSNXE_OVERRIDE_IE_VENDOR_TYPE);
2561 if (rsnxoe)
2562 rsnxoe_len = 2 + rsnxoe[1];
2563 }
2564
2565 if ((sm->mlo.links[link_id].ap_rsnoe && !rsnoe) ||
2566 (!sm->mlo.links[link_id].ap_rsnoe && rsnoe) ||
2567 (sm->mlo.links[link_id].ap_rsnoe && rsnoe &&
2568 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2569 sm->mlo.links[link_id].ap_rsnoe,
2570 sm->mlo.links[link_id].ap_rsnoe_len,
2571 rsnoe, rsnoe_len))) {
2572 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2573 "RSN MLO: RSNOE in 3/4 msg does not match with IE in Beacon/ProbeResp for link ID %u",
2574 link_id);
2575 wpa_hexdump(MSG_INFO, "RSNOE in Beacon/ProbeResp",
2576 sm->mlo.links[link_id].ap_rsnoe,
2577 sm->mlo.links[link_id].ap_rsnoe_len);
2578 wpa_hexdump(MSG_INFO, "RSNOE in EAPOL-Key msg 3/4",
2579 rsnoe, rsnoe_len);
2580 goto fail;
2581 }
2582
2583 if ((sm->mlo.links[link_id].ap_rsno2e && !rsno2e) ||
2584 (!sm->mlo.links[link_id].ap_rsno2e && rsno2e) ||
2585 (sm->mlo.links[link_id].ap_rsno2e && rsno2e &&
2586 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2587 sm->mlo.links[link_id].ap_rsno2e,
2588 sm->mlo.links[link_id].ap_rsno2e_len,
2589 rsno2e, rsno2e_len))) {
2590 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2591 "RSN MLO: RSNO2E in 3/4 msg does not match with IE in Beacon/ProbeResp for link ID %u",
2592 link_id);
2593 wpa_hexdump(MSG_INFO, "RSNO2E in Beacon/ProbeResp",
2594 sm->mlo.links[link_id].ap_rsno2e,
2595 sm->mlo.links[link_id].ap_rsno2e_len);
2596 wpa_hexdump(MSG_INFO, "RSNOE in EAPOL-Key msg 3/4",
2597 rsno2e, rsno2e_len);
2598 goto fail;
2599 }
2600
2601 if ((sm->mlo.links[link_id].ap_rsnxoe && !rsnxoe) ||
2602 (!sm->mlo.links[link_id].ap_rsnxoe && rsnxoe) ||
2603 (sm->mlo.links[link_id].ap_rsnxoe && rsnxoe &&
2604 (sm->mlo.links[link_id].ap_rsnxoe_len != rsnxoe_len ||
2605 os_memcmp(sm->mlo.links[link_id].ap_rsnxoe, rsnxoe,
2606 sm->mlo.links[link_id].ap_rsnxoe_len) != 0))) {
2607 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2608 "RSN MLO: RSNXOE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4 for link ID %u",
2609 link_id);
2610 wpa_hexdump(MSG_INFO, "RSNXOE in Beacon/ProbeResp",
2611 sm->mlo.links[link_id].ap_rsnxoe,
2612 sm->mlo.links[link_id].ap_rsnxoe_len);
2613 wpa_hexdump(MSG_INFO, "RSNXOE in EAPOL-Key msg 3/4",
2614 rsnxoe, rsnxoe_len);
2615 goto fail;
2616 }
2617
2618 return 0;
2619 fail:
2620 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2621 return -1;
2622 }
2623
2624
wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm * sm,u8 link_id,struct wpa_eapol_ie_parse * ie)2625 static int wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm *sm,
2626 u8 link_id,
2627 struct wpa_eapol_ie_parse *ie)
2628 {
2629 if (ie->mlo_igtk[link_id] &&
2630 ie->mlo_igtk_len[link_id] != RSN_MLO_IGTK_KDE_PREFIX_LENGTH +
2631 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2632 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2633 "RSN MLO: Invalid IGTK KDE length %lu for link ID %u",
2634 (unsigned long) ie->mlo_igtk_len[link_id], link_id);
2635 return -1;
2636 }
2637
2638 if (!sm->beacon_prot)
2639 return 0;
2640
2641 if (ie->mlo_bigtk[link_id] &&
2642 ie->mlo_bigtk_len[link_id] != RSN_MLO_BIGTK_KDE_PREFIX_LENGTH +
2643 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2644 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2645 "RSN MLO: Invalid BIGTK KDE length %lu for link ID %u",
2646 (unsigned long) ie->mlo_bigtk_len[link_id], link_id);
2647 return -1;
2648 }
2649
2650 return 0;
2651 }
2652
2653
wpa_supplicant_process_3_of_4_wpa(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)2654 static void wpa_supplicant_process_3_of_4_wpa(struct wpa_sm *sm,
2655 const struct wpa_eapol_key *key,
2656 u16 ver, const u8 *key_data,
2657 size_t key_data_len)
2658 {
2659 u16 key_info, keylen;
2660 struct wpa_eapol_ie_parse ie;
2661
2662 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
2663 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2664 "WPA: RX message 3 of 4-Way Handshake from " MACSTR
2665 " (ver=%d)", MAC2STR(sm->bssid), ver);
2666
2667 key_info = WPA_GET_BE16(key->key_info);
2668
2669 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
2670 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
2671 goto failed;
2672
2673 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
2674 goto failed;
2675
2676 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2677 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2678 "WPA: ANonce from message 1 of 4-Way Handshake differs from 3 of 4-Way Handshake - drop packet (src="
2679 MACSTR ")", MAC2STR(sm->bssid));
2680 goto failed;
2681 }
2682
2683 keylen = WPA_GET_BE16(key->key_length);
2684 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
2685 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2686 "WPA: Invalid %s key length %d (src=" MACSTR ")",
2687 wpa_cipher_txt(sm->pairwise_cipher), keylen,
2688 MAC2STR(sm->bssid));
2689 goto failed;
2690 }
2691
2692 if (wpa_supplicant_send_4_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
2693 key_info, &sm->ptk) < 0)
2694 goto failed;
2695
2696 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
2697 * for the next 4-Way Handshake. If msg 3 is received again, the old
2698 * SNonce will still be used to avoid changing PTK. */
2699 sm->renew_snonce = 1;
2700
2701 if ((key_info & WPA_KEY_INFO_INSTALL) &&
2702 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX_TX))
2703 goto failed;
2704
2705 if (key_info & WPA_KEY_INFO_SECURE) {
2706 wpa_sm_mlme_setprotection(
2707 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2708 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
2709 eapol_sm_notify_portValid(sm->eapol, true);
2710 }
2711 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2712
2713 sm->msg_3_of_4_ok = 1;
2714 return;
2715
2716 failed:
2717 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2718 }
2719
2720
wpa_supplicant_process_3_of_4(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)2721 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
2722 const struct wpa_eapol_key *key,
2723 u16 ver, const u8 *key_data,
2724 size_t key_data_len)
2725 {
2726 u16 key_info, keylen;
2727 struct wpa_eapol_ie_parse ie;
2728 bool mlo = sm->mlo.valid_links;
2729 int i;
2730
2731 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
2732 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO,
2733 "RSN: RX message 3 of 4-Way Handshake from " MACSTR
2734 " (ver=%d)%s", MAC2STR(sm->bssid), ver, mlo ? " (MLO)" : "");
2735
2736 key_info = WPA_GET_BE16(key->key_info);
2737
2738 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
2739 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
2740 goto failed;
2741
2742 if (sm->ssid_protection) {
2743 if (!ie.ssid) {
2744 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2745 "RSN: No SSID included in EAPOL-Key msg 3/4");
2746 goto failed;
2747 }
2748
2749 if (ie.ssid_len != sm->ssid_len ||
2750 os_memcmp(ie.ssid, sm->ssid, sm->ssid_len) != 0) {
2751 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2752 "RSN: SSID mismatch in EAPOL-Key msg 3/4");
2753 wpa_hexdump_ascii(MSG_DEBUG, "RSN: Received SSID",
2754 ie.ssid, ie.ssid_len);
2755 wpa_hexdump_ascii(MSG_DEBUG, "RSN: Expected SSID",
2756 sm->ssid, sm->ssid_len);
2757 goto failed;
2758 }
2759
2760 wpa_sm_ssid_verified(sm);
2761 }
2762
2763 if (mlo && !ie.valid_mlo_gtks) {
2764 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2765 "MLO RSN: No GTK KDE included in EAPOL-Key msg 3/4");
2766 goto failed;
2767 }
2768 if (mlo &&
2769 (key_info &
2770 (WPA_KEY_INFO_ENCR_KEY_DATA | WPA_KEY_INFO_INSTALL |
2771 WPA_KEY_INFO_SECURE)) !=
2772 (WPA_KEY_INFO_ENCR_KEY_DATA | WPA_KEY_INFO_INSTALL |
2773 WPA_KEY_INFO_SECURE)) {
2774 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2775 "RSN MLO: Invalid key info (0x%x) in EAPOL-Key msg 3/4",
2776 key_info);
2777 goto failed;
2778 }
2779
2780 if (mlo && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) {
2781 wpa_printf(MSG_DEBUG, "RSN: Invalid AP MLD MAC address KDE");
2782 goto failed;
2783 }
2784
2785 for (i = 0; mlo && i < MAX_NUM_MLD_LINKS; i++) {
2786 if (!(sm->mlo.req_links & BIT(i)))
2787 continue;
2788
2789 if (wpa_supplicant_validate_link_kde(
2790 sm, i, ie.mlo_link[i], ie.mlo_link_len[i],
2791 ie.rsn_override_link[i],
2792 ie.rsn_override_link_len[i]) < 0)
2793 goto failed;
2794
2795 if (!(sm->mlo.valid_links & BIT(i)))
2796 continue;
2797
2798 if (!ie.mlo_gtk[i]) {
2799 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2800 "RSN: GTK not found for link ID %u", i);
2801 goto failed;
2802 }
2803
2804 if (sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
2805 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
2806 wpa_validate_mlo_ieee80211w_kdes(sm, i, &ie) < 0)
2807 goto failed;
2808 }
2809
2810 #ifdef CONFIG_IEEE80211R
2811 if (mlo && wpa_key_mgmt_ft(sm->key_mgmt) &&
2812 wpa_supplicant_validate_ie_ft(sm, sm->bssid, &ie) < 0)
2813 goto failed;
2814 #endif /* CONFIG_IEEE80211R */
2815
2816 if (!mlo && ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2817 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2818 "WPA: GTK IE in unencrypted key data");
2819 goto failed;
2820 }
2821 if (!mlo && ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2822 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2823 "WPA: IGTK KDE in unencrypted key data");
2824 goto failed;
2825 }
2826
2827 if (!mlo && ie.igtk &&
2828 sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
2829 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
2830 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
2831 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2832 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2833 "WPA: Invalid IGTK KDE length %lu",
2834 (unsigned long) ie.igtk_len);
2835 goto failed;
2836 }
2837
2838 if (!mlo && wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
2839 goto failed;
2840
2841 if (wpa_handle_ext_key_id(sm, &ie))
2842 goto failed;
2843
2844 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2845 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2846 "WPA: ANonce from message 1 of 4-Way Handshake "
2847 "differs from 3 of 4-Way Handshake - drop packet (src="
2848 MACSTR ")", MAC2STR(sm->bssid));
2849 goto failed;
2850 }
2851
2852 keylen = WPA_GET_BE16(key->key_length);
2853 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
2854 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2855 "WPA: Invalid %s key length %d (src=" MACSTR
2856 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
2857 MAC2STR(sm->bssid));
2858 goto failed;
2859 }
2860
2861 #ifdef CONFIG_P2P
2862 if (ie.ip_addr_alloc) {
2863 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
2864 wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
2865 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
2866 }
2867 #endif /* CONFIG_P2P */
2868
2869 #ifdef CONFIG_OCV
2870 if (wpa_sm_ocv_enabled(sm)) {
2871 struct wpa_channel_info ci;
2872
2873 if (wpa_sm_channel_info(sm, &ci) != 0) {
2874 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2875 "Failed to get channel info to validate received OCI in EAPOL-Key 3/4");
2876 return;
2877 }
2878
2879 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
2880 channel_width_to_int(ci.chanwidth),
2881 ci.seg1_idx) != OCI_SUCCESS) {
2882 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
2883 "addr=" MACSTR " frame=eapol-key-m3 error=%s",
2884 MAC2STR(sm->bssid), ocv_errorstr);
2885 return;
2886 }
2887 }
2888 #endif /* CONFIG_OCV */
2889
2890 #ifdef CONFIG_DPP2
2891 if (DPP_VERSION > 1 && ie.dpp_kde) {
2892 wpa_printf(MSG_DEBUG,
2893 "DPP: peer Protocol Version %u Flags 0x%x",
2894 ie.dpp_kde[0], ie.dpp_kde[1]);
2895 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_pfs != 2 &&
2896 (ie.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && !sm->dpp_z) {
2897 wpa_printf(MSG_INFO,
2898 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
2899 goto failed;
2900 }
2901 }
2902 #endif /* CONFIG_DPP2 */
2903
2904 if (sm->use_ext_key_id &&
2905 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX))
2906 goto failed;
2907
2908 if (!sm->use_ext_key_id &&
2909 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX | KEY_FLAG_NEXT)) {
2910 /* Continue anyway since the many drivers do not support
2911 * configuration of the TK for RX-only purposes for cases where
2912 * multiple keys might be in use in parallel and this being an
2913 * optional optimization to avoid race condition during TK
2914 * changes that could result in some protected frames getting
2915 * discarded. */
2916 }
2917
2918 if (wpa_supplicant_send_4_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
2919 key_info, &sm->ptk) < 0)
2920 goto failed;
2921
2922 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
2923 * for the next 4-Way Handshake. If msg 3 is received again, the old
2924 * SNonce will still be used to avoid changing PTK. */
2925 sm->renew_snonce = 1;
2926
2927 if (key_info & WPA_KEY_INFO_INSTALL) {
2928 int res;
2929
2930 if (sm->use_ext_key_id)
2931 res = wpa_supplicant_activate_ptk(sm);
2932 else
2933 res = wpa_supplicant_install_ptk(sm, key,
2934 KEY_FLAG_RX_TX);
2935 if (res)
2936 goto failed;
2937 }
2938
2939 if (key_info & WPA_KEY_INFO_SECURE) {
2940 wpa_sm_mlme_setprotection(
2941 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2942 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
2943 eapol_sm_notify_portValid(sm->eapol, true);
2944 }
2945 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2946
2947 if (mlo) {
2948 if (wpa_supplicant_pairwise_mlo_gtk(sm, key, &ie,
2949 key_info) < 0) {
2950 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2951 "MLO RSN: Failed to configure MLO GTKs");
2952 goto failed;
2953 }
2954 } else if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
2955 /* No GTK to be set to the driver */
2956 } else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) {
2957 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2958 "RSN: No GTK KDE included in EAPOL-Key msg 3/4");
2959 goto failed;
2960 } else if (ie.gtk &&
2961 wpa_supplicant_pairwise_gtk(sm, key,
2962 ie.gtk, ie.gtk_len, key_info) < 0) {
2963 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2964 "RSN: Failed to configure GTK");
2965 goto failed;
2966 }
2967
2968 if ((mlo && mlo_ieee80211w_set_keys(sm, &ie) < 0) ||
2969 (!mlo && ieee80211w_set_keys(sm, &ie) < 0)) {
2970 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2971 "RSN: Failed to configure IGTK");
2972 goto failed;
2973 }
2974
2975 if (mlo || sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk)
2976 wpa_supplicant_key_neg_complete(sm, sm->bssid,
2977 key_info & WPA_KEY_INFO_SECURE);
2978
2979 if (mlo || ie.gtk)
2980 wpa_sm_set_rekey_offload(sm);
2981
2982 /* Add PMKSA cache entry for Suite B AKMs here since PMKID can be
2983 * calculated only after KCK has been derived. Though, do not replace an
2984 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
2985 * to avoid unnecessary changes of PMKID while continuing to use the
2986 * same PMK. */
2987 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
2988 !sm->cur_pmksa) {
2989 struct rsn_pmksa_cache_entry *sa;
2990
2991 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
2992 sm->ptk.kck, sm->ptk.kck_len,
2993 wpa_sm_get_auth_addr(sm), sm->own_addr,
2994 sm->network_ctx, sm->key_mgmt, NULL);
2995 if (!sm->cur_pmksa)
2996 sm->cur_pmksa = sa;
2997 }
2998
2999 if (ie.transition_disable)
3000 wpa_sm_transition_disable(sm, ie.transition_disable[0]);
3001 sm->msg_3_of_4_ok = 1;
3002 return;
3003
3004 failed:
3005 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3006 }
3007
3008
wpa_supplicant_send_2_of_2(struct wpa_sm * sm,const struct wpa_eapol_key * key,int ver,u16 key_info)3009 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
3010 const struct wpa_eapol_key *key,
3011 int ver, u16 key_info)
3012 {
3013 size_t mic_len, hdrlen, rlen;
3014 struct wpa_eapol_key *reply;
3015 u8 *rbuf, *key_mic;
3016 size_t kde_len = 0;
3017
3018 #ifdef CONFIG_TESTING_OPTIONS
3019 if (sm->disable_eapol_g2_tx) {
3020 wpa_printf(MSG_INFO, "TEST: Disable sending EAPOL-Key 2/2");
3021 return 0;
3022 }
3023 #endif /* CONFIG_TESTING_OPTIONS */
3024
3025 #ifdef CONFIG_OCV
3026 if (wpa_sm_ocv_enabled(sm))
3027 kde_len = OCV_OCI_KDE_LEN;
3028 #endif /* CONFIG_OCV */
3029
3030 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
3031 hdrlen = sizeof(*reply) + mic_len + 2;
3032 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
3033 hdrlen + kde_len, &rlen, (void *) &reply);
3034 if (rbuf == NULL)
3035 return -1;
3036
3037 reply->type = (sm->proto == WPA_PROTO_RSN) ?
3038 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
3039 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
3040 key_info |= ver | WPA_KEY_INFO_SECURE;
3041 if (mic_len)
3042 key_info |= WPA_KEY_INFO_MIC;
3043 else
3044 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
3045 WPA_PUT_BE16(reply->key_info, key_info);
3046 if (sm->proto == WPA_PROTO_RSN)
3047 WPA_PUT_BE16(reply->key_length, 0);
3048 else
3049 os_memcpy(reply->key_length, key->key_length, 2);
3050 os_memcpy(reply->replay_counter, key->replay_counter,
3051 WPA_REPLAY_COUNTER_LEN);
3052
3053 key_mic = (u8 *) (reply + 1);
3054 WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */
3055
3056 #ifdef CONFIG_OCV
3057 if (wpa_sm_ocv_enabled(sm)) {
3058 struct wpa_channel_info ci;
3059 u8 *pos;
3060
3061 if (wpa_sm_channel_info(sm, &ci) != 0) {
3062 wpa_printf(MSG_WARNING,
3063 "Failed to get channel info for OCI element in EAPOL-Key 2/2");
3064 os_free(rbuf);
3065 return -1;
3066 }
3067 #ifdef CONFIG_TESTING_OPTIONS
3068 if (sm->oci_freq_override_eapol_g2) {
3069 wpa_printf(MSG_INFO,
3070 "TEST: Override OCI KDE frequency %d -> %d MHz",
3071 ci.frequency,
3072 sm->oci_freq_override_eapol_g2);
3073 ci.frequency = sm->oci_freq_override_eapol_g2;
3074 }
3075 #endif /* CONFIG_TESTING_OPTIONS */
3076
3077 pos = key_mic + mic_len + 2; /* Key Data */
3078 if (ocv_insert_oci_kde(&ci, &pos) < 0) {
3079 os_free(rbuf);
3080 return -1;
3081 }
3082 }
3083 #endif /* CONFIG_OCV */
3084
3085 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
3086 return wpa_eapol_key_send(sm, &sm->ptk, ver, wpa_sm_get_auth_addr(sm),
3087 ETH_P_EAPOL, rbuf, rlen, key_mic);
3088 }
3089
3090
wpa_supplicant_process_mlo_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)3091 static void wpa_supplicant_process_mlo_1_of_2(struct wpa_sm *sm,
3092 const unsigned char *src_addr,
3093 const struct wpa_eapol_key *key,
3094 const u8 *key_data,
3095 size_t key_data_len, u16 ver)
3096 {
3097 u16 key_info;
3098 u8 i;
3099 struct wpa_eapol_ie_parse ie;
3100
3101 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
3102 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3103 "MLO RSN: Group Key Handshake started prior to completion of 4-way handshake");
3104 goto failed;
3105 }
3106
3107 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "MLO RSN: RX message 1 of Group "
3108 "Key Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr),
3109 ver);
3110
3111 key_info = WPA_GET_BE16(key->key_info);
3112
3113 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3114
3115 wpa_hexdump_key(MSG_DEBUG, "MLO RSN: msg 1/2 key data", key_data,
3116 key_data_len);
3117 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
3118 goto failed;
3119
3120 if (!ie.valid_mlo_gtks) {
3121 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3122 "MLO RSN: No MLO GTK KDE in Group Key msg 1/2");
3123 goto failed;
3124 }
3125
3126 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3127 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3128 "MLO RSN: MLO GTK KDE in unencrypted key data");
3129 goto failed;
3130 }
3131
3132 #ifdef CONFIG_OCV
3133 if (wpa_sm_ocv_enabled(sm)) {
3134 struct wpa_channel_info ci;
3135
3136 if (wpa_sm_channel_info(sm, &ci) != 0) {
3137 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3138 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
3139 goto failed;
3140 }
3141
3142 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
3143 channel_width_to_int(ci.chanwidth),
3144 ci.seg1_idx) != OCI_SUCCESS) {
3145 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
3146 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
3147 MAC2STR(sm->bssid), ocv_errorstr);
3148 goto failed;
3149 }
3150 }
3151 #endif /* CONFIG_OCV */
3152
3153 if (mlo_ieee80211w_set_keys(sm, &ie) < 0)
3154 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3155 "MLO RSN: Failed to configure MLO IGTK");
3156
3157 for_each_link(sm->mlo.valid_links, i) {
3158 /*
3159 * AP may send group keys for subset of the all links during
3160 * rekey
3161 */
3162 if (!ie.mlo_gtk[i])
3163 continue;
3164
3165 if (wpa_supplicant_mlo_gtk(sm, i, ie.mlo_gtk[i],
3166 ie.mlo_gtk_len[i], key_info))
3167 goto failed;
3168 }
3169
3170 if (wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
3171 goto failed;
3172
3173 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "MLO RSN: Group rekeying completed "
3174 "with " MACSTR " [GTK=%s]", MAC2STR(sm->mlo.ap_mld_addr),
3175 wpa_cipher_txt(sm->group_cipher));
3176 wpa_sm_cancel_auth_timeout(sm);
3177 wpa_sm_set_state(sm, WPA_COMPLETED);
3178
3179 wpa_sm_set_rekey_offload(sm);
3180
3181 return;
3182
3183 failed:
3184 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3185 }
3186
3187
wpa_supplicant_process_1_of_2_wpa(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)3188 static void wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
3189 const unsigned char *src_addr,
3190 const struct wpa_eapol_key *key,
3191 const u8 *key_data,
3192 size_t key_data_len, u16 ver)
3193 {
3194 u16 key_info;
3195 int rekey;
3196 struct wpa_gtk_data gd;
3197 const u8 *key_rsc;
3198 size_t maxkeylen;
3199 u16 gtk_len;
3200
3201 if (!sm->msg_3_of_4_ok) {
3202 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3203 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
3204 goto failed;
3205 }
3206
3207 os_memset(&gd, 0, sizeof(gd));
3208
3209 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
3210 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3211 "WPA: RX message 1 of Group Key Handshake from " MACSTR
3212 " (ver=%d)", MAC2STR(src_addr), ver);
3213
3214 key_info = WPA_GET_BE16(key->key_info);
3215
3216 gtk_len = WPA_GET_BE16(key->key_length);
3217 maxkeylen = key_data_len;
3218 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3219 if (maxkeylen < 8) {
3220 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3221 "WPA: Too short maxkeylen (%lu)",
3222 (unsigned long) maxkeylen);
3223 goto failed;
3224 }
3225 maxkeylen -= 8;
3226 }
3227
3228 if (gtk_len > maxkeylen ||
3229 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3230 gtk_len, maxkeylen,
3231 &gd.key_rsc_len, &gd.alg))
3232 goto failed;
3233
3234 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3235
3236 gd.gtk_len = gtk_len;
3237 gd.keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
3238 WPA_KEY_INFO_KEY_INDEX_SHIFT;
3239 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
3240 #if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS)
3241 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3242 "WPA: RC4 not supported in the build");
3243 goto failed;
3244 #else /* CONFIG_NO_RC4 || CONFIG_FIPS */
3245 u8 ek[32];
3246 if (key_data_len > sizeof(gd.gtk)) {
3247 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3248 "WPA: RC4 key data too long (%lu)",
3249 (unsigned long) key_data_len);
3250 goto failed;
3251 }
3252 os_memcpy(ek, key->key_iv, 16);
3253 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
3254 os_memcpy(gd.gtk, key_data, key_data_len);
3255 if (rc4_skip(ek, 32, 256, gd.gtk, key_data_len)) {
3256 forced_memzero(ek, sizeof(ek));
3257 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
3258 "WPA: RC4 failed");
3259 goto failed;
3260 }
3261 forced_memzero(ek, sizeof(ek));
3262 #endif /* CONFIG_NO_RC4 || CONFIG_FIPS */
3263 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3264 if (maxkeylen % 8) {
3265 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3266 "WPA: Unsupported AES-WRAP len %lu",
3267 (unsigned long) maxkeylen);
3268 goto failed;
3269 }
3270 if (maxkeylen > sizeof(gd.gtk)) {
3271 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3272 "WPA: AES-WRAP key data "
3273 "too long (keydatalen=%lu maxkeylen=%lu)",
3274 (unsigned long) key_data_len,
3275 (unsigned long) maxkeylen);
3276 goto failed;
3277 }
3278 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
3279 key_data, gd.gtk)) {
3280 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3281 "WPA: AES unwrap failed - could not decrypt "
3282 "GTK");
3283 goto failed;
3284 }
3285 } else {
3286 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3287 "WPA: Unsupported key_info type %d", ver);
3288 goto failed;
3289 }
3290 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
3291 sm, !!(key_info & WPA_KEY_INFO_TXRX));
3292
3293 key_rsc = key->key_rsc;
3294 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
3295 key_rsc = null_rsc;
3296
3297 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
3298 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
3299 goto failed;
3300 forced_memzero(&gd, sizeof(gd));
3301
3302 if (rekey) {
3303 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3304 "WPA: Group rekeying completed with " MACSTR
3305 " [GTK=%s]",
3306 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
3307 wpa_sm_cancel_auth_timeout(sm);
3308 wpa_sm_set_state(sm, WPA_COMPLETED);
3309 } else {
3310 wpa_supplicant_key_neg_complete(sm, sm->bssid,
3311 key_info & WPA_KEY_INFO_SECURE);
3312 }
3313
3314 wpa_sm_set_rekey_offload(sm);
3315
3316 return;
3317
3318 failed:
3319 forced_memzero(&gd, sizeof(gd));
3320 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3321 }
3322
3323
wpa_supplicant_process_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)3324 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
3325 const unsigned char *src_addr,
3326 const struct wpa_eapol_key *key,
3327 const u8 *key_data,
3328 size_t key_data_len, u16 ver)
3329 {
3330 u16 key_info;
3331 struct wpa_gtk_data gd;
3332 const u8 *key_rsc;
3333 int maxkeylen;
3334 struct wpa_eapol_ie_parse ie;
3335 u16 gtk_len;
3336
3337 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
3338 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3339 "RSN: Group Key Handshake started prior to completion of 4-way handshake");
3340 goto failed;
3341 }
3342
3343 os_memset(&gd, 0, sizeof(gd));
3344
3345 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3346 "RSN: RX message 1 of Group Key Handshake from " MACSTR
3347 " (ver=%d)", MAC2STR(src_addr), ver);
3348
3349 key_info = WPA_GET_BE16(key->key_info);
3350
3351 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
3352 key_data, key_data_len);
3353 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
3354 goto failed;
3355
3356 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3357
3358 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3359 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3360 "RSN: GTK KDE in unencrypted key data");
3361 goto failed;
3362 }
3363 if (!ie.gtk) {
3364 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3365 "RSN: No GTK KDE in Group Key msg 1/2");
3366 goto failed;
3367 }
3368 gtk_len = ie.gtk_len;
3369 if (gtk_len < 2) {
3370 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3371 "RSN: Invalid GTK KDE length (%u) in Group Key msg 1/2",
3372 gtk_len);
3373 goto failed;
3374 }
3375 gtk_len -= 2;
3376 if (gtk_len > sizeof(gd.gtk)) {
3377 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3378 "RSN: Too long GTK in GTK KDE (len=%u)", gtk_len);
3379 goto failed;
3380 }
3381 maxkeylen = gd.gtk_len = gtk_len;
3382
3383 #ifdef CONFIG_OCV
3384 if (wpa_sm_ocv_enabled(sm)) {
3385 struct wpa_channel_info ci;
3386
3387 if (wpa_sm_channel_info(sm, &ci) != 0) {
3388 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3389 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
3390 goto failed;
3391 }
3392
3393 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
3394 channel_width_to_int(ci.chanwidth),
3395 ci.seg1_idx) != OCI_SUCCESS) {
3396 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
3397 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
3398 MAC2STR(sm->bssid), ocv_errorstr);
3399 goto failed;
3400 }
3401 }
3402 #endif /* CONFIG_OCV */
3403
3404 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3405 gtk_len, maxkeylen,
3406 &gd.key_rsc_len, &gd.alg))
3407 goto failed;
3408
3409 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
3410 ie.gtk, 2 + gtk_len);
3411 gd.keyidx = ie.gtk[0] & 0x3;
3412 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
3413 !!(ie.gtk[0] & BIT(2)));
3414 os_memcpy(gd.gtk, ie.gtk + 2, gtk_len);
3415
3416 if (ieee80211w_set_keys(sm, &ie) < 0)
3417 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3418 "RSN: Failed to configure IGTK");
3419
3420 key_rsc = key->key_rsc;
3421 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
3422 key_rsc = null_rsc;
3423
3424 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
3425 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
3426 goto failed;
3427 forced_memzero(&gd, sizeof(gd));
3428
3429 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3430 "RSN: Group rekeying completed with " MACSTR " [GTK=%s]",
3431 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
3432 wpa_sm_cancel_auth_timeout(sm);
3433 wpa_sm_set_state(sm, WPA_COMPLETED);
3434
3435 wpa_sm_set_rekey_offload(sm);
3436
3437 return;
3438
3439 failed:
3440 forced_memzero(&gd, sizeof(gd));
3441 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3442 }
3443
3444
wpa_sm_tptk_to_ptk(struct wpa_sm * sm)3445 static void wpa_sm_tptk_to_ptk(struct wpa_sm *sm)
3446 {
3447 sm->tptk_set = 0;
3448 sm->ptk_set = 1;
3449 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
3450 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3451
3452 if (wpa_sm_pmf_enabled(sm)) {
3453 os_memcpy(sm->last_kck, sm->ptk.kck, sm->ptk.kck_len);
3454 sm->last_kck_len = sm->ptk.kck_len;
3455 sm->last_kck_pmk_len = sm->pmk_len;
3456 sm->last_kck_key_mgmt = sm->key_mgmt;
3457 sm->last_kck_eapol_key_ver = sm->last_eapol_key_ver;
3458 os_memcpy(sm->last_kck_aa, wpa_sm_get_auth_addr(sm), ETH_ALEN);
3459 } else {
3460 os_memset(sm->last_kck, 0, sizeof(sm->last_kck));
3461 sm->last_kck_len = 0;
3462 os_memset(sm->last_kck_aa, 0, ETH_ALEN);
3463 }
3464 }
3465
3466
wpa_supplicant_verify_eapol_key_mic(struct wpa_sm * sm,struct wpa_eapol_key * key,u16 ver,const u8 * buf,size_t len)3467 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
3468 struct wpa_eapol_key *key,
3469 u16 ver,
3470 const u8 *buf, size_t len)
3471 {
3472 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
3473 int ok = 0;
3474 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
3475
3476 os_memcpy(mic, key + 1, mic_len);
3477 if (sm->tptk_set) {
3478 os_memset(key + 1, 0, mic_len);
3479 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
3480 sm->key_mgmt,
3481 ver, buf, len, (u8 *) (key + 1)) < 0 ||
3482 os_memcmp_const(mic, key + 1, mic_len) != 0) {
3483 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3484 "WPA: Invalid EAPOL-Key MIC "
3485 "when using TPTK - ignoring TPTK");
3486 #ifdef TEST_FUZZ
3487 wpa_printf(MSG_INFO,
3488 "TEST: Ignore Key MIC failure for fuzz testing");
3489 goto continue_fuzz;
3490 #endif /* TEST_FUZZ */
3491 } else {
3492 #ifdef TEST_FUZZ
3493 continue_fuzz:
3494 #endif /* TEST_FUZZ */
3495 ok = 1;
3496 wpa_sm_tptk_to_ptk(sm);
3497 /*
3498 * This assures the same TPTK in sm->tptk can never be
3499 * copied twice to sm->ptk as the new PTK. In
3500 * combination with the installed flag in the wpa_ptk
3501 * struct, this assures the same PTK is only installed
3502 * once.
3503 */
3504 sm->renew_snonce = 1;
3505 }
3506 }
3507
3508 if (!ok && sm->ptk_set) {
3509 os_memset(key + 1, 0, mic_len);
3510 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
3511 sm->key_mgmt,
3512 ver, buf, len, (u8 *) (key + 1)) < 0 ||
3513 os_memcmp_const(mic, key + 1, mic_len) != 0) {
3514 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3515 "WPA: Invalid EAPOL-Key MIC - "
3516 "dropping packet");
3517 #ifdef TEST_FUZZ
3518 wpa_printf(MSG_INFO,
3519 "TEST: Ignore Key MIC failure for fuzz testing");
3520 goto continue_fuzz2;
3521 #endif /* TEST_FUZZ */
3522 return -1;
3523 }
3524 #ifdef TEST_FUZZ
3525 continue_fuzz2:
3526 #endif /* TEST_FUZZ */
3527 ok = 1;
3528 }
3529
3530 if (!ok) {
3531 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3532 "WPA: Could not verify EAPOL-Key MIC - "
3533 "dropping packet");
3534 return -1;
3535 }
3536
3537 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3538 WPA_REPLAY_COUNTER_LEN);
3539 sm->rx_replay_counter_set = 1;
3540 return 0;
3541 }
3542
3543
3544 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
wpa_supplicant_decrypt_key_data(struct wpa_sm * sm,struct wpa_eapol_key * key,size_t mic_len,u16 ver,u8 * key_data,size_t * key_data_len)3545 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
3546 struct wpa_eapol_key *key,
3547 size_t mic_len, u16 ver,
3548 u8 *key_data, size_t *key_data_len)
3549 {
3550 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
3551 key_data, *key_data_len);
3552 if (!sm->ptk_set) {
3553 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3554 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
3555 "Data");
3556 return -1;
3557 }
3558
3559 /* Decrypt key data here so that this operation does not need
3560 * to be implemented separately for each message type. */
3561 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
3562 #if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS)
3563 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3564 "WPA: RC4 not supported in the build");
3565 return -1;
3566 #else /* CONFIG_NO_RC4 || CONFIG_FIPS */
3567 u8 ek[32];
3568
3569 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
3570 os_memcpy(ek, key->key_iv, 16);
3571 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
3572 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
3573 forced_memzero(ek, sizeof(ek));
3574 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
3575 "WPA: RC4 failed");
3576 return -1;
3577 }
3578 forced_memzero(ek, sizeof(ek));
3579 #endif /* CONFIG_NO_RC4 || CONFIG_FIPS */
3580 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
3581 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
3582 wpa_use_aes_key_wrap(sm->key_mgmt)) {
3583 u8 *buf;
3584
3585 wpa_printf(MSG_DEBUG,
3586 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
3587 (unsigned int) sm->ptk.kek_len);
3588 if (*key_data_len < 8 || *key_data_len % 8) {
3589 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3590 "WPA: Unsupported AES-WRAP len %u",
3591 (unsigned int) *key_data_len);
3592 return -1;
3593 }
3594 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
3595 buf = os_malloc(*key_data_len);
3596 if (buf == NULL) {
3597 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3598 "WPA: No memory for AES-UNWRAP buffer");
3599 return -1;
3600 }
3601 #ifdef TEST_FUZZ
3602 os_memset(buf, 0x11, *key_data_len);
3603 #endif /* TEST_FUZZ */
3604 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
3605 key_data, buf)) {
3606 #ifdef TEST_FUZZ
3607 wpa_printf(MSG_INFO,
3608 "TEST: Ignore AES unwrap failure for fuzz testing");
3609 goto continue_fuzz;
3610 #endif /* TEST_FUZZ */
3611 bin_clear_free(buf, *key_data_len);
3612 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3613 "WPA: AES unwrap failed - "
3614 "could not decrypt EAPOL-Key key data");
3615 return -1;
3616 }
3617 #ifdef TEST_FUZZ
3618 continue_fuzz:
3619 #endif /* TEST_FUZZ */
3620 os_memcpy(key_data, buf, *key_data_len);
3621 bin_clear_free(buf, *key_data_len);
3622 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
3623 } else {
3624 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3625 "WPA: Unsupported key_info type %d", ver);
3626 return -1;
3627 }
3628 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
3629 key_data, *key_data_len);
3630 return 0;
3631 }
3632
3633
3634 /**
3635 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
3636 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3637 */
wpa_sm_aborted_cached(struct wpa_sm * sm)3638 void wpa_sm_aborted_cached(struct wpa_sm *sm)
3639 {
3640 if (sm && sm->cur_pmksa) {
3641 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3642 "RSN: Cancelling PMKSA caching attempt");
3643 sm->cur_pmksa = NULL;
3644 }
3645 }
3646
3647
wpa_sm_aborted_external_cached(struct wpa_sm * sm)3648 void wpa_sm_aborted_external_cached(struct wpa_sm *sm)
3649 {
3650 if (sm && sm->cur_pmksa && sm->cur_pmksa->external) {
3651 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3652 "RSN: Cancelling external PMKSA caching attempt");
3653 sm->cur_pmksa = NULL;
3654 }
3655 }
3656
3657
wpa_eapol_key_dump(struct wpa_sm * sm,const struct wpa_eapol_key * key,unsigned int key_data_len,const u8 * mic,unsigned int mic_len)3658 static void wpa_eapol_key_dump(struct wpa_sm *sm,
3659 const struct wpa_eapol_key *key,
3660 unsigned int key_data_len,
3661 const u8 *mic, unsigned int mic_len)
3662 {
3663 #ifndef CONFIG_NO_STDOUT_DEBUG
3664 u16 key_info = WPA_GET_BE16(key->key_info);
3665
3666 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
3667 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3668 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
3669 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
3670 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
3671 WPA_KEY_INFO_KEY_INDEX_SHIFT,
3672 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
3673 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
3674 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
3675 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
3676 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
3677 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
3678 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
3679 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
3680 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
3681 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3682 " key_length=%u key_data_length=%u",
3683 WPA_GET_BE16(key->key_length), key_data_len);
3684 wpa_hexdump(MSG_DEBUG, " replay_counter",
3685 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
3686 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
3687 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
3688 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
3689 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
3690 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
3691 #endif /* CONFIG_NO_STDOUT_DEBUG */
3692 }
3693
3694
3695 #ifdef CONFIG_FILS
wpa_supp_aead_decrypt(struct wpa_sm * sm,u8 * buf,size_t buf_len,size_t * key_data_len)3696 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
3697 size_t *key_data_len)
3698 {
3699 struct wpa_ptk *ptk;
3700 struct ieee802_1x_hdr *hdr;
3701 struct wpa_eapol_key *key;
3702 u8 *pos, *tmp;
3703 const u8 *aad[1];
3704 size_t aad_len[1];
3705
3706 if (*key_data_len < AES_BLOCK_SIZE) {
3707 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
3708 return -1;
3709 }
3710
3711 if (sm->tptk_set)
3712 ptk = &sm->tptk;
3713 else if (sm->ptk_set)
3714 ptk = &sm->ptk;
3715 else
3716 return -1;
3717
3718 hdr = (struct ieee802_1x_hdr *) buf;
3719 key = (struct wpa_eapol_key *) (hdr + 1);
3720 pos = (u8 *) (key + 1);
3721 pos += 2; /* Pointing at the Encrypted Key Data field */
3722
3723 tmp = os_malloc(*key_data_len);
3724 if (!tmp)
3725 return -1;
3726
3727 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
3728 * to Key Data (exclusive). */
3729 aad[0] = buf;
3730 aad_len[0] = pos - buf;
3731 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
3732 1, aad, aad_len, tmp) < 0) {
3733 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
3734 bin_clear_free(tmp, *key_data_len);
3735 return -1;
3736 }
3737
3738 /* AEAD decryption and validation completed successfully */
3739 (*key_data_len) -= AES_BLOCK_SIZE;
3740 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
3741 tmp, *key_data_len);
3742
3743 /* Replace Key Data field with the decrypted version */
3744 os_memcpy(pos, tmp, *key_data_len);
3745 pos -= 2; /* Key Data Length field */
3746 WPA_PUT_BE16(pos, *key_data_len);
3747 bin_clear_free(tmp, *key_data_len);
3748
3749 if (sm->tptk_set)
3750 wpa_sm_tptk_to_ptk(sm);
3751
3752 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3753 WPA_REPLAY_COUNTER_LEN);
3754 sm->rx_replay_counter_set = 1;
3755
3756 return 0;
3757 }
3758 #endif /* CONFIG_FILS */
3759
3760
wpa_sm_rx_eapol_wpa(struct wpa_sm * sm,const u8 * src_addr,struct wpa_eapol_key * key,enum frame_encryption encrypted,const u8 * tmp,size_t data_len,u8 * key_data,size_t key_data_len)3761 static int wpa_sm_rx_eapol_wpa(struct wpa_sm *sm, const u8 *src_addr,
3762 struct wpa_eapol_key *key,
3763 enum frame_encryption encrypted,
3764 const u8 *tmp, size_t data_len,
3765 u8 *key_data, size_t key_data_len)
3766 {
3767 u16 key_info, ver;
3768
3769 key_info = WPA_GET_BE16(key->key_info);
3770
3771 if (key->type != EAPOL_KEY_TYPE_WPA) {
3772 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3773 "WPA: Unsupported EAPOL-Key type %d", key->type);
3774 return -1;
3775 }
3776
3777 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3778 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3779 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3780 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3781 "WPA: Unsupported EAPOL-Key descriptor version %d",
3782 ver);
3783 return -1;
3784 }
3785
3786 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
3787 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3788 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3789 "WPA: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2",
3790 ver);
3791 if (sm->group_cipher != WPA_CIPHER_CCMP &&
3792 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
3793 /* Earlier versions of IEEE 802.11i did not explicitly
3794 * require version 2 descriptor for all EAPOL-Key
3795 * packets, so allow group keys to use version 1 if
3796 * CCMP is not used for them. */
3797 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3798 "WPA: Backwards compatibility: allow invalid version for non-CCMP group keys");
3799 } else
3800 return -1;
3801 }
3802
3803 if ((key_info & WPA_KEY_INFO_MIC) &&
3804 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
3805 return -1;
3806
3807 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
3808 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
3809 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3810 "WPA: Ignored EAPOL-Key (Pairwise) with non-zero key index");
3811 return -1;
3812 }
3813 if (key_info & (WPA_KEY_INFO_MIC |
3814 WPA_KEY_INFO_ENCR_KEY_DATA)) {
3815 /* 3/4 4-Way Handshake */
3816 wpa_supplicant_process_3_of_4_wpa(sm, key, ver,
3817 key_data,
3818 key_data_len);
3819 } else {
3820 /* 1/4 4-Way Handshake */
3821 wpa_supplicant_process_1_of_4_wpa(sm, src_addr, key,
3822 ver, key_data,
3823 key_data_len,
3824 encrypted);
3825 }
3826 } else {
3827 if (key_info & WPA_KEY_INFO_MIC) {
3828 /* 1/2 Group Key Handshake */
3829 wpa_supplicant_process_1_of_2_wpa(sm, src_addr, key,
3830 key_data,
3831 key_data_len,
3832 ver);
3833 } else {
3834 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3835 "WPA: EAPOL-Key (Group) without Mic/Encr bit - dropped");
3836 }
3837 }
3838
3839 return 1;
3840 }
3841
3842
3843 /**
3844 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
3845 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3846 * @src_addr: Source MAC address of the EAPOL packet
3847 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
3848 * @len: Length of the EAPOL frame
3849 * @encrypted: Whether the frame was encrypted
3850 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure,
3851 * -2 = reply counter did not increase.
3852 *
3853 * This function is called for each received EAPOL frame. Other than EAPOL-Key
3854 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
3855 * only processing WPA and WPA2 EAPOL-Key frames.
3856 *
3857 * The received EAPOL-Key packets are validated and valid packets are replied
3858 * to. In addition, key material (PTK, GTK) is configured at the end of a
3859 * successful key handshake.
3860 */
wpa_sm_rx_eapol(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len,enum frame_encryption encrypted)3861 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
3862 const u8 *buf, size_t len, enum frame_encryption encrypted)
3863 {
3864 size_t plen, data_len, key_data_len;
3865 const struct ieee802_1x_hdr *hdr;
3866 struct wpa_eapol_key *key;
3867 u16 key_info, ver;
3868 u8 *tmp = NULL;
3869 int ret = -1;
3870 u8 *mic, *key_data;
3871 size_t mic_len, keyhdrlen, pmk_len;
3872
3873 #ifdef CONFIG_IEEE80211R
3874 sm->ft_completed = 0;
3875 #endif /* CONFIG_IEEE80211R */
3876
3877 pmk_len = sm->pmk_len;
3878 if (!pmk_len && sm->cur_pmksa)
3879 pmk_len = sm->cur_pmksa->pmk_len;
3880 mic_len = wpa_mic_len(sm->key_mgmt, pmk_len);
3881 keyhdrlen = sizeof(*key) + mic_len + 2;
3882
3883 if (len < sizeof(*hdr) + keyhdrlen) {
3884 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3885 "WPA: EAPOL frame too short to be a WPA "
3886 "EAPOL-Key (len %lu, expecting at least %lu)",
3887 (unsigned long) len,
3888 (unsigned long) sizeof(*hdr) + keyhdrlen);
3889 return 0;
3890 }
3891
3892 hdr = (const struct ieee802_1x_hdr *) buf;
3893 plen = be_to_host16(hdr->length);
3894 data_len = plen + sizeof(*hdr);
3895 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3896 "IEEE 802.1X RX: version=%d type=%d length=%lu",
3897 hdr->version, hdr->type, (unsigned long) plen);
3898
3899 if (hdr->version < EAPOL_VERSION) {
3900 /* TODO: backwards compatibility */
3901 }
3902 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
3903 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3904 "WPA: EAPOL frame (type %u) discarded, "
3905 "not a Key frame", hdr->type);
3906 ret = 0;
3907 goto out;
3908 }
3909 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
3910 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
3911 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3912 "WPA: EAPOL frame payload size %lu "
3913 "invalid (frame size %lu)",
3914 (unsigned long) plen, (unsigned long) len);
3915 ret = 0;
3916 goto out;
3917 }
3918 if (data_len < len) {
3919 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3920 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
3921 (unsigned long) len - data_len);
3922 }
3923
3924 /*
3925 * Make a copy of the frame since we need to modify the buffer during
3926 * MAC validation and Key Data decryption.
3927 */
3928 tmp = os_memdup(buf, data_len);
3929 if (tmp == NULL)
3930 goto out;
3931 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
3932 mic = (u8 *) (key + 1);
3933 key_data = mic + mic_len + 2;
3934
3935 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
3936 {
3937 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3938 "WPA: EAPOL-Key type (%d) unknown, discarded",
3939 key->type);
3940 ret = 0;
3941 goto out;
3942 }
3943
3944 key_data_len = WPA_GET_BE16(mic + mic_len);
3945 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
3946
3947 if (key_data_len > plen - keyhdrlen) {
3948 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
3949 "frame - key_data overflow (%u > %u)",
3950 (unsigned int) key_data_len,
3951 (unsigned int) (plen - keyhdrlen));
3952 goto out;
3953 }
3954
3955 if (sm->rx_replay_counter_set &&
3956 os_memcmp(key->replay_counter, sm->rx_replay_counter,
3957 WPA_REPLAY_COUNTER_LEN) <= 0) {
3958 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3959 "WPA: EAPOL-Key Replay Counter did not increase - dropping packet");
3960 ret = -2;
3961 goto out;
3962 }
3963
3964 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
3965
3966 key_info = WPA_GET_BE16(key->key_info);
3967
3968 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
3969 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3970 "WPA: Unsupported SMK bit in key_info");
3971 goto out;
3972 }
3973
3974 if (!(key_info & WPA_KEY_INFO_ACK)) {
3975 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3976 "WPA: No Ack bit in key_info");
3977 goto out;
3978 }
3979
3980 if (key_info & WPA_KEY_INFO_REQUEST) {
3981 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3982 "WPA: EAPOL-Key with Request bit - dropped");
3983 goto out;
3984 }
3985
3986 if (sm->proto == WPA_PROTO_WPA) {
3987 ret = wpa_sm_rx_eapol_wpa(sm, src_addr, key, encrypted,
3988 tmp, data_len,
3989 key_data, key_data_len);
3990 goto out;
3991 }
3992
3993 if (key->type != EAPOL_KEY_TYPE_RSN) {
3994 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3995 "RSN: Unsupported EAPOL-Key type %d", key->type);
3996 goto out;
3997 }
3998
3999 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
4000 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
4001 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
4002 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
4003 !wpa_use_akm_defined(sm->key_mgmt)) {
4004 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4005 "RSN: Unsupported EAPOL-Key descriptor version %d",
4006 ver);
4007 goto out;
4008 }
4009
4010 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
4011 sm->pairwise_cipher != WPA_CIPHER_TKIP) {
4012 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4013 "RSN: EAPOL-Key descriptor version %d not allowed without TKIP as the pairwise cipher",
4014 ver);
4015 goto out;
4016 }
4017
4018 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
4019 (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X &&
4020 sm->key_mgmt != WPA_KEY_MGMT_PSK)) {
4021 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4022 "RSN: EAPOL-Key descriptor version %d not allowed due to negotiated AKM (0x%x)",
4023 ver, sm->key_mgmt);
4024 goto out;
4025 }
4026
4027 if (wpa_use_akm_defined(sm->key_mgmt) &&
4028 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
4029 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4030 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
4031 ver);
4032 goto out;
4033 }
4034
4035 #ifdef CONFIG_IEEE80211R
4036 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
4037 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
4038 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
4039 !wpa_use_akm_defined(sm->key_mgmt)) {
4040 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4041 "FT: AP did not use AES-128-CMAC");
4042 goto out;
4043 }
4044 } else
4045 #endif /* CONFIG_IEEE80211R */
4046 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
4047 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
4048 !wpa_use_akm_defined(sm->key_mgmt)) {
4049 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4050 "RSN: AP did not use the negotiated AES-128-CMAC");
4051 goto out;
4052 }
4053 } else if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
4054 !wpa_use_akm_defined(sm->key_mgmt) &&
4055 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
4056 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4057 "RSN: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2", ver);
4058 if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
4059 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4060 "RSN: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
4061 } else {
4062 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4063 "RSN: Unexpected descriptor version %u", ver);
4064 goto out;
4065 }
4066 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
4067 !wpa_use_akm_defined(sm->key_mgmt) &&
4068 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
4069 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4070 "RSN: GCMP is used, but EAPOL-Key descriptor version (%d) is not 2",
4071 ver);
4072 goto out;
4073 }
4074
4075 sm->last_eapol_key_ver = ver;
4076
4077 if ((key_info & WPA_KEY_INFO_MIC) &&
4078 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
4079 goto out;
4080
4081 #ifdef CONFIG_FILS
4082 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
4083 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
4084 goto out;
4085 }
4086 #endif /* CONFIG_FILS */
4087
4088 if (sm->proto == WPA_PROTO_RSN &&
4089 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
4090 /*
4091 * Only decrypt the Key Data field if the frame's authenticity
4092 * was verified. When using AES-SIV (FILS), the MIC flag is not
4093 * set, so this check should only be performed if mic_len != 0
4094 * which is the case in this code branch.
4095 */
4096 if (!(key_info & WPA_KEY_INFO_MIC)) {
4097 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4098 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
4099 goto out;
4100 }
4101 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
4102 ver, key_data,
4103 &key_data_len))
4104 goto out;
4105 }
4106
4107 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
4108 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
4109 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4110 "RSN: Ignored EAPOL-Key (Pairwise) with non-zero key index");
4111 goto out;
4112 }
4113 if (key_info & (WPA_KEY_INFO_MIC |
4114 WPA_KEY_INFO_ENCR_KEY_DATA)) {
4115 /* 3/4 4-Way Handshake */
4116 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
4117 key_data_len);
4118 } else {
4119 /* 1/4 4-Way Handshake */
4120 wpa_supplicant_process_1_of_4(sm, src_addr, key,
4121 ver, key_data,
4122 key_data_len,
4123 encrypted);
4124 }
4125 } else {
4126 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
4127 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
4128 /* 1/2 Group Key Handshake */
4129 if (sm->mlo.valid_links)
4130 wpa_supplicant_process_mlo_1_of_2(sm, src_addr,
4131 key, key_data,
4132 key_data_len,
4133 ver);
4134 else
4135 wpa_supplicant_process_1_of_2(sm, src_addr, key,
4136 key_data,
4137 key_data_len,
4138 ver);
4139 } else {
4140 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4141 "RSN: EAPOL-Key (Group) without Mic/Encr bit - dropped");
4142 }
4143 }
4144
4145 ret = 1;
4146
4147 out:
4148 bin_clear_free(tmp, data_len);
4149 return ret;
4150 }
4151
4152
4153 #ifdef CONFIG_CTRL_IFACE
wpa_key_mgmt_suite(struct wpa_sm * sm)4154 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
4155 {
4156 switch (sm->key_mgmt) {
4157 case WPA_KEY_MGMT_IEEE8021X:
4158 return ((sm->proto == WPA_PROTO_RSN) ?
4159 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
4160 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
4161 case WPA_KEY_MGMT_PSK:
4162 return (sm->proto == WPA_PROTO_RSN ?
4163 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
4164 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
4165 #ifdef CONFIG_IEEE80211R
4166 case WPA_KEY_MGMT_FT_IEEE8021X:
4167 return RSN_AUTH_KEY_MGMT_FT_802_1X;
4168 case WPA_KEY_MGMT_FT_PSK:
4169 return RSN_AUTH_KEY_MGMT_FT_PSK;
4170 #endif /* CONFIG_IEEE80211R */
4171 case WPA_KEY_MGMT_IEEE8021X_SHA256:
4172 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
4173 case WPA_KEY_MGMT_PSK_SHA256:
4174 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
4175 case WPA_KEY_MGMT_CCKM:
4176 return (sm->proto == WPA_PROTO_RSN ?
4177 RSN_AUTH_KEY_MGMT_CCKM:
4178 WPA_AUTH_KEY_MGMT_CCKM);
4179 case WPA_KEY_MGMT_WPA_NONE:
4180 return WPA_AUTH_KEY_MGMT_NONE;
4181 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
4182 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
4183 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
4184 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
4185 case WPA_KEY_MGMT_IEEE8021X_SHA384:
4186 return RSN_AUTH_KEY_MGMT_802_1X_SHA384;
4187 default:
4188 return 0;
4189 }
4190 }
4191
4192
4193 #define RSN_SUITE "%02x-%02x-%02x-%d"
4194 #define RSN_SUITE_ARG(s) \
4195 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
4196
4197 /**
4198 * wpa_sm_get_mib - Dump text list of MIB entries
4199 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4200 * @buf: Buffer for the list
4201 * @buflen: Length of the buffer
4202 * Returns: Number of bytes written to buffer
4203 *
4204 * This function is used fetch dot11 MIB variables.
4205 */
wpa_sm_get_mib(struct wpa_sm * sm,char * buf,size_t buflen)4206 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
4207 {
4208 char pmkid_txt[PMKID_LEN * 2 + 1];
4209 bool rsna;
4210 int ret;
4211 size_t len;
4212
4213 if (sm->cur_pmksa) {
4214 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
4215 sm->cur_pmksa->pmkid, PMKID_LEN);
4216 } else
4217 pmkid_txt[0] = '\0';
4218
4219 rsna = (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
4220 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
4221 sm->proto == WPA_PROTO_RSN;
4222
4223 ret = os_snprintf(buf, buflen,
4224 "dot11RSNAOptionImplemented=TRUE\n"
4225 "dot11RSNAPreauthenticationImplemented=TRUE\n"
4226 "dot11RSNAEnabled=%s\n"
4227 "dot11RSNAPreauthenticationEnabled=%s\n"
4228 "dot11RSNAConfigVersion=%d\n"
4229 "dot11RSNAConfigPairwiseKeysSupported=5\n"
4230 "dot11RSNAConfigGroupCipherSize=%d\n"
4231 "dot11RSNAConfigPMKLifetime=%d\n"
4232 "dot11RSNAConfigPMKReauthThreshold=%d\n"
4233 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
4234 "dot11RSNAConfigSATimeout=%d\n",
4235 rsna ? "TRUE" : "FALSE",
4236 rsna ? "TRUE" : "FALSE",
4237 RSN_VERSION,
4238 wpa_cipher_key_len(sm->group_cipher) * 8,
4239 sm->dot11RSNAConfigPMKLifetime,
4240 sm->dot11RSNAConfigPMKReauthThreshold,
4241 sm->dot11RSNAConfigSATimeout);
4242 if (os_snprintf_error(buflen, ret))
4243 return 0;
4244 len = ret;
4245
4246 ret = os_snprintf(
4247 buf + len, buflen - len,
4248 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
4249 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
4250 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
4251 "dot11RSNAPMKIDUsed=%s\n"
4252 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
4253 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
4254 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
4255 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
4256 "dot11RSNA4WayHandshakeFailures=%u\n",
4257 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
4258 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4259 sm->pairwise_cipher)),
4260 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4261 sm->group_cipher)),
4262 pmkid_txt,
4263 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
4264 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4265 sm->pairwise_cipher)),
4266 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4267 sm->group_cipher)),
4268 sm->dot11RSNA4WayHandshakeFailures);
4269 if (!os_snprintf_error(buflen - len, ret))
4270 len += ret;
4271
4272 return (int) len;
4273 }
4274 #endif /* CONFIG_CTRL_IFACE */
4275
4276
wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx,enum pmksa_free_reason reason)4277 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
4278 void *ctx, enum pmksa_free_reason reason)
4279 {
4280 struct wpa_sm *sm = ctx;
4281 int deauth = 0;
4282
4283 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
4284 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
4285
4286 if (sm->cur_pmksa == entry) {
4287 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4288 "RSN: %s current PMKSA entry",
4289 reason == PMKSA_REPLACE ? "replaced" : "removed");
4290 pmksa_cache_clear_current(sm);
4291
4292 /*
4293 * If an entry is simply being replaced, there's no need to
4294 * deauthenticate because it will be immediately re-added.
4295 * This happens when EAP authentication is completed again
4296 * (reauth or failed PMKSA caching attempt).
4297 */
4298 if (reason != PMKSA_REPLACE)
4299 deauth = 1;
4300 }
4301
4302 if (reason == PMKSA_EXPIRE &&
4303 (sm->pmk_len == entry->pmk_len &&
4304 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
4305 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4306 "RSN: deauthenticating due to expired PMK");
4307 pmksa_cache_clear_current(sm);
4308 deauth = 1;
4309 }
4310
4311 if (deauth) {
4312 sm->pmk_len = 0;
4313 os_memset(sm->pmk, 0, sizeof(sm->pmk));
4314 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
4315 }
4316 }
4317
4318
wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)4319 static bool wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry *entry,
4320 void *ctx)
4321 {
4322 struct wpa_sm *sm = ctx;
4323
4324 return sm->cur_pmksa == entry;
4325 }
4326
4327
wpa_sm_pmksa_notify_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)4328 static void wpa_sm_pmksa_notify_cb(struct rsn_pmksa_cache_entry *entry,
4329 void *ctx)
4330 {
4331 struct wpa_sm *sm = ctx;
4332
4333 wpa_sm_notify_pmksa_cache_entry(sm, entry);
4334 }
4335
4336
4337 /**
4338 * wpa_sm_init - Initialize WPA state machine
4339 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
4340 * Returns: Pointer to the allocated WPA state machine data
4341 *
4342 * This function is used to allocate a new WPA state machine and the returned
4343 * value is passed to all WPA state machine calls.
4344 */
wpa_sm_init(struct wpa_sm_ctx * ctx)4345 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
4346 {
4347 struct wpa_sm *sm;
4348
4349 sm = os_zalloc(sizeof(*sm));
4350 if (sm == NULL)
4351 return NULL;
4352 dl_list_init(&sm->pmksa_candidates);
4353 sm->renew_snonce = 1;
4354 sm->ctx = ctx;
4355
4356 sm->dot11RSNAConfigPMKLifetime = 43200;
4357 sm->dot11RSNAConfigPMKReauthThreshold = 70;
4358 sm->dot11RSNAConfigSATimeout = 60;
4359
4360 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb,
4361 wpa_sm_pmksa_is_current_cb,
4362 wpa_sm_pmksa_notify_cb, sm, sm);
4363 if (sm->pmksa == NULL) {
4364 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
4365 "RSN: PMKSA cache initialization failed");
4366 os_free(sm);
4367 return NULL;
4368 }
4369
4370 return sm;
4371 }
4372
4373
4374 /**
4375 * wpa_sm_deinit - Deinitialize WPA state machine
4376 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4377 */
wpa_sm_deinit(struct wpa_sm * sm)4378 void wpa_sm_deinit(struct wpa_sm *sm)
4379 {
4380 int i;
4381
4382 if (sm == NULL)
4383 return;
4384 pmksa_cache_deinit(sm->pmksa);
4385 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
4386 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
4387 os_free(sm->assoc_wpa_ie);
4388 os_free(sm->assoc_rsnxe);
4389 os_free(sm->ap_wpa_ie);
4390 os_free(sm->ap_rsn_ie);
4391 os_free(sm->ap_rsnxe);
4392 os_free(sm->ap_rsne_override);
4393 os_free(sm->ap_rsne_override_2);
4394 os_free(sm->ap_rsnxe_override);
4395 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4396 os_free(sm->mlo.links[i].ap_rsne);
4397 os_free(sm->mlo.links[i].ap_rsnxe);
4398 os_free(sm->mlo.links[i].ap_rsnoe);
4399 os_free(sm->mlo.links[i].ap_rsno2e);
4400 os_free(sm->mlo.links[i].ap_rsnxoe);
4401 }
4402 wpa_sm_drop_sa(sm);
4403 os_free(sm->ctx);
4404 #ifdef CONFIG_IEEE80211R
4405 os_free(sm->assoc_resp_ies);
4406 #endif /* CONFIG_IEEE80211R */
4407 #ifdef CONFIG_TESTING_OPTIONS
4408 wpabuf_free(sm->test_assoc_ie);
4409 wpabuf_free(sm->test_eapol_m2_elems);
4410 wpabuf_free(sm->test_eapol_m4_elems);
4411 wpabuf_free(sm->test_rsnxe_data);
4412 wpabuf_free(sm->test_rsnxe_mask);
4413 #endif /* CONFIG_TESTING_OPTIONS */
4414 #ifdef CONFIG_FILS_SK_PFS
4415 crypto_ecdh_deinit(sm->fils_ecdh);
4416 #endif /* CONFIG_FILS_SK_PFS */
4417 #ifdef CONFIG_FILS
4418 wpabuf_free(sm->fils_ft_ies);
4419 #endif /* CONFIG_FILS */
4420 #ifdef CONFIG_OWE
4421 crypto_ecdh_deinit(sm->owe_ecdh);
4422 #endif /* CONFIG_OWE */
4423 #ifdef CONFIG_DPP2
4424 wpabuf_clear_free(sm->dpp_z);
4425 #endif /* CONFIG_DPP2 */
4426 os_memset(sm->last_kck, 0, sizeof(sm->last_kck));
4427 os_free(sm);
4428 }
4429
4430
wpa_sm_clear_ptk(struct wpa_sm * sm)4431 static void wpa_sm_clear_ptk(struct wpa_sm *sm)
4432 {
4433 int i;
4434
4435 sm->ptk_set = 0;
4436 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
4437 sm->tptk_set = 0;
4438 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
4439 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
4440 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
4441 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
4442 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
4443 os_memset(&sm->bigtk, 0, sizeof(sm->bigtk));
4444 os_memset(&sm->bigtk_wnm_sleep, 0, sizeof(sm->bigtk_wnm_sleep));
4445 sm->tk_set = false;
4446 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4447 os_memset(&sm->mlo.links[i].gtk, 0,
4448 sizeof(sm->mlo.links[i].gtk));
4449 os_memset(&sm->mlo.links[i].gtk_wnm_sleep, 0,
4450 sizeof(sm->mlo.links[i].gtk_wnm_sleep));
4451 os_memset(&sm->mlo.links[i].igtk, 0,
4452 sizeof(sm->mlo.links[i].igtk));
4453 os_memset(&sm->mlo.links[i].igtk_wnm_sleep, 0,
4454 sizeof(sm->mlo.links[i].igtk_wnm_sleep));
4455 os_memset(&sm->mlo.links[i].bigtk, 0,
4456 sizeof(sm->mlo.links[i].bigtk));
4457 os_memset(&sm->mlo.links[i].bigtk_wnm_sleep, 0,
4458 sizeof(sm->mlo.links[i].bigtk_wnm_sleep));
4459 }
4460 }
4461
4462
4463 /**
4464 * wpa_sm_notify_assoc - Notify WPA state machine about association
4465 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4466 * @bssid: The BSSID of the new association
4467 *
4468 * This function is called to let WPA state machine know that the connection
4469 * was established.
4470 */
wpa_sm_notify_assoc(struct wpa_sm * sm,const u8 * bssid)4471 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
4472 {
4473 int clear_keys = 1;
4474
4475 if (sm == NULL)
4476 return;
4477
4478 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4479 "WPA: Association event - clear replay counter");
4480 os_memcpy(sm->bssid, bssid, ETH_ALEN);
4481 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
4482 sm->rx_replay_counter_set = 0;
4483 sm->renew_snonce = 1;
4484 if (ether_addr_equal(sm->preauth_bssid, bssid))
4485 rsn_preauth_deinit(sm);
4486
4487 #ifdef CONFIG_IEEE80211R
4488 if (wpa_ft_is_completed(sm)) {
4489 /*
4490 * Clear portValid to kick EAPOL state machine to re-enter
4491 * AUTHENTICATED state to get the EAPOL port Authorized.
4492 */
4493 eapol_sm_notify_portValid(sm->eapol, false);
4494 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
4495
4496 /* Prepare for the next transition */
4497 wpa_ft_prepare_auth_request(sm, NULL);
4498
4499 clear_keys = 0;
4500 sm->ft_protocol = 1;
4501 } else {
4502 sm->ft_protocol = 0;
4503 }
4504 #endif /* CONFIG_IEEE80211R */
4505 #ifdef CONFIG_FILS
4506 if (sm->fils_completed) {
4507 /*
4508 * Clear portValid to kick EAPOL state machine to re-enter
4509 * AUTHENTICATED state to get the EAPOL port Authorized.
4510 */
4511 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
4512 clear_keys = 0;
4513 }
4514 #endif /* CONFIG_FILS */
4515
4516 if (clear_keys) {
4517 /*
4518 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
4519 * this is not part of a Fast BSS Transition.
4520 */
4521 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
4522 wpa_sm_clear_ptk(sm);
4523 }
4524
4525 #ifdef CONFIG_TDLS
4526 wpa_tdls_assoc(sm);
4527 #endif /* CONFIG_TDLS */
4528
4529 #ifdef CONFIG_P2P
4530 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
4531 #endif /* CONFIG_P2P */
4532
4533 sm->keyidx_active = 0;
4534 }
4535
4536
4537 /**
4538 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
4539 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4540 *
4541 * This function is called to let WPA state machine know that the connection
4542 * was lost. This will abort any existing pre-authentication session.
4543 */
wpa_sm_notify_disassoc(struct wpa_sm * sm)4544 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
4545 {
4546 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
4547 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
4548 rsn_preauth_deinit(sm);
4549 pmksa_cache_clear_current(sm);
4550 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
4551 sm->dot11RSNA4WayHandshakeFailures++;
4552 #ifdef CONFIG_TDLS
4553 wpa_tdls_disassoc(sm);
4554 #endif /* CONFIG_TDLS */
4555 #ifdef CONFIG_FILS
4556 sm->fils_completed = 0;
4557 #endif /* CONFIG_FILS */
4558 #ifdef CONFIG_IEEE80211R
4559 sm->ft_reassoc_completed = 0;
4560 sm->ft_protocol = 0;
4561 #endif /* CONFIG_IEEE80211R */
4562
4563 /* Keys are not needed in the WPA state machine anymore */
4564 wpa_sm_drop_sa(sm);
4565 sm->keyidx_active = 0;
4566
4567 sm->msg_3_of_4_ok = 0;
4568 os_memset(sm->bssid, 0, ETH_ALEN);
4569 }
4570
4571
4572 /**
4573 * wpa_sm_set_pmk - Set PMK
4574 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4575 * @pmk: The new PMK
4576 * @pmk_len: The length of the new PMK in bytes
4577 * @pmkid: Calculated PMKID
4578 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
4579 *
4580 * Configure the PMK for WPA state machine.
4581 */
wpa_sm_set_pmk(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid)4582 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
4583 const u8 *pmkid, const u8 *bssid)
4584 {
4585 if (sm == NULL)
4586 return;
4587
4588 wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data",
4589 pmk, pmk_len);
4590 sm->pmk_len = pmk_len;
4591 os_memcpy(sm->pmk, pmk, pmk_len);
4592
4593 #ifdef CONFIG_IEEE80211R
4594 /* Set XXKey to be PSK for FT key derivation */
4595 sm->xxkey_len = pmk_len;
4596 os_memcpy(sm->xxkey, pmk, pmk_len);
4597 #endif /* CONFIG_IEEE80211R */
4598
4599 if (bssid) {
4600 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len,
4601 pmkid, NULL, 0, bssid,
4602 sm->own_addr,
4603 sm->network_ctx, sm->key_mgmt,
4604 NULL);
4605 }
4606 }
4607
4608
4609 /**
4610 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
4611 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4612 *
4613 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
4614 * will be cleared.
4615 */
wpa_sm_set_pmk_from_pmksa(struct wpa_sm * sm)4616 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
4617 {
4618 if (sm == NULL)
4619 return;
4620
4621 if (sm->cur_pmksa) {
4622 wpa_hexdump_key(MSG_DEBUG,
4623 "WPA: Set PMK based on current PMKSA",
4624 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len);
4625 sm->pmk_len = sm->cur_pmksa->pmk_len;
4626 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
4627 } else {
4628 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK");
4629 sm->pmk_len = 0;
4630 os_memset(sm->pmk, 0, PMK_LEN_MAX);
4631 }
4632 }
4633
4634
4635 /**
4636 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
4637 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4638 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
4639 */
wpa_sm_set_fast_reauth(struct wpa_sm * sm,int fast_reauth)4640 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
4641 {
4642 if (sm)
4643 sm->fast_reauth = fast_reauth;
4644 }
4645
4646
4647 /**
4648 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
4649 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4650 * @scard_ctx: Context pointer for smartcard related callback functions
4651 */
wpa_sm_set_scard_ctx(struct wpa_sm * sm,void * scard_ctx)4652 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
4653 {
4654 if (sm == NULL)
4655 return;
4656 sm->scard_ctx = scard_ctx;
4657 if (sm->preauth_eapol)
4658 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
4659 }
4660
4661
4662 /**
4663 * wpa_sm_set_config - Notification of current configuration change
4664 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4665 * @config: Pointer to current network configuration
4666 *
4667 * Notify WPA state machine that configuration has changed. config will be
4668 * stored as a backpointer to network configuration. This can be %NULL to clear
4669 * the stored pointed.
4670 */
wpa_sm_set_config(struct wpa_sm * sm,struct rsn_supp_config * config)4671 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
4672 {
4673 if (!sm)
4674 return;
4675
4676 if (config) {
4677 sm->network_ctx = config->network_ctx;
4678 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
4679 sm->proactive_key_caching = config->proactive_key_caching;
4680 sm->eap_workaround = config->eap_workaround;
4681 sm->eap_conf_ctx = config->eap_conf_ctx;
4682 if (config->ssid) {
4683 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
4684 sm->ssid_len = config->ssid_len;
4685 } else
4686 sm->ssid_len = 0;
4687 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
4688 sm->p2p = config->p2p;
4689 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
4690 sm->owe_ptk_workaround = config->owe_ptk_workaround;
4691 sm->force_kdk_derivation = config->force_kdk_derivation;
4692 #ifdef CONFIG_FILS
4693 if (config->fils_cache_id) {
4694 sm->fils_cache_id_set = 1;
4695 os_memcpy(sm->fils_cache_id, config->fils_cache_id,
4696 FILS_CACHE_ID_LEN);
4697 } else {
4698 sm->fils_cache_id_set = 0;
4699 }
4700 #endif /* CONFIG_FILS */
4701 sm->beacon_prot = config->beacon_prot;
4702 } else {
4703 sm->network_ctx = NULL;
4704 sm->allowed_pairwise_cipher = 0;
4705 sm->proactive_key_caching = 0;
4706 sm->eap_workaround = 0;
4707 sm->eap_conf_ctx = NULL;
4708 sm->ssid_len = 0;
4709 sm->wpa_ptk_rekey = 0;
4710 sm->p2p = 0;
4711 sm->wpa_rsc_relaxation = 0;
4712 sm->owe_ptk_workaround = 0;
4713 sm->beacon_prot = 0;
4714 sm->force_kdk_derivation = false;
4715 }
4716 }
4717
4718
wpa_sm_set_ssid(struct wpa_sm * sm,const u8 * ssid,size_t ssid_len)4719 void wpa_sm_set_ssid(struct wpa_sm *sm, const u8 *ssid, size_t ssid_len)
4720 {
4721 if (!sm)
4722 return;
4723
4724 if (ssid) {
4725 os_memcpy(sm->ssid, ssid, ssid_len);
4726 sm->ssid_len = ssid_len;
4727 } else {
4728 sm->ssid_len = 0;
4729 }
4730 }
4731
4732
wpa_sm_set_mlo_params(struct wpa_sm * sm,const struct wpa_sm_mlo * mlo)4733 int wpa_sm_set_mlo_params(struct wpa_sm *sm, const struct wpa_sm_mlo *mlo)
4734 {
4735 int i;
4736
4737 if (!sm)
4738 return -1;
4739
4740 os_memcpy(sm->mlo.ap_mld_addr, mlo->ap_mld_addr, ETH_ALEN);
4741 sm->mlo.assoc_link_id = mlo->assoc_link_id;
4742 sm->mlo.valid_links = mlo->valid_links;
4743 sm->mlo.req_links = mlo->req_links;
4744
4745 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4746 const u8 *ie;
4747 size_t len;
4748
4749 if (sm->mlo.req_links & BIT(i)) {
4750 if (!mlo->links[i].ap_rsne ||
4751 mlo->links[i].ap_rsne_len == 0) {
4752 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO,
4753 "RSN: No RSNE for AP MLO link %d with BSSID "
4754 MACSTR,
4755 i, MAC2STR(mlo->links[i].bssid));
4756 return -1;
4757
4758 }
4759 os_memcpy(sm->mlo.links[i].addr, mlo->links[i].addr,
4760 ETH_ALEN);
4761 os_memcpy(sm->mlo.links[i].bssid, mlo->links[i].bssid,
4762 ETH_ALEN);
4763 }
4764
4765 ie = mlo->links[i].ap_rsne;
4766 len = mlo->links[i].ap_rsne_len;
4767 os_free(sm->mlo.links[i].ap_rsne);
4768 if (!ie || len == 0) {
4769 if (sm->mlo.links[i].ap_rsne)
4770 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4771 "RSN: Clearing MLO link[%u] AP RSNE",
4772 i);
4773 sm->mlo.links[i].ap_rsne = NULL;
4774 sm->mlo.links[i].ap_rsne_len = 0;
4775 } else {
4776 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNE",
4777 ie, len);
4778 sm->mlo.links[i].ap_rsne = os_memdup(ie, len);
4779 if (!sm->mlo.links[i].ap_rsne) {
4780 sm->mlo.links[i].ap_rsne_len = 0;
4781 return -1;
4782 }
4783 sm->mlo.links[i].ap_rsne_len = len;
4784 }
4785
4786 ie = mlo->links[i].ap_rsnxe;
4787 len = mlo->links[i].ap_rsnxe_len;
4788 os_free(sm->mlo.links[i].ap_rsnxe);
4789 if (!ie || len == 0) {
4790 if (sm->mlo.links[i].ap_rsnxe)
4791 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4792 "RSN: Clearing MLO link[%u] AP RSNXE",
4793 i);
4794 sm->mlo.links[i].ap_rsnxe = NULL;
4795 sm->mlo.links[i].ap_rsnxe_len = 0;
4796 } else {
4797 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNXE", ie,
4798 len);
4799 sm->mlo.links[i].ap_rsnxe = os_memdup(ie, len);
4800 if (!sm->mlo.links[i].ap_rsnxe) {
4801 sm->mlo.links[i].ap_rsnxe_len = 0;
4802 return -1;
4803 }
4804 sm->mlo.links[i].ap_rsnxe_len = len;
4805 }
4806
4807 ie = mlo->links[i].ap_rsnoe;
4808 len = mlo->links[i].ap_rsnoe_len;
4809 os_free(sm->mlo.links[i].ap_rsnoe);
4810 if (!ie || len == 0) {
4811 if (sm->mlo.links[i].ap_rsnoe)
4812 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4813 "RSN: Clearing MLO link[%u] AP RSNOE",
4814 i);
4815 sm->mlo.links[i].ap_rsnoe = NULL;
4816 sm->mlo.links[i].ap_rsnoe_len = 0;
4817 } else {
4818 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNOE",
4819 ie, len);
4820 sm->mlo.links[i].ap_rsnoe = os_memdup(ie, len);
4821 if (!sm->mlo.links[i].ap_rsnoe) {
4822 sm->mlo.links[i].ap_rsnoe_len = 0;
4823 return -1;
4824 }
4825 sm->mlo.links[i].ap_rsnoe_len = len;
4826 }
4827
4828 ie = mlo->links[i].ap_rsno2e;
4829 len = mlo->links[i].ap_rsno2e_len;
4830 os_free(sm->mlo.links[i].ap_rsno2e);
4831 if (!ie || len == 0) {
4832 if (sm->mlo.links[i].ap_rsno2e)
4833 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4834 "RSN: Clearing MLO link[%u] AP RSNO2E",
4835 i);
4836 sm->mlo.links[i].ap_rsno2e = NULL;
4837 sm->mlo.links[i].ap_rsno2e_len = 0;
4838 } else {
4839 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNO2E",
4840 ie, len);
4841 sm->mlo.links[i].ap_rsno2e = os_memdup(ie, len);
4842 if (!sm->mlo.links[i].ap_rsno2e) {
4843 sm->mlo.links[i].ap_rsno2e_len = 0;
4844 return -1;
4845 }
4846 sm->mlo.links[i].ap_rsno2e_len = len;
4847 }
4848
4849 ie = mlo->links[i].ap_rsnxoe;
4850 len = mlo->links[i].ap_rsnxoe_len;
4851 os_free(sm->mlo.links[i].ap_rsnxoe);
4852 if (!ie || len == 0) {
4853 if (sm->mlo.links[i].ap_rsnxoe)
4854 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4855 "RSN: Clearing MLO link[%u] AP RSNXOE",
4856 i);
4857 sm->mlo.links[i].ap_rsnxoe = NULL;
4858 sm->mlo.links[i].ap_rsnxoe_len = 0;
4859 } else {
4860 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNXOE",
4861 ie, len);
4862 sm->mlo.links[i].ap_rsnxoe = os_memdup(ie, len);
4863 if (!sm->mlo.links[i].ap_rsnxoe) {
4864 sm->mlo.links[i].ap_rsnxoe_len = 0;
4865 return -1;
4866 }
4867 sm->mlo.links[i].ap_rsnxoe_len = len;
4868 }
4869 }
4870
4871 return 0;
4872 }
4873
4874
4875 /**
4876 * wpa_sm_set_own_addr - Set own MAC address
4877 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4878 * @addr: Own MAC address
4879 */
wpa_sm_set_own_addr(struct wpa_sm * sm,const u8 * addr)4880 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
4881 {
4882 if (sm)
4883 os_memcpy(sm->own_addr, addr, ETH_ALEN);
4884 }
4885
4886
4887 /**
4888 * wpa_sm_set_ifname - Set network interface name
4889 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4890 * @ifname: Interface name
4891 * @bridge_ifname: Optional bridge interface name (for pre-auth)
4892 */
wpa_sm_set_ifname(struct wpa_sm * sm,const char * ifname,const char * bridge_ifname)4893 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
4894 const char *bridge_ifname)
4895 {
4896 if (sm) {
4897 sm->ifname = ifname;
4898 sm->bridge_ifname = bridge_ifname;
4899 }
4900 }
4901
4902
4903 /**
4904 * wpa_sm_set_eapol - Set EAPOL state machine pointer
4905 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4906 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
4907 */
wpa_sm_set_eapol(struct wpa_sm * sm,struct eapol_sm * eapol)4908 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
4909 {
4910 if (sm)
4911 sm->eapol = eapol;
4912 }
4913
4914
4915 /**
4916 * wpa_sm_set_param - Set WPA state machine parameters
4917 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4918 * @param: Parameter field
4919 * @value: Parameter value
4920 * Returns: 0 on success, -1 on failure
4921 */
wpa_sm_set_param(struct wpa_sm * sm,enum wpa_sm_conf_params param,unsigned int value)4922 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
4923 unsigned int value)
4924 {
4925 int ret = 0;
4926
4927 if (sm == NULL)
4928 return -1;
4929
4930 switch (param) {
4931 case RSNA_PMK_LIFETIME:
4932 if (value > 0)
4933 sm->dot11RSNAConfigPMKLifetime = value;
4934 else
4935 ret = -1;
4936 break;
4937 case RSNA_PMK_REAUTH_THRESHOLD:
4938 if (value > 0 && value <= 100)
4939 sm->dot11RSNAConfigPMKReauthThreshold = value;
4940 else
4941 ret = -1;
4942 break;
4943 case RSNA_SA_TIMEOUT:
4944 if (value > 0)
4945 sm->dot11RSNAConfigSATimeout = value;
4946 else
4947 ret = -1;
4948 break;
4949 case WPA_PARAM_PROTO:
4950 sm->proto = value;
4951 break;
4952 case WPA_PARAM_PAIRWISE:
4953 sm->pairwise_cipher = value;
4954 break;
4955 case WPA_PARAM_GROUP:
4956 sm->group_cipher = value;
4957 break;
4958 case WPA_PARAM_KEY_MGMT:
4959 sm->key_mgmt = value;
4960 break;
4961 case WPA_PARAM_MGMT_GROUP:
4962 sm->mgmt_group_cipher = value;
4963 break;
4964 case WPA_PARAM_RSN_ENABLED:
4965 sm->rsn_enabled = value;
4966 break;
4967 case WPA_PARAM_MFP:
4968 sm->mfp = value;
4969 break;
4970 case WPA_PARAM_OCV:
4971 sm->ocv = value;
4972 break;
4973 case WPA_PARAM_SAE_PWE:
4974 sm->sae_pwe = value;
4975 break;
4976 case WPA_PARAM_SAE_PK:
4977 sm->sae_pk = value;
4978 break;
4979 case WPA_PARAM_DENY_PTK0_REKEY:
4980 sm->wpa_deny_ptk0_rekey = value;
4981 break;
4982 case WPA_PARAM_EXT_KEY_ID:
4983 sm->ext_key_id = value;
4984 break;
4985 case WPA_PARAM_USE_EXT_KEY_ID:
4986 sm->use_ext_key_id = value;
4987 break;
4988 case WPA_PARAM_SPP_AMSDU:
4989 sm->spp_amsdu = !!value;
4990 break;
4991 #ifdef CONFIG_TESTING_OPTIONS
4992 case WPA_PARAM_FT_RSNXE_USED:
4993 sm->ft_rsnxe_used = value;
4994 break;
4995 case WPA_PARAM_OCI_FREQ_EAPOL:
4996 sm->oci_freq_override_eapol = value;
4997 break;
4998 case WPA_PARAM_OCI_FREQ_EAPOL_G2:
4999 sm->oci_freq_override_eapol_g2 = value;
5000 break;
5001 case WPA_PARAM_OCI_FREQ_FT_ASSOC:
5002 sm->oci_freq_override_ft_assoc = value;
5003 break;
5004 case WPA_PARAM_OCI_FREQ_FILS_ASSOC:
5005 sm->oci_freq_override_fils_assoc = value;
5006 break;
5007 case WPA_PARAM_DISABLE_EAPOL_G2_TX:
5008 sm->disable_eapol_g2_tx = value;
5009 break;
5010 case WPA_PARAM_ENCRYPT_EAPOL_M2:
5011 sm->encrypt_eapol_m2 = value;
5012 break;
5013 case WPA_PARAM_ENCRYPT_EAPOL_M4:
5014 sm->encrypt_eapol_m4 = value;
5015 break;
5016 case WPA_PARAM_EAPOL_2_KEY_INFO_SET_MASK:
5017 sm->eapol_2_key_info_set_mask = value;
5018 break;
5019 #endif /* CONFIG_TESTING_OPTIONS */
5020 #ifdef CONFIG_DPP2
5021 case WPA_PARAM_DPP_PFS:
5022 sm->dpp_pfs = value;
5023 break;
5024 #endif /* CONFIG_DPP2 */
5025 case WPA_PARAM_WMM_ENABLED:
5026 sm->wmm_enabled = value;
5027 break;
5028 case WPA_PARAM_FT_PREPEND_PMKID:
5029 sm->ft_prepend_pmkid = value;
5030 break;
5031 case WPA_PARAM_SSID_PROTECTION:
5032 sm->ssid_protection = value;
5033 break;
5034 case WPA_PARAM_RSN_OVERRIDE:
5035 sm->rsn_override = value;
5036 break;
5037 case WPA_PARAM_RSN_OVERRIDE_SUPPORT:
5038 sm->rsn_override_support = value;
5039 break;
5040 default:
5041 break;
5042 }
5043
5044 return ret;
5045 }
5046
5047
wpa_sm_get_ap_rsne(struct wpa_sm * sm,size_t * len)5048 static const u8 * wpa_sm_get_ap_rsne(struct wpa_sm *sm, size_t *len)
5049 {
5050 if (sm->rsn_override == RSN_OVERRIDE_RSNE_OVERRIDE) {
5051 *len = sm->ap_rsne_override_len;
5052 return sm->ap_rsne_override;
5053 }
5054
5055 if (sm->rsn_override == RSN_OVERRIDE_RSNE_OVERRIDE_2) {
5056 *len = sm->ap_rsne_override_2_len;
5057 return sm->ap_rsne_override_2;
5058 }
5059
5060 *len = sm->ap_rsn_ie_len;
5061 return sm->ap_rsn_ie;
5062 }
5063
5064
5065 /**
5066 * wpa_sm_get_status - Get WPA state machine
5067 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5068 * @buf: Buffer for status information
5069 * @buflen: Maximum buffer length
5070 * @verbose: Whether to include verbose status information
5071 * Returns: Number of bytes written to buf.
5072 *
5073 * Query WPA state machine for status information. This function fills in
5074 * a text area with current status information. If the buffer (buf) is not
5075 * large enough, status information will be truncated to fit the buffer.
5076 */
wpa_sm_get_status(struct wpa_sm * sm,char * buf,size_t buflen,int verbose)5077 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
5078 int verbose)
5079 {
5080 char *pos = buf, *end = buf + buflen;
5081 int ret;
5082 const u8 *rsne;
5083 size_t rsne_len;
5084
5085 rsne = wpa_sm_get_ap_rsne(sm, &rsne_len);
5086
5087 ret = os_snprintf(pos, end - pos,
5088 "pairwise_cipher=%s\n"
5089 "group_cipher=%s\n"
5090 "key_mgmt=%s\n",
5091 wpa_cipher_txt(sm->pairwise_cipher),
5092 wpa_cipher_txt(sm->group_cipher),
5093 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
5094 if (os_snprintf_error(end - pos, ret))
5095 return pos - buf;
5096 pos += ret;
5097
5098 #ifdef CONFIG_DPP2
5099 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
5100 ret = os_snprintf(pos, end - pos, "dpp_pfs=1\n");
5101 if (os_snprintf_error(end - pos, ret))
5102 return pos - buf;
5103 pos += ret;
5104 }
5105 #endif /* CONFIG_DPP2 */
5106
5107 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && rsne) {
5108 struct wpa_ie_data rsn;
5109
5110 if (wpa_parse_wpa_ie_rsn(rsne, rsne_len, &rsn) >= 0 &&
5111 rsn.capabilities & (WPA_CAPABILITY_MFPR |
5112 WPA_CAPABILITY_MFPC)) {
5113 ret = os_snprintf(pos, end - pos, "pmf=%d\n"
5114 "mgmt_group_cipher=%s\n",
5115 (rsn.capabilities &
5116 WPA_CAPABILITY_MFPR) ? 2 : 1,
5117 wpa_cipher_txt(
5118 sm->mgmt_group_cipher));
5119 if (os_snprintf_error(end - pos, ret))
5120 return pos - buf;
5121 pos += ret;
5122 }
5123 }
5124
5125 return pos - buf;
5126 }
5127
5128
wpa_sm_pmf_enabled(struct wpa_sm * sm)5129 int wpa_sm_pmf_enabled(struct wpa_sm *sm)
5130 {
5131 struct wpa_ie_data rsn;
5132 const u8 *rsne;
5133 size_t rsne_len;
5134
5135 rsne = wpa_sm_get_ap_rsne(sm, &rsne_len);
5136
5137 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !rsne)
5138 return 0;
5139
5140 if (wpa_parse_wpa_ie_rsn(rsne, rsne_len, &rsn) >= 0 &&
5141 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
5142 return 1;
5143
5144 return 0;
5145 }
5146
5147
wpa_sm_rsn_overriding_supported(struct wpa_sm * sm)5148 bool wpa_sm_rsn_overriding_supported(struct wpa_sm *sm)
5149 {
5150 const u8 *rsne;
5151 size_t rsne_len;
5152
5153 rsne = wpa_sm_get_ap_rsne(sm, &rsne_len);
5154
5155 return sm->rsn_override_support && rsne;
5156 }
5157
5158
wpa_sm_ext_key_id(struct wpa_sm * sm)5159 int wpa_sm_ext_key_id(struct wpa_sm *sm)
5160 {
5161 return sm ? sm->ext_key_id : 0;
5162 }
5163
5164
wpa_sm_ext_key_id_active(struct wpa_sm * sm)5165 int wpa_sm_ext_key_id_active(struct wpa_sm *sm)
5166 {
5167 return sm ? sm->use_ext_key_id : 0;
5168 }
5169
5170
wpa_sm_ocv_enabled(struct wpa_sm * sm)5171 int wpa_sm_ocv_enabled(struct wpa_sm *sm)
5172 {
5173 struct wpa_ie_data rsn;
5174 const u8 *rsne;
5175 size_t rsne_len;
5176
5177 rsne = wpa_sm_get_ap_rsne(sm, &rsne_len);
5178 if (!sm->ocv || !rsne)
5179 return 0;
5180
5181 return wpa_parse_wpa_ie_rsn(rsne, rsne_len, &rsn) >= 0 &&
5182 (rsn.capabilities & WPA_CAPABILITY_OCVC);
5183 }
5184
5185
5186 /**
5187 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
5188 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5189 * @wpa_ie: Pointer to buffer for WPA/RSN IE
5190 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
5191 * Returns: 0 on success, -1 on failure
5192 */
wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm * sm,u8 * wpa_ie,size_t * wpa_ie_len)5193 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
5194 size_t *wpa_ie_len)
5195 {
5196 int res;
5197
5198 if (sm == NULL)
5199 return -1;
5200
5201 #ifdef CONFIG_TESTING_OPTIONS
5202 if (sm->test_assoc_ie) {
5203 wpa_printf(MSG_DEBUG,
5204 "TESTING: Replace association WPA/RSN IE");
5205 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
5206 return -1;
5207 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
5208 wpabuf_len(sm->test_assoc_ie));
5209 res = wpabuf_len(sm->test_assoc_ie);
5210 } else
5211 #endif /* CONFIG_TESTING_OPTIONS */
5212 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
5213 if (res < 0)
5214 return -1;
5215 *wpa_ie_len = res;
5216
5217 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
5218 wpa_ie, *wpa_ie_len);
5219
5220 if (sm->assoc_wpa_ie == NULL) {
5221 /*
5222 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
5223 * the correct version of the IE even if PMKSA caching is
5224 * aborted (which would remove PMKID from IE generation).
5225 */
5226 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
5227 if (sm->assoc_wpa_ie == NULL)
5228 return -1;
5229
5230 sm->assoc_wpa_ie_len = *wpa_ie_len;
5231 } else {
5232 wpa_hexdump(MSG_DEBUG,
5233 "WPA: Leave previously set WPA IE default",
5234 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5235 }
5236
5237 return 0;
5238 }
5239
5240
5241 /**
5242 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
5243 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5244 * @ie: Pointer to IE data (starting from id)
5245 * @len: IE length
5246 * Returns: 0 on success, -1 on failure
5247 *
5248 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
5249 * Request frame. The IE will be used to override the default value generated
5250 * with wpa_sm_set_assoc_wpa_ie_default().
5251 */
wpa_sm_set_assoc_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)5252 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
5253 {
5254 if (sm == NULL)
5255 return -1;
5256
5257 os_free(sm->assoc_wpa_ie);
5258 if (ie == NULL || len == 0) {
5259 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5260 "WPA: clearing own WPA/RSN IE");
5261 sm->assoc_wpa_ie = NULL;
5262 sm->assoc_wpa_ie_len = 0;
5263 } else {
5264 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
5265 sm->assoc_wpa_ie = os_memdup(ie, len);
5266 if (sm->assoc_wpa_ie == NULL)
5267 return -1;
5268
5269 sm->assoc_wpa_ie_len = len;
5270 }
5271
5272 return 0;
5273 }
5274
5275
5276 #ifdef CONFIG_TESTING_OPTIONS
5277
wpa_sm_set_test_rsnxe_data(struct wpa_sm * sm,struct wpabuf * data,struct wpabuf * mask)5278 int wpa_sm_set_test_rsnxe_data(struct wpa_sm *sm, struct wpabuf *data,
5279 struct wpabuf *mask)
5280 {
5281 size_t data_len = 0, mask_len = 0;
5282
5283 wpabuf_free(sm->test_rsnxe_data);
5284 sm->test_rsnxe_data = NULL;
5285 wpabuf_free(sm->test_rsnxe_mask);
5286 sm->test_rsnxe_mask = NULL;
5287
5288 if (!data && !mask)
5289 return 0;
5290
5291 if (data)
5292 data_len = wpabuf_len(data);
5293 if (mask)
5294 mask_len = wpabuf_len(mask);
5295
5296 if (data_len != mask_len || data_len > 255)
5297 return -1;
5298
5299 sm->test_rsnxe_data = data;
5300 sm->test_rsnxe_mask = mask;
5301
5302 return 0;
5303 }
5304
5305
wpa_set_test_rsnxe_data(struct wpa_sm * sm,u8 * rsnxe,size_t orig_len,size_t max_len)5306 static int wpa_set_test_rsnxe_data(struct wpa_sm *sm, u8 *rsnxe,
5307 size_t orig_len, size_t max_len)
5308 {
5309 const u8 *data, *mask;
5310 size_t i, data_len;
5311
5312 if (!sm->test_rsnxe_data || !sm->test_rsnxe_mask)
5313 return orig_len;
5314
5315 mask = wpabuf_head(sm->test_rsnxe_mask);
5316 data = wpabuf_head(sm->test_rsnxe_data);
5317 data_len = wpabuf_len(sm->test_rsnxe_data);
5318 if (max_len < data_len + 2) {
5319 wpa_printf(MSG_ERROR, "Couldn't fit RSNXE test data");
5320 return -1;
5321 }
5322
5323 /* Set data after original RSNXE to zero */
5324 if (orig_len < data_len + 2)
5325 os_memset(&rsnxe[orig_len], 0, data_len + 2 - orig_len);
5326
5327 /* Set EID and length fields */
5328 *rsnxe++ = WLAN_EID_RSNX;
5329 *rsnxe++ = data_len;
5330
5331 /* Preserve original RSNXE bit value when mask bit is zero */
5332 for (i = 0; i < data_len; i++) {
5333 if (!mask[i])
5334 continue;
5335
5336 rsnxe[i] &= ~mask[i];
5337 rsnxe[i] |= data[i] & mask[i];
5338 }
5339
5340 return data_len + 2;
5341 }
5342
5343 #endif /* CONFIG_TESTING_OPTIONS */
5344
5345
5346 /**
5347 * wpa_sm_set_assoc_rsnxe_default - Generate own RSNXE from configuration
5348 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5349 * @rsnxe: Pointer to buffer for RSNXE
5350 * @rsnxe_len: Pointer to the length of the rsne buffer
5351 * Returns: 0 on success, -1 on failure
5352 */
wpa_sm_set_assoc_rsnxe_default(struct wpa_sm * sm,u8 * rsnxe,size_t * rsnxe_len)5353 int wpa_sm_set_assoc_rsnxe_default(struct wpa_sm *sm, u8 *rsnxe,
5354 size_t *rsnxe_len)
5355 {
5356 int res;
5357
5358 if (!sm)
5359 return -1;
5360
5361 res = wpa_gen_rsnxe(sm, rsnxe, *rsnxe_len);
5362 if (res < 0)
5363 return -1;
5364 #ifdef CONFIG_TESTING_OPTIONS
5365 res = wpa_set_test_rsnxe_data(sm, rsnxe, res, *rsnxe_len);
5366 if (res < 0)
5367 return -1;
5368 #endif /* CONFIG_TESTING_OPTIONS */
5369 *rsnxe_len = res;
5370
5371 wpa_hexdump(MSG_DEBUG, "RSN: Set own RSNXE default", rsnxe, *rsnxe_len);
5372
5373 if (sm->assoc_rsnxe) {
5374 wpa_hexdump(MSG_DEBUG,
5375 "RSN: Leave previously set RSNXE default",
5376 sm->assoc_rsnxe, sm->assoc_rsnxe_len);
5377 } else if (*rsnxe_len > 0) {
5378 /*
5379 * Make a copy of the RSNXE so that 4-Way Handshake gets the
5380 * correct version of the IE even if it gets changed.
5381 */
5382 sm->assoc_rsnxe = os_memdup(rsnxe, *rsnxe_len);
5383 if (!sm->assoc_rsnxe)
5384 return -1;
5385
5386 sm->assoc_rsnxe_len = *rsnxe_len;
5387 }
5388
5389 return 0;
5390 }
5391
5392
5393 /**
5394 * wpa_sm_set_assoc_rsnxe - Set own RSNXE from (Re)AssocReq
5395 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5396 * @ie: Pointer to IE data (starting from id)
5397 * @len: IE length
5398 * Returns: 0 on success, -1 on failure
5399 *
5400 * Inform WPA state machine about the RSNXE used in (Re)Association Request
5401 * frame. The IE will be used to override the default value generated
5402 * with wpa_sm_set_assoc_rsnxe_default().
5403 */
wpa_sm_set_assoc_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)5404 int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
5405 {
5406 if (!sm)
5407 return -1;
5408
5409 os_free(sm->assoc_rsnxe);
5410 if (!ie || len == 0) {
5411 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5412 "RSN: clearing own RSNXE");
5413 sm->assoc_rsnxe = NULL;
5414 sm->assoc_rsnxe_len = 0;
5415 } else {
5416 wpa_hexdump(MSG_DEBUG, "RSN: set own RSNXE", ie, len);
5417 sm->assoc_rsnxe = os_memdup(ie, len);
5418 if (!sm->assoc_rsnxe)
5419 return -1;
5420
5421 sm->assoc_rsnxe_len = len;
5422 }
5423
5424 if (sm->ssid_protection &&
5425 !ieee802_11_rsnx_capab(sm->assoc_rsnxe,
5426 WLAN_RSNX_CAPAB_SSID_PROTECTION)) {
5427 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5428 "RSN: Disabling SSID protection based on own RSNXE update");
5429 sm->ssid_protection = 0;
5430 }
5431
5432 return 0;
5433 }
5434
5435
5436 /**
5437 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
5438 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5439 * @ie: Pointer to IE data (starting from id)
5440 * @len: IE length
5441 * Returns: 0 on success, -1 on failure
5442 *
5443 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
5444 * frame.
5445 */
wpa_sm_set_ap_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)5446 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
5447 {
5448 if (sm == NULL)
5449 return -1;
5450
5451 os_free(sm->ap_wpa_ie);
5452 if (ie == NULL || len == 0) {
5453 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5454 "WPA: clearing AP WPA IE");
5455 sm->ap_wpa_ie = NULL;
5456 sm->ap_wpa_ie_len = 0;
5457 } else {
5458 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
5459 sm->ap_wpa_ie = os_memdup(ie, len);
5460 if (sm->ap_wpa_ie == NULL)
5461 return -1;
5462
5463 sm->ap_wpa_ie_len = len;
5464 }
5465
5466 return 0;
5467 }
5468
5469
5470 /**
5471 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
5472 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5473 * @ie: Pointer to IE data (starting from id)
5474 * @len: IE length
5475 * Returns: 0 on success, -1 on failure
5476 *
5477 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
5478 * frame.
5479 */
wpa_sm_set_ap_rsn_ie(struct wpa_sm * sm,const u8 * ie,size_t len)5480 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
5481 {
5482 if (sm == NULL)
5483 return -1;
5484
5485 os_free(sm->ap_rsn_ie);
5486 if (ie == NULL || len == 0) {
5487 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5488 "WPA: clearing AP RSN IE");
5489 sm->ap_rsn_ie = NULL;
5490 sm->ap_rsn_ie_len = 0;
5491 } else {
5492 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
5493 sm->ap_rsn_ie = os_memdup(ie, len);
5494 if (sm->ap_rsn_ie == NULL)
5495 return -1;
5496
5497 sm->ap_rsn_ie_len = len;
5498 }
5499
5500 return 0;
5501 }
5502
5503
5504 /**
5505 * wpa_sm_set_ap_rsnxe - Set AP RSNXE from Beacon/ProbeResp
5506 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5507 * @ie: Pointer to IE data (starting from id)
5508 * @len: IE length
5509 * Returns: 0 on success, -1 on failure
5510 *
5511 * Inform WPA state machine about the RSNXE used in Beacon / Probe Response
5512 * frame.
5513 */
wpa_sm_set_ap_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)5514 int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
5515 {
5516 if (!sm)
5517 return -1;
5518
5519 os_free(sm->ap_rsnxe);
5520 if (!ie || len == 0) {
5521 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE");
5522 sm->ap_rsnxe = NULL;
5523 sm->ap_rsnxe_len = 0;
5524 } else {
5525 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len);
5526 sm->ap_rsnxe = os_memdup(ie, len);
5527 if (!sm->ap_rsnxe)
5528 return -1;
5529
5530 sm->ap_rsnxe_len = len;
5531 }
5532
5533 return 0;
5534 }
5535
5536
wpa_sm_set_ap_rsne_override(struct wpa_sm * sm,const u8 * ie,size_t len)5537 int wpa_sm_set_ap_rsne_override(struct wpa_sm *sm, const u8 *ie, size_t len)
5538 {
5539 if (!sm)
5540 return -1;
5541
5542 os_free(sm->ap_rsne_override);
5543 if (!ie || len == 0) {
5544 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5545 "RSN: Clearing AP RSNE Override element");
5546 sm->ap_rsne_override = NULL;
5547 sm->ap_rsne_override_len = 0;
5548 } else {
5549 wpa_hexdump(MSG_DEBUG, "RSN: Set AP RSNE Override element",
5550 ie, len);
5551 sm->ap_rsne_override = os_memdup(ie, len);
5552 if (!sm->ap_rsne_override)
5553 return -1;
5554
5555 sm->ap_rsne_override_len = len;
5556 }
5557
5558 return 0;
5559 }
5560
5561
wpa_sm_set_ap_rsne_override_2(struct wpa_sm * sm,const u8 * ie,size_t len)5562 int wpa_sm_set_ap_rsne_override_2(struct wpa_sm *sm, const u8 *ie, size_t len)
5563 {
5564 if (!sm)
5565 return -1;
5566
5567 os_free(sm->ap_rsne_override_2);
5568 if (!ie || len == 0) {
5569 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5570 "RSN: Clearing AP RSNE Override 2 element");
5571 sm->ap_rsne_override_2 = NULL;
5572 sm->ap_rsne_override_2_len = 0;
5573 } else {
5574 wpa_hexdump(MSG_DEBUG, "RSN: Set AP RSNE Override 2 element",
5575 ie, len);
5576 sm->ap_rsne_override_2 = os_memdup(ie, len);
5577 if (!sm->ap_rsne_override_2)
5578 return -1;
5579
5580 sm->ap_rsne_override_2_len = len;
5581 }
5582
5583 return 0;
5584 }
5585
5586
wpa_sm_set_ap_rsnxe_override(struct wpa_sm * sm,const u8 * ie,size_t len)5587 int wpa_sm_set_ap_rsnxe_override(struct wpa_sm *sm, const u8 *ie, size_t len)
5588 {
5589 if (!sm)
5590 return -1;
5591
5592 os_free(sm->ap_rsnxe_override);
5593 if (!ie || len == 0) {
5594 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5595 "RSN: Clearing AP RSNXE Override element");
5596 sm->ap_rsnxe_override = NULL;
5597 sm->ap_rsnxe_override_len = 0;
5598 } else {
5599 wpa_hexdump(MSG_DEBUG, "RSN: Set AP RSNXE Override element",
5600 ie, len);
5601 sm->ap_rsnxe_override = os_memdup(ie, len);
5602 if (!sm->ap_rsnxe_override)
5603 return -1;
5604
5605 sm->ap_rsnxe_override_len = len;
5606 }
5607
5608 return 0;
5609 }
5610
5611
5612 /**
5613 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
5614 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5615 * @data: Pointer to data area for parsing results
5616 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
5617 *
5618 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
5619 * parsed data into data.
5620 */
wpa_sm_parse_own_wpa_ie(struct wpa_sm * sm,struct wpa_ie_data * data)5621 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
5622 {
5623 if (sm == NULL)
5624 return -1;
5625
5626 if (sm->assoc_wpa_ie == NULL) {
5627 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5628 "WPA: No WPA/RSN IE available from association info");
5629 return -1;
5630 }
5631 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
5632 return -2;
5633 return 0;
5634 }
5635
5636
wpa_sm_pmksa_cache_list(struct wpa_sm * sm,char * buf,size_t len)5637 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
5638 {
5639 return pmksa_cache_list(sm->pmksa, buf, len);
5640 }
5641
5642
wpa_sm_pmksa_cache_head(struct wpa_sm * sm)5643 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
5644 {
5645 return pmksa_cache_head(sm->pmksa);
5646 }
5647
5648
5649 struct rsn_pmksa_cache_entry *
wpa_sm_pmksa_cache_add_entry(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)5650 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
5651 struct rsn_pmksa_cache_entry * entry)
5652 {
5653 return pmksa_cache_add_entry(sm->pmksa, entry);
5654 }
5655
5656
wpa_sm_pmksa_cache_add(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid,const u8 * fils_cache_id)5657 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
5658 const u8 *pmkid, const u8 *bssid,
5659 const u8 *fils_cache_id)
5660 {
5661 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
5662 bssid, sm->own_addr, sm->network_ctx,
5663 sm->key_mgmt, fils_cache_id);
5664 }
5665
5666
wpa_sm_pmksa_exists(struct wpa_sm * sm,const u8 * bssid,const u8 * own_addr,const void * network_ctx)5667 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid, const u8 *own_addr,
5668 const void *network_ctx)
5669 {
5670 return pmksa_cache_get(sm->pmksa, bssid, own_addr, NULL, network_ctx,
5671 0) != NULL;
5672 }
5673
5674
wpa_sm_pmksa_cache_get(struct wpa_sm * sm,const u8 * aa,const u8 * pmkid,const void * network_ctx,int akmp)5675 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_get(struct wpa_sm *sm,
5676 const u8 *aa,
5677 const u8 *pmkid,
5678 const void *network_ctx,
5679 int akmp)
5680 {
5681 return pmksa_cache_get(sm->pmksa, aa, sm->own_addr, pmkid, network_ctx,
5682 akmp);
5683 }
5684
5685
wpa_sm_pmksa_get_pmk(struct wpa_sm * sm,const u8 * aa,const u8 ** pmk,size_t * pmk_len,const u8 ** pmkid)5686 int wpa_sm_pmksa_get_pmk(struct wpa_sm *sm, const u8 *aa, const u8 **pmk,
5687 size_t *pmk_len, const u8 **pmkid)
5688 {
5689 struct rsn_pmksa_cache_entry *pmksa;
5690
5691 pmksa = wpa_sm_pmksa_cache_get(sm, aa, NULL, NULL, 0);
5692 if (!pmksa) {
5693 wpa_printf(MSG_DEBUG, "RSN: Failed to get PMKSA for " MACSTR,
5694 MAC2STR(aa));
5695 return -1;
5696 }
5697
5698 *pmk = pmksa->pmk;
5699 *pmk_len = pmksa->pmk_len;
5700 *pmkid = pmksa->pmkid;
5701 return 0;
5702 }
5703
5704
wpa_sm_pmksa_cache_remove(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)5705 void wpa_sm_pmksa_cache_remove(struct wpa_sm *sm,
5706 struct rsn_pmksa_cache_entry *entry)
5707 {
5708 if (sm && sm->pmksa)
5709 pmksa_cache_remove(sm->pmksa, entry);
5710 }
5711
5712
wpa_sm_drop_sa(struct wpa_sm * sm)5713 void wpa_sm_drop_sa(struct wpa_sm *sm)
5714 {
5715 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
5716 wpa_sm_clear_ptk(sm);
5717 sm->pmk_len = 0;
5718 os_memset(sm->pmk, 0, sizeof(sm->pmk));
5719 #ifdef CONFIG_IEEE80211R
5720 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
5721 sm->xxkey_len = 0;
5722 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
5723 sm->pmk_r0_len = 0;
5724 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
5725 sm->pmk_r1_len = 0;
5726 #ifdef CONFIG_PASN
5727 os_free(sm->pasn_r1kh);
5728 sm->pasn_r1kh = NULL;
5729 sm->n_pasn_r1kh = 0;
5730 #endif /* CONFIG_PASN */
5731 #endif /* CONFIG_IEEE80211R */
5732 }
5733
5734
5735 #ifdef CONFIG_IEEE80211R
wpa_sm_has_ft_keys(struct wpa_sm * sm,const u8 * md)5736 bool wpa_sm_has_ft_keys(struct wpa_sm *sm, const u8 *md)
5737 {
5738 if (!sm)
5739 return false;
5740 if (!wpa_key_mgmt_ft(sm->key_mgmt) ||
5741 os_memcmp(md, sm->key_mobility_domain,
5742 MOBILITY_DOMAIN_ID_LEN) != 0) {
5743 /* Do not allow FT protocol to be used even if we were to have
5744 * an PTK since the mobility domain has changed. */
5745 return false;
5746 }
5747 return sm->ptk_set;
5748 }
5749 #endif /* CONFIG_IEEE80211R */
5750
5751
wpa_sm_has_ptk_installed(struct wpa_sm * sm)5752 int wpa_sm_has_ptk_installed(struct wpa_sm *sm)
5753 {
5754 if (!sm)
5755 return 0;
5756 return sm->tk_set || sm->ptk.installed;
5757 }
5758
5759
wpa_sm_update_replay_ctr(struct wpa_sm * sm,const u8 * replay_ctr)5760 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
5761 {
5762 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
5763 }
5764
5765
wpa_sm_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)5766 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
5767 {
5768 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, false);
5769 }
5770
5771
wpa_sm_external_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)5772 void wpa_sm_external_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
5773 {
5774 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, true);
5775 }
5776
5777 #if defined(CONFIG_DRIVER_NL80211_BRCM) || defined(CONFIG_DRIVER_NL80211_SYNA)
wpa_sm_install_pmk(struct wpa_sm * sm)5778 void wpa_sm_install_pmk(struct wpa_sm *sm)
5779 {
5780 /* In case the driver wants to handle re-assocs, pass it down the PMK. */
5781 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->pairwise_cipher), NULL, 0, 0, NULL, 0,
5782 (u8*)sm->pmk, sm->pmk_len, KEY_FLAG_PMK) < 0) {
5783 wpa_hexdump(MSG_DEBUG, "PSK: Install PMK to the driver for driver reassociations",
5784 (u8*)sm->pmk, sm->pmk_len);
5785 /* No harm if the driver doesn't support. */
5786 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
5787 "WPA: Failed to set PMK to the driver");
5788 }
5789 }
5790
wpa_sm_notify_brcm_ft_reassoc(struct wpa_sm * sm,const u8 * bssid)5791 void wpa_sm_notify_brcm_ft_reassoc(struct wpa_sm *sm, const u8 *bssid)
5792 {
5793 u8 buf[256];
5794 struct wpa_supplicant *wpa_s = sm->ctx->ctx;
5795
5796 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5797 "WPA: BRCM FT Reassociation event - clear replay counter");
5798 os_memcpy(sm->bssid, bssid, ETH_ALEN);
5799 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
5800 sm->rx_replay_counter_set = 0;
5801
5802 if (wpa_drv_driver_cmd(wpa_s, "GET_FTKEY", (char *)buf, sizeof(buf)) < 0) {
5803 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
5804 "WPA: Failed to get FT KEY information");
5805 wpa_supplicant_deauthenticate(
5806 wpa_s, WLAN_REASON_DEAUTH_LEAVING);
5807
5808 } else {
5809 /* update kck and kek */
5810 os_memcpy(sm->ptk.kck, buf, 16);
5811 os_memcpy(sm->ptk.kek, buf + 16, 16);
5812 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
5813 "WPA: Updated KCK and KEK after FT reassoc");
5814 }
5815 }
5816 #endif /* CONFIG_DRIVER_NL80211_BRCM || CONFIG_DRIVER_NL80211_SYNA */
5817
5818
5819 #ifdef CONFIG_WNM
wpa_wnmsleep_install_key(struct wpa_sm * sm,u8 subelem_id,u8 * buf)5820 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
5821 {
5822 u16 keyinfo;
5823 u8 keylen; /* plaintext key len */
5824 u8 *key_rsc;
5825
5826 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
5827 struct wpa_gtk_data gd;
5828
5829 os_memset(&gd, 0, sizeof(gd));
5830 keylen = wpa_cipher_key_len(sm->group_cipher);
5831 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
5832 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
5833 if (gd.alg == WPA_ALG_NONE) {
5834 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
5835 return -1;
5836 }
5837
5838 key_rsc = buf + 5;
5839 keyinfo = WPA_GET_LE16(buf + 2);
5840 gd.gtk_len = keylen;
5841 if (gd.gtk_len != buf[4]) {
5842 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
5843 gd.gtk_len, buf[4]);
5844 return -1;
5845 }
5846 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
5847 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
5848 sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
5849
5850 os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
5851
5852 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
5853 gd.gtk, gd.gtk_len);
5854 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
5855 forced_memzero(&gd, sizeof(gd));
5856 wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
5857 "WNM mode");
5858 return -1;
5859 }
5860 forced_memzero(&gd, sizeof(gd));
5861 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
5862 const struct wpa_igtk_kde *igtk;
5863
5864 igtk = (const struct wpa_igtk_kde *) (buf + 2);
5865 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
5866 return -1;
5867 } else if (subelem_id == WNM_SLEEP_SUBELEM_BIGTK) {
5868 const struct wpa_bigtk_kde *bigtk;
5869
5870 bigtk = (const struct wpa_bigtk_kde *) (buf + 2);
5871 if (sm->beacon_prot &&
5872 wpa_supplicant_install_bigtk(sm, bigtk, 1) < 0)
5873 return -1;
5874 } else {
5875 wpa_printf(MSG_DEBUG, "Unknown element id");
5876 return -1;
5877 }
5878
5879 return 0;
5880 }
5881 #endif /* CONFIG_WNM */
5882
5883
5884 #ifdef CONFIG_P2P
5885
wpa_sm_get_p2p_ip_addr(struct wpa_sm * sm,u8 * buf)5886 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
5887 {
5888 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
5889 return -1;
5890 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
5891 return 0;
5892 }
5893
5894 #endif /* CONFIG_P2P */
5895
5896
wpa_sm_set_rx_replay_ctr(struct wpa_sm * sm,const u8 * rx_replay_counter)5897 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
5898 {
5899 if (rx_replay_counter == NULL)
5900 return;
5901
5902 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
5903 WPA_REPLAY_COUNTER_LEN);
5904 sm->rx_replay_counter_set = 1;
5905 wpa_printf(MSG_DEBUG, "Updated key replay counter");
5906 }
5907
5908
wpa_sm_set_ptk_kck_kek(struct wpa_sm * sm,const u8 * ptk_kck,size_t ptk_kck_len,const u8 * ptk_kek,size_t ptk_kek_len)5909 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
5910 const u8 *ptk_kck, size_t ptk_kck_len,
5911 const u8 *ptk_kek, size_t ptk_kek_len)
5912 {
5913 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
5914 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
5915 sm->ptk.kck_len = ptk_kck_len;
5916 wpa_printf(MSG_DEBUG, "Updated PTK KCK");
5917 }
5918 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
5919 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
5920 sm->ptk.kek_len = ptk_kek_len;
5921 wpa_printf(MSG_DEBUG, "Updated PTK KEK");
5922 }
5923 sm->ptk_set = 1;
5924 }
5925
5926
5927 #ifdef CONFIG_TESTING_OPTIONS
5928
wpa_sm_set_test_assoc_ie(struct wpa_sm * sm,struct wpabuf * buf)5929 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
5930 {
5931 wpabuf_free(sm->test_assoc_ie);
5932 sm->test_assoc_ie = buf;
5933 }
5934
5935
wpa_sm_set_test_eapol_m2_elems(struct wpa_sm * sm,struct wpabuf * buf)5936 void wpa_sm_set_test_eapol_m2_elems(struct wpa_sm *sm, struct wpabuf *buf)
5937 {
5938 wpabuf_free(sm->test_eapol_m2_elems);
5939 sm->test_eapol_m2_elems = buf;
5940 }
5941
5942
wpa_sm_set_test_eapol_m4_elems(struct wpa_sm * sm,struct wpabuf * buf)5943 void wpa_sm_set_test_eapol_m4_elems(struct wpa_sm *sm, struct wpabuf *buf)
5944 {
5945 wpabuf_free(sm->test_eapol_m4_elems);
5946 sm->test_eapol_m4_elems = buf;
5947 }
5948
5949
wpa_sm_get_anonce(struct wpa_sm * sm)5950 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm)
5951 {
5952 return sm->anonce;
5953 }
5954
5955 #endif /* CONFIG_TESTING_OPTIONS */
5956
5957
wpa_sm_get_key_mgmt(struct wpa_sm * sm)5958 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm)
5959 {
5960 return sm->key_mgmt;
5961 }
5962
5963
wpa_sm_get_auth_addr(struct wpa_sm * sm)5964 const u8 * wpa_sm_get_auth_addr(struct wpa_sm *sm)
5965 {
5966 return sm->mlo.valid_links ? sm->mlo.ap_mld_addr : sm->bssid;
5967 }
5968
5969
5970 #ifdef CONFIG_FILS
5971
fils_build_auth(struct wpa_sm * sm,int dh_group,const u8 * md)5972 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md)
5973 {
5974 struct wpabuf *buf = NULL;
5975 struct wpabuf *erp_msg;
5976 struct wpabuf *pub = NULL;
5977
5978 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
5979 if (!erp_msg && !sm->cur_pmksa) {
5980 wpa_printf(MSG_DEBUG,
5981 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
5982 goto fail;
5983 }
5984
5985 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
5986 erp_msg != NULL, sm->cur_pmksa != NULL);
5987
5988 sm->fils_completed = 0;
5989
5990 if (!sm->assoc_wpa_ie) {
5991 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
5992 goto fail;
5993 }
5994
5995 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
5996 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
5997 goto fail;
5998
5999 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
6000 sm->fils_nonce, FILS_NONCE_LEN);
6001 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
6002 sm->fils_session, FILS_SESSION_LEN);
6003
6004 #ifdef CONFIG_FILS_SK_PFS
6005 sm->fils_dh_group = dh_group;
6006 if (dh_group) {
6007 crypto_ecdh_deinit(sm->fils_ecdh);
6008 sm->fils_ecdh = crypto_ecdh_init(dh_group);
6009 if (!sm->fils_ecdh) {
6010 wpa_printf(MSG_INFO,
6011 "FILS: Could not initialize ECDH with group %d",
6012 dh_group);
6013 goto fail;
6014 }
6015 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
6016 if (!pub)
6017 goto fail;
6018 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)",
6019 pub);
6020 sm->fils_dh_elem_len = wpabuf_len(pub);
6021 }
6022 #endif /* CONFIG_FILS_SK_PFS */
6023
6024 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
6025 (pub ? wpabuf_len(pub) : 0));
6026 if (!buf)
6027 goto fail;
6028
6029 /* Fields following the Authentication algorithm number field */
6030
6031 /* Authentication Transaction seq# */
6032 wpabuf_put_le16(buf, 1);
6033
6034 /* Status Code */
6035 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
6036
6037 /* TODO: FILS PK */
6038 #ifdef CONFIG_FILS_SK_PFS
6039 if (dh_group) {
6040 /* Finite Cyclic Group */
6041 wpabuf_put_le16(buf, dh_group);
6042 /* Element */
6043 wpabuf_put_buf(buf, pub);
6044 }
6045 #endif /* CONFIG_FILS_SK_PFS */
6046
6047 /* RSNE */
6048 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
6049 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
6050 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
6051
6052 if (md) {
6053 /* MDE when using FILS for FT initial association */
6054 struct rsn_mdie *mdie;
6055
6056 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN);
6057 wpabuf_put_u8(buf, sizeof(*mdie));
6058 mdie = wpabuf_put(buf, sizeof(*mdie));
6059 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
6060 mdie->ft_capab = 0;
6061 }
6062
6063 /* FILS Nonce */
6064 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6065 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
6066 /* Element ID Extension */
6067 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
6068 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
6069
6070 /* FILS Session */
6071 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6072 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
6073 /* Element ID Extension */
6074 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
6075 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
6076
6077 /* Wrapped Data */
6078 sm->fils_erp_pmkid_set = 0;
6079 if (erp_msg) {
6080 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6081 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
6082 /* Element ID Extension */
6083 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
6084 wpabuf_put_buf(buf, erp_msg);
6085 /* Calculate pending PMKID here so that we do not need to
6086 * maintain a copy of the EAP-Initiate/Reauth message. */
6087 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
6088 wpabuf_len(erp_msg),
6089 sm->fils_erp_pmkid) == 0)
6090 sm->fils_erp_pmkid_set = 1;
6091 }
6092
6093 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
6094 buf);
6095
6096 fail:
6097 wpabuf_free(erp_msg);
6098 wpabuf_free(pub);
6099 return buf;
6100 }
6101
6102
fils_process_auth(struct wpa_sm * sm,const u8 * bssid,const u8 * data,size_t len)6103 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
6104 size_t len)
6105 {
6106 const u8 *pos, *end;
6107 struct ieee802_11_elems elems;
6108 struct wpa_ie_data rsn;
6109 int pmkid_match = 0;
6110 u8 ick[FILS_ICK_MAX_LEN];
6111 size_t ick_len;
6112 int res;
6113 struct wpabuf *dh_ss = NULL;
6114 const u8 *g_sta = NULL;
6115 size_t g_sta_len = 0;
6116 const u8 *g_ap = NULL;
6117 size_t g_ap_len = 0, kdk_len;
6118 struct wpabuf *pub = NULL;
6119 #ifdef CONFIG_IEEE80211R
6120 struct wpa_ft_ies parse;
6121
6122 os_memset(&parse, 0, sizeof(parse));
6123 #endif /* CONFIG_IEEE80211R */
6124
6125 os_memcpy(sm->bssid, bssid, ETH_ALEN);
6126
6127 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
6128 data, len);
6129 pos = data;
6130 end = data + len;
6131
6132 /* TODO: FILS PK */
6133 #ifdef CONFIG_FILS_SK_PFS
6134 if (sm->fils_dh_group) {
6135 u16 group;
6136
6137 /* Using FILS PFS */
6138
6139 /* Finite Cyclic Group */
6140 if (end - pos < 2) {
6141 wpa_printf(MSG_DEBUG,
6142 "FILS: No room for Finite Cyclic Group");
6143 goto fail;
6144 }
6145 group = WPA_GET_LE16(pos);
6146 pos += 2;
6147 if (group != sm->fils_dh_group) {
6148 wpa_printf(MSG_DEBUG,
6149 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
6150 group, sm->fils_dh_group);
6151 goto fail;
6152 }
6153
6154 /* Element */
6155 if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
6156 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
6157 goto fail;
6158 }
6159
6160 if (!sm->fils_ecdh) {
6161 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available");
6162 goto fail;
6163 }
6164 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
6165 sm->fils_dh_elem_len);
6166 if (!dh_ss) {
6167 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
6168 goto fail;
6169 }
6170 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss);
6171 g_ap = pos;
6172 g_ap_len = sm->fils_dh_elem_len;
6173 pos += sm->fils_dh_elem_len;
6174 }
6175 #endif /* CONFIG_FILS_SK_PFS */
6176
6177 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
6178 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
6179 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
6180 goto fail;
6181 }
6182
6183 /* RSNE */
6184 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
6185 elems.rsn_ie_len);
6186 if (!elems.rsn_ie ||
6187 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
6188 &rsn) < 0) {
6189 wpa_printf(MSG_DEBUG, "FILS: No RSN element");
6190 goto fail;
6191 }
6192
6193 if (!elems.fils_nonce) {
6194 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
6195 goto fail;
6196 }
6197 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
6198 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
6199
6200 #ifdef CONFIG_IEEE80211R
6201 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
6202 if (!elems.mdie || !elems.ftie) {
6203 wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE");
6204 goto fail;
6205 }
6206
6207 if (wpa_ft_parse_ies(pos, end - pos, &parse,
6208 sm->key_mgmt, false) < 0) {
6209 wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs");
6210 goto fail;
6211 }
6212
6213 if (!parse.r0kh_id) {
6214 wpa_printf(MSG_DEBUG,
6215 "FILS+FT: No R0KH-ID subelem in FTE");
6216 goto fail;
6217 }
6218 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
6219 sm->r0kh_id_len = parse.r0kh_id_len;
6220 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
6221 sm->r0kh_id, sm->r0kh_id_len);
6222
6223 if (!parse.r1kh_id) {
6224 wpa_printf(MSG_DEBUG,
6225 "FILS+FT: No R1KH-ID subelem in FTE");
6226 goto fail;
6227 }
6228 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
6229 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID",
6230 sm->r1kh_id, FT_R1KH_ID_LEN);
6231
6232 /* TODO: Check MDE and FTE payload */
6233
6234 wpabuf_free(sm->fils_ft_ies);
6235 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len +
6236 2 + elems.ftie_len);
6237 if (!sm->fils_ft_ies)
6238 goto fail;
6239 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2,
6240 2 + elems.mdie_len);
6241 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2,
6242 2 + elems.ftie_len);
6243 } else {
6244 wpabuf_free(sm->fils_ft_ies);
6245 sm->fils_ft_ies = NULL;
6246 }
6247 #endif /* CONFIG_IEEE80211R */
6248
6249 /* PMKID List */
6250 if (rsn.pmkid && rsn.num_pmkid > 0) {
6251 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
6252 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
6253
6254 if (rsn.num_pmkid != 1) {
6255 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
6256 goto fail;
6257 }
6258 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
6259 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
6260 {
6261 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
6262 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
6263 sm->cur_pmksa->pmkid, PMKID_LEN);
6264 goto fail;
6265 }
6266 wpa_printf(MSG_DEBUG,
6267 "FILS: Matching PMKID - continue using PMKSA caching");
6268 pmkid_match = 1;
6269 }
6270 if (!pmkid_match && sm->cur_pmksa) {
6271 wpa_printf(MSG_DEBUG,
6272 "FILS: No PMKID match - cannot use cached PMKSA entry");
6273 sm->cur_pmksa = NULL;
6274 }
6275
6276 /* FILS Session */
6277 if (!elems.fils_session) {
6278 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
6279 goto fail;
6280 }
6281 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
6282 FILS_SESSION_LEN);
6283 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
6284 != 0) {
6285 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
6286 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
6287 sm->fils_session, FILS_SESSION_LEN);
6288 goto fail;
6289 }
6290
6291 /* Wrapped Data */
6292 if (!sm->cur_pmksa && elems.wrapped_data) {
6293 u8 rmsk[ERP_MAX_KEY_LEN];
6294 size_t rmsk_len;
6295
6296 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
6297 elems.wrapped_data,
6298 elems.wrapped_data_len);
6299 eapol_sm_process_erp_finish(sm->eapol, elems.wrapped_data,
6300 elems.wrapped_data_len);
6301 if (eapol_sm_failed(sm->eapol))
6302 goto fail;
6303
6304 rmsk_len = ERP_MAX_KEY_LEN;
6305 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
6306 if (res == PMK_LEN) {
6307 rmsk_len = PMK_LEN;
6308 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
6309 }
6310 if (res)
6311 goto fail;
6312
6313 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
6314 sm->fils_nonce, sm->fils_anonce,
6315 dh_ss ? wpabuf_head(dh_ss) : NULL,
6316 dh_ss ? wpabuf_len(dh_ss) : 0,
6317 sm->pmk, &sm->pmk_len);
6318 forced_memzero(rmsk, sizeof(rmsk));
6319
6320 /* Don't use DHss in PTK derivation if PMKSA caching is not
6321 * used. */
6322 wpabuf_clear_free(dh_ss);
6323 dh_ss = NULL;
6324
6325 if (res)
6326 goto fail;
6327
6328 if (!sm->fils_erp_pmkid_set) {
6329 wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
6330 goto fail;
6331 }
6332 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
6333 PMKID_LEN);
6334 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
6335 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
6336 sm->fils_erp_pmkid, NULL, 0,
6337 sm->bssid, sm->own_addr,
6338 sm->network_ctx, sm->key_mgmt,
6339 NULL);
6340 }
6341
6342 if (!sm->cur_pmksa) {
6343 wpa_printf(MSG_DEBUG,
6344 "FILS: No remaining options to continue FILS authentication");
6345 goto fail;
6346 }
6347
6348 if (sm->force_kdk_derivation ||
6349 (sm->secure_ltf &&
6350 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
6351 kdk_len = WPA_KDK_MAX_LEN;
6352 else
6353 kdk_len = 0;
6354
6355 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr,
6356 wpa_sm_get_auth_addr(sm),
6357 sm->fils_nonce, sm->fils_anonce,
6358 dh_ss ? wpabuf_head(dh_ss) : NULL,
6359 dh_ss ? wpabuf_len(dh_ss) : 0,
6360 &sm->ptk, ick, &ick_len,
6361 sm->key_mgmt, sm->pairwise_cipher,
6362 sm->fils_ft, &sm->fils_ft_len,
6363 kdk_len) < 0) {
6364 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
6365 goto fail;
6366 }
6367
6368 #ifdef CONFIG_PASN
6369 if (sm->secure_ltf &&
6370 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
6371 wpa_ltf_keyseed(&sm->ptk, sm->key_mgmt, sm->pairwise_cipher)) {
6372 wpa_printf(MSG_DEBUG, "FILS: Failed to derive LTF keyseed");
6373 goto fail;
6374 }
6375 #endif /* CONFIG_PASN */
6376
6377 wpabuf_clear_free(dh_ss);
6378 dh_ss = NULL;
6379
6380 sm->ptk_set = 1;
6381 sm->tptk_set = 0;
6382 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
6383
6384 #ifdef CONFIG_FILS_SK_PFS
6385 if (sm->fils_dh_group) {
6386 if (!sm->fils_ecdh) {
6387 wpa_printf(MSG_INFO, "FILS: ECDH not initialized");
6388 goto fail;
6389 }
6390 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
6391 if (!pub)
6392 goto fail;
6393 wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub);
6394 g_sta = wpabuf_head(pub);
6395 g_sta_len = wpabuf_len(pub);
6396 if (!g_ap) {
6397 wpa_printf(MSG_INFO, "FILS: gAP not available");
6398 goto fail;
6399 }
6400 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
6401 }
6402 #endif /* CONFIG_FILS_SK_PFS */
6403
6404 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
6405 sm->fils_anonce, sm->own_addr, sm->bssid,
6406 g_sta, g_sta_len, g_ap, g_ap_len,
6407 sm->key_mgmt, sm->fils_key_auth_sta,
6408 sm->fils_key_auth_ap,
6409 &sm->fils_key_auth_len);
6410 wpabuf_free(pub);
6411 forced_memzero(ick, sizeof(ick));
6412 #ifdef CONFIG_IEEE80211R
6413 wpa_ft_parse_ies_free(&parse);
6414 #endif /* CONFIG_IEEE80211R */
6415 return res;
6416 fail:
6417 wpabuf_free(pub);
6418 wpabuf_clear_free(dh_ss);
6419 #ifdef CONFIG_IEEE80211R
6420 wpa_ft_parse_ies_free(&parse);
6421 #endif /* CONFIG_IEEE80211R */
6422 return -1;
6423 }
6424
6425
6426 #ifdef CONFIG_IEEE80211R
fils_ft_build_assoc_req_rsne(struct wpa_sm * sm,struct wpabuf * buf)6427 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf)
6428 {
6429 struct rsn_ie_hdr *rsnie;
6430 u16 capab;
6431 u8 *pos;
6432 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
6433
6434 /* RSNIE[PMKR0Name/PMKR1Name] */
6435 rsnie = wpabuf_put(buf, sizeof(*rsnie));
6436 rsnie->elem_id = WLAN_EID_RSN;
6437 WPA_PUT_LE16(rsnie->version, RSN_VERSION);
6438
6439 /* Group Suite Selector */
6440 if (!wpa_cipher_valid_group(sm->group_cipher)) {
6441 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
6442 sm->group_cipher);
6443 return -1;
6444 }
6445 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6446 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
6447 sm->group_cipher));
6448
6449 /* Pairwise Suite Count */
6450 wpabuf_put_le16(buf, 1);
6451
6452 /* Pairwise Suite List */
6453 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
6454 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
6455 sm->pairwise_cipher);
6456 return -1;
6457 }
6458 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6459 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
6460 sm->pairwise_cipher));
6461
6462 /* Authenticated Key Management Suite Count */
6463 wpabuf_put_le16(buf, 1);
6464
6465 /* Authenticated Key Management Suite List */
6466 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6467 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
6468 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
6469 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384)
6470 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
6471 else {
6472 wpa_printf(MSG_WARNING,
6473 "FILS+FT: Invalid key management type (%d)",
6474 sm->key_mgmt);
6475 return -1;
6476 }
6477
6478 /* RSN Capabilities */
6479 capab = 0;
6480 if (sm->mfp)
6481 capab |= WPA_CAPABILITY_MFPC;
6482 if (sm->mfp == 2)
6483 capab |= WPA_CAPABILITY_MFPR;
6484 if (sm->ocv)
6485 capab |= WPA_CAPABILITY_OCVC;
6486 if (sm->ext_key_id)
6487 capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST;
6488 wpabuf_put_le16(buf, capab);
6489
6490 /* PMKID Count */
6491 wpabuf_put_le16(buf, 1);
6492
6493 /* PMKID List [PMKR1Name] */
6494 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)",
6495 sm->fils_ft, sm->fils_ft_len);
6496 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len);
6497 wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID",
6498 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
6499 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
6500 sm->r0kh_id, sm->r0kh_id_len);
6501 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid,
6502 sm->ssid_len, sm->mobility_domain,
6503 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
6504 sm->pmk_r0, sm->pmk_r0_name, sm->key_mgmt) < 0) {
6505 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0");
6506 return -1;
6507 }
6508 if (wpa_key_mgmt_sae_ext_key(sm->key_mgmt))
6509 sm->pmk_r0_len = sm->fils_ft_len;
6510 else
6511 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
6512 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR,
6513 MAC2STR(sm->r1kh_id));
6514 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
6515 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
6516 sm->pmk_r1_name, sm->fils_ft_len) < 0) {
6517 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
6518 return -1;
6519 }
6520 os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN);
6521
6522 os_memcpy(sm->key_mobility_domain, sm->mobility_domain,
6523 MOBILITY_DOMAIN_ID_LEN);
6524
6525 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
6526 /* Management Group Cipher Suite */
6527 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6528 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
6529 }
6530
6531 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2;
6532 return 0;
6533 }
6534 #endif /* CONFIG_IEEE80211R */
6535
6536
fils_build_assoc_req(struct wpa_sm * sm,const u8 ** kek,size_t * kek_len,const u8 ** snonce,const u8 ** anonce,const struct wpabuf ** hlp,unsigned int num_hlp)6537 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
6538 size_t *kek_len, const u8 **snonce,
6539 const u8 **anonce,
6540 const struct wpabuf **hlp,
6541 unsigned int num_hlp)
6542 {
6543 struct wpabuf *buf;
6544 size_t len;
6545 unsigned int i;
6546
6547 len = 1000;
6548 #ifdef CONFIG_IEEE80211R
6549 if (sm->fils_ft_ies)
6550 len += wpabuf_len(sm->fils_ft_ies);
6551 if (wpa_key_mgmt_ft(sm->key_mgmt))
6552 len += 256;
6553 #endif /* CONFIG_IEEE80211R */
6554 for (i = 0; hlp && i < num_hlp; i++)
6555 len += 10 + wpabuf_len(hlp[i]);
6556 buf = wpabuf_alloc(len);
6557 if (!buf)
6558 return NULL;
6559
6560 #ifdef CONFIG_IEEE80211R
6561 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
6562 /* MDE and FTE when using FILS+FT */
6563 wpabuf_put_buf(buf, sm->fils_ft_ies);
6564 /* RSNE with PMKR1Name in PMKID field */
6565 if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) {
6566 wpabuf_free(buf);
6567 return NULL;
6568 }
6569 }
6570 #endif /* CONFIG_IEEE80211R */
6571
6572 /* FILS Session */
6573 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6574 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
6575 /* Element ID Extension */
6576 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
6577 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
6578
6579 /* Everything after FILS Session element gets encrypted in the driver
6580 * with KEK. The buffer returned from here is the plaintext version. */
6581
6582 /* TODO: FILS Public Key */
6583
6584 /* FILS Key Confirm */
6585 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6586 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
6587 /* Element ID Extension */
6588 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
6589 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
6590
6591 /* FILS HLP Container */
6592 for (i = 0; hlp && i < num_hlp; i++) {
6593 const u8 *pos = wpabuf_head(hlp[i]);
6594 size_t left = wpabuf_len(hlp[i]);
6595
6596 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6597 if (left <= 254)
6598 len = 1 + left;
6599 else
6600 len = 255;
6601 wpabuf_put_u8(buf, len); /* Length */
6602 /* Element ID Extension */
6603 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
6604 /* Destination MAC Address, Source MAC Address, HLP Packet.
6605 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
6606 * header when LPD is used). */
6607 wpabuf_put_data(buf, pos, len - 1);
6608 pos += len - 1;
6609 left -= len - 1;
6610 while (left) {
6611 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
6612 len = left > 255 ? 255 : left;
6613 wpabuf_put_u8(buf, len);
6614 wpabuf_put_data(buf, pos, len);
6615 pos += len;
6616 left -= len;
6617 }
6618 }
6619
6620 /* TODO: FILS IP Address Assignment */
6621
6622 #ifdef CONFIG_OCV
6623 if (wpa_sm_ocv_enabled(sm)) {
6624 struct wpa_channel_info ci;
6625 u8 *pos;
6626
6627 if (wpa_sm_channel_info(sm, &ci) != 0) {
6628 wpa_printf(MSG_WARNING,
6629 "FILS: Failed to get channel info for OCI element");
6630 wpabuf_free(buf);
6631 return NULL;
6632 }
6633 #ifdef CONFIG_TESTING_OPTIONS
6634 if (sm->oci_freq_override_fils_assoc) {
6635 wpa_printf(MSG_INFO,
6636 "TEST: Override OCI KDE frequency %d -> %d MHz",
6637 ci.frequency,
6638 sm->oci_freq_override_fils_assoc);
6639 ci.frequency = sm->oci_freq_override_fils_assoc;
6640 }
6641 #endif /* CONFIG_TESTING_OPTIONS */
6642
6643 pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN);
6644 if (ocv_insert_extended_oci(&ci, pos) < 0) {
6645 wpabuf_free(buf);
6646 return NULL;
6647 }
6648 }
6649 #endif /* CONFIG_OCV */
6650
6651 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
6652
6653 *kek = sm->ptk.kek;
6654 *kek_len = sm->ptk.kek_len;
6655 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
6656 *snonce = sm->fils_nonce;
6657 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
6658 *snonce, FILS_NONCE_LEN);
6659 *anonce = sm->fils_anonce;
6660 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
6661 *anonce, FILS_NONCE_LEN);
6662
6663 return buf;
6664 }
6665
6666
fils_process_hlp_resp(struct wpa_sm * sm,const u8 * resp,size_t len)6667 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
6668 {
6669 const u8 *pos, *end;
6670
6671 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
6672 if (len < 2 * ETH_ALEN)
6673 return;
6674 pos = resp + 2 * ETH_ALEN;
6675 end = resp + len;
6676 if (end - pos >= 6 &&
6677 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
6678 pos += 6; /* Remove SNAP/LLC header */
6679 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
6680 }
6681
6682
fils_process_hlp_container(struct wpa_sm * sm,const u8 * pos,size_t len)6683 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
6684 size_t len)
6685 {
6686 const u8 *end = pos + len;
6687 u8 *tmp, *tmp_pos;
6688
6689 /* Check if there are any FILS HLP Container elements */
6690 while (end - pos >= 2) {
6691 if (2 + pos[1] > end - pos)
6692 return;
6693 if (pos[0] == WLAN_EID_EXTENSION &&
6694 pos[1] >= 1 + 2 * ETH_ALEN &&
6695 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
6696 break;
6697 pos += 2 + pos[1];
6698 }
6699 if (end - pos < 2)
6700 return; /* No FILS HLP Container elements */
6701
6702 tmp = os_malloc(end - pos);
6703 if (!tmp)
6704 return;
6705
6706 while (end - pos >= 2) {
6707 if (2 + pos[1] > end - pos ||
6708 pos[0] != WLAN_EID_EXTENSION ||
6709 pos[1] < 1 + 2 * ETH_ALEN ||
6710 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
6711 break;
6712 tmp_pos = tmp;
6713 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
6714 tmp_pos += pos[1] - 1;
6715 pos += 2 + pos[1];
6716
6717 /* Add possible fragments */
6718 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
6719 2 + pos[1] <= end - pos) {
6720 os_memcpy(tmp_pos, pos + 2, pos[1]);
6721 tmp_pos += pos[1];
6722 pos += 2 + pos[1];
6723 }
6724
6725 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
6726 }
6727
6728 os_free(tmp);
6729 }
6730
6731
fils_process_assoc_resp(struct wpa_sm * sm,const u8 * resp,size_t len)6732 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
6733 {
6734 const struct ieee80211_mgmt *mgmt;
6735 const u8 *end, *ie_start;
6736 struct ieee802_11_elems elems;
6737 int keylen, rsclen;
6738 enum wpa_alg alg;
6739 struct wpa_gtk_data gd;
6740 int maxkeylen;
6741 struct wpa_eapol_ie_parse kde;
6742
6743 if (!sm || !sm->ptk_set) {
6744 wpa_printf(MSG_DEBUG, "FILS: No KEK available");
6745 return -1;
6746 }
6747
6748 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
6749 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
6750 return -1;
6751 }
6752
6753 if (sm->fils_completed) {
6754 wpa_printf(MSG_DEBUG,
6755 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
6756 return -1;
6757 }
6758
6759 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
6760 resp, len);
6761
6762 mgmt = (const struct ieee80211_mgmt *) resp;
6763 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
6764 return -1;
6765
6766 end = resp + len;
6767 /* Same offset for Association Response and Reassociation Response */
6768 ie_start = mgmt->u.assoc_resp.variable;
6769
6770 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
6771 ParseFailed) {
6772 wpa_printf(MSG_DEBUG,
6773 "FILS: Failed to parse decrypted elements");
6774 goto fail;
6775 }
6776
6777 if (!elems.fils_session) {
6778 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
6779 return -1;
6780 }
6781 if (os_memcmp(elems.fils_session, sm->fils_session,
6782 FILS_SESSION_LEN) != 0) {
6783 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
6784 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
6785 elems.fils_session, FILS_SESSION_LEN);
6786 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
6787 sm->fils_session, FILS_SESSION_LEN);
6788 }
6789
6790 if (!elems.rsn_ie) {
6791 wpa_printf(MSG_DEBUG,
6792 "FILS: No RSNE in (Re)Association Response");
6793 /* As an interop workaround, allow this for now since IEEE Std
6794 * 802.11ai-2016 did not include all the needed changes to make
6795 * a FILS AP include RSNE in the frame. This workaround might
6796 * eventually be removed and replaced with rejection (goto fail)
6797 * to follow a strict interpretation of the standard. */
6798 } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
6799 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
6800 elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
6801 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
6802 "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
6803 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
6804 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
6805 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
6806 elems.rsn_ie, elems.rsn_ie_len);
6807 goto fail;
6808 }
6809
6810 if ((sm->ap_rsnxe && !elems.rsnxe) ||
6811 (!sm->ap_rsnxe && elems.rsnxe) ||
6812 (sm->ap_rsnxe && elems.rsnxe && sm->ap_rsnxe_len >= 2 &&
6813 (sm->ap_rsnxe_len != 2U + elems.rsnxe_len ||
6814 os_memcmp(sm->ap_rsnxe + 2, elems.rsnxe, sm->ap_rsnxe_len - 2) !=
6815 0))) {
6816 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
6817 "FILS: RSNXE mismatch between Beacon/Probe Response and (Re)Association Response");
6818 wpa_hexdump(MSG_INFO, "FILS: RSNXE in Beacon/Probe Response",
6819 sm->ap_rsnxe, sm->ap_rsnxe_len);
6820 wpa_hexdump(MSG_INFO, "RSNXE in (Re)Association Response",
6821 elems.rsnxe, elems.rsnxe_len);
6822 /* As an interop workaround, allow this for now if we did not
6823 * include the RSNXE in (Re)Association Request frame since
6824 * IEEE Std 802.11-2020 does not say anything about verifying
6825 * the RSNXE in FILS cases and there have been hostapd releases
6826 * that might omit the RSNXE in cases where the STA did not
6827 * include it in the Association Request frame. This workaround
6828 * might eventually be removed. */
6829 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len)
6830 goto fail;
6831 }
6832
6833 /* TODO: FILS Public Key */
6834
6835 if (!elems.fils_key_confirm) {
6836 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
6837 goto fail;
6838 }
6839 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
6840 wpa_printf(MSG_DEBUG,
6841 "FILS: Unexpected Key-Auth length %d (expected %d)",
6842 elems.fils_key_confirm_len,
6843 (int) sm->fils_key_auth_len);
6844 goto fail;
6845 }
6846 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
6847 sm->fils_key_auth_len) != 0) {
6848 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
6849 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
6850 elems.fils_key_confirm,
6851 elems.fils_key_confirm_len);
6852 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
6853 sm->fils_key_auth_ap, sm->fils_key_auth_len);
6854 goto fail;
6855 }
6856
6857 #ifdef CONFIG_OCV
6858 if (wpa_sm_ocv_enabled(sm)) {
6859 struct wpa_channel_info ci;
6860
6861 if (wpa_sm_channel_info(sm, &ci) != 0) {
6862 wpa_printf(MSG_WARNING,
6863 "Failed to get channel info to validate received OCI in FILS (Re)Association Response frame");
6864 goto fail;
6865 }
6866
6867 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
6868 channel_width_to_int(ci.chanwidth),
6869 ci.seg1_idx) != OCI_SUCCESS) {
6870 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
6871 "addr=" MACSTR " frame=fils-assoc error=%s",
6872 MAC2STR(sm->bssid), ocv_errorstr);
6873 goto fail;
6874 }
6875 }
6876 #endif /* CONFIG_OCV */
6877
6878 #ifdef CONFIG_IEEE80211R
6879 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
6880 struct wpa_ie_data rsn;
6881
6882 /* Check that PMKR1Name derived by the AP matches */
6883 if (!elems.rsn_ie ||
6884 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
6885 &rsn) < 0 ||
6886 !rsn.pmkid || rsn.num_pmkid != 1 ||
6887 os_memcmp(rsn.pmkid, sm->pmk_r1_name,
6888 WPA_PMK_NAME_LEN) != 0) {
6889 wpa_printf(MSG_DEBUG,
6890 "FILS+FT: No RSNE[PMKR1Name] match in AssocResp");
6891 goto fail;
6892 }
6893 }
6894 #endif /* CONFIG_IEEE80211R */
6895
6896 /* Key Delivery */
6897 if (!elems.key_delivery) {
6898 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
6899 goto fail;
6900 }
6901
6902 /* Parse GTK and set the key to the driver */
6903 os_memset(&gd, 0, sizeof(gd));
6904 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
6905 elems.key_delivery_len - WPA_KEY_RSC_LEN,
6906 &kde) < 0) {
6907 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
6908 goto fail;
6909 }
6910 if (!kde.gtk) {
6911 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
6912 goto fail;
6913 }
6914 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
6915 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
6916 gd.gtk_len, maxkeylen,
6917 &gd.key_rsc_len, &gd.alg))
6918 goto fail;
6919
6920 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
6921 gd.keyidx = kde.gtk[0] & 0x3;
6922 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
6923 !!(kde.gtk[0] & BIT(2)));
6924 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
6925 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
6926 (unsigned long) kde.gtk_len - 2);
6927 goto fail;
6928 }
6929 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
6930
6931 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
6932 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
6933 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
6934 goto fail;
6935 }
6936
6937 if (ieee80211w_set_keys(sm, &kde) < 0) {
6938 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
6939 goto fail;
6940 }
6941
6942 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
6943 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
6944 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
6945 wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
6946 keylen, (long unsigned int) sm->ptk.tk_len);
6947 goto fail;
6948 }
6949
6950 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
6951 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
6952 sm->ptk.tk, keylen);
6953 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm), 0, 1,
6954 null_rsc, rsclen,
6955 sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE_RX_TX) < 0) {
6956 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
6957 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d auth_addr="
6958 MACSTR ")",
6959 alg, keylen, MAC2STR(wpa_sm_get_auth_addr(sm)));
6960 goto fail;
6961 }
6962
6963 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
6964 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
6965
6966 /* TODO: TK could be cleared after auth frame exchange now that driver
6967 * takes care of association frame encryption/decryption. */
6968 /* TK is not needed anymore in supplicant */
6969 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
6970 sm->ptk.tk_len = 0;
6971 sm->ptk.installed = 1;
6972 sm->tk_set = true;
6973
6974 /* FILS HLP Container */
6975 fils_process_hlp_container(sm, ie_start, end - ie_start);
6976
6977 /* TODO: FILS IP Address Assignment */
6978
6979 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
6980 sm->fils_completed = 1;
6981 forced_memzero(&gd, sizeof(gd));
6982
6983 if (kde.transition_disable)
6984 wpa_sm_transition_disable(sm, kde.transition_disable[0]);
6985
6986 return 0;
6987 fail:
6988 forced_memzero(&gd, sizeof(gd));
6989 return -1;
6990 }
6991
6992
wpa_sm_set_reset_fils_completed(struct wpa_sm * sm,int set)6993 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set)
6994 {
6995 if (sm)
6996 sm->fils_completed = !!set;
6997 }
6998
6999 #endif /* CONFIG_FILS */
7000
7001
wpa_fils_is_completed(struct wpa_sm * sm)7002 int wpa_fils_is_completed(struct wpa_sm *sm)
7003 {
7004 #ifdef CONFIG_FILS
7005 return sm && sm->fils_completed;
7006 #else /* CONFIG_FILS */
7007 return 0;
7008 #endif /* CONFIG_FILS */
7009 }
7010
7011
7012 #ifdef CONFIG_OWE
7013
owe_build_assoc_req(struct wpa_sm * sm,u16 group)7014 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group)
7015 {
7016 struct wpabuf *ie = NULL, *pub = NULL;
7017 size_t prime_len;
7018
7019 if (group == 19)
7020 prime_len = 32;
7021 else if (group == 20)
7022 prime_len = 48;
7023 else if (group == 21)
7024 prime_len = 66;
7025 else
7026 return NULL;
7027
7028 crypto_ecdh_deinit(sm->owe_ecdh);
7029 sm->owe_ecdh = crypto_ecdh_init(group);
7030 if (!sm->owe_ecdh)
7031 goto fail;
7032 sm->owe_group = group;
7033 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
7034 pub = wpabuf_zeropad(pub, prime_len);
7035 if (!pub)
7036 goto fail;
7037
7038 ie = wpabuf_alloc(5 + wpabuf_len(pub));
7039 if (!ie)
7040 goto fail;
7041 wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
7042 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
7043 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
7044 wpabuf_put_le16(ie, group);
7045 wpabuf_put_buf(ie, pub);
7046 wpabuf_free(pub);
7047 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
7048 ie);
7049
7050 return ie;
7051 fail:
7052 wpabuf_free(pub);
7053 crypto_ecdh_deinit(sm->owe_ecdh);
7054 sm->owe_ecdh = NULL;
7055 return NULL;
7056 }
7057
7058
owe_process_assoc_resp(struct wpa_sm * sm,const u8 * bssid,const u8 * resp_ies,size_t resp_ies_len)7059 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
7060 const u8 *resp_ies, size_t resp_ies_len)
7061 {
7062 struct ieee802_11_elems elems;
7063 u16 group;
7064 struct wpabuf *secret, *pub, *hkey;
7065 int res;
7066 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
7067 const char *info = "OWE Key Generation";
7068 const u8 *addr[2];
7069 size_t len[2];
7070 size_t hash_len, prime_len;
7071 struct wpa_ie_data data;
7072
7073 if (!resp_ies ||
7074 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
7075 ParseFailed) {
7076 wpa_printf(MSG_INFO,
7077 "OWE: Could not parse Association Response frame elements");
7078 return -1;
7079 }
7080
7081 if (sm->cur_pmksa && elems.rsn_ie &&
7082 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len,
7083 &data) == 0 &&
7084 data.num_pmkid == 1 && data.pmkid &&
7085 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) {
7086 wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching");
7087 wpa_sm_set_pmk_from_pmksa(sm);
7088 return 0;
7089 }
7090
7091 if (!elems.owe_dh) {
7092 wpa_printf(MSG_INFO,
7093 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
7094 return -1;
7095 }
7096
7097 group = WPA_GET_LE16(elems.owe_dh);
7098 if (group != sm->owe_group) {
7099 wpa_printf(MSG_INFO,
7100 "OWE: Unexpected Diffie-Hellman group in response: %u",
7101 group);
7102 return -1;
7103 }
7104
7105 if (!sm->owe_ecdh) {
7106 wpa_printf(MSG_INFO, "OWE: No ECDH state available");
7107 return -1;
7108 }
7109
7110 if (group == 19)
7111 prime_len = 32;
7112 else if (group == 20)
7113 prime_len = 48;
7114 else if (group == 21)
7115 prime_len = 66;
7116 else
7117 return -1;
7118
7119 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
7120 elems.owe_dh + 2,
7121 elems.owe_dh_len - 2);
7122 secret = wpabuf_zeropad(secret, prime_len);
7123 if (!secret) {
7124 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
7125 return -1;
7126 }
7127 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
7128
7129 /* prk = HKDF-extract(C | A | group, z) */
7130
7131 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
7132 if (!pub) {
7133 wpabuf_clear_free(secret);
7134 return -1;
7135 }
7136
7137 /* PMKID = Truncate-128(Hash(C | A)) */
7138 addr[0] = wpabuf_head(pub);
7139 len[0] = wpabuf_len(pub);
7140 addr[1] = elems.owe_dh + 2;
7141 len[1] = elems.owe_dh_len - 2;
7142 if (group == 19) {
7143 res = sha256_vector(2, addr, len, pmkid);
7144 hash_len = SHA256_MAC_LEN;
7145 } else if (group == 20) {
7146 res = sha384_vector(2, addr, len, pmkid);
7147 hash_len = SHA384_MAC_LEN;
7148 } else if (group == 21) {
7149 res = sha512_vector(2, addr, len, pmkid);
7150 hash_len = SHA512_MAC_LEN;
7151 } else {
7152 res = -1;
7153 hash_len = 0;
7154 }
7155 pub = wpabuf_zeropad(pub, prime_len);
7156 if (res < 0 || !pub) {
7157 wpabuf_free(pub);
7158 wpabuf_clear_free(secret);
7159 return -1;
7160 }
7161
7162 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
7163 if (!hkey) {
7164 wpabuf_free(pub);
7165 wpabuf_clear_free(secret);
7166 return -1;
7167 }
7168
7169 wpabuf_put_buf(hkey, pub); /* C */
7170 wpabuf_free(pub);
7171 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
7172 wpabuf_put_le16(hkey, sm->owe_group); /* group */
7173 if (group == 19)
7174 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
7175 wpabuf_head(secret), wpabuf_len(secret), prk);
7176 else if (group == 20)
7177 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
7178 wpabuf_head(secret), wpabuf_len(secret), prk);
7179 else if (group == 21)
7180 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
7181 wpabuf_head(secret), wpabuf_len(secret), prk);
7182 wpabuf_clear_free(hkey);
7183 wpabuf_clear_free(secret);
7184 if (res < 0)
7185 return -1;
7186
7187 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
7188
7189 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
7190
7191 if (group == 19)
7192 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
7193 os_strlen(info), sm->pmk, hash_len);
7194 else if (group == 20)
7195 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
7196 os_strlen(info), sm->pmk, hash_len);
7197 else if (group == 21)
7198 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
7199 os_strlen(info), sm->pmk, hash_len);
7200 forced_memzero(prk, SHA512_MAC_LEN);
7201 if (res < 0) {
7202 sm->pmk_len = 0;
7203 return -1;
7204 }
7205 sm->pmk_len = hash_len;
7206
7207 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
7208 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
7209 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
7210 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
7211 NULL);
7212
7213 return 0;
7214 }
7215
7216 #endif /* CONFIG_OWE */
7217
7218
wpa_sm_set_fils_cache_id(struct wpa_sm * sm,const u8 * fils_cache_id)7219 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id)
7220 {
7221 #ifdef CONFIG_FILS
7222 if (sm && fils_cache_id) {
7223 sm->fils_cache_id_set = 1;
7224 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN);
7225 }
7226 #endif /* CONFIG_FILS */
7227 }
7228
7229
7230 #ifdef CONFIG_DPP2
wpa_sm_set_dpp_z(struct wpa_sm * sm,const struct wpabuf * z)7231 void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z)
7232 {
7233 if (sm) {
7234 wpabuf_clear_free(sm->dpp_z);
7235 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
7236 }
7237 }
7238 #endif /* CONFIG_DPP2 */
7239
7240
7241 #ifdef CONFIG_PASN
7242
wpa_pasn_sm_set_caps(struct wpa_sm * sm,unsigned int flags2)7243 void wpa_pasn_sm_set_caps(struct wpa_sm *sm, unsigned int flags2)
7244 {
7245 if (flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_STA)
7246 sm->secure_ltf = 1;
7247 if (flags2 & WPA_DRIVER_FLAGS2_SEC_RTT_STA)
7248 sm->secure_rtt = 1;
7249 if (flags2 & WPA_DRIVER_FLAGS2_PROT_RANGE_NEG_STA)
7250 sm->prot_range_neg = 1;
7251 }
7252
7253 #endif /* CONFIG_PASN */
7254
7255
wpa_sm_pmksa_cache_reconfig(struct wpa_sm * sm)7256 void wpa_sm_pmksa_cache_reconfig(struct wpa_sm *sm)
7257 {
7258 if (sm)
7259 pmksa_cache_reconfig(sm->pmksa);
7260 }
7261
7262
wpa_sm_uses_spp_amsdu(struct wpa_sm * sm)7263 bool wpa_sm_uses_spp_amsdu(struct wpa_sm *sm)
7264 {
7265 return sm ? sm->spp_amsdu : false;
7266 }
7267
7268
wpa_sm_get_pmksa_cache(struct wpa_sm * sm)7269 struct rsn_pmksa_cache * wpa_sm_get_pmksa_cache(struct wpa_sm *sm)
7270 {
7271 return sm ? sm->pmksa : NULL;
7272 }
7273
7274
wpa_sm_set_cur_pmksa(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)7275 void wpa_sm_set_cur_pmksa(struct wpa_sm *sm,
7276 struct rsn_pmksa_cache_entry *entry)
7277 {
7278 if (sm)
7279 sm->cur_pmksa = entry;
7280 }
7281
7282
wpa_sm_set_driver_bss_selection(struct wpa_sm * sm,bool driver_bss_selection)7283 void wpa_sm_set_driver_bss_selection(struct wpa_sm *sm,
7284 bool driver_bss_selection)
7285 {
7286 if (sm)
7287 sm->driver_bss_selection = driver_bss_selection;
7288 }
7289
7290
wpa_sm_known_sta_identification(struct wpa_sm * sm,const u8 * aa,u64 timestamp)7291 struct wpabuf * wpa_sm_known_sta_identification(struct wpa_sm *sm, const u8 *aa,
7292 u64 timestamp)
7293 {
7294 struct wpabuf *ie;
7295 unsigned int mic_len;
7296 const u8 *start;
7297 u8 *mic;
7298
7299 if (!sm || sm->last_kck_len == 0)
7300 return NULL;
7301
7302 if (!ether_addr_equal(aa, sm->last_kck_aa))
7303 return NULL;
7304
7305 mic_len = wpa_mic_len(sm->last_kck_key_mgmt, sm->last_kck_pmk_len);
7306
7307 ie = wpabuf_alloc(3 + 8 + 1 + mic_len);
7308 if (!ie)
7309 return NULL;
7310
7311 wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
7312 wpabuf_put_u8(ie, 1 + 8 + 1 + mic_len);
7313 wpabuf_put_u8(ie, WLAN_EID_EXT_KNOWN_STA_IDENTIFICATION);
7314 start = wpabuf_put(ie, 0);
7315 wpabuf_put_le64(ie, timestamp);
7316 wpabuf_put_u8(ie, mic_len);
7317 mic = wpabuf_put(ie, mic_len);
7318 if (wpa_eapol_key_mic(sm->last_kck, sm->last_kck_len,
7319 sm->last_kck_key_mgmt, sm->last_kck_eapol_key_ver,
7320 start, 8, mic) < 0) {
7321 wpabuf_free(ie);
7322 return NULL;
7323 }
7324
7325 return ie;
7326 }
7327