1 /*
2 * IEEE 802.11 RSN / WPA Authenticator
3 * Copyright (c) 2004-2022, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/state_machine.h"
14 #include "utils/bitfield.h"
15 #include "common/ieee802_11_defs.h"
16 #include "common/ocv.h"
17 #include "common/dpp.h"
18 #include "common/wpa_ctrl.h"
19 #include "crypto/aes.h"
20 #include "crypto/aes_wrap.h"
21 #include "crypto/aes_siv.h"
22 #include "crypto/crypto.h"
23 #include "crypto/sha1.h"
24 #include "crypto/sha256.h"
25 #include "crypto/sha384.h"
26 #include "crypto/sha512.h"
27 #include "crypto/random.h"
28 #include "eapol_auth/eapol_auth_sm.h"
29 #include "drivers/driver.h"
30 #include "ap_config.h"
31 #include "ieee802_11.h"
32 #include "sta_info.h"
33 #include "wpa_auth.h"
34 #include "pmksa_cache_auth.h"
35 #include "wpa_auth_i.h"
36 #include "wpa_auth_ie.h"
37
38 #define STATE_MACHINE_DATA struct wpa_state_machine
39 #define STATE_MACHINE_DEBUG_PREFIX "WPA"
40 #define STATE_MACHINE_ADDR wpa_auth_get_spa(sm)
41
42
43 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
44 static int wpa_sm_step(struct wpa_state_machine *sm);
45 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
46 u8 *data, size_t data_len);
47 #ifdef CONFIG_FILS
48 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
49 u8 *buf, size_t buf_len, u16 *_key_data_len);
50 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
51 const struct wpabuf *hlp);
52 #endif /* CONFIG_FILS */
53 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
54 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
55 struct wpa_group *group);
56 static void wpa_request_new_ptk(struct wpa_state_machine *sm);
57 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
58 struct wpa_group *group);
59 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
60 struct wpa_group *group);
61 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
62 const u8 *pmk, unsigned int pmk_len,
63 struct wpa_ptk *ptk, int force_sha256,
64 u8 *pmk_r0, u8 *pmk_r1, u8 *pmk_r0_name,
65 size_t *key_len, bool no_kdk);
66 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
67 struct wpa_group *group);
68 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
69 struct wpa_group *group);
70 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
71 struct wpa_group *group);
72 static int ieee80211w_kde_len(struct wpa_state_machine *sm);
73 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
74 static void wpa_group_update_gtk(struct wpa_authenticator *wpa_auth,
75 struct wpa_group *group);
76
77
78 static const u32 eapol_key_timeout_first = 100; /* ms */
79 static const u32 eapol_key_timeout_subseq = 1000; /* ms */
80 static const u32 eapol_key_timeout_first_group = 500; /* ms */
81 static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
82
83 /* TODO: make these configurable */
84 static const int dot11RSNAConfigPMKLifetime = 43200;
85 static const int dot11RSNAConfigPMKReauthThreshold = 70;
86 static const int dot11RSNAConfigSATimeout = 60;
87
88
wpa_auth_get_aa(const struct wpa_state_machine * sm)89 static const u8 * wpa_auth_get_aa(const struct wpa_state_machine *sm)
90 {
91 #ifdef CONFIG_IEEE80211BE
92 if (sm->mld_assoc_link_id >= 0)
93 return sm->wpa_auth->mld_addr;
94 #endif /* CONFIG_IEEE80211BE */
95 return sm->wpa_auth->addr;
96 }
97
98
wpa_auth_get_spa(const struct wpa_state_machine * sm)99 static const u8 * wpa_auth_get_spa(const struct wpa_state_machine *sm)
100 {
101 #ifdef CONFIG_IEEE80211BE
102 if (sm->mld_assoc_link_id >= 0)
103 return sm->peer_mld_addr;
104 #endif /* CONFIG_IEEE80211BE */
105 return sm->addr;
106 }
107
108
wpa_gkeydone_sta(struct wpa_state_machine * sm)109 static void wpa_gkeydone_sta(struct wpa_state_machine *sm)
110 {
111 #ifdef CONFIG_IEEE80211BE
112 int link_id;
113 #endif /* CONFIG_IEEE80211BE */
114
115 if (!sm->wpa_auth)
116 return;
117
118 sm->wpa_auth->group->GKeyDoneStations--;
119 sm->GUpdateStationKeys = false;
120
121 #ifdef CONFIG_IEEE80211BE
122 for_each_sm_auth(sm, link_id)
123 sm->mld_links[link_id].wpa_auth->group->GKeyDoneStations--;
124 #endif /* CONFIG_IEEE80211BE */
125 }
126
127
128 #ifdef CONFIG_IEEE80211BE
129
wpa_release_link_auth_ref(struct wpa_state_machine * sm,int release_link_id)130 void wpa_release_link_auth_ref(struct wpa_state_machine *sm,
131 int release_link_id)
132 {
133 int link_id;
134
135 if (!sm || release_link_id >= MAX_NUM_MLD_LINKS)
136 return;
137
138 for_each_sm_auth(sm, link_id) {
139 if (link_id == release_link_id) {
140 wpa_group_put(sm->mld_links[link_id].wpa_auth,
141 sm->mld_links[link_id].wpa_auth->group);
142 sm->mld_links[link_id].wpa_auth = NULL;
143 }
144 }
145 }
146
147
148 struct wpa_get_link_auth_ctx {
149 const u8 *addr;
150 const u8 *mld_addr;
151 int link_id;
152 struct wpa_authenticator *wpa_auth;
153 };
154
wpa_get_link_sta_auth(struct wpa_authenticator * wpa_auth,void * data)155 static int wpa_get_link_sta_auth(struct wpa_authenticator *wpa_auth, void *data)
156 {
157 struct wpa_get_link_auth_ctx *ctx = data;
158
159 if (!wpa_auth->is_ml)
160 return 0;
161
162 if (ctx->mld_addr &&
163 !ether_addr_equal(wpa_auth->mld_addr, ctx->mld_addr))
164 return 0;
165
166 if ((ctx->addr && ether_addr_equal(wpa_auth->addr, ctx->addr)) ||
167 (ctx->link_id > -1 && wpa_auth->is_ml &&
168 wpa_auth->link_id == ctx->link_id)) {
169 ctx->wpa_auth = wpa_auth;
170 return 1;
171
172 }
173 return 0;
174 }
175
176
177 static struct wpa_authenticator *
wpa_get_link_auth(struct wpa_authenticator * wpa_auth,int link_id)178 wpa_get_link_auth(struct wpa_authenticator *wpa_auth, int link_id)
179 {
180 struct wpa_get_link_auth_ctx ctx;
181
182 ctx.addr = NULL;
183 ctx.mld_addr = wpa_auth->mld_addr;
184 ctx.link_id = link_id;
185 ctx.wpa_auth = NULL;
186 wpa_auth_for_each_auth(wpa_auth, wpa_get_link_sta_auth, &ctx);
187 return ctx.wpa_auth;
188 }
189
190
wpa_get_primary_auth_cb(struct wpa_authenticator * wpa_auth,void * data)191 static int wpa_get_primary_auth_cb(struct wpa_authenticator *wpa_auth,
192 void *data)
193 {
194 struct wpa_get_link_auth_ctx *ctx = data;
195
196 if (!wpa_auth->is_ml ||
197 !ether_addr_equal(wpa_auth->mld_addr, ctx->addr) ||
198 !wpa_auth->primary_auth)
199 return 0;
200
201 ctx->wpa_auth = wpa_auth;
202 return 1;
203 }
204
205 #endif /* CONFIG_IEEE80211BE */
206
207
208 static struct wpa_authenticator *
wpa_get_primary_auth(struct wpa_authenticator * wpa_auth)209 wpa_get_primary_auth(struct wpa_authenticator *wpa_auth)
210 {
211 #ifdef CONFIG_IEEE80211BE
212 struct wpa_get_link_auth_ctx ctx;
213
214 if (!wpa_auth || !wpa_auth->is_ml || wpa_auth->primary_auth)
215 return wpa_auth;
216
217 ctx.addr = wpa_auth->mld_addr;
218 ctx.wpa_auth = NULL;
219 wpa_auth_for_each_auth(wpa_auth, wpa_get_primary_auth_cb, &ctx);
220
221 return ctx.wpa_auth;
222 #else /* CONFIG_IEEE80211BE */
223 return wpa_auth;
224 #endif /* CONFIG_IEEE80211BE */
225 }
226
227
wpa_auth_mic_failure_report(struct wpa_authenticator * wpa_auth,const u8 * addr)228 static inline int wpa_auth_mic_failure_report(
229 struct wpa_authenticator *wpa_auth, const u8 *addr)
230 {
231 if (wpa_auth->cb->mic_failure_report)
232 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
233 return 0;
234 }
235
236
wpa_auth_psk_failure_report(struct wpa_authenticator * wpa_auth,const u8 * addr)237 static inline void wpa_auth_psk_failure_report(
238 struct wpa_authenticator *wpa_auth, const u8 *addr)
239 {
240 if (wpa_auth->cb->psk_failure_report)
241 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
242 }
243
244
wpa_auth_set_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var,int value)245 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
246 const u8 *addr, wpa_eapol_variable var,
247 int value)
248 {
249 if (wpa_auth->cb->set_eapol)
250 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
251 }
252
253
wpa_auth_get_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var)254 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
255 const u8 *addr, wpa_eapol_variable var)
256 {
257 if (!wpa_auth->cb->get_eapol)
258 return -1;
259 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
260 }
261
262
wpa_auth_get_psk(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * p2p_dev_addr,const u8 * prev_psk,size_t * psk_len,int * vlan_id)263 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
264 const u8 *addr,
265 const u8 *p2p_dev_addr,
266 const u8 *prev_psk, size_t *psk_len,
267 int *vlan_id)
268 {
269 if (!wpa_auth->cb->get_psk)
270 return NULL;
271 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
272 prev_psk, psk_len, vlan_id);
273 }
274
275
wpa_auth_get_msk(struct wpa_authenticator * wpa_auth,const u8 * addr,u8 * msk,size_t * len)276 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
277 const u8 *addr, u8 *msk, size_t *len)
278 {
279 if (!wpa_auth->cb->get_msk)
280 return -1;
281 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
282 }
283
284
wpa_auth_set_key(struct wpa_authenticator * wpa_auth,int vlan_id,enum wpa_alg alg,const u8 * addr,int idx,u8 * key,size_t key_len,enum key_flag key_flag)285 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
286 int vlan_id,
287 enum wpa_alg alg, const u8 *addr, int idx,
288 u8 *key, size_t key_len,
289 enum key_flag key_flag)
290 {
291 if (!wpa_auth->cb->set_key)
292 return -1;
293 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
294 key, key_len, key_flag);
295 }
296
297
298 #ifdef CONFIG_PASN
wpa_auth_set_ltf_keyseed(struct wpa_authenticator * wpa_auth,const u8 * peer_addr,const u8 * ltf_keyseed,size_t ltf_keyseed_len)299 static inline int wpa_auth_set_ltf_keyseed(struct wpa_authenticator *wpa_auth,
300 const u8 *peer_addr,
301 const u8 *ltf_keyseed,
302 size_t ltf_keyseed_len)
303 {
304 if (!wpa_auth->cb->set_ltf_keyseed)
305 return -1;
306 return wpa_auth->cb->set_ltf_keyseed(wpa_auth->cb_ctx, peer_addr,
307 ltf_keyseed, ltf_keyseed_len);
308 }
309 #endif /* CONFIG_PASN */
310
311
wpa_auth_get_seqnum(struct wpa_authenticator * wpa_auth,const u8 * addr,int idx,u8 * seq)312 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
313 const u8 *addr, int idx, u8 *seq)
314 {
315 int res;
316
317 if (!wpa_auth->cb->get_seqnum)
318 return -1;
319 #ifdef CONFIG_TESTING_OPTIONS
320 os_memset(seq, 0, WPA_KEY_RSC_LEN);
321 #endif /* CONFIG_TESTING_OPTIONS */
322 res = wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
323 #ifdef CONFIG_TESTING_OPTIONS
324 if (!addr && idx < 4 && wpa_auth->conf.gtk_rsc_override_set) {
325 wpa_printf(MSG_DEBUG,
326 "TESTING: Override GTK RSC %016llx --> %016llx",
327 (long long unsigned) WPA_GET_LE64(seq),
328 (long long unsigned)
329 WPA_GET_LE64(wpa_auth->conf.gtk_rsc_override));
330 os_memcpy(seq, wpa_auth->conf.gtk_rsc_override,
331 WPA_KEY_RSC_LEN);
332 }
333 if (!addr && idx >= 4 && idx <= 5 &&
334 wpa_auth->conf.igtk_rsc_override_set) {
335 wpa_printf(MSG_DEBUG,
336 "TESTING: Override IGTK RSC %016llx --> %016llx",
337 (long long unsigned) WPA_GET_LE64(seq),
338 (long long unsigned)
339 WPA_GET_LE64(wpa_auth->conf.igtk_rsc_override));
340 os_memcpy(seq, wpa_auth->conf.igtk_rsc_override,
341 WPA_KEY_RSC_LEN);
342 }
343 #endif /* CONFIG_TESTING_OPTIONS */
344 return res;
345 }
346
347
348 static inline int
wpa_auth_send_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * data,size_t data_len,int encrypt)349 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
350 const u8 *data, size_t data_len, int encrypt)
351 {
352 if (!wpa_auth->cb->send_eapol)
353 return -1;
354 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
355 encrypt);
356 }
357
358
359 #ifdef CONFIG_MESH
wpa_auth_start_ampe(struct wpa_authenticator * wpa_auth,const u8 * addr)360 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
361 const u8 *addr)
362 {
363 if (!wpa_auth->cb->start_ampe)
364 return -1;
365 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
366 }
367 #endif /* CONFIG_MESH */
368
369
wpa_auth_for_each_sta(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_state_machine * sm,void * ctx),void * cb_ctx)370 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
371 int (*cb)(struct wpa_state_machine *sm, void *ctx),
372 void *cb_ctx)
373 {
374 if (!wpa_auth->cb->for_each_sta)
375 return 0;
376 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
377 }
378
379
wpa_auth_for_each_auth(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_authenticator * a,void * ctx),void * cb_ctx)380 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
381 int (*cb)(struct wpa_authenticator *a, void *ctx),
382 void *cb_ctx)
383 {
384 if (!wpa_auth->cb->for_each_auth)
385 return 0;
386 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
387 }
388
389
wpa_auth_store_ptksa(struct wpa_authenticator * wpa_auth,const u8 * addr,int cipher,u32 life_time,const struct wpa_ptk * ptk)390 void wpa_auth_store_ptksa(struct wpa_authenticator *wpa_auth,
391 const u8 *addr, int cipher,
392 u32 life_time, const struct wpa_ptk *ptk)
393 {
394 if (wpa_auth->cb->store_ptksa)
395 wpa_auth->cb->store_ptksa(wpa_auth->cb_ctx, addr, cipher,
396 life_time, ptk);
397 }
398
399
wpa_auth_remove_ptksa(struct wpa_authenticator * wpa_auth,const u8 * addr,int cipher)400 static void wpa_auth_remove_ptksa(struct wpa_authenticator *wpa_auth,
401 const u8 *addr, int cipher)
402 {
403 if (wpa_auth->cb->clear_ptksa)
404 wpa_auth->cb->clear_ptksa(wpa_auth->cb_ctx, addr, cipher);
405 }
406
407
wpa_auth_logger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * txt)408 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
409 logger_level level, const char *txt)
410 {
411 if (!wpa_auth->cb->logger)
412 return;
413 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
414 }
415
416
wpa_auth_vlogger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * fmt,...)417 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
418 logger_level level, const char *fmt, ...)
419 {
420 char *format;
421 int maxlen;
422 va_list ap;
423
424 if (!wpa_auth->cb->logger)
425 return;
426
427 maxlen = os_strlen(fmt) + 100;
428 format = os_malloc(maxlen);
429 if (!format)
430 return;
431
432 va_start(ap, fmt);
433 vsnprintf(format, maxlen, fmt, ap);
434 va_end(ap);
435
436 wpa_auth_logger(wpa_auth, addr, level, format);
437
438 os_free(format);
439 }
440
441
wpa_sta_disconnect(struct wpa_authenticator * wpa_auth,const u8 * addr,u16 reason)442 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
443 const u8 *addr, u16 reason)
444 {
445 if (!wpa_auth->cb->disconnect)
446 return;
447 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)",
448 MAC2STR(addr), reason);
449 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason);
450 }
451
452
453 #ifdef CONFIG_OCV
wpa_channel_info(struct wpa_authenticator * wpa_auth,struct wpa_channel_info * ci)454 static int wpa_channel_info(struct wpa_authenticator *wpa_auth,
455 struct wpa_channel_info *ci)
456 {
457 if (!wpa_auth->cb->channel_info)
458 return -1;
459 return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci);
460 }
461 #endif /* CONFIG_OCV */
462
463
wpa_auth_update_vlan(struct wpa_authenticator * wpa_auth,const u8 * addr,int vlan_id)464 static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth,
465 const u8 *addr, int vlan_id)
466 {
467 if (!wpa_auth->cb->update_vlan)
468 return -1;
469 return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id);
470 }
471
472
wpa_rekey_gmk(void * eloop_ctx,void * timeout_ctx)473 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
474 {
475 struct wpa_authenticator *wpa_auth = eloop_ctx;
476
477 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
478 wpa_printf(MSG_ERROR,
479 "Failed to get random data for WPA initialization.");
480 } else {
481 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
482 wpa_hexdump_key(MSG_DEBUG, "GMK",
483 wpa_auth->group->GMK, WPA_GMK_LEN);
484 }
485
486 if (wpa_auth->conf.wpa_gmk_rekey) {
487 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
488 wpa_rekey_gmk, wpa_auth, NULL);
489 }
490 }
491
492
wpa_rekey_all_groups(struct wpa_authenticator * wpa_auth)493 static void wpa_rekey_all_groups(struct wpa_authenticator *wpa_auth)
494 {
495 struct wpa_group *group, *next;
496
497 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
498 group = wpa_auth->group;
499 while (group) {
500 wpa_printf(MSG_DEBUG, "GTK rekey start for authenticator ("
501 MACSTR "), group vlan %d",
502 MAC2STR(wpa_auth->addr), group->vlan_id);
503 wpa_group_get(wpa_auth, group);
504
505 group->GTKReKey = true;
506 do {
507 group->changed = false;
508 wpa_group_sm_step(wpa_auth, group);
509 } while (group->changed);
510
511 next = group->next;
512 wpa_group_put(wpa_auth, group);
513 group = next;
514 }
515 }
516
517
518 #ifdef CONFIG_IEEE80211BE
519
wpa_update_all_gtks(struct wpa_authenticator * wpa_auth)520 static void wpa_update_all_gtks(struct wpa_authenticator *wpa_auth)
521 {
522 struct wpa_group *group, *next;
523
524 group = wpa_auth->group;
525 while (group) {
526 wpa_group_get(wpa_auth, group);
527
528 wpa_group_update_gtk(wpa_auth, group);
529 next = group->next;
530 wpa_group_put(wpa_auth, group);
531 group = next;
532 }
533 }
534
535
wpa_update_all_gtks_cb(struct wpa_authenticator * wpa_auth,void * ctx)536 static int wpa_update_all_gtks_cb(struct wpa_authenticator *wpa_auth, void *ctx)
537 {
538 const u8 *mld_addr = ctx;
539
540 if (!ether_addr_equal(wpa_auth->mld_addr, mld_addr))
541 return 0;
542
543 wpa_update_all_gtks(wpa_auth);
544 return 0;
545 }
546
547
wpa_rekey_all_groups_cb(struct wpa_authenticator * wpa_auth,void * ctx)548 static int wpa_rekey_all_groups_cb(struct wpa_authenticator *wpa_auth,
549 void *ctx)
550 {
551 const u8 *mld_addr = ctx;
552
553 if (!ether_addr_equal(wpa_auth->mld_addr, mld_addr))
554 return 0;
555
556 wpa_rekey_all_groups(wpa_auth);
557 return 0;
558 }
559
560 #endif /* CONFIG_IEEE80211BE */
561
562
wpa_rekey_gtk(void * eloop_ctx,void * timeout_ctx)563 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
564 {
565 struct wpa_authenticator *wpa_auth = eloop_ctx;
566
567 #ifdef CONFIG_IEEE80211BE
568 if (wpa_auth->is_ml) {
569 /* Non-primary ML authenticator eloop timer for group rekey is
570 * never started and shouldn't fire. Check and warn just in
571 * case. */
572 if (!wpa_auth->primary_auth) {
573 wpa_printf(MSG_DEBUG,
574 "RSN: Cannot start GTK rekey on non-primary ML authenticator");
575 return;
576 }
577
578 /* Generate all the new group keys */
579 wpa_auth_for_each_auth(wpa_auth, wpa_update_all_gtks_cb,
580 wpa_auth->mld_addr);
581
582 /* Send all the generated group keys to the respective stations
583 * with group key handshake. */
584 wpa_auth_for_each_auth(wpa_auth, wpa_rekey_all_groups_cb,
585 wpa_auth->mld_addr);
586 } else {
587 wpa_rekey_all_groups(wpa_auth);
588 }
589 #else /* CONFIG_IEEE80211BE */
590 wpa_rekey_all_groups(wpa_auth);
591 #endif /* CONFIG_IEEE80211BE */
592
593 if (wpa_auth->conf.wpa_group_rekey) {
594 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
595 0, wpa_rekey_gtk, wpa_auth, NULL);
596 }
597 }
598
599
wpa_rekey_ptk(void * eloop_ctx,void * timeout_ctx)600 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
601 {
602 struct wpa_authenticator *wpa_auth = eloop_ctx;
603 struct wpa_state_machine *sm = timeout_ctx;
604
605 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
606 "rekeying PTK");
607 wpa_request_new_ptk(sm);
608 wpa_sm_step(sm);
609 }
610
611
wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine * sm)612 void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine *sm)
613 {
614 if (sm && sm->wpa_auth->conf.wpa_ptk_rekey) {
615 wpa_printf(MSG_DEBUG, "WPA: Start PTK rekeying timer for "
616 MACSTR " (%d seconds)",
617 MAC2STR(wpa_auth_get_spa(sm)),
618 sm->wpa_auth->conf.wpa_ptk_rekey);
619 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
620 eloop_register_timeout(sm->wpa_auth->conf.wpa_ptk_rekey, 0,
621 wpa_rekey_ptk, sm->wpa_auth, sm);
622 }
623 }
624
625
wpa_auth_pmksa_clear_cb(struct wpa_state_machine * sm,void * ctx)626 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
627 {
628 if (sm->pmksa == ctx)
629 sm->pmksa = NULL;
630 return 0;
631 }
632
633
wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)634 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
635 void *ctx)
636 {
637 struct wpa_authenticator *wpa_auth = ctx;
638 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
639 }
640
641
wpa_group_init_gmk_and_counter(struct wpa_authenticator * wpa_auth,struct wpa_group * group)642 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
643 struct wpa_group *group)
644 {
645 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
646 u8 rkey[32];
647 unsigned long ptr;
648
649 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
650 return -1;
651 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
652
653 /*
654 * Counter = PRF-256(Random number, "Init Counter",
655 * Local MAC Address || Time)
656 */
657 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
658 wpa_get_ntp_timestamp(buf + ETH_ALEN);
659 ptr = (unsigned long) group;
660 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
661 #ifdef TEST_FUZZ
662 os_memset(buf + ETH_ALEN, 0xab, 8);
663 os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr));
664 #endif /* TEST_FUZZ */
665 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
666 return -1;
667
668 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
669 group->Counter, WPA_NONCE_LEN) < 0)
670 return -1;
671 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
672 group->Counter, WPA_NONCE_LEN);
673
674 return 0;
675 }
676
677
wpa_group_init(struct wpa_authenticator * wpa_auth,int vlan_id,int delay_init)678 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
679 int vlan_id, int delay_init)
680 {
681 struct wpa_group *group;
682
683 group = os_zalloc(sizeof(struct wpa_group));
684 if (!group)
685 return NULL;
686
687 group->GTKAuthenticator = true;
688 group->vlan_id = vlan_id;
689 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
690
691 if (random_pool_ready() != 1) {
692 wpa_printf(MSG_INFO,
693 "WPA: Not enough entropy in random pool for secure operations - update keys later when the first station connects");
694 }
695
696 /*
697 * Set initial GMK/Counter value here. The actual values that will be
698 * used in negotiations will be set once the first station tries to
699 * connect. This allows more time for collecting additional randomness
700 * on embedded devices.
701 */
702 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
703 wpa_printf(MSG_ERROR,
704 "Failed to get random data for WPA initialization.");
705 os_free(group);
706 return NULL;
707 }
708
709 group->GInit = true;
710 if (delay_init) {
711 wpa_printf(MSG_DEBUG,
712 "WPA: Delay group state machine start until Beacon frames have been configured");
713 /* Initialization is completed in wpa_init_keys(). */
714 } else {
715 wpa_group_sm_step(wpa_auth, group);
716 group->GInit = false;
717 wpa_group_sm_step(wpa_auth, group);
718 }
719
720 return group;
721 }
722
723
724 /**
725 * wpa_init - Initialize WPA authenticator
726 * @addr: Authenticator address
727 * @conf: Configuration for WPA authenticator
728 * @cb: Callback functions for WPA authenticator
729 * Returns: Pointer to WPA authenticator data or %NULL on failure
730 */
wpa_init(const u8 * addr,struct wpa_auth_config * conf,const struct wpa_auth_callbacks * cb,void * cb_ctx)731 struct wpa_authenticator * wpa_init(const u8 *addr,
732 struct wpa_auth_config *conf,
733 const struct wpa_auth_callbacks *cb,
734 void *cb_ctx)
735 {
736 struct wpa_authenticator *wpa_auth;
737
738 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
739 if (!wpa_auth)
740 return NULL;
741
742 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
743 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
744
745 #ifdef CONFIG_IEEE80211BE
746 if (conf->mld_addr) {
747 wpa_auth->is_ml = true;
748 wpa_auth->link_id = conf->link_id;
749 wpa_auth->primary_auth = !conf->first_link_auth;
750 os_memcpy(wpa_auth->mld_addr, conf->mld_addr, ETH_ALEN);
751 }
752 #endif /* CONFIG_IEEE80211BE */
753
754 wpa_auth->cb = cb;
755 wpa_auth->cb_ctx = cb_ctx;
756
757 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
758 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
759 os_free(wpa_auth);
760 return NULL;
761 }
762
763 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
764 if (!wpa_auth->group) {
765 os_free(wpa_auth->wpa_ie);
766 os_free(wpa_auth);
767 return NULL;
768 }
769
770 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
771 wpa_auth);
772 if (!wpa_auth->pmksa) {
773 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
774 os_free(wpa_auth->group);
775 os_free(wpa_auth->wpa_ie);
776 os_free(wpa_auth);
777 return NULL;
778 }
779
780 #ifdef CONFIG_IEEE80211R_AP
781 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
782 if (!wpa_auth->ft_pmk_cache) {
783 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
784 os_free(wpa_auth->group);
785 os_free(wpa_auth->wpa_ie);
786 pmksa_cache_auth_deinit(wpa_auth->pmksa);
787 os_free(wpa_auth);
788 return NULL;
789 }
790 #endif /* CONFIG_IEEE80211R_AP */
791
792 if (wpa_auth->conf.wpa_gmk_rekey) {
793 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
794 wpa_rekey_gmk, wpa_auth, NULL);
795 }
796
797 #ifdef CONFIG_IEEE80211BE
798 /* For AP MLD, run group rekey timer only on one link (first) and
799 * whenever it fires do rekey on all associated ML links in one shot.
800 */
801 if ((!wpa_auth->is_ml || !conf->first_link_auth) &&
802 wpa_auth->conf.wpa_group_rekey) {
803 #else /* CONFIG_IEEE80211BE */
804 if (wpa_auth->conf.wpa_group_rekey) {
805 #endif /* CONFIG_IEEE80211BE */
806 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
807 wpa_rekey_gtk, wpa_auth, NULL);
808 }
809
810 #ifdef CONFIG_P2P
811 if (WPA_GET_BE32(conf->ip_addr_start)) {
812 int count = WPA_GET_BE32(conf->ip_addr_end) -
813 WPA_GET_BE32(conf->ip_addr_start) + 1;
814 if (count > 1000)
815 count = 1000;
816 if (count > 0)
817 wpa_auth->ip_pool = bitfield_alloc(count);
818 }
819 #endif /* CONFIG_P2P */
820
821 if (conf->tx_bss_auth && conf->beacon_prot) {
822 conf->tx_bss_auth->non_tx_beacon_prot = true;
823 if (!conf->tx_bss_auth->conf.beacon_prot)
824 conf->tx_bss_auth->conf.beacon_prot = true;
825 if (!conf->tx_bss_auth->conf.group_mgmt_cipher)
826 conf->tx_bss_auth->conf.group_mgmt_cipher =
827 conf->group_mgmt_cipher;
828 }
829
830 return wpa_auth;
831 }
832
833
834 int wpa_init_keys(struct wpa_authenticator *wpa_auth)
835 {
836 struct wpa_group *group = wpa_auth->group;
837
838 wpa_printf(MSG_DEBUG,
839 "WPA: Start group state machine to set initial keys");
840 wpa_group_sm_step(wpa_auth, group);
841 group->GInit = false;
842 wpa_group_sm_step(wpa_auth, group);
843 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
844 return -1;
845 return 0;
846 }
847
848
849 static void wpa_auth_free_conf(struct wpa_auth_config *conf)
850 {
851 #ifdef CONFIG_TESTING_OPTIONS
852 wpabuf_free(conf->eapol_m1_elements);
853 conf->eapol_m1_elements = NULL;
854 wpabuf_free(conf->eapol_m3_elements);
855 conf->eapol_m3_elements = NULL;
856 #endif /* CONFIG_TESTING_OPTIONS */
857 }
858
859
860 /**
861 * wpa_deinit - Deinitialize WPA authenticator
862 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
863 */
864 void wpa_deinit(struct wpa_authenticator *wpa_auth)
865 {
866 struct wpa_group *group, *prev;
867
868 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
869
870 /* TODO: Assign ML primary authenticator to next link authenticator and
871 * start rekey timer. */
872 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
873
874 pmksa_cache_auth_deinit(wpa_auth->pmksa);
875
876 #ifdef CONFIG_IEEE80211R_AP
877 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
878 wpa_auth->ft_pmk_cache = NULL;
879 wpa_ft_deinit(wpa_auth);
880 #endif /* CONFIG_IEEE80211R_AP */
881
882 #ifdef CONFIG_P2P
883 bitfield_free(wpa_auth->ip_pool);
884 #endif /* CONFIG_P2P */
885
886
887 os_free(wpa_auth->wpa_ie);
888
889 group = wpa_auth->group;
890 while (group) {
891 prev = group;
892 group = group->next;
893 bin_clear_free(prev, sizeof(*prev));
894 }
895
896 wpa_auth_free_conf(&wpa_auth->conf);
897 os_free(wpa_auth);
898 }
899
900
901 /**
902 * wpa_reconfig - Update WPA authenticator configuration
903 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
904 * @conf: Configuration for WPA authenticator
905 */
906 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
907 struct wpa_auth_config *conf)
908 {
909 struct wpa_group *group;
910
911 if (!wpa_auth)
912 return 0;
913
914 wpa_auth_free_conf(&wpa_auth->conf);
915 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
916 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
917 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
918 return -1;
919 }
920
921 /*
922 * Reinitialize GTK to make sure it is suitable for the new
923 * configuration.
924 */
925 group = wpa_auth->group;
926 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
927 group->GInit = true;
928 wpa_group_sm_step(wpa_auth, group);
929 group->GInit = false;
930 wpa_group_sm_step(wpa_auth, group);
931
932 return 0;
933 }
934
935
936 struct wpa_state_machine *
937 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
938 const u8 *p2p_dev_addr)
939 {
940 struct wpa_state_machine *sm;
941
942 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
943 return NULL;
944
945 sm = os_zalloc(sizeof(struct wpa_state_machine));
946 if (!sm)
947 return NULL;
948 os_memcpy(sm->addr, addr, ETH_ALEN);
949 if (p2p_dev_addr)
950 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
951
952 sm->wpa_auth = wpa_auth;
953 sm->group = wpa_auth->group;
954 wpa_group_get(sm->wpa_auth, sm->group);
955 #ifdef CONFIG_IEEE80211BE
956 sm->mld_assoc_link_id = -1;
957 #endif /* CONFIG_IEEE80211BE */
958
959 return sm;
960 }
961
962
963 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
964 struct wpa_state_machine *sm)
965 {
966 if (!wpa_auth || !wpa_auth->conf.wpa || !sm)
967 return -1;
968
969 #ifdef CONFIG_IEEE80211R_AP
970 if (sm->ft_completed) {
971 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
972 "FT authentication already completed - do not start 4-way handshake");
973 /* Go to PTKINITDONE state to allow GTK rekeying */
974 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
975 sm->Pair = true;
976 return 0;
977 }
978 #endif /* CONFIG_IEEE80211R_AP */
979
980 #ifdef CONFIG_FILS
981 if (sm->fils_completed) {
982 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
983 "FILS authentication already completed - do not start 4-way handshake");
984 /* Go to PTKINITDONE state to allow GTK rekeying */
985 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
986 sm->Pair = true;
987 return 0;
988 }
989 #endif /* CONFIG_FILS */
990
991 if (sm->started) {
992 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
993 sm->ReAuthenticationRequest = true;
994 return wpa_sm_step(sm);
995 }
996
997 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
998 "start authentication");
999 sm->started = 1;
1000
1001 sm->Init = true;
1002 if (wpa_sm_step(sm) == 1)
1003 return 1; /* should not really happen */
1004 sm->Init = false;
1005 sm->AuthenticationRequest = true;
1006 return wpa_sm_step(sm);
1007 }
1008
1009
1010 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
1011 {
1012 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
1013 * reassociates back to the same AP while the previous entry for the
1014 * STA has not yet been removed. */
1015 if (!sm)
1016 return;
1017
1018 sm->wpa_key_mgmt = 0;
1019 }
1020
1021
1022 static void wpa_free_sta_sm(struct wpa_state_machine *sm)
1023 {
1024 #ifdef CONFIG_IEEE80211BE
1025 int link_id;
1026 #endif /* CONFIG_IEEE80211BE */
1027
1028 #ifdef CONFIG_P2P
1029 if (WPA_GET_BE32(sm->ip_addr)) {
1030 wpa_printf(MSG_DEBUG,
1031 "P2P: Free assigned IP address %u.%u.%u.%u from "
1032 MACSTR " (bit %u)",
1033 sm->ip_addr[0], sm->ip_addr[1],
1034 sm->ip_addr[2], sm->ip_addr[3],
1035 MAC2STR(wpa_auth_get_spa(sm)),
1036 sm->ip_addr_bit);
1037 bitfield_clear(sm->wpa_auth->ip_pool, sm->ip_addr_bit);
1038 }
1039 #endif /* CONFIG_P2P */
1040 if (sm->GUpdateStationKeys)
1041 wpa_gkeydone_sta(sm);
1042 #ifdef CONFIG_IEEE80211R_AP
1043 os_free(sm->assoc_resp_ftie);
1044 wpabuf_free(sm->ft_pending_req_ies);
1045 #endif /* CONFIG_IEEE80211R_AP */
1046 os_free(sm->last_rx_eapol_key);
1047 os_free(sm->wpa_ie);
1048 os_free(sm->rsnxe);
1049 #ifdef CONFIG_IEEE80211BE
1050 for_each_sm_auth(sm, link_id) {
1051 wpa_group_put(sm->mld_links[link_id].wpa_auth,
1052 sm->mld_links[link_id].wpa_auth->group);
1053 sm->mld_links[link_id].wpa_auth = NULL;
1054 }
1055 #endif /* CONFIG_IEEE80211BE */
1056 wpa_group_put(sm->wpa_auth, sm->group);
1057 #ifdef CONFIG_DPP2
1058 wpabuf_clear_free(sm->dpp_z);
1059 #endif /* CONFIG_DPP2 */
1060 bin_clear_free(sm, sizeof(*sm));
1061 }
1062
1063
1064 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
1065 {
1066 struct wpa_authenticator *wpa_auth;
1067
1068 if (!sm)
1069 return;
1070
1071 wpa_auth = sm->wpa_auth;
1072 if (wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
1073 struct wpa_authenticator *primary_auth = wpa_auth;
1074
1075 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1076 "strict rekeying - force GTK rekey since STA is leaving");
1077
1078 #ifdef CONFIG_IEEE80211BE
1079 if (wpa_auth->is_ml && !wpa_auth->primary_auth)
1080 primary_auth = wpa_get_primary_auth(wpa_auth);
1081 #endif /* CONFIG_IEEE80211BE */
1082
1083 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk,
1084 primary_auth, NULL) == -1)
1085 eloop_register_timeout(0, 500000, wpa_rekey_gtk,
1086 primary_auth, NULL);
1087 }
1088
1089 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1090 sm->pending_1_of_4_timeout = 0;
1091 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
1092 eloop_cancel_timeout(wpa_rekey_ptk, wpa_auth, sm);
1093 #ifdef CONFIG_IEEE80211R_AP
1094 wpa_ft_sta_deinit(sm);
1095 #endif /* CONFIG_IEEE80211R_AP */
1096 if (sm->in_step_loop) {
1097 /* Must not free state machine while wpa_sm_step() is running.
1098 * Freeing will be completed in the end of wpa_sm_step(). */
1099 wpa_printf(MSG_DEBUG,
1100 "WPA: Registering pending STA state machine deinit for "
1101 MACSTR, MAC2STR(wpa_auth_get_spa(sm)));
1102 sm->pending_deinit = 1;
1103 } else
1104 wpa_free_sta_sm(sm);
1105 }
1106
1107
1108 static void wpa_request_new_ptk(struct wpa_state_machine *sm)
1109 {
1110 if (!sm)
1111 return;
1112
1113 if (!sm->use_ext_key_id && sm->wpa_auth->conf.wpa_deny_ptk0_rekey) {
1114 wpa_printf(MSG_INFO,
1115 "WPA: PTK0 rekey not allowed, disconnect " MACSTR,
1116 MAC2STR(wpa_auth_get_spa(sm)));
1117 sm->Disconnect = true;
1118 /* Try to encourage the STA to reconnect */
1119 sm->disconnect_reason =
1120 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA;
1121 } else {
1122 if (sm->use_ext_key_id)
1123 sm->keyidx_active ^= 1; /* flip Key ID */
1124 sm->PTKRequest = true;
1125 sm->PTK_valid = 0;
1126 }
1127 }
1128
1129
1130 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
1131 const u8 *replay_counter)
1132 {
1133 int i;
1134 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1135 if (!ctr[i].valid)
1136 break;
1137 if (os_memcmp(replay_counter, ctr[i].counter,
1138 WPA_REPLAY_COUNTER_LEN) == 0)
1139 return 1;
1140 }
1141 return 0;
1142 }
1143
1144
1145 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
1146 const u8 *replay_counter)
1147 {
1148 int i;
1149 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1150 if (ctr[i].valid &&
1151 (!replay_counter ||
1152 os_memcmp(replay_counter, ctr[i].counter,
1153 WPA_REPLAY_COUNTER_LEN) == 0))
1154 ctr[i].valid = false;
1155 }
1156 }
1157
1158
1159 #ifdef CONFIG_IEEE80211R_AP
1160 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
1161 struct wpa_state_machine *sm,
1162 struct wpa_eapol_ie_parse *kde)
1163 {
1164 struct wpa_ie_data ie, assoc_ie;
1165 struct rsn_mdie *mdie;
1166 unsigned int i, j;
1167 bool found = false;
1168
1169 /* Verify that PMKR1Name from EAPOL-Key message 2/4 matches the value
1170 * we derived. */
1171
1172 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
1173 ie.num_pmkid < 1 || !ie.pmkid) {
1174 wpa_printf(MSG_DEBUG,
1175 "FT: No PMKR1Name in FT 4-way handshake message 2/4");
1176 return -1;
1177 }
1178
1179 if (wpa_parse_wpa_ie_rsn(sm->wpa_ie, sm->wpa_ie_len, &assoc_ie) < 0) {
1180 wpa_printf(MSG_DEBUG,
1181 "FT: Could not parse (Re)Association Request frame RSNE");
1182 os_memset(&assoc_ie, 0, sizeof(assoc_ie));
1183 /* Continue to allow PMKR1Name matching to be done to cover the
1184 * case where it is the only listed PMKID. */
1185 }
1186
1187 for (i = 0; i < ie.num_pmkid; i++) {
1188 const u8 *pmkid = ie.pmkid + i * PMKID_LEN;
1189
1190 if (os_memcmp_const(pmkid, sm->pmk_r1_name,
1191 WPA_PMK_NAME_LEN) == 0) {
1192 wpa_printf(MSG_DEBUG,
1193 "FT: RSNE[PMKID[%u]] from supplicant matches PMKR1Name",
1194 i);
1195 found = true;
1196 } else {
1197 for (j = 0; j < assoc_ie.num_pmkid; j++) {
1198 if (os_memcmp(pmkid,
1199 assoc_ie.pmkid + j * PMKID_LEN,
1200 PMKID_LEN) == 0)
1201 break;
1202 }
1203
1204 if (j == assoc_ie.num_pmkid) {
1205 wpa_printf(MSG_DEBUG,
1206 "FT: RSNE[PMKID[%u]] from supplicant is neither PMKR1Name nor included in AssocReq",
1207 i);
1208 found = false;
1209 break;
1210 }
1211 wpa_printf(MSG_DEBUG,
1212 "FT: RSNE[PMKID[%u]] from supplicant is not PMKR1Name, but matches a PMKID in AssocReq",
1213 i);
1214 }
1215 }
1216
1217 if (!found) {
1218 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
1219 LOGGER_DEBUG,
1220 "PMKR1Name mismatch in FT 4-way handshake");
1221 wpa_hexdump(MSG_DEBUG,
1222 "FT: PMKIDs/PMKR1Name from Supplicant",
1223 ie.pmkid, ie.num_pmkid * PMKID_LEN);
1224 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1225 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1226 return -1;
1227 }
1228
1229 if (!kde->mdie || !kde->ftie) {
1230 wpa_printf(MSG_DEBUG,
1231 "FT: No %s in FT 4-way handshake message 2/4",
1232 kde->mdie ? "FTIE" : "MDIE");
1233 return -1;
1234 }
1235
1236 mdie = (struct rsn_mdie *) (kde->mdie + 2);
1237 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
1238 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
1239 MOBILITY_DOMAIN_ID_LEN) != 0) {
1240 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
1241 return -1;
1242 }
1243
1244 if (sm->assoc_resp_ftie &&
1245 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
1246 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
1247 2 + sm->assoc_resp_ftie[1]) != 0)) {
1248 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
1249 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
1250 kde->ftie, kde->ftie_len);
1251 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
1252 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
1253 return -1;
1254 }
1255
1256 return 0;
1257 }
1258 #endif /* CONFIG_IEEE80211R_AP */
1259
1260
1261 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
1262 struct wpa_state_machine *sm, int group)
1263 {
1264 /* Supplicant reported a Michael MIC error */
1265 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1266 "received EAPOL-Key Error Request (STA detected Michael MIC failure (group=%d))",
1267 group);
1268
1269 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
1270 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1271 "ignore Michael MIC failure report since group cipher is not TKIP");
1272 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
1273 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1274 "ignore Michael MIC failure report since pairwise cipher is not TKIP");
1275 } else {
1276 if (wpa_auth_mic_failure_report(wpa_auth,
1277 wpa_auth_get_spa(sm)) > 0)
1278 return 1; /* STA entry was removed */
1279 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
1280 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
1281 }
1282
1283 /*
1284 * Error report is not a request for a new key handshake, but since
1285 * Authenticator may do it, let's change the keys now anyway.
1286 */
1287 wpa_request_new_ptk(sm);
1288 return 0;
1289 }
1290
1291
1292 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
1293 size_t data_len)
1294 {
1295 struct wpa_ptk PTK;
1296 int ok = 0;
1297 const u8 *pmk = NULL;
1298 size_t pmk_len;
1299 int vlan_id = 0;
1300 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
1301 u8 pmk_r1[PMK_LEN_MAX];
1302 size_t key_len;
1303 int ret = -1;
1304
1305 os_memset(&PTK, 0, sizeof(PTK));
1306 for (;;) {
1307 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
1308 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
1309 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
1310 sm->p2p_dev_addr, pmk, &pmk_len,
1311 &vlan_id);
1312 if (!pmk)
1313 break;
1314 #ifdef CONFIG_IEEE80211R_AP
1315 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
1316 os_memcpy(sm->xxkey, pmk, pmk_len);
1317 sm->xxkey_len = pmk_len;
1318 }
1319 #endif /* CONFIG_IEEE80211R_AP */
1320 } else {
1321 pmk = sm->PMK;
1322 pmk_len = sm->pmk_len;
1323 }
1324
1325 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK, 0,
1326 pmk_r0, pmk_r1, pmk_r0_name, &key_len,
1327 false) < 0)
1328 break;
1329
1330 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
1331 data, data_len) == 0) {
1332 if (sm->PMK != pmk) {
1333 os_memcpy(sm->PMK, pmk, pmk_len);
1334 sm->pmk_len = pmk_len;
1335 }
1336 ok = 1;
1337 break;
1338 }
1339
1340 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
1341 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
1342 break;
1343 }
1344
1345 if (!ok) {
1346 wpa_printf(MSG_DEBUG,
1347 "WPA: Earlier SNonce did not result in matching MIC");
1348 goto fail;
1349 }
1350
1351 wpa_printf(MSG_DEBUG,
1352 "WPA: Earlier SNonce resulted in matching MIC");
1353 sm->alt_snonce_valid = 0;
1354
1355 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
1356 wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0)
1357 goto fail;
1358
1359 #ifdef CONFIG_IEEE80211R_AP
1360 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) && !sm->ft_completed) {
1361 wpa_printf(MSG_DEBUG, "FT: Store PMK-R0/PMK-R1");
1362 wpa_auth_ft_store_keys(sm, pmk_r0, pmk_r1, pmk_r0_name,
1363 key_len);
1364 }
1365 #endif /* CONFIG_IEEE80211R_AP */
1366
1367 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
1368 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
1369 forced_memzero(&PTK, sizeof(PTK));
1370 sm->PTK_valid = true;
1371
1372 ret = 0;
1373 fail:
1374 forced_memzero(pmk_r0, sizeof(pmk_r0));
1375 forced_memzero(pmk_r1, sizeof(pmk_r1));
1376 return ret;
1377 }
1378
1379
1380 static bool wpa_auth_gtk_rekey_in_process(struct wpa_authenticator *wpa_auth)
1381 {
1382 struct wpa_group *group;
1383
1384 for (group = wpa_auth->group; group; group = group->next) {
1385 if (group->GKeyDoneStations)
1386 return true;
1387 }
1388 return false;
1389 }
1390
1391
1392 enum eapol_key_msg { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST };
1393
1394 static bool wpa_auth_valid_key_desc_ver(struct wpa_authenticator *wpa_auth,
1395 struct wpa_state_machine *sm, u16 ver)
1396 {
1397 if (ver > WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1398 wpa_printf(MSG_INFO, "RSN: " MACSTR
1399 " used undefined Key Descriptor Version %d",
1400 MAC2STR(wpa_auth_get_spa(sm)), ver);
1401 return false;
1402 }
1403
1404 if (!wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1405 wpa_use_cmac(sm->wpa_key_mgmt) &&
1406 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1407 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1408 LOGGER_WARNING,
1409 "advertised support for AES-128-CMAC, but did not use it");
1410 return false;
1411 }
1412
1413 if (sm->pairwise != WPA_CIPHER_TKIP &&
1414 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1415 !wpa_use_cmac(sm->wpa_key_mgmt) &&
1416 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1417 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1418 LOGGER_WARNING,
1419 "did not use HMAC-SHA1-AES with CCMP/GCMP");
1420 return false;
1421 }
1422
1423 if (wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1424 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1425 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1426 LOGGER_WARNING,
1427 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1428 return false;
1429 }
1430
1431 return true;
1432 }
1433
1434
1435 static bool wpa_auth_valid_request_counter(struct wpa_authenticator *wpa_auth,
1436 struct wpa_state_machine *sm,
1437 const u8 *replay_counter)
1438 {
1439
1440 if (sm->req_replay_counter_used &&
1441 os_memcmp(replay_counter, sm->req_replay_counter,
1442 WPA_REPLAY_COUNTER_LEN) <= 0) {
1443 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1444 LOGGER_WARNING,
1445 "received EAPOL-Key request with replayed counter");
1446 return false;
1447 }
1448
1449 return true;
1450 }
1451
1452
1453 static bool wpa_auth_valid_counter(struct wpa_authenticator *wpa_auth,
1454 struct wpa_state_machine *sm,
1455 const struct wpa_eapol_key *key,
1456 enum eapol_key_msg msg,
1457 const char *msgtxt)
1458 {
1459 int i;
1460
1461 if (msg == REQUEST)
1462 return wpa_auth_valid_request_counter(wpa_auth, sm,
1463 key->replay_counter);
1464
1465 if (wpa_replay_counter_valid(sm->key_replay, key->replay_counter))
1466 return true;
1467
1468 if (msg == PAIRWISE_2 &&
1469 wpa_replay_counter_valid(sm->prev_key_replay,
1470 key->replay_counter) &&
1471 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1472 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
1473 /*
1474 * Some supplicant implementations (e.g., Windows XP
1475 * WZC) update SNonce for each EAPOL-Key 2/4. This
1476 * breaks the workaround on accepting any of the
1477 * pending requests, so allow the SNonce to be updated
1478 * even if we have already sent out EAPOL-Key 3/4.
1479 */
1480 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1481 LOGGER_DEBUG,
1482 "Process SNonce update from STA based on retransmitted EAPOL-Key 1/4");
1483 sm->update_snonce = 1;
1484 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1485 sm->alt_snonce_valid = true;
1486 os_memcpy(sm->alt_replay_counter,
1487 sm->key_replay[0].counter,
1488 WPA_REPLAY_COUNTER_LEN);
1489 return true;
1490 }
1491
1492 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1493 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1494 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1495 WPA_REPLAY_COUNTER_LEN) == 0) {
1496 /*
1497 * Supplicant may still be using the old SNonce since
1498 * there was two EAPOL-Key 2/4 messages and they had
1499 * different SNonce values.
1500 */
1501 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1502 LOGGER_DEBUG,
1503 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
1504 return true;
1505 }
1506
1507 if (msg == PAIRWISE_2 &&
1508 wpa_replay_counter_valid(sm->prev_key_replay,
1509 key->replay_counter) &&
1510 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1511 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1512 LOGGER_DEBUG,
1513 "ignore retransmitted EAPOL-Key %s - SNonce did not change",
1514 msgtxt);
1515 } else {
1516 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1517 LOGGER_DEBUG,
1518 "received EAPOL-Key %s with unexpected replay counter",
1519 msgtxt);
1520 }
1521 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1522 if (!sm->key_replay[i].valid)
1523 break;
1524 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1525 sm->key_replay[i].counter,
1526 WPA_REPLAY_COUNTER_LEN);
1527 }
1528 wpa_hexdump(MSG_DEBUG, "received replay counter",
1529 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1530 return false;
1531 }
1532
1533
1534 void wpa_receive(struct wpa_authenticator *wpa_auth,
1535 struct wpa_state_machine *sm,
1536 u8 *data, size_t data_len)
1537 {
1538 struct ieee802_1x_hdr *hdr;
1539 struct wpa_eapol_key *key;
1540 u16 key_info, ver, key_data_length;
1541 enum eapol_key_msg msg;
1542 const char *msgtxt;
1543 const u8 *key_data;
1544 size_t keyhdrlen, mic_len;
1545 u8 *mic;
1546 u8 *key_data_buf = NULL;
1547 size_t key_data_buf_len = 0;
1548
1549 if (!wpa_auth || !wpa_auth->conf.wpa || !sm)
1550 return;
1551
1552 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
1553
1554 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
1555 keyhdrlen = sizeof(*key) + mic_len + 2;
1556
1557 if (data_len < sizeof(*hdr) + keyhdrlen) {
1558 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
1559 return;
1560 }
1561
1562 hdr = (struct ieee802_1x_hdr *) data;
1563 key = (struct wpa_eapol_key *) (hdr + 1);
1564 mic = (u8 *) (key + 1);
1565 key_info = WPA_GET_BE16(key->key_info);
1566 key_data = mic + mic_len + 2;
1567 key_data_length = WPA_GET_BE16(mic + mic_len);
1568 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
1569 " key_info=0x%x type=%u mic_len=%zu key_data_length=%u",
1570 MAC2STR(wpa_auth_get_spa(sm)), key_info, key->type,
1571 mic_len, key_data_length);
1572 wpa_hexdump(MSG_MSGDUMP,
1573 "WPA: EAPOL-Key header (ending before Key MIC)",
1574 key, sizeof(*key));
1575 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
1576 mic, mic_len);
1577 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
1578 wpa_printf(MSG_INFO,
1579 "WPA: Invalid EAPOL-Key frame - key_data overflow (%d > %zu)",
1580 key_data_length,
1581 data_len - sizeof(*hdr) - keyhdrlen);
1582 return;
1583 }
1584
1585 if (sm->wpa == WPA_VERSION_WPA2) {
1586 if (key->type == EAPOL_KEY_TYPE_WPA) {
1587 /*
1588 * Some deployed station implementations seem to send
1589 * msg 4/4 with incorrect type value in WPA2 mode.
1590 */
1591 wpa_printf(MSG_DEBUG,
1592 "Workaround: Allow EAPOL-Key with unexpected WPA type in RSN mode");
1593 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
1594 wpa_printf(MSG_DEBUG,
1595 "Ignore EAPOL-Key with unexpected type %d in RSN mode",
1596 key->type);
1597 return;
1598 }
1599 } else {
1600 if (key->type != EAPOL_KEY_TYPE_WPA) {
1601 wpa_printf(MSG_DEBUG,
1602 "Ignore EAPOL-Key with unexpected type %d in WPA mode",
1603 key->type);
1604 return;
1605 }
1606 }
1607
1608 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
1609 WPA_NONCE_LEN);
1610 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
1611 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1612
1613 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
1614 * are set */
1615
1616 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
1617 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message");
1618 return;
1619 }
1620
1621 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
1622 if (!wpa_auth_valid_key_desc_ver(wpa_auth, sm, ver))
1623 goto out;
1624 if (mic_len > 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1625 sm->PTK_valid &&
1626 (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1627 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
1628 wpa_use_aes_key_wrap(sm->wpa_key_mgmt)) &&
1629 key_data_length >= 8 && key_data_length % 8 == 0) {
1630 key_data_length -= 8; /* AES-WRAP adds 8 bytes */
1631 key_data_buf = os_malloc(key_data_length);
1632 if (!key_data_buf)
1633 goto out;
1634 key_data_buf_len = key_data_length;
1635 if (aes_unwrap(sm->PTK.kek, sm->PTK.kek_len,
1636 key_data_length / 8, key_data, key_data_buf)) {
1637 wpa_printf(MSG_INFO,
1638 "RSN: AES unwrap failed - could not decrypt EAPOL-Key key data");
1639 goto out;
1640 }
1641 key_data = key_data_buf;
1642 wpa_hexdump_key(MSG_DEBUG, "RSN: Decrypted EAPOL-Key Key Data",
1643 key_data, key_data_length);
1644 }
1645
1646 if (key_info & WPA_KEY_INFO_REQUEST) {
1647 msg = REQUEST;
1648 msgtxt = "Request";
1649 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
1650 msg = GROUP_2;
1651 msgtxt = "2/2 Group";
1652 } else if (key_data_length == 0 ||
1653 (sm->wpa == WPA_VERSION_WPA2 &&
1654 (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA) ||
1655 key_data_buf) &&
1656 (key_info & WPA_KEY_INFO_SECURE) &&
1657 !get_ie(key_data, key_data_length, WLAN_EID_RSN)) ||
1658 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1659 key_data_length == AES_BLOCK_SIZE)) {
1660 msg = PAIRWISE_4;
1661 msgtxt = "4/4 Pairwise";
1662 } else {
1663 msg = PAIRWISE_2;
1664 msgtxt = "2/4 Pairwise";
1665 }
1666
1667 if (!wpa_auth_valid_counter(wpa_auth, sm, key, msg, msgtxt))
1668 goto out;
1669
1670 #ifdef CONFIG_FILS
1671 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1672 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1673 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1674 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1675 goto out;
1676 }
1677 #endif /* CONFIG_FILS */
1678
1679 switch (msg) {
1680 case PAIRWISE_2:
1681 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
1682 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1683 (!sm->update_snonce ||
1684 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
1685 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1686 LOGGER_INFO,
1687 "received EAPOL-Key msg 2/4 in invalid state (%d) - dropped",
1688 sm->wpa_ptk_state);
1689 goto out;
1690 }
1691 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
1692 if (sm->group->reject_4way_hs_for_entropy) {
1693 /*
1694 * The system did not have enough entropy to generate
1695 * strong random numbers. Reject the first 4-way
1696 * handshake(s) and collect some entropy based on the
1697 * information from it. Once enough entropy is
1698 * available, the next atempt will trigger GMK/Key
1699 * Counter update and the station will be allowed to
1700 * continue.
1701 */
1702 wpa_printf(MSG_DEBUG,
1703 "WPA: Reject 4-way handshake to collect more entropy for random number generation");
1704 random_mark_pool_ready();
1705 wpa_sta_disconnect(wpa_auth, sm->addr,
1706 WLAN_REASON_PREV_AUTH_NOT_VALID);
1707 goto out;
1708 }
1709 break;
1710 case PAIRWISE_4:
1711 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1712 !sm->PTK_valid) {
1713 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1714 LOGGER_INFO,
1715 "received EAPOL-Key msg 4/4 in invalid state (%d) - dropped",
1716 sm->wpa_ptk_state);
1717 goto out;
1718 }
1719 break;
1720 case GROUP_2:
1721 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1722 || !sm->PTK_valid) {
1723 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1724 LOGGER_INFO,
1725 "received EAPOL-Key msg 2/2 in invalid state (%d) - dropped",
1726 sm->wpa_ptk_group_state);
1727 goto out;
1728 }
1729 break;
1730 case REQUEST:
1731 if (sm->wpa_ptk_state == WPA_PTK_PTKSTART ||
1732 sm->wpa_ptk_state == WPA_PTK_PTKCALCNEGOTIATING ||
1733 sm->wpa_ptk_state == WPA_PTK_PTKCALCNEGOTIATING2 ||
1734 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1735 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1736 LOGGER_INFO,
1737 "received EAPOL-Key Request in invalid state (%d) - dropped",
1738 sm->wpa_ptk_state);
1739 goto out;
1740 }
1741 break;
1742 }
1743
1744 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1745 "received EAPOL-Key frame (%s)", msgtxt);
1746
1747 if (key_info & WPA_KEY_INFO_ACK) {
1748 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1749 "received invalid EAPOL-Key: Key Ack set");
1750 goto out;
1751 }
1752
1753 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1754 !(key_info & WPA_KEY_INFO_MIC)) {
1755 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1756 "received invalid EAPOL-Key: Key MIC not set");
1757 goto out;
1758 }
1759
1760 #ifdef CONFIG_FILS
1761 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1762 (key_info & WPA_KEY_INFO_MIC)) {
1763 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1764 "received invalid EAPOL-Key: Key MIC set");
1765 goto out;
1766 }
1767 #endif /* CONFIG_FILS */
1768
1769 sm->MICVerified = false;
1770 if (sm->PTK_valid && !sm->update_snonce) {
1771 if (mic_len &&
1772 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK,
1773 data, data_len) &&
1774 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1775 wpa_try_alt_snonce(sm, data, data_len))) {
1776 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1777 LOGGER_INFO,
1778 "received EAPOL-Key with invalid MIC");
1779 #ifdef TEST_FUZZ
1780 wpa_printf(MSG_INFO,
1781 "TEST: Ignore Key MIC failure for fuzz testing");
1782 goto continue_fuzz;
1783 #endif /* TEST_FUZZ */
1784 goto out;
1785 }
1786 #ifdef CONFIG_FILS
1787 if (!mic_len &&
1788 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1789 &key_data_length) < 0) {
1790 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1791 LOGGER_INFO,
1792 "received EAPOL-Key with invalid MIC");
1793 #ifdef TEST_FUZZ
1794 wpa_printf(MSG_INFO,
1795 "TEST: Ignore Key MIC failure for fuzz testing");
1796 goto continue_fuzz;
1797 #endif /* TEST_FUZZ */
1798 goto out;
1799 }
1800 #endif /* CONFIG_FILS */
1801 #ifdef TEST_FUZZ
1802 continue_fuzz:
1803 #endif /* TEST_FUZZ */
1804 sm->MICVerified = true;
1805 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1806 sm->pending_1_of_4_timeout = 0;
1807 }
1808
1809 if (key_info & WPA_KEY_INFO_REQUEST) {
1810 if (!(key_info & WPA_KEY_INFO_SECURE)) {
1811 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1812 LOGGER_INFO,
1813 "received EAPOL-Key request without Secure=1");
1814 goto out;
1815 }
1816 if (sm->MICVerified) {
1817 sm->req_replay_counter_used = 1;
1818 os_memcpy(sm->req_replay_counter, key->replay_counter,
1819 WPA_REPLAY_COUNTER_LEN);
1820 } else {
1821 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1822 LOGGER_INFO,
1823 "received EAPOL-Key request with invalid MIC");
1824 goto out;
1825 }
1826
1827 if (key_info & WPA_KEY_INFO_ERROR) {
1828 if (wpa_receive_error_report(
1829 wpa_auth, sm,
1830 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1831 goto out; /* STA entry was removed */
1832 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1833 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1834 LOGGER_INFO,
1835 "received EAPOL-Key Request for new 4-Way Handshake");
1836 wpa_request_new_ptk(sm);
1837 } else {
1838 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1839 LOGGER_INFO,
1840 "received EAPOL-Key Request for GTK rekeying");
1841
1842 eloop_cancel_timeout(wpa_rekey_gtk,
1843 wpa_get_primary_auth(wpa_auth),
1844 NULL);
1845 if (wpa_auth_gtk_rekey_in_process(wpa_auth))
1846 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG,
1847 "skip new GTK rekey - already in process");
1848 else
1849 wpa_rekey_gtk(wpa_get_primary_auth(wpa_auth),
1850 NULL);
1851 }
1852 } else {
1853 /* Do not allow the same key replay counter to be reused. */
1854 wpa_replay_counter_mark_invalid(sm->key_replay,
1855 key->replay_counter);
1856
1857 if (msg == PAIRWISE_2) {
1858 /*
1859 * Maintain a copy of the pending EAPOL-Key frames in
1860 * case the EAPOL-Key frame was retransmitted. This is
1861 * needed to allow EAPOL-Key msg 2/4 reply to another
1862 * pending msg 1/4 to update the SNonce to work around
1863 * unexpected supplicant behavior.
1864 */
1865 os_memcpy(sm->prev_key_replay, sm->key_replay,
1866 sizeof(sm->key_replay));
1867 } else {
1868 os_memset(sm->prev_key_replay, 0,
1869 sizeof(sm->prev_key_replay));
1870 }
1871
1872 /*
1873 * Make sure old valid counters are not accepted anymore and
1874 * do not get copied again.
1875 */
1876 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1877 }
1878
1879 os_free(sm->last_rx_eapol_key);
1880 sm->last_rx_eapol_key = os_memdup(data, data_len);
1881 if (!sm->last_rx_eapol_key)
1882 goto out;
1883 sm->last_rx_eapol_key_len = data_len;
1884
1885 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1886 sm->EAPOLKeyReceived = true;
1887 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1888 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1889 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1890 wpa_sm_step(sm);
1891
1892 out:
1893 bin_clear_free(key_data_buf, key_data_buf_len);
1894 }
1895
1896
1897 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1898 const u8 *gnonce, u8 *gtk, size_t gtk_len)
1899 {
1900 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN];
1901 u8 *pos;
1902 int ret = 0;
1903
1904 /* GTK = PRF-X(GMK, "Group key expansion",
1905 * AA || GNonce || Time || random data)
1906 * The example described in the IEEE 802.11 standard uses only AA and
1907 * GNonce as inputs here. Add some more entropy since this derivation
1908 * is done only at the Authenticator and as such, does not need to be
1909 * exactly same.
1910 */
1911 os_memset(data, 0, sizeof(data));
1912 os_memcpy(data, addr, ETH_ALEN);
1913 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1914 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1915 wpa_get_ntp_timestamp(pos);
1916 #ifdef TEST_FUZZ
1917 os_memset(pos, 0xef, 8);
1918 #endif /* TEST_FUZZ */
1919 pos += 8;
1920 if (random_get_bytes(pos, gtk_len) < 0)
1921 ret = -1;
1922
1923 #ifdef CONFIG_SHA384
1924 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1925 gtk, gtk_len) < 0)
1926 ret = -1;
1927 #else /* CONFIG_SHA384 */
1928 #ifdef CONFIG_SHA256
1929 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1930 gtk, gtk_len) < 0)
1931 ret = -1;
1932 #else /* CONFIG_SHA256 */
1933 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1934 gtk, gtk_len) < 0)
1935 ret = -1;
1936 #endif /* CONFIG_SHA256 */
1937 #endif /* CONFIG_SHA384 */
1938
1939 forced_memzero(data, sizeof(data));
1940
1941 return ret;
1942 }
1943
1944
1945 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1946 {
1947 struct wpa_authenticator *wpa_auth = eloop_ctx;
1948 struct wpa_state_machine *sm = timeout_ctx;
1949
1950 if (sm->waiting_radius_psk) {
1951 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1952 "Ignore EAPOL-Key timeout while waiting for RADIUS PSK");
1953 return;
1954 }
1955
1956 sm->pending_1_of_4_timeout = 0;
1957 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1958 "EAPOL-Key timeout");
1959 sm->TimeoutEvt = true;
1960 wpa_sm_step(sm);
1961 }
1962
1963
1964 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1965 struct wpa_state_machine *sm, int key_info,
1966 const u8 *key_rsc, const u8 *nonce,
1967 const u8 *kde, size_t kde_len,
1968 int keyidx, int encr, int force_version)
1969 {
1970 struct wpa_auth_config *conf = &wpa_auth->conf;
1971 struct ieee802_1x_hdr *hdr;
1972 struct wpa_eapol_key *key;
1973 size_t len, mic_len, keyhdrlen;
1974 int alg;
1975 int key_data_len, pad_len = 0;
1976 u8 *buf, *pos;
1977 int version, pairwise;
1978 int i;
1979 u8 *key_mic, *key_data;
1980
1981 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
1982 keyhdrlen = sizeof(*key) + mic_len + 2;
1983
1984 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
1985
1986 if (force_version)
1987 version = force_version;
1988 else if (wpa_use_akm_defined(sm->wpa_key_mgmt))
1989 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
1990 else if (wpa_use_cmac(sm->wpa_key_mgmt))
1991 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1992 else if (sm->pairwise != WPA_CIPHER_TKIP)
1993 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1994 else
1995 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1996
1997 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1998
1999 wpa_printf(MSG_DEBUG,
2000 "WPA: Send EAPOL(version=%d secure=%d mic=%d ack=%d install=%d pairwise=%d kde_len=%zu keyidx=%d encr=%d)",
2001 version,
2002 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
2003 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
2004 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
2005 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
2006 pairwise, kde_len, keyidx, encr);
2007
2008 key_data_len = kde_len;
2009
2010 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
2011 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
2012 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
2013 pad_len = key_data_len % 8;
2014 if (pad_len)
2015 pad_len = 8 - pad_len;
2016 key_data_len += pad_len + 8;
2017 }
2018
2019 len += key_data_len;
2020 if (!mic_len && encr)
2021 len += AES_BLOCK_SIZE;
2022
2023 hdr = os_zalloc(len);
2024 if (!hdr)
2025 return;
2026 hdr->version = conf->eapol_version;
2027 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
2028 hdr->length = host_to_be16(len - sizeof(*hdr));
2029 key = (struct wpa_eapol_key *) (hdr + 1);
2030 key_mic = (u8 *) (key + 1);
2031 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
2032
2033 key->type = sm->wpa == WPA_VERSION_WPA2 ?
2034 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2035 key_info |= version;
2036 if (encr && sm->wpa == WPA_VERSION_WPA2)
2037 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2038 if (sm->wpa != WPA_VERSION_WPA2)
2039 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
2040 WPA_PUT_BE16(key->key_info, key_info);
2041
2042 alg = pairwise ? sm->pairwise : conf->wpa_group;
2043 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise)
2044 WPA_PUT_BE16(key->key_length, 0);
2045 else
2046 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
2047
2048 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
2049 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
2050 os_memcpy(sm->key_replay[i].counter,
2051 sm->key_replay[i - 1].counter,
2052 WPA_REPLAY_COUNTER_LEN);
2053 }
2054 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
2055 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
2056 WPA_REPLAY_COUNTER_LEN);
2057 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
2058 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
2059 sm->key_replay[0].valid = true;
2060
2061 if (nonce)
2062 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
2063
2064 if (key_rsc)
2065 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
2066
2067 if (kde && !encr) {
2068 os_memcpy(key_data, kde, kde_len);
2069 WPA_PUT_BE16(key_mic + mic_len, kde_len);
2070 #ifdef CONFIG_FILS
2071 } else if (!mic_len && kde) {
2072 const u8 *aad[1];
2073 size_t aad_len[1];
2074
2075 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
2076 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
2077 kde, kde_len);
2078
2079 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
2080 sm->PTK.kek, sm->PTK.kek_len);
2081 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2082 * to Key Data (exclusive). */
2083 aad[0] = (u8 *) hdr;
2084 aad_len[0] = key_mic + 2 - (u8 *) hdr;
2085 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
2086 1, aad, aad_len, key_mic + 2) < 0) {
2087 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
2088 return;
2089 }
2090
2091 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
2092 key_mic + 2, AES_BLOCK_SIZE + kde_len);
2093 #endif /* CONFIG_FILS */
2094 } else if (encr && kde) {
2095 buf = os_zalloc(key_data_len);
2096 if (!buf) {
2097 os_free(hdr);
2098 return;
2099 }
2100 pos = buf;
2101 os_memcpy(pos, kde, kde_len);
2102 pos += kde_len;
2103
2104 if (pad_len)
2105 *pos++ = 0xdd;
2106
2107 wpa_hexdump_key(MSG_DEBUG,
2108 "Plaintext EAPOL-Key Key Data (+ padding)",
2109 buf, key_data_len);
2110 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
2111 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
2112 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
2113 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK",
2114 sm->PTK.kek, sm->PTK.kek_len);
2115 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
2116 (key_data_len - 8) / 8, buf, key_data)) {
2117 os_free(hdr);
2118 bin_clear_free(buf, key_data_len);
2119 return;
2120 }
2121 wpa_hexdump(MSG_DEBUG,
2122 "RSN: Encrypted Key Data from AES-WRAP",
2123 key_data, key_data_len);
2124 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
2125 #if !defined(CONFIG_NO_RC4) && !defined(CONFIG_FIPS)
2126 } else if (sm->PTK.kek_len == 16) {
2127 u8 ek[32];
2128
2129 wpa_printf(MSG_DEBUG,
2130 "WPA: Encrypt Key Data using RC4");
2131 os_memcpy(key->key_iv,
2132 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
2133 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
2134 os_memcpy(ek, key->key_iv, 16);
2135 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
2136 os_memcpy(key_data, buf, key_data_len);
2137 rc4_skip(ek, 32, 256, key_data, key_data_len);
2138 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
2139 #endif /* !(CONFIG_NO_RC4 || CONFIG_FIPS) */
2140 } else {
2141 os_free(hdr);
2142 bin_clear_free(buf, key_data_len);
2143 return;
2144 }
2145 bin_clear_free(buf, key_data_len);
2146 }
2147
2148 if (key_info & WPA_KEY_INFO_MIC) {
2149 if (!sm->PTK_valid || !mic_len) {
2150 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
2151 LOGGER_DEBUG,
2152 "PTK not valid when sending EAPOL-Key frame");
2153 os_free(hdr);
2154 return;
2155 }
2156
2157 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
2158 sm->wpa_key_mgmt, version,
2159 (u8 *) hdr, len, key_mic) < 0) {
2160 os_free(hdr);
2161 return;
2162 }
2163 #ifdef CONFIG_TESTING_OPTIONS
2164 if (!pairwise &&
2165 conf->corrupt_gtk_rekey_mic_probability > 0.0 &&
2166 drand48() < conf->corrupt_gtk_rekey_mic_probability) {
2167 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
2168 LOGGER_INFO,
2169 "Corrupting group EAPOL-Key Key MIC");
2170 key_mic[0]++;
2171 }
2172 #endif /* CONFIG_TESTING_OPTIONS */
2173 }
2174
2175 wpa_auth_set_eapol(wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1);
2176 wpa_hexdump(MSG_DEBUG, "Send EAPOL-Key msg", hdr, len);
2177 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
2178 sm->pairwise_set);
2179 os_free(hdr);
2180 }
2181
2182
2183 static int wpa_auth_get_sta_count(struct wpa_authenticator *wpa_auth)
2184 {
2185 if (!wpa_auth->cb->get_sta_count)
2186 return -1;
2187
2188 return wpa_auth->cb->get_sta_count(wpa_auth->cb_ctx);
2189 }
2190
2191
2192 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
2193 struct wpa_state_machine *sm, int key_info,
2194 const u8 *key_rsc, const u8 *nonce,
2195 const u8 *kde, size_t kde_len,
2196 int keyidx, int encr)
2197 {
2198 int timeout_ms;
2199 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
2200 u32 ctr;
2201
2202 if (!sm)
2203 return;
2204
2205 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
2206
2207 #ifdef CONFIG_TESTING_OPTIONS
2208 /* When delay_eapol_tx is true, delay the EAPOL-Key transmission by
2209 * sending it only on the last attempt after all timeouts for the prior
2210 * skipped attemps. */
2211 if (wpa_auth->conf.delay_eapol_tx &&
2212 ctr != wpa_auth->conf.wpa_pairwise_update_count) {
2213 wpa_msg(sm->wpa_auth->conf.msg_ctx, MSG_INFO,
2214 "DELAY-EAPOL-TX-%d", ctr);
2215 goto skip_tx;
2216 }
2217 #endif /* CONFIG_TESTING_OPTIONS */
2218 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
2219 keyidx, encr, 0);
2220 #ifdef CONFIG_TESTING_OPTIONS
2221 skip_tx:
2222 #endif /* CONFIG_TESTING_OPTIONS */
2223
2224 if (ctr == 1 && wpa_auth->conf.tx_status) {
2225 if (pairwise)
2226 timeout_ms = eapol_key_timeout_first;
2227 else if (wpa_auth_get_sta_count(wpa_auth) > 100)
2228 timeout_ms = eapol_key_timeout_first_group * 2;
2229 else
2230 timeout_ms = eapol_key_timeout_first_group;
2231 } else {
2232 timeout_ms = eapol_key_timeout_subseq;
2233 }
2234 if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
2235 (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
2236 timeout_ms = eapol_key_timeout_no_retrans;
2237 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
2238 sm->pending_1_of_4_timeout = 1;
2239 #ifdef TEST_FUZZ
2240 timeout_ms = 1;
2241 #endif /* TEST_FUZZ */
2242 wpa_printf(MSG_DEBUG,
2243 "WPA: Use EAPOL-Key timeout of %u ms (retry counter %u)",
2244 timeout_ms, ctr);
2245 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
2246 wpa_send_eapol_timeout, wpa_auth, sm);
2247 }
2248
2249
2250 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
2251 u8 *data, size_t data_len)
2252 {
2253 struct ieee802_1x_hdr *hdr;
2254 struct wpa_eapol_key *key;
2255 u16 key_info;
2256 int ret = 0;
2257 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
2258 size_t mic_len = wpa_mic_len(akmp, pmk_len);
2259
2260 if (data_len < sizeof(*hdr) + sizeof(*key))
2261 return -1;
2262
2263 hdr = (struct ieee802_1x_hdr *) data;
2264 key = (struct wpa_eapol_key *) (hdr + 1);
2265 mic_pos = (u8 *) (key + 1);
2266 key_info = WPA_GET_BE16(key->key_info);
2267 os_memcpy(mic, mic_pos, mic_len);
2268 os_memset(mic_pos, 0, mic_len);
2269 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
2270 key_info & WPA_KEY_INFO_TYPE_MASK,
2271 data, data_len, mic_pos) ||
2272 os_memcmp_const(mic, mic_pos, mic_len) != 0)
2273 ret = -1;
2274 os_memcpy(mic_pos, mic, mic_len);
2275 return ret;
2276 }
2277
2278
2279 void wpa_remove_ptk(struct wpa_state_machine *sm)
2280 {
2281 sm->PTK_valid = false;
2282 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2283
2284 wpa_auth_remove_ptksa(sm->wpa_auth, sm->addr, sm->pairwise);
2285
2286 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
2287 0, KEY_FLAG_PAIRWISE))
2288 wpa_printf(MSG_DEBUG,
2289 "RSN: PTK removal from the driver failed");
2290 if (sm->use_ext_key_id &&
2291 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 1, NULL,
2292 0, KEY_FLAG_PAIRWISE))
2293 wpa_printf(MSG_DEBUG,
2294 "RSN: PTK Key ID 1 removal from the driver failed");
2295 sm->pairwise_set = false;
2296 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2297 }
2298
2299
2300 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
2301 {
2302 int remove_ptk = 1;
2303
2304 if (!sm)
2305 return -1;
2306
2307 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
2308 "event %d notification", event);
2309
2310 switch (event) {
2311 case WPA_AUTH:
2312 #ifdef CONFIG_MESH
2313 /* PTKs are derived through AMPE */
2314 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
2315 /* not mesh */
2316 break;
2317 }
2318 return 0;
2319 #endif /* CONFIG_MESH */
2320 case WPA_ASSOC:
2321 break;
2322 case WPA_DEAUTH:
2323 case WPA_DISASSOC:
2324 sm->DeauthenticationRequest = true;
2325 os_memset(sm->PMK, 0, sizeof(sm->PMK));
2326 sm->pmk_len = 0;
2327 #ifdef CONFIG_IEEE80211R_AP
2328 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
2329 sm->xxkey_len = 0;
2330 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
2331 sm->pmk_r1_len = 0;
2332 #endif /* CONFIG_IEEE80211R_AP */
2333 break;
2334 case WPA_REAUTH:
2335 case WPA_REAUTH_EAPOL:
2336 if (!sm->started) {
2337 /*
2338 * When using WPS, we may end up here if the STA
2339 * manages to re-associate without the previous STA
2340 * entry getting removed. Consequently, we need to make
2341 * sure that the WPA state machines gets initialized
2342 * properly at this point.
2343 */
2344 wpa_printf(MSG_DEBUG,
2345 "WPA state machine had not been started - initialize now");
2346 sm->started = 1;
2347 sm->Init = true;
2348 if (wpa_sm_step(sm) == 1)
2349 return 1; /* should not really happen */
2350 sm->Init = false;
2351 sm->AuthenticationRequest = true;
2352 break;
2353 }
2354
2355 if (sm->ptkstart_without_success > 3) {
2356 wpa_printf(MSG_INFO,
2357 "WPA: Multiple EAP reauth attempts without 4-way handshake completion, disconnect "
2358 MACSTR, MAC2STR(sm->addr));
2359 sm->Disconnect = true;
2360 break;
2361 }
2362
2363 if (!sm->use_ext_key_id &&
2364 sm->wpa_auth->conf.wpa_deny_ptk0_rekey) {
2365 wpa_printf(MSG_INFO,
2366 "WPA: PTK0 rekey not allowed, disconnect "
2367 MACSTR, MAC2STR(wpa_auth_get_spa(sm)));
2368 sm->Disconnect = true;
2369 /* Try to encourage the STA to reconnect */
2370 sm->disconnect_reason =
2371 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA;
2372 break;
2373 }
2374
2375 if (sm->use_ext_key_id)
2376 sm->keyidx_active ^= 1; /* flip Key ID */
2377
2378 if (sm->GUpdateStationKeys) {
2379 /*
2380 * Reauthentication cancels the pending group key
2381 * update for this STA.
2382 */
2383 wpa_gkeydone_sta(sm);
2384 sm->PtkGroupInit = true;
2385 }
2386 sm->ReAuthenticationRequest = true;
2387 break;
2388 case WPA_ASSOC_FT:
2389 #ifdef CONFIG_IEEE80211R_AP
2390 wpa_printf(MSG_DEBUG,
2391 "FT: Retry PTK configuration after association");
2392 wpa_ft_install_ptk(sm, 1);
2393
2394 /* Using FT protocol, not WPA auth state machine */
2395 sm->ft_completed = 1;
2396 wpa_auth_set_ptk_rekey_timer(sm);
2397 return 0;
2398 #else /* CONFIG_IEEE80211R_AP */
2399 break;
2400 #endif /* CONFIG_IEEE80211R_AP */
2401 case WPA_ASSOC_FILS:
2402 #ifdef CONFIG_FILS
2403 wpa_printf(MSG_DEBUG,
2404 "FILS: TK configuration after association");
2405 fils_set_tk(sm);
2406 sm->fils_completed = 1;
2407 return 0;
2408 #else /* CONFIG_FILS */
2409 break;
2410 #endif /* CONFIG_FILS */
2411 case WPA_DRV_STA_REMOVED:
2412 sm->tk_already_set = false;
2413 return 0;
2414 }
2415
2416 #ifdef CONFIG_IEEE80211R_AP
2417 sm->ft_completed = 0;
2418 #endif /* CONFIG_IEEE80211R_AP */
2419
2420 if (sm->mgmt_frame_prot && event == WPA_AUTH)
2421 remove_ptk = 0;
2422 #ifdef CONFIG_FILS
2423 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
2424 (event == WPA_AUTH || event == WPA_ASSOC))
2425 remove_ptk = 0;
2426 #endif /* CONFIG_FILS */
2427
2428 if (remove_ptk) {
2429 sm->PTK_valid = false;
2430 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2431
2432 if (event != WPA_REAUTH_EAPOL)
2433 wpa_remove_ptk(sm);
2434 }
2435
2436 if (sm->in_step_loop) {
2437 /*
2438 * wpa_sm_step() is already running - avoid recursive call to
2439 * it by making the existing loop process the new update.
2440 */
2441 sm->changed = true;
2442 return 0;
2443 }
2444 return wpa_sm_step(sm);
2445 }
2446
2447
2448 SM_STATE(WPA_PTK, INITIALIZE)
2449 {
2450 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
2451 if (sm->Init) {
2452 /* Init flag is not cleared here, so avoid busy
2453 * loop by claiming nothing changed. */
2454 sm->changed = false;
2455 }
2456
2457 sm->keycount = 0;
2458 if (sm->GUpdateStationKeys)
2459 wpa_gkeydone_sta(sm);
2460 if (sm->wpa == WPA_VERSION_WPA)
2461 sm->PInitAKeys = false;
2462 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
2463 * Local AA > Remote AA)) */) {
2464 sm->Pair = true;
2465 }
2466 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
2467 wpa_remove_ptk(sm);
2468 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
2469 sm->TimeoutCtr = 0;
2470 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
2471 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
2472 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
2473 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2474 WPA_EAPOL_authorized, 0);
2475 }
2476 }
2477
2478
2479 SM_STATE(WPA_PTK, DISCONNECT)
2480 {
2481 u16 reason = sm->disconnect_reason;
2482
2483 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
2484 sm->Disconnect = false;
2485 sm->disconnect_reason = 0;
2486 if (!reason)
2487 reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
2488 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason);
2489 }
2490
2491
2492 SM_STATE(WPA_PTK, DISCONNECTED)
2493 {
2494 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
2495 sm->DeauthenticationRequest = false;
2496 }
2497
2498
2499 SM_STATE(WPA_PTK, AUTHENTICATION)
2500 {
2501 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
2502 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2503 sm->PTK_valid = false;
2504 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
2505 1);
2506 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
2507 sm->AuthenticationRequest = false;
2508 }
2509
2510
2511 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
2512 struct wpa_group *group)
2513 {
2514 if (group->first_sta_seen)
2515 return;
2516 /*
2517 * System has run bit further than at the time hostapd was started
2518 * potentially very early during boot up. This provides better chances
2519 * of collecting more randomness on embedded systems. Re-initialize the
2520 * GMK and Counter here to improve their strength if there was not
2521 * enough entropy available immediately after system startup.
2522 */
2523 wpa_printf(MSG_DEBUG,
2524 "WPA: Re-initialize GMK/Counter on first station");
2525 if (random_pool_ready() != 1) {
2526 wpa_printf(MSG_INFO,
2527 "WPA: Not enough entropy in random pool to proceed - reject first 4-way handshake");
2528 group->reject_4way_hs_for_entropy = true;
2529 } else {
2530 group->first_sta_seen = true;
2531 group->reject_4way_hs_for_entropy = false;
2532 }
2533
2534 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
2535 wpa_gtk_update(wpa_auth, group) < 0 ||
2536 wpa_group_config_group_keys(wpa_auth, group) < 0) {
2537 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
2538 group->first_sta_seen = false;
2539 group->reject_4way_hs_for_entropy = true;
2540 }
2541 }
2542
2543
2544 SM_STATE(WPA_PTK, AUTHENTICATION2)
2545 {
2546 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
2547
2548 wpa_group_ensure_init(sm->wpa_auth, sm->group);
2549 sm->ReAuthenticationRequest = false;
2550
2551 /*
2552 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
2553 * ambiguous. The Authenticator state machine uses a counter that is
2554 * incremented by one for each 4-way handshake. However, the security
2555 * analysis of 4-way handshake points out that unpredictable nonces
2556 * help in preventing precomputation attacks. Instead of the state
2557 * machine definition, use an unpredictable nonce value here to provide
2558 * stronger protection against potential precomputation attacks.
2559 */
2560 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
2561 wpa_printf(MSG_ERROR,
2562 "WPA: Failed to get random data for ANonce.");
2563 sm->Disconnect = true;
2564 return;
2565 }
2566 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
2567 WPA_NONCE_LEN);
2568 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
2569 * logical place than INITIALIZE since AUTHENTICATION2 can be
2570 * re-entered on ReAuthenticationRequest without going through
2571 * INITIALIZE. */
2572 sm->TimeoutCtr = 0;
2573 }
2574
2575
2576 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
2577 {
2578 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
2579 wpa_printf(MSG_ERROR,
2580 "WPA: Failed to get random data for ANonce");
2581 sm->Disconnect = true;
2582 return -1;
2583 }
2584 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
2585 WPA_NONCE_LEN);
2586 sm->TimeoutCtr = 0;
2587 return 0;
2588 }
2589
2590
2591 SM_STATE(WPA_PTK, INITPMK)
2592 {
2593 u8 msk[2 * PMK_LEN];
2594 size_t len = 2 * PMK_LEN;
2595
2596 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
2597 #ifdef CONFIG_IEEE80211R_AP
2598 sm->xxkey_len = 0;
2599 #endif /* CONFIG_IEEE80211R_AP */
2600 if (sm->pmksa) {
2601 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
2602 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2603 sm->pmk_len = sm->pmksa->pmk_len;
2604 #ifdef CONFIG_DPP
2605 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
2606 wpa_printf(MSG_DEBUG,
2607 "DPP: No PMKSA cache entry for STA - reject connection");
2608 sm->Disconnect = true;
2609 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID;
2610 return;
2611 #endif /* CONFIG_DPP */
2612 } else if (wpa_auth_get_msk(sm->wpa_auth, wpa_auth_get_spa(sm),
2613 msk, &len) == 0) {
2614 unsigned int pmk_len;
2615
2616 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
2617 pmk_len = PMK_LEN_SUITE_B_192;
2618 else
2619 pmk_len = PMK_LEN;
2620 wpa_printf(MSG_DEBUG,
2621 "WPA: PMK from EAPOL state machine (MSK len=%zu PMK len=%u)",
2622 len, pmk_len);
2623 if (len < pmk_len) {
2624 wpa_printf(MSG_DEBUG,
2625 "WPA: MSK not long enough (%zu) to create PMK (%u)",
2626 len, pmk_len);
2627 sm->Disconnect = true;
2628 return;
2629 }
2630 os_memcpy(sm->PMK, msk, pmk_len);
2631 sm->pmk_len = pmk_len;
2632 #ifdef CONFIG_IEEE80211R_AP
2633 if (len >= 2 * PMK_LEN) {
2634 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
2635 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN);
2636 sm->xxkey_len = SHA384_MAC_LEN;
2637 } else {
2638 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
2639 sm->xxkey_len = PMK_LEN;
2640 }
2641 }
2642 #endif /* CONFIG_IEEE80211R_AP */
2643 } else {
2644 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
2645 sm->wpa_auth->cb->get_msk);
2646 sm->Disconnect = true;
2647 return;
2648 }
2649 forced_memzero(msk, sizeof(msk));
2650
2651 sm->req_replay_counter_used = 0;
2652 /* IEEE 802.11i does not set keyRun to false, but not doing this
2653 * will break reauthentication since EAPOL state machines may not be
2654 * get into AUTHENTICATING state that clears keyRun before WPA state
2655 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
2656 * state and takes PMK from the previously used AAA Key. This will
2657 * eventually fail in 4-Way Handshake because Supplicant uses PMK
2658 * derived from the new AAA Key. Setting keyRun = false here seems to
2659 * be good workaround for this issue. */
2660 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, false);
2661 }
2662
2663
2664 SM_STATE(WPA_PTK, INITPSK)
2665 {
2666 const u8 *psk;
2667 size_t psk_len;
2668
2669 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
2670 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL,
2671 &psk_len, NULL);
2672 if (psk) {
2673 os_memcpy(sm->PMK, psk, psk_len);
2674 sm->pmk_len = psk_len;
2675 #ifdef CONFIG_IEEE80211R_AP
2676 sm->xxkey_len = PMK_LEN;
2677 #ifdef CONFIG_SAE
2678 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY &&
2679 (psk_len == SHA512_MAC_LEN || psk_len == SHA384_MAC_LEN ||
2680 psk_len == SHA256_MAC_LEN))
2681 sm->xxkey_len = psk_len;
2682 #endif /* CONFIG_SAE */
2683 os_memcpy(sm->xxkey, psk, sm->xxkey_len);
2684 #endif /* CONFIG_IEEE80211R_AP */
2685 }
2686 #ifdef CONFIG_SAE
2687 if (wpa_auth_uses_sae(sm) && sm->pmksa) {
2688 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache (len=%zu)",
2689 sm->pmksa->pmk_len);
2690 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2691 sm->pmk_len = sm->pmksa->pmk_len;
2692 #ifdef CONFIG_IEEE80211R_AP
2693 os_memcpy(sm->xxkey, sm->pmksa->pmk, sm->pmksa->pmk_len);
2694 sm->xxkey_len = sm->pmksa->pmk_len;
2695 #endif /* CONFIG_IEEE80211R_AP */
2696 }
2697 #endif /* CONFIG_SAE */
2698 sm->req_replay_counter_used = 0;
2699 }
2700
2701
2702 SM_STATE(WPA_PTK, PTKSTART)
2703 {
2704 u8 *buf;
2705 size_t buf_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2706 u8 *pmkid = NULL;
2707 size_t kde_len = 0;
2708 u16 key_info;
2709 #ifdef CONFIG_TESTING_OPTIONS
2710 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
2711 #endif /* CONFIG_TESTING_OPTIONS */
2712
2713 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2714 sm->PTKRequest = false;
2715 sm->TimeoutEvt = false;
2716 sm->alt_snonce_valid = false;
2717 sm->ptkstart_without_success++;
2718
2719 sm->TimeoutCtr++;
2720 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
2721 /* No point in sending the EAPOL-Key - we will disconnect
2722 * immediately following this. */
2723 return;
2724 }
2725
2726 #ifdef CONFIG_IEEE80211BE
2727 if (sm->mld_assoc_link_id >= 0)
2728 buf_len += 2 + RSN_SELECTOR_LEN + ETH_ALEN;
2729 #endif /* CONFIG_IEEE80211BE */
2730 #ifdef CONFIG_TESTING_OPTIONS
2731 if (conf->eapol_m1_elements)
2732 buf_len += wpabuf_len(conf->eapol_m1_elements);
2733 #endif /* CONFIG_TESTING_OPTIONS */
2734
2735 buf = os_zalloc(buf_len);
2736 if (!buf)
2737 return;
2738
2739 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
2740 "sending 1/4 msg of 4-Way Handshake");
2741 /*
2742 * For infrastructure BSS cases, it is better for the AP not to include
2743 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate
2744 * offline search for the passphrase/PSK without having to be able to
2745 * capture a 4-way handshake from a STA that has access to the network.
2746 *
2747 * For IBSS cases, addition of PMKID KDE could be considered even with
2748 * WPA2-PSK cases that use multiple PSKs, but only if there is a single
2749 * possible PSK for this STA. However, this should not be done unless
2750 * there is support for using that information on the supplicant side.
2751 * The concern about exposing PMKID unnecessarily in infrastructure BSS
2752 * cases would also apply here, but at least in the IBSS case, this
2753 * would cover a potential real use case.
2754 */
2755 if (sm->wpa == WPA_VERSION_WPA2 &&
2756 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) ||
2757 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) ||
2758 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) &&
2759 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
2760 pmkid = buf;
2761 kde_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2762 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2763 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2764 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
2765 if (sm->pmksa) {
2766 wpa_hexdump(MSG_DEBUG,
2767 "RSN: Message 1/4 PMKID from PMKSA entry",
2768 sm->pmksa->pmkid, PMKID_LEN);
2769 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2770 sm->pmksa->pmkid, PMKID_LEN);
2771 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2772 /* No KCK available to derive PMKID */
2773 wpa_printf(MSG_DEBUG,
2774 "RSN: No KCK available to derive PMKID for message 1/4");
2775 pmkid = NULL;
2776 #ifdef CONFIG_FILS
2777 } else if (wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2778 if (sm->pmkid_set) {
2779 wpa_hexdump(MSG_DEBUG,
2780 "RSN: Message 1/4 PMKID from FILS/ERP",
2781 sm->pmkid, PMKID_LEN);
2782 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2783 sm->pmkid, PMKID_LEN);
2784 } else {
2785 /* No PMKID available */
2786 wpa_printf(MSG_DEBUG,
2787 "RSN: No FILS/ERP PMKID available for message 1/4");
2788 pmkid = NULL;
2789 }
2790 #endif /* CONFIG_FILS */
2791 #ifdef CONFIG_IEEE80211R_AP
2792 } else if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) &&
2793 sm->ft_completed) {
2794 wpa_printf(MSG_DEBUG,
2795 "FT: No PMKID in message 1/4 when using FT protocol");
2796 pmkid = NULL;
2797 #endif /* CONFIG_IEEE80211R_AP */
2798 #ifdef CONFIG_SAE
2799 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
2800 if (sm->pmkid_set) {
2801 wpa_hexdump(MSG_DEBUG,
2802 "RSN: Message 1/4 PMKID from SAE",
2803 sm->pmkid, PMKID_LEN);
2804 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2805 sm->pmkid, PMKID_LEN);
2806 } else {
2807 /* No PMKID available */
2808 wpa_printf(MSG_DEBUG,
2809 "RSN: No SAE PMKID available for message 1/4");
2810 pmkid = NULL;
2811 }
2812 #endif /* CONFIG_SAE */
2813 } else {
2814 /*
2815 * Calculate PMKID since no PMKSA cache entry was
2816 * available with pre-calculated PMKID.
2817 */
2818 rsn_pmkid(sm->PMK, sm->pmk_len,
2819 wpa_auth_get_aa(sm),
2820 wpa_auth_get_spa(sm),
2821 &pmkid[2 + RSN_SELECTOR_LEN],
2822 sm->wpa_key_mgmt);
2823 wpa_hexdump(MSG_DEBUG,
2824 "RSN: Message 1/4 PMKID derived from PMK",
2825 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN);
2826 }
2827 }
2828 if (!pmkid)
2829 kde_len = 0;
2830
2831 #ifdef CONFIG_IEEE80211BE
2832 if (sm->mld_assoc_link_id >= 0) {
2833 wpa_printf(MSG_DEBUG,
2834 "RSN: MLD: Add MAC Address KDE: kde_len=%zu",
2835 kde_len);
2836 wpa_add_kde(buf + kde_len, RSN_KEY_DATA_MAC_ADDR,
2837 sm->wpa_auth->mld_addr, ETH_ALEN, NULL, 0);
2838 kde_len += 2 + RSN_SELECTOR_LEN + ETH_ALEN;
2839 }
2840 #endif /* CONFIG_IEEE80211BE */
2841
2842 #ifdef CONFIG_TESTING_OPTIONS
2843 if (conf->eapol_m1_elements) {
2844 os_memcpy(buf + kde_len, wpabuf_head(conf->eapol_m1_elements),
2845 wpabuf_len(conf->eapol_m1_elements));
2846 kde_len += wpabuf_len(conf->eapol_m1_elements);
2847 }
2848 #endif /* CONFIG_TESTING_OPTIONS */
2849
2850 key_info = WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE;
2851 if (sm->pairwise_set && sm->wpa != WPA_VERSION_WPA)
2852 key_info |= WPA_KEY_INFO_SECURE;
2853 wpa_send_eapol(sm->wpa_auth, sm, key_info, NULL,
2854 sm->ANonce, kde_len ? buf : NULL, kde_len, 0, 0);
2855 os_free(buf);
2856 }
2857
2858
2859 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
2860 const u8 *pmk, unsigned int pmk_len,
2861 struct wpa_ptk *ptk, int force_sha256,
2862 u8 *pmk_r0, u8 *pmk_r1, u8 *pmk_r0_name,
2863 size_t *key_len, bool no_kdk)
2864 {
2865 const u8 *z = NULL;
2866 size_t z_len = 0, kdk_len;
2867 int akmp;
2868 int ret;
2869
2870 if (sm->wpa_auth->conf.force_kdk_derivation ||
2871 (!no_kdk && sm->wpa_auth->conf.secure_ltf &&
2872 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
2873 kdk_len = WPA_KDK_MAX_LEN;
2874 else
2875 kdk_len = 0;
2876
2877 #ifdef CONFIG_IEEE80211R_AP
2878 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2879 if (sm->ft_completed) {
2880 u8 ptk_name[WPA_PMK_NAME_LEN];
2881
2882 ret = wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->pmk_r1_len,
2883 sm->SNonce, sm->ANonce,
2884 wpa_auth_get_spa(sm),
2885 wpa_auth_get_aa(sm),
2886 sm->pmk_r1_name, ptk,
2887 ptk_name, sm->wpa_key_mgmt,
2888 sm->pairwise, kdk_len);
2889 } else {
2890 ret = wpa_auth_derive_ptk_ft(sm, ptk, pmk_r0, pmk_r1,
2891 pmk_r0_name, key_len,
2892 kdk_len);
2893 }
2894 if (ret) {
2895 wpa_printf(MSG_ERROR, "FT: PTK derivation failed");
2896 return ret;
2897 }
2898
2899 #ifdef CONFIG_PASN
2900 if (!no_kdk && sm->wpa_auth->conf.secure_ltf &&
2901 ieee802_11_rsnx_capab(sm->rsnxe,
2902 WLAN_RSNX_CAPAB_SECURE_LTF)) {
2903 ret = wpa_ltf_keyseed(ptk, sm->wpa_key_mgmt,
2904 sm->pairwise);
2905 if (ret) {
2906 wpa_printf(MSG_ERROR,
2907 "FT: LTF keyseed derivation failed");
2908 }
2909 }
2910 #endif /* CONFIG_PASN */
2911 return ret;
2912 }
2913 #endif /* CONFIG_IEEE80211R_AP */
2914
2915 #ifdef CONFIG_DPP2
2916 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
2917 z = wpabuf_head(sm->dpp_z);
2918 z_len = wpabuf_len(sm->dpp_z);
2919 }
2920 #endif /* CONFIG_DPP2 */
2921
2922 akmp = sm->wpa_key_mgmt;
2923 if (force_sha256)
2924 akmp |= WPA_KEY_MGMT_PSK_SHA256;
2925 ret = wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
2926 wpa_auth_get_aa(sm), wpa_auth_get_spa(sm),
2927 sm->ANonce, snonce, ptk, akmp,
2928 sm->pairwise, z, z_len, kdk_len);
2929 if (ret) {
2930 wpa_printf(MSG_DEBUG,
2931 "WPA: PTK derivation failed");
2932 return ret;
2933 }
2934
2935 #ifdef CONFIG_PASN
2936 if (!no_kdk && sm->wpa_auth->conf.secure_ltf &&
2937 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)) {
2938 ret = wpa_ltf_keyseed(ptk, sm->wpa_key_mgmt, sm->pairwise);
2939 if (ret) {
2940 wpa_printf(MSG_DEBUG,
2941 "WPA: LTF keyseed derivation failed");
2942 }
2943 }
2944 #endif /* CONFIG_PASN */
2945 return ret;
2946 }
2947
2948
2949 #ifdef CONFIG_FILS
2950
2951 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
2952 size_t pmk_len, const u8 *snonce, const u8 *anonce,
2953 const u8 *dhss, size_t dhss_len,
2954 struct wpabuf *g_sta, struct wpabuf *g_ap)
2955 {
2956 u8 ick[FILS_ICK_MAX_LEN];
2957 size_t ick_len;
2958 int res;
2959 u8 fils_ft[FILS_FT_MAX_LEN];
2960 size_t fils_ft_len = 0, kdk_len;
2961
2962 if (sm->wpa_auth->conf.force_kdk_derivation ||
2963 (sm->wpa_auth->conf.secure_ltf &&
2964 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
2965 kdk_len = WPA_KDK_MAX_LEN;
2966 else
2967 kdk_len = 0;
2968
2969 res = fils_pmk_to_ptk(pmk, pmk_len, wpa_auth_get_spa(sm),
2970 wpa_auth_get_aa(sm),
2971 snonce, anonce, dhss, dhss_len,
2972 &sm->PTK, ick, &ick_len,
2973 sm->wpa_key_mgmt, sm->pairwise,
2974 fils_ft, &fils_ft_len, kdk_len);
2975 if (res < 0)
2976 return res;
2977
2978 #ifdef CONFIG_PASN
2979 if (sm->wpa_auth->conf.secure_ltf &&
2980 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)) {
2981 res = wpa_ltf_keyseed(&sm->PTK, sm->wpa_key_mgmt, sm->pairwise);
2982 if (res) {
2983 wpa_printf(MSG_ERROR,
2984 "FILS: LTF keyseed derivation failed");
2985 return res;
2986 }
2987 }
2988 #endif /* CONFIG_PASN */
2989
2990 sm->PTK_valid = true;
2991 sm->tk_already_set = false;
2992
2993 #ifdef CONFIG_IEEE80211R_AP
2994 if (fils_ft_len) {
2995 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2996 struct wpa_auth_config *conf = &wpa_auth->conf;
2997 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
2998
2999 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
3000 conf->ssid, conf->ssid_len,
3001 conf->mobility_domain,
3002 conf->r0_key_holder,
3003 conf->r0_key_holder_len,
3004 wpa_auth_get_spa(sm), pmk_r0, pmk_r0_name,
3005 sm->wpa_key_mgmt) < 0)
3006 return -1;
3007
3008 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name);
3009 forced_memzero(fils_ft, sizeof(fils_ft));
3010
3011 res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder,
3012 wpa_auth_get_spa(sm),
3013 sm->pmk_r1_name,
3014 fils_ft_len);
3015 forced_memzero(pmk_r0, PMK_LEN_MAX);
3016 if (res < 0)
3017 return -1;
3018 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name,
3019 WPA_PMK_NAME_LEN);
3020 sm->pmk_r1_name_valid = 1;
3021 }
3022 #endif /* CONFIG_IEEE80211R_AP */
3023
3024 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
3025 wpa_auth_get_spa(sm),
3026 wpa_auth_get_aa(sm),
3027 g_sta ? wpabuf_head(g_sta) : NULL,
3028 g_sta ? wpabuf_len(g_sta) : 0,
3029 g_ap ? wpabuf_head(g_ap) : NULL,
3030 g_ap ? wpabuf_len(g_ap) : 0,
3031 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
3032 sm->fils_key_auth_ap,
3033 &sm->fils_key_auth_len);
3034 forced_memzero(ick, sizeof(ick));
3035
3036 /* Store nonces for (Re)Association Request/Response frame processing */
3037 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
3038 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
3039
3040 return res;
3041 }
3042
3043
3044 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
3045 u8 *buf, size_t buf_len, u16 *_key_data_len)
3046 {
3047 struct ieee802_1x_hdr *hdr;
3048 struct wpa_eapol_key *key;
3049 u8 *pos;
3050 u16 key_data_len;
3051 u8 *tmp;
3052 const u8 *aad[1];
3053 size_t aad_len[1];
3054
3055 hdr = (struct ieee802_1x_hdr *) buf;
3056 key = (struct wpa_eapol_key *) (hdr + 1);
3057 pos = (u8 *) (key + 1);
3058 key_data_len = WPA_GET_BE16(pos);
3059 if (key_data_len < AES_BLOCK_SIZE ||
3060 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
3061 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3062 "No room for AES-SIV data in the frame");
3063 return -1;
3064 }
3065 pos += 2; /* Pointing at the Encrypted Key Data field */
3066
3067 tmp = os_malloc(key_data_len);
3068 if (!tmp)
3069 return -1;
3070
3071 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
3072 * to Key Data (exclusive). */
3073 aad[0] = buf;
3074 aad_len[0] = pos - buf;
3075 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
3076 1, aad, aad_len, tmp) < 0) {
3077 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3078 "Invalid AES-SIV data in the frame");
3079 bin_clear_free(tmp, key_data_len);
3080 return -1;
3081 }
3082
3083 /* AEAD decryption and validation completed successfully */
3084 key_data_len -= AES_BLOCK_SIZE;
3085 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
3086 tmp, key_data_len);
3087
3088 /* Replace Key Data field with the decrypted version */
3089 os_memcpy(pos, tmp, key_data_len);
3090 pos -= 2; /* Key Data Length field */
3091 WPA_PUT_BE16(pos, key_data_len);
3092 bin_clear_free(tmp, key_data_len);
3093 if (_key_data_len)
3094 *_key_data_len = key_data_len;
3095 return 0;
3096 }
3097
3098
3099 const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
3100 const u8 *ies, size_t ies_len,
3101 const u8 *fils_session)
3102 {
3103 const u8 *ie, *end;
3104 const u8 *session = NULL;
3105
3106 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
3107 wpa_printf(MSG_DEBUG,
3108 "FILS: Not a FILS AKM - reject association");
3109 return NULL;
3110 }
3111
3112 /* Verify Session element */
3113 ie = ies;
3114 end = ((const u8 *) ie) + ies_len;
3115 while (ie + 1 < end) {
3116 if (ie + 2 + ie[1] > end)
3117 break;
3118 if (ie[0] == WLAN_EID_EXTENSION &&
3119 ie[1] >= 1 + FILS_SESSION_LEN &&
3120 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
3121 session = ie;
3122 break;
3123 }
3124 ie += 2 + ie[1];
3125 }
3126
3127 if (!session) {
3128 wpa_printf(MSG_DEBUG,
3129 "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
3130 __func__);
3131 return NULL;
3132 }
3133
3134 if (!fils_session) {
3135 wpa_printf(MSG_DEBUG,
3136 "FILS: %s: Could not find FILS Session element in STA entry - reject",
3137 __func__);
3138 return NULL;
3139 }
3140
3141 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
3142 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
3143 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
3144 fils_session, FILS_SESSION_LEN);
3145 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
3146 session + 3, FILS_SESSION_LEN);
3147 return NULL;
3148 }
3149 return session;
3150 }
3151
3152
3153 int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
3154 size_t ies_len)
3155 {
3156 struct ieee802_11_elems elems;
3157
3158 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
3159 wpa_printf(MSG_DEBUG,
3160 "FILS: Failed to parse decrypted elements");
3161 return -1;
3162 }
3163
3164 if (!elems.fils_session) {
3165 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
3166 return -1;
3167 }
3168
3169 if (!elems.fils_key_confirm) {
3170 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
3171 return -1;
3172 }
3173
3174 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
3175 wpa_printf(MSG_DEBUG,
3176 "FILS: Unexpected Key-Auth length %d (expected %zu)",
3177 elems.fils_key_confirm_len,
3178 sm->fils_key_auth_len);
3179 return -1;
3180 }
3181
3182 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
3183 sm->fils_key_auth_len) != 0) {
3184 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
3185 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
3186 elems.fils_key_confirm, elems.fils_key_confirm_len);
3187 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
3188 sm->fils_key_auth_sta, sm->fils_key_auth_len);
3189 return -1;
3190 }
3191
3192 return 0;
3193 }
3194
3195
3196 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
3197 const struct ieee80211_mgmt *mgmt, size_t frame_len,
3198 u8 *pos, size_t left)
3199 {
3200 u16 fc, stype;
3201 const u8 *end, *ie_start, *ie, *session, *crypt;
3202 const u8 *aad[5];
3203 size_t aad_len[5];
3204
3205 if (!sm || !sm->PTK_valid) {
3206 wpa_printf(MSG_DEBUG,
3207 "FILS: No KEK to decrypt Assocication Request frame");
3208 return -1;
3209 }
3210
3211 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
3212 wpa_printf(MSG_DEBUG,
3213 "FILS: Not a FILS AKM - reject association");
3214 return -1;
3215 }
3216
3217 end = ((const u8 *) mgmt) + frame_len;
3218 fc = le_to_host16(mgmt->frame_control);
3219 stype = WLAN_FC_GET_STYPE(fc);
3220 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
3221 ie_start = mgmt->u.reassoc_req.variable;
3222 else
3223 ie_start = mgmt->u.assoc_req.variable;
3224 ie = ie_start;
3225
3226 /*
3227 * Find FILS Session element which is the last unencrypted element in
3228 * the frame.
3229 */
3230 session = wpa_fils_validate_fils_session(sm, ie, end - ie,
3231 fils_session);
3232 if (!session) {
3233 wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
3234 return -1;
3235 }
3236
3237 crypt = session + 2 + session[1];
3238
3239 if (end - crypt < AES_BLOCK_SIZE) {
3240 wpa_printf(MSG_DEBUG,
3241 "FILS: Too short frame to include AES-SIV data");
3242 return -1;
3243 }
3244
3245 /* AES-SIV AAD vectors */
3246
3247 /* The STA's MAC address */
3248 aad[0] = mgmt->sa;
3249 aad_len[0] = ETH_ALEN;
3250 /* The AP's BSSID */
3251 aad[1] = mgmt->da;
3252 aad_len[1] = ETH_ALEN;
3253 /* The STA's nonce */
3254 aad[2] = sm->SNonce;
3255 aad_len[2] = FILS_NONCE_LEN;
3256 /* The AP's nonce */
3257 aad[3] = sm->ANonce;
3258 aad_len[3] = FILS_NONCE_LEN;
3259 /*
3260 * The (Re)Association Request frame from the Capability Information
3261 * field to the FILS Session element (both inclusive).
3262 */
3263 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
3264 aad_len[4] = crypt - aad[4];
3265
3266 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
3267 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
3268 wpa_printf(MSG_DEBUG,
3269 "FILS: Invalid AES-SIV data in the frame");
3270 return -1;
3271 }
3272 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
3273 pos, left - AES_BLOCK_SIZE);
3274
3275 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
3276 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
3277 return -1;
3278 }
3279
3280 return left - AES_BLOCK_SIZE;
3281 }
3282
3283
3284 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
3285 size_t current_len, size_t max_len,
3286 const struct wpabuf *hlp)
3287 {
3288 u8 *end = buf + max_len;
3289 u8 *pos = buf + current_len;
3290 struct ieee80211_mgmt *mgmt;
3291 struct wpabuf *plain;
3292 const u8 *aad[5];
3293 size_t aad_len[5];
3294
3295 if (!sm || !sm->PTK_valid)
3296 return -1;
3297
3298 wpa_hexdump(MSG_DEBUG,
3299 "FILS: Association Response frame before FILS processing",
3300 buf, current_len);
3301
3302 mgmt = (struct ieee80211_mgmt *) buf;
3303
3304 /* AES-SIV AAD vectors */
3305
3306 /* The AP's BSSID */
3307 aad[0] = mgmt->sa;
3308 aad_len[0] = ETH_ALEN;
3309 /* The STA's MAC address */
3310 aad[1] = mgmt->da;
3311 aad_len[1] = ETH_ALEN;
3312 /* The AP's nonce */
3313 aad[2] = sm->ANonce;
3314 aad_len[2] = FILS_NONCE_LEN;
3315 /* The STA's nonce */
3316 aad[3] = sm->SNonce;
3317 aad_len[3] = FILS_NONCE_LEN;
3318 /*
3319 * The (Re)Association Response frame from the Capability Information
3320 * field (the same offset in both Association and Reassociation
3321 * Response frames) to the FILS Session element (both inclusive).
3322 */
3323 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
3324 aad_len[4] = pos - aad[4];
3325
3326 /* The following elements will be encrypted with AES-SIV */
3327 plain = fils_prepare_plainbuf(sm, hlp);
3328 if (!plain) {
3329 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
3330 return -1;
3331 }
3332
3333 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
3334 wpa_printf(MSG_DEBUG,
3335 "FILS: Not enough room for FILS elements");
3336 wpabuf_clear_free(plain);
3337 return -1;
3338 }
3339
3340 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
3341 plain);
3342
3343 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
3344 wpabuf_head(plain), wpabuf_len(plain),
3345 5, aad, aad_len, pos) < 0) {
3346 wpabuf_clear_free(plain);
3347 return -1;
3348 }
3349
3350 wpa_hexdump(MSG_DEBUG,
3351 "FILS: Encrypted Association Response elements",
3352 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
3353 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
3354 wpabuf_clear_free(plain);
3355
3356 sm->fils_completed = 1;
3357
3358 return current_len;
3359 }
3360
3361
3362 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
3363 const struct wpabuf *hlp)
3364 {
3365 struct wpabuf *plain;
3366 u8 *len, *tmp, *tmp2;
3367 u8 hdr[2];
3368 u8 *gtk, stub_gtk[32];
3369 size_t gtk_len;
3370 struct wpa_group *gsm;
3371 size_t plain_len;
3372 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
3373
3374 plain_len = 1000 + ieee80211w_kde_len(sm);
3375 if (conf->transition_disable)
3376 plain_len += 2 + RSN_SELECTOR_LEN + 1;
3377 plain = wpabuf_alloc(plain_len);
3378 if (!plain)
3379 return NULL;
3380
3381 /* TODO: FILS Public Key */
3382
3383 /* FILS Key Confirmation */
3384 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
3385 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
3386 /* Element ID Extension */
3387 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
3388 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
3389
3390 /* FILS HLP Container */
3391 if (hlp)
3392 wpabuf_put_buf(plain, hlp);
3393
3394 /* TODO: FILS IP Address Assignment */
3395
3396 /* Key Delivery */
3397 gsm = sm->group;
3398 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
3399 len = wpabuf_put(plain, 1);
3400 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
3401 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
3402 wpabuf_put(plain, WPA_KEY_RSC_LEN));
3403 /* GTK KDE */
3404 gtk = gsm->GTK[gsm->GN - 1];
3405 gtk_len = gsm->GTK_len;
3406 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3407 /*
3408 * Provide unique random GTK to each STA to prevent use
3409 * of GTK in the BSS.
3410 */
3411 if (random_get_bytes(stub_gtk, gtk_len) < 0) {
3412 wpabuf_clear_free(plain);
3413 return NULL;
3414 }
3415 gtk = stub_gtk;
3416 }
3417 hdr[0] = gsm->GN & 0x03;
3418 hdr[1] = 0;
3419 tmp = wpabuf_put(plain, 0);
3420 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3421 gtk, gtk_len);
3422 wpabuf_put(plain, tmp2 - tmp);
3423
3424 /* IGTK KDE and BIGTK KDE */
3425 tmp = wpabuf_put(plain, 0);
3426 tmp2 = ieee80211w_kde_add(sm, tmp);
3427 wpabuf_put(plain, tmp2 - tmp);
3428
3429 if (conf->transition_disable) {
3430 tmp = wpabuf_put(plain, 0);
3431 tmp2 = wpa_add_kde(tmp, WFA_KEY_DATA_TRANSITION_DISABLE,
3432 &conf->transition_disable, 1, NULL, 0);
3433 wpabuf_put(plain, tmp2 - tmp);
3434 }
3435
3436 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
3437
3438 #ifdef CONFIG_OCV
3439 if (wpa_auth_uses_ocv(sm)) {
3440 struct wpa_channel_info ci;
3441 u8 *pos;
3442
3443 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
3444 wpa_printf(MSG_WARNING,
3445 "FILS: Failed to get channel info for OCI element");
3446 wpabuf_clear_free(plain);
3447 return NULL;
3448 }
3449 #ifdef CONFIG_TESTING_OPTIONS
3450 if (conf->oci_freq_override_fils_assoc) {
3451 wpa_printf(MSG_INFO,
3452 "TEST: Override OCI frequency %d -> %u MHz",
3453 ci.frequency,
3454 conf->oci_freq_override_fils_assoc);
3455 ci.frequency = conf->oci_freq_override_fils_assoc;
3456 }
3457 #endif /* CONFIG_TESTING_OPTIONS */
3458
3459 pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN);
3460 if (ocv_insert_extended_oci(&ci, pos) < 0) {
3461 wpabuf_clear_free(plain);
3462 return NULL;
3463 }
3464 }
3465 #endif /* CONFIG_OCV */
3466
3467 return plain;
3468 }
3469
3470
3471 int fils_set_tk(struct wpa_state_machine *sm)
3472 {
3473 enum wpa_alg alg;
3474 int klen;
3475
3476 if (!sm || !sm->PTK_valid) {
3477 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK");
3478 return -1;
3479 }
3480 if (sm->tk_already_set) {
3481 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver");
3482 return -1;
3483 }
3484
3485 alg = wpa_cipher_to_alg(sm->pairwise);
3486 klen = wpa_cipher_key_len(sm->pairwise);
3487
3488 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
3489 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
3490 sm->PTK.tk, klen, KEY_FLAG_PAIRWISE_RX_TX)) {
3491 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
3492 return -1;
3493 }
3494
3495 #ifdef CONFIG_PASN
3496 if (sm->wpa_auth->conf.secure_ltf &&
3497 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
3498 wpa_auth_set_ltf_keyseed(sm->wpa_auth, sm->addr,
3499 sm->PTK.ltf_keyseed,
3500 sm->PTK.ltf_keyseed_len)) {
3501 wpa_printf(MSG_ERROR,
3502 "FILS: Failed to set LTF keyseed to driver");
3503 return -1;
3504 }
3505 #endif /* CONFIG_PASN */
3506
3507 sm->pairwise_set = true;
3508 sm->tk_already_set = true;
3509
3510 wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, sm->pairwise,
3511 dot11RSNAConfigPMKLifetime, &sm->PTK);
3512
3513 return 0;
3514 }
3515
3516
3517 u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
3518 const u8 *fils_session, struct wpabuf *hlp)
3519 {
3520 struct wpabuf *plain;
3521 u8 *pos = buf;
3522
3523 /* FILS Session */
3524 *pos++ = WLAN_EID_EXTENSION; /* Element ID */
3525 *pos++ = 1 + FILS_SESSION_LEN; /* Length */
3526 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
3527 os_memcpy(pos, fils_session, FILS_SESSION_LEN);
3528 pos += FILS_SESSION_LEN;
3529
3530 plain = fils_prepare_plainbuf(sm, hlp);
3531 if (!plain) {
3532 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
3533 return NULL;
3534 }
3535
3536 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
3537 pos += wpabuf_len(plain);
3538
3539 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %zu", __func__,
3540 wpabuf_len(plain));
3541 wpabuf_clear_free(plain);
3542 sm->fils_completed = 1;
3543 return pos;
3544 }
3545
3546 #endif /* CONFIG_FILS */
3547
3548
3549 #ifdef CONFIG_OCV
3550 int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth,
3551 int ap_seg1_idx, int *bandwidth, int *seg1_idx)
3552 {
3553 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3554
3555 if (!wpa_auth->cb->get_sta_tx_params)
3556 return -1;
3557 return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr,
3558 ap_max_chanwidth, ap_seg1_idx,
3559 bandwidth, seg1_idx);
3560 }
3561 #endif /* CONFIG_OCV */
3562
3563
3564 static int wpa_auth_validate_ml_kdes_m2(struct wpa_state_machine *sm,
3565 struct wpa_eapol_ie_parse *kde)
3566 {
3567 #ifdef CONFIG_IEEE80211BE
3568 int i;
3569 unsigned int n_links = 0;
3570
3571 if (sm->mld_assoc_link_id < 0)
3572 return 0;
3573
3574 /* MLD MAC address must be the same */
3575 if (!kde->mac_addr ||
3576 !ether_addr_equal(kde->mac_addr, sm->peer_mld_addr)) {
3577 wpa_printf(MSG_DEBUG, "RSN: MLD: Invalid MLD address");
3578 return -1;
3579 }
3580
3581 /* Find matching link ID and the MAC address for each link */
3582 for_each_link(kde->valid_mlo_links, i) {
3583 /*
3584 * Each entry should contain the link information and the MAC
3585 * address.
3586 */
3587 if (kde->mlo_link_len[i] != 1 + ETH_ALEN) {
3588 wpa_printf(MSG_DEBUG,
3589 "RSN: MLD: Invalid MLO Link (ID %u) KDE len=%zu",
3590 i, kde->mlo_link_len[i]);
3591 return -1;
3592 }
3593
3594 if (!sm->mld_links[i].valid || i == sm->mld_assoc_link_id) {
3595 wpa_printf(MSG_DEBUG,
3596 "RSN: MLD: Invalid link ID=%u", i);
3597 return -1;
3598 }
3599
3600 if (!ether_addr_equal(sm->mld_links[i].peer_addr,
3601 kde->mlo_link[i] + 1)) {
3602 wpa_printf(MSG_DEBUG,
3603 "RSN: MLD: invalid MAC address=" MACSTR
3604 " expected " MACSTR " (link ID %u)",
3605 MAC2STR(kde->mlo_link[i] + 1),
3606 MAC2STR(sm->mld_links[i].peer_addr), i);
3607 return -1;
3608 }
3609
3610 n_links++;
3611 }
3612
3613 /* Must have the same number of MLO links (excluding the local one) */
3614 if (n_links != sm->n_mld_affiliated_links) {
3615 wpa_printf(MSG_DEBUG,
3616 "RSN: MLD: Expecting %u MLD links in msg 2, but got %u",
3617 sm->n_mld_affiliated_links, n_links);
3618 return -1;
3619 }
3620 #endif /* CONFIG_IEEE80211BE */
3621
3622 return 0;
3623 }
3624
3625
3626 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
3627 {
3628 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3629 struct wpa_ptk PTK;
3630 int ok = 0, psk_found = 0;
3631 const u8 *pmk = NULL;
3632 size_t pmk_len;
3633 int ft;
3634 const u8 *eapol_key_ie, *key_data, *mic;
3635 u16 key_info, ver, key_data_length;
3636 size_t mic_len, eapol_key_ie_len;
3637 struct ieee802_1x_hdr *hdr;
3638 struct wpa_eapol_key *key;
3639 struct wpa_eapol_ie_parse kde;
3640 int vlan_id = 0;
3641 int owe_ptk_workaround = !!wpa_auth->conf.owe_ptk_workaround;
3642 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
3643 u8 pmk_r1[PMK_LEN_MAX];
3644 size_t key_len;
3645 u8 *key_data_buf = NULL;
3646 size_t key_data_buf_len = 0;
3647 bool derive_kdk, no_kdk = false;
3648
3649 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
3650 sm->EAPOLKeyReceived = false;
3651 sm->update_snonce = false;
3652 os_memset(&PTK, 0, sizeof(PTK));
3653
3654 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3655
3656 derive_kdk = sm->wpa_auth->conf.secure_ltf &&
3657 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF);
3658
3659 /* WPA with IEEE 802.1X: use the derived PMK from EAP
3660 * WPA-PSK: iterate through possible PSKs and select the one matching
3661 * the packet */
3662 for (;;) {
3663 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
3664 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
3665 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
3666 sm->p2p_dev_addr, pmk, &pmk_len,
3667 &vlan_id);
3668 if (!pmk)
3669 break;
3670 psk_found = 1;
3671 #ifdef CONFIG_IEEE80211R_AP
3672 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
3673 os_memcpy(sm->xxkey, pmk, pmk_len);
3674 sm->xxkey_len = pmk_len;
3675 }
3676 #endif /* CONFIG_IEEE80211R_AP */
3677 } else {
3678 pmk = sm->PMK;
3679 pmk_len = sm->pmk_len;
3680 }
3681
3682 if ((!pmk || !pmk_len) && sm->pmksa) {
3683 wpa_printf(MSG_DEBUG, "WPA: Use PMK from PMKSA cache");
3684 pmk = sm->pmksa->pmk;
3685 pmk_len = sm->pmksa->pmk_len;
3686 }
3687
3688 no_kdk = false;
3689 try_without_kdk:
3690 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK,
3691 owe_ptk_workaround == 2, pmk_r0, pmk_r1,
3692 pmk_r0_name, &key_len, no_kdk) < 0)
3693 break;
3694
3695 if (mic_len &&
3696 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
3697 sm->last_rx_eapol_key,
3698 sm->last_rx_eapol_key_len) == 0) {
3699 if (sm->PMK != pmk) {
3700 os_memcpy(sm->PMK, pmk, pmk_len);
3701 sm->pmk_len = pmk_len;
3702 }
3703 ok = 1;
3704 break;
3705 }
3706
3707 #ifdef CONFIG_FILS
3708 if (!mic_len &&
3709 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
3710 sm->last_rx_eapol_key_len, NULL) == 0) {
3711 ok = 1;
3712 break;
3713 }
3714 #endif /* CONFIG_FILS */
3715
3716 #ifdef CONFIG_OWE
3717 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && pmk_len > 32 &&
3718 owe_ptk_workaround == 1) {
3719 wpa_printf(MSG_DEBUG,
3720 "OWE: Try PTK derivation workaround with SHA256");
3721 owe_ptk_workaround = 2;
3722 continue;
3723 }
3724 #endif /* CONFIG_OWE */
3725
3726 /* Some deployed STAs that advertise SecureLTF support in the
3727 * RSNXE in (Re)Association Request frames, do not derive KDK
3728 * during PTK generation. Try to work around this by checking if
3729 * a PTK derived without KDK would result in a matching MIC. */
3730 if (!sm->wpa_auth->conf.force_kdk_derivation &&
3731 derive_kdk && !no_kdk) {
3732 wpa_printf(MSG_DEBUG,
3733 "Try new PTK derivation without KDK as a workaround");
3734 no_kdk = true;
3735 goto try_without_kdk;
3736 }
3737
3738 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3739 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
3740 break;
3741 }
3742
3743 if (no_kdk && ok) {
3744 /* The workaround worked, so allow the 4-way handshake to be
3745 * completed with the PTK that was derived without the KDK. */
3746 wpa_printf(MSG_DEBUG,
3747 "PTK without KDK worked - misbehaving STA "
3748 MACSTR, MAC2STR(sm->addr));
3749 }
3750
3751 if (!ok && wpa_key_mgmt_wpa_psk_no_sae(sm->wpa_key_mgmt) &&
3752 wpa_auth->conf.radius_psk && wpa_auth->cb->request_radius_psk &&
3753 !sm->waiting_radius_psk) {
3754 wpa_printf(MSG_DEBUG, "No PSK available - ask RADIUS server");
3755 wpa_auth->cb->request_radius_psk(wpa_auth->cb_ctx, sm->addr,
3756 sm->wpa_key_mgmt,
3757 sm->ANonce,
3758 sm->last_rx_eapol_key,
3759 sm->last_rx_eapol_key_len);
3760 sm->waiting_radius_psk = 1;
3761 goto out;
3762 }
3763
3764 if (!ok) {
3765 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
3766 LOGGER_DEBUG,
3767 "invalid MIC in msg 2/4 of 4-Way Handshake");
3768 if (psk_found)
3769 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
3770 goto out;
3771 }
3772
3773 /*
3774 * Note: last_rx_eapol_key length fields have already been validated in
3775 * wpa_receive().
3776 */
3777 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
3778 key = (struct wpa_eapol_key *) (hdr + 1);
3779 mic = (u8 *) (key + 1);
3780 key_info = WPA_GET_BE16(key->key_info);
3781 key_data = mic + mic_len + 2;
3782 key_data_length = WPA_GET_BE16(mic + mic_len);
3783 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
3784 sizeof(*key) - mic_len - 2)
3785 goto out;
3786
3787 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3788 if (mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3789 if (ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
3790 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
3791 !wpa_use_aes_key_wrap(sm->wpa_key_mgmt)) {
3792 wpa_printf(MSG_INFO,
3793 "Unsupported EAPOL-Key Key Data field encryption");
3794 goto out;
3795 }
3796
3797 if (key_data_length < 8 || key_data_length % 8) {
3798 wpa_printf(MSG_INFO,
3799 "RSN: Unsupported AES-WRAP len %u",
3800 key_data_length);
3801 goto out;
3802 }
3803 key_data_length -= 8; /* AES-WRAP adds 8 bytes */
3804 key_data_buf = os_malloc(key_data_length);
3805 if (!key_data_buf)
3806 goto out;
3807 key_data_buf_len = key_data_length;
3808 if (aes_unwrap(PTK.kek, PTK.kek_len, key_data_length / 8,
3809 key_data, key_data_buf)) {
3810 bin_clear_free(key_data_buf, key_data_buf_len);
3811 wpa_printf(MSG_INFO,
3812 "RSN: AES unwrap failed - could not decrypt EAPOL-Key key data");
3813 goto out;
3814 }
3815 key_data = key_data_buf;
3816 wpa_hexdump_key(MSG_DEBUG, "RSN: Decrypted EAPOL-Key Key Data",
3817 key_data, key_data_length);
3818 }
3819
3820 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
3821 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3822 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
3823 goto out;
3824 }
3825 if (kde.rsn_ie) {
3826 eapol_key_ie = kde.rsn_ie;
3827 eapol_key_ie_len = kde.rsn_ie_len;
3828 } else if (kde.osen) {
3829 eapol_key_ie = kde.osen;
3830 eapol_key_ie_len = kde.osen_len;
3831 } else {
3832 eapol_key_ie = kde.wpa_ie;
3833 eapol_key_ie_len = kde.wpa_ie_len;
3834 }
3835 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
3836 if (!sm->wpa_ie ||
3837 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
3838 eapol_key_ie, eapol_key_ie_len)) {
3839 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3840 "WPA IE from (Re)AssocReq did not match with msg 2/4");
3841 if (sm->wpa_ie) {
3842 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
3843 sm->wpa_ie, sm->wpa_ie_len);
3844 }
3845 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
3846 eapol_key_ie, eapol_key_ie_len);
3847 /* MLME-DEAUTHENTICATE.request */
3848 wpa_sta_disconnect(wpa_auth, sm->addr,
3849 WLAN_REASON_PREV_AUTH_NOT_VALID);
3850 goto out;
3851 }
3852 if ((!sm->rsnxe && kde.rsnxe) ||
3853 (sm->rsnxe && !kde.rsnxe) ||
3854 (sm->rsnxe && kde.rsnxe &&
3855 (sm->rsnxe_len != kde.rsnxe_len ||
3856 os_memcmp(sm->rsnxe, kde.rsnxe, sm->rsnxe_len) != 0))) {
3857 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3858 "RSNXE from (Re)AssocReq did not match the one in EAPOL-Key msg 2/4");
3859 wpa_hexdump(MSG_DEBUG, "RSNXE in AssocReq",
3860 sm->rsnxe, sm->rsnxe_len);
3861 wpa_hexdump(MSG_DEBUG, "RSNXE in EAPOL-Key msg 2/4",
3862 kde.rsnxe, kde.rsnxe_len);
3863 /* MLME-DEAUTHENTICATE.request */
3864 wpa_sta_disconnect(wpa_auth, sm->addr,
3865 WLAN_REASON_PREV_AUTH_NOT_VALID);
3866 goto out;
3867 }
3868 #ifdef CONFIG_OCV
3869 if (wpa_auth_uses_ocv(sm)) {
3870 struct wpa_channel_info ci;
3871 int tx_chanwidth;
3872 int tx_seg1_idx;
3873 enum oci_verify_result res;
3874
3875 if (wpa_channel_info(wpa_auth, &ci) != 0) {
3876 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
3877 LOGGER_INFO,
3878 "Failed to get channel info to validate received OCI in EAPOL-Key 2/4");
3879 goto out;
3880 }
3881
3882 if (get_sta_tx_parameters(sm,
3883 channel_width_to_int(ci.chanwidth),
3884 ci.seg1_idx, &tx_chanwidth,
3885 &tx_seg1_idx) < 0)
3886 goto out;
3887
3888 res = ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
3889 tx_chanwidth, tx_seg1_idx);
3890 if (wpa_auth_uses_ocv(sm) == 2 && res == OCI_NOT_FOUND) {
3891 /* Work around misbehaving STAs */
3892 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
3893 LOGGER_INFO,
3894 "Disable OCV with a STA that does not send OCI");
3895 wpa_auth_set_ocv(sm, 0);
3896 } else if (res != OCI_SUCCESS) {
3897 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
3898 LOGGER_INFO,
3899 "OCV failed: %s", ocv_errorstr);
3900 if (wpa_auth->conf.msg_ctx)
3901 wpa_msg(wpa_auth->conf.msg_ctx, MSG_INFO,
3902 OCV_FAILURE "addr=" MACSTR
3903 " frame=eapol-key-m2 error=%s",
3904 MAC2STR(wpa_auth_get_spa(sm)),
3905 ocv_errorstr);
3906 goto out;
3907 }
3908 }
3909 #endif /* CONFIG_OCV */
3910 #ifdef CONFIG_IEEE80211R_AP
3911 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
3912 wpa_sta_disconnect(wpa_auth, sm->addr,
3913 WLAN_REASON_PREV_AUTH_NOT_VALID);
3914 goto out;
3915 }
3916 #endif /* CONFIG_IEEE80211R_AP */
3917 #ifdef CONFIG_P2P
3918 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
3919 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
3920 int idx;
3921 wpa_printf(MSG_DEBUG,
3922 "P2P: IP address requested in EAPOL-Key exchange");
3923 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
3924 if (idx >= 0) {
3925 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
3926 bitfield_set(wpa_auth->ip_pool, idx);
3927 sm->ip_addr_bit = idx;
3928 WPA_PUT_BE32(sm->ip_addr, start + idx);
3929 wpa_printf(MSG_DEBUG,
3930 "P2P: Assigned IP address %u.%u.%u.%u to "
3931 MACSTR " (bit %u)",
3932 sm->ip_addr[0], sm->ip_addr[1],
3933 sm->ip_addr[2], sm->ip_addr[3],
3934 MAC2STR(wpa_auth_get_spa(sm)),
3935 sm->ip_addr_bit);
3936 }
3937 }
3938 #endif /* CONFIG_P2P */
3939
3940 #ifdef CONFIG_DPP2
3941 if (DPP_VERSION > 1 && kde.dpp_kde) {
3942 wpa_printf(MSG_DEBUG,
3943 "DPP: peer Protocol Version %u Flags 0x%x",
3944 kde.dpp_kde[0], kde.dpp_kde[1]);
3945 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP &&
3946 wpa_auth->conf.dpp_pfs != 2 &&
3947 (kde.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) &&
3948 !sm->dpp_z) {
3949 wpa_printf(MSG_INFO,
3950 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
3951 wpa_sta_disconnect(wpa_auth, sm->addr,
3952 WLAN_REASON_PREV_AUTH_NOT_VALID);
3953 goto out;
3954 }
3955 }
3956 #endif /* CONFIG_DPP2 */
3957
3958 if (wpa_auth_validate_ml_kdes_m2(sm, &kde) < 0) {
3959 wpa_sta_disconnect(wpa_auth, sm->addr,
3960 WLAN_REASON_PREV_AUTH_NOT_VALID);
3961 return;
3962 }
3963
3964 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
3965 wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) {
3966 wpa_sta_disconnect(wpa_auth, sm->addr,
3967 WLAN_REASON_PREV_AUTH_NOT_VALID);
3968 goto out;
3969 }
3970
3971 sm->pending_1_of_4_timeout = 0;
3972 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
3973
3974 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && sm->PMK != pmk) {
3975 /* PSK may have changed from the previous choice, so update
3976 * state machine data based on whatever PSK was selected here.
3977 */
3978 os_memcpy(sm->PMK, pmk, PMK_LEN);
3979 sm->pmk_len = PMK_LEN;
3980 }
3981
3982 sm->MICVerified = true;
3983
3984 #ifdef CONFIG_IEEE80211R_AP
3985 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) && !sm->ft_completed) {
3986 wpa_printf(MSG_DEBUG, "FT: Store PMK-R0/PMK-R1");
3987 wpa_auth_ft_store_keys(sm, pmk_r0, pmk_r1, pmk_r0_name,
3988 key_len);
3989 }
3990 #endif /* CONFIG_IEEE80211R_AP */
3991
3992 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
3993 forced_memzero(&PTK, sizeof(PTK));
3994 sm->PTK_valid = true;
3995 out:
3996 forced_memzero(pmk_r0, sizeof(pmk_r0));
3997 forced_memzero(pmk_r1, sizeof(pmk_r1));
3998 bin_clear_free(key_data_buf, key_data_buf_len);
3999 }
4000
4001
4002 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
4003 {
4004 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
4005 sm->TimeoutCtr = 0;
4006 }
4007
4008
4009 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
4010 {
4011 size_t len = 0;
4012 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
4013
4014 if (sm->mgmt_frame_prot) {
4015 len += 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN;
4016 len += wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
4017 }
4018
4019 if (wpa_auth->conf.tx_bss_auth)
4020 wpa_auth = wpa_auth->conf.tx_bss_auth;
4021 if (sm->mgmt_frame_prot && sm->wpa_auth->conf.beacon_prot) {
4022 len += 2 + RSN_SELECTOR_LEN + WPA_BIGTK_KDE_PREFIX_LEN;
4023 len += wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
4024 }
4025
4026 return len;
4027 }
4028
4029
4030 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
4031 {
4032 struct wpa_igtk_kde igtk;
4033 struct wpa_bigtk_kde bigtk;
4034 struct wpa_group *gsm = sm->group;
4035 u8 rsc[WPA_KEY_RSC_LEN];
4036 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
4037 struct wpa_auth_config *conf = &wpa_auth->conf;
4038 size_t len = wpa_cipher_key_len(conf->group_mgmt_cipher);
4039
4040 if (!sm->mgmt_frame_prot)
4041 return pos;
4042
4043 #ifdef CONFIG_IEEE80211BE
4044 if (sm->mld_assoc_link_id >= 0)
4045 return pos; /* Use per-link MLO KDEs instead */
4046 #endif /* CONFIG_IEEE80211BE */
4047
4048 igtk.keyid[0] = gsm->GN_igtk;
4049 igtk.keyid[1] = 0;
4050 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
4051 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
4052 os_memset(igtk.pn, 0, sizeof(igtk.pn));
4053 else
4054 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
4055 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
4056 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4057 /*
4058 * Provide unique random IGTK to each STA to prevent use of
4059 * IGTK in the BSS.
4060 */
4061 if (random_get_bytes(igtk.igtk, len) < 0)
4062 return pos;
4063 }
4064 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
4065 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
4066 NULL, 0);
4067 forced_memzero(&igtk, sizeof(igtk));
4068
4069 if (wpa_auth->conf.tx_bss_auth) {
4070 wpa_auth = wpa_auth->conf.tx_bss_auth;
4071 conf = &wpa_auth->conf;
4072 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
4073 gsm = wpa_auth->group;
4074 }
4075
4076 if (!sm->wpa_auth->conf.beacon_prot)
4077 return pos;
4078
4079 bigtk.keyid[0] = gsm->GN_bigtk;
4080 bigtk.keyid[1] = 0;
4081 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
4082 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_bigtk, rsc) < 0)
4083 os_memset(bigtk.pn, 0, sizeof(bigtk.pn));
4084 else
4085 os_memcpy(bigtk.pn, rsc, sizeof(bigtk.pn));
4086 os_memcpy(bigtk.bigtk, gsm->BIGTK[gsm->GN_bigtk - 6], len);
4087 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4088 /*
4089 * Provide unique random BIGTK to each OSEN STA to prevent use
4090 * of BIGTK in the BSS.
4091 */
4092 if (random_get_bytes(bigtk.bigtk, len) < 0)
4093 return pos;
4094 }
4095 pos = wpa_add_kde(pos, RSN_KEY_DATA_BIGTK,
4096 (const u8 *) &bigtk, WPA_BIGTK_KDE_PREFIX_LEN + len,
4097 NULL, 0);
4098 forced_memzero(&bigtk, sizeof(bigtk));
4099
4100 return pos;
4101 }
4102
4103
4104 static int ocv_oci_len(struct wpa_state_machine *sm)
4105 {
4106 #ifdef CONFIG_OCV
4107 if (wpa_auth_uses_ocv(sm))
4108 return OCV_OCI_KDE_LEN;
4109 #endif /* CONFIG_OCV */
4110 return 0;
4111 }
4112
4113
4114 static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos,
4115 unsigned int freq)
4116 {
4117 #ifdef CONFIG_OCV
4118 struct wpa_channel_info ci;
4119
4120 if (!wpa_auth_uses_ocv(sm))
4121 return 0;
4122
4123 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
4124 wpa_printf(MSG_WARNING,
4125 "Failed to get channel info for OCI element");
4126 return -1;
4127 }
4128 #ifdef CONFIG_TESTING_OPTIONS
4129 if (freq) {
4130 wpa_printf(MSG_INFO,
4131 "TEST: Override OCI KDE frequency %d -> %u MHz",
4132 ci.frequency, freq);
4133 ci.frequency = freq;
4134 }
4135 #endif /* CONFIG_TESTING_OPTIONS */
4136
4137 return ocv_insert_oci_kde(&ci, argpos);
4138 #else /* CONFIG_OCV */
4139 return 0;
4140 #endif /* CONFIG_OCV */
4141 }
4142
4143
4144 #ifdef CONFIG_TESTING_OPTIONS
4145 static u8 * replace_ie(const char *name, const u8 *old_buf, size_t *len, u8 eid,
4146 const u8 *ie, size_t ie_len)
4147 {
4148 const u8 *elem;
4149 u8 *buf;
4150
4151 wpa_printf(MSG_DEBUG, "TESTING: %s EAPOL override", name);
4152 wpa_hexdump(MSG_DEBUG, "TESTING: wpa_ie before override",
4153 old_buf, *len);
4154 buf = os_malloc(*len + ie_len);
4155 if (!buf)
4156 return NULL;
4157 os_memcpy(buf, old_buf, *len);
4158 elem = get_ie(buf, *len, eid);
4159 if (elem) {
4160 u8 elem_len = 2 + elem[1];
4161
4162 os_memmove((void *) elem, elem + elem_len,
4163 *len - (elem - buf) - elem_len);
4164 *len -= elem_len;
4165 }
4166 os_memcpy(buf + *len, ie, ie_len);
4167 *len += ie_len;
4168 wpa_hexdump(MSG_DEBUG, "TESTING: wpa_ie after EAPOL override",
4169 buf, *len);
4170
4171 return buf;
4172 }
4173 #endif /* CONFIG_TESTING_OPTIONS */
4174
4175
4176 #ifdef CONFIG_IEEE80211BE
4177
4178 void wpa_auth_ml_get_key_info(struct wpa_authenticator *a,
4179 struct wpa_auth_ml_link_key_info *info,
4180 bool mgmt_frame_prot, bool beacon_prot)
4181 {
4182 struct wpa_group *gsm = a->group;
4183 u8 rsc[WPA_KEY_RSC_LEN];
4184
4185 wpa_printf(MSG_DEBUG,
4186 "MLD: Get group key info: link_id=%u, IGTK=%u, BIGTK=%u",
4187 info->link_id, mgmt_frame_prot, beacon_prot);
4188
4189 info->gtkidx = gsm->GN & 0x03;
4190 info->gtk = gsm->GTK[gsm->GN - 1];
4191 info->gtk_len = gsm->GTK_len;
4192
4193 if (wpa_auth_get_seqnum(a, NULL, gsm->GN, rsc) < 0)
4194 os_memset(info->pn, 0, sizeof(info->pn));
4195 else
4196 os_memcpy(info->pn, rsc, sizeof(info->pn));
4197
4198 if (!mgmt_frame_prot)
4199 return;
4200
4201 info->igtkidx = gsm->GN_igtk;
4202 info->igtk = gsm->IGTK[gsm->GN_igtk - 4];
4203 info->igtk_len = wpa_cipher_key_len(a->conf.group_mgmt_cipher);
4204
4205 if (wpa_auth_get_seqnum(a, NULL, gsm->GN_igtk, rsc) < 0)
4206 os_memset(info->ipn, 0, sizeof(info->ipn));
4207 else
4208 os_memcpy(info->ipn, rsc, sizeof(info->ipn));
4209
4210 if (!beacon_prot)
4211 return;
4212
4213 if (a->conf.tx_bss_auth) {
4214 a = a->conf.tx_bss_auth;
4215 gsm = a->group;
4216 }
4217
4218 info->bigtkidx = gsm->GN_bigtk;
4219 info->bigtk = gsm->BIGTK[gsm->GN_bigtk - 6];
4220
4221 if (wpa_auth_get_seqnum(a, NULL, gsm->GN_bigtk, rsc) < 0)
4222 os_memset(info->bipn, 0, sizeof(info->bipn));
4223 else
4224 os_memcpy(info->bipn, rsc, sizeof(info->bipn));
4225 }
4226
4227
4228 static void wpa_auth_get_ml_key_info(struct wpa_authenticator *wpa_auth,
4229 struct wpa_auth_ml_key_info *info)
4230 {
4231 if (!wpa_auth->cb->get_ml_key_info)
4232 return;
4233
4234 wpa_auth->cb->get_ml_key_info(wpa_auth->cb_ctx, info);
4235 }
4236
4237
4238 static size_t wpa_auth_ml_group_kdes_len(struct wpa_state_machine *sm)
4239 {
4240 struct wpa_authenticator *wpa_auth;
4241 size_t kde_len = 0;
4242 int link_id;
4243
4244 if (sm->mld_assoc_link_id < 0)
4245 return 0;
4246
4247 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4248 if (!sm->mld_links[link_id].valid)
4249 continue;
4250
4251 wpa_auth = sm->mld_links[link_id].wpa_auth;
4252 if (!wpa_auth || !wpa_auth->group)
4253 continue;
4254
4255 /* MLO GTK KDE
4256 * Header + Key ID + Tx + LinkID + PN + GTK */
4257 kde_len += KDE_HDR_LEN + 1 + RSN_PN_LEN;
4258 kde_len += wpa_auth->group->GTK_len;
4259
4260 if (!sm->mgmt_frame_prot)
4261 continue;
4262
4263 if (wpa_auth->conf.tx_bss_auth)
4264 wpa_auth = wpa_auth->conf.tx_bss_auth;
4265
4266 /* MLO IGTK KDE
4267 * Header + Key ID + IPN + LinkID + IGTK */
4268 kde_len += KDE_HDR_LEN + WPA_IGTK_KDE_PREFIX_LEN + 1;
4269 kde_len += wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
4270
4271 if (!wpa_auth->conf.beacon_prot)
4272 continue;
4273
4274 /* MLO BIGTK KDE
4275 * Header + Key ID + BIPN + LinkID + BIGTK */
4276 kde_len += KDE_HDR_LEN + WPA_BIGTK_KDE_PREFIX_LEN + 1;
4277 kde_len += wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
4278 }
4279
4280 wpa_printf(MSG_DEBUG, "MLO Group KDEs len = %zu", kde_len);
4281
4282 return kde_len;
4283 }
4284
4285
4286 static u8 * wpa_auth_ml_group_kdes(struct wpa_state_machine *sm, u8 *pos)
4287 {
4288 struct wpa_auth_ml_key_info ml_key_info;
4289 unsigned int i, link_id;
4290 u8 *start = pos;
4291
4292 /* First fetch the key information from all the authenticators */
4293 os_memset(&ml_key_info, 0, sizeof(ml_key_info));
4294 ml_key_info.n_mld_links = sm->n_mld_affiliated_links + 1;
4295
4296 /*
4297 * Assume that management frame protection and beacon protection are the
4298 * same on all links.
4299 */
4300 ml_key_info.mgmt_frame_prot = sm->mgmt_frame_prot;
4301 ml_key_info.beacon_prot = sm->wpa_auth->conf.beacon_prot;
4302
4303 for (i = 0, link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4304 if (!sm->mld_links[link_id].valid)
4305 continue;
4306
4307 ml_key_info.links[i++].link_id = link_id;
4308 }
4309
4310 wpa_auth_get_ml_key_info(sm->wpa_auth, &ml_key_info);
4311
4312 /* Add MLO GTK KDEs */
4313 for (i = 0, link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4314 if (!sm->mld_links[link_id].valid ||
4315 !ml_key_info.links[i].gtk_len)
4316 continue;
4317
4318 wpa_printf(MSG_DEBUG, "RSN: MLO GTK: link=%u", link_id);
4319 wpa_hexdump_key(MSG_DEBUG, "RSN: MLO GTK",
4320 ml_key_info.links[i].gtk,
4321 ml_key_info.links[i].gtk_len);
4322
4323 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
4324 *pos++ = RSN_SELECTOR_LEN + 1 + 6 +
4325 ml_key_info.links[i].gtk_len;
4326
4327 RSN_SELECTOR_PUT(pos, RSN_KEY_DATA_MLO_GTK);
4328 pos += RSN_SELECTOR_LEN;
4329
4330 *pos++ = (ml_key_info.links[i].gtkidx & 0x3) | (link_id << 4);
4331
4332 os_memcpy(pos, ml_key_info.links[i].pn, 6);
4333 pos += 6;
4334
4335 os_memcpy(pos, ml_key_info.links[i].gtk,
4336 ml_key_info.links[i].gtk_len);
4337 pos += ml_key_info.links[i].gtk_len;
4338
4339 i++;
4340 }
4341
4342 if (!sm->mgmt_frame_prot) {
4343 wpa_printf(MSG_DEBUG, "RSN: MLO Group KDE len = %ld",
4344 pos - start);
4345 return pos;
4346 }
4347
4348 /* Add MLO IGTK KDEs */
4349 for (i = 0, link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4350 if (!sm->mld_links[link_id].valid ||
4351 !ml_key_info.links[i].igtk_len)
4352 continue;
4353
4354 wpa_printf(MSG_DEBUG, "RSN: MLO IGTK: link=%u", link_id);
4355 wpa_hexdump_key(MSG_DEBUG, "RSN: MLO IGTK",
4356 ml_key_info.links[i].igtk,
4357 ml_key_info.links[i].igtk_len);
4358
4359 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
4360 *pos++ = RSN_SELECTOR_LEN + 2 + 1 +
4361 sizeof(ml_key_info.links[i].ipn) +
4362 ml_key_info.links[i].igtk_len;
4363
4364 RSN_SELECTOR_PUT(pos, RSN_KEY_DATA_MLO_IGTK);
4365 pos += RSN_SELECTOR_LEN;
4366
4367 /* Add the Key ID */
4368 *pos++ = ml_key_info.links[i].igtkidx;
4369 *pos++ = 0;
4370
4371 /* Add the IPN */
4372 os_memcpy(pos, ml_key_info.links[i].ipn,
4373 sizeof(ml_key_info.links[i].ipn));
4374 pos += sizeof(ml_key_info.links[i].ipn);
4375
4376 *pos++ = ml_key_info.links[i].link_id << 4;
4377
4378 os_memcpy(pos, ml_key_info.links[i].igtk,
4379 ml_key_info.links[i].igtk_len);
4380 pos += ml_key_info.links[i].igtk_len;
4381
4382 i++;
4383 }
4384
4385 if (!sm->wpa_auth->conf.beacon_prot) {
4386 wpa_printf(MSG_DEBUG, "RSN: MLO Group KDE len = %ld",
4387 pos - start);
4388 return pos;
4389 }
4390
4391 /* Add MLO BIGTK KDEs */
4392 for (i = 0, link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4393 if (!sm->mld_links[link_id].valid ||
4394 !ml_key_info.links[i].bigtk ||
4395 !ml_key_info.links[i].igtk_len)
4396 continue;
4397
4398 wpa_printf(MSG_DEBUG, "RSN: MLO BIGTK: link=%u", link_id);
4399 wpa_hexdump_key(MSG_DEBUG, "RSN: MLO BIGTK",
4400 ml_key_info.links[i].bigtk,
4401 ml_key_info.links[i].igtk_len);
4402
4403 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
4404 *pos++ = RSN_SELECTOR_LEN + 2 + 1 +
4405 sizeof(ml_key_info.links[i].bipn) +
4406 ml_key_info.links[i].igtk_len;
4407
4408 RSN_SELECTOR_PUT(pos, RSN_KEY_DATA_MLO_BIGTK);
4409 pos += RSN_SELECTOR_LEN;
4410
4411 /* Add the Key ID */
4412 *pos++ = ml_key_info.links[i].bigtkidx;
4413 *pos++ = 0;
4414
4415 /* Add the BIPN */
4416 os_memcpy(pos, ml_key_info.links[i].bipn,
4417 sizeof(ml_key_info.links[i].bipn));
4418 pos += sizeof(ml_key_info.links[i].bipn);
4419
4420 *pos++ = ml_key_info.links[i].link_id << 4;
4421
4422 os_memcpy(pos, ml_key_info.links[i].bigtk,
4423 ml_key_info.links[i].igtk_len);
4424 pos += ml_key_info.links[i].igtk_len;
4425
4426 i++;
4427 }
4428
4429 wpa_printf(MSG_DEBUG, "RSN: MLO Group KDE len = %ld", pos - start);
4430 return pos;
4431 }
4432
4433 #endif /* CONFIG_IEEE80211BE */
4434
4435
4436 static size_t wpa_auth_ml_kdes_len(struct wpa_state_machine *sm)
4437 {
4438 size_t kde_len = 0;
4439
4440 #ifdef CONFIG_IEEE80211BE
4441 unsigned int link_id;
4442
4443 if (sm->mld_assoc_link_id < 0)
4444 return 0;
4445
4446 /* For the MAC Address KDE */
4447 kde_len = 2 + RSN_SELECTOR_LEN + ETH_ALEN;
4448
4449 /* MLO Link KDE for each link */
4450 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4451 struct wpa_authenticator *wpa_auth;
4452 const u8 *ie;
4453
4454 wpa_auth = wpa_get_link_auth(sm->wpa_auth, link_id);
4455 if (!wpa_auth)
4456 continue;
4457
4458 kde_len += 2 + RSN_SELECTOR_LEN + 1 + ETH_ALEN;
4459 ie = get_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4460 WLAN_EID_RSN);
4461 if (ie)
4462 kde_len += 2 + ie[1];
4463 ie = get_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4464 WLAN_EID_RSNX);
4465 if (ie)
4466 kde_len += 2 + ie[1];
4467 }
4468
4469 kde_len += wpa_auth_ml_group_kdes_len(sm);
4470 #endif /* CONFIG_IEEE80211BE */
4471
4472 return kde_len;
4473 }
4474
4475
4476 static u8 * wpa_auth_ml_kdes(struct wpa_state_machine *sm, u8 *pos)
4477 {
4478 #ifdef CONFIG_IEEE80211BE
4479 u8 link_id;
4480 u8 *start = pos;
4481
4482 if (sm->mld_assoc_link_id < 0)
4483 return pos;
4484
4485 wpa_printf(MSG_DEBUG, "RSN: MLD: Adding MAC Address KDE");
4486 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR,
4487 sm->wpa_auth->mld_addr, ETH_ALEN, NULL, 0);
4488
4489 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4490 struct wpa_authenticator *wpa_auth;
4491 const u8 *rsne, *rsnxe;
4492 size_t rsne_len, rsnxe_len;
4493
4494 wpa_auth = wpa_get_link_auth(sm->wpa_auth, link_id);
4495 if (!wpa_auth)
4496 continue;
4497
4498 rsne = get_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4499 WLAN_EID_RSN);
4500 rsne_len = rsne ? 2 + rsne[1] : 0;
4501
4502 rsnxe = get_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4503 WLAN_EID_RSNX);
4504 rsnxe_len = rsnxe ? 2 + rsnxe[1] : 0;
4505
4506 wpa_printf(MSG_DEBUG,
4507 "RSN: MLO Link: link=%u, len=%zu", link_id,
4508 RSN_SELECTOR_LEN + 1 + ETH_ALEN +
4509 rsne_len + rsnxe_len);
4510
4511 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
4512 *pos++ = RSN_SELECTOR_LEN + 1 + ETH_ALEN +
4513 rsne_len + rsnxe_len;
4514
4515 RSN_SELECTOR_PUT(pos, RSN_KEY_DATA_MLO_LINK);
4516 pos += RSN_SELECTOR_LEN;
4517
4518 /* Add the Link Information */
4519 *pos = link_id;
4520 if (rsne_len)
4521 *pos |= RSN_MLO_LINK_KDE_LI_RSNE_INFO;
4522 if (rsnxe_len)
4523 *pos |= RSN_MLO_LINK_KDE_LI_RSNXE_INFO;
4524
4525 pos++;
4526 os_memcpy(pos, wpa_auth->addr, ETH_ALEN);
4527 pos += ETH_ALEN;
4528
4529 if (rsne_len) {
4530 os_memcpy(pos, rsne, rsne_len);
4531 pos += rsne_len;
4532 }
4533
4534 if (rsnxe_len) {
4535 os_memcpy(pos, rsnxe, rsnxe_len);
4536 pos += rsnxe_len;
4537 }
4538 }
4539
4540 wpa_printf(MSG_DEBUG, "RSN: MLO Link KDE len = %ld", pos - start);
4541 pos = wpa_auth_ml_group_kdes(sm, pos);
4542 #endif /* CONFIG_IEEE80211BE */
4543
4544 return pos;
4545 }
4546
4547
4548 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
4549 {
4550 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde = NULL, *pos, stub_gtk[32];
4551 size_t gtk_len, kde_len = 0, wpa_ie_len;
4552 struct wpa_group *gsm = sm->group;
4553 u8 *wpa_ie;
4554 int secure, gtkidx, encr = 0;
4555 u8 *wpa_ie_buf = NULL, *wpa_ie_buf2 = NULL;
4556 u8 hdr[2];
4557 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
4558 #ifdef CONFIG_IEEE80211BE
4559 bool is_mld = sm->mld_assoc_link_id >= 0;
4560 #else /* CONFIG_IEEE80211BE */
4561 bool is_mld = false;
4562 #endif /* CONFIG_IEEE80211BE */
4563
4564 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
4565 sm->TimeoutEvt = false;
4566
4567 sm->TimeoutCtr++;
4568 if (conf->wpa_disable_eapol_key_retries && sm->TimeoutCtr > 1) {
4569 /* Do not allow retransmission of EAPOL-Key msg 3/4 */
4570 return;
4571 }
4572 if (sm->TimeoutCtr > conf->wpa_pairwise_update_count) {
4573 /* No point in sending the EAPOL-Key - we will disconnect
4574 * immediately following this. */
4575 return;
4576 }
4577
4578 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
4579 GTK[GN], IGTK, [BIGTK], [FTIE], [TIE * 2])
4580 */
4581 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
4582 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
4583 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
4584 wpa_ie = sm->wpa_auth->wpa_ie;
4585 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
4586 if (sm->wpa == WPA_VERSION_WPA && (conf->wpa & WPA_PROTO_RSN) &&
4587 wpa_ie_len > wpa_ie[1] + 2U && wpa_ie[0] == WLAN_EID_RSN) {
4588 /* WPA-only STA, remove RSN IE and possible MDIE */
4589 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4590 if (wpa_ie[0] == WLAN_EID_RSNX)
4591 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4592 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
4593 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4594 wpa_ie_len = wpa_ie[1] + 2;
4595 }
4596 #ifdef CONFIG_TESTING_OPTIONS
4597 if (conf->rsne_override_eapol_set) {
4598 wpa_ie_buf2 = replace_ie(
4599 "RSNE", wpa_ie, &wpa_ie_len, WLAN_EID_RSN,
4600 conf->rsne_override_eapol,
4601 conf->rsne_override_eapol_len);
4602 if (!wpa_ie_buf2)
4603 goto done;
4604 wpa_ie = wpa_ie_buf2;
4605 }
4606 if (conf->rsnxe_override_eapol_set) {
4607 wpa_ie_buf = replace_ie(
4608 "RSNXE", wpa_ie, &wpa_ie_len, WLAN_EID_RSNX,
4609 conf->rsnxe_override_eapol,
4610 conf->rsnxe_override_eapol_len);
4611 if (!wpa_ie_buf)
4612 goto done;
4613 wpa_ie = wpa_ie_buf;
4614 }
4615 #endif /* CONFIG_TESTING_OPTIONS */
4616 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
4617 "sending 3/4 msg of 4-Way Handshake");
4618 if (sm->wpa == WPA_VERSION_WPA2) {
4619 if (sm->use_ext_key_id && sm->TimeoutCtr == 1 &&
4620 wpa_auth_set_key(sm->wpa_auth, 0,
4621 wpa_cipher_to_alg(sm->pairwise),
4622 sm->addr,
4623 sm->keyidx_active, sm->PTK.tk,
4624 wpa_cipher_key_len(sm->pairwise),
4625 KEY_FLAG_PAIRWISE_RX)) {
4626 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
4627 WLAN_REASON_PREV_AUTH_NOT_VALID);
4628 return;
4629 }
4630
4631 #ifdef CONFIG_PASN
4632 if (sm->wpa_auth->conf.secure_ltf &&
4633 ieee802_11_rsnx_capab(sm->rsnxe,
4634 WLAN_RSNX_CAPAB_SECURE_LTF) &&
4635 wpa_auth_set_ltf_keyseed(sm->wpa_auth, sm->addr,
4636 sm->PTK.ltf_keyseed,
4637 sm->PTK.ltf_keyseed_len)) {
4638 wpa_printf(MSG_ERROR,
4639 "WPA: Failed to set LTF keyseed to driver");
4640 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
4641 WLAN_REASON_PREV_AUTH_NOT_VALID);
4642 return;
4643 }
4644 #endif /* CONFIG_PASN */
4645
4646 /* WPA2 send GTK in the 4-way handshake */
4647 secure = 1;
4648 gtk = gsm->GTK[gsm->GN - 1];
4649 gtk_len = gsm->GTK_len;
4650 if (conf->disable_gtk ||
4651 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4652 /*
4653 * Provide unique random GTK to each STA to prevent use
4654 * of GTK in the BSS.
4655 */
4656 if (random_get_bytes(stub_gtk, gtk_len) < 0)
4657 goto done;
4658 gtk = stub_gtk;
4659 }
4660 gtkidx = gsm->GN;
4661 _rsc = rsc;
4662 encr = 1;
4663 } else {
4664 /* WPA does not include GTK in msg 3/4 */
4665 secure = 0;
4666 gtk = NULL;
4667 gtk_len = 0;
4668 gtkidx = 0;
4669 _rsc = NULL;
4670 if (sm->rx_eapol_key_secure) {
4671 /*
4672 * It looks like Windows 7 supplicant tries to use
4673 * Secure bit in msg 2/4 after having reported Michael
4674 * MIC failure and it then rejects the 4-way handshake
4675 * if msg 3/4 does not set Secure bit. Work around this
4676 * by setting the Secure bit here even in the case of
4677 * WPA if the supplicant used it first.
4678 */
4679 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
4680 LOGGER_DEBUG,
4681 "STA used Secure bit in WPA msg 2/4 - set Secure for 3/4 as workaround");
4682 secure = 1;
4683 }
4684 }
4685
4686 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
4687
4688 if (sm->use_ext_key_id)
4689 kde_len += 2 + RSN_SELECTOR_LEN + 2;
4690
4691 if (gtk)
4692 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4693 #ifdef CONFIG_IEEE80211R_AP
4694 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4695 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
4696 kde_len += 300; /* FTIE + 2 * TIE */
4697 }
4698 #endif /* CONFIG_IEEE80211R_AP */
4699 #ifdef CONFIG_P2P
4700 if (WPA_GET_BE32(sm->ip_addr) > 0)
4701 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
4702 #endif /* CONFIG_P2P */
4703
4704 if (conf->transition_disable)
4705 kde_len += 2 + RSN_SELECTOR_LEN + 1;
4706
4707 #ifdef CONFIG_DPP2
4708 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
4709 kde_len += 2 + RSN_SELECTOR_LEN + 2;
4710 #endif /* CONFIG_DPP2 */
4711
4712 kde_len += wpa_auth_ml_kdes_len(sm);
4713
4714 if (sm->ssid_protection)
4715 kde_len += 2 + conf->ssid_len;
4716
4717 #ifdef CONFIG_TESTING_OPTIONS
4718 if (conf->eapol_m3_elements)
4719 kde_len += wpabuf_len(conf->eapol_m3_elements);
4720 #endif /* CONFIG_TESTING_OPTIONS */
4721
4722 kde = os_malloc(kde_len);
4723 if (!kde)
4724 goto done;
4725
4726 pos = kde;
4727 if (!is_mld) {
4728 os_memcpy(pos, wpa_ie, wpa_ie_len);
4729 pos += wpa_ie_len;
4730 }
4731 #ifdef CONFIG_IEEE80211R_AP
4732 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4733 int res;
4734 size_t elen;
4735
4736 elen = pos - kde;
4737 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name, true);
4738 if (res < 0) {
4739 wpa_printf(MSG_ERROR,
4740 "FT: Failed to insert PMKR1Name into RSN IE in EAPOL-Key data");
4741 goto done;
4742 }
4743 pos -= wpa_ie_len;
4744 pos += elen;
4745 }
4746 #endif /* CONFIG_IEEE80211R_AP */
4747 hdr[1] = 0;
4748
4749 if (sm->use_ext_key_id) {
4750 hdr[0] = sm->keyidx_active & 0x01;
4751 pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0);
4752 }
4753
4754 if (gtk && !is_mld) {
4755 hdr[0] = gtkidx & 0x03;
4756 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
4757 gtk, gtk_len);
4758 }
4759 pos = ieee80211w_kde_add(sm, pos);
4760 if (ocv_oci_add(sm, &pos, conf->oci_freq_override_eapol_m3) < 0)
4761 goto done;
4762
4763 #ifdef CONFIG_IEEE80211R_AP
4764 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4765 int res;
4766
4767 if (sm->assoc_resp_ftie &&
4768 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
4769 os_memcpy(pos, sm->assoc_resp_ftie,
4770 2 + sm->assoc_resp_ftie[1]);
4771 res = 2 + sm->assoc_resp_ftie[1];
4772 } else {
4773 res = wpa_write_ftie(conf, sm->wpa_key_mgmt,
4774 sm->xxkey_len,
4775 conf->r0_key_holder,
4776 conf->r0_key_holder_len,
4777 NULL, NULL, pos,
4778 kde + kde_len - pos,
4779 NULL, 0, 0);
4780 }
4781 if (res < 0) {
4782 wpa_printf(MSG_ERROR,
4783 "FT: Failed to insert FTIE into EAPOL-Key Key Data");
4784 goto done;
4785 }
4786 pos += res;
4787
4788 /* TIE[ReassociationDeadline] (TU) */
4789 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
4790 *pos++ = 5;
4791 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
4792 WPA_PUT_LE32(pos, conf->reassociation_deadline);
4793 pos += 4;
4794
4795 /* TIE[KeyLifetime] (seconds) */
4796 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
4797 *pos++ = 5;
4798 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
4799 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
4800 pos += 4;
4801 }
4802 #endif /* CONFIG_IEEE80211R_AP */
4803 #ifdef CONFIG_P2P
4804 if (WPA_GET_BE32(sm->ip_addr) > 0) {
4805 u8 addr[3 * 4];
4806 os_memcpy(addr, sm->ip_addr, 4);
4807 os_memcpy(addr + 4, conf->ip_addr_mask, 4);
4808 os_memcpy(addr + 8, conf->ip_addr_go, 4);
4809 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
4810 addr, sizeof(addr), NULL, 0);
4811 }
4812 #endif /* CONFIG_P2P */
4813
4814 if (conf->transition_disable)
4815 pos = wpa_add_kde(pos, WFA_KEY_DATA_TRANSITION_DISABLE,
4816 &conf->transition_disable, 1, NULL, 0);
4817
4818 #ifdef CONFIG_DPP2
4819 if (DPP_VERSION > 1 && sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
4820 u8 payload[2];
4821
4822 payload[0] = DPP_VERSION; /* Protocol Version */
4823 payload[1] = 0; /* Flags */
4824 if (conf->dpp_pfs == 0)
4825 payload[1] |= DPP_KDE_PFS_ALLOWED;
4826 else if (conf->dpp_pfs == 1)
4827 payload[1] |= DPP_KDE_PFS_ALLOWED |
4828 DPP_KDE_PFS_REQUIRED;
4829 pos = wpa_add_kde(pos, WFA_KEY_DATA_DPP,
4830 payload, sizeof(payload), NULL, 0);
4831 }
4832 #endif /* CONFIG_DPP2 */
4833
4834 pos = wpa_auth_ml_kdes(sm, pos);
4835
4836 if (sm->ssid_protection) {
4837 *pos++ = WLAN_EID_SSID;
4838 *pos++ = conf->ssid_len;
4839 os_memcpy(pos, conf->ssid, conf->ssid_len);
4840 pos += conf->ssid_len;
4841 }
4842
4843 #ifdef CONFIG_TESTING_OPTIONS
4844 if (conf->eapol_m3_elements) {
4845 os_memcpy(pos, wpabuf_head(conf->eapol_m3_elements),
4846 wpabuf_len(conf->eapol_m3_elements));
4847 pos += wpabuf_len(conf->eapol_m3_elements);
4848 }
4849
4850 if (conf->eapol_m3_no_encrypt)
4851 encr = 0;
4852 #endif /* CONFIG_TESTING_OPTIONS */
4853
4854 wpa_send_eapol(sm->wpa_auth, sm,
4855 (secure ? WPA_KEY_INFO_SECURE : 0) |
4856 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
4857 WPA_KEY_INFO_MIC : 0) |
4858 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
4859 WPA_KEY_INFO_KEY_TYPE,
4860 _rsc, sm->ANonce, kde, pos - kde, 0, encr);
4861 done:
4862 bin_clear_free(kde, kde_len);
4863 os_free(wpa_ie_buf);
4864 os_free(wpa_ie_buf2);
4865 }
4866
4867
4868 static int wpa_auth_validate_ml_kdes_m4(struct wpa_state_machine *sm)
4869 {
4870 #ifdef CONFIG_IEEE80211BE
4871 const struct ieee802_1x_hdr *hdr;
4872 const struct wpa_eapol_key *key;
4873 struct wpa_eapol_ie_parse kde;
4874 const u8 *key_data, *mic;
4875 u16 key_data_length;
4876 size_t mic_len;
4877
4878 if (sm->mld_assoc_link_id < 0)
4879 return 0;
4880
4881 /*
4882 * Note: last_rx_eapol_key length fields have already been validated in
4883 * wpa_receive().
4884 */
4885 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
4886
4887 hdr = (const struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
4888 key = (const struct wpa_eapol_key *) (hdr + 1);
4889 mic = (const u8 *) (key + 1);
4890 key_data = mic + mic_len + 2;
4891 key_data_length = WPA_GET_BE16(mic + mic_len);
4892 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
4893 sizeof(*key) - mic_len - 2)
4894 return -1;
4895
4896 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
4897 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm),
4898 LOGGER_INFO,
4899 "received EAPOL-Key msg 4/4 with invalid Key Data contents");
4900 return -1;
4901 }
4902
4903 /* MLD MAC address must be the same */
4904 if (!kde.mac_addr ||
4905 !ether_addr_equal(kde.mac_addr, sm->peer_mld_addr)) {
4906 wpa_printf(MSG_DEBUG,
4907 "MLD: Mismatching or missing MLD address in EAPOL-Key msg 4/4");
4908 return -1;
4909 }
4910
4911 wpa_printf(MSG_DEBUG, "MLD: MLD address in EAPOL-Key msg 4/4: " MACSTR,
4912 MAC2STR(kde.mac_addr));
4913 #endif /* CONFIG_IEEE80211BE */
4914
4915 return 0;
4916 }
4917
4918
4919 SM_STATE(WPA_PTK, PTKINITDONE)
4920 {
4921 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
4922 sm->EAPOLKeyReceived = false;
4923
4924 if (wpa_auth_validate_ml_kdes_m4(sm) < 0) {
4925 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
4926 WLAN_REASON_PREV_AUTH_NOT_VALID);
4927 return;
4928 }
4929
4930 if (sm->Pair) {
4931 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
4932 int klen = wpa_cipher_key_len(sm->pairwise);
4933 int res;
4934
4935 if (sm->use_ext_key_id)
4936 res = wpa_auth_set_key(sm->wpa_auth, 0, 0, sm->addr,
4937 sm->keyidx_active, NULL, 0,
4938 KEY_FLAG_PAIRWISE_RX_TX_MODIFY);
4939 else
4940 res = wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr,
4941 0, sm->PTK.tk, klen,
4942 KEY_FLAG_PAIRWISE_RX_TX);
4943 if (res) {
4944 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
4945 WLAN_REASON_PREV_AUTH_NOT_VALID);
4946 return;
4947 }
4948
4949 #ifdef CONFIG_PASN
4950 if (sm->wpa_auth->conf.secure_ltf &&
4951 ieee802_11_rsnx_capab(sm->rsnxe,
4952 WLAN_RSNX_CAPAB_SECURE_LTF) &&
4953 wpa_auth_set_ltf_keyseed(sm->wpa_auth, sm->addr,
4954 sm->PTK.ltf_keyseed,
4955 sm->PTK.ltf_keyseed_len)) {
4956 wpa_printf(MSG_ERROR,
4957 "WPA: Failed to set LTF keyseed to driver");
4958 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
4959 WLAN_REASON_PREV_AUTH_NOT_VALID);
4960 return;
4961 }
4962 #endif /* CONFIG_PASN */
4963
4964 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
4965 sm->pairwise_set = true;
4966
4967 wpa_auth_set_ptk_rekey_timer(sm);
4968 wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, sm->pairwise,
4969 dot11RSNAConfigPMKLifetime, &sm->PTK);
4970
4971 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
4972 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
4973 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
4974 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
4975 WPA_EAPOL_authorized, 1);
4976 }
4977 }
4978
4979 if (0 /* IBSS == TRUE */) {
4980 sm->keycount++;
4981 if (sm->keycount == 2) {
4982 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
4983 WPA_EAPOL_portValid, 1);
4984 }
4985 } else {
4986 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
4987 1);
4988 }
4989 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable,
4990 false);
4991 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, true);
4992 if (sm->wpa == WPA_VERSION_WPA)
4993 sm->PInitAKeys = true;
4994 else
4995 sm->has_GTK = true;
4996 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
4997 "pairwise key handshake completed (%s)",
4998 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
4999 wpa_msg(sm->wpa_auth->conf.msg_ctx, MSG_INFO, "EAPOL-4WAY-HS-COMPLETED "
5000 MACSTR, MAC2STR(sm->addr));
5001
5002 #ifdef CONFIG_IEEE80211R_AP
5003 wpa_ft_push_pmk_r1(sm->wpa_auth, wpa_auth_get_spa(sm));
5004 #endif /* CONFIG_IEEE80211R_AP */
5005
5006 sm->ptkstart_without_success = 0;
5007 }
5008
5009
5010 SM_STEP(WPA_PTK)
5011 {
5012 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
5013 struct wpa_auth_config *conf = &wpa_auth->conf;
5014
5015 if (sm->Init)
5016 SM_ENTER(WPA_PTK, INITIALIZE);
5017 else if (sm->Disconnect
5018 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
5019 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
5020 "WPA_PTK: sm->Disconnect");
5021 SM_ENTER(WPA_PTK, DISCONNECT);
5022 }
5023 else if (sm->DeauthenticationRequest)
5024 SM_ENTER(WPA_PTK, DISCONNECTED);
5025 else if (sm->AuthenticationRequest)
5026 SM_ENTER(WPA_PTK, AUTHENTICATION);
5027 else if (sm->ReAuthenticationRequest)
5028 SM_ENTER(WPA_PTK, AUTHENTICATION2);
5029 else if (sm->PTKRequest) {
5030 if (wpa_auth_sm_ptk_update(sm) < 0)
5031 SM_ENTER(WPA_PTK, DISCONNECTED);
5032 else
5033 SM_ENTER(WPA_PTK, PTKSTART);
5034 } else switch (sm->wpa_ptk_state) {
5035 case WPA_PTK_INITIALIZE:
5036 break;
5037 case WPA_PTK_DISCONNECT:
5038 SM_ENTER(WPA_PTK, DISCONNECTED);
5039 break;
5040 case WPA_PTK_DISCONNECTED:
5041 SM_ENTER(WPA_PTK, INITIALIZE);
5042 break;
5043 case WPA_PTK_AUTHENTICATION:
5044 SM_ENTER(WPA_PTK, AUTHENTICATION2);
5045 break;
5046 case WPA_PTK_AUTHENTICATION2:
5047 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
5048 wpa_auth_get_eapol(wpa_auth, sm->addr,
5049 WPA_EAPOL_keyRun))
5050 SM_ENTER(WPA_PTK, INITPMK);
5051 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
5052 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
5053 /* FIX: && 802.1X::keyRun */)
5054 SM_ENTER(WPA_PTK, INITPSK);
5055 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
5056 SM_ENTER(WPA_PTK, INITPMK);
5057 break;
5058 case WPA_PTK_INITPMK:
5059 if (wpa_auth_get_eapol(wpa_auth, sm->addr,
5060 WPA_EAPOL_keyAvailable)) {
5061 SM_ENTER(WPA_PTK, PTKSTART);
5062 #ifdef CONFIG_DPP
5063 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) {
5064 SM_ENTER(WPA_PTK, PTKSTART);
5065 #endif /* CONFIG_DPP */
5066 } else {
5067 wpa_auth->dot11RSNA4WayHandshakeFailures++;
5068 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
5069 LOGGER_INFO,
5070 "INITPMK - keyAvailable = false");
5071 SM_ENTER(WPA_PTK, DISCONNECT);
5072 }
5073 break;
5074 case WPA_PTK_INITPSK:
5075 if (wpa_auth_get_psk(wpa_auth, sm->addr, sm->p2p_dev_addr,
5076 NULL, NULL, NULL)) {
5077 SM_ENTER(WPA_PTK, PTKSTART);
5078 #ifdef CONFIG_SAE
5079 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) {
5080 SM_ENTER(WPA_PTK, PTKSTART);
5081 #endif /* CONFIG_SAE */
5082 } else if (wpa_key_mgmt_wpa_psk_no_sae(sm->wpa_key_mgmt) &&
5083 wpa_auth->conf.radius_psk) {
5084 wpa_printf(MSG_DEBUG,
5085 "INITPSK: No PSK yet available for STA - use RADIUS later");
5086 SM_ENTER(WPA_PTK, PTKSTART);
5087 } else {
5088 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
5089 LOGGER_INFO,
5090 "no PSK configured for the STA");
5091 wpa_auth->dot11RSNA4WayHandshakeFailures++;
5092 SM_ENTER(WPA_PTK, DISCONNECT);
5093 }
5094 break;
5095 case WPA_PTK_PTKSTART:
5096 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
5097 sm->EAPOLKeyPairwise)
5098 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
5099 else if (sm->TimeoutCtr > conf->wpa_pairwise_update_count) {
5100 wpa_auth->dot11RSNA4WayHandshakeFailures++;
5101 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
5102 LOGGER_DEBUG,
5103 "PTKSTART: Retry limit %u reached",
5104 conf->wpa_pairwise_update_count);
5105 sm->disconnect_reason =
5106 WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT;
5107 SM_ENTER(WPA_PTK, DISCONNECT);
5108 } else if (sm->TimeoutEvt)
5109 SM_ENTER(WPA_PTK, PTKSTART);
5110 break;
5111 case WPA_PTK_PTKCALCNEGOTIATING:
5112 if (sm->MICVerified)
5113 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
5114 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
5115 sm->EAPOLKeyPairwise)
5116 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
5117 else if (sm->TimeoutEvt)
5118 SM_ENTER(WPA_PTK, PTKSTART);
5119 break;
5120 case WPA_PTK_PTKCALCNEGOTIATING2:
5121 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
5122 break;
5123 case WPA_PTK_PTKINITNEGOTIATING:
5124 if (sm->update_snonce)
5125 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
5126 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
5127 sm->EAPOLKeyPairwise && sm->MICVerified)
5128 SM_ENTER(WPA_PTK, PTKINITDONE);
5129 else if (sm->TimeoutCtr >
5130 conf->wpa_pairwise_update_count ||
5131 (conf->wpa_disable_eapol_key_retries &&
5132 sm->TimeoutCtr > 1)) {
5133 wpa_auth->dot11RSNA4WayHandshakeFailures++;
5134 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
5135 LOGGER_DEBUG,
5136 "PTKINITNEGOTIATING: Retry limit %u reached",
5137 conf->wpa_pairwise_update_count);
5138 sm->disconnect_reason =
5139 WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT;
5140 SM_ENTER(WPA_PTK, DISCONNECT);
5141 } else if (sm->TimeoutEvt)
5142 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
5143 break;
5144 case WPA_PTK_PTKINITDONE:
5145 break;
5146 }
5147 }
5148
5149
5150 SM_STATE(WPA_PTK_GROUP, IDLE)
5151 {
5152 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
5153 if (sm->Init) {
5154 /* Init flag is not cleared here, so avoid busy
5155 * loop by claiming nothing changed. */
5156 sm->changed = false;
5157 }
5158 sm->GTimeoutCtr = 0;
5159 }
5160
5161
5162 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
5163 {
5164 u8 rsc[WPA_KEY_RSC_LEN];
5165 struct wpa_group *gsm = sm->group;
5166 const u8 *kde = NULL;
5167 u8 *kde_buf = NULL, *pos, hdr[2];
5168 size_t kde_len = 0;
5169 u8 *gtk, stub_gtk[32];
5170 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
5171 bool is_mld = false;
5172
5173 #ifdef CONFIG_IEEE80211BE
5174 is_mld = sm->mld_assoc_link_id >= 0;
5175 #endif /* CONFIG_IEEE80211BE */
5176
5177 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
5178
5179 sm->GTimeoutCtr++;
5180 if (conf->wpa_disable_eapol_key_retries && sm->GTimeoutCtr > 1) {
5181 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */
5182 return;
5183 }
5184 if (sm->GTimeoutCtr > conf->wpa_group_update_count) {
5185 /* No point in sending the EAPOL-Key - we will disconnect
5186 * immediately following this. */
5187 return;
5188 }
5189
5190 if (sm->wpa == WPA_VERSION_WPA)
5191 sm->PInitAKeys = false;
5192 sm->TimeoutEvt = false;
5193 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
5194 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
5195 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
5196 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
5197 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
5198 "sending 1/2 msg of Group Key Handshake");
5199
5200 gtk = gsm->GTK[gsm->GN - 1];
5201 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
5202 /*
5203 * Provide unique random GTK to each STA to prevent use
5204 * of GTK in the BSS.
5205 */
5206 if (random_get_bytes(stub_gtk, gsm->GTK_len) < 0)
5207 return;
5208 gtk = stub_gtk;
5209 }
5210
5211 if (sm->wpa == WPA_VERSION_WPA2 && !is_mld) {
5212 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
5213 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
5214 kde_buf = os_malloc(kde_len);
5215 if (!kde_buf)
5216 return;
5217
5218 kde = pos = kde_buf;
5219 hdr[0] = gsm->GN & 0x03;
5220 hdr[1] = 0;
5221 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5222 gtk, gsm->GTK_len);
5223 pos = ieee80211w_kde_add(sm, pos);
5224 if (ocv_oci_add(sm, &pos,
5225 conf->oci_freq_override_eapol_g1) < 0) {
5226 os_free(kde_buf);
5227 return;
5228 }
5229 kde_len = pos - kde;
5230 #ifdef CONFIG_IEEE80211BE
5231 } else if (sm->wpa == WPA_VERSION_WPA2 && is_mld) {
5232 kde_len = wpa_auth_ml_group_kdes_len(sm);
5233 if (kde_len) {
5234 kde_buf = os_malloc(kde_len);
5235 if (!kde_buf)
5236 return;
5237
5238 kde = pos = kde_buf;
5239 pos = wpa_auth_ml_group_kdes(sm, pos);
5240 kde_len = pos - kde_buf;
5241 }
5242 #endif /* CONFIG_IEEE80211BE */
5243 } else {
5244 kde = gtk;
5245 kde_len = gsm->GTK_len;
5246 }
5247
5248 wpa_send_eapol(sm->wpa_auth, sm,
5249 WPA_KEY_INFO_SECURE |
5250 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5251 WPA_KEY_INFO_MIC : 0) |
5252 WPA_KEY_INFO_ACK |
5253 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
5254 rsc, NULL, kde, kde_len, gsm->GN, 1);
5255
5256 bin_clear_free(kde_buf, kde_len);
5257 }
5258
5259
5260 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
5261 {
5262 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
5263 #ifdef CONFIG_OCV
5264 const u8 *key_data, *mic;
5265 struct ieee802_1x_hdr *hdr;
5266 struct wpa_eapol_key *key;
5267 struct wpa_eapol_ie_parse kde;
5268 size_t mic_len;
5269 u16 key_data_length;
5270 #endif /* CONFIG_OCV */
5271
5272 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
5273 sm->EAPOLKeyReceived = false;
5274
5275 #ifdef CONFIG_OCV
5276 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
5277
5278 /*
5279 * Note: last_rx_eapol_key length fields have already been validated in
5280 * wpa_receive().
5281 */
5282 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
5283 key = (struct wpa_eapol_key *) (hdr + 1);
5284 mic = (u8 *) (key + 1);
5285 key_data = mic + mic_len + 2;
5286 key_data_length = WPA_GET_BE16(mic + mic_len);
5287 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
5288 sizeof(*key) - mic_len - 2)
5289 return;
5290
5291 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
5292 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
5293 "received EAPOL-Key group msg 2/2 with invalid Key Data contents");
5294 return;
5295 }
5296
5297 if (wpa_auth_uses_ocv(sm)) {
5298 struct wpa_channel_info ci;
5299 int tx_chanwidth;
5300 int tx_seg1_idx;
5301
5302 if (wpa_channel_info(wpa_auth, &ci) != 0) {
5303 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
5304 LOGGER_INFO,
5305 "Failed to get channel info to validate received OCI in EAPOL-Key group 2/2");
5306 return;
5307 }
5308
5309 if (get_sta_tx_parameters(sm,
5310 channel_width_to_int(ci.chanwidth),
5311 ci.seg1_idx, &tx_chanwidth,
5312 &tx_seg1_idx) < 0)
5313 return;
5314
5315 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
5316 tx_chanwidth, tx_seg1_idx) !=
5317 OCI_SUCCESS) {
5318 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
5319 LOGGER_INFO,
5320 "OCV failed: %s", ocv_errorstr);
5321 if (wpa_auth->conf.msg_ctx)
5322 wpa_msg(wpa_auth->conf.msg_ctx, MSG_INFO,
5323 OCV_FAILURE "addr=" MACSTR
5324 " frame=eapol-key-g2 error=%s",
5325 MAC2STR(wpa_auth_get_spa(sm)),
5326 ocv_errorstr);
5327 return;
5328 }
5329 }
5330 #endif /* CONFIG_OCV */
5331
5332 if (sm->GUpdateStationKeys)
5333 wpa_gkeydone_sta(sm);
5334 sm->GTimeoutCtr = 0;
5335 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
5336 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
5337 "group key handshake completed (%s)",
5338 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
5339 sm->has_GTK = true;
5340 }
5341
5342
5343 SM_STATE(WPA_PTK_GROUP, KEYERROR)
5344 {
5345 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
5346 if (sm->GUpdateStationKeys)
5347 wpa_gkeydone_sta(sm);
5348 if (sm->wpa_auth->conf.no_disconnect_on_group_keyerror &&
5349 sm->wpa == WPA_VERSION_WPA2) {
5350 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm),
5351 LOGGER_DEBUG,
5352 "group key handshake failed after %u tries - allow STA to remain connected",
5353 sm->wpa_auth->conf.wpa_group_update_count);
5354 return;
5355 }
5356 sm->Disconnect = true;
5357 sm->disconnect_reason = WLAN_REASON_GROUP_KEY_UPDATE_TIMEOUT;
5358 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
5359 "group key handshake failed (%s) after %u tries",
5360 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
5361 sm->wpa_auth->conf.wpa_group_update_count);
5362 }
5363
5364
5365 SM_STEP(WPA_PTK_GROUP)
5366 {
5367 if (sm->Init || sm->PtkGroupInit) {
5368 SM_ENTER(WPA_PTK_GROUP, IDLE);
5369 sm->PtkGroupInit = false;
5370 } else switch (sm->wpa_ptk_group_state) {
5371 case WPA_PTK_GROUP_IDLE:
5372 if (sm->GUpdateStationKeys ||
5373 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
5374 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
5375 break;
5376 case WPA_PTK_GROUP_REKEYNEGOTIATING:
5377 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
5378 !sm->EAPOLKeyPairwise && sm->MICVerified)
5379 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
5380 else if (sm->GTimeoutCtr >
5381 sm->wpa_auth->conf.wpa_group_update_count ||
5382 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
5383 sm->GTimeoutCtr > 1))
5384 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
5385 else if (sm->TimeoutEvt)
5386 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
5387 break;
5388 case WPA_PTK_GROUP_KEYERROR:
5389 SM_ENTER(WPA_PTK_GROUP, IDLE);
5390 break;
5391 case WPA_PTK_GROUP_REKEYESTABLISHED:
5392 SM_ENTER(WPA_PTK_GROUP, IDLE);
5393 break;
5394 }
5395 }
5396
5397
5398 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
5399 struct wpa_group *group)
5400 {
5401 struct wpa_auth_config *conf = &wpa_auth->conf;
5402 int ret = 0;
5403 size_t len;
5404
5405 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
5406 inc_byte_array(group->Counter, WPA_NONCE_LEN);
5407 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
5408 wpa_auth->addr, group->GNonce,
5409 group->GTK[group->GN - 1], group->GTK_len) < 0)
5410 ret = -1;
5411 wpa_hexdump_key(MSG_DEBUG, "GTK",
5412 group->GTK[group->GN - 1], group->GTK_len);
5413
5414 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
5415 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
5416 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
5417 inc_byte_array(group->Counter, WPA_NONCE_LEN);
5418 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
5419 wpa_auth->addr, group->GNonce,
5420 group->IGTK[group->GN_igtk - 4], len) < 0)
5421 ret = -1;
5422 wpa_hexdump_key(MSG_DEBUG, "IGTK",
5423 group->IGTK[group->GN_igtk - 4], len);
5424 }
5425
5426 if (!wpa_auth->non_tx_beacon_prot &&
5427 conf->ieee80211w == NO_MGMT_FRAME_PROTECTION)
5428 return ret;
5429 if (!conf->beacon_prot)
5430 return ret;
5431
5432 if (wpa_auth->conf.tx_bss_auth) {
5433 group = wpa_auth->conf.tx_bss_auth->group;
5434 if (group->bigtk_set)
5435 return ret;
5436 wpa_printf(MSG_DEBUG, "Set up BIGTK for TX BSS");
5437 }
5438
5439 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
5440 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
5441 inc_byte_array(group->Counter, WPA_NONCE_LEN);
5442 if (wpa_gmk_to_gtk(group->GMK, "BIGTK key expansion",
5443 wpa_auth->addr, group->GNonce,
5444 group->BIGTK[group->GN_bigtk - 6], len) < 0)
5445 return -1;
5446 group->bigtk_set = true;
5447 wpa_hexdump_key(MSG_DEBUG, "BIGTK",
5448 group->BIGTK[group->GN_bigtk - 6], len);
5449
5450 return ret;
5451 }
5452
5453
5454 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
5455 struct wpa_group *group)
5456 {
5457 wpa_printf(MSG_DEBUG,
5458 "WPA: group state machine entering state GTK_INIT (VLAN-ID %d)",
5459 group->vlan_id);
5460 group->changed = false; /* GInit is not cleared here; avoid loop */
5461 group->wpa_group_state = WPA_GROUP_GTK_INIT;
5462
5463 /* GTK[0..N] = 0 */
5464 os_memset(group->GTK, 0, sizeof(group->GTK));
5465 group->GN = 1;
5466 group->GM = 2;
5467 group->GN_igtk = 4;
5468 group->GM_igtk = 5;
5469 group->GN_bigtk = 6;
5470 group->GM_bigtk = 7;
5471 /* GTK[GN] = CalcGTK() */
5472 wpa_gtk_update(wpa_auth, group);
5473 }
5474
5475
5476 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
5477 {
5478 if (ctx != NULL && ctx != sm->group)
5479 return 0;
5480
5481 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
5482 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
5483 LOGGER_DEBUG,
5484 "Not in PTKINITDONE; skip Group Key update");
5485 sm->GUpdateStationKeys = false;
5486 return 0;
5487 }
5488 if (sm->GUpdateStationKeys) {
5489 /*
5490 * This should not really happen, so add a debug log entry.
5491 * Since we clear the GKeyDoneStations before the loop, the
5492 * station needs to be counted here anyway.
5493 */
5494 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
5495 LOGGER_DEBUG,
5496 "GUpdateStationKeys was already set when marking station for GTK rekeying");
5497 }
5498
5499 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
5500 if (sm->is_wnmsleep)
5501 return 0;
5502
5503 sm->group->GKeyDoneStations++;
5504 sm->GUpdateStationKeys = true;
5505
5506 wpa_sm_step(sm);
5507 return 0;
5508 }
5509
5510
5511 #ifdef CONFIG_WNM_AP
5512 /* update GTK when exiting WNM-Sleep Mode */
5513 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
5514 {
5515 if (!sm || sm->is_wnmsleep)
5516 return;
5517
5518 wpa_group_update_sta(sm, NULL);
5519 }
5520
5521
5522 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
5523 {
5524 if (sm)
5525 sm->is_wnmsleep = !!flag;
5526 }
5527
5528
5529 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
5530 {
5531 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
5532 struct wpa_group *gsm = sm->group;
5533 u8 *start = pos;
5534
5535 /*
5536 * GTK subelement:
5537 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
5538 * Key[5..32]
5539 */
5540 *pos++ = WNM_SLEEP_SUBELEM_GTK;
5541 *pos++ = 11 + gsm->GTK_len;
5542 /* Key ID in B0-B1 of Key Info */
5543 WPA_PUT_LE16(pos, gsm->GN & 0x03);
5544 pos += 2;
5545 *pos++ = gsm->GTK_len;
5546 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
5547 return 0;
5548 pos += 8;
5549 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
5550 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
5551 /*
5552 * Provide unique random GTK to each STA to prevent use
5553 * of GTK in the BSS.
5554 */
5555 if (random_get_bytes(pos, gsm->GTK_len) < 0)
5556 return 0;
5557 }
5558 pos += gsm->GTK_len;
5559
5560 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
5561 gsm->GN);
5562 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
5563 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
5564
5565 return pos - start;
5566 }
5567
5568
5569 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
5570 {
5571 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
5572 struct wpa_group *gsm = sm->group;
5573 u8 *start = pos;
5574 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
5575
5576 /*
5577 * IGTK subelement:
5578 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
5579 */
5580 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
5581 *pos++ = 2 + 6 + len;
5582 WPA_PUT_LE16(pos, gsm->GN_igtk);
5583 pos += 2;
5584 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
5585 return 0;
5586 pos += 6;
5587
5588 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
5589 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
5590 /*
5591 * Provide unique random IGTK to each STA to prevent use
5592 * of IGTK in the BSS.
5593 */
5594 if (random_get_bytes(pos, len) < 0)
5595 return 0;
5596 }
5597 pos += len;
5598
5599 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
5600 gsm->GN_igtk);
5601 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
5602 gsm->IGTK[gsm->GN_igtk - 4], len);
5603
5604 return pos - start;
5605 }
5606
5607
5608 int wpa_wnmsleep_bigtk_subelem(struct wpa_state_machine *sm, u8 *pos)
5609 {
5610 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
5611 struct wpa_group *gsm = wpa_auth->group;
5612 u8 *start = pos;
5613 size_t len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
5614
5615 /*
5616 * BIGTK subelement:
5617 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
5618 */
5619 *pos++ = WNM_SLEEP_SUBELEM_BIGTK;
5620 *pos++ = 2 + 6 + len;
5621 WPA_PUT_LE16(pos, gsm->GN_bigtk);
5622 pos += 2;
5623 if (wpa_auth_get_seqnum(wpa_auth, NULL, gsm->GN_bigtk, pos) != 0)
5624 return 0;
5625 pos += 6;
5626
5627 os_memcpy(pos, gsm->BIGTK[gsm->GN_bigtk - 6], len);
5628 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
5629 /*
5630 * Provide unique random BIGTK to each STA to prevent use
5631 * of BIGTK in the BSS.
5632 */
5633 if (random_get_bytes(pos, len) < 0)
5634 return 0;
5635 }
5636 pos += len;
5637
5638 wpa_printf(MSG_DEBUG, "WNM: BIGTK Key ID %u in WNM-Sleep Mode exit",
5639 gsm->GN_bigtk);
5640 wpa_hexdump_key(MSG_DEBUG, "WNM: BIGTK in WNM-Sleep Mode exit",
5641 gsm->BIGTK[gsm->GN_bigtk - 6], len);
5642
5643 return pos - start;
5644 }
5645
5646 #endif /* CONFIG_WNM_AP */
5647
5648
5649 static void wpa_group_update_gtk(struct wpa_authenticator *wpa_auth,
5650 struct wpa_group *group)
5651 {
5652 int tmp;
5653
5654 tmp = group->GM;
5655 group->GM = group->GN;
5656 group->GN = tmp;
5657 tmp = group->GM_igtk;
5658 group->GM_igtk = group->GN_igtk;
5659 group->GN_igtk = tmp;
5660 tmp = group->GM_bigtk;
5661 group->GM_bigtk = group->GN_bigtk;
5662 group->GN_bigtk = tmp;
5663 /* "GKeyDoneStations = GNoStations" is done in more robust way by
5664 * counting the STAs that are marked with GUpdateStationKeys instead of
5665 * including all STAs that could be in not-yet-completed state. */
5666 wpa_gtk_update(wpa_auth, group);
5667 }
5668
5669
5670 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
5671 struct wpa_group *group)
5672 {
5673 wpa_printf(MSG_DEBUG,
5674 "WPA: group state machine entering state SETKEYS (VLAN-ID %d)",
5675 group->vlan_id);
5676 group->changed = true;
5677 group->wpa_group_state = WPA_GROUP_SETKEYS;
5678 group->GTKReKey = false;
5679
5680 #ifdef CONFIG_IEEE80211BE
5681 if (wpa_auth->is_ml)
5682 goto skip_update;
5683 #endif /* CONFIG_IEEE80211BE */
5684
5685 wpa_group_update_gtk(wpa_auth, group);
5686
5687 if (group->GKeyDoneStations) {
5688 wpa_printf(MSG_DEBUG,
5689 "wpa_group_setkeys: Unexpected GKeyDoneStations=%d when starting new GTK rekey",
5690 group->GKeyDoneStations);
5691 group->GKeyDoneStations = 0;
5692 }
5693
5694 #ifdef CONFIG_IEEE80211BE
5695 skip_update:
5696 #endif /* CONFIG_IEEE80211BE */
5697 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
5698 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
5699 group->GKeyDoneStations);
5700 }
5701
5702
5703 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
5704 struct wpa_group *group)
5705 {
5706 struct wpa_auth_config *conf = &wpa_auth->conf;
5707 int ret = 0;
5708
5709 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
5710 wpa_cipher_to_alg(conf->wpa_group),
5711 broadcast_ether_addr, group->GN,
5712 group->GTK[group->GN - 1], group->GTK_len,
5713 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
5714 ret = -1;
5715
5716 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
5717 enum wpa_alg alg;
5718 size_t len;
5719
5720 alg = wpa_cipher_to_alg(conf->group_mgmt_cipher);
5721 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
5722
5723 if (ret == 0 &&
5724 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
5725 broadcast_ether_addr, group->GN_igtk,
5726 group->IGTK[group->GN_igtk - 4], len,
5727 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
5728 ret = -1;
5729
5730 if (ret || !conf->beacon_prot)
5731 return ret;
5732 if (wpa_auth->conf.tx_bss_auth) {
5733 wpa_auth = wpa_auth->conf.tx_bss_auth;
5734 group = wpa_auth->group;
5735 if (!group->bigtk_set || group->bigtk_configured)
5736 return ret;
5737 }
5738 if (wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
5739 broadcast_ether_addr, group->GN_bigtk,
5740 group->BIGTK[group->GN_bigtk - 6], len,
5741 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
5742 ret = -1;
5743 else
5744 group->bigtk_configured = true;
5745 }
5746
5747 return ret;
5748 }
5749
5750
5751 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
5752 {
5753 if (sm->group == ctx) {
5754 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
5755 " for disconnection due to fatal failure",
5756 MAC2STR(wpa_auth_get_spa(sm)));
5757 sm->Disconnect = true;
5758 }
5759
5760 return 0;
5761 }
5762
5763
5764 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
5765 struct wpa_group *group)
5766 {
5767 wpa_printf(MSG_DEBUG,
5768 "WPA: group state machine entering state FATAL_FAILURE");
5769 group->changed = true;
5770 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
5771 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
5772 }
5773
5774
5775 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
5776 struct wpa_group *group)
5777 {
5778 wpa_printf(MSG_DEBUG,
5779 "WPA: group state machine entering state SETKEYSDONE (VLAN-ID %d)",
5780 group->vlan_id);
5781 group->changed = true;
5782 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
5783
5784 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
5785 wpa_group_fatal_failure(wpa_auth, group);
5786 return -1;
5787 }
5788
5789 return 0;
5790 }
5791
5792
5793 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
5794 struct wpa_group *group)
5795 {
5796 if (group->GInit) {
5797 wpa_group_gtk_init(wpa_auth, group);
5798 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
5799 /* Do not allow group operations */
5800 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
5801 group->GTKAuthenticator) {
5802 wpa_group_setkeysdone(wpa_auth, group);
5803 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
5804 group->GTKReKey) {
5805 wpa_group_setkeys(wpa_auth, group);
5806 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
5807 if (group->GKeyDoneStations == 0)
5808 wpa_group_setkeysdone(wpa_auth, group);
5809 else if (group->GTKReKey)
5810 wpa_group_setkeys(wpa_auth, group);
5811 }
5812 }
5813
5814
5815 static void wpa_clear_changed(struct wpa_state_machine *sm)
5816 {
5817 #ifdef CONFIG_IEEE80211BE
5818 int link_id;
5819 #endif /* CONFIG_IEEE80211BE */
5820
5821 sm->changed = false;
5822 sm->wpa_auth->group->changed = false;
5823
5824 #ifdef CONFIG_IEEE80211BE
5825 for_each_sm_auth(sm, link_id)
5826 sm->mld_links[link_id].wpa_auth->group->changed = false;
5827 #endif /* CONFIG_IEEE80211BE */
5828 }
5829
5830
5831 static void wpa_group_sm_step_links(struct wpa_state_machine *sm)
5832 {
5833 #ifdef CONFIG_IEEE80211BE
5834 int link_id;
5835 #endif /* CONFIG_IEEE80211BE */
5836
5837 if (!sm || !sm->wpa_auth)
5838 return;
5839 wpa_group_sm_step(sm->wpa_auth, sm->wpa_auth->group);
5840
5841 #ifdef CONFIG_IEEE80211BE
5842 for_each_sm_auth(sm, link_id) {
5843 wpa_group_sm_step(sm->mld_links[link_id].wpa_auth,
5844 sm->mld_links[link_id].wpa_auth->group);
5845 }
5846 #endif /* CONFIG_IEEE80211BE */
5847 }
5848
5849
5850 static bool wpa_group_sm_changed(struct wpa_state_machine *sm)
5851 {
5852 #ifdef CONFIG_IEEE80211BE
5853 int link_id;
5854 #endif /* CONFIG_IEEE80211BE */
5855 bool changed;
5856
5857 if (!sm || !sm->wpa_auth)
5858 return false;
5859 changed = sm->wpa_auth->group->changed;
5860
5861 #ifdef CONFIG_IEEE80211BE
5862 for_each_sm_auth(sm, link_id)
5863 changed |= sm->mld_links[link_id].wpa_auth->group->changed;
5864 #endif /* CONFIG_IEEE80211BE */
5865
5866 return changed;
5867 }
5868
5869
5870 static int wpa_sm_step(struct wpa_state_machine *sm)
5871 {
5872 if (!sm)
5873 return 0;
5874
5875 if (sm->in_step_loop) {
5876 /* This should not happen, but if it does, make sure we do not
5877 * end up freeing the state machine too early by exiting the
5878 * recursive call. */
5879 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
5880 return 0;
5881 }
5882
5883 sm->in_step_loop = 1;
5884 do {
5885 if (sm->pending_deinit)
5886 break;
5887
5888 wpa_clear_changed(sm);
5889
5890 SM_STEP_RUN(WPA_PTK);
5891 if (sm->pending_deinit)
5892 break;
5893 SM_STEP_RUN(WPA_PTK_GROUP);
5894 if (sm->pending_deinit)
5895 break;
5896 wpa_group_sm_step_links(sm);
5897 } while (sm->changed || wpa_group_sm_changed(sm));
5898 sm->in_step_loop = 0;
5899
5900 if (sm->pending_deinit) {
5901 wpa_printf(MSG_DEBUG,
5902 "WPA: Completing pending STA state machine deinit for "
5903 MACSTR, MAC2STR(wpa_auth_get_spa(sm)));
5904 wpa_free_sta_sm(sm);
5905 return 1;
5906 }
5907 return 0;
5908 }
5909
5910
5911 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
5912 {
5913 struct wpa_state_machine *sm = eloop_ctx;
5914 wpa_sm_step(sm);
5915 }
5916
5917
5918 void wpa_auth_sm_notify(struct wpa_state_machine *sm)
5919 {
5920 if (!sm)
5921 return;
5922 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
5923 }
5924
5925
5926 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
5927 {
5928 int tmp, i;
5929 struct wpa_group *group;
5930
5931 if (!wpa_auth)
5932 return;
5933
5934 group = wpa_auth->group;
5935
5936 for (i = 0; i < 2; i++) {
5937 tmp = group->GM;
5938 group->GM = group->GN;
5939 group->GN = tmp;
5940 tmp = group->GM_igtk;
5941 group->GM_igtk = group->GN_igtk;
5942 group->GN_igtk = tmp;
5943 if (!wpa_auth->conf.tx_bss_auth) {
5944 tmp = group->GM_bigtk;
5945 group->GM_bigtk = group->GN_bigtk;
5946 group->GN_bigtk = tmp;
5947 }
5948 wpa_gtk_update(wpa_auth, group);
5949 wpa_group_config_group_keys(wpa_auth, group);
5950 }
5951 }
5952
5953
5954 static const char * wpa_bool_txt(int val)
5955 {
5956 return val ? "TRUE" : "FALSE";
5957 }
5958
5959
5960 #define RSN_SUITE "%02x-%02x-%02x-%d"
5961 #define RSN_SUITE_ARG(s) \
5962 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
5963
5964 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
5965 {
5966 struct wpa_auth_config *conf;
5967 int len = 0, ret;
5968 char pmkid_txt[PMKID_LEN * 2 + 1];
5969 #ifdef CONFIG_RSN_PREAUTH
5970 const int preauth = 1;
5971 #else /* CONFIG_RSN_PREAUTH */
5972 const int preauth = 0;
5973 #endif /* CONFIG_RSN_PREAUTH */
5974
5975 if (!wpa_auth)
5976 return len;
5977 conf = &wpa_auth->conf;
5978
5979 ret = os_snprintf(buf + len, buflen - len,
5980 "dot11RSNAOptionImplemented=TRUE\n"
5981 "dot11RSNAPreauthenticationImplemented=%s\n"
5982 "dot11RSNAEnabled=%s\n"
5983 "dot11RSNAPreauthenticationEnabled=%s\n",
5984 wpa_bool_txt(preauth),
5985 wpa_bool_txt(conf->wpa & WPA_PROTO_RSN),
5986 wpa_bool_txt(conf->rsn_preauth));
5987 if (os_snprintf_error(buflen - len, ret))
5988 return len;
5989 len += ret;
5990
5991 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
5992 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
5993
5994 ret = os_snprintf(
5995 buf + len, buflen - len,
5996 "dot11RSNAConfigVersion=%u\n"
5997 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
5998 /* FIX: dot11RSNAConfigGroupCipher */
5999 /* FIX: dot11RSNAConfigGroupRekeyMethod */
6000 /* FIX: dot11RSNAConfigGroupRekeyTime */
6001 /* FIX: dot11RSNAConfigGroupRekeyPackets */
6002 "dot11RSNAConfigGroupRekeyStrict=%u\n"
6003 "dot11RSNAConfigGroupUpdateCount=%u\n"
6004 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
6005 "dot11RSNAConfigGroupCipherSize=%u\n"
6006 "dot11RSNAConfigPMKLifetime=%u\n"
6007 "dot11RSNAConfigPMKReauthThreshold=%u\n"
6008 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
6009 "dot11RSNAConfigSATimeout=%u\n"
6010 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
6011 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
6012 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
6013 "dot11RSNAPMKIDUsed=%s\n"
6014 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
6015 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
6016 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
6017 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
6018 "dot11RSNA4WayHandshakeFailures=%u\n"
6019 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
6020 RSN_VERSION,
6021 !!conf->wpa_strict_rekey,
6022 conf->wpa_group_update_count,
6023 conf->wpa_pairwise_update_count,
6024 wpa_cipher_key_len(conf->wpa_group) * 8,
6025 dot11RSNAConfigPMKLifetime,
6026 dot11RSNAConfigPMKReauthThreshold,
6027 dot11RSNAConfigSATimeout,
6028 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
6029 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
6030 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
6031 pmkid_txt,
6032 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
6033 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
6034 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
6035 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
6036 wpa_auth->dot11RSNA4WayHandshakeFailures);
6037 if (os_snprintf_error(buflen - len, ret))
6038 return len;
6039 len += ret;
6040
6041 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
6042 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
6043
6044 /* Private MIB */
6045 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
6046 wpa_auth->group->wpa_group_state);
6047 if (os_snprintf_error(buflen - len, ret))
6048 return len;
6049 len += ret;
6050
6051 return len;
6052 }
6053
6054
6055 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
6056 {
6057 int len = 0, ret;
6058 u32 pairwise = 0;
6059
6060 if (!sm)
6061 return 0;
6062
6063 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
6064
6065 /* dot11RSNAStatsEntry */
6066
6067 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
6068 WPA_PROTO_RSN : WPA_PROTO_WPA,
6069 sm->pairwise);
6070 if (pairwise == 0)
6071 return 0;
6072
6073 ret = os_snprintf(
6074 buf + len, buflen - len,
6075 /* TODO: dot11RSNAStatsIndex */
6076 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
6077 "dot11RSNAStatsVersion=1\n"
6078 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
6079 /* TODO: dot11RSNAStatsTKIPICVErrors */
6080 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
6081 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
6082 /* TODO: dot11RSNAStatsCCMPReplays */
6083 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
6084 /* TODO: dot11RSNAStatsTKIPReplays */,
6085 MAC2STR(sm->addr),
6086 RSN_SUITE_ARG(pairwise),
6087 sm->dot11RSNAStatsTKIPLocalMICFailures,
6088 sm->dot11RSNAStatsTKIPRemoteMICFailures);
6089 if (os_snprintf_error(buflen - len, ret))
6090 return len;
6091 len += ret;
6092
6093 /* Private MIB */
6094 ret = os_snprintf(buf + len, buflen - len,
6095 "wpa=%d\n"
6096 "AKMSuiteSelector=" RSN_SUITE "\n"
6097 "hostapdWPAPTKState=%d\n"
6098 "hostapdWPAPTKGroupState=%d\n"
6099 "hostapdMFPR=%d\n",
6100 sm->wpa,
6101 RSN_SUITE_ARG(wpa_akm_to_suite(sm->wpa_key_mgmt)),
6102 sm->wpa_ptk_state,
6103 sm->wpa_ptk_group_state,
6104 sm->mfpr);
6105 if (os_snprintf_error(buflen - len, ret))
6106 return len;
6107 len += ret;
6108
6109 return len;
6110 }
6111
6112
6113 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
6114 {
6115 if (wpa_auth)
6116 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
6117 }
6118
6119
6120 int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
6121 {
6122 return sm && sm->pairwise_set;
6123 }
6124
6125
6126 int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
6127 {
6128 return sm->pairwise;
6129 }
6130
6131
6132 const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len)
6133 {
6134 if (!sm)
6135 return NULL;
6136 *len = sm->pmk_len;
6137 return sm->PMK;
6138 }
6139
6140
6141 const u8 * wpa_auth_get_dpp_pkhash(struct wpa_state_machine *sm)
6142 {
6143 if (!sm || !sm->pmksa)
6144 return NULL;
6145 return sm->pmksa->dpp_pkhash;
6146 }
6147
6148
6149 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
6150 {
6151 if (!sm)
6152 return -1;
6153 return sm->wpa_key_mgmt;
6154 }
6155
6156
6157 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
6158 {
6159 if (!sm)
6160 return 0;
6161 return sm->wpa;
6162 }
6163
6164
6165 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
6166 {
6167 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
6168 return 0;
6169 return sm->tk_already_set;
6170 }
6171
6172
6173 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm)
6174 {
6175 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt))
6176 return 0;
6177 return sm->tk_already_set;
6178 }
6179
6180
6181 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
6182 struct rsn_pmksa_cache_entry *entry)
6183 {
6184 if (!sm || sm->pmksa != entry)
6185 return -1;
6186 sm->pmksa = NULL;
6187 return 0;
6188 }
6189
6190
6191 struct rsn_pmksa_cache_entry *
6192 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
6193 {
6194 return sm ? sm->pmksa : NULL;
6195 }
6196
6197
6198 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
6199 {
6200 if (sm)
6201 sm->dot11RSNAStatsTKIPLocalMICFailures++;
6202 }
6203
6204
6205 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
6206 {
6207 if (!wpa_auth)
6208 return NULL;
6209 *len = wpa_auth->wpa_ie_len;
6210 return wpa_auth->wpa_ie;
6211 }
6212
6213
6214 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
6215 unsigned int pmk_len,
6216 int session_timeout, struct eapol_state_machine *eapol)
6217 {
6218 if (!sm || sm->wpa != WPA_VERSION_WPA2 ||
6219 sm->wpa_auth->conf.disable_pmksa_caching)
6220 return -1;
6221
6222 #ifdef CONFIG_IEEE80211R_AP
6223 if (pmk_len >= 2 * PMK_LEN && wpa_key_mgmt_ft(sm->wpa_key_mgmt) &&
6224 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
6225 !wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
6226 /* Cache MPMK/XXKey instead of initial part from MSK */
6227 pmk = pmk + PMK_LEN;
6228 pmk_len = PMK_LEN;
6229 } else
6230 #endif /* CONFIG_IEEE80211R_AP */
6231 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
6232 if (pmk_len > PMK_LEN_SUITE_B_192)
6233 pmk_len = PMK_LEN_SUITE_B_192;
6234 } else if (pmk_len > PMK_LEN) {
6235 pmk_len = PMK_LEN;
6236 }
6237
6238 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK", pmk, pmk_len);
6239 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
6240 sm->PTK.kck, sm->PTK.kck_len,
6241 wpa_auth_get_aa(sm),
6242 wpa_auth_get_spa(sm), session_timeout,
6243 eapol, sm->wpa_key_mgmt))
6244 return 0;
6245
6246 return -1;
6247 }
6248
6249
6250 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
6251 const u8 *pmk, size_t len, const u8 *sta_addr,
6252 int session_timeout,
6253 struct eapol_state_machine *eapol)
6254 {
6255 if (!wpa_auth)
6256 return -1;
6257
6258 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from preauth", pmk, len);
6259 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
6260 NULL, 0,
6261 wpa_auth->addr,
6262 sta_addr, session_timeout, eapol,
6263 WPA_KEY_MGMT_IEEE8021X))
6264 return 0;
6265
6266 return -1;
6267 }
6268
6269
6270 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
6271 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
6272 int akmp)
6273 {
6274 if (wpa_auth->conf.disable_pmksa_caching)
6275 return -1;
6276
6277 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE", pmk, pmk_len);
6278 if (!akmp)
6279 akmp = WPA_KEY_MGMT_SAE;
6280 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
6281 NULL, 0, wpa_auth->addr, addr, 0, NULL, akmp))
6282 return 0;
6283
6284 return -1;
6285 }
6286
6287
6288 void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid)
6289 {
6290 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
6291 sm->pmkid_set = 1;
6292 }
6293
6294
6295 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
6296 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
6297 int session_timeout, int akmp, const u8 *dpp_pkhash)
6298 {
6299 struct rsn_pmksa_cache_entry *entry;
6300
6301 if (!wpa_auth || wpa_auth->conf.disable_pmksa_caching)
6302 return -1;
6303
6304 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (3)", pmk, PMK_LEN);
6305 entry = pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
6306 NULL, 0, wpa_auth->addr, addr, session_timeout,
6307 NULL, akmp);
6308 if (!entry)
6309 return -1;
6310
6311 if (dpp_pkhash)
6312 entry->dpp_pkhash = os_memdup(dpp_pkhash, SHA256_MAC_LEN);
6313
6314 return 0;
6315 }
6316
6317
6318 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
6319 const u8 *sta_addr)
6320 {
6321 struct rsn_pmksa_cache_entry *pmksa;
6322
6323 if (!wpa_auth || !wpa_auth->pmksa)
6324 return;
6325 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
6326 if (pmksa) {
6327 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
6328 MACSTR " based on request", MAC2STR(sta_addr));
6329 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
6330 }
6331 }
6332
6333
6334 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
6335 size_t len)
6336 {
6337 if (!wpa_auth || !wpa_auth->pmksa)
6338 return 0;
6339 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
6340 }
6341
6342
6343 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
6344 {
6345 if (wpa_auth && wpa_auth->pmksa)
6346 pmksa_cache_auth_flush(wpa_auth->pmksa);
6347 }
6348
6349
6350 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL
6351 #ifdef CONFIG_MESH
6352
6353 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
6354 char *buf, size_t len)
6355 {
6356 if (!wpa_auth || !wpa_auth->pmksa)
6357 return 0;
6358
6359 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
6360 }
6361
6362
6363 struct rsn_pmksa_cache_entry *
6364 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
6365 size_t pmk_len, int akmp,
6366 const u8 *pmkid, int expiration)
6367 {
6368 struct rsn_pmksa_cache_entry *entry;
6369 struct os_reltime now;
6370
6371 entry = pmksa_cache_auth_create_entry(pmk, pmk_len, pmkid, NULL, 0, aa,
6372 spa, 0, NULL, akmp);
6373 if (!entry)
6374 return NULL;
6375
6376 os_get_reltime(&now);
6377 entry->expiration = now.sec + expiration;
6378 return entry;
6379 }
6380
6381
6382 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
6383 struct rsn_pmksa_cache_entry *entry)
6384 {
6385 int ret;
6386
6387 if (!wpa_auth || !wpa_auth->pmksa)
6388 return -1;
6389
6390 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
6391 if (ret < 0)
6392 wpa_printf(MSG_DEBUG,
6393 "RSN: Failed to store external PMKSA cache for "
6394 MACSTR, MAC2STR(entry->spa));
6395
6396 return ret;
6397 }
6398
6399 #endif /* CONFIG_MESH */
6400 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
6401
6402
6403 struct rsn_pmksa_cache *
6404 wpa_auth_get_pmksa_cache(struct wpa_authenticator *wpa_auth)
6405 {
6406 if (!wpa_auth || !wpa_auth->pmksa)
6407 return NULL;
6408 return wpa_auth->pmksa;
6409 }
6410
6411
6412 struct rsn_pmksa_cache_entry *
6413 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
6414 const u8 *pmkid)
6415 {
6416 if (!wpa_auth || !wpa_auth->pmksa)
6417 return NULL;
6418 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
6419 }
6420
6421
6422 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
6423 struct wpa_state_machine *sm,
6424 struct wpa_authenticator *wpa_auth,
6425 u8 *pmkid, u8 *pmk, size_t *pmk_len)
6426 {
6427 if (!sm)
6428 return;
6429
6430 sm->pmksa = pmksa;
6431 os_memcpy(pmk, pmksa->pmk, pmksa->pmk_len);
6432 *pmk_len = pmksa->pmk_len;
6433 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
6434 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
6435 }
6436
6437
6438 /*
6439 * Remove and free the group from wpa_authenticator. This is triggered by a
6440 * callback to make sure nobody is currently iterating the group list while it
6441 * gets modified.
6442 */
6443 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
6444 struct wpa_group *group)
6445 {
6446 struct wpa_group *prev = wpa_auth->group;
6447
6448 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
6449 group->vlan_id);
6450
6451 while (prev) {
6452 if (prev->next == group) {
6453 /* This never frees the special first group as needed */
6454 prev->next = group->next;
6455 os_free(group);
6456 break;
6457 }
6458 prev = prev->next;
6459 }
6460
6461 }
6462
6463
6464 /* Increase the reference counter for group */
6465 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
6466 struct wpa_group *group)
6467 {
6468 /* Skip the special first group */
6469 if (wpa_auth->group == group)
6470 return;
6471
6472 group->references++;
6473 }
6474
6475
6476 /* Decrease the reference counter and maybe free the group */
6477 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
6478 struct wpa_group *group)
6479 {
6480 /* Skip the special first group */
6481 if (wpa_auth->group == group)
6482 return;
6483
6484 group->references--;
6485 if (group->references)
6486 return;
6487 wpa_group_free(wpa_auth, group);
6488 }
6489
6490
6491 /*
6492 * Add a group that has its references counter set to zero. Caller needs to
6493 * call wpa_group_get() on the return value to mark the entry in use.
6494 */
6495 static struct wpa_group *
6496 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
6497 {
6498 struct wpa_group *group;
6499
6500 if (!wpa_auth || !wpa_auth->group)
6501 return NULL;
6502
6503 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
6504 vlan_id);
6505 group = wpa_group_init(wpa_auth, vlan_id, 0);
6506 if (!group)
6507 return NULL;
6508
6509 group->next = wpa_auth->group->next;
6510 wpa_auth->group->next = group;
6511
6512 return group;
6513 }
6514
6515
6516 /*
6517 * Enforce that the group state machine for the VLAN is running, increase
6518 * reference counter as interface is up. References might have been increased
6519 * even if a negative value is returned.
6520 * Returns: -1 on error (group missing, group already failed); otherwise, 0
6521 */
6522 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
6523 {
6524 struct wpa_group *group;
6525
6526 if (!wpa_auth)
6527 return 0;
6528
6529 group = wpa_auth->group;
6530 while (group) {
6531 if (group->vlan_id == vlan_id)
6532 break;
6533 group = group->next;
6534 }
6535
6536 if (!group) {
6537 group = wpa_auth_add_group(wpa_auth, vlan_id);
6538 if (!group)
6539 return -1;
6540 }
6541
6542 wpa_printf(MSG_DEBUG,
6543 "WPA: Ensure group state machine running for VLAN ID %d",
6544 vlan_id);
6545
6546 wpa_group_get(wpa_auth, group);
6547 group->num_setup_iface++;
6548
6549 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
6550 return -1;
6551
6552 return 0;
6553 }
6554
6555
6556 /*
6557 * Decrease reference counter, expected to be zero afterwards.
6558 * returns: -1 on error (group not found, group in fail state)
6559 * -2 if wpa_group is still referenced
6560 * 0 else
6561 */
6562 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
6563 {
6564 struct wpa_group *group;
6565 int ret = 0;
6566
6567 if (!wpa_auth)
6568 return 0;
6569
6570 group = wpa_auth->group;
6571 while (group) {
6572 if (group->vlan_id == vlan_id)
6573 break;
6574 group = group->next;
6575 }
6576
6577 if (!group)
6578 return -1;
6579
6580 wpa_printf(MSG_DEBUG,
6581 "WPA: Try stopping group state machine for VLAN ID %d",
6582 vlan_id);
6583
6584 if (group->num_setup_iface <= 0) {
6585 wpa_printf(MSG_ERROR,
6586 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
6587 vlan_id);
6588 return -1;
6589 }
6590 group->num_setup_iface--;
6591
6592 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
6593 ret = -1;
6594
6595 if (group->references > 1) {
6596 wpa_printf(MSG_DEBUG,
6597 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
6598 vlan_id);
6599 ret = -2;
6600 }
6601
6602 wpa_group_put(wpa_auth, group);
6603
6604 return ret;
6605 }
6606
6607
6608 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
6609 {
6610 struct wpa_group *group;
6611
6612 if (!sm || !sm->wpa_auth)
6613 return 0;
6614
6615 group = sm->wpa_auth->group;
6616 while (group) {
6617 if (group->vlan_id == vlan_id)
6618 break;
6619 group = group->next;
6620 }
6621
6622 if (!group) {
6623 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
6624 if (!group)
6625 return -1;
6626 }
6627
6628 if (sm->group == group)
6629 return 0;
6630
6631 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
6632 return -1;
6633
6634 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR
6635 " to use group state machine for VLAN ID %d",
6636 MAC2STR(wpa_auth_get_spa(sm)), vlan_id);
6637
6638 wpa_group_get(sm->wpa_auth, group);
6639 wpa_group_put(sm->wpa_auth, sm->group);
6640 sm->group = group;
6641
6642 return 0;
6643 }
6644
6645
6646 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
6647 struct wpa_state_machine *sm, int ack)
6648 {
6649 if (!wpa_auth || !sm)
6650 return;
6651 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
6652 " ack=%d", MAC2STR(wpa_auth_get_spa(sm)), ack);
6653 if (sm->pending_1_of_4_timeout && ack) {
6654 /*
6655 * Some deployed supplicant implementations update their SNonce
6656 * for each EAPOL-Key 2/4 message even within the same 4-way
6657 * handshake and then fail to use the first SNonce when
6658 * deriving the PTK. This results in unsuccessful 4-way
6659 * handshake whenever the relatively short initial timeout is
6660 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
6661 * around this by increasing the timeout now that we know that
6662 * the station has received the frame.
6663 */
6664 int timeout_ms = eapol_key_timeout_subseq;
6665 wpa_printf(MSG_DEBUG,
6666 "WPA: Increase initial EAPOL-Key 1/4 timeout by %u ms because of acknowledged frame",
6667 timeout_ms);
6668 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
6669 eloop_register_timeout(timeout_ms / 1000,
6670 (timeout_ms % 1000) * 1000,
6671 wpa_send_eapol_timeout, wpa_auth, sm);
6672 }
6673
6674 #ifdef CONFIG_TESTING_OPTIONS
6675 if (sm->eapol_status_cb) {
6676 sm->eapol_status_cb(sm->eapol_status_cb_ctx1,
6677 sm->eapol_status_cb_ctx2);
6678 sm->eapol_status_cb = NULL;
6679 }
6680 #endif /* CONFIG_TESTING_OPTIONS */
6681 }
6682
6683
6684 int wpa_auth_uses_sae(struct wpa_state_machine *sm)
6685 {
6686 if (!sm)
6687 return 0;
6688 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
6689 }
6690
6691
6692 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
6693 {
6694 if (!sm)
6695 return 0;
6696 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE ||
6697 sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY;
6698 }
6699
6700
6701 #ifdef CONFIG_P2P
6702 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
6703 {
6704 if (!sm || WPA_GET_BE32(sm->ip_addr) == 0)
6705 return -1;
6706 os_memcpy(addr, sm->ip_addr, 4);
6707 return 0;
6708 }
6709 #endif /* CONFIG_P2P */
6710
6711
6712 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
6713 struct radius_das_attrs *attr)
6714 {
6715 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
6716 }
6717
6718
6719 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
6720 {
6721 struct wpa_group *group;
6722
6723 if (!wpa_auth)
6724 return;
6725 for (group = wpa_auth->group; group; group = group->next)
6726 wpa_group_config_group_keys(wpa_auth, group);
6727 }
6728
6729
6730 #ifdef CONFIG_FILS
6731
6732 struct wpa_auth_fils_iter_data {
6733 struct wpa_authenticator *auth;
6734 const u8 *cache_id;
6735 struct rsn_pmksa_cache_entry *pmksa;
6736 const u8 *spa;
6737 const u8 *pmkid;
6738 };
6739
6740
6741 static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
6742 {
6743 struct wpa_auth_fils_iter_data *data = ctx;
6744
6745 if (a == data->auth || !a->conf.fils_cache_id_set ||
6746 os_memcmp(a->conf.fils_cache_id, data->cache_id,
6747 FILS_CACHE_ID_LEN) != 0)
6748 return 0;
6749 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
6750 return data->pmksa != NULL;
6751 }
6752
6753
6754 struct rsn_pmksa_cache_entry *
6755 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
6756 const u8 *sta_addr, const u8 *pmkid)
6757 {
6758 struct wpa_auth_fils_iter_data idata;
6759
6760 if (!wpa_auth->conf.fils_cache_id_set)
6761 return NULL;
6762 idata.auth = wpa_auth;
6763 idata.cache_id = wpa_auth->conf.fils_cache_id;
6764 idata.pmksa = NULL;
6765 idata.spa = sta_addr;
6766 idata.pmkid = pmkid;
6767 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
6768 return idata.pmksa;
6769 }
6770
6771
6772 #ifdef CONFIG_IEEE80211R_AP
6773 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth,
6774 struct wpa_state_machine *sm,
6775 u8 *buf, size_t len)
6776 {
6777 struct wpa_auth_config *conf = &wpa_auth->conf;
6778
6779 return wpa_write_ftie(conf, sm->wpa_key_mgmt, sm->xxkey_len,
6780 conf->r0_key_holder, conf->r0_key_holder_len,
6781 NULL, NULL, buf, len, NULL, 0, 0);
6782 }
6783 #endif /* CONFIG_IEEE80211R_AP */
6784
6785
6786 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
6787 u8 *fils_anonce, u8 *fils_snonce,
6788 u8 *fils_kek, size_t *fils_kek_len)
6789 {
6790 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
6791 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
6792 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
6793 *fils_kek_len = sm->PTK.kek_len;
6794 }
6795
6796
6797 void wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine *sm, const u8 *pmk,
6798 size_t pmk_len, const u8 *pmkid)
6799 {
6800 os_memcpy(sm->PMK, pmk, pmk_len);
6801 sm->pmk_len = pmk_len;
6802 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
6803 sm->pmkid_set = 1;
6804 }
6805
6806 #endif /* CONFIG_FILS */
6807
6808
6809 void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg)
6810 {
6811 if (sm)
6812 sm->auth_alg = auth_alg;
6813 }
6814
6815
6816 #ifdef CONFIG_DPP2
6817 void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z)
6818 {
6819 if (sm) {
6820 wpabuf_clear_free(sm->dpp_z);
6821 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
6822 }
6823 }
6824 #endif /* CONFIG_DPP2 */
6825
6826
6827 void wpa_auth_set_ssid_protection(struct wpa_state_machine *sm, bool val)
6828 {
6829 if (sm)
6830 sm->ssid_protection = val;
6831 }
6832
6833
6834 void wpa_auth_set_transition_disable(struct wpa_authenticator *wpa_auth,
6835 u8 val)
6836 {
6837 if (wpa_auth)
6838 wpa_auth->conf.transition_disable = val;
6839 }
6840
6841
6842 #ifdef CONFIG_TESTING_OPTIONS
6843
6844 int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce,
6845 void (*cb)(void *ctx1, void *ctx2),
6846 void *ctx1, void *ctx2)
6847 {
6848 const u8 *anonce = sm->ANonce;
6849 u8 anonce_buf[WPA_NONCE_LEN];
6850
6851 if (change_anonce) {
6852 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN))
6853 return -1;
6854 anonce = anonce_buf;
6855 }
6856
6857 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
6858 "sending 1/4 msg of 4-Way Handshake (TESTING)");
6859 wpa_send_eapol(sm->wpa_auth, sm,
6860 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
6861 anonce, NULL, 0, 0, 0);
6862 return 0;
6863 }
6864
6865
6866 int wpa_auth_resend_m3(struct wpa_state_machine *sm,
6867 void (*cb)(void *ctx1, void *ctx2),
6868 void *ctx1, void *ctx2)
6869 {
6870 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos;
6871 u8 *opos;
6872 size_t gtk_len, kde_len;
6873 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
6874 struct wpa_group *gsm = sm->group;
6875 u8 *wpa_ie;
6876 int wpa_ie_len, secure, gtkidx, encr = 0;
6877 u8 hdr[2];
6878
6879 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
6880 GTK[GN], IGTK, [BIGTK], [FTIE], [TIE * 2])
6881 */
6882
6883 /* Use 0 RSC */
6884 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
6885 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
6886 wpa_ie = sm->wpa_auth->wpa_ie;
6887 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
6888 if (sm->wpa == WPA_VERSION_WPA &&
6889 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
6890 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
6891 /* WPA-only STA, remove RSN IE and possible MDIE */
6892 wpa_ie = wpa_ie + wpa_ie[1] + 2;
6893 if (wpa_ie[0] == WLAN_EID_RSNX)
6894 wpa_ie = wpa_ie + wpa_ie[1] + 2;
6895 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
6896 wpa_ie = wpa_ie + wpa_ie[1] + 2;
6897 wpa_ie_len = wpa_ie[1] + 2;
6898 }
6899 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
6900 "sending 3/4 msg of 4-Way Handshake (TESTING)");
6901 if (sm->wpa == WPA_VERSION_WPA2) {
6902 /* WPA2 send GTK in the 4-way handshake */
6903 secure = 1;
6904 gtk = gsm->GTK[gsm->GN - 1];
6905 gtk_len = gsm->GTK_len;
6906 gtkidx = gsm->GN;
6907 _rsc = rsc;
6908 encr = 1;
6909 } else {
6910 /* WPA does not include GTK in msg 3/4 */
6911 secure = 0;
6912 gtk = NULL;
6913 gtk_len = 0;
6914 _rsc = NULL;
6915 if (sm->rx_eapol_key_secure) {
6916 /*
6917 * It looks like Windows 7 supplicant tries to use
6918 * Secure bit in msg 2/4 after having reported Michael
6919 * MIC failure and it then rejects the 4-way handshake
6920 * if msg 3/4 does not set Secure bit. Work around this
6921 * by setting the Secure bit here even in the case of
6922 * WPA if the supplicant used it first.
6923 */
6924 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
6925 LOGGER_DEBUG,
6926 "STA used Secure bit in WPA msg 2/4 - set Secure for 3/4 as workaround");
6927 secure = 1;
6928 }
6929 }
6930
6931 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
6932
6933 if (sm->use_ext_key_id)
6934 kde_len += 2 + RSN_SELECTOR_LEN + 2;
6935
6936 if (gtk)
6937 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
6938 #ifdef CONFIG_IEEE80211R_AP
6939 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
6940 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
6941 kde_len += 300; /* FTIE + 2 * TIE */
6942 }
6943 #endif /* CONFIG_IEEE80211R_AP */
6944 kde = os_malloc(kde_len);
6945 if (!kde)
6946 return -1;
6947
6948 pos = kde;
6949 os_memcpy(pos, wpa_ie, wpa_ie_len);
6950 pos += wpa_ie_len;
6951 #ifdef CONFIG_IEEE80211R_AP
6952 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
6953 int res;
6954 size_t elen;
6955
6956 elen = pos - kde;
6957 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name, true);
6958 if (res < 0) {
6959 wpa_printf(MSG_ERROR,
6960 "FT: Failed to insert PMKR1Name into RSN IE in EAPOL-Key data");
6961 os_free(kde);
6962 return -1;
6963 }
6964 pos -= wpa_ie_len;
6965 pos += elen;
6966 }
6967 #endif /* CONFIG_IEEE80211R_AP */
6968 hdr[1] = 0;
6969
6970 if (sm->use_ext_key_id) {
6971 hdr[0] = sm->keyidx_active & 0x01;
6972 pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0);
6973 }
6974
6975 if (gtk) {
6976 hdr[0] = gtkidx & 0x03;
6977 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
6978 gtk, gtk_len);
6979 }
6980 opos = pos;
6981 pos = ieee80211w_kde_add(sm, pos);
6982 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
6983 /* skip KDE header and keyid */
6984 opos += 2 + RSN_SELECTOR_LEN + 2;
6985 os_memset(opos, 0, 6); /* clear PN */
6986 }
6987 if (ocv_oci_add(sm, &pos, conf->oci_freq_override_eapol_m3) < 0) {
6988 os_free(kde);
6989 return -1;
6990 }
6991
6992 #ifdef CONFIG_IEEE80211R_AP
6993 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
6994 int res;
6995
6996 if (sm->assoc_resp_ftie &&
6997 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
6998 os_memcpy(pos, sm->assoc_resp_ftie,
6999 2 + sm->assoc_resp_ftie[1]);
7000 res = 2 + sm->assoc_resp_ftie[1];
7001 } else {
7002 res = wpa_write_ftie(conf, sm->wpa_key_mgmt,
7003 sm->xxkey_len,
7004 conf->r0_key_holder,
7005 conf->r0_key_holder_len,
7006 NULL, NULL, pos,
7007 kde + kde_len - pos,
7008 NULL, 0, 0);
7009 }
7010 if (res < 0) {
7011 wpa_printf(MSG_ERROR,
7012 "FT: Failed to insert FTIE into EAPOL-Key Key Data");
7013 os_free(kde);
7014 return -1;
7015 }
7016 pos += res;
7017
7018 /* TIE[ReassociationDeadline] (TU) */
7019 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
7020 *pos++ = 5;
7021 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
7022 WPA_PUT_LE32(pos, conf->reassociation_deadline);
7023 pos += 4;
7024
7025 /* TIE[KeyLifetime] (seconds) */
7026 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
7027 *pos++ = 5;
7028 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
7029 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
7030 pos += 4;
7031 }
7032 #endif /* CONFIG_IEEE80211R_AP */
7033
7034 wpa_send_eapol(sm->wpa_auth, sm,
7035 (secure ? WPA_KEY_INFO_SECURE : 0) |
7036 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
7037 WPA_KEY_INFO_MIC : 0) |
7038 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
7039 WPA_KEY_INFO_KEY_TYPE,
7040 _rsc, sm->ANonce, kde, pos - kde, 0, encr);
7041 bin_clear_free(kde, kde_len);
7042 return 0;
7043 }
7044
7045
7046 int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
7047 void (*cb)(void *ctx1, void *ctx2),
7048 void *ctx1, void *ctx2)
7049 {
7050 u8 rsc[WPA_KEY_RSC_LEN];
7051 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
7052 struct wpa_group *gsm = sm->group;
7053 const u8 *kde;
7054 u8 *kde_buf = NULL, *pos, hdr[2];
7055 u8 *opos;
7056 size_t kde_len;
7057 u8 *gtk;
7058
7059 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
7060 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
7061 /* Use 0 RSC */
7062 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
7063 "sending 1/2 msg of Group Key Handshake (TESTING)");
7064
7065 gtk = gsm->GTK[gsm->GN - 1];
7066 if (sm->wpa == WPA_VERSION_WPA2) {
7067 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
7068 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
7069 kde_buf = os_malloc(kde_len);
7070 if (!kde_buf)
7071 return -1;
7072
7073 kde = pos = kde_buf;
7074 hdr[0] = gsm->GN & 0x03;
7075 hdr[1] = 0;
7076 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
7077 gtk, gsm->GTK_len);
7078 opos = pos;
7079 pos = ieee80211w_kde_add(sm, pos);
7080 if (pos - opos >=
7081 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
7082 /* skip KDE header and keyid */
7083 opos += 2 + RSN_SELECTOR_LEN + 2;
7084 os_memset(opos, 0, 6); /* clear PN */
7085 }
7086 if (ocv_oci_add(sm, &pos,
7087 conf->oci_freq_override_eapol_g1) < 0) {
7088 os_free(kde_buf);
7089 return -1;
7090 }
7091 kde_len = pos - kde;
7092 } else {
7093 kde = gtk;
7094 kde_len = gsm->GTK_len;
7095 }
7096
7097 sm->eapol_status_cb = cb;
7098 sm->eapol_status_cb_ctx1 = ctx1;
7099 sm->eapol_status_cb_ctx2 = ctx2;
7100
7101 wpa_send_eapol(sm->wpa_auth, sm,
7102 WPA_KEY_INFO_SECURE |
7103 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
7104 WPA_KEY_INFO_MIC : 0) |
7105 WPA_KEY_INFO_ACK |
7106 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
7107 rsc, NULL, kde, kde_len, gsm->GN, 1);
7108
7109 bin_clear_free(kde_buf, kde_len);
7110 return 0;
7111 }
7112
7113
7114 int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth)
7115 {
7116 if (!wpa_auth)
7117 return -1;
7118 eloop_cancel_timeout(wpa_rekey_gtk,
7119 wpa_get_primary_auth(wpa_auth), NULL);
7120 return eloop_register_timeout(0, 0, wpa_rekey_gtk,
7121 wpa_get_primary_auth(wpa_auth), NULL);
7122 }
7123
7124
7125 int wpa_auth_rekey_ptk(struct wpa_authenticator *wpa_auth,
7126 struct wpa_state_machine *sm)
7127 {
7128 if (!wpa_auth || !sm)
7129 return -1;
7130 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
7131 wpa_request_new_ptk(sm);
7132 wpa_sm_step(sm);
7133 return 0;
7134 }
7135
7136
7137 void wpa_auth_set_ft_rsnxe_used(struct wpa_authenticator *wpa_auth, int val)
7138 {
7139 if (wpa_auth)
7140 wpa_auth->conf.ft_rsnxe_used = val;
7141 }
7142
7143
7144 void wpa_auth_set_ocv_override_freq(struct wpa_authenticator *wpa_auth,
7145 enum wpa_auth_ocv_override_frame frame,
7146 unsigned int freq)
7147 {
7148 if (!wpa_auth)
7149 return;
7150 switch (frame) {
7151 case WPA_AUTH_OCV_OVERRIDE_EAPOL_M3:
7152 wpa_auth->conf.oci_freq_override_eapol_m3 = freq;
7153 break;
7154 case WPA_AUTH_OCV_OVERRIDE_EAPOL_G1:
7155 wpa_auth->conf.oci_freq_override_eapol_g1 = freq;
7156 break;
7157 case WPA_AUTH_OCV_OVERRIDE_FT_ASSOC:
7158 wpa_auth->conf.oci_freq_override_ft_assoc = freq;
7159 break;
7160 case WPA_AUTH_OCV_OVERRIDE_FILS_ASSOC:
7161 wpa_auth->conf.oci_freq_override_fils_assoc = freq;
7162 break;
7163 }
7164 }
7165
7166 #endif /* CONFIG_TESTING_OPTIONS */
7167
7168
7169 void wpa_auth_sta_radius_psk_resp(struct wpa_state_machine *sm, bool success)
7170 {
7171 if (!sm->waiting_radius_psk) {
7172 wpa_printf(MSG_DEBUG,
7173 "Ignore RADIUS PSK response for " MACSTR
7174 " that did not wait one",
7175 MAC2STR(sm->addr));
7176 return;
7177 }
7178
7179 wpa_printf(MSG_DEBUG, "RADIUS PSK response for " MACSTR " (%s)",
7180 MAC2STR(sm->addr), success ? "success" : "fail");
7181 sm->waiting_radius_psk = 0;
7182
7183 if (success) {
7184 /* Try to process the EAPOL-Key msg 2/4 again */
7185 sm->EAPOLKeyReceived = true;
7186 } else {
7187 sm->Disconnect = true;
7188 }
7189
7190 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
7191 }
7192
7193
7194 void wpa_auth_set_ml_info(struct wpa_state_machine *sm,
7195 u8 mld_assoc_link_id, struct mld_info *info)
7196 {
7197 #ifdef CONFIG_IEEE80211BE
7198 unsigned int link_id;
7199
7200 if (!info)
7201 return;
7202
7203 os_memset(sm->mld_links, 0, sizeof(sm->mld_links));
7204 sm->n_mld_affiliated_links = 0;
7205
7206 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
7207 "MLD: Initialization");
7208
7209 os_memcpy(sm->peer_mld_addr, info->common_info.mld_addr, ETH_ALEN);
7210
7211 sm->mld_assoc_link_id = mld_assoc_link_id;
7212
7213 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
7214 struct mld_link_info *link = &info->links[link_id];
7215 struct mld_link *sm_link = &sm->mld_links[link_id];
7216 struct wpa_get_link_auth_ctx ctx;
7217
7218 sm_link->valid = link->valid;
7219 if (!link->valid)
7220 continue;
7221
7222 os_memcpy(sm_link->peer_addr, link->peer_addr, ETH_ALEN);
7223
7224 wpa_printf(MSG_DEBUG,
7225 "WPA_AUTH: MLD: id=%u, peer=" MACSTR,
7226 link_id,
7227 MAC2STR(sm_link->peer_addr));
7228
7229 if (link_id != mld_assoc_link_id) {
7230 sm->n_mld_affiliated_links++;
7231 ctx.addr = link->local_addr;
7232 ctx.mld_addr = NULL;
7233 ctx.link_id = -1;
7234 ctx.wpa_auth = NULL;
7235 wpa_auth_for_each_auth(sm->wpa_auth,
7236 wpa_get_link_sta_auth, &ctx);
7237 if (ctx.wpa_auth) {
7238 sm_link->wpa_auth = ctx.wpa_auth;
7239 wpa_group_get(sm_link->wpa_auth,
7240 sm_link->wpa_auth->group);
7241 }
7242 } else {
7243 sm_link->wpa_auth = sm->wpa_auth;
7244 }
7245
7246 if (!sm_link->wpa_auth)
7247 wpa_printf(MSG_ERROR,
7248 "Unable to find authenticator object for ML STA "
7249 MACSTR " on link id %d",
7250 MAC2STR(sm->wpa_auth->mld_addr),
7251 link_id);
7252 }
7253 #endif /* CONFIG_IEEE80211BE */
7254 }
7255