1 /*
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2015, Jouni Malinen <j@w1.fi>
4 * Copyright(c) 2015 Intel Deutschland GmbH
5 *
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
8 */
9
10 #include "includes.h"
11
12 #include "common.h"
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "common/ieee802_11_defs.h"
19 #include "common/ieee802_11_common.h"
20 #include "eap_common/eap_defs.h"
21 #include "eapol_supp/eapol_supp_sm.h"
22 #include "wpa.h"
23 #include "eloop.h"
24 #include "preauth.h"
25 #include "pmksa_cache.h"
26 #include "wpa_i.h"
27 #include "wpa_ie.h"
28 #include "peerkey.h"
29
30
31 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
32
33
34 /**
35 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
36 * @sm: Pointer to WPA state machine data from wpa_sm_init()
37 * @ptk: PTK for Key Confirmation/Encryption Key
38 * @ver: Version field from Key Info
39 * @dest: Destination address for the frame
40 * @proto: Ethertype (usually ETH_P_EAPOL)
41 * @msg: EAPOL-Key message
42 * @msg_len: Length of message
43 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
44 * Returns: >= 0 on success, < 0 on failure
45 */
wpa_eapol_key_send(struct wpa_sm * sm,struct wpa_ptk * ptk,int ver,const u8 * dest,u16 proto,u8 * msg,size_t msg_len,u8 * key_mic)46 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
47 int ver, const u8 *dest, u16 proto,
48 u8 *msg, size_t msg_len, u8 *key_mic)
49 {
50 int ret = -1;
51 size_t mic_len = wpa_mic_len(sm->key_mgmt);
52
53 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
54 /*
55 * Association event was not yet received; try to fetch
56 * BSSID from the driver.
57 */
58 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
59 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
60 "WPA: Failed to read BSSID for "
61 "EAPOL-Key destination address");
62 } else {
63 dest = sm->bssid;
64 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
65 "WPA: Use BSSID (" MACSTR
66 ") as the destination for EAPOL-Key",
67 MAC2STR(dest));
68 }
69 }
70
71 if (mic_len) {
72 if (key_mic && (!ptk || !ptk->kck_len))
73 goto out;
74
75 if (key_mic &&
76 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
77 msg, msg_len, key_mic)) {
78 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
79 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
80 ver, sm->key_mgmt);
81 goto out;
82 }
83 if (ptk)
84 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
85 ptk->kck, ptk->kck_len);
86 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
87 key_mic, mic_len);
88 } else {
89 #ifdef CONFIG_FILS
90 /* AEAD cipher - Key MIC field not used */
91 struct ieee802_1x_hdr *s_hdr, *hdr;
92 struct wpa_eapol_key *s_key, *key;
93 u8 *buf, *s_key_data, *key_data;
94 size_t buf_len = msg_len + AES_BLOCK_SIZE;
95 size_t key_data_len;
96 u16 eapol_len;
97 const u8 *aad[1];
98 size_t aad_len[1];
99
100 if (!ptk || !ptk->kek_len)
101 goto out;
102
103 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
104 sizeof(struct wpa_eapol_key) - 2;
105
106 buf = os_malloc(buf_len);
107 if (!buf)
108 goto out;
109
110 os_memcpy(buf, msg, msg_len);
111 hdr = (struct ieee802_1x_hdr *) buf;
112 key = (struct wpa_eapol_key *) (hdr + 1);
113 key_data = ((u8 *) (key + 1)) + 2;
114
115 /* Update EAPOL header to include AES-SIV overhead */
116 eapol_len = be_to_host16(hdr->length);
117 eapol_len += AES_BLOCK_SIZE;
118 hdr->length = host_to_be16(eapol_len);
119
120 /* Update Key Data Length field to include AES-SIV overhead */
121 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
122
123 s_hdr = (struct ieee802_1x_hdr *) msg;
124 s_key = (struct wpa_eapol_key *) (s_hdr + 1);
125 s_key_data = ((u8 *) (s_key + 1)) + 2;
126
127 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
128 s_key_data, key_data_len);
129
130 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
131 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
132 * to Key Data (exclusive). */
133 aad[0] = buf;
134 aad_len[0] = key_data - buf;
135 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
136 s_key_data, key_data_len,
137 1, aad, aad_len, key_data) < 0) {
138 os_free(buf);
139 goto out;
140 }
141
142 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
143 key_data, AES_BLOCK_SIZE + key_data_len);
144
145 os_free(msg);
146 msg = buf;
147 msg_len = buf_len;
148 #else /* CONFIG_FILS */
149 goto out;
150 #endif /* CONFIG_FILS */
151 }
152
153 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
154 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
155 eapol_sm_notify_tx_eapol_key(sm->eapol);
156 out:
157 os_free(msg);
158 return ret;
159 }
160
161
162 /**
163 * wpa_sm_key_request - Send EAPOL-Key Request
164 * @sm: Pointer to WPA state machine data from wpa_sm_init()
165 * @error: Indicate whether this is an Michael MIC error report
166 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
167 *
168 * Send an EAPOL-Key Request to the current authenticator. This function is
169 * used to request rekeying and it is usually called when a local Michael MIC
170 * failure is detected.
171 */
wpa_sm_key_request(struct wpa_sm * sm,int error,int pairwise)172 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
173 {
174 size_t mic_len, hdrlen, rlen;
175 struct wpa_eapol_key *reply;
176 int key_info, ver;
177 u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic;
178
179 if (sm->key_mgmt == WPA_KEY_MGMT_OSEN ||
180 wpa_key_mgmt_suite_b(sm->key_mgmt))
181 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
182 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
183 wpa_key_mgmt_sha256(sm->key_mgmt))
184 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
185 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
186 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
187 else
188 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
189
190 if (wpa_sm_get_bssid(sm, bssid) < 0) {
191 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
192 "Failed to read BSSID for EAPOL-Key request");
193 return;
194 }
195
196 mic_len = wpa_mic_len(sm->key_mgmt);
197 hdrlen = sizeof(*reply) + mic_len + 2;
198 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
199 hdrlen, &rlen, (void *) &reply);
200 if (rbuf == NULL)
201 return;
202
203 reply->type = (sm->proto == WPA_PROTO_RSN ||
204 sm->proto == WPA_PROTO_OSEN) ?
205 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
206 key_info = WPA_KEY_INFO_REQUEST | ver;
207 if (sm->ptk_set)
208 key_info |= WPA_KEY_INFO_SECURE;
209 if (sm->ptk_set && mic_len)
210 key_info |= WPA_KEY_INFO_MIC;
211 if (error)
212 key_info |= WPA_KEY_INFO_ERROR;
213 if (pairwise)
214 key_info |= WPA_KEY_INFO_KEY_TYPE;
215 WPA_PUT_BE16(reply->key_info, key_info);
216 WPA_PUT_BE16(reply->key_length, 0);
217 os_memcpy(reply->replay_counter, sm->request_counter,
218 WPA_REPLAY_COUNTER_LEN);
219 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
220
221 mic = (u8 *) (reply + 1);
222 WPA_PUT_BE16(mic + mic_len, 0);
223 if (!(key_info & WPA_KEY_INFO_MIC))
224 key_mic = NULL;
225 else
226 key_mic = mic;
227
228 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
229 "WPA: Sending EAPOL-Key Request (error=%d "
230 "pairwise=%d ptk_set=%d len=%lu)",
231 error, pairwise, sm->ptk_set, (unsigned long) rlen);
232 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen,
233 key_mic);
234 }
235
236
wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm * sm)237 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
238 {
239 #ifdef CONFIG_IEEE80211R
240 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
241 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
242 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
243 "RSN: Cannot set low order 256 bits of MSK for key management offload");
244 } else {
245 #endif /* CONFIG_IEEE80211R */
246 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
247 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
248 "RSN: Cannot set PMK for key management offload");
249 #ifdef CONFIG_IEEE80211R
250 }
251 #endif /* CONFIG_IEEE80211R */
252 }
253
254
wpa_supplicant_get_pmk(struct wpa_sm * sm,const unsigned char * src_addr,const u8 * pmkid)255 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
256 const unsigned char *src_addr,
257 const u8 *pmkid)
258 {
259 int abort_cached = 0;
260
261 if (pmkid && !sm->cur_pmksa) {
262 /* When using drivers that generate RSN IE, wpa_supplicant may
263 * not have enough time to get the association information
264 * event before receiving this 1/4 message, so try to find a
265 * matching PMKSA cache entry here. */
266 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid,
267 NULL);
268 if (sm->cur_pmksa) {
269 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
270 "RSN: found matching PMKID from PMKSA cache");
271 } else {
272 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
273 "RSN: no matching PMKID found");
274 abort_cached = 1;
275 }
276 }
277
278 if (pmkid && sm->cur_pmksa &&
279 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
280 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
281 wpa_sm_set_pmk_from_pmksa(sm);
282 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
283 sm->pmk, sm->pmk_len);
284 eapol_sm_notify_cached(sm->eapol);
285 #ifdef CONFIG_IEEE80211R
286 sm->xxkey_len = 0;
287 #endif /* CONFIG_IEEE80211R */
288 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
289 int res, pmk_len;
290
291 if (wpa_key_mgmt_sha384(sm->key_mgmt))
292 pmk_len = PMK_LEN_SUITE_B_192;
293 else
294 pmk_len = PMK_LEN;
295 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
296 if (res) {
297 if (pmk_len == PMK_LEN) {
298 /*
299 * EAP-LEAP is an exception from other EAP
300 * methods: it uses only 16-byte PMK.
301 */
302 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
303 pmk_len = 16;
304 }
305 } else {
306 #ifdef CONFIG_IEEE80211R
307 u8 buf[2 * PMK_LEN];
308 if (eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0)
309 {
310 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
311 sm->xxkey_len = PMK_LEN;
312 os_memset(buf, 0, sizeof(buf));
313 }
314 #endif /* CONFIG_IEEE80211R */
315 }
316 if (res == 0) {
317 struct rsn_pmksa_cache_entry *sa = NULL;
318 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
319 "machines", sm->pmk, pmk_len);
320 sm->pmk_len = pmk_len;
321 wpa_supplicant_key_mgmt_set_pmk(sm);
322 if (sm->proto == WPA_PROTO_RSN &&
323 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
324 !wpa_key_mgmt_ft(sm->key_mgmt)) {
325 sa = pmksa_cache_add(sm->pmksa,
326 sm->pmk, pmk_len, NULL,
327 NULL, 0,
328 src_addr, sm->own_addr,
329 sm->network_ctx,
330 sm->key_mgmt);
331 }
332 if (!sm->cur_pmksa && pmkid &&
333 pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL))
334 {
335 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
336 "RSN: the new PMK matches with the "
337 "PMKID");
338 abort_cached = 0;
339 } else if (sa && !sm->cur_pmksa && pmkid) {
340 /*
341 * It looks like the authentication server
342 * derived mismatching MSK. This should not
343 * really happen, but bugs happen.. There is not
344 * much we can do here without knowing what
345 * exactly caused the server to misbehave.
346 */
347 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
348 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
349 return -1;
350 }
351
352 if (!sm->cur_pmksa)
353 sm->cur_pmksa = sa;
354 } else {
355 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
356 "WPA: Failed to get master session key from "
357 "EAPOL state machines - key handshake "
358 "aborted");
359 if (sm->cur_pmksa) {
360 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
361 "RSN: Cancelled PMKSA caching "
362 "attempt");
363 sm->cur_pmksa = NULL;
364 abort_cached = 1;
365 } else if (!abort_cached) {
366 return -1;
367 }
368 }
369 }
370
371 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
372 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
373 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
374 {
375 /* Send EAPOL-Start to trigger full EAP authentication. */
376 u8 *buf;
377 size_t buflen;
378
379 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
380 "RSN: no PMKSA entry found - trigger "
381 "full EAP authentication");
382 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
383 NULL, 0, &buflen, NULL);
384 if (buf) {
385 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
386 buf, buflen);
387 os_free(buf);
388 return -2;
389 }
390
391 return -1;
392 }
393
394 return 0;
395 }
396
397
398 /**
399 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
400 * @sm: Pointer to WPA state machine data from wpa_sm_init()
401 * @dst: Destination address for the frame
402 * @key: Pointer to the EAPOL-Key frame header
403 * @ver: Version bits from EAPOL-Key Key Info
404 * @nonce: Nonce value for the EAPOL-Key frame
405 * @wpa_ie: WPA/RSN IE
406 * @wpa_ie_len: Length of the WPA/RSN IE
407 * @ptk: PTK to use for keyed hash and encryption
408 * Returns: >= 0 on success, < 0 on failure
409 */
wpa_supplicant_send_2_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,int ver,const u8 * nonce,const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ptk * ptk)410 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
411 const struct wpa_eapol_key *key,
412 int ver, const u8 *nonce,
413 const u8 *wpa_ie, size_t wpa_ie_len,
414 struct wpa_ptk *ptk)
415 {
416 size_t mic_len, hdrlen, rlen;
417 struct wpa_eapol_key *reply;
418 u8 *rbuf, *key_mic;
419 u8 *rsn_ie_buf = NULL;
420 u16 key_info;
421
422 if (wpa_ie == NULL) {
423 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
424 "cannot generate msg 2/4");
425 return -1;
426 }
427
428 #ifdef CONFIG_IEEE80211R
429 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
430 int res;
431
432 /*
433 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
434 * FTIE from (Re)Association Response.
435 */
436 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
437 sm->assoc_resp_ies_len);
438 if (rsn_ie_buf == NULL)
439 return -1;
440 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
441 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
442 sm->pmk_r1_name);
443 if (res < 0) {
444 os_free(rsn_ie_buf);
445 return -1;
446 }
447
448 if (sm->assoc_resp_ies) {
449 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
450 sm->assoc_resp_ies_len);
451 wpa_ie_len += sm->assoc_resp_ies_len;
452 }
453
454 wpa_ie = rsn_ie_buf;
455 }
456 #endif /* CONFIG_IEEE80211R */
457
458 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
459
460 mic_len = wpa_mic_len(sm->key_mgmt);
461 hdrlen = sizeof(*reply) + mic_len + 2;
462 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
463 NULL, hdrlen + wpa_ie_len,
464 &rlen, (void *) &reply);
465 if (rbuf == NULL) {
466 os_free(rsn_ie_buf);
467 return -1;
468 }
469
470 reply->type = (sm->proto == WPA_PROTO_RSN ||
471 sm->proto == WPA_PROTO_OSEN) ?
472 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
473 key_info = ver | WPA_KEY_INFO_KEY_TYPE;
474 if (mic_len)
475 key_info |= WPA_KEY_INFO_MIC;
476 else
477 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
478 WPA_PUT_BE16(reply->key_info, key_info);
479 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
480 WPA_PUT_BE16(reply->key_length, 0);
481 else
482 os_memcpy(reply->key_length, key->key_length, 2);
483 os_memcpy(reply->replay_counter, key->replay_counter,
484 WPA_REPLAY_COUNTER_LEN);
485 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
486 WPA_REPLAY_COUNTER_LEN);
487
488 key_mic = (u8 *) (reply + 1);
489 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */
490 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
491 os_free(rsn_ie_buf);
492
493 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
494
495 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
496 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
497 key_mic);
498 }
499
500
wpa_derive_ptk(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,struct wpa_ptk * ptk)501 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
502 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
503 {
504 #ifdef CONFIG_IEEE80211R
505 if (wpa_key_mgmt_ft(sm->key_mgmt))
506 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
507 #endif /* CONFIG_IEEE80211R */
508
509 return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
510 sm->own_addr, sm->bssid, sm->snonce,
511 key->key_nonce, ptk, sm->key_mgmt,
512 sm->pairwise_cipher);
513 }
514
515
wpa_supplicant_process_1_of_4(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)516 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
517 const unsigned char *src_addr,
518 const struct wpa_eapol_key *key,
519 u16 ver, const u8 *key_data,
520 size_t key_data_len)
521 {
522 struct wpa_eapol_ie_parse ie;
523 struct wpa_ptk *ptk;
524 int res;
525 u8 *kde, *kde_buf = NULL;
526 size_t kde_len;
527
528 if (wpa_sm_get_network_ctx(sm) == NULL) {
529 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
530 "found (msg 1 of 4)");
531 return;
532 }
533
534 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
535 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way "
536 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
537
538 os_memset(&ie, 0, sizeof(ie));
539
540 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
541 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
542 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
543 key_data, key_data_len);
544 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
545 goto failed;
546 if (ie.pmkid) {
547 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
548 "Authenticator", ie.pmkid, PMKID_LEN);
549 }
550 }
551
552 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
553 if (res == -2) {
554 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
555 "msg 1/4 - requesting full EAP authentication");
556 return;
557 }
558 if (res)
559 goto failed;
560
561 if (sm->renew_snonce) {
562 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
563 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
564 "WPA: Failed to get random data for SNonce");
565 goto failed;
566 }
567 sm->renew_snonce = 0;
568 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
569 sm->snonce, WPA_NONCE_LEN);
570 }
571
572 /* Calculate PTK which will be stored as a temporary PTK until it has
573 * been verified when processing message 3/4. */
574 ptk = &sm->tptk;
575 wpa_derive_ptk(sm, src_addr, key, ptk);
576 if (sm->pairwise_cipher == WPA_CIPHER_TKIP) {
577 u8 buf[8];
578 /* Supplicant: swap tx/rx Mic keys */
579 os_memcpy(buf, &ptk->tk[16], 8);
580 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
581 os_memcpy(&ptk->tk[24], buf, 8);
582 os_memset(buf, 0, sizeof(buf));
583 }
584 sm->tptk_set = 1;
585
586 kde = sm->assoc_wpa_ie;
587 kde_len = sm->assoc_wpa_ie_len;
588
589 #ifdef CONFIG_P2P
590 if (sm->p2p) {
591 kde_buf = os_malloc(kde_len + 2 + RSN_SELECTOR_LEN + 1);
592 if (kde_buf) {
593 u8 *pos;
594 wpa_printf(MSG_DEBUG, "P2P: Add IP Address Request KDE "
595 "into EAPOL-Key 2/4");
596 os_memcpy(kde_buf, kde, kde_len);
597 kde = kde_buf;
598 pos = kde + kde_len;
599 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
600 *pos++ = RSN_SELECTOR_LEN + 1;
601 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
602 pos += RSN_SELECTOR_LEN;
603 *pos++ = 0x01;
604 kde_len = pos - kde;
605 }
606 }
607 #endif /* CONFIG_P2P */
608
609 if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce,
610 kde, kde_len, ptk) < 0)
611 goto failed;
612
613 os_free(kde_buf);
614 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
615 return;
616
617 failed:
618 os_free(kde_buf);
619 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
620 }
621
622
wpa_sm_start_preauth(void * eloop_ctx,void * timeout_ctx)623 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
624 {
625 struct wpa_sm *sm = eloop_ctx;
626 rsn_preauth_candidate_process(sm);
627 }
628
629
wpa_supplicant_key_neg_complete(struct wpa_sm * sm,const u8 * addr,int secure)630 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
631 const u8 *addr, int secure)
632 {
633 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
634 "WPA: Key negotiation completed with "
635 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
636 wpa_cipher_txt(sm->pairwise_cipher),
637 wpa_cipher_txt(sm->group_cipher));
638 wpa_sm_cancel_auth_timeout(sm);
639 wpa_sm_set_state(sm, WPA_COMPLETED);
640
641 if (secure) {
642 wpa_sm_mlme_setprotection(
643 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
644 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
645 eapol_sm_notify_portValid(sm->eapol, TRUE);
646 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt))
647 eapol_sm_notify_eap_success(sm->eapol, TRUE);
648 /*
649 * Start preauthentication after a short wait to avoid a
650 * possible race condition between the data receive and key
651 * configuration after the 4-Way Handshake. This increases the
652 * likelihood of the first preauth EAPOL-Start frame getting to
653 * the target AP.
654 */
655 eloop_register_timeout(1, 0, wpa_sm_start_preauth, sm, NULL);
656 }
657
658 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
659 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
660 "RSN: Authenticator accepted "
661 "opportunistic PMKSA entry - marking it valid");
662 sm->cur_pmksa->opportunistic = 0;
663 }
664
665 #ifdef CONFIG_IEEE80211R
666 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
667 /* Prepare for the next transition */
668 wpa_ft_prepare_auth_request(sm, NULL);
669 }
670 #endif /* CONFIG_IEEE80211R */
671 }
672
673
wpa_sm_rekey_ptk(void * eloop_ctx,void * timeout_ctx)674 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
675 {
676 struct wpa_sm *sm = eloop_ctx;
677 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
678 wpa_sm_key_request(sm, 0, 1);
679 }
680
681
wpa_supplicant_install_ptk(struct wpa_sm * sm,const struct wpa_eapol_key * key)682 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
683 const struct wpa_eapol_key *key)
684 {
685 int keylen, rsclen;
686 enum wpa_alg alg;
687 const u8 *key_rsc;
688
689 if (sm->ptk.installed) {
690 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
691 "WPA: Do not re-install same PTK to the driver");
692 return 0;
693 }
694
695 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
696 "WPA: Installing PTK to the driver");
697
698 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
699 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
700 "Suite: NONE - do not use pairwise keys");
701 return 0;
702 }
703
704 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
705 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
706 "WPA: Unsupported pairwise cipher %d",
707 sm->pairwise_cipher);
708 return -1;
709 }
710
711 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
712 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
713 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
714
715 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
716 key_rsc = null_rsc;
717 } else {
718 key_rsc = key->key_rsc;
719 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
720 }
721
722 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, key_rsc, rsclen,
723 sm->ptk.tk, keylen) < 0) {
724 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
725 "WPA: Failed to set PTK to the "
726 "driver (alg=%d keylen=%d bssid=" MACSTR ")",
727 alg, keylen, MAC2STR(sm->bssid));
728 return -1;
729 }
730
731 /* TK is not needed anymore in supplicant */
732 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
733 sm->ptk.installed = 1;
734
735 if (sm->wpa_ptk_rekey) {
736 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
737 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
738 sm, NULL);
739 }
740
741 return 0;
742 }
743
744
wpa_supplicant_check_group_cipher(struct wpa_sm * sm,int group_cipher,int keylen,int maxkeylen,int * key_rsc_len,enum wpa_alg * alg)745 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
746 int group_cipher,
747 int keylen, int maxkeylen,
748 int *key_rsc_len,
749 enum wpa_alg *alg)
750 {
751 int klen;
752
753 *alg = wpa_cipher_to_alg(group_cipher);
754 if (*alg == WPA_ALG_NONE) {
755 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
756 "WPA: Unsupported Group Cipher %d",
757 group_cipher);
758 return -1;
759 }
760 *key_rsc_len = wpa_cipher_rsc_len(group_cipher);
761
762 klen = wpa_cipher_key_len(group_cipher);
763 if (keylen != klen || maxkeylen < klen) {
764 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
765 "WPA: Unsupported %s Group Cipher key length %d (%d)",
766 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
767 return -1;
768 }
769 return 0;
770 }
771
772
773 struct wpa_gtk_data {
774 enum wpa_alg alg;
775 int tx, key_rsc_len, keyidx;
776 u8 gtk[32];
777 int gtk_len;
778 };
779
780
wpa_supplicant_install_gtk(struct wpa_sm * sm,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)781 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
782 const struct wpa_gtk_data *gd,
783 const u8 *key_rsc, int wnm_sleep)
784 {
785 const u8 *_gtk = gd->gtk;
786 u8 gtk_buf[32];
787
788 /* Detect possible key reinstallation */
789 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
790 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
791 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
792 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
793 sm->gtk_wnm_sleep.gtk_len) == 0)) {
794 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
795 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
796 gd->keyidx, gd->tx, gd->gtk_len);
797 return 0;
798 }
799
800 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
801 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
802 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
803 gd->keyidx, gd->tx, gd->gtk_len);
804 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
805 if (sm->group_cipher == WPA_CIPHER_TKIP) {
806 /* Swap Tx/Rx keys for Michael MIC */
807 os_memcpy(gtk_buf, gd->gtk, 16);
808 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
809 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
810 _gtk = gtk_buf;
811 }
812 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
813 if (wpa_sm_set_key(sm, gd->alg, NULL,
814 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
815 _gtk, gd->gtk_len) < 0) {
816 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
817 "WPA: Failed to set GTK to the driver "
818 "(Group only)");
819 os_memset(gtk_buf, 0, sizeof(gtk_buf));
820 return -1;
821 }
822 } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr,
823 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
824 _gtk, gd->gtk_len) < 0) {
825 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
826 "WPA: Failed to set GTK to "
827 "the driver (alg=%d keylen=%d keyidx=%d)",
828 gd->alg, gd->gtk_len, gd->keyidx);
829 os_memset(gtk_buf, 0, sizeof(gtk_buf));
830 return -1;
831 }
832 os_memset(gtk_buf, 0, sizeof(gtk_buf));
833
834 if (wnm_sleep) {
835 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
836 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
837 sm->gtk_wnm_sleep.gtk_len);
838 } else {
839 sm->gtk.gtk_len = gd->gtk_len;
840 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
841 }
842
843 return 0;
844 }
845
846
wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm * sm,int tx)847 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
848 int tx)
849 {
850 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
851 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
852 * seemed to set this bit (incorrectly, since Tx is only when
853 * doing Group Key only APs) and without this workaround, the
854 * data connection does not work because wpa_supplicant
855 * configured non-zero keyidx to be used for unicast. */
856 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
857 "WPA: Tx bit set for GTK, but pairwise "
858 "keys are used - ignore Tx bit");
859 return 0;
860 }
861 return tx;
862 }
863
864
wpa_supplicant_rsc_relaxation(const struct wpa_sm * sm,const u8 * rsc)865 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
866 const u8 *rsc)
867 {
868 int rsclen;
869
870 if (!sm->wpa_rsc_relaxation)
871 return 0;
872
873 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
874
875 /*
876 * Try to detect RSC (endian) corruption issue where the AP sends
877 * the RSC bytes in EAPOL-Key message in the wrong order, both if
878 * it's actually a 6-byte field (as it should be) and if it treats
879 * it as an 8-byte field.
880 * An AP model known to have this bug is the Sapido RB-1632.
881 */
882 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
883 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
884 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
885 rsc[0], rsc[1], rsc[2], rsc[3],
886 rsc[4], rsc[5], rsc[6], rsc[7]);
887
888 return 1;
889 }
890
891 return 0;
892 }
893
894
wpa_supplicant_pairwise_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * gtk,size_t gtk_len,int key_info)895 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
896 const struct wpa_eapol_key *key,
897 const u8 *gtk, size_t gtk_len,
898 int key_info)
899 {
900 struct wpa_gtk_data gd;
901 const u8 *key_rsc;
902
903 /*
904 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
905 * GTK KDE format:
906 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
907 * Reserved [bits 0-7]
908 * GTK
909 */
910
911 os_memset(&gd, 0, sizeof(gd));
912 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
913 gtk, gtk_len);
914
915 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
916 return -1;
917
918 gd.keyidx = gtk[0] & 0x3;
919 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
920 !!(gtk[0] & BIT(2)));
921 gtk += 2;
922 gtk_len -= 2;
923
924 os_memcpy(gd.gtk, gtk, gtk_len);
925 gd.gtk_len = gtk_len;
926
927 key_rsc = key->key_rsc;
928 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
929 key_rsc = null_rsc;
930
931 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
932 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
933 gtk_len, gtk_len,
934 &gd.key_rsc_len, &gd.alg) ||
935 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
936 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
937 "RSN: Failed to install GTK");
938 os_memset(&gd, 0, sizeof(gd));
939 return -1;
940 }
941 os_memset(&gd, 0, sizeof(gd));
942
943 wpa_supplicant_key_neg_complete(sm, sm->bssid,
944 key_info & WPA_KEY_INFO_SECURE);
945 return 0;
946 }
947
948
949 #ifdef CONFIG_IEEE80211W
wpa_supplicant_install_igtk(struct wpa_sm * sm,const struct wpa_igtk_kde * igtk,int wnm_sleep)950 static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
951 const struct wpa_igtk_kde *igtk,
952 int wnm_sleep)
953 {
954 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
955 u16 keyidx = WPA_GET_LE16(igtk->keyid);
956
957 /* Detect possible key reinstallation */
958 if ((sm->igtk.igtk_len == len &&
959 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
960 (sm->igtk_wnm_sleep.igtk_len == len &&
961 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
962 sm->igtk_wnm_sleep.igtk_len) == 0)) {
963 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
964 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
965 keyidx);
966 return 0;
967 }
968
969 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
970 "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
971 keyidx, MAC2STR(igtk->pn));
972 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
973 if (keyidx > 4095) {
974 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
975 "WPA: Invalid IGTK KeyID %d", keyidx);
976 return -1;
977 }
978 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
979 broadcast_ether_addr,
980 keyidx, 0, igtk->pn, sizeof(igtk->pn),
981 igtk->igtk, len) < 0) {
982 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
983 "WPA: Failed to configure IGTK to the driver");
984 return -1;
985 }
986
987 if (wnm_sleep) {
988 sm->igtk_wnm_sleep.igtk_len = len;
989 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
990 sm->igtk_wnm_sleep.igtk_len);
991 } else {
992 sm->igtk.igtk_len = len;
993 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
994 }
995
996 return 0;
997 }
998 #endif /* CONFIG_IEEE80211W */
999
1000
ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1001 static int ieee80211w_set_keys(struct wpa_sm *sm,
1002 struct wpa_eapol_ie_parse *ie)
1003 {
1004 #ifdef CONFIG_IEEE80211W
1005 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher))
1006 return 0;
1007
1008 if (ie->igtk) {
1009 size_t len;
1010 const struct wpa_igtk_kde *igtk;
1011
1012 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1013 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
1014 return -1;
1015
1016 igtk = (const struct wpa_igtk_kde *) ie->igtk;
1017 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
1018 return -1;
1019 }
1020
1021 return 0;
1022 #else /* CONFIG_IEEE80211W */
1023 return 0;
1024 #endif /* CONFIG_IEEE80211W */
1025 }
1026
1027
wpa_report_ie_mismatch(struct wpa_sm * sm,const char * reason,const u8 * src_addr,const u8 * wpa_ie,size_t wpa_ie_len,const u8 * rsn_ie,size_t rsn_ie_len)1028 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
1029 const char *reason, const u8 *src_addr,
1030 const u8 *wpa_ie, size_t wpa_ie_len,
1031 const u8 *rsn_ie, size_t rsn_ie_len)
1032 {
1033 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
1034 reason, MAC2STR(src_addr));
1035
1036 if (sm->ap_wpa_ie) {
1037 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
1038 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
1039 }
1040 if (wpa_ie) {
1041 if (!sm->ap_wpa_ie) {
1042 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1043 "WPA: No WPA IE in Beacon/ProbeResp");
1044 }
1045 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
1046 wpa_ie, wpa_ie_len);
1047 }
1048
1049 if (sm->ap_rsn_ie) {
1050 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1051 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1052 }
1053 if (rsn_ie) {
1054 if (!sm->ap_rsn_ie) {
1055 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1056 "WPA: No RSN IE in Beacon/ProbeResp");
1057 }
1058 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1059 rsn_ie, rsn_ie_len);
1060 }
1061
1062 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
1063 }
1064
1065
1066 #ifdef CONFIG_IEEE80211R
1067
ft_validate_mdie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_mdie)1068 static int ft_validate_mdie(struct wpa_sm *sm,
1069 const unsigned char *src_addr,
1070 struct wpa_eapol_ie_parse *ie,
1071 const u8 *assoc_resp_mdie)
1072 {
1073 struct rsn_mdie *mdie;
1074
1075 mdie = (struct rsn_mdie *) (ie->mdie + 2);
1076 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
1077 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
1078 MOBILITY_DOMAIN_ID_LEN) != 0) {
1079 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
1080 "not match with the current mobility domain");
1081 return -1;
1082 }
1083
1084 if (assoc_resp_mdie &&
1085 (assoc_resp_mdie[1] != ie->mdie[1] ||
1086 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
1087 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
1088 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
1089 ie->mdie, 2 + ie->mdie[1]);
1090 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
1091 assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
1092 return -1;
1093 }
1094
1095 return 0;
1096 }
1097
1098
ft_validate_ftie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_ftie)1099 static int ft_validate_ftie(struct wpa_sm *sm,
1100 const unsigned char *src_addr,
1101 struct wpa_eapol_ie_parse *ie,
1102 const u8 *assoc_resp_ftie)
1103 {
1104 if (ie->ftie == NULL) {
1105 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1106 "FT: No FTIE in EAPOL-Key msg 3/4");
1107 return -1;
1108 }
1109
1110 if (assoc_resp_ftie == NULL)
1111 return 0;
1112
1113 if (assoc_resp_ftie[1] != ie->ftie[1] ||
1114 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
1115 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
1116 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
1117 ie->ftie, 2 + ie->ftie[1]);
1118 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
1119 assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
1120 return -1;
1121 }
1122
1123 return 0;
1124 }
1125
1126
ft_validate_rsnie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1127 static int ft_validate_rsnie(struct wpa_sm *sm,
1128 const unsigned char *src_addr,
1129 struct wpa_eapol_ie_parse *ie)
1130 {
1131 struct wpa_ie_data rsn;
1132
1133 if (!ie->rsn_ie)
1134 return 0;
1135
1136 /*
1137 * Verify that PMKR1Name from EAPOL-Key message 3/4
1138 * matches with the value we derived.
1139 */
1140 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
1141 rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
1142 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
1143 "FT 4-way handshake message 3/4");
1144 return -1;
1145 }
1146
1147 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
1148 {
1149 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1150 "FT: PMKR1Name mismatch in "
1151 "FT 4-way handshake message 3/4");
1152 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
1153 rsn.pmkid, WPA_PMK_NAME_LEN);
1154 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1155 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1156 return -1;
1157 }
1158
1159 return 0;
1160 }
1161
1162
wpa_supplicant_validate_ie_ft(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1163 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
1164 const unsigned char *src_addr,
1165 struct wpa_eapol_ie_parse *ie)
1166 {
1167 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
1168
1169 if (sm->assoc_resp_ies) {
1170 pos = sm->assoc_resp_ies;
1171 end = pos + sm->assoc_resp_ies_len;
1172 while (end - pos > 2) {
1173 if (2 + pos[1] > end - pos)
1174 break;
1175 switch (*pos) {
1176 case WLAN_EID_MOBILITY_DOMAIN:
1177 mdie = pos;
1178 break;
1179 case WLAN_EID_FAST_BSS_TRANSITION:
1180 ftie = pos;
1181 break;
1182 }
1183 pos += 2 + pos[1];
1184 }
1185 }
1186
1187 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
1188 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
1189 ft_validate_rsnie(sm, src_addr, ie) < 0)
1190 return -1;
1191
1192 return 0;
1193 }
1194
1195 #endif /* CONFIG_IEEE80211R */
1196
1197
wpa_supplicant_validate_ie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1198 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
1199 const unsigned char *src_addr,
1200 struct wpa_eapol_ie_parse *ie)
1201 {
1202 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
1203 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1204 "WPA: No WPA/RSN IE for this AP known. "
1205 "Trying to get from scan results");
1206 if (wpa_sm_get_beacon_ie(sm) < 0) {
1207 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1208 "WPA: Could not find AP from "
1209 "the scan results");
1210 } else {
1211 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
1212 "WPA: Found the current AP from "
1213 "updated scan results");
1214 }
1215 }
1216
1217 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
1218 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
1219 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1220 "with IE in Beacon/ProbeResp (no IE?)",
1221 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1222 ie->rsn_ie, ie->rsn_ie_len);
1223 return -1;
1224 }
1225
1226 if ((ie->wpa_ie && sm->ap_wpa_ie &&
1227 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
1228 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
1229 (ie->rsn_ie && sm->ap_rsn_ie &&
1230 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
1231 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
1232 ie->rsn_ie, ie->rsn_ie_len))) {
1233 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1234 "with IE in Beacon/ProbeResp",
1235 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1236 ie->rsn_ie, ie->rsn_ie_len);
1237 return -1;
1238 }
1239
1240 if (sm->proto == WPA_PROTO_WPA &&
1241 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
1242 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
1243 "detected - RSN was enabled and RSN IE "
1244 "was in msg 3/4, but not in "
1245 "Beacon/ProbeResp",
1246 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1247 ie->rsn_ie, ie->rsn_ie_len);
1248 return -1;
1249 }
1250
1251 #ifdef CONFIG_IEEE80211R
1252 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
1253 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
1254 return -1;
1255 #endif /* CONFIG_IEEE80211R */
1256
1257 return 0;
1258 }
1259
1260
1261 /**
1262 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
1263 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1264 * @dst: Destination address for the frame
1265 * @key: Pointer to the EAPOL-Key frame header
1266 * @ver: Version bits from EAPOL-Key Key Info
1267 * @key_info: Key Info
1268 * @ptk: PTK to use for keyed hash and encryption
1269 * Returns: >= 0 on success, < 0 on failure
1270 */
wpa_supplicant_send_4_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,u16 ver,u16 key_info,struct wpa_ptk * ptk)1271 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
1272 const struct wpa_eapol_key *key,
1273 u16 ver, u16 key_info,
1274 struct wpa_ptk *ptk)
1275 {
1276 size_t mic_len, hdrlen, rlen;
1277 struct wpa_eapol_key *reply;
1278 u8 *rbuf, *key_mic;
1279
1280 mic_len = wpa_mic_len(sm->key_mgmt);
1281 hdrlen = sizeof(*reply) + mic_len + 2;
1282 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1283 hdrlen, &rlen, (void *) &reply);
1284 if (rbuf == NULL)
1285 return -1;
1286
1287 reply->type = (sm->proto == WPA_PROTO_RSN ||
1288 sm->proto == WPA_PROTO_OSEN) ?
1289 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1290 key_info &= WPA_KEY_INFO_SECURE;
1291 key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
1292 if (mic_len)
1293 key_info |= WPA_KEY_INFO_MIC;
1294 else
1295 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1296 WPA_PUT_BE16(reply->key_info, key_info);
1297 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
1298 WPA_PUT_BE16(reply->key_length, 0);
1299 else
1300 os_memcpy(reply->key_length, key->key_length, 2);
1301 os_memcpy(reply->replay_counter, key->replay_counter,
1302 WPA_REPLAY_COUNTER_LEN);
1303
1304 key_mic = (u8 *) (reply + 1);
1305 WPA_PUT_BE16(key_mic + mic_len, 0);
1306
1307 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
1308 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
1309 key_mic);
1310 }
1311
1312
wpa_supplicant_process_3_of_4(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)1313 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
1314 const struct wpa_eapol_key *key,
1315 u16 ver, const u8 *key_data,
1316 size_t key_data_len)
1317 {
1318 u16 key_info, keylen;
1319 struct wpa_eapol_ie_parse ie;
1320
1321 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
1322 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 3 of 4-Way "
1323 "Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver);
1324
1325 key_info = WPA_GET_BE16(key->key_info);
1326
1327 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
1328 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
1329 goto failed;
1330 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1331 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1332 "WPA: GTK IE in unencrypted key data");
1333 goto failed;
1334 }
1335 #ifdef CONFIG_IEEE80211W
1336 if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1337 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1338 "WPA: IGTK KDE in unencrypted key data");
1339 goto failed;
1340 }
1341
1342 if (ie.igtk &&
1343 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
1344 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
1345 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
1346 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1347 "WPA: Invalid IGTK KDE length %lu",
1348 (unsigned long) ie.igtk_len);
1349 goto failed;
1350 }
1351 #endif /* CONFIG_IEEE80211W */
1352
1353 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
1354 goto failed;
1355
1356 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
1357 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1358 "WPA: ANonce from message 1 of 4-Way Handshake "
1359 "differs from 3 of 4-Way Handshake - drop packet (src="
1360 MACSTR ")", MAC2STR(sm->bssid));
1361 goto failed;
1362 }
1363
1364 keylen = WPA_GET_BE16(key->key_length);
1365 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
1366 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1367 "WPA: Invalid %s key length %d (src=" MACSTR
1368 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
1369 MAC2STR(sm->bssid));
1370 goto failed;
1371 }
1372
1373 #ifdef CONFIG_P2P
1374 if (ie.ip_addr_alloc) {
1375 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
1376 wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
1377 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
1378 }
1379 #endif /* CONFIG_P2P */
1380
1381 if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info,
1382 &sm->ptk) < 0) {
1383 goto failed;
1384 }
1385
1386 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
1387 * for the next 4-Way Handshake. If msg 3 is received again, the old
1388 * SNonce will still be used to avoid changing PTK. */
1389 sm->renew_snonce = 1;
1390
1391 if (key_info & WPA_KEY_INFO_INSTALL) {
1392 if (wpa_supplicant_install_ptk(sm, key))
1393 goto failed;
1394 }
1395
1396 if (key_info & WPA_KEY_INFO_SECURE) {
1397 wpa_sm_mlme_setprotection(
1398 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
1399 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1400 eapol_sm_notify_portValid(sm->eapol, TRUE);
1401 }
1402 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1403
1404 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
1405 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1406 key_info & WPA_KEY_INFO_SECURE);
1407 } else if (ie.gtk &&
1408 wpa_supplicant_pairwise_gtk(sm, key,
1409 ie.gtk, ie.gtk_len, key_info) < 0) {
1410 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1411 "RSN: Failed to configure GTK");
1412 goto failed;
1413 }
1414
1415 if (ieee80211w_set_keys(sm, &ie) < 0) {
1416 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1417 "RSN: Failed to configure IGTK");
1418 goto failed;
1419 }
1420
1421 if (ie.gtk)
1422 wpa_sm_set_rekey_offload(sm);
1423
1424 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt)) {
1425 struct rsn_pmksa_cache_entry *sa;
1426
1427 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
1428 sm->ptk.kck, sm->ptk.kck_len,
1429 sm->bssid, sm->own_addr,
1430 sm->network_ctx, sm->key_mgmt);
1431 if (!sm->cur_pmksa)
1432 sm->cur_pmksa = sa;
1433 }
1434
1435 sm->msg_3_of_4_ok = 1;
1436 return;
1437
1438 failed:
1439 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1440 }
1441
1442
wpa_supplicant_process_1_of_2_rsn(struct wpa_sm * sm,const u8 * keydata,size_t keydatalen,u16 key_info,struct wpa_gtk_data * gd)1443 static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm,
1444 const u8 *keydata,
1445 size_t keydatalen,
1446 u16 key_info,
1447 struct wpa_gtk_data *gd)
1448 {
1449 int maxkeylen;
1450 struct wpa_eapol_ie_parse ie;
1451
1452 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
1453 keydata, keydatalen);
1454 if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0)
1455 return -1;
1456 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1457 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1458 "WPA: GTK IE in unencrypted key data");
1459 return -1;
1460 }
1461 if (ie.gtk == NULL) {
1462 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1463 "WPA: No GTK IE in Group Key msg 1/2");
1464 return -1;
1465 }
1466 maxkeylen = gd->gtk_len = ie.gtk_len - 2;
1467
1468 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1469 gd->gtk_len, maxkeylen,
1470 &gd->key_rsc_len, &gd->alg))
1471 return -1;
1472
1473 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
1474 ie.gtk, ie.gtk_len);
1475 gd->keyidx = ie.gtk[0] & 0x3;
1476 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1477 !!(ie.gtk[0] & BIT(2)));
1478 if (ie.gtk_len - 2 > sizeof(gd->gtk)) {
1479 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1480 "RSN: Too long GTK in GTK IE (len=%lu)",
1481 (unsigned long) ie.gtk_len - 2);
1482 return -1;
1483 }
1484 os_memcpy(gd->gtk, ie.gtk + 2, ie.gtk_len - 2);
1485
1486 if (ieee80211w_set_keys(sm, &ie) < 0)
1487 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1488 "RSN: Failed to configure IGTK");
1489
1490 return 0;
1491 }
1492
1493
wpa_supplicant_process_1_of_2_wpa(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 key_info,u16 ver,struct wpa_gtk_data * gd)1494 static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
1495 const struct wpa_eapol_key *key,
1496 const u8 *key_data,
1497 size_t key_data_len, u16 key_info,
1498 u16 ver, struct wpa_gtk_data *gd)
1499 {
1500 size_t maxkeylen;
1501 u16 gtk_len;
1502
1503 gtk_len = WPA_GET_BE16(key->key_length);
1504 maxkeylen = key_data_len;
1505 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1506 if (maxkeylen < 8) {
1507 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1508 "WPA: Too short maxkeylen (%lu)",
1509 (unsigned long) maxkeylen);
1510 return -1;
1511 }
1512 maxkeylen -= 8;
1513 }
1514
1515 if (gtk_len > maxkeylen ||
1516 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1517 gtk_len, maxkeylen,
1518 &gd->key_rsc_len, &gd->alg))
1519 return -1;
1520
1521 gd->gtk_len = gtk_len;
1522 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1523 WPA_KEY_INFO_KEY_INDEX_SHIFT;
1524 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
1525 #ifdef CONFIG_NO_RC4
1526 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1527 "WPA: RC4 not supported in the build");
1528 return -1;
1529 #else /* CONFIG_NO_RC4 */
1530 u8 ek[32];
1531 if (key_data_len > sizeof(gd->gtk)) {
1532 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1533 "WPA: RC4 key data too long (%lu)",
1534 (unsigned long) key_data_len);
1535 return -1;
1536 }
1537 os_memcpy(ek, key->key_iv, 16);
1538 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
1539 os_memcpy(gd->gtk, key_data, key_data_len);
1540 if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) {
1541 os_memset(ek, 0, sizeof(ek));
1542 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1543 "WPA: RC4 failed");
1544 return -1;
1545 }
1546 os_memset(ek, 0, sizeof(ek));
1547 #endif /* CONFIG_NO_RC4 */
1548 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1549 if (maxkeylen % 8) {
1550 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1551 "WPA: Unsupported AES-WRAP len %lu",
1552 (unsigned long) maxkeylen);
1553 return -1;
1554 }
1555 if (maxkeylen > sizeof(gd->gtk)) {
1556 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1557 "WPA: AES-WRAP key data "
1558 "too long (keydatalen=%lu maxkeylen=%lu)",
1559 (unsigned long) key_data_len,
1560 (unsigned long) maxkeylen);
1561 return -1;
1562 }
1563 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
1564 key_data, gd->gtk)) {
1565 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1566 "WPA: AES unwrap failed - could not decrypt "
1567 "GTK");
1568 return -1;
1569 }
1570 } else {
1571 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1572 "WPA: Unsupported key_info type %d", ver);
1573 return -1;
1574 }
1575 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(
1576 sm, !!(key_info & WPA_KEY_INFO_TXRX));
1577 return 0;
1578 }
1579
1580
wpa_supplicant_send_2_of_2(struct wpa_sm * sm,const struct wpa_eapol_key * key,int ver,u16 key_info)1581 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
1582 const struct wpa_eapol_key *key,
1583 int ver, u16 key_info)
1584 {
1585 size_t mic_len, hdrlen, rlen;
1586 struct wpa_eapol_key *reply;
1587 u8 *rbuf, *key_mic;
1588
1589 mic_len = wpa_mic_len(sm->key_mgmt);
1590 hdrlen = sizeof(*reply) + mic_len + 2;
1591 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1592 hdrlen, &rlen, (void *) &reply);
1593 if (rbuf == NULL)
1594 return -1;
1595
1596 reply->type = (sm->proto == WPA_PROTO_RSN ||
1597 sm->proto == WPA_PROTO_OSEN) ?
1598 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1599 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
1600 key_info |= ver | WPA_KEY_INFO_SECURE;
1601 if (mic_len)
1602 key_info |= WPA_KEY_INFO_MIC;
1603 WPA_PUT_BE16(reply->key_info, key_info);
1604 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
1605 WPA_PUT_BE16(reply->key_length, 0);
1606 else
1607 os_memcpy(reply->key_length, key->key_length, 2);
1608 os_memcpy(reply->replay_counter, key->replay_counter,
1609 WPA_REPLAY_COUNTER_LEN);
1610
1611 key_mic = (u8 *) (reply + 1);
1612 WPA_PUT_BE16(key_mic + mic_len, 0);
1613
1614 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
1615 return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL,
1616 rbuf, rlen, key_mic);
1617 }
1618
1619
wpa_supplicant_process_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)1620 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
1621 const unsigned char *src_addr,
1622 const struct wpa_eapol_key *key,
1623 const u8 *key_data,
1624 size_t key_data_len, u16 ver)
1625 {
1626 u16 key_info;
1627 int rekey, ret;
1628 struct wpa_gtk_data gd;
1629 const u8 *key_rsc;
1630
1631 if (!sm->msg_3_of_4_ok) {
1632 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1633 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
1634 goto failed;
1635 }
1636
1637 os_memset(&gd, 0, sizeof(gd));
1638
1639 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
1640 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key "
1641 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
1642
1643 key_info = WPA_GET_BE16(key->key_info);
1644
1645 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
1646 ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data,
1647 key_data_len, key_info,
1648 &gd);
1649 } else {
1650 ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data,
1651 key_data_len,
1652 key_info, ver, &gd);
1653 }
1654
1655 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1656
1657 if (ret)
1658 goto failed;
1659
1660 key_rsc = key->key_rsc;
1661 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1662 key_rsc = null_rsc;
1663
1664 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
1665 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
1666 goto failed;
1667 os_memset(&gd, 0, sizeof(gd));
1668
1669 if (rekey) {
1670 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying "
1671 "completed with " MACSTR " [GTK=%s]",
1672 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
1673 wpa_sm_cancel_auth_timeout(sm);
1674 wpa_sm_set_state(sm, WPA_COMPLETED);
1675 } else {
1676 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1677 key_info &
1678 WPA_KEY_INFO_SECURE);
1679 }
1680
1681 wpa_sm_set_rekey_offload(sm);
1682
1683 return;
1684
1685 failed:
1686 os_memset(&gd, 0, sizeof(gd));
1687 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1688 }
1689
1690
wpa_supplicant_verify_eapol_key_mic(struct wpa_sm * sm,struct wpa_eapol_key * key,u16 ver,const u8 * buf,size_t len)1691 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
1692 struct wpa_eapol_key *key,
1693 u16 ver,
1694 const u8 *buf, size_t len)
1695 {
1696 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
1697 int ok = 0;
1698 size_t mic_len = wpa_mic_len(sm->key_mgmt);
1699
1700 os_memcpy(mic, key + 1, mic_len);
1701 if (sm->tptk_set) {
1702 os_memset(key + 1, 0, mic_len);
1703 wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len, sm->key_mgmt,
1704 ver, buf, len, (u8 *) (key + 1));
1705 if (os_memcmp_const(mic, key + 1, mic_len) != 0) {
1706 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1707 "WPA: Invalid EAPOL-Key MIC "
1708 "when using TPTK - ignoring TPTK");
1709 } else {
1710 ok = 1;
1711 sm->tptk_set = 0;
1712 sm->ptk_set = 1;
1713 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
1714 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
1715 }
1716 }
1717
1718 if (!ok && sm->ptk_set) {
1719 os_memset(key + 1, 0, mic_len);
1720 wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len, sm->key_mgmt,
1721 ver, buf, len, (u8 *) (key + 1));
1722 if (os_memcmp_const(mic, key + 1, mic_len) != 0) {
1723 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1724 "WPA: Invalid EAPOL-Key MIC - "
1725 "dropping packet");
1726 return -1;
1727 }
1728 ok = 1;
1729 }
1730
1731 if (!ok) {
1732 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1733 "WPA: Could not verify EAPOL-Key MIC - "
1734 "dropping packet");
1735 return -1;
1736 }
1737
1738 os_memcpy(sm->rx_replay_counter, key->replay_counter,
1739 WPA_REPLAY_COUNTER_LEN);
1740 sm->rx_replay_counter_set = 1;
1741 return 0;
1742 }
1743
1744
1745 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
wpa_supplicant_decrypt_key_data(struct wpa_sm * sm,struct wpa_eapol_key * key,size_t mic_len,u16 ver,u8 * key_data,size_t * key_data_len)1746 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
1747 struct wpa_eapol_key *key,
1748 size_t mic_len, u16 ver,
1749 u8 *key_data, size_t *key_data_len)
1750 {
1751 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
1752 key_data, *key_data_len);
1753 if (!sm->ptk_set) {
1754 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1755 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
1756 "Data");
1757 return -1;
1758 }
1759
1760 /* Decrypt key data here so that this operation does not need
1761 * to be implemented separately for each message type. */
1762 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
1763 #ifdef CONFIG_NO_RC4
1764 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1765 "WPA: RC4 not supported in the build");
1766 return -1;
1767 #else /* CONFIG_NO_RC4 */
1768 u8 ek[32];
1769 os_memcpy(ek, key->key_iv, 16);
1770 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
1771 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
1772 os_memset(ek, 0, sizeof(ek));
1773 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1774 "WPA: RC4 failed");
1775 return -1;
1776 }
1777 os_memset(ek, 0, sizeof(ek));
1778 #endif /* CONFIG_NO_RC4 */
1779 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1780 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
1781 sm->key_mgmt == WPA_KEY_MGMT_OSEN ||
1782 wpa_key_mgmt_suite_b(sm->key_mgmt)) {
1783 u8 *buf;
1784 if (*key_data_len < 8 || *key_data_len % 8) {
1785 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1786 "WPA: Unsupported AES-WRAP len %u",
1787 (unsigned int) *key_data_len);
1788 return -1;
1789 }
1790 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
1791 buf = os_malloc(*key_data_len);
1792 if (buf == NULL) {
1793 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1794 "WPA: No memory for AES-UNWRAP buffer");
1795 return -1;
1796 }
1797 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
1798 key_data, buf)) {
1799 bin_clear_free(buf, *key_data_len);
1800 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1801 "WPA: AES unwrap failed - "
1802 "could not decrypt EAPOL-Key key data");
1803 return -1;
1804 }
1805 os_memcpy(key_data, buf, *key_data_len);
1806 bin_clear_free(buf, *key_data_len);
1807 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
1808 } else {
1809 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1810 "WPA: Unsupported key_info type %d", ver);
1811 return -1;
1812 }
1813 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
1814 key_data, *key_data_len);
1815 return 0;
1816 }
1817
1818
1819 /**
1820 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
1821 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1822 */
wpa_sm_aborted_cached(struct wpa_sm * sm)1823 void wpa_sm_aborted_cached(struct wpa_sm *sm)
1824 {
1825 if (sm && sm->cur_pmksa) {
1826 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1827 "RSN: Cancelling PMKSA caching attempt");
1828 sm->cur_pmksa = NULL;
1829 }
1830 }
1831
1832
wpa_eapol_key_dump(struct wpa_sm * sm,const struct wpa_eapol_key * key,unsigned int key_data_len,const u8 * mic,unsigned int mic_len)1833 static void wpa_eapol_key_dump(struct wpa_sm *sm,
1834 const struct wpa_eapol_key *key,
1835 unsigned int key_data_len,
1836 const u8 *mic, unsigned int mic_len)
1837 {
1838 #ifndef CONFIG_NO_STDOUT_DEBUG
1839 u16 key_info = WPA_GET_BE16(key->key_info);
1840
1841 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
1842 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1843 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
1844 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
1845 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1846 WPA_KEY_INFO_KEY_INDEX_SHIFT,
1847 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
1848 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
1849 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
1850 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
1851 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
1852 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
1853 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
1854 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
1855 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
1856 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1857 " key_length=%u key_data_length=%u",
1858 WPA_GET_BE16(key->key_length), key_data_len);
1859 wpa_hexdump(MSG_DEBUG, " replay_counter",
1860 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1861 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
1862 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
1863 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
1864 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
1865 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
1866 #endif /* CONFIG_NO_STDOUT_DEBUG */
1867 }
1868
1869
1870 #ifdef CONFIG_FILS
wpa_supp_aead_decrypt(struct wpa_sm * sm,u8 * buf,size_t buf_len,size_t * key_data_len)1871 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
1872 size_t *key_data_len)
1873 {
1874 struct wpa_ptk *ptk;
1875 struct ieee802_1x_hdr *hdr;
1876 struct wpa_eapol_key *key;
1877 u8 *pos, *tmp;
1878 const u8 *aad[1];
1879 size_t aad_len[1];
1880
1881 if (*key_data_len < AES_BLOCK_SIZE) {
1882 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
1883 return -1;
1884 }
1885
1886 if (sm->tptk_set)
1887 ptk = &sm->tptk;
1888 else if (sm->ptk_set)
1889 ptk = &sm->ptk;
1890 else
1891 return -1;
1892
1893 hdr = (struct ieee802_1x_hdr *) buf;
1894 key = (struct wpa_eapol_key *) (hdr + 1);
1895 pos = (u8 *) (key + 1);
1896 pos += 2; /* Pointing at the Encrypted Key Data field */
1897
1898 tmp = os_malloc(*key_data_len);
1899 if (!tmp)
1900 return -1;
1901
1902 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1903 * to Key Data (exclusive). */
1904 aad[0] = buf;
1905 aad_len[0] = pos - buf;
1906 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
1907 1, aad, aad_len, tmp) < 0) {
1908 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
1909 bin_clear_free(tmp, *key_data_len);
1910 return -1;
1911 }
1912
1913 /* AEAD decryption and validation completed successfully */
1914 (*key_data_len) -= AES_BLOCK_SIZE;
1915 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
1916 tmp, *key_data_len);
1917
1918 /* Replace Key Data field with the decrypted version */
1919 os_memcpy(pos, tmp, *key_data_len);
1920 pos -= 2; /* Key Data Length field */
1921 WPA_PUT_BE16(pos, *key_data_len);
1922 bin_clear_free(tmp, *key_data_len);
1923
1924 if (sm->tptk_set) {
1925 sm->tptk_set = 0;
1926 sm->ptk_set = 1;
1927 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
1928 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
1929 }
1930
1931 os_memcpy(sm->rx_replay_counter, key->replay_counter,
1932 WPA_REPLAY_COUNTER_LEN);
1933 sm->rx_replay_counter_set = 1;
1934
1935 return 0;
1936 }
1937 #endif /* CONFIG_FILS */
1938
1939
1940 /**
1941 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
1942 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1943 * @src_addr: Source MAC address of the EAPOL packet
1944 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
1945 * @len: Length of the EAPOL frame
1946 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
1947 *
1948 * This function is called for each received EAPOL frame. Other than EAPOL-Key
1949 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
1950 * only processing WPA and WPA2 EAPOL-Key frames.
1951 *
1952 * The received EAPOL-Key packets are validated and valid packets are replied
1953 * to. In addition, key material (PTK, GTK) is configured at the end of a
1954 * successful key handshake.
1955 */
wpa_sm_rx_eapol(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)1956 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
1957 const u8 *buf, size_t len)
1958 {
1959 size_t plen, data_len, key_data_len;
1960 const struct ieee802_1x_hdr *hdr;
1961 struct wpa_eapol_key *key;
1962 u16 key_info, ver;
1963 u8 *tmp = NULL;
1964 int ret = -1;
1965 struct wpa_peerkey *peerkey = NULL;
1966 u8 *mic, *key_data;
1967 size_t mic_len, keyhdrlen;
1968
1969 #ifdef CONFIG_IEEE80211R
1970 sm->ft_completed = 0;
1971 #endif /* CONFIG_IEEE80211R */
1972
1973 mic_len = wpa_mic_len(sm->key_mgmt);
1974 keyhdrlen = sizeof(*key) + mic_len + 2;
1975
1976 if (len < sizeof(*hdr) + keyhdrlen) {
1977 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1978 "WPA: EAPOL frame too short to be a WPA "
1979 "EAPOL-Key (len %lu, expecting at least %lu)",
1980 (unsigned long) len,
1981 (unsigned long) sizeof(*hdr) + keyhdrlen);
1982 return 0;
1983 }
1984
1985 hdr = (const struct ieee802_1x_hdr *) buf;
1986 plen = be_to_host16(hdr->length);
1987 data_len = plen + sizeof(*hdr);
1988 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1989 "IEEE 802.1X RX: version=%d type=%d length=%lu",
1990 hdr->version, hdr->type, (unsigned long) plen);
1991
1992 if (hdr->version < EAPOL_VERSION) {
1993 /* TODO: backwards compatibility */
1994 }
1995 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
1996 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1997 "WPA: EAPOL frame (type %u) discarded, "
1998 "not a Key frame", hdr->type);
1999 ret = 0;
2000 goto out;
2001 }
2002 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
2003 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
2004 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2005 "WPA: EAPOL frame payload size %lu "
2006 "invalid (frame size %lu)",
2007 (unsigned long) plen, (unsigned long) len);
2008 ret = 0;
2009 goto out;
2010 }
2011 if (data_len < len) {
2012 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2013 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
2014 (unsigned long) len - data_len);
2015 }
2016
2017 /*
2018 * Make a copy of the frame since we need to modify the buffer during
2019 * MAC validation and Key Data decryption.
2020 */
2021 tmp = os_malloc(data_len);
2022 if (tmp == NULL)
2023 goto out;
2024 os_memcpy(tmp, buf, data_len);
2025 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
2026 mic = (u8 *) (key + 1);
2027 key_data = mic + mic_len + 2;
2028
2029 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
2030 {
2031 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2032 "WPA: EAPOL-Key type (%d) unknown, discarded",
2033 key->type);
2034 ret = 0;
2035 goto out;
2036 }
2037
2038 key_data_len = WPA_GET_BE16(mic + mic_len);
2039 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
2040
2041 if (key_data_len > plen - keyhdrlen) {
2042 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
2043 "frame - key_data overflow (%u > %u)",
2044 (unsigned int) key_data_len,
2045 (unsigned int) (plen - keyhdrlen));
2046 goto out;
2047 }
2048
2049 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
2050 key_info = WPA_GET_BE16(key->key_info);
2051 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
2052 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
2053 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
2054 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2055 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
2056 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
2057 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
2058 !wpa_key_mgmt_fils(sm->key_mgmt) &&
2059 sm->key_mgmt != WPA_KEY_MGMT_OSEN) {
2060 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2061 "WPA: Unsupported EAPOL-Key descriptor version %d",
2062 ver);
2063 goto out;
2064 }
2065
2066 if (sm->key_mgmt == WPA_KEY_MGMT_OSEN &&
2067 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
2068 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2069 "OSEN: Unsupported EAPOL-Key descriptor version %d",
2070 ver);
2071 goto out;
2072 }
2073
2074 if ((wpa_key_mgmt_suite_b(sm->key_mgmt) ||
2075 wpa_key_mgmt_fils(sm->key_mgmt)) &&
2076 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
2077 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2078 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
2079 ver);
2080 goto out;
2081 }
2082
2083 #ifdef CONFIG_IEEE80211R
2084 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
2085 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
2086 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
2087 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2088 "FT: AP did not use AES-128-CMAC");
2089 goto out;
2090 }
2091 } else
2092 #endif /* CONFIG_IEEE80211R */
2093 #ifdef CONFIG_IEEE80211W
2094 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
2095 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2096 sm->key_mgmt != WPA_KEY_MGMT_OSEN &&
2097 !wpa_key_mgmt_fils(sm->key_mgmt) &&
2098 !wpa_key_mgmt_suite_b(sm->key_mgmt)) {
2099 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2100 "WPA: AP did not use the "
2101 "negotiated AES-128-CMAC");
2102 goto out;
2103 }
2104 } else
2105 #endif /* CONFIG_IEEE80211W */
2106 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
2107 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
2108 !wpa_key_mgmt_fils(sm->key_mgmt) &&
2109 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2110 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2111 "WPA: CCMP is used, but EAPOL-Key "
2112 "descriptor version (%d) is not 2", ver);
2113 if (sm->group_cipher != WPA_CIPHER_CCMP &&
2114 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
2115 /* Earlier versions of IEEE 802.11i did not explicitly
2116 * require version 2 descriptor for all EAPOL-Key
2117 * packets, so allow group keys to use version 1 if
2118 * CCMP is not used for them. */
2119 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2120 "WPA: Backwards compatibility: allow invalid "
2121 "version for non-CCMP group keys");
2122 } else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
2123 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2124 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
2125 } else
2126 goto out;
2127 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
2128 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
2129 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2130 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2131 "WPA: GCMP is used, but EAPOL-Key "
2132 "descriptor version (%d) is not 2", ver);
2133 goto out;
2134 }
2135
2136 #ifdef CONFIG_PEERKEY
2137 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
2138 if (os_memcmp(peerkey->addr, src_addr, ETH_ALEN) == 0)
2139 break;
2140 }
2141
2142 if (!(key_info & WPA_KEY_INFO_SMK_MESSAGE) && peerkey) {
2143 if (!peerkey->initiator && peerkey->replay_counter_set &&
2144 os_memcmp(key->replay_counter, peerkey->replay_counter,
2145 WPA_REPLAY_COUNTER_LEN) <= 0) {
2146 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2147 "RSN: EAPOL-Key Replay Counter did not "
2148 "increase (STK) - dropping packet");
2149 goto out;
2150 } else if (peerkey->initiator) {
2151 u8 _tmp[WPA_REPLAY_COUNTER_LEN];
2152 os_memcpy(_tmp, key->replay_counter,
2153 WPA_REPLAY_COUNTER_LEN);
2154 inc_byte_array(_tmp, WPA_REPLAY_COUNTER_LEN);
2155 if (os_memcmp(_tmp, peerkey->replay_counter,
2156 WPA_REPLAY_COUNTER_LEN) != 0) {
2157 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2158 "RSN: EAPOL-Key Replay "
2159 "Counter did not match (STK) - "
2160 "dropping packet");
2161 goto out;
2162 }
2163 }
2164 }
2165
2166 if (peerkey && peerkey->initiator && (key_info & WPA_KEY_INFO_ACK)) {
2167 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2168 "RSN: Ack bit in key_info from STK peer");
2169 goto out;
2170 }
2171 #endif /* CONFIG_PEERKEY */
2172
2173 if (!peerkey && sm->rx_replay_counter_set &&
2174 os_memcmp(key->replay_counter, sm->rx_replay_counter,
2175 WPA_REPLAY_COUNTER_LEN) <= 0) {
2176 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2177 "WPA: EAPOL-Key Replay Counter did not increase - "
2178 "dropping packet");
2179 goto out;
2180 }
2181
2182 if (!(key_info & (WPA_KEY_INFO_ACK | WPA_KEY_INFO_SMK_MESSAGE))
2183 #ifdef CONFIG_PEERKEY
2184 && (peerkey == NULL || !peerkey->initiator)
2185 #endif /* CONFIG_PEERKEY */
2186 ) {
2187 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2188 "WPA: No Ack bit in key_info");
2189 goto out;
2190 }
2191
2192 if (key_info & WPA_KEY_INFO_REQUEST) {
2193 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2194 "WPA: EAPOL-Key with Request bit - dropped");
2195 goto out;
2196 }
2197
2198 if ((key_info & WPA_KEY_INFO_MIC) && !peerkey &&
2199 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
2200 goto out;
2201
2202 #ifdef CONFIG_PEERKEY
2203 if ((key_info & WPA_KEY_INFO_MIC) && peerkey &&
2204 peerkey_verify_eapol_key_mic(sm, peerkey, key, ver, tmp,
2205 data_len))
2206 goto out;
2207 #endif /* CONFIG_PEERKEY */
2208
2209 #ifdef CONFIG_FILS
2210 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2211 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
2212 goto out;
2213 }
2214 #endif /* CONFIG_FILS */
2215
2216 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
2217 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
2218 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
2219 ver, key_data,
2220 &key_data_len))
2221 goto out;
2222 }
2223
2224 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
2225 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
2226 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2227 "WPA: Ignored EAPOL-Key (Pairwise) with "
2228 "non-zero key index");
2229 goto out;
2230 }
2231 if (peerkey) {
2232 /* PeerKey 4-Way Handshake */
2233 peerkey_rx_eapol_4way(sm, peerkey, key, key_info, ver,
2234 key_data, key_data_len);
2235 } else if (key_info & (WPA_KEY_INFO_MIC |
2236 WPA_KEY_INFO_ENCR_KEY_DATA)) {
2237 /* 3/4 4-Way Handshake */
2238 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
2239 key_data_len);
2240 } else {
2241 /* 1/4 4-Way Handshake */
2242 wpa_supplicant_process_1_of_4(sm, src_addr, key,
2243 ver, key_data,
2244 key_data_len);
2245 }
2246 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
2247 /* PeerKey SMK Handshake */
2248 peerkey_rx_eapol_smk(sm, src_addr, key, key_data, key_data_len,
2249 key_info, ver);
2250 } else {
2251 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
2252 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
2253 /* 1/2 Group Key Handshake */
2254 wpa_supplicant_process_1_of_2(sm, src_addr, key,
2255 key_data, key_data_len,
2256 ver);
2257 } else {
2258 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2259 "WPA: EAPOL-Key (Group) without Mic/Encr bit - "
2260 "dropped");
2261 }
2262 }
2263
2264 ret = 1;
2265
2266 out:
2267 bin_clear_free(tmp, data_len);
2268 return ret;
2269 }
2270
2271
2272 #ifdef CONFIG_CTRL_IFACE
wpa_key_mgmt_suite(struct wpa_sm * sm)2273 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
2274 {
2275 switch (sm->key_mgmt) {
2276 case WPA_KEY_MGMT_IEEE8021X:
2277 return ((sm->proto == WPA_PROTO_RSN ||
2278 sm->proto == WPA_PROTO_OSEN) ?
2279 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
2280 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
2281 case WPA_KEY_MGMT_PSK:
2282 return (sm->proto == WPA_PROTO_RSN ?
2283 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
2284 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
2285 #ifdef CONFIG_IEEE80211R
2286 case WPA_KEY_MGMT_FT_IEEE8021X:
2287 return RSN_AUTH_KEY_MGMT_FT_802_1X;
2288 case WPA_KEY_MGMT_FT_PSK:
2289 return RSN_AUTH_KEY_MGMT_FT_PSK;
2290 #endif /* CONFIG_IEEE80211R */
2291 #ifdef CONFIG_IEEE80211W
2292 case WPA_KEY_MGMT_IEEE8021X_SHA256:
2293 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2294 case WPA_KEY_MGMT_PSK_SHA256:
2295 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2296 #endif /* CONFIG_IEEE80211W */
2297 case WPA_KEY_MGMT_CCKM:
2298 return (sm->proto == WPA_PROTO_RSN ?
2299 RSN_AUTH_KEY_MGMT_CCKM:
2300 WPA_AUTH_KEY_MGMT_CCKM);
2301 case WPA_KEY_MGMT_WPA_NONE:
2302 return WPA_AUTH_KEY_MGMT_NONE;
2303 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2304 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
2305 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2306 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
2307 default:
2308 return 0;
2309 }
2310 }
2311
2312
2313 #define RSN_SUITE "%02x-%02x-%02x-%d"
2314 #define RSN_SUITE_ARG(s) \
2315 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2316
2317 /**
2318 * wpa_sm_get_mib - Dump text list of MIB entries
2319 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2320 * @buf: Buffer for the list
2321 * @buflen: Length of the buffer
2322 * Returns: Number of bytes written to buffer
2323 *
2324 * This function is used fetch dot11 MIB variables.
2325 */
wpa_sm_get_mib(struct wpa_sm * sm,char * buf,size_t buflen)2326 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
2327 {
2328 char pmkid_txt[PMKID_LEN * 2 + 1];
2329 int rsna, ret;
2330 size_t len;
2331
2332 if (sm->cur_pmksa) {
2333 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2334 sm->cur_pmksa->pmkid, PMKID_LEN);
2335 } else
2336 pmkid_txt[0] = '\0';
2337
2338 if ((wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
2339 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
2340 sm->proto == WPA_PROTO_RSN)
2341 rsna = 1;
2342 else
2343 rsna = 0;
2344
2345 ret = os_snprintf(buf, buflen,
2346 "dot11RSNAOptionImplemented=TRUE\n"
2347 "dot11RSNAPreauthenticationImplemented=TRUE\n"
2348 "dot11RSNAEnabled=%s\n"
2349 "dot11RSNAPreauthenticationEnabled=%s\n"
2350 "dot11RSNAConfigVersion=%d\n"
2351 "dot11RSNAConfigPairwiseKeysSupported=5\n"
2352 "dot11RSNAConfigGroupCipherSize=%d\n"
2353 "dot11RSNAConfigPMKLifetime=%d\n"
2354 "dot11RSNAConfigPMKReauthThreshold=%d\n"
2355 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
2356 "dot11RSNAConfigSATimeout=%d\n",
2357 rsna ? "TRUE" : "FALSE",
2358 rsna ? "TRUE" : "FALSE",
2359 RSN_VERSION,
2360 wpa_cipher_key_len(sm->group_cipher) * 8,
2361 sm->dot11RSNAConfigPMKLifetime,
2362 sm->dot11RSNAConfigPMKReauthThreshold,
2363 sm->dot11RSNAConfigSATimeout);
2364 if (os_snprintf_error(buflen, ret))
2365 return 0;
2366 len = ret;
2367
2368 ret = os_snprintf(
2369 buf + len, buflen - len,
2370 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2371 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2372 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2373 "dot11RSNAPMKIDUsed=%s\n"
2374 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2375 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2376 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2377 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
2378 "dot11RSNA4WayHandshakeFailures=%u\n",
2379 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
2380 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2381 sm->pairwise_cipher)),
2382 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2383 sm->group_cipher)),
2384 pmkid_txt,
2385 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
2386 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2387 sm->pairwise_cipher)),
2388 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2389 sm->group_cipher)),
2390 sm->dot11RSNA4WayHandshakeFailures);
2391 if (!os_snprintf_error(buflen - len, ret))
2392 len += ret;
2393
2394 return (int) len;
2395 }
2396 #endif /* CONFIG_CTRL_IFACE */
2397
2398
wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx,enum pmksa_free_reason reason)2399 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
2400 void *ctx, enum pmksa_free_reason reason)
2401 {
2402 struct wpa_sm *sm = ctx;
2403 int deauth = 0;
2404
2405 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
2406 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
2407
2408 if (sm->cur_pmksa == entry) {
2409 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2410 "RSN: %s current PMKSA entry",
2411 reason == PMKSA_REPLACE ? "replaced" : "removed");
2412 pmksa_cache_clear_current(sm);
2413
2414 /*
2415 * If an entry is simply being replaced, there's no need to
2416 * deauthenticate because it will be immediately re-added.
2417 * This happens when EAP authentication is completed again
2418 * (reauth or failed PMKSA caching attempt).
2419 */
2420 if (reason != PMKSA_REPLACE)
2421 deauth = 1;
2422 }
2423
2424 if (reason == PMKSA_EXPIRE &&
2425 (sm->pmk_len == entry->pmk_len &&
2426 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
2427 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2428 "RSN: deauthenticating due to expired PMK");
2429 pmksa_cache_clear_current(sm);
2430 deauth = 1;
2431 }
2432
2433 if (deauth) {
2434 os_memset(sm->pmk, 0, sizeof(sm->pmk));
2435 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2436 }
2437 }
2438
2439
2440 /**
2441 * wpa_sm_init - Initialize WPA state machine
2442 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
2443 * Returns: Pointer to the allocated WPA state machine data
2444 *
2445 * This function is used to allocate a new WPA state machine and the returned
2446 * value is passed to all WPA state machine calls.
2447 */
wpa_sm_init(struct wpa_sm_ctx * ctx)2448 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
2449 {
2450 struct wpa_sm *sm;
2451
2452 sm = os_zalloc(sizeof(*sm));
2453 if (sm == NULL)
2454 return NULL;
2455 dl_list_init(&sm->pmksa_candidates);
2456 sm->renew_snonce = 1;
2457 sm->ctx = ctx;
2458
2459 sm->dot11RSNAConfigPMKLifetime = 43200;
2460 sm->dot11RSNAConfigPMKReauthThreshold = 70;
2461 sm->dot11RSNAConfigSATimeout = 60;
2462
2463 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, sm, sm);
2464 if (sm->pmksa == NULL) {
2465 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2466 "RSN: PMKSA cache initialization failed");
2467 os_free(sm);
2468 return NULL;
2469 }
2470
2471 return sm;
2472 }
2473
2474
2475 /**
2476 * wpa_sm_deinit - Deinitialize WPA state machine
2477 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2478 */
wpa_sm_deinit(struct wpa_sm * sm)2479 void wpa_sm_deinit(struct wpa_sm *sm)
2480 {
2481 if (sm == NULL)
2482 return;
2483 pmksa_cache_deinit(sm->pmksa);
2484 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
2485 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
2486 os_free(sm->assoc_wpa_ie);
2487 os_free(sm->ap_wpa_ie);
2488 os_free(sm->ap_rsn_ie);
2489 wpa_sm_drop_sa(sm);
2490 os_free(sm->ctx);
2491 peerkey_deinit(sm);
2492 #ifdef CONFIG_IEEE80211R
2493 os_free(sm->assoc_resp_ies);
2494 #endif /* CONFIG_IEEE80211R */
2495 #ifdef CONFIG_TESTING_OPTIONS
2496 wpabuf_free(sm->test_assoc_ie);
2497 #endif /* CONFIG_TESTING_OPTIONS */
2498 os_free(sm);
2499 }
2500
2501
2502 /**
2503 * wpa_sm_notify_assoc - Notify WPA state machine about association
2504 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2505 * @bssid: The BSSID of the new association
2506 *
2507 * This function is called to let WPA state machine know that the connection
2508 * was established.
2509 */
wpa_sm_notify_assoc(struct wpa_sm * sm,const u8 * bssid)2510 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
2511 {
2512 int clear_keys = 1;
2513
2514 if (sm == NULL)
2515 return;
2516
2517 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2518 "WPA: Association event - clear replay counter");
2519 os_memcpy(sm->bssid, bssid, ETH_ALEN);
2520 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
2521 sm->rx_replay_counter_set = 0;
2522 sm->renew_snonce = 1;
2523 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
2524 rsn_preauth_deinit(sm);
2525
2526 #ifdef CONFIG_IEEE80211R
2527 if (wpa_ft_is_completed(sm)) {
2528 /*
2529 * Clear portValid to kick EAPOL state machine to re-enter
2530 * AUTHENTICATED state to get the EAPOL port Authorized.
2531 */
2532 eapol_sm_notify_portValid(sm->eapol, FALSE);
2533 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2534
2535 /* Prepare for the next transition */
2536 wpa_ft_prepare_auth_request(sm, NULL);
2537
2538 clear_keys = 0;
2539 }
2540 #endif /* CONFIG_IEEE80211R */
2541 #ifdef CONFIG_FILS
2542 if (sm->fils_completed) {
2543 /*
2544 * Clear portValid to kick EAPOL state machine to re-enter
2545 * AUTHENTICATED state to get the EAPOL port Authorized.
2546 */
2547 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2548 clear_keys = 0;
2549 }
2550 #endif /* CONFIG_FILS */
2551
2552 if (clear_keys) {
2553 /*
2554 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
2555 * this is not part of a Fast BSS Transition.
2556 */
2557 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
2558 sm->ptk_set = 0;
2559 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
2560 sm->tptk_set = 0;
2561 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
2562 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
2563 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
2564 #ifdef CONFIG_IEEE80211W
2565 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
2566 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
2567 #endif /* CONFIG_IEEE80211W */
2568 }
2569
2570 #ifdef CONFIG_TDLS
2571 wpa_tdls_assoc(sm);
2572 #endif /* CONFIG_TDLS */
2573
2574 #ifdef CONFIG_P2P
2575 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
2576 #endif /* CONFIG_P2P */
2577 }
2578
2579
2580 /**
2581 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
2582 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2583 *
2584 * This function is called to let WPA state machine know that the connection
2585 * was lost. This will abort any existing pre-authentication session.
2586 */
wpa_sm_notify_disassoc(struct wpa_sm * sm)2587 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
2588 {
2589 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
2590 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
2591 peerkey_deinit(sm);
2592 rsn_preauth_deinit(sm);
2593 pmksa_cache_clear_current(sm);
2594 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
2595 sm->dot11RSNA4WayHandshakeFailures++;
2596 #ifdef CONFIG_TDLS
2597 wpa_tdls_disassoc(sm);
2598 #endif /* CONFIG_TDLS */
2599 #ifdef CONFIG_FILS
2600 sm->fils_completed = 0;
2601 #endif /* CONFIG_FILS */
2602 #ifdef CONFIG_IEEE80211R
2603 sm->ft_reassoc_completed = 0;
2604 #endif /* CONFIG_IEEE80211R */
2605
2606 /* Keys are not needed in the WPA state machine anymore */
2607 wpa_sm_drop_sa(sm);
2608
2609 sm->msg_3_of_4_ok = 0;
2610 }
2611
2612
2613 /**
2614 * wpa_sm_set_pmk - Set PMK
2615 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2616 * @pmk: The new PMK
2617 * @pmk_len: The length of the new PMK in bytes
2618 * @pmkid: Calculated PMKID
2619 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
2620 *
2621 * Configure the PMK for WPA state machine.
2622 */
wpa_sm_set_pmk(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid)2623 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
2624 const u8 *pmkid, const u8 *bssid)
2625 {
2626 if (sm == NULL)
2627 return;
2628
2629 sm->pmk_len = pmk_len;
2630 os_memcpy(sm->pmk, pmk, pmk_len);
2631
2632 #ifdef CONFIG_IEEE80211R
2633 /* Set XXKey to be PSK for FT key derivation */
2634 sm->xxkey_len = pmk_len;
2635 os_memcpy(sm->xxkey, pmk, pmk_len);
2636 #endif /* CONFIG_IEEE80211R */
2637
2638 if (bssid) {
2639 pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
2640 bssid, sm->own_addr,
2641 sm->network_ctx, sm->key_mgmt);
2642 }
2643 }
2644
2645
2646 /**
2647 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
2648 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2649 *
2650 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
2651 * will be cleared.
2652 */
wpa_sm_set_pmk_from_pmksa(struct wpa_sm * sm)2653 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
2654 {
2655 if (sm == NULL)
2656 return;
2657
2658 if (sm->cur_pmksa) {
2659 sm->pmk_len = sm->cur_pmksa->pmk_len;
2660 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
2661 } else {
2662 sm->pmk_len = PMK_LEN;
2663 os_memset(sm->pmk, 0, PMK_LEN);
2664 }
2665 }
2666
2667
2668 /**
2669 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
2670 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2671 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
2672 */
wpa_sm_set_fast_reauth(struct wpa_sm * sm,int fast_reauth)2673 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
2674 {
2675 if (sm)
2676 sm->fast_reauth = fast_reauth;
2677 }
2678
2679
2680 /**
2681 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
2682 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2683 * @scard_ctx: Context pointer for smartcard related callback functions
2684 */
wpa_sm_set_scard_ctx(struct wpa_sm * sm,void * scard_ctx)2685 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
2686 {
2687 if (sm == NULL)
2688 return;
2689 sm->scard_ctx = scard_ctx;
2690 if (sm->preauth_eapol)
2691 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
2692 }
2693
2694
2695 /**
2696 * wpa_sm_set_config - Notification of current configration change
2697 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2698 * @config: Pointer to current network configuration
2699 *
2700 * Notify WPA state machine that configuration has changed. config will be
2701 * stored as a backpointer to network configuration. This can be %NULL to clear
2702 * the stored pointed.
2703 */
wpa_sm_set_config(struct wpa_sm * sm,struct rsn_supp_config * config)2704 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
2705 {
2706 if (!sm)
2707 return;
2708
2709 if (config) {
2710 sm->network_ctx = config->network_ctx;
2711 sm->peerkey_enabled = config->peerkey_enabled;
2712 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
2713 sm->proactive_key_caching = config->proactive_key_caching;
2714 sm->eap_workaround = config->eap_workaround;
2715 sm->eap_conf_ctx = config->eap_conf_ctx;
2716 if (config->ssid) {
2717 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
2718 sm->ssid_len = config->ssid_len;
2719 } else
2720 sm->ssid_len = 0;
2721 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
2722 sm->p2p = config->p2p;
2723 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
2724 } else {
2725 sm->network_ctx = NULL;
2726 sm->peerkey_enabled = 0;
2727 sm->allowed_pairwise_cipher = 0;
2728 sm->proactive_key_caching = 0;
2729 sm->eap_workaround = 0;
2730 sm->eap_conf_ctx = NULL;
2731 sm->ssid_len = 0;
2732 sm->wpa_ptk_rekey = 0;
2733 sm->p2p = 0;
2734 sm->wpa_rsc_relaxation = 0;
2735 }
2736 }
2737
2738
2739 /**
2740 * wpa_sm_set_own_addr - Set own MAC address
2741 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2742 * @addr: Own MAC address
2743 */
wpa_sm_set_own_addr(struct wpa_sm * sm,const u8 * addr)2744 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
2745 {
2746 if (sm)
2747 os_memcpy(sm->own_addr, addr, ETH_ALEN);
2748 }
2749
2750
2751 /**
2752 * wpa_sm_set_ifname - Set network interface name
2753 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2754 * @ifname: Interface name
2755 * @bridge_ifname: Optional bridge interface name (for pre-auth)
2756 */
wpa_sm_set_ifname(struct wpa_sm * sm,const char * ifname,const char * bridge_ifname)2757 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
2758 const char *bridge_ifname)
2759 {
2760 if (sm) {
2761 sm->ifname = ifname;
2762 sm->bridge_ifname = bridge_ifname;
2763 }
2764 }
2765
2766
2767 /**
2768 * wpa_sm_set_eapol - Set EAPOL state machine pointer
2769 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2770 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
2771 */
wpa_sm_set_eapol(struct wpa_sm * sm,struct eapol_sm * eapol)2772 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
2773 {
2774 if (sm)
2775 sm->eapol = eapol;
2776 }
2777
2778
2779 /**
2780 * wpa_sm_set_param - Set WPA state machine parameters
2781 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2782 * @param: Parameter field
2783 * @value: Parameter value
2784 * Returns: 0 on success, -1 on failure
2785 */
wpa_sm_set_param(struct wpa_sm * sm,enum wpa_sm_conf_params param,unsigned int value)2786 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
2787 unsigned int value)
2788 {
2789 int ret = 0;
2790
2791 if (sm == NULL)
2792 return -1;
2793
2794 switch (param) {
2795 case RSNA_PMK_LIFETIME:
2796 if (value > 0)
2797 sm->dot11RSNAConfigPMKLifetime = value;
2798 else
2799 ret = -1;
2800 break;
2801 case RSNA_PMK_REAUTH_THRESHOLD:
2802 if (value > 0 && value <= 100)
2803 sm->dot11RSNAConfigPMKReauthThreshold = value;
2804 else
2805 ret = -1;
2806 break;
2807 case RSNA_SA_TIMEOUT:
2808 if (value > 0)
2809 sm->dot11RSNAConfigSATimeout = value;
2810 else
2811 ret = -1;
2812 break;
2813 case WPA_PARAM_PROTO:
2814 sm->proto = value;
2815 break;
2816 case WPA_PARAM_PAIRWISE:
2817 sm->pairwise_cipher = value;
2818 break;
2819 case WPA_PARAM_GROUP:
2820 sm->group_cipher = value;
2821 break;
2822 case WPA_PARAM_KEY_MGMT:
2823 sm->key_mgmt = value;
2824 break;
2825 #ifdef CONFIG_IEEE80211W
2826 case WPA_PARAM_MGMT_GROUP:
2827 sm->mgmt_group_cipher = value;
2828 break;
2829 #endif /* CONFIG_IEEE80211W */
2830 case WPA_PARAM_RSN_ENABLED:
2831 sm->rsn_enabled = value;
2832 break;
2833 case WPA_PARAM_MFP:
2834 sm->mfp = value;
2835 break;
2836 default:
2837 break;
2838 }
2839
2840 return ret;
2841 }
2842
2843
2844 /**
2845 * wpa_sm_get_status - Get WPA state machine
2846 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2847 * @buf: Buffer for status information
2848 * @buflen: Maximum buffer length
2849 * @verbose: Whether to include verbose status information
2850 * Returns: Number of bytes written to buf.
2851 *
2852 * Query WPA state machine for status information. This function fills in
2853 * a text area with current status information. If the buffer (buf) is not
2854 * large enough, status information will be truncated to fit the buffer.
2855 */
wpa_sm_get_status(struct wpa_sm * sm,char * buf,size_t buflen,int verbose)2856 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
2857 int verbose)
2858 {
2859 char *pos = buf, *end = buf + buflen;
2860 int ret;
2861
2862 ret = os_snprintf(pos, end - pos,
2863 "pairwise_cipher=%s\n"
2864 "group_cipher=%s\n"
2865 "key_mgmt=%s\n",
2866 wpa_cipher_txt(sm->pairwise_cipher),
2867 wpa_cipher_txt(sm->group_cipher),
2868 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
2869 if (os_snprintf_error(end - pos, ret))
2870 return pos - buf;
2871 pos += ret;
2872
2873 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
2874 struct wpa_ie_data rsn;
2875 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
2876 >= 0 &&
2877 rsn.capabilities & (WPA_CAPABILITY_MFPR |
2878 WPA_CAPABILITY_MFPC)) {
2879 ret = os_snprintf(pos, end - pos, "pmf=%d\n",
2880 (rsn.capabilities &
2881 WPA_CAPABILITY_MFPR) ? 2 : 1);
2882 if (os_snprintf_error(end - pos, ret))
2883 return pos - buf;
2884 pos += ret;
2885 }
2886 }
2887
2888 return pos - buf;
2889 }
2890
2891
wpa_sm_pmf_enabled(struct wpa_sm * sm)2892 int wpa_sm_pmf_enabled(struct wpa_sm *sm)
2893 {
2894 struct wpa_ie_data rsn;
2895
2896 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
2897 return 0;
2898
2899 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
2900 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
2901 return 1;
2902
2903 return 0;
2904 }
2905
2906
2907 /**
2908 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
2909 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2910 * @wpa_ie: Pointer to buffer for WPA/RSN IE
2911 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
2912 * Returns: 0 on success, -1 on failure
2913 */
wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm * sm,u8 * wpa_ie,size_t * wpa_ie_len)2914 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
2915 size_t *wpa_ie_len)
2916 {
2917 int res;
2918
2919 if (sm == NULL)
2920 return -1;
2921
2922 #ifdef CONFIG_TESTING_OPTIONS
2923 if (sm->test_assoc_ie) {
2924 wpa_printf(MSG_DEBUG,
2925 "TESTING: Replace association WPA/RSN IE");
2926 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
2927 return -1;
2928 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
2929 wpabuf_len(sm->test_assoc_ie));
2930 res = wpabuf_len(sm->test_assoc_ie);
2931 } else
2932 #endif /* CONFIG_TESTING_OPTIONS */
2933 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
2934 if (res < 0)
2935 return -1;
2936 *wpa_ie_len = res;
2937
2938 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
2939 wpa_ie, *wpa_ie_len);
2940
2941 if (sm->assoc_wpa_ie == NULL) {
2942 /*
2943 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
2944 * the correct version of the IE even if PMKSA caching is
2945 * aborted (which would remove PMKID from IE generation).
2946 */
2947 sm->assoc_wpa_ie = os_malloc(*wpa_ie_len);
2948 if (sm->assoc_wpa_ie == NULL)
2949 return -1;
2950
2951 os_memcpy(sm->assoc_wpa_ie, wpa_ie, *wpa_ie_len);
2952 sm->assoc_wpa_ie_len = *wpa_ie_len;
2953 } else {
2954 wpa_hexdump(MSG_DEBUG,
2955 "WPA: Leave previously set WPA IE default",
2956 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
2957 }
2958
2959 return 0;
2960 }
2961
2962
2963 /**
2964 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
2965 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2966 * @ie: Pointer to IE data (starting from id)
2967 * @len: IE length
2968 * Returns: 0 on success, -1 on failure
2969 *
2970 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
2971 * Request frame. The IE will be used to override the default value generated
2972 * with wpa_sm_set_assoc_wpa_ie_default().
2973 */
wpa_sm_set_assoc_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)2974 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
2975 {
2976 if (sm == NULL)
2977 return -1;
2978
2979 os_free(sm->assoc_wpa_ie);
2980 if (ie == NULL || len == 0) {
2981 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2982 "WPA: clearing own WPA/RSN IE");
2983 sm->assoc_wpa_ie = NULL;
2984 sm->assoc_wpa_ie_len = 0;
2985 } else {
2986 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
2987 sm->assoc_wpa_ie = os_malloc(len);
2988 if (sm->assoc_wpa_ie == NULL)
2989 return -1;
2990
2991 os_memcpy(sm->assoc_wpa_ie, ie, len);
2992 sm->assoc_wpa_ie_len = len;
2993 }
2994
2995 return 0;
2996 }
2997
2998
2999 /**
3000 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
3001 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3002 * @ie: Pointer to IE data (starting from id)
3003 * @len: IE length
3004 * Returns: 0 on success, -1 on failure
3005 *
3006 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
3007 * frame.
3008 */
wpa_sm_set_ap_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)3009 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3010 {
3011 if (sm == NULL)
3012 return -1;
3013
3014 os_free(sm->ap_wpa_ie);
3015 if (ie == NULL || len == 0) {
3016 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3017 "WPA: clearing AP WPA IE");
3018 sm->ap_wpa_ie = NULL;
3019 sm->ap_wpa_ie_len = 0;
3020 } else {
3021 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
3022 sm->ap_wpa_ie = os_malloc(len);
3023 if (sm->ap_wpa_ie == NULL)
3024 return -1;
3025
3026 os_memcpy(sm->ap_wpa_ie, ie, len);
3027 sm->ap_wpa_ie_len = len;
3028 }
3029
3030 return 0;
3031 }
3032
3033
3034 /**
3035 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
3036 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3037 * @ie: Pointer to IE data (starting from id)
3038 * @len: IE length
3039 * Returns: 0 on success, -1 on failure
3040 *
3041 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
3042 * frame.
3043 */
wpa_sm_set_ap_rsn_ie(struct wpa_sm * sm,const u8 * ie,size_t len)3044 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3045 {
3046 if (sm == NULL)
3047 return -1;
3048
3049 os_free(sm->ap_rsn_ie);
3050 if (ie == NULL || len == 0) {
3051 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3052 "WPA: clearing AP RSN IE");
3053 sm->ap_rsn_ie = NULL;
3054 sm->ap_rsn_ie_len = 0;
3055 } else {
3056 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
3057 sm->ap_rsn_ie = os_malloc(len);
3058 if (sm->ap_rsn_ie == NULL)
3059 return -1;
3060
3061 os_memcpy(sm->ap_rsn_ie, ie, len);
3062 sm->ap_rsn_ie_len = len;
3063 }
3064
3065 return 0;
3066 }
3067
3068
3069 /**
3070 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
3071 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3072 * @data: Pointer to data area for parsing results
3073 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
3074 *
3075 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
3076 * parsed data into data.
3077 */
wpa_sm_parse_own_wpa_ie(struct wpa_sm * sm,struct wpa_ie_data * data)3078 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
3079 {
3080 if (sm == NULL)
3081 return -1;
3082
3083 if (sm->assoc_wpa_ie == NULL) {
3084 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3085 "WPA: No WPA/RSN IE available from association info");
3086 return -1;
3087 }
3088 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
3089 return -2;
3090 return 0;
3091 }
3092
3093
wpa_sm_pmksa_cache_list(struct wpa_sm * sm,char * buf,size_t len)3094 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
3095 {
3096 return pmksa_cache_list(sm->pmksa, buf, len);
3097 }
3098
3099
wpa_sm_pmksa_cache_head(struct wpa_sm * sm)3100 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
3101 {
3102 return pmksa_cache_head(sm->pmksa);
3103 }
3104
3105
3106 struct rsn_pmksa_cache_entry *
wpa_sm_pmksa_cache_add_entry(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)3107 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
3108 struct rsn_pmksa_cache_entry * entry)
3109 {
3110 return pmksa_cache_add_entry(sm->pmksa, entry);
3111 }
3112
3113
wpa_sm_drop_sa(struct wpa_sm * sm)3114 void wpa_sm_drop_sa(struct wpa_sm *sm)
3115 {
3116 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
3117 sm->ptk_set = 0;
3118 sm->tptk_set = 0;
3119 os_memset(sm->pmk, 0, sizeof(sm->pmk));
3120 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
3121 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3122 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
3123 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
3124 #ifdef CONFIG_IEEE80211W
3125 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
3126 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
3127 #endif /* CONFIG_IEEE80211W */
3128 #ifdef CONFIG_IEEE80211R
3129 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
3130 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
3131 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
3132 #endif /* CONFIG_IEEE80211R */
3133 }
3134
3135
wpa_sm_has_ptk(struct wpa_sm * sm)3136 int wpa_sm_has_ptk(struct wpa_sm *sm)
3137 {
3138 if (sm == NULL)
3139 return 0;
3140 return sm->ptk_set;
3141 }
3142
3143
wpa_sm_update_replay_ctr(struct wpa_sm * sm,const u8 * replay_ctr)3144 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
3145 {
3146 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
3147 }
3148
3149
wpa_sm_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)3150 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
3151 {
3152 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0);
3153 }
3154
3155
3156 #ifdef CONFIG_WNM
wpa_wnmsleep_install_key(struct wpa_sm * sm,u8 subelem_id,u8 * buf)3157 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
3158 {
3159 u16 keyinfo;
3160 u8 keylen; /* plaintext key len */
3161 u8 *key_rsc;
3162
3163 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
3164 struct wpa_gtk_data gd;
3165
3166 os_memset(&gd, 0, sizeof(gd));
3167 keylen = wpa_cipher_key_len(sm->group_cipher);
3168 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
3169 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
3170 if (gd.alg == WPA_ALG_NONE) {
3171 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
3172 return -1;
3173 }
3174
3175 key_rsc = buf + 5;
3176 keyinfo = WPA_GET_LE16(buf + 2);
3177 gd.gtk_len = keylen;
3178 if (gd.gtk_len != buf[4]) {
3179 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
3180 gd.gtk_len, buf[4]);
3181 return -1;
3182 }
3183 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
3184 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
3185 sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
3186
3187 os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
3188
3189 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
3190 gd.gtk, gd.gtk_len);
3191 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
3192 os_memset(&gd, 0, sizeof(gd));
3193 wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
3194 "WNM mode");
3195 return -1;
3196 }
3197 os_memset(&gd, 0, sizeof(gd));
3198 #ifdef CONFIG_IEEE80211W
3199 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
3200 const struct wpa_igtk_kde *igtk;
3201
3202 igtk = (const struct wpa_igtk_kde *) (buf + 2);
3203 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
3204 return -1;
3205 #endif /* CONFIG_IEEE80211W */
3206 } else {
3207 wpa_printf(MSG_DEBUG, "Unknown element id");
3208 return -1;
3209 }
3210
3211 return 0;
3212 }
3213 #endif /* CONFIG_WNM */
3214
3215
3216 #ifdef CONFIG_PEERKEY
wpa_sm_rx_eapol_peerkey(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)3217 int wpa_sm_rx_eapol_peerkey(struct wpa_sm *sm, const u8 *src_addr,
3218 const u8 *buf, size_t len)
3219 {
3220 struct wpa_peerkey *peerkey;
3221
3222 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
3223 if (os_memcmp(peerkey->addr, src_addr, ETH_ALEN) == 0)
3224 break;
3225 }
3226
3227 if (!peerkey)
3228 return 0;
3229
3230 wpa_sm_rx_eapol(sm, src_addr, buf, len);
3231
3232 return 1;
3233 }
3234 #endif /* CONFIG_PEERKEY */
3235
3236
3237 #ifdef CONFIG_P2P
3238
wpa_sm_get_p2p_ip_addr(struct wpa_sm * sm,u8 * buf)3239 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
3240 {
3241 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
3242 return -1;
3243 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
3244 return 0;
3245 }
3246
3247 #endif /* CONFIG_P2P */
3248
3249
wpa_sm_set_rx_replay_ctr(struct wpa_sm * sm,const u8 * rx_replay_counter)3250 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
3251 {
3252 if (rx_replay_counter == NULL)
3253 return;
3254
3255 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
3256 WPA_REPLAY_COUNTER_LEN);
3257 sm->rx_replay_counter_set = 1;
3258 wpa_printf(MSG_DEBUG, "Updated key replay counter");
3259 }
3260
3261
wpa_sm_set_ptk_kck_kek(struct wpa_sm * sm,const u8 * ptk_kck,size_t ptk_kck_len,const u8 * ptk_kek,size_t ptk_kek_len)3262 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
3263 const u8 *ptk_kck, size_t ptk_kck_len,
3264 const u8 *ptk_kek, size_t ptk_kek_len)
3265 {
3266 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
3267 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
3268 sm->ptk.kck_len = ptk_kck_len;
3269 wpa_printf(MSG_DEBUG, "Updated PTK KCK");
3270 }
3271 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
3272 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
3273 sm->ptk.kek_len = ptk_kek_len;
3274 wpa_printf(MSG_DEBUG, "Updated PTK KEK");
3275 }
3276 sm->ptk_set = 1;
3277 }
3278
3279
3280 #ifdef CONFIG_TESTING_OPTIONS
wpa_sm_set_test_assoc_ie(struct wpa_sm * sm,struct wpabuf * buf)3281 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
3282 {
3283 wpabuf_free(sm->test_assoc_ie);
3284 sm->test_assoc_ie = buf;
3285 }
3286 #endif /* CONFIG_TESTING_OPTIONS */
3287
3288
3289 #ifdef CONFIG_FILS
3290
fils_build_auth(struct wpa_sm * sm)3291 struct wpabuf * fils_build_auth(struct wpa_sm *sm)
3292 {
3293 struct wpabuf *buf = NULL;
3294 struct wpabuf *erp_msg;
3295
3296 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
3297 if (!erp_msg && !sm->cur_pmksa) {
3298 wpa_printf(MSG_DEBUG,
3299 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
3300 goto fail;
3301 }
3302
3303 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
3304 erp_msg != NULL, sm->cur_pmksa != NULL);
3305
3306 sm->fils_completed = 0;
3307
3308 if (!sm->assoc_wpa_ie) {
3309 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
3310 goto fail;
3311 }
3312
3313 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
3314 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
3315 goto fail;
3316
3317 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
3318 sm->fils_nonce, FILS_NONCE_LEN);
3319 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
3320 sm->fils_session, FILS_SESSION_LEN);
3321
3322 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len);
3323 if (!buf)
3324 goto fail;
3325
3326 /* Fields following the Authentication algorithm number field */
3327
3328 /* Authentication Transaction seq# */
3329 wpabuf_put_le16(buf, 1);
3330
3331 /* Status Code */
3332 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
3333
3334 /* TODO: Finite Cyclic Group when using PK or PFS */
3335 /* TODO: Element when using PK or PFS */
3336
3337 /* RSNE */
3338 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
3339 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3340 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3341
3342 /* TODO: MDE when using FILS for FT initial association */
3343 /* TODO: FTE when using FILS for FT initial association */
3344
3345 /* FILS Nonce */
3346 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3347 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
3348 /* Element ID Extension */
3349 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
3350 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
3351
3352 /* FILS Session */
3353 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3354 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
3355 /* Element ID Extension */
3356 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
3357 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
3358
3359 /* FILS Wrapped Data */
3360 sm->fils_erp_pmkid_set = 0;
3361 if (erp_msg) {
3362 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3363 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
3364 /* Element ID Extension */
3365 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_WRAPPED_DATA);
3366 wpabuf_put_buf(buf, erp_msg);
3367 /* Calculate pending PMKID here so that we do not need to
3368 * maintain a copy of the EAP-Initiate/Reauth message. */
3369 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
3370 wpabuf_len(erp_msg),
3371 sm->fils_erp_pmkid) == 0)
3372 sm->fils_erp_pmkid_set = 1;
3373 }
3374
3375 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
3376 buf);
3377
3378 fail:
3379 wpabuf_free(erp_msg);
3380 return buf;
3381 }
3382
3383
fils_process_auth(struct wpa_sm * sm,const u8 * data,size_t len)3384 int fils_process_auth(struct wpa_sm *sm, const u8 *data, size_t len)
3385 {
3386 const u8 *pos, *end;
3387 struct ieee802_11_elems elems;
3388 struct wpa_ie_data rsn;
3389 int pmkid_match = 0;
3390 u8 ick[FILS_ICK_MAX_LEN];
3391 size_t ick_len;
3392 int res;
3393
3394 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
3395 data, len);
3396 pos = data;
3397 end = data + len;
3398
3399 /* TODO: Finite Cyclic Group when using PK or PFS */
3400 /* TODO: Element when using PK or PFS */
3401
3402 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
3403 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
3404 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
3405 return -1;
3406 }
3407
3408 /* RSNE */
3409 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
3410 elems.rsn_ie_len);
3411 if (!elems.rsn_ie ||
3412 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
3413 &rsn) < 0) {
3414 wpa_printf(MSG_DEBUG, "FILS: No RSN element");
3415 return -1;
3416 }
3417
3418 if (!elems.fils_nonce) {
3419 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
3420 return -1;
3421 }
3422 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
3423 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
3424
3425 /* TODO: MDE when using FILS+FT */
3426 /* TODO: FTE when using FILS+FT */
3427
3428 /* PMKID List */
3429 if (rsn.pmkid && rsn.num_pmkid > 0) {
3430 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
3431 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
3432
3433 if (rsn.num_pmkid != 1) {
3434 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
3435 return -1;
3436 }
3437 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
3438 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
3439 {
3440 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
3441 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
3442 sm->cur_pmksa->pmkid, PMKID_LEN);
3443 return -1;
3444 }
3445 wpa_printf(MSG_DEBUG,
3446 "FILS: Matching PMKID - continue using PMKSA caching");
3447 pmkid_match = 1;
3448 }
3449 if (!pmkid_match && sm->cur_pmksa) {
3450 wpa_printf(MSG_DEBUG,
3451 "FILS: No PMKID match - cannot use cached PMKSA entry");
3452 sm->cur_pmksa = NULL;
3453 }
3454
3455 /* FILS Session */
3456 if (!elems.fils_session) {
3457 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
3458 return -1;
3459 }
3460 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
3461 FILS_SESSION_LEN);
3462 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
3463 != 0) {
3464 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
3465 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
3466 sm->fils_session, FILS_SESSION_LEN);
3467 return -1;
3468 }
3469
3470 /* FILS Wrapped Data */
3471 if (!sm->cur_pmksa && elems.fils_wrapped_data) {
3472 u8 rmsk[ERP_MAX_KEY_LEN];
3473 size_t rmsk_len;
3474
3475 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
3476 elems.fils_wrapped_data,
3477 elems.fils_wrapped_data_len);
3478 eapol_sm_process_erp_finish(sm->eapol, elems.fils_wrapped_data,
3479 elems.fils_wrapped_data_len);
3480 if (eapol_sm_failed(sm->eapol))
3481 return -1;
3482
3483 rmsk_len = ERP_MAX_KEY_LEN;
3484 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
3485 if (res == PMK_LEN) {
3486 rmsk_len = PMK_LEN;
3487 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
3488 }
3489 if (res)
3490 return -1;
3491
3492 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
3493 sm->fils_nonce, sm->fils_anonce, NULL, 0,
3494 sm->pmk, &sm->pmk_len);
3495 os_memset(rmsk, 0, sizeof(rmsk));
3496 if (res)
3497 return -1;
3498
3499 if (!sm->fils_erp_pmkid_set) {
3500 wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
3501 return -1;
3502 }
3503 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
3504 PMKID_LEN);
3505 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
3506 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
3507 sm->fils_erp_pmkid, NULL, 0,
3508 sm->bssid, sm->own_addr,
3509 sm->network_ctx, sm->key_mgmt);
3510 }
3511
3512 if (!sm->cur_pmksa) {
3513 wpa_printf(MSG_DEBUG,
3514 "FILS: No remaining options to continue FILS authentication");
3515 return -1;
3516 }
3517
3518 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid,
3519 sm->fils_nonce, sm->fils_anonce, &sm->ptk,
3520 ick, &ick_len, sm->key_mgmt, sm->pairwise_cipher) <
3521 0) {
3522 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
3523 return -1;
3524 }
3525 sm->ptk_set = 1;
3526 sm->tptk_set = 0;
3527 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3528
3529 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
3530 sm->fils_anonce, sm->own_addr, sm->bssid,
3531 NULL, 0, NULL, 0, /* TODO: SK+PFS */
3532 sm->key_mgmt, sm->fils_key_auth_sta,
3533 sm->fils_key_auth_ap,
3534 &sm->fils_key_auth_len);
3535 os_memset(ick, 0, sizeof(ick));
3536 return res;
3537 }
3538
3539
fils_build_assoc_req(struct wpa_sm * sm,const u8 ** kek,size_t * kek_len,const u8 ** snonce,const u8 ** anonce,const struct wpabuf ** hlp,unsigned int num_hlp)3540 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
3541 size_t *kek_len, const u8 **snonce,
3542 const u8 **anonce,
3543 const struct wpabuf **hlp,
3544 unsigned int num_hlp)
3545 {
3546 struct wpabuf *buf;
3547 size_t len;
3548 unsigned int i;
3549
3550 len = 1000;
3551 for (i = 0; hlp && i < num_hlp; i++)
3552 len += 10 + wpabuf_len(hlp[i]);
3553 buf = wpabuf_alloc(len);
3554 if (!buf)
3555 return NULL;
3556
3557 /* FILS Session */
3558 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3559 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
3560 /* Element ID Extension */
3561 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
3562 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
3563
3564 /* Everything after FILS Session element gets encrypted in the driver
3565 * with KEK. The buffer returned from here is the plaintext version. */
3566
3567 /* TODO: FILS Public Key */
3568
3569 /* FILS Key Confirm */
3570 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3571 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
3572 /* Element ID Extension */
3573 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
3574 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
3575
3576 /* FILS HLP Container */
3577 for (i = 0; hlp && i < num_hlp; i++) {
3578 const u8 *pos = wpabuf_head(hlp[i]);
3579 size_t left = wpabuf_len(hlp[i]);
3580
3581 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3582 if (left <= 254)
3583 len = 1 + left;
3584 else
3585 len = 255;
3586 wpabuf_put_u8(buf, len); /* Length */
3587 /* Element ID Extension */
3588 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
3589 /* Destination MAC Address, Source MAC Address, HLP Packet.
3590 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
3591 * header when LPD is used). */
3592 wpabuf_put_data(buf, pos, len - 1);
3593 pos += len - 1;
3594 left -= len - 1;
3595 while (left) {
3596 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
3597 len = left > 255 ? 255 : left;
3598 wpabuf_put_u8(buf, len);
3599 wpabuf_put_data(buf, pos, len);
3600 pos += len;
3601 left -= len;
3602 }
3603 }
3604
3605 /* TODO: FILS IP Address Assignment */
3606
3607 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
3608
3609 *kek = sm->ptk.kek;
3610 *kek_len = sm->ptk.kek_len;
3611 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
3612 *snonce = sm->fils_nonce;
3613 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
3614 *snonce, FILS_NONCE_LEN);
3615 *anonce = sm->fils_anonce;
3616 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
3617 *anonce, FILS_NONCE_LEN);
3618
3619 return buf;
3620 }
3621
3622
fils_process_hlp_resp(struct wpa_sm * sm,const u8 * resp,size_t len)3623 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
3624 {
3625 const u8 *pos, *end;
3626
3627 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
3628 if (len < 2 * ETH_ALEN)
3629 return;
3630 pos = resp + 2 * ETH_ALEN;
3631 end = resp + len;
3632 if (end - pos >= 6 &&
3633 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
3634 pos += 6; /* Remove SNAP/LLC header */
3635 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
3636 }
3637
3638
fils_process_hlp_container(struct wpa_sm * sm,const u8 * pos,size_t len)3639 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
3640 size_t len)
3641 {
3642 const u8 *end = pos + len;
3643 u8 *tmp, *tmp_pos;
3644
3645 /* Check if there are any FILS HLP Container elements */
3646 while (end - pos >= 2) {
3647 if (2 + pos[1] > end - pos)
3648 return;
3649 if (pos[0] == WLAN_EID_EXTENSION &&
3650 pos[1] >= 1 + 2 * ETH_ALEN &&
3651 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
3652 break;
3653 pos += 2 + pos[1];
3654 }
3655 if (end - pos < 2)
3656 return; /* No FILS HLP Container elements */
3657
3658 tmp = os_malloc(end - pos);
3659 if (!tmp)
3660 return;
3661
3662 while (end - pos >= 2) {
3663 if (2 + pos[1] > end - pos ||
3664 pos[0] != WLAN_EID_EXTENSION ||
3665 pos[1] < 1 + 2 * ETH_ALEN ||
3666 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
3667 break;
3668 tmp_pos = tmp;
3669 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
3670 tmp_pos += pos[1] - 1;
3671 pos += 2 + pos[1];
3672
3673 /* Add possible fragments */
3674 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
3675 2 + pos[1] <= end - pos) {
3676 os_memcpy(tmp_pos, pos + 2, pos[1]);
3677 tmp_pos += pos[1];
3678 pos += 2 + pos[1];
3679 }
3680
3681 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
3682 }
3683
3684 os_free(tmp);
3685 }
3686
3687
fils_process_assoc_resp(struct wpa_sm * sm,const u8 * resp,size_t len)3688 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
3689 {
3690 const struct ieee80211_mgmt *mgmt;
3691 const u8 *end, *ie_start;
3692 struct ieee802_11_elems elems;
3693 int keylen, rsclen;
3694 enum wpa_alg alg;
3695 struct wpa_gtk_data gd;
3696 int maxkeylen;
3697 struct wpa_eapol_ie_parse kde;
3698
3699 if (!sm || !sm->ptk_set) {
3700 wpa_printf(MSG_DEBUG, "FILS: No KEK available");
3701 return -1;
3702 }
3703
3704 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
3705 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
3706 return -1;
3707 }
3708
3709 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
3710 resp, len);
3711
3712 mgmt = (const struct ieee80211_mgmt *) resp;
3713 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
3714 return -1;
3715
3716 end = resp + len;
3717 /* Same offset for Association Response and Reassociation Response */
3718 ie_start = mgmt->u.assoc_resp.variable;
3719
3720 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
3721 ParseFailed) {
3722 wpa_printf(MSG_DEBUG,
3723 "FILS: Failed to parse decrypted elements");
3724 goto fail;
3725 }
3726
3727 if (!elems.fils_session) {
3728 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
3729 return -1;
3730 }
3731 if (os_memcmp(elems.fils_session, sm->fils_session,
3732 FILS_SESSION_LEN) != 0) {
3733 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
3734 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
3735 elems.fils_session, FILS_SESSION_LEN);
3736 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
3737 sm->fils_session, FILS_SESSION_LEN);
3738 }
3739
3740 /* TODO: FILS Public Key */
3741
3742 if (!elems.fils_key_confirm) {
3743 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
3744 goto fail;
3745 }
3746 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
3747 wpa_printf(MSG_DEBUG,
3748 "FILS: Unexpected Key-Auth length %d (expected %d)",
3749 elems.fils_key_confirm_len,
3750 (int) sm->fils_key_auth_len);
3751 goto fail;
3752 }
3753 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
3754 sm->fils_key_auth_len) != 0) {
3755 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
3756 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
3757 elems.fils_key_confirm,
3758 elems.fils_key_confirm_len);
3759 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
3760 sm->fils_key_auth_ap, sm->fils_key_auth_len);
3761 goto fail;
3762 }
3763
3764 /* Key Delivery */
3765 if (!elems.key_delivery) {
3766 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
3767 goto fail;
3768 }
3769
3770 /* Parse GTK and set the key to the driver */
3771 os_memset(&gd, 0, sizeof(gd));
3772 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
3773 elems.key_delivery_len - WPA_KEY_RSC_LEN,
3774 &kde) < 0) {
3775 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
3776 goto fail;
3777 }
3778 if (!kde.gtk) {
3779 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
3780 goto fail;
3781 }
3782 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
3783 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3784 gd.gtk_len, maxkeylen,
3785 &gd.key_rsc_len, &gd.alg))
3786 goto fail;
3787
3788 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
3789 gd.keyidx = kde.gtk[0] & 0x3;
3790 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
3791 !!(kde.gtk[0] & BIT(2)));
3792 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
3793 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
3794 (unsigned long) kde.gtk_len - 2);
3795 goto fail;
3796 }
3797 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
3798
3799 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
3800 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery) < 0) {
3801 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
3802 goto fail;
3803 }
3804
3805 if (ieee80211w_set_keys(sm, &kde) < 0) {
3806 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
3807 goto fail;
3808 }
3809
3810 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
3811 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
3812 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
3813 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
3814 sm->ptk.tk, keylen);
3815 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen,
3816 sm->ptk.tk, keylen) < 0) {
3817 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3818 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
3819 MACSTR ")",
3820 alg, keylen, MAC2STR(sm->bssid));
3821 goto fail;
3822 }
3823
3824 /* TODO: TK could be cleared after auth frame exchange now that driver
3825 * takes care of association frame encryption/decryption. */
3826 /* TK is not needed anymore in supplicant */
3827 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
3828 sm->ptk.installed = 1;
3829
3830 /* FILS HLP Container */
3831 fils_process_hlp_container(sm, ie_start, end - ie_start);
3832
3833 /* TODO: FILS IP Address Assignment */
3834
3835 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
3836 sm->fils_completed = 1;
3837
3838 return 0;
3839 fail:
3840 return -1;
3841 }
3842
3843 #endif /* CONFIG_FILS */
3844
3845
wpa_fils_is_completed(struct wpa_sm * sm)3846 int wpa_fils_is_completed(struct wpa_sm *sm)
3847 {
3848 #ifdef CONFIG_FILS
3849 return sm && sm->fils_completed;
3850 #else /* CONFIG_FILS */
3851 return 0;
3852 #endif /* CONFIG_FILS */
3853 }
3854