1 /* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/state_machine.h" 14 #include "utils/bitfield.h" 15 #include "common/ieee802_11_defs.h" 16 #include "common/ocv.h" 17 #include "common/dpp.h" 18 #include "common/wpa_ctrl.h" 19 #include "crypto/aes.h" 20 #include "crypto/aes_wrap.h" 21 #include "crypto/aes_siv.h" 22 #include "crypto/crypto.h" 23 #include "crypto/sha1.h" 24 #include "crypto/sha256.h" 25 #include "crypto/sha384.h" 26 #include "crypto/random.h" 27 #include "eapol_auth/eapol_auth_sm.h" 28 #include "drivers/driver.h" 29 #include "ap_config.h" 30 #include "ieee802_11.h" 31 #include "wpa_auth.h" 32 #include "pmksa_cache_auth.h" 33 #include "wpa_auth_i.h" 34 #include "wpa_auth_ie.h" 35 36 #define STATE_MACHINE_DATA struct wpa_state_machine 37 #define STATE_MACHINE_DEBUG_PREFIX "WPA" 38 #define STATE_MACHINE_ADDR sm->addr 39 40 41 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 42 static int wpa_sm_step(struct wpa_state_machine *sm); 43 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK, 44 u8 *data, size_t data_len); 45 #ifdef CONFIG_FILS 46 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 47 u8 *buf, size_t buf_len, u16 *_key_data_len); 48 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, 49 const struct wpabuf *hlp); 50 #endif /* CONFIG_FILS */ 51 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 52 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 53 struct wpa_group *group); 54 static void wpa_request_new_ptk(struct wpa_state_machine *sm); 55 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 56 struct wpa_group *group); 57 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 58 struct wpa_group *group); 59 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 60 const u8 *pmk, unsigned int pmk_len, 61 struct wpa_ptk *ptk, int force_sha256); 62 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 63 struct wpa_group *group); 64 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 65 struct wpa_group *group); 66 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 67 struct wpa_group *group); 68 static int ieee80211w_kde_len(struct wpa_state_machine *sm); 69 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); 70 71 static const u32 eapol_key_timeout_first = 100; /* ms */ 72 static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 73 static const u32 eapol_key_timeout_first_group = 500; /* ms */ 74 static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */ 75 76 /* TODO: make these configurable */ 77 static const int dot11RSNAConfigPMKLifetime = 43200; 78 static const int dot11RSNAConfigPMKReauthThreshold = 70; 79 static const int dot11RSNAConfigSATimeout = 60; 80 81 82 static inline int wpa_auth_mic_failure_report( 83 struct wpa_authenticator *wpa_auth, const u8 *addr) 84 { 85 if (wpa_auth->cb->mic_failure_report) 86 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr); 87 return 0; 88 } 89 90 91 static inline void wpa_auth_psk_failure_report( 92 struct wpa_authenticator *wpa_auth, const u8 *addr) 93 { 94 if (wpa_auth->cb->psk_failure_report) 95 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr); 96 } 97 98 99 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 100 const u8 *addr, wpa_eapol_variable var, 101 int value) 102 { 103 if (wpa_auth->cb->set_eapol) 104 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value); 105 } 106 107 108 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 109 const u8 *addr, wpa_eapol_variable var) 110 { 111 if (!wpa_auth->cb->get_eapol) 112 return -1; 113 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var); 114 } 115 116 117 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 118 const u8 *addr, 119 const u8 *p2p_dev_addr, 120 const u8 *prev_psk, size_t *psk_len, 121 int *vlan_id) 122 { 123 if (!wpa_auth->cb->get_psk) 124 return NULL; 125 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr, 126 prev_psk, psk_len, vlan_id); 127 } 128 129 130 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 131 const u8 *addr, u8 *msk, size_t *len) 132 { 133 if (!wpa_auth->cb->get_msk) 134 return -1; 135 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len); 136 } 137 138 139 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 140 int vlan_id, 141 enum wpa_alg alg, const u8 *addr, int idx, 142 u8 *key, size_t key_len, 143 enum key_flag key_flag) 144 { 145 if (!wpa_auth->cb->set_key) 146 return -1; 147 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx, 148 key, key_len, key_flag); 149 } 150 151 152 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 153 const u8 *addr, int idx, u8 *seq) 154 { 155 int res; 156 157 if (!wpa_auth->cb->get_seqnum) 158 return -1; 159 res = wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq); 160 #ifdef CONFIG_TESTING_OPTIONS 161 if (!addr && idx < 4 && wpa_auth->conf.gtk_rsc_override_set) { 162 wpa_printf(MSG_DEBUG, 163 "TESTING: Override GTK RSC %016llx --> %016llx", 164 (long long unsigned) WPA_GET_LE64(seq), 165 (long long unsigned) 166 WPA_GET_LE64(wpa_auth->conf.gtk_rsc_override)); 167 os_memcpy(seq, wpa_auth->conf.gtk_rsc_override, 168 WPA_KEY_RSC_LEN); 169 } 170 if (!addr && idx >= 4 && idx <= 5 && 171 wpa_auth->conf.igtk_rsc_override_set) { 172 wpa_printf(MSG_DEBUG, 173 "TESTING: Override IGTK RSC %016llx --> %016llx", 174 (long long unsigned) WPA_GET_LE64(seq), 175 (long long unsigned) 176 WPA_GET_LE64(wpa_auth->conf.igtk_rsc_override)); 177 os_memcpy(seq, wpa_auth->conf.igtk_rsc_override, 178 WPA_KEY_RSC_LEN); 179 } 180 #endif /* CONFIG_TESTING_OPTIONS */ 181 return res; 182 } 183 184 185 static inline int 186 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 187 const u8 *data, size_t data_len, int encrypt) 188 { 189 if (!wpa_auth->cb->send_eapol) 190 return -1; 191 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len, 192 encrypt); 193 } 194 195 196 #ifdef CONFIG_MESH 197 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth, 198 const u8 *addr) 199 { 200 if (!wpa_auth->cb->start_ampe) 201 return -1; 202 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr); 203 } 204 #endif /* CONFIG_MESH */ 205 206 207 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 208 int (*cb)(struct wpa_state_machine *sm, void *ctx), 209 void *cb_ctx) 210 { 211 if (!wpa_auth->cb->for_each_sta) 212 return 0; 213 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx); 214 } 215 216 217 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 218 int (*cb)(struct wpa_authenticator *a, void *ctx), 219 void *cb_ctx) 220 { 221 if (!wpa_auth->cb->for_each_auth) 222 return 0; 223 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx); 224 } 225 226 227 void wpa_auth_store_ptksa(struct wpa_authenticator *wpa_auth, 228 const u8 *addr, int cipher, 229 u32 life_time, const struct wpa_ptk *ptk) 230 { 231 if (wpa_auth->cb->store_ptksa) 232 wpa_auth->cb->store_ptksa(wpa_auth->cb_ctx, addr, cipher, 233 life_time, ptk); 234 } 235 236 237 void wpa_auth_remove_ptksa(struct wpa_authenticator *wpa_auth, 238 const u8 *addr, int cipher) 239 { 240 if (wpa_auth->cb->clear_ptksa) 241 wpa_auth->cb->clear_ptksa(wpa_auth->cb_ctx, addr, cipher); 242 } 243 244 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 245 logger_level level, const char *txt) 246 { 247 if (!wpa_auth->cb->logger) 248 return; 249 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt); 250 } 251 252 253 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 254 logger_level level, const char *fmt, ...) 255 { 256 char *format; 257 int maxlen; 258 va_list ap; 259 260 if (!wpa_auth->cb->logger) 261 return; 262 263 maxlen = os_strlen(fmt) + 100; 264 format = os_malloc(maxlen); 265 if (!format) 266 return; 267 268 va_start(ap, fmt); 269 vsnprintf(format, maxlen, fmt, ap); 270 va_end(ap); 271 272 wpa_auth_logger(wpa_auth, addr, level, format); 273 274 os_free(format); 275 } 276 277 278 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 279 const u8 *addr, u16 reason) 280 { 281 if (!wpa_auth->cb->disconnect) 282 return; 283 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)", 284 MAC2STR(addr), reason); 285 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason); 286 } 287 288 289 #ifdef CONFIG_OCV 290 static int wpa_channel_info(struct wpa_authenticator *wpa_auth, 291 struct wpa_channel_info *ci) 292 { 293 if (!wpa_auth->cb->channel_info) 294 return -1; 295 return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci); 296 } 297 #endif /* CONFIG_OCV */ 298 299 300 static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth, 301 const u8 *addr, int vlan_id) 302 { 303 if (!wpa_auth->cb->update_vlan) 304 return -1; 305 return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id); 306 } 307 308 309 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 310 { 311 struct wpa_authenticator *wpa_auth = eloop_ctx; 312 313 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 314 wpa_printf(MSG_ERROR, 315 "Failed to get random data for WPA initialization."); 316 } else { 317 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 318 wpa_hexdump_key(MSG_DEBUG, "GMK", 319 wpa_auth->group->GMK, WPA_GMK_LEN); 320 } 321 322 if (wpa_auth->conf.wpa_gmk_rekey) { 323 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 324 wpa_rekey_gmk, wpa_auth, NULL); 325 } 326 } 327 328 329 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 330 { 331 struct wpa_authenticator *wpa_auth = eloop_ctx; 332 struct wpa_group *group, *next; 333 334 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 335 group = wpa_auth->group; 336 while (group) { 337 wpa_group_get(wpa_auth, group); 338 339 group->GTKReKey = true; 340 do { 341 group->changed = false; 342 wpa_group_sm_step(wpa_auth, group); 343 } while (group->changed); 344 345 next = group->next; 346 wpa_group_put(wpa_auth, group); 347 group = next; 348 } 349 350 if (wpa_auth->conf.wpa_group_rekey) { 351 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 352 0, wpa_rekey_gtk, wpa_auth, NULL); 353 } 354 } 355 356 357 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 358 { 359 struct wpa_authenticator *wpa_auth = eloop_ctx; 360 struct wpa_state_machine *sm = timeout_ctx; 361 362 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 363 wpa_request_new_ptk(sm); 364 wpa_sm_step(sm); 365 } 366 367 368 void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine *sm) 369 { 370 if (sm && sm->wpa_auth->conf.wpa_ptk_rekey) { 371 wpa_printf(MSG_DEBUG, "WPA: Start PTK rekeying timer for " 372 MACSTR " (%d seconds)", MAC2STR(sm->addr), 373 sm->wpa_auth->conf.wpa_ptk_rekey); 374 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 375 eloop_register_timeout(sm->wpa_auth->conf.wpa_ptk_rekey, 0, 376 wpa_rekey_ptk, sm->wpa_auth, sm); 377 } 378 } 379 380 381 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 382 { 383 if (sm->pmksa == ctx) 384 sm->pmksa = NULL; 385 return 0; 386 } 387 388 389 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 390 void *ctx) 391 { 392 struct wpa_authenticator *wpa_auth = ctx; 393 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 394 } 395 396 397 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 398 struct wpa_group *group) 399 { 400 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 401 u8 rkey[32]; 402 unsigned long ptr; 403 404 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 405 return -1; 406 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 407 408 /* 409 * Counter = PRF-256(Random number, "Init Counter", 410 * Local MAC Address || Time) 411 */ 412 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 413 wpa_get_ntp_timestamp(buf + ETH_ALEN); 414 ptr = (unsigned long) group; 415 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 416 #ifdef TEST_FUZZ 417 os_memset(buf + ETH_ALEN, 0xab, 8); 418 os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr)); 419 #endif /* TEST_FUZZ */ 420 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 421 return -1; 422 423 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 424 group->Counter, WPA_NONCE_LEN) < 0) 425 return -1; 426 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 427 group->Counter, WPA_NONCE_LEN); 428 429 return 0; 430 } 431 432 433 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 434 int vlan_id, int delay_init) 435 { 436 struct wpa_group *group; 437 438 group = os_zalloc(sizeof(struct wpa_group)); 439 if (!group) 440 return NULL; 441 442 group->GTKAuthenticator = true; 443 group->vlan_id = vlan_id; 444 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 445 446 if (random_pool_ready() != 1) { 447 wpa_printf(MSG_INFO, 448 "WPA: Not enough entropy in random pool for secure operations - update keys later when the first station connects"); 449 } 450 451 /* 452 * Set initial GMK/Counter value here. The actual values that will be 453 * used in negotiations will be set once the first station tries to 454 * connect. This allows more time for collecting additional randomness 455 * on embedded devices. 456 */ 457 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 458 wpa_printf(MSG_ERROR, 459 "Failed to get random data for WPA initialization."); 460 os_free(group); 461 return NULL; 462 } 463 464 group->GInit = true; 465 if (delay_init) { 466 wpa_printf(MSG_DEBUG, 467 "WPA: Delay group state machine start until Beacon frames have been configured"); 468 /* Initialization is completed in wpa_init_keys(). */ 469 } else { 470 wpa_group_sm_step(wpa_auth, group); 471 group->GInit = false; 472 wpa_group_sm_step(wpa_auth, group); 473 } 474 475 return group; 476 } 477 478 479 /** 480 * wpa_init - Initialize WPA authenticator 481 * @addr: Authenticator address 482 * @conf: Configuration for WPA authenticator 483 * @cb: Callback functions for WPA authenticator 484 * Returns: Pointer to WPA authenticator data or %NULL on failure 485 */ 486 struct wpa_authenticator * wpa_init(const u8 *addr, 487 struct wpa_auth_config *conf, 488 const struct wpa_auth_callbacks *cb, 489 void *cb_ctx) 490 { 491 struct wpa_authenticator *wpa_auth; 492 493 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 494 if (!wpa_auth) 495 return NULL; 496 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 497 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 498 wpa_auth->cb = cb; 499 wpa_auth->cb_ctx = cb_ctx; 500 501 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 502 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 503 os_free(wpa_auth); 504 return NULL; 505 } 506 507 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 508 if (!wpa_auth->group) { 509 os_free(wpa_auth->wpa_ie); 510 os_free(wpa_auth); 511 return NULL; 512 } 513 514 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 515 wpa_auth); 516 if (!wpa_auth->pmksa) { 517 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 518 os_free(wpa_auth->group); 519 os_free(wpa_auth->wpa_ie); 520 os_free(wpa_auth); 521 return NULL; 522 } 523 524 #ifdef CONFIG_IEEE80211R_AP 525 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 526 if (!wpa_auth->ft_pmk_cache) { 527 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 528 os_free(wpa_auth->group); 529 os_free(wpa_auth->wpa_ie); 530 pmksa_cache_auth_deinit(wpa_auth->pmksa); 531 os_free(wpa_auth); 532 return NULL; 533 } 534 #endif /* CONFIG_IEEE80211R_AP */ 535 536 if (wpa_auth->conf.wpa_gmk_rekey) { 537 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 538 wpa_rekey_gmk, wpa_auth, NULL); 539 } 540 541 if (wpa_auth->conf.wpa_group_rekey) { 542 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 543 wpa_rekey_gtk, wpa_auth, NULL); 544 } 545 546 #ifdef CONFIG_P2P 547 if (WPA_GET_BE32(conf->ip_addr_start)) { 548 int count = WPA_GET_BE32(conf->ip_addr_end) - 549 WPA_GET_BE32(conf->ip_addr_start) + 1; 550 if (count > 1000) 551 count = 1000; 552 if (count > 0) 553 wpa_auth->ip_pool = bitfield_alloc(count); 554 } 555 #endif /* CONFIG_P2P */ 556 557 return wpa_auth; 558 } 559 560 561 int wpa_init_keys(struct wpa_authenticator *wpa_auth) 562 { 563 struct wpa_group *group = wpa_auth->group; 564 565 wpa_printf(MSG_DEBUG, 566 "WPA: Start group state machine to set initial keys"); 567 wpa_group_sm_step(wpa_auth, group); 568 group->GInit = false; 569 wpa_group_sm_step(wpa_auth, group); 570 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 571 return -1; 572 return 0; 573 } 574 575 576 /** 577 * wpa_deinit - Deinitialize WPA authenticator 578 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 579 */ 580 void wpa_deinit(struct wpa_authenticator *wpa_auth) 581 { 582 struct wpa_group *group, *prev; 583 584 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 585 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 586 587 pmksa_cache_auth_deinit(wpa_auth->pmksa); 588 589 #ifdef CONFIG_IEEE80211R_AP 590 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 591 wpa_auth->ft_pmk_cache = NULL; 592 wpa_ft_deinit(wpa_auth); 593 #endif /* CONFIG_IEEE80211R_AP */ 594 595 #ifdef CONFIG_P2P 596 bitfield_free(wpa_auth->ip_pool); 597 #endif /* CONFIG_P2P */ 598 599 600 os_free(wpa_auth->wpa_ie); 601 602 group = wpa_auth->group; 603 while (group) { 604 prev = group; 605 group = group->next; 606 os_free(prev); 607 } 608 609 os_free(wpa_auth); 610 } 611 612 613 /** 614 * wpa_reconfig - Update WPA authenticator configuration 615 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 616 * @conf: Configuration for WPA authenticator 617 */ 618 int wpa_reconfig(struct wpa_authenticator *wpa_auth, 619 struct wpa_auth_config *conf) 620 { 621 struct wpa_group *group; 622 623 if (!wpa_auth) 624 return 0; 625 626 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 627 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 628 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 629 return -1; 630 } 631 632 /* 633 * Reinitialize GTK to make sure it is suitable for the new 634 * configuration. 635 */ 636 group = wpa_auth->group; 637 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 638 group->GInit = true; 639 wpa_group_sm_step(wpa_auth, group); 640 group->GInit = false; 641 wpa_group_sm_step(wpa_auth, group); 642 643 return 0; 644 } 645 646 647 struct wpa_state_machine * 648 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 649 const u8 *p2p_dev_addr) 650 { 651 struct wpa_state_machine *sm; 652 653 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 654 return NULL; 655 656 sm = os_zalloc(sizeof(struct wpa_state_machine)); 657 if (!sm) 658 return NULL; 659 os_memcpy(sm->addr, addr, ETH_ALEN); 660 if (p2p_dev_addr) 661 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 662 663 sm->wpa_auth = wpa_auth; 664 sm->group = wpa_auth->group; 665 wpa_group_get(sm->wpa_auth, sm->group); 666 667 return sm; 668 } 669 670 671 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 672 struct wpa_state_machine *sm) 673 { 674 if (!wpa_auth || !wpa_auth->conf.wpa || !sm) 675 return -1; 676 677 #ifdef CONFIG_IEEE80211R_AP 678 if (sm->ft_completed) { 679 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 680 "FT authentication already completed - do not start 4-way handshake"); 681 /* Go to PTKINITDONE state to allow GTK rekeying */ 682 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 683 sm->Pair = true; 684 return 0; 685 } 686 #endif /* CONFIG_IEEE80211R_AP */ 687 688 #ifdef CONFIG_FILS 689 if (sm->fils_completed) { 690 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 691 "FILS authentication already completed - do not start 4-way handshake"); 692 /* Go to PTKINITDONE state to allow GTK rekeying */ 693 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 694 sm->Pair = true; 695 return 0; 696 } 697 #endif /* CONFIG_FILS */ 698 699 if (sm->started) { 700 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 701 sm->ReAuthenticationRequest = true; 702 return wpa_sm_step(sm); 703 } 704 705 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 706 "start authentication"); 707 sm->started = 1; 708 709 sm->Init = true; 710 if (wpa_sm_step(sm) == 1) 711 return 1; /* should not really happen */ 712 sm->Init = false; 713 sm->AuthenticationRequest = true; 714 return wpa_sm_step(sm); 715 } 716 717 718 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 719 { 720 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 721 * reassociates back to the same AP while the previous entry for the 722 * STA has not yet been removed. */ 723 if (!sm) 724 return; 725 726 sm->wpa_key_mgmt = 0; 727 } 728 729 730 static void wpa_free_sta_sm(struct wpa_state_machine *sm) 731 { 732 #ifdef CONFIG_P2P 733 if (WPA_GET_BE32(sm->ip_addr)) { 734 u32 start; 735 wpa_printf(MSG_DEBUG, 736 "P2P: Free assigned IP address %u.%u.%u.%u from " 737 MACSTR, 738 sm->ip_addr[0], sm->ip_addr[1], 739 sm->ip_addr[2], sm->ip_addr[3], 740 MAC2STR(sm->addr)); 741 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start); 742 bitfield_clear(sm->wpa_auth->ip_pool, 743 WPA_GET_BE32(sm->ip_addr) - start); 744 } 745 #endif /* CONFIG_P2P */ 746 if (sm->GUpdateStationKeys) { 747 sm->group->GKeyDoneStations--; 748 sm->GUpdateStationKeys = false; 749 } 750 #ifdef CONFIG_IEEE80211R_AP 751 os_free(sm->assoc_resp_ftie); 752 wpabuf_free(sm->ft_pending_req_ies); 753 #endif /* CONFIG_IEEE80211R_AP */ 754 os_free(sm->last_rx_eapol_key); 755 os_free(sm->wpa_ie); 756 os_free(sm->rsnxe); 757 wpa_group_put(sm->wpa_auth, sm->group); 758 #ifdef CONFIG_DPP2 759 wpabuf_clear_free(sm->dpp_z); 760 #endif /* CONFIG_DPP2 */ 761 bin_clear_free(sm, sizeof(*sm)); 762 } 763 764 765 void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 766 { 767 struct wpa_authenticator *wpa_auth; 768 769 if (!sm) 770 return; 771 772 wpa_auth = sm->wpa_auth; 773 if (wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 774 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 775 "strict rekeying - force GTK rekey since STA is leaving"); 776 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk, 777 wpa_auth, NULL) == -1) 778 eloop_register_timeout(0, 500000, wpa_rekey_gtk, 779 wpa_auth, NULL); 780 } 781 782 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 783 sm->pending_1_of_4_timeout = 0; 784 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 785 eloop_cancel_timeout(wpa_rekey_ptk, wpa_auth, sm); 786 #ifdef CONFIG_IEEE80211R_AP 787 wpa_ft_sta_deinit(sm); 788 #endif /* CONFIG_IEEE80211R_AP */ 789 if (sm->in_step_loop) { 790 /* Must not free state machine while wpa_sm_step() is running. 791 * Freeing will be completed in the end of wpa_sm_step(). */ 792 wpa_printf(MSG_DEBUG, 793 "WPA: Registering pending STA state machine deinit for " 794 MACSTR, MAC2STR(sm->addr)); 795 sm->pending_deinit = 1; 796 } else 797 wpa_free_sta_sm(sm); 798 } 799 800 801 static void wpa_request_new_ptk(struct wpa_state_machine *sm) 802 { 803 if (!sm) 804 return; 805 806 if (!sm->use_ext_key_id && sm->wpa_auth->conf.wpa_deny_ptk0_rekey) { 807 wpa_printf(MSG_INFO, 808 "WPA: PTK0 rekey not allowed, disconnect " MACSTR, 809 MAC2STR(sm->addr)); 810 sm->Disconnect = true; 811 /* Try to encourage the STA to reconnect */ 812 sm->disconnect_reason = 813 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA; 814 } else { 815 if (sm->use_ext_key_id) 816 sm->keyidx_active ^= 1; /* flip Key ID */ 817 sm->PTKRequest = true; 818 sm->PTK_valid = 0; 819 } 820 } 821 822 823 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 824 const u8 *replay_counter) 825 { 826 int i; 827 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 828 if (!ctr[i].valid) 829 break; 830 if (os_memcmp(replay_counter, ctr[i].counter, 831 WPA_REPLAY_COUNTER_LEN) == 0) 832 return 1; 833 } 834 return 0; 835 } 836 837 838 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 839 const u8 *replay_counter) 840 { 841 int i; 842 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 843 if (ctr[i].valid && 844 (!replay_counter || 845 os_memcmp(replay_counter, ctr[i].counter, 846 WPA_REPLAY_COUNTER_LEN) == 0)) 847 ctr[i].valid = false; 848 } 849 } 850 851 852 #ifdef CONFIG_IEEE80211R_AP 853 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 854 struct wpa_state_machine *sm, 855 struct wpa_eapol_ie_parse *kde) 856 { 857 struct wpa_ie_data ie; 858 struct rsn_mdie *mdie; 859 860 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 861 ie.num_pmkid != 1 || !ie.pmkid) { 862 wpa_printf(MSG_DEBUG, 863 "FT: No PMKR1Name in FT 4-way handshake message 2/4"); 864 return -1; 865 } 866 867 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 868 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 869 sm->sup_pmk_r1_name, PMKID_LEN); 870 871 if (!kde->mdie || !kde->ftie) { 872 wpa_printf(MSG_DEBUG, 873 "FT: No %s in FT 4-way handshake message 2/4", 874 kde->mdie ? "FTIE" : "MDIE"); 875 return -1; 876 } 877 878 mdie = (struct rsn_mdie *) (kde->mdie + 2); 879 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 880 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 881 MOBILITY_DOMAIN_ID_LEN) != 0) { 882 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 883 return -1; 884 } 885 886 if (sm->assoc_resp_ftie && 887 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 888 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 889 2 + sm->assoc_resp_ftie[1]) != 0)) { 890 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 891 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 892 kde->ftie, kde->ftie_len); 893 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 894 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 895 return -1; 896 } 897 898 return 0; 899 } 900 #endif /* CONFIG_IEEE80211R_AP */ 901 902 903 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 904 struct wpa_state_machine *sm, int group) 905 { 906 /* Supplicant reported a Michael MIC error */ 907 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 908 "received EAPOL-Key Error Request (STA detected Michael MIC failure (group=%d))", 909 group); 910 911 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 912 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 913 "ignore Michael MIC failure report since group cipher is not TKIP"); 914 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 915 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 916 "ignore Michael MIC failure report since pairwise cipher is not TKIP"); 917 } else { 918 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 919 return 1; /* STA entry was removed */ 920 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 921 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 922 } 923 924 /* 925 * Error report is not a request for a new key handshake, but since 926 * Authenticator may do it, let's change the keys now anyway. 927 */ 928 wpa_request_new_ptk(sm); 929 return 0; 930 } 931 932 933 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, 934 size_t data_len) 935 { 936 struct wpa_ptk PTK; 937 int ok = 0; 938 const u8 *pmk = NULL; 939 size_t pmk_len; 940 int vlan_id = 0; 941 942 os_memset(&PTK, 0, sizeof(PTK)); 943 for (;;) { 944 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 945 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 946 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 947 sm->p2p_dev_addr, pmk, &pmk_len, 948 &vlan_id); 949 if (!pmk) 950 break; 951 #ifdef CONFIG_IEEE80211R_AP 952 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { 953 os_memcpy(sm->xxkey, pmk, pmk_len); 954 sm->xxkey_len = pmk_len; 955 } 956 #endif /* CONFIG_IEEE80211R_AP */ 957 } else { 958 pmk = sm->PMK; 959 pmk_len = sm->pmk_len; 960 } 961 962 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK, 0) < 963 0) 964 break; 965 966 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK, 967 data, data_len) == 0) { 968 if (sm->PMK != pmk) { 969 os_memcpy(sm->PMK, pmk, pmk_len); 970 sm->pmk_len = pmk_len; 971 } 972 ok = 1; 973 break; 974 } 975 976 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 977 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) 978 break; 979 } 980 981 if (!ok) { 982 wpa_printf(MSG_DEBUG, 983 "WPA: Earlier SNonce did not result in matching MIC"); 984 return -1; 985 } 986 987 wpa_printf(MSG_DEBUG, 988 "WPA: Earlier SNonce resulted in matching MIC"); 989 sm->alt_snonce_valid = 0; 990 991 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 992 wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0) 993 return -1; 994 995 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN); 996 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 997 forced_memzero(&PTK, sizeof(PTK)); 998 sm->PTK_valid = true; 999 1000 return 0; 1001 } 1002 1003 1004 static bool wpa_auth_gtk_rekey_in_process(struct wpa_authenticator *wpa_auth) 1005 { 1006 struct wpa_group *group; 1007 1008 for (group = wpa_auth->group; group; group = group->next) { 1009 if (group->GKeyDoneStations) 1010 return true; 1011 } 1012 return false; 1013 } 1014 1015 1016 void wpa_receive(struct wpa_authenticator *wpa_auth, 1017 struct wpa_state_machine *sm, 1018 u8 *data, size_t data_len) 1019 { 1020 struct ieee802_1x_hdr *hdr; 1021 struct wpa_eapol_key *key; 1022 u16 key_info, key_data_length; 1023 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg; 1024 char *msgtxt; 1025 struct wpa_eapol_ie_parse kde; 1026 const u8 *key_data; 1027 size_t keyhdrlen, mic_len; 1028 u8 *mic; 1029 1030 if (!wpa_auth || !wpa_auth->conf.wpa || !sm) 1031 return; 1032 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len); 1033 1034 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 1035 keyhdrlen = sizeof(*key) + mic_len + 2; 1036 1037 if (data_len < sizeof(*hdr) + keyhdrlen) { 1038 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame"); 1039 return; 1040 } 1041 1042 hdr = (struct ieee802_1x_hdr *) data; 1043 key = (struct wpa_eapol_key *) (hdr + 1); 1044 mic = (u8 *) (key + 1); 1045 key_info = WPA_GET_BE16(key->key_info); 1046 key_data = mic + mic_len + 2; 1047 key_data_length = WPA_GET_BE16(mic + mic_len); 1048 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 1049 " key_info=0x%x type=%u mic_len=%zu key_data_length=%u", 1050 MAC2STR(sm->addr), key_info, key->type, 1051 mic_len, key_data_length); 1052 wpa_hexdump(MSG_MSGDUMP, 1053 "WPA: EAPOL-Key header (ending before Key MIC)", 1054 key, sizeof(*key)); 1055 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC", 1056 mic, mic_len); 1057 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) { 1058 wpa_printf(MSG_INFO, 1059 "WPA: Invalid EAPOL-Key frame - key_data overflow (%d > %zu)", 1060 key_data_length, 1061 data_len - sizeof(*hdr) - keyhdrlen); 1062 return; 1063 } 1064 1065 if (sm->wpa == WPA_VERSION_WPA2) { 1066 if (key->type == EAPOL_KEY_TYPE_WPA) { 1067 /* 1068 * Some deployed station implementations seem to send 1069 * msg 4/4 with incorrect type value in WPA2 mode. 1070 */ 1071 wpa_printf(MSG_DEBUG, 1072 "Workaround: Allow EAPOL-Key with unexpected WPA type in RSN mode"); 1073 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 1074 wpa_printf(MSG_DEBUG, 1075 "Ignore EAPOL-Key with unexpected type %d in RSN mode", 1076 key->type); 1077 return; 1078 } 1079 } else { 1080 if (key->type != EAPOL_KEY_TYPE_WPA) { 1081 wpa_printf(MSG_DEBUG, 1082 "Ignore EAPOL-Key with unexpected type %d in WPA mode", 1083 key->type); 1084 return; 1085 } 1086 } 1087 1088 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 1089 WPA_NONCE_LEN); 1090 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 1091 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1092 1093 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 1094 * are set */ 1095 1096 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 1097 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message"); 1098 return; 1099 } 1100 1101 if (key_info & WPA_KEY_INFO_REQUEST) { 1102 msg = REQUEST; 1103 msgtxt = "Request"; 1104 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 1105 msg = GROUP_2; 1106 msgtxt = "2/2 Group"; 1107 } else if (key_data_length == 0 || 1108 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && 1109 key_data_length == AES_BLOCK_SIZE)) { 1110 msg = PAIRWISE_4; 1111 msgtxt = "4/4 Pairwise"; 1112 } else { 1113 msg = PAIRWISE_2; 1114 msgtxt = "2/4 Pairwise"; 1115 } 1116 1117 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 1118 msg == GROUP_2) { 1119 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 1120 if (sm->pairwise == WPA_CIPHER_CCMP || 1121 sm->pairwise == WPA_CIPHER_GCMP) { 1122 if (wpa_use_cmac(sm->wpa_key_mgmt) && 1123 !wpa_use_akm_defined(sm->wpa_key_mgmt) && 1124 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1125 wpa_auth_logger(wpa_auth, sm->addr, 1126 LOGGER_WARNING, 1127 "advertised support for AES-128-CMAC, but did not use it"); 1128 return; 1129 } 1130 1131 if (!wpa_use_cmac(sm->wpa_key_mgmt) && 1132 !wpa_use_akm_defined(sm->wpa_key_mgmt) && 1133 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1134 wpa_auth_logger(wpa_auth, sm->addr, 1135 LOGGER_WARNING, 1136 "did not use HMAC-SHA1-AES with CCMP/GCMP"); 1137 return; 1138 } 1139 } 1140 1141 if (wpa_use_akm_defined(sm->wpa_key_mgmt) && 1142 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 1143 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1144 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases"); 1145 return; 1146 } 1147 } 1148 1149 if (key_info & WPA_KEY_INFO_REQUEST) { 1150 if (sm->req_replay_counter_used && 1151 os_memcmp(key->replay_counter, sm->req_replay_counter, 1152 WPA_REPLAY_COUNTER_LEN) <= 0) { 1153 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1154 "received EAPOL-Key request with replayed counter"); 1155 return; 1156 } 1157 } 1158 1159 if (!(key_info & WPA_KEY_INFO_REQUEST) && 1160 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 1161 int i; 1162 1163 if (msg == PAIRWISE_2 && 1164 wpa_replay_counter_valid(sm->prev_key_replay, 1165 key->replay_counter) && 1166 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1167 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 1168 { 1169 /* 1170 * Some supplicant implementations (e.g., Windows XP 1171 * WZC) update SNonce for each EAPOL-Key 2/4. This 1172 * breaks the workaround on accepting any of the 1173 * pending requests, so allow the SNonce to be updated 1174 * even if we have already sent out EAPOL-Key 3/4. 1175 */ 1176 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1177 "Process SNonce update from STA based on retransmitted EAPOL-Key 1/4"); 1178 sm->update_snonce = 1; 1179 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN); 1180 sm->alt_snonce_valid = true; 1181 os_memcpy(sm->alt_replay_counter, 1182 sm->key_replay[0].counter, 1183 WPA_REPLAY_COUNTER_LEN); 1184 goto continue_processing; 1185 } 1186 1187 if (msg == PAIRWISE_4 && sm->alt_snonce_valid && 1188 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1189 os_memcmp(key->replay_counter, sm->alt_replay_counter, 1190 WPA_REPLAY_COUNTER_LEN) == 0) { 1191 /* 1192 * Supplicant may still be using the old SNonce since 1193 * there was two EAPOL-Key 2/4 messages and they had 1194 * different SNonce values. 1195 */ 1196 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1197 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4"); 1198 goto continue_processing; 1199 } 1200 1201 if (msg == PAIRWISE_2 && 1202 wpa_replay_counter_valid(sm->prev_key_replay, 1203 key->replay_counter) && 1204 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 1205 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1206 "ignore retransmitted EAPOL-Key %s - SNonce did not change", 1207 msgtxt); 1208 } else { 1209 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1210 "received EAPOL-Key %s with unexpected replay counter", 1211 msgtxt); 1212 } 1213 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 1214 if (!sm->key_replay[i].valid) 1215 break; 1216 wpa_hexdump(MSG_DEBUG, "pending replay counter", 1217 sm->key_replay[i].counter, 1218 WPA_REPLAY_COUNTER_LEN); 1219 } 1220 wpa_hexdump(MSG_DEBUG, "received replay counter", 1221 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1222 return; 1223 } 1224 1225 continue_processing: 1226 #ifdef CONFIG_FILS 1227 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 && 1228 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1229 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1230 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame"); 1231 return; 1232 } 1233 #endif /* CONFIG_FILS */ 1234 1235 switch (msg) { 1236 case PAIRWISE_2: 1237 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 1238 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 1239 (!sm->update_snonce || 1240 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 1241 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1242 "received EAPOL-Key msg 2/4 in invalid state (%d) - dropped", 1243 sm->wpa_ptk_state); 1244 return; 1245 } 1246 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 1247 if (sm->group->reject_4way_hs_for_entropy) { 1248 /* 1249 * The system did not have enough entropy to generate 1250 * strong random numbers. Reject the first 4-way 1251 * handshake(s) and collect some entropy based on the 1252 * information from it. Once enough entropy is 1253 * available, the next atempt will trigger GMK/Key 1254 * Counter update and the station will be allowed to 1255 * continue. 1256 */ 1257 wpa_printf(MSG_DEBUG, 1258 "WPA: Reject 4-way handshake to collect more entropy for random number generation"); 1259 random_mark_pool_ready(); 1260 wpa_sta_disconnect(wpa_auth, sm->addr, 1261 WLAN_REASON_PREV_AUTH_NOT_VALID); 1262 return; 1263 } 1264 break; 1265 case PAIRWISE_4: 1266 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1267 !sm->PTK_valid) { 1268 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1269 "received EAPOL-Key msg 4/4 in invalid state (%d) - dropped", 1270 sm->wpa_ptk_state); 1271 return; 1272 } 1273 break; 1274 case GROUP_2: 1275 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1276 || !sm->PTK_valid) { 1277 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1278 "received EAPOL-Key msg 2/2 in invalid state (%d) - dropped", 1279 sm->wpa_ptk_group_state); 1280 return; 1281 } 1282 break; 1283 case REQUEST: 1284 break; 1285 } 1286 1287 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1288 "received EAPOL-Key frame (%s)", msgtxt); 1289 1290 if (key_info & WPA_KEY_INFO_ACK) { 1291 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1292 "received invalid EAPOL-Key: Key Ack set"); 1293 return; 1294 } 1295 1296 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1297 !(key_info & WPA_KEY_INFO_MIC)) { 1298 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1299 "received invalid EAPOL-Key: Key MIC not set"); 1300 return; 1301 } 1302 1303 #ifdef CONFIG_FILS 1304 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1305 (key_info & WPA_KEY_INFO_MIC)) { 1306 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1307 "received invalid EAPOL-Key: Key MIC set"); 1308 return; 1309 } 1310 #endif /* CONFIG_FILS */ 1311 1312 sm->MICVerified = false; 1313 if (sm->PTK_valid && !sm->update_snonce) { 1314 if (mic_len && 1315 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK, 1316 data, data_len) && 1317 (msg != PAIRWISE_4 || !sm->alt_snonce_valid || 1318 wpa_try_alt_snonce(sm, data, data_len))) { 1319 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1320 "received EAPOL-Key with invalid MIC"); 1321 #ifdef TEST_FUZZ 1322 wpa_printf(MSG_INFO, 1323 "TEST: Ignore Key MIC failure for fuzz testing"); 1324 goto continue_fuzz; 1325 #endif /* TEST_FUZZ */ 1326 return; 1327 } 1328 #ifdef CONFIG_FILS 1329 if (!mic_len && 1330 wpa_aead_decrypt(sm, &sm->PTK, data, data_len, 1331 &key_data_length) < 0) { 1332 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1333 "received EAPOL-Key with invalid MIC"); 1334 #ifdef TEST_FUZZ 1335 wpa_printf(MSG_INFO, 1336 "TEST: Ignore Key MIC failure for fuzz testing"); 1337 goto continue_fuzz; 1338 #endif /* TEST_FUZZ */ 1339 return; 1340 } 1341 #endif /* CONFIG_FILS */ 1342 #ifdef TEST_FUZZ 1343 continue_fuzz: 1344 #endif /* TEST_FUZZ */ 1345 sm->MICVerified = true; 1346 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1347 sm->pending_1_of_4_timeout = 0; 1348 } 1349 1350 if (key_info & WPA_KEY_INFO_REQUEST) { 1351 if (sm->MICVerified) { 1352 sm->req_replay_counter_used = 1; 1353 os_memcpy(sm->req_replay_counter, key->replay_counter, 1354 WPA_REPLAY_COUNTER_LEN); 1355 } else { 1356 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1357 "received EAPOL-Key request with invalid MIC"); 1358 return; 1359 } 1360 1361 /* 1362 * TODO: should decrypt key data field if encryption was used; 1363 * even though MAC address KDE is not normally encrypted, 1364 * supplicant is allowed to encrypt it. 1365 */ 1366 if (key_info & WPA_KEY_INFO_ERROR) { 1367 if (wpa_receive_error_report( 1368 wpa_auth, sm, 1369 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1370 return; /* STA entry was removed */ 1371 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1372 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1373 "received EAPOL-Key Request for new 4-Way Handshake"); 1374 wpa_request_new_ptk(sm); 1375 } else if (key_data_length > 0 && 1376 wpa_parse_kde_ies(key_data, key_data_length, 1377 &kde) == 0 && 1378 kde.mac_addr) { 1379 } else { 1380 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1381 "received EAPOL-Key Request for GTK rekeying"); 1382 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1383 if (wpa_auth_gtk_rekey_in_process(wpa_auth)) 1384 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, 1385 "skip new GTK rekey - already in process"); 1386 else 1387 wpa_rekey_gtk(wpa_auth, NULL); 1388 } 1389 } else { 1390 /* Do not allow the same key replay counter to be reused. */ 1391 wpa_replay_counter_mark_invalid(sm->key_replay, 1392 key->replay_counter); 1393 1394 if (msg == PAIRWISE_2) { 1395 /* 1396 * Maintain a copy of the pending EAPOL-Key frames in 1397 * case the EAPOL-Key frame was retransmitted. This is 1398 * needed to allow EAPOL-Key msg 2/4 reply to another 1399 * pending msg 1/4 to update the SNonce to work around 1400 * unexpected supplicant behavior. 1401 */ 1402 os_memcpy(sm->prev_key_replay, sm->key_replay, 1403 sizeof(sm->key_replay)); 1404 } else { 1405 os_memset(sm->prev_key_replay, 0, 1406 sizeof(sm->prev_key_replay)); 1407 } 1408 1409 /* 1410 * Make sure old valid counters are not accepted anymore and 1411 * do not get copied again. 1412 */ 1413 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1414 } 1415 1416 os_free(sm->last_rx_eapol_key); 1417 sm->last_rx_eapol_key = os_memdup(data, data_len); 1418 if (!sm->last_rx_eapol_key) 1419 return; 1420 sm->last_rx_eapol_key_len = data_len; 1421 1422 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1423 sm->EAPOLKeyReceived = true; 1424 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1425 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1426 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1427 wpa_sm_step(sm); 1428 } 1429 1430 1431 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1432 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1433 { 1434 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN]; 1435 u8 *pos; 1436 int ret = 0; 1437 1438 /* GTK = PRF-X(GMK, "Group key expansion", 1439 * AA || GNonce || Time || random data) 1440 * The example described in the IEEE 802.11 standard uses only AA and 1441 * GNonce as inputs here. Add some more entropy since this derivation 1442 * is done only at the Authenticator and as such, does not need to be 1443 * exactly same. 1444 */ 1445 os_memset(data, 0, sizeof(data)); 1446 os_memcpy(data, addr, ETH_ALEN); 1447 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1448 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1449 wpa_get_ntp_timestamp(pos); 1450 #ifdef TEST_FUZZ 1451 os_memset(pos, 0xef, 8); 1452 #endif /* TEST_FUZZ */ 1453 pos += 8; 1454 if (random_get_bytes(pos, gtk_len) < 0) 1455 ret = -1; 1456 1457 #ifdef CONFIG_SHA384 1458 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1459 gtk, gtk_len) < 0) 1460 ret = -1; 1461 #else /* CONFIG_SHA384 */ 1462 #ifdef CONFIG_SHA256 1463 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1464 gtk, gtk_len) < 0) 1465 ret = -1; 1466 #else /* CONFIG_SHA256 */ 1467 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1468 gtk, gtk_len) < 0) 1469 ret = -1; 1470 #endif /* CONFIG_SHA256 */ 1471 #endif /* CONFIG_SHA384 */ 1472 1473 forced_memzero(data, sizeof(data)); 1474 1475 return ret; 1476 } 1477 1478 1479 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1480 { 1481 struct wpa_authenticator *wpa_auth = eloop_ctx; 1482 struct wpa_state_machine *sm = timeout_ctx; 1483 1484 sm->pending_1_of_4_timeout = 0; 1485 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1486 sm->TimeoutEvt = true; 1487 wpa_sm_step(sm); 1488 } 1489 1490 1491 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1492 struct wpa_state_machine *sm, int key_info, 1493 const u8 *key_rsc, const u8 *nonce, 1494 const u8 *kde, size_t kde_len, 1495 int keyidx, int encr, int force_version) 1496 { 1497 struct wpa_auth_config *conf = &wpa_auth->conf; 1498 struct ieee802_1x_hdr *hdr; 1499 struct wpa_eapol_key *key; 1500 size_t len, mic_len, keyhdrlen; 1501 int alg; 1502 int key_data_len, pad_len = 0; 1503 u8 *buf, *pos; 1504 int version, pairwise; 1505 int i; 1506 u8 *key_mic, *key_data; 1507 1508 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 1509 keyhdrlen = sizeof(*key) + mic_len + 2; 1510 1511 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen; 1512 1513 if (force_version) 1514 version = force_version; 1515 else if (wpa_use_akm_defined(sm->wpa_key_mgmt)) 1516 version = WPA_KEY_INFO_TYPE_AKM_DEFINED; 1517 else if (wpa_use_cmac(sm->wpa_key_mgmt)) 1518 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1519 else if (sm->pairwise != WPA_CIPHER_TKIP) 1520 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1521 else 1522 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1523 1524 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1525 1526 wpa_printf(MSG_DEBUG, 1527 "WPA: Send EAPOL(version=%d secure=%d mic=%d ack=%d install=%d pairwise=%d kde_len=%zu keyidx=%d encr=%d)", 1528 version, 1529 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1530 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1531 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1532 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1533 pairwise, kde_len, keyidx, encr); 1534 1535 key_data_len = kde_len; 1536 1537 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1538 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) || 1539 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1540 pad_len = key_data_len % 8; 1541 if (pad_len) 1542 pad_len = 8 - pad_len; 1543 key_data_len += pad_len + 8; 1544 } 1545 1546 len += key_data_len; 1547 if (!mic_len && encr) 1548 len += AES_BLOCK_SIZE; 1549 1550 hdr = os_zalloc(len); 1551 if (!hdr) 1552 return; 1553 hdr->version = conf->eapol_version; 1554 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1555 hdr->length = host_to_be16(len - sizeof(*hdr)); 1556 key = (struct wpa_eapol_key *) (hdr + 1); 1557 key_mic = (u8 *) (key + 1); 1558 key_data = ((u8 *) (hdr + 1)) + keyhdrlen; 1559 1560 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1561 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1562 key_info |= version; 1563 if (encr && sm->wpa == WPA_VERSION_WPA2) 1564 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1565 if (sm->wpa != WPA_VERSION_WPA2) 1566 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1567 WPA_PUT_BE16(key->key_info, key_info); 1568 1569 alg = pairwise ? sm->pairwise : conf->wpa_group; 1570 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise) 1571 WPA_PUT_BE16(key->key_length, 0); 1572 else 1573 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1574 1575 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1576 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1577 os_memcpy(sm->key_replay[i].counter, 1578 sm->key_replay[i - 1].counter, 1579 WPA_REPLAY_COUNTER_LEN); 1580 } 1581 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1582 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1583 WPA_REPLAY_COUNTER_LEN); 1584 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", 1585 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1586 sm->key_replay[0].valid = true; 1587 1588 if (nonce) 1589 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1590 1591 if (key_rsc) 1592 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1593 1594 if (kde && !encr) { 1595 os_memcpy(key_data, kde, kde_len); 1596 WPA_PUT_BE16(key_mic + mic_len, kde_len); 1597 #ifdef CONFIG_FILS 1598 } else if (!mic_len && kde) { 1599 const u8 *aad[1]; 1600 size_t aad_len[1]; 1601 1602 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len); 1603 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1604 kde, kde_len); 1605 1606 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", 1607 sm->PTK.kek, sm->PTK.kek_len); 1608 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 1609 * to Key Data (exclusive). */ 1610 aad[0] = (u8 *) hdr; 1611 aad_len[0] = key_mic + 2 - (u8 *) hdr; 1612 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len, 1613 1, aad, aad_len, key_mic + 2) < 0) { 1614 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed"); 1615 return; 1616 } 1617 1618 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV", 1619 key_mic + 2, AES_BLOCK_SIZE + kde_len); 1620 #endif /* CONFIG_FILS */ 1621 } else if (encr && kde) { 1622 buf = os_zalloc(key_data_len); 1623 if (!buf) { 1624 os_free(hdr); 1625 return; 1626 } 1627 pos = buf; 1628 os_memcpy(pos, kde, kde_len); 1629 pos += kde_len; 1630 1631 if (pad_len) 1632 *pos++ = 0xdd; 1633 1634 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1635 buf, key_data_len); 1636 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1637 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) || 1638 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1639 wpa_printf(MSG_DEBUG, 1640 "WPA: Encrypt Key Data using AES-WRAP (KEK length %zu)", 1641 sm->PTK.kek_len); 1642 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len, 1643 (key_data_len - 8) / 8, buf, key_data)) { 1644 os_free(hdr); 1645 os_free(buf); 1646 return; 1647 } 1648 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1649 #ifndef CONFIG_NO_RC4 1650 } else if (sm->PTK.kek_len == 16) { 1651 u8 ek[32]; 1652 1653 wpa_printf(MSG_DEBUG, 1654 "WPA: Encrypt Key Data using RC4"); 1655 os_memcpy(key->key_iv, 1656 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1657 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1658 os_memcpy(ek, key->key_iv, 16); 1659 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len); 1660 os_memcpy(key_data, buf, key_data_len); 1661 rc4_skip(ek, 32, 256, key_data, key_data_len); 1662 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1663 #endif /* CONFIG_NO_RC4 */ 1664 } else { 1665 os_free(hdr); 1666 os_free(buf); 1667 return; 1668 } 1669 os_free(buf); 1670 } 1671 1672 if (key_info & WPA_KEY_INFO_MIC) { 1673 if (!sm->PTK_valid || !mic_len) { 1674 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1675 "PTK not valid when sending EAPOL-Key frame"); 1676 os_free(hdr); 1677 return; 1678 } 1679 1680 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len, 1681 sm->wpa_key_mgmt, version, 1682 (u8 *) hdr, len, key_mic) < 0) { 1683 os_free(hdr); 1684 return; 1685 } 1686 #ifdef CONFIG_TESTING_OPTIONS 1687 if (!pairwise && 1688 conf->corrupt_gtk_rekey_mic_probability > 0.0 && 1689 drand48() < conf->corrupt_gtk_rekey_mic_probability) { 1690 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1691 "Corrupting group EAPOL-Key Key MIC"); 1692 key_mic[0]++; 1693 } 1694 #endif /* CONFIG_TESTING_OPTIONS */ 1695 } 1696 1697 wpa_auth_set_eapol(wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1); 1698 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1699 sm->pairwise_set); 1700 os_free(hdr); 1701 } 1702 1703 1704 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1705 struct wpa_state_machine *sm, int key_info, 1706 const u8 *key_rsc, const u8 *nonce, 1707 const u8 *kde, size_t kde_len, 1708 int keyidx, int encr) 1709 { 1710 int timeout_ms; 1711 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1712 u32 ctr; 1713 1714 if (!sm) 1715 return; 1716 1717 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1718 keyidx, encr, 0); 1719 1720 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1721 if (ctr == 1 && wpa_auth->conf.tx_status) 1722 timeout_ms = pairwise ? eapol_key_timeout_first : 1723 eapol_key_timeout_first_group; 1724 else 1725 timeout_ms = eapol_key_timeout_subseq; 1726 if (wpa_auth->conf.wpa_disable_eapol_key_retries && 1727 (!pairwise || (key_info & WPA_KEY_INFO_MIC))) 1728 timeout_ms = eapol_key_timeout_no_retrans; 1729 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1730 sm->pending_1_of_4_timeout = 1; 1731 #ifdef TEST_FUZZ 1732 timeout_ms = 1; 1733 #endif /* TEST_FUZZ */ 1734 wpa_printf(MSG_DEBUG, 1735 "WPA: Use EAPOL-Key timeout of %u ms (retry counter %u)", 1736 timeout_ms, ctr); 1737 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1738 wpa_send_eapol_timeout, wpa_auth, sm); 1739 } 1740 1741 1742 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK, 1743 u8 *data, size_t data_len) 1744 { 1745 struct ieee802_1x_hdr *hdr; 1746 struct wpa_eapol_key *key; 1747 u16 key_info; 1748 int ret = 0; 1749 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos; 1750 size_t mic_len = wpa_mic_len(akmp, pmk_len); 1751 1752 if (data_len < sizeof(*hdr) + sizeof(*key)) 1753 return -1; 1754 1755 hdr = (struct ieee802_1x_hdr *) data; 1756 key = (struct wpa_eapol_key *) (hdr + 1); 1757 mic_pos = (u8 *) (key + 1); 1758 key_info = WPA_GET_BE16(key->key_info); 1759 os_memcpy(mic, mic_pos, mic_len); 1760 os_memset(mic_pos, 0, mic_len); 1761 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp, 1762 key_info & WPA_KEY_INFO_TYPE_MASK, 1763 data, data_len, mic_pos) || 1764 os_memcmp_const(mic, mic_pos, mic_len) != 0) 1765 ret = -1; 1766 os_memcpy(mic_pos, mic, mic_len); 1767 return ret; 1768 } 1769 1770 1771 void wpa_remove_ptk(struct wpa_state_machine *sm) 1772 { 1773 sm->PTK_valid = false; 1774 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1775 1776 wpa_auth_remove_ptksa(sm->wpa_auth, sm->addr, sm->pairwise); 1777 1778 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 1779 0, KEY_FLAG_PAIRWISE)) 1780 wpa_printf(MSG_DEBUG, 1781 "RSN: PTK removal from the driver failed"); 1782 if (sm->use_ext_key_id && 1783 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 1, NULL, 1784 0, KEY_FLAG_PAIRWISE)) 1785 wpa_printf(MSG_DEBUG, 1786 "RSN: PTK Key ID 1 removal from the driver failed"); 1787 sm->pairwise_set = false; 1788 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1789 } 1790 1791 1792 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) 1793 { 1794 int remove_ptk = 1; 1795 1796 if (!sm) 1797 return -1; 1798 1799 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1800 "event %d notification", event); 1801 1802 switch (event) { 1803 case WPA_AUTH: 1804 #ifdef CONFIG_MESH 1805 /* PTKs are derived through AMPE */ 1806 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) { 1807 /* not mesh */ 1808 break; 1809 } 1810 return 0; 1811 #endif /* CONFIG_MESH */ 1812 case WPA_ASSOC: 1813 break; 1814 case WPA_DEAUTH: 1815 case WPA_DISASSOC: 1816 sm->DeauthenticationRequest = true; 1817 #ifdef CONFIG_IEEE80211R_AP 1818 os_memset(sm->PMK, 0, sizeof(sm->PMK)); 1819 sm->pmk_len = 0; 1820 os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); 1821 sm->xxkey_len = 0; 1822 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1)); 1823 sm->pmk_r1_len = 0; 1824 #endif /* CONFIG_IEEE80211R_AP */ 1825 break; 1826 case WPA_REAUTH: 1827 case WPA_REAUTH_EAPOL: 1828 if (!sm->started) { 1829 /* 1830 * When using WPS, we may end up here if the STA 1831 * manages to re-associate without the previous STA 1832 * entry getting removed. Consequently, we need to make 1833 * sure that the WPA state machines gets initialized 1834 * properly at this point. 1835 */ 1836 wpa_printf(MSG_DEBUG, 1837 "WPA state machine had not been started - initialize now"); 1838 sm->started = 1; 1839 sm->Init = true; 1840 if (wpa_sm_step(sm) == 1) 1841 return 1; /* should not really happen */ 1842 sm->Init = false; 1843 sm->AuthenticationRequest = true; 1844 break; 1845 } 1846 1847 if (!sm->use_ext_key_id && 1848 sm->wpa_auth->conf.wpa_deny_ptk0_rekey) { 1849 wpa_printf(MSG_INFO, 1850 "WPA: PTK0 rekey not allowed, disconnect " 1851 MACSTR, MAC2STR(sm->addr)); 1852 sm->Disconnect = true; 1853 /* Try to encourage the STA to reconnect */ 1854 sm->disconnect_reason = 1855 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA; 1856 break; 1857 } 1858 1859 if (sm->use_ext_key_id) 1860 sm->keyidx_active ^= 1; /* flip Key ID */ 1861 1862 if (sm->GUpdateStationKeys) { 1863 /* 1864 * Reauthentication cancels the pending group key 1865 * update for this STA. 1866 */ 1867 sm->group->GKeyDoneStations--; 1868 sm->GUpdateStationKeys = false; 1869 sm->PtkGroupInit = true; 1870 } 1871 sm->ReAuthenticationRequest = true; 1872 break; 1873 case WPA_ASSOC_FT: 1874 #ifdef CONFIG_IEEE80211R_AP 1875 wpa_printf(MSG_DEBUG, 1876 "FT: Retry PTK configuration after association"); 1877 wpa_ft_install_ptk(sm, 1); 1878 1879 /* Using FT protocol, not WPA auth state machine */ 1880 sm->ft_completed = 1; 1881 wpa_auth_set_ptk_rekey_timer(sm); 1882 return 0; 1883 #else /* CONFIG_IEEE80211R_AP */ 1884 break; 1885 #endif /* CONFIG_IEEE80211R_AP */ 1886 case WPA_ASSOC_FILS: 1887 #ifdef CONFIG_FILS 1888 wpa_printf(MSG_DEBUG, 1889 "FILS: TK configuration after association"); 1890 fils_set_tk(sm); 1891 sm->fils_completed = 1; 1892 return 0; 1893 #else /* CONFIG_FILS */ 1894 break; 1895 #endif /* CONFIG_FILS */ 1896 case WPA_DRV_STA_REMOVED: 1897 sm->tk_already_set = false; 1898 return 0; 1899 } 1900 1901 #ifdef CONFIG_IEEE80211R_AP 1902 sm->ft_completed = 0; 1903 #endif /* CONFIG_IEEE80211R_AP */ 1904 1905 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1906 remove_ptk = 0; 1907 #ifdef CONFIG_FILS 1908 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1909 (event == WPA_AUTH || event == WPA_ASSOC)) 1910 remove_ptk = 0; 1911 #endif /* CONFIG_FILS */ 1912 1913 if (remove_ptk) { 1914 sm->PTK_valid = false; 1915 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1916 1917 if (event != WPA_REAUTH_EAPOL) 1918 wpa_remove_ptk(sm); 1919 } 1920 1921 if (sm->in_step_loop) { 1922 /* 1923 * wpa_sm_step() is already running - avoid recursive call to 1924 * it by making the existing loop process the new update. 1925 */ 1926 sm->changed = true; 1927 return 0; 1928 } 1929 return wpa_sm_step(sm); 1930 } 1931 1932 1933 SM_STATE(WPA_PTK, INITIALIZE) 1934 { 1935 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1936 if (sm->Init) { 1937 /* Init flag is not cleared here, so avoid busy 1938 * loop by claiming nothing changed. */ 1939 sm->changed = false; 1940 } 1941 1942 sm->keycount = 0; 1943 if (sm->GUpdateStationKeys) 1944 sm->group->GKeyDoneStations--; 1945 sm->GUpdateStationKeys = false; 1946 if (sm->wpa == WPA_VERSION_WPA) 1947 sm->PInitAKeys = false; 1948 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1949 * Local AA > Remote AA)) */) { 1950 sm->Pair = true; 1951 } 1952 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1953 wpa_remove_ptk(sm); 1954 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1955 sm->TimeoutCtr = 0; 1956 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 1957 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 1958 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) { 1959 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1960 WPA_EAPOL_authorized, 0); 1961 } 1962 } 1963 1964 1965 SM_STATE(WPA_PTK, DISCONNECT) 1966 { 1967 u16 reason = sm->disconnect_reason; 1968 1969 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1970 sm->Disconnect = false; 1971 sm->disconnect_reason = 0; 1972 if (!reason) 1973 reason = WLAN_REASON_PREV_AUTH_NOT_VALID; 1974 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason); 1975 } 1976 1977 1978 SM_STATE(WPA_PTK, DISCONNECTED) 1979 { 1980 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1981 sm->DeauthenticationRequest = false; 1982 } 1983 1984 1985 SM_STATE(WPA_PTK, AUTHENTICATION) 1986 { 1987 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1988 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1989 sm->PTK_valid = false; 1990 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1991 1); 1992 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1993 sm->AuthenticationRequest = false; 1994 } 1995 1996 1997 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1998 struct wpa_group *group) 1999 { 2000 if (group->first_sta_seen) 2001 return; 2002 /* 2003 * System has run bit further than at the time hostapd was started 2004 * potentially very early during boot up. This provides better chances 2005 * of collecting more randomness on embedded systems. Re-initialize the 2006 * GMK and Counter here to improve their strength if there was not 2007 * enough entropy available immediately after system startup. 2008 */ 2009 wpa_printf(MSG_DEBUG, 2010 "WPA: Re-initialize GMK/Counter on first station"); 2011 if (random_pool_ready() != 1) { 2012 wpa_printf(MSG_INFO, 2013 "WPA: Not enough entropy in random pool to proceed - reject first 4-way handshake"); 2014 group->reject_4way_hs_for_entropy = true; 2015 } else { 2016 group->first_sta_seen = true; 2017 group->reject_4way_hs_for_entropy = false; 2018 } 2019 2020 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 || 2021 wpa_gtk_update(wpa_auth, group) < 0 || 2022 wpa_group_config_group_keys(wpa_auth, group) < 0) { 2023 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed"); 2024 group->first_sta_seen = false; 2025 group->reject_4way_hs_for_entropy = true; 2026 } 2027 } 2028 2029 2030 SM_STATE(WPA_PTK, AUTHENTICATION2) 2031 { 2032 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 2033 2034 wpa_group_ensure_init(sm->wpa_auth, sm->group); 2035 sm->ReAuthenticationRequest = false; 2036 2037 /* 2038 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 2039 * ambiguous. The Authenticator state machine uses a counter that is 2040 * incremented by one for each 4-way handshake. However, the security 2041 * analysis of 4-way handshake points out that unpredictable nonces 2042 * help in preventing precomputation attacks. Instead of the state 2043 * machine definition, use an unpredictable nonce value here to provide 2044 * stronger protection against potential precomputation attacks. 2045 */ 2046 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 2047 wpa_printf(MSG_ERROR, 2048 "WPA: Failed to get random data for ANonce."); 2049 sm->Disconnect = true; 2050 return; 2051 } 2052 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 2053 WPA_NONCE_LEN); 2054 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 2055 * logical place than INITIALIZE since AUTHENTICATION2 can be 2056 * re-entered on ReAuthenticationRequest without going through 2057 * INITIALIZE. */ 2058 sm->TimeoutCtr = 0; 2059 } 2060 2061 2062 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) 2063 { 2064 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 2065 wpa_printf(MSG_ERROR, 2066 "WPA: Failed to get random data for ANonce"); 2067 sm->Disconnect = true; 2068 return -1; 2069 } 2070 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, 2071 WPA_NONCE_LEN); 2072 sm->TimeoutCtr = 0; 2073 return 0; 2074 } 2075 2076 2077 SM_STATE(WPA_PTK, INITPMK) 2078 { 2079 u8 msk[2 * PMK_LEN]; 2080 size_t len = 2 * PMK_LEN; 2081 2082 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 2083 #ifdef CONFIG_IEEE80211R_AP 2084 sm->xxkey_len = 0; 2085 #endif /* CONFIG_IEEE80211R_AP */ 2086 if (sm->pmksa) { 2087 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 2088 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 2089 sm->pmk_len = sm->pmksa->pmk_len; 2090 #ifdef CONFIG_DPP 2091 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) { 2092 wpa_printf(MSG_DEBUG, 2093 "DPP: No PMKSA cache entry for STA - reject connection"); 2094 sm->Disconnect = true; 2095 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID; 2096 return; 2097 #endif /* CONFIG_DPP */ 2098 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 2099 unsigned int pmk_len; 2100 2101 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) 2102 pmk_len = PMK_LEN_SUITE_B_192; 2103 else 2104 pmk_len = PMK_LEN; 2105 wpa_printf(MSG_DEBUG, 2106 "WPA: PMK from EAPOL state machine (MSK len=%zu PMK len=%u)", 2107 len, pmk_len); 2108 if (len < pmk_len) { 2109 wpa_printf(MSG_DEBUG, 2110 "WPA: MSK not long enough (%zu) to create PMK (%u)", 2111 len, pmk_len); 2112 sm->Disconnect = true; 2113 return; 2114 } 2115 os_memcpy(sm->PMK, msk, pmk_len); 2116 sm->pmk_len = pmk_len; 2117 #ifdef CONFIG_IEEE80211R_AP 2118 if (len >= 2 * PMK_LEN) { 2119 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 2120 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN); 2121 sm->xxkey_len = SHA384_MAC_LEN; 2122 } else { 2123 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 2124 sm->xxkey_len = PMK_LEN; 2125 } 2126 } 2127 #endif /* CONFIG_IEEE80211R_AP */ 2128 } else { 2129 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p", 2130 sm->wpa_auth->cb->get_msk); 2131 sm->Disconnect = true; 2132 return; 2133 } 2134 forced_memzero(msk, sizeof(msk)); 2135 2136 sm->req_replay_counter_used = 0; 2137 /* IEEE 802.11i does not set keyRun to false, but not doing this 2138 * will break reauthentication since EAPOL state machines may not be 2139 * get into AUTHENTICATING state that clears keyRun before WPA state 2140 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 2141 * state and takes PMK from the previously used AAA Key. This will 2142 * eventually fail in 4-Way Handshake because Supplicant uses PMK 2143 * derived from the new AAA Key. Setting keyRun = false here seems to 2144 * be good workaround for this issue. */ 2145 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, false); 2146 } 2147 2148 2149 SM_STATE(WPA_PTK, INITPSK) 2150 { 2151 const u8 *psk; 2152 size_t psk_len; 2153 2154 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 2155 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL, 2156 &psk_len, NULL); 2157 if (psk) { 2158 os_memcpy(sm->PMK, psk, psk_len); 2159 sm->pmk_len = psk_len; 2160 #ifdef CONFIG_IEEE80211R_AP 2161 os_memcpy(sm->xxkey, psk, PMK_LEN); 2162 sm->xxkey_len = PMK_LEN; 2163 #endif /* CONFIG_IEEE80211R_AP */ 2164 } 2165 #ifdef CONFIG_SAE 2166 if (wpa_auth_uses_sae(sm) && sm->pmksa) { 2167 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache"); 2168 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 2169 sm->pmk_len = sm->pmksa->pmk_len; 2170 #ifdef CONFIG_IEEE80211R_AP 2171 os_memcpy(sm->xxkey, sm->pmksa->pmk, sm->pmksa->pmk_len); 2172 sm->xxkey_len = sm->pmksa->pmk_len; 2173 #endif /* CONFIG_IEEE80211R_AP */ 2174 } 2175 #endif /* CONFIG_SAE */ 2176 sm->req_replay_counter_used = 0; 2177 } 2178 2179 2180 SM_STATE(WPA_PTK, PTKSTART) 2181 { 2182 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 2183 size_t pmkid_len = 0; 2184 2185 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 2186 sm->PTKRequest = false; 2187 sm->TimeoutEvt = false; 2188 sm->alt_snonce_valid = false; 2189 2190 sm->TimeoutCtr++; 2191 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 2192 /* No point in sending the EAPOL-Key - we will disconnect 2193 * immediately following this. */ 2194 return; 2195 } 2196 2197 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2198 "sending 1/4 msg of 4-Way Handshake"); 2199 /* 2200 * For infrastructure BSS cases, it is better for the AP not to include 2201 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate 2202 * offline search for the passphrase/PSK without having to be able to 2203 * capture a 4-way handshake from a STA that has access to the network. 2204 * 2205 * For IBSS cases, addition of PMKID KDE could be considered even with 2206 * WPA2-PSK cases that use multiple PSKs, but only if there is a single 2207 * possible PSK for this STA. However, this should not be done unless 2208 * there is support for using that information on the supplicant side. 2209 * The concern about exposing PMKID unnecessarily in infrastructure BSS 2210 * cases would also apply here, but at least in the IBSS case, this 2211 * would cover a potential real use case. 2212 */ 2213 if (sm->wpa == WPA_VERSION_WPA2 && 2214 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) || 2215 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) || 2216 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) && 2217 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) { 2218 pmkid = buf; 2219 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 2220 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 2221 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 2222 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 2223 if (sm->pmksa) { 2224 wpa_hexdump(MSG_DEBUG, 2225 "RSN: Message 1/4 PMKID from PMKSA entry", 2226 sm->pmksa->pmkid, PMKID_LEN); 2227 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2228 sm->pmksa->pmkid, PMKID_LEN); 2229 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) { 2230 /* No KCK available to derive PMKID */ 2231 wpa_printf(MSG_DEBUG, 2232 "RSN: No KCK available to derive PMKID for message 1/4"); 2233 pmkid = NULL; 2234 #ifdef CONFIG_FILS 2235 } else if (wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2236 if (sm->pmkid_set) { 2237 wpa_hexdump(MSG_DEBUG, 2238 "RSN: Message 1/4 PMKID from FILS/ERP", 2239 sm->pmkid, PMKID_LEN); 2240 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2241 sm->pmkid, PMKID_LEN); 2242 } else { 2243 /* No PMKID available */ 2244 wpa_printf(MSG_DEBUG, 2245 "RSN: No FILS/ERP PMKID available for message 1/4"); 2246 pmkid = NULL; 2247 } 2248 #endif /* CONFIG_FILS */ 2249 #ifdef CONFIG_IEEE80211R_AP 2250 } else if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) && 2251 sm->ft_completed) { 2252 wpa_printf(MSG_DEBUG, 2253 "FT: No PMKID in message 1/4 when using FT protocol"); 2254 pmkid = NULL; 2255 #endif /* CONFIG_IEEE80211R_AP */ 2256 #ifdef CONFIG_SAE 2257 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 2258 if (sm->pmkid_set) { 2259 wpa_hexdump(MSG_DEBUG, 2260 "RSN: Message 1/4 PMKID from SAE", 2261 sm->pmkid, PMKID_LEN); 2262 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2263 sm->pmkid, PMKID_LEN); 2264 } else { 2265 /* No PMKID available */ 2266 wpa_printf(MSG_DEBUG, 2267 "RSN: No SAE PMKID available for message 1/4"); 2268 pmkid = NULL; 2269 } 2270 #endif /* CONFIG_SAE */ 2271 } else { 2272 /* 2273 * Calculate PMKID since no PMKSA cache entry was 2274 * available with pre-calculated PMKID. 2275 */ 2276 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr, 2277 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 2278 sm->wpa_key_mgmt); 2279 wpa_hexdump(MSG_DEBUG, 2280 "RSN: Message 1/4 PMKID derived from PMK", 2281 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN); 2282 } 2283 } 2284 if (!pmkid) 2285 pmkid_len = 0; 2286 wpa_send_eapol(sm->wpa_auth, sm, 2287 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 2288 sm->ANonce, pmkid, pmkid_len, 0, 0); 2289 } 2290 2291 2292 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 2293 const u8 *pmk, unsigned int pmk_len, 2294 struct wpa_ptk *ptk, int force_sha256) 2295 { 2296 const u8 *z = NULL; 2297 size_t z_len = 0, kdk_len; 2298 int akmp; 2299 2300 if (sm->wpa_auth->conf.force_kdk_derivation || 2301 (sm->wpa_auth->conf.secure_ltf && 2302 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))) 2303 kdk_len = WPA_KDK_MAX_LEN; 2304 else 2305 kdk_len = 0; 2306 2307 #ifdef CONFIG_IEEE80211R_AP 2308 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2309 if (sm->ft_completed) { 2310 u8 ptk_name[WPA_PMK_NAME_LEN]; 2311 2312 return wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->pmk_r1_len, 2313 sm->SNonce, sm->ANonce, 2314 sm->addr, sm->wpa_auth->addr, 2315 sm->pmk_r1_name, 2316 ptk, ptk_name, 2317 sm->wpa_key_mgmt, 2318 sm->pairwise, 2319 kdk_len); 2320 } 2321 return wpa_auth_derive_ptk_ft(sm, ptk); 2322 } 2323 #endif /* CONFIG_IEEE80211R_AP */ 2324 2325 #ifdef CONFIG_DPP2 2326 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) { 2327 z = wpabuf_head(sm->dpp_z); 2328 z_len = wpabuf_len(sm->dpp_z); 2329 } 2330 #endif /* CONFIG_DPP2 */ 2331 2332 akmp = sm->wpa_key_mgmt; 2333 if (force_sha256) 2334 akmp |= WPA_KEY_MGMT_PSK_SHA256; 2335 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion", 2336 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce, 2337 ptk, akmp, sm->pairwise, z, z_len, kdk_len); 2338 } 2339 2340 2341 #ifdef CONFIG_FILS 2342 2343 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, 2344 size_t pmk_len, const u8 *snonce, const u8 *anonce, 2345 const u8 *dhss, size_t dhss_len, 2346 struct wpabuf *g_sta, struct wpabuf *g_ap) 2347 { 2348 u8 ick[FILS_ICK_MAX_LEN]; 2349 size_t ick_len; 2350 int res; 2351 u8 fils_ft[FILS_FT_MAX_LEN]; 2352 size_t fils_ft_len = 0, kdk_len; 2353 2354 if (sm->wpa_auth->conf.force_kdk_derivation || 2355 (sm->wpa_auth->conf.secure_ltf && 2356 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))) 2357 kdk_len = WPA_KDK_MAX_LEN; 2358 else 2359 kdk_len = 0; 2360 2361 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr, 2362 snonce, anonce, dhss, dhss_len, 2363 &sm->PTK, ick, &ick_len, 2364 sm->wpa_key_mgmt, sm->pairwise, 2365 fils_ft, &fils_ft_len, kdk_len); 2366 if (res < 0) 2367 return res; 2368 sm->PTK_valid = true; 2369 sm->tk_already_set = false; 2370 2371 #ifdef CONFIG_IEEE80211R_AP 2372 if (fils_ft_len) { 2373 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2374 struct wpa_auth_config *conf = &wpa_auth->conf; 2375 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN]; 2376 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 2377 2378 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len, 2379 conf->ssid, conf->ssid_len, 2380 conf->mobility_domain, 2381 conf->r0_key_holder, 2382 conf->r0_key_holder_len, 2383 sm->addr, pmk_r0, pmk_r0_name, 2384 use_sha384) < 0) 2385 return -1; 2386 2387 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name); 2388 forced_memzero(fils_ft, sizeof(fils_ft)); 2389 2390 res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder, 2391 sm->addr, sm->pmk_r1_name, 2392 use_sha384); 2393 forced_memzero(pmk_r0, PMK_LEN_MAX); 2394 if (res < 0) 2395 return -1; 2396 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name, 2397 WPA_PMK_NAME_LEN); 2398 sm->pmk_r1_name_valid = 1; 2399 } 2400 #endif /* CONFIG_IEEE80211R_AP */ 2401 2402 res = fils_key_auth_sk(ick, ick_len, snonce, anonce, 2403 sm->addr, sm->wpa_auth->addr, 2404 g_sta ? wpabuf_head(g_sta) : NULL, 2405 g_sta ? wpabuf_len(g_sta) : 0, 2406 g_ap ? wpabuf_head(g_ap) : NULL, 2407 g_ap ? wpabuf_len(g_ap) : 0, 2408 sm->wpa_key_mgmt, sm->fils_key_auth_sta, 2409 sm->fils_key_auth_ap, 2410 &sm->fils_key_auth_len); 2411 forced_memzero(ick, sizeof(ick)); 2412 2413 /* Store nonces for (Re)Association Request/Response frame processing */ 2414 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN); 2415 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN); 2416 2417 return res; 2418 } 2419 2420 2421 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 2422 u8 *buf, size_t buf_len, u16 *_key_data_len) 2423 { 2424 struct ieee802_1x_hdr *hdr; 2425 struct wpa_eapol_key *key; 2426 u8 *pos; 2427 u16 key_data_len; 2428 u8 *tmp; 2429 const u8 *aad[1]; 2430 size_t aad_len[1]; 2431 2432 hdr = (struct ieee802_1x_hdr *) buf; 2433 key = (struct wpa_eapol_key *) (hdr + 1); 2434 pos = (u8 *) (key + 1); 2435 key_data_len = WPA_GET_BE16(pos); 2436 if (key_data_len < AES_BLOCK_SIZE || 2437 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) { 2438 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2439 "No room for AES-SIV data in the frame"); 2440 return -1; 2441 } 2442 pos += 2; /* Pointing at the Encrypted Key Data field */ 2443 2444 tmp = os_malloc(key_data_len); 2445 if (!tmp) 2446 return -1; 2447 2448 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 2449 * to Key Data (exclusive). */ 2450 aad[0] = buf; 2451 aad_len[0] = pos - buf; 2452 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len, 2453 1, aad, aad_len, tmp) < 0) { 2454 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2455 "Invalid AES-SIV data in the frame"); 2456 bin_clear_free(tmp, key_data_len); 2457 return -1; 2458 } 2459 2460 /* AEAD decryption and validation completed successfully */ 2461 key_data_len -= AES_BLOCK_SIZE; 2462 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data", 2463 tmp, key_data_len); 2464 2465 /* Replace Key Data field with the decrypted version */ 2466 os_memcpy(pos, tmp, key_data_len); 2467 pos -= 2; /* Key Data Length field */ 2468 WPA_PUT_BE16(pos, key_data_len); 2469 bin_clear_free(tmp, key_data_len); 2470 if (_key_data_len) 2471 *_key_data_len = key_data_len; 2472 return 0; 2473 } 2474 2475 2476 const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm, 2477 const u8 *ies, size_t ies_len, 2478 const u8 *fils_session) 2479 { 2480 const u8 *ie, *end; 2481 const u8 *session = NULL; 2482 2483 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2484 wpa_printf(MSG_DEBUG, 2485 "FILS: Not a FILS AKM - reject association"); 2486 return NULL; 2487 } 2488 2489 /* Verify Session element */ 2490 ie = ies; 2491 end = ((const u8 *) ie) + ies_len; 2492 while (ie + 1 < end) { 2493 if (ie + 2 + ie[1] > end) 2494 break; 2495 if (ie[0] == WLAN_EID_EXTENSION && 2496 ie[1] >= 1 + FILS_SESSION_LEN && 2497 ie[2] == WLAN_EID_EXT_FILS_SESSION) { 2498 session = ie; 2499 break; 2500 } 2501 ie += 2 + ie[1]; 2502 } 2503 2504 if (!session) { 2505 wpa_printf(MSG_DEBUG, 2506 "FILS: %s: Could not find FILS Session element in Assoc Req - reject", 2507 __func__); 2508 return NULL; 2509 } 2510 2511 if (!fils_session) { 2512 wpa_printf(MSG_DEBUG, 2513 "FILS: %s: Could not find FILS Session element in STA entry - reject", 2514 __func__); 2515 return NULL; 2516 } 2517 2518 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) { 2519 wpa_printf(MSG_DEBUG, "FILS: Session mismatch"); 2520 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 2521 fils_session, FILS_SESSION_LEN); 2522 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session", 2523 session + 3, FILS_SESSION_LEN); 2524 return NULL; 2525 } 2526 return session; 2527 } 2528 2529 2530 int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies, 2531 size_t ies_len) 2532 { 2533 struct ieee802_11_elems elems; 2534 2535 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) { 2536 wpa_printf(MSG_DEBUG, 2537 "FILS: Failed to parse decrypted elements"); 2538 return -1; 2539 } 2540 2541 if (!elems.fils_session) { 2542 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 2543 return -1; 2544 } 2545 2546 if (!elems.fils_key_confirm) { 2547 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element"); 2548 return -1; 2549 } 2550 2551 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) { 2552 wpa_printf(MSG_DEBUG, 2553 "FILS: Unexpected Key-Auth length %d (expected %zu)", 2554 elems.fils_key_confirm_len, 2555 sm->fils_key_auth_len); 2556 return -1; 2557 } 2558 2559 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta, 2560 sm->fils_key_auth_len) != 0) { 2561 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch"); 2562 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth", 2563 elems.fils_key_confirm, elems.fils_key_confirm_len); 2564 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth", 2565 sm->fils_key_auth_sta, sm->fils_key_auth_len); 2566 return -1; 2567 } 2568 2569 return 0; 2570 } 2571 2572 2573 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session, 2574 const struct ieee80211_mgmt *mgmt, size_t frame_len, 2575 u8 *pos, size_t left) 2576 { 2577 u16 fc, stype; 2578 const u8 *end, *ie_start, *ie, *session, *crypt; 2579 const u8 *aad[5]; 2580 size_t aad_len[5]; 2581 2582 if (!sm || !sm->PTK_valid) { 2583 wpa_printf(MSG_DEBUG, 2584 "FILS: No KEK to decrypt Assocication Request frame"); 2585 return -1; 2586 } 2587 2588 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2589 wpa_printf(MSG_DEBUG, 2590 "FILS: Not a FILS AKM - reject association"); 2591 return -1; 2592 } 2593 2594 end = ((const u8 *) mgmt) + frame_len; 2595 fc = le_to_host16(mgmt->frame_control); 2596 stype = WLAN_FC_GET_STYPE(fc); 2597 if (stype == WLAN_FC_STYPE_REASSOC_REQ) 2598 ie_start = mgmt->u.reassoc_req.variable; 2599 else 2600 ie_start = mgmt->u.assoc_req.variable; 2601 ie = ie_start; 2602 2603 /* 2604 * Find FILS Session element which is the last unencrypted element in 2605 * the frame. 2606 */ 2607 session = wpa_fils_validate_fils_session(sm, ie, end - ie, 2608 fils_session); 2609 if (!session) { 2610 wpa_printf(MSG_DEBUG, "FILS: Session validation failed"); 2611 return -1; 2612 } 2613 2614 crypt = session + 2 + session[1]; 2615 2616 if (end - crypt < AES_BLOCK_SIZE) { 2617 wpa_printf(MSG_DEBUG, 2618 "FILS: Too short frame to include AES-SIV data"); 2619 return -1; 2620 } 2621 2622 /* AES-SIV AAD vectors */ 2623 2624 /* The STA's MAC address */ 2625 aad[0] = mgmt->sa; 2626 aad_len[0] = ETH_ALEN; 2627 /* The AP's BSSID */ 2628 aad[1] = mgmt->da; 2629 aad_len[1] = ETH_ALEN; 2630 /* The STA's nonce */ 2631 aad[2] = sm->SNonce; 2632 aad_len[2] = FILS_NONCE_LEN; 2633 /* The AP's nonce */ 2634 aad[3] = sm->ANonce; 2635 aad_len[3] = FILS_NONCE_LEN; 2636 /* 2637 * The (Re)Association Request frame from the Capability Information 2638 * field to the FILS Session element (both inclusive). 2639 */ 2640 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info; 2641 aad_len[4] = crypt - aad[4]; 2642 2643 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt, 2644 5, aad, aad_len, pos + (crypt - ie_start)) < 0) { 2645 wpa_printf(MSG_DEBUG, 2646 "FILS: Invalid AES-SIV data in the frame"); 2647 return -1; 2648 } 2649 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements", 2650 pos, left - AES_BLOCK_SIZE); 2651 2652 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) { 2653 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed"); 2654 return -1; 2655 } 2656 2657 return left - AES_BLOCK_SIZE; 2658 } 2659 2660 2661 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf, 2662 size_t current_len, size_t max_len, 2663 const struct wpabuf *hlp) 2664 { 2665 u8 *end = buf + max_len; 2666 u8 *pos = buf + current_len; 2667 struct ieee80211_mgmt *mgmt; 2668 struct wpabuf *plain; 2669 const u8 *aad[5]; 2670 size_t aad_len[5]; 2671 2672 if (!sm || !sm->PTK_valid) 2673 return -1; 2674 2675 wpa_hexdump(MSG_DEBUG, 2676 "FILS: Association Response frame before FILS processing", 2677 buf, current_len); 2678 2679 mgmt = (struct ieee80211_mgmt *) buf; 2680 2681 /* AES-SIV AAD vectors */ 2682 2683 /* The AP's BSSID */ 2684 aad[0] = mgmt->sa; 2685 aad_len[0] = ETH_ALEN; 2686 /* The STA's MAC address */ 2687 aad[1] = mgmt->da; 2688 aad_len[1] = ETH_ALEN; 2689 /* The AP's nonce */ 2690 aad[2] = sm->ANonce; 2691 aad_len[2] = FILS_NONCE_LEN; 2692 /* The STA's nonce */ 2693 aad[3] = sm->SNonce; 2694 aad_len[3] = FILS_NONCE_LEN; 2695 /* 2696 * The (Re)Association Response frame from the Capability Information 2697 * field (the same offset in both Association and Reassociation 2698 * Response frames) to the FILS Session element (both inclusive). 2699 */ 2700 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info; 2701 aad_len[4] = pos - aad[4]; 2702 2703 /* The following elements will be encrypted with AES-SIV */ 2704 plain = fils_prepare_plainbuf(sm, hlp); 2705 if (!plain) { 2706 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed"); 2707 return -1; 2708 } 2709 2710 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) { 2711 wpa_printf(MSG_DEBUG, 2712 "FILS: Not enough room for FILS elements"); 2713 wpabuf_clear_free(plain); 2714 return -1; 2715 } 2716 2717 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext", 2718 plain); 2719 2720 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, 2721 wpabuf_head(plain), wpabuf_len(plain), 2722 5, aad, aad_len, pos) < 0) { 2723 wpabuf_clear_free(plain); 2724 return -1; 2725 } 2726 2727 wpa_hexdump(MSG_DEBUG, 2728 "FILS: Encrypted Association Response elements", 2729 pos, AES_BLOCK_SIZE + wpabuf_len(plain)); 2730 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE; 2731 wpabuf_clear_free(plain); 2732 2733 sm->fils_completed = 1; 2734 2735 return current_len; 2736 } 2737 2738 2739 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, 2740 const struct wpabuf *hlp) 2741 { 2742 struct wpabuf *plain; 2743 u8 *len, *tmp, *tmp2; 2744 u8 hdr[2]; 2745 u8 *gtk, stub_gtk[32]; 2746 size_t gtk_len; 2747 struct wpa_group *gsm; 2748 size_t plain_len; 2749 struct wpa_auth_config *conf = &sm->wpa_auth->conf; 2750 2751 plain_len = 1000 + ieee80211w_kde_len(sm); 2752 if (conf->transition_disable) 2753 plain_len += 2 + RSN_SELECTOR_LEN + 1; 2754 plain = wpabuf_alloc(plain_len); 2755 if (!plain) 2756 return NULL; 2757 2758 /* TODO: FILS Public Key */ 2759 2760 /* FILS Key Confirmation */ 2761 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2762 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */ 2763 /* Element ID Extension */ 2764 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM); 2765 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len); 2766 2767 /* FILS HLP Container */ 2768 if (hlp) 2769 wpabuf_put_buf(plain, hlp); 2770 2771 /* TODO: FILS IP Address Assignment */ 2772 2773 /* Key Delivery */ 2774 gsm = sm->group; 2775 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2776 len = wpabuf_put(plain, 1); 2777 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY); 2778 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, 2779 wpabuf_put(plain, WPA_KEY_RSC_LEN)); 2780 /* GTK KDE */ 2781 gtk = gsm->GTK[gsm->GN - 1]; 2782 gtk_len = gsm->GTK_len; 2783 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 2784 /* 2785 * Provide unique random GTK to each STA to prevent use 2786 * of GTK in the BSS. 2787 */ 2788 if (random_get_bytes(stub_gtk, gtk_len) < 0) { 2789 wpabuf_clear_free(plain); 2790 return NULL; 2791 } 2792 gtk = stub_gtk; 2793 } 2794 hdr[0] = gsm->GN & 0x03; 2795 hdr[1] = 0; 2796 tmp = wpabuf_put(plain, 0); 2797 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2798 gtk, gtk_len); 2799 wpabuf_put(plain, tmp2 - tmp); 2800 2801 /* IGTK KDE and BIGTK KDE */ 2802 tmp = wpabuf_put(plain, 0); 2803 tmp2 = ieee80211w_kde_add(sm, tmp); 2804 wpabuf_put(plain, tmp2 - tmp); 2805 2806 if (conf->transition_disable) { 2807 tmp = wpabuf_put(plain, 0); 2808 tmp2 = wpa_add_kde(tmp, WFA_KEY_DATA_TRANSITION_DISABLE, 2809 &conf->transition_disable, 1, NULL, 0); 2810 wpabuf_put(plain, tmp2 - tmp); 2811 } 2812 2813 *len = (u8 *) wpabuf_put(plain, 0) - len - 1; 2814 2815 #ifdef CONFIG_OCV 2816 if (wpa_auth_uses_ocv(sm)) { 2817 struct wpa_channel_info ci; 2818 u8 *pos; 2819 2820 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) { 2821 wpa_printf(MSG_WARNING, 2822 "FILS: Failed to get channel info for OCI element"); 2823 wpabuf_clear_free(plain); 2824 return NULL; 2825 } 2826 #ifdef CONFIG_TESTING_OPTIONS 2827 if (conf->oci_freq_override_fils_assoc) { 2828 wpa_printf(MSG_INFO, 2829 "TEST: Override OCI frequency %d -> %u MHz", 2830 ci.frequency, 2831 conf->oci_freq_override_fils_assoc); 2832 ci.frequency = conf->oci_freq_override_fils_assoc; 2833 } 2834 #endif /* CONFIG_TESTING_OPTIONS */ 2835 2836 pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN); 2837 if (ocv_insert_extended_oci(&ci, pos) < 0) { 2838 wpabuf_clear_free(plain); 2839 return NULL; 2840 } 2841 } 2842 #endif /* CONFIG_OCV */ 2843 2844 return plain; 2845 } 2846 2847 2848 int fils_set_tk(struct wpa_state_machine *sm) 2849 { 2850 enum wpa_alg alg; 2851 int klen; 2852 2853 if (!sm || !sm->PTK_valid) { 2854 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK"); 2855 return -1; 2856 } 2857 if (sm->tk_already_set) { 2858 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver"); 2859 return -1; 2860 } 2861 2862 alg = wpa_cipher_to_alg(sm->pairwise); 2863 klen = wpa_cipher_key_len(sm->pairwise); 2864 2865 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); 2866 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2867 sm->PTK.tk, klen, KEY_FLAG_PAIRWISE_RX_TX)) { 2868 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); 2869 return -1; 2870 } 2871 sm->tk_already_set = true; 2872 2873 wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, sm->pairwise, 2874 dot11RSNAConfigPMKLifetime, &sm->PTK); 2875 2876 return 0; 2877 } 2878 2879 2880 u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf, 2881 const u8 *fils_session, struct wpabuf *hlp) 2882 { 2883 struct wpabuf *plain; 2884 u8 *pos = buf; 2885 2886 /* FILS Session */ 2887 *pos++ = WLAN_EID_EXTENSION; /* Element ID */ 2888 *pos++ = 1 + FILS_SESSION_LEN; /* Length */ 2889 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */ 2890 os_memcpy(pos, fils_session, FILS_SESSION_LEN); 2891 pos += FILS_SESSION_LEN; 2892 2893 plain = fils_prepare_plainbuf(sm, hlp); 2894 if (!plain) { 2895 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed"); 2896 return NULL; 2897 } 2898 2899 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain)); 2900 pos += wpabuf_len(plain); 2901 2902 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %zu", __func__, 2903 wpabuf_len(plain)); 2904 wpabuf_clear_free(plain); 2905 sm->fils_completed = 1; 2906 return pos; 2907 } 2908 2909 #endif /* CONFIG_FILS */ 2910 2911 2912 #ifdef CONFIG_OCV 2913 int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth, 2914 int ap_seg1_idx, int *bandwidth, int *seg1_idx) 2915 { 2916 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2917 2918 if (!wpa_auth->cb->get_sta_tx_params) 2919 return -1; 2920 return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr, 2921 ap_max_chanwidth, ap_seg1_idx, 2922 bandwidth, seg1_idx); 2923 } 2924 #endif /* CONFIG_OCV */ 2925 2926 2927 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 2928 { 2929 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2930 struct wpa_ptk PTK; 2931 int ok = 0, psk_found = 0; 2932 const u8 *pmk = NULL; 2933 size_t pmk_len; 2934 int ft; 2935 const u8 *eapol_key_ie, *key_data, *mic; 2936 u16 key_data_length; 2937 size_t mic_len, eapol_key_ie_len; 2938 struct ieee802_1x_hdr *hdr; 2939 struct wpa_eapol_key *key; 2940 struct wpa_eapol_ie_parse kde; 2941 int vlan_id = 0; 2942 int owe_ptk_workaround = !!wpa_auth->conf.owe_ptk_workaround; 2943 2944 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 2945 sm->EAPOLKeyReceived = false; 2946 sm->update_snonce = false; 2947 os_memset(&PTK, 0, sizeof(PTK)); 2948 2949 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 2950 2951 /* WPA with IEEE 802.1X: use the derived PMK from EAP 2952 * WPA-PSK: iterate through possible PSKs and select the one matching 2953 * the packet */ 2954 for (;;) { 2955 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 2956 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 2957 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 2958 sm->p2p_dev_addr, pmk, &pmk_len, 2959 &vlan_id); 2960 if (!pmk) 2961 break; 2962 psk_found = 1; 2963 #ifdef CONFIG_IEEE80211R_AP 2964 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { 2965 os_memcpy(sm->xxkey, pmk, pmk_len); 2966 sm->xxkey_len = pmk_len; 2967 } 2968 #endif /* CONFIG_IEEE80211R_AP */ 2969 } else { 2970 pmk = sm->PMK; 2971 pmk_len = sm->pmk_len; 2972 } 2973 2974 if ((!pmk || !pmk_len) && sm->pmksa) { 2975 wpa_printf(MSG_DEBUG, "WPA: Use PMK from PMKSA cache"); 2976 pmk = sm->pmksa->pmk; 2977 pmk_len = sm->pmksa->pmk_len; 2978 } 2979 2980 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK, 2981 owe_ptk_workaround == 2) < 0) 2982 break; 2983 2984 if (mic_len && 2985 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK, 2986 sm->last_rx_eapol_key, 2987 sm->last_rx_eapol_key_len) == 0) { 2988 if (sm->PMK != pmk) { 2989 os_memcpy(sm->PMK, pmk, pmk_len); 2990 sm->pmk_len = pmk_len; 2991 } 2992 ok = 1; 2993 break; 2994 } 2995 2996 #ifdef CONFIG_FILS 2997 if (!mic_len && 2998 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key, 2999 sm->last_rx_eapol_key_len, NULL) == 0) { 3000 ok = 1; 3001 break; 3002 } 3003 #endif /* CONFIG_FILS */ 3004 3005 #ifdef CONFIG_OWE 3006 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && pmk_len > 32 && 3007 owe_ptk_workaround == 1) { 3008 wpa_printf(MSG_DEBUG, 3009 "OWE: Try PTK derivation workaround with SHA256"); 3010 owe_ptk_workaround = 2; 3011 continue; 3012 } 3013 #endif /* CONFIG_OWE */ 3014 3015 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 3016 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) 3017 break; 3018 } 3019 3020 if (!ok) { 3021 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3022 "invalid MIC in msg 2/4 of 4-Way Handshake"); 3023 if (psk_found) 3024 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr); 3025 return; 3026 } 3027 3028 /* 3029 * Note: last_rx_eapol_key length fields have already been validated in 3030 * wpa_receive(). 3031 */ 3032 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key; 3033 key = (struct wpa_eapol_key *) (hdr + 1); 3034 mic = (u8 *) (key + 1); 3035 key_data = mic + mic_len + 2; 3036 key_data_length = WPA_GET_BE16(mic + mic_len); 3037 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) - 3038 sizeof(*key) - mic_len - 2) 3039 return; 3040 3041 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 3042 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 3043 "received EAPOL-Key msg 2/4 with invalid Key Data contents"); 3044 return; 3045 } 3046 if (kde.rsn_ie) { 3047 eapol_key_ie = kde.rsn_ie; 3048 eapol_key_ie_len = kde.rsn_ie_len; 3049 } else if (kde.osen) { 3050 eapol_key_ie = kde.osen; 3051 eapol_key_ie_len = kde.osen_len; 3052 } else { 3053 eapol_key_ie = kde.wpa_ie; 3054 eapol_key_ie_len = kde.wpa_ie_len; 3055 } 3056 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt); 3057 if (!sm->wpa_ie || 3058 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len, 3059 eapol_key_ie, eapol_key_ie_len)) { 3060 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 3061 "WPA IE from (Re)AssocReq did not match with msg 2/4"); 3062 if (sm->wpa_ie) { 3063 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 3064 sm->wpa_ie, sm->wpa_ie_len); 3065 } 3066 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 3067 eapol_key_ie, eapol_key_ie_len); 3068 /* MLME-DEAUTHENTICATE.request */ 3069 wpa_sta_disconnect(wpa_auth, sm->addr, 3070 WLAN_REASON_PREV_AUTH_NOT_VALID); 3071 return; 3072 } 3073 if ((!sm->rsnxe && kde.rsnxe) || 3074 (sm->rsnxe && !kde.rsnxe) || 3075 (sm->rsnxe && kde.rsnxe && 3076 (sm->rsnxe_len != kde.rsnxe_len || 3077 os_memcmp(sm->rsnxe, kde.rsnxe, sm->rsnxe_len) != 0))) { 3078 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 3079 "RSNXE from (Re)AssocReq did not match the one in EAPOL-Key msg 2/4"); 3080 wpa_hexdump(MSG_DEBUG, "RSNXE in AssocReq", 3081 sm->rsnxe, sm->rsnxe_len); 3082 wpa_hexdump(MSG_DEBUG, "RSNXE in EAPOL-Key msg 2/4", 3083 kde.rsnxe, kde.rsnxe_len); 3084 /* MLME-DEAUTHENTICATE.request */ 3085 wpa_sta_disconnect(wpa_auth, sm->addr, 3086 WLAN_REASON_PREV_AUTH_NOT_VALID); 3087 return; 3088 } 3089 #ifdef CONFIG_OCV 3090 if (wpa_auth_uses_ocv(sm)) { 3091 struct wpa_channel_info ci; 3092 int tx_chanwidth; 3093 int tx_seg1_idx; 3094 enum oci_verify_result res; 3095 3096 if (wpa_channel_info(wpa_auth, &ci) != 0) { 3097 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 3098 "Failed to get channel info to validate received OCI in EAPOL-Key 2/4"); 3099 return; 3100 } 3101 3102 if (get_sta_tx_parameters(sm, 3103 channel_width_to_int(ci.chanwidth), 3104 ci.seg1_idx, &tx_chanwidth, 3105 &tx_seg1_idx) < 0) 3106 return; 3107 3108 res = ocv_verify_tx_params(kde.oci, kde.oci_len, &ci, 3109 tx_chanwidth, tx_seg1_idx); 3110 if (wpa_auth_uses_ocv(sm) == 2 && res == OCI_NOT_FOUND) { 3111 /* Work around misbehaving STAs */ 3112 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 3113 "Disable OCV with a STA that does not send OCI"); 3114 wpa_auth_set_ocv(sm, 0); 3115 } else if (res != OCI_SUCCESS) { 3116 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 3117 "OCV failed: %s", ocv_errorstr); 3118 if (wpa_auth->conf.msg_ctx) 3119 wpa_msg(wpa_auth->conf.msg_ctx, MSG_INFO, 3120 OCV_FAILURE "addr=" MACSTR 3121 " frame=eapol-key-m2 error=%s", 3122 MAC2STR(sm->addr), ocv_errorstr); 3123 return; 3124 } 3125 } 3126 #endif /* CONFIG_OCV */ 3127 #ifdef CONFIG_IEEE80211R_AP 3128 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 3129 wpa_sta_disconnect(wpa_auth, sm->addr, 3130 WLAN_REASON_PREV_AUTH_NOT_VALID); 3131 return; 3132 } 3133 #endif /* CONFIG_IEEE80211R_AP */ 3134 #ifdef CONFIG_P2P 3135 if (kde.ip_addr_req && kde.ip_addr_req[0] && 3136 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) { 3137 int idx; 3138 wpa_printf(MSG_DEBUG, 3139 "P2P: IP address requested in EAPOL-Key exchange"); 3140 idx = bitfield_get_first_zero(wpa_auth->ip_pool); 3141 if (idx >= 0) { 3142 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start); 3143 bitfield_set(wpa_auth->ip_pool, idx); 3144 WPA_PUT_BE32(sm->ip_addr, start + idx); 3145 wpa_printf(MSG_DEBUG, 3146 "P2P: Assigned IP address %u.%u.%u.%u to " 3147 MACSTR, sm->ip_addr[0], sm->ip_addr[1], 3148 sm->ip_addr[2], sm->ip_addr[3], 3149 MAC2STR(sm->addr)); 3150 } 3151 } 3152 #endif /* CONFIG_P2P */ 3153 3154 #ifdef CONFIG_DPP2 3155 if (DPP_VERSION > 1 && kde.dpp_kde) { 3156 wpa_printf(MSG_DEBUG, 3157 "DPP: peer Protocol Version %u Flags 0x%x", 3158 kde.dpp_kde[0], kde.dpp_kde[1]); 3159 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && 3160 wpa_auth->conf.dpp_pfs != 2 && 3161 (kde.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && 3162 !sm->dpp_z) { 3163 wpa_printf(MSG_INFO, 3164 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association"); 3165 wpa_sta_disconnect(wpa_auth, sm->addr, 3166 WLAN_REASON_PREV_AUTH_NOT_VALID); 3167 return; 3168 } 3169 } 3170 #endif /* CONFIG_DPP2 */ 3171 3172 #ifdef CONFIG_IEEE80211R_AP 3173 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 3174 /* 3175 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 3176 * with the value we derived. 3177 */ 3178 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name, 3179 WPA_PMK_NAME_LEN) != 0) { 3180 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3181 "PMKR1Name mismatch in FT 4-way handshake"); 3182 wpa_hexdump(MSG_DEBUG, 3183 "FT: PMKR1Name from Supplicant", 3184 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 3185 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 3186 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 3187 return; 3188 } 3189 } 3190 #endif /* CONFIG_IEEE80211R_AP */ 3191 3192 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 3193 wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) { 3194 wpa_sta_disconnect(wpa_auth, sm->addr, 3195 WLAN_REASON_PREV_AUTH_NOT_VALID); 3196 return; 3197 } 3198 3199 sm->pending_1_of_4_timeout = 0; 3200 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 3201 3202 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && sm->PMK != pmk) { 3203 /* PSK may have changed from the previous choice, so update 3204 * state machine data based on whatever PSK was selected here. 3205 */ 3206 os_memcpy(sm->PMK, pmk, PMK_LEN); 3207 sm->pmk_len = PMK_LEN; 3208 } 3209 3210 sm->MICVerified = true; 3211 3212 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 3213 forced_memzero(&PTK, sizeof(PTK)); 3214 sm->PTK_valid = true; 3215 } 3216 3217 3218 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 3219 { 3220 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 3221 sm->TimeoutCtr = 0; 3222 } 3223 3224 3225 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 3226 { 3227 size_t len = 0; 3228 3229 if (sm->mgmt_frame_prot) { 3230 len += 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN; 3231 len += wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 3232 } 3233 if (sm->mgmt_frame_prot && sm->wpa_auth->conf.beacon_prot) { 3234 len += 2 + RSN_SELECTOR_LEN + WPA_BIGTK_KDE_PREFIX_LEN; 3235 len += wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 3236 } 3237 3238 return len; 3239 } 3240 3241 3242 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 3243 { 3244 struct wpa_igtk_kde igtk; 3245 struct wpa_bigtk_kde bigtk; 3246 struct wpa_group *gsm = sm->group; 3247 u8 rsc[WPA_KEY_RSC_LEN]; 3248 struct wpa_auth_config *conf = &sm->wpa_auth->conf; 3249 size_t len = wpa_cipher_key_len(conf->group_mgmt_cipher); 3250 3251 if (!sm->mgmt_frame_prot) 3252 return pos; 3253 3254 igtk.keyid[0] = gsm->GN_igtk; 3255 igtk.keyid[1] = 0; 3256 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 3257 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0) 3258 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 3259 else 3260 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); 3261 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len); 3262 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 3263 /* 3264 * Provide unique random IGTK to each STA to prevent use of 3265 * IGTK in the BSS. 3266 */ 3267 if (random_get_bytes(igtk.igtk, len) < 0) 3268 return pos; 3269 } 3270 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 3271 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len, 3272 NULL, 0); 3273 3274 if (!conf->beacon_prot) 3275 return pos; 3276 3277 bigtk.keyid[0] = gsm->GN_bigtk; 3278 bigtk.keyid[1] = 0; 3279 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 3280 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_bigtk, rsc) < 0) 3281 os_memset(bigtk.pn, 0, sizeof(bigtk.pn)); 3282 else 3283 os_memcpy(bigtk.pn, rsc, sizeof(bigtk.pn)); 3284 os_memcpy(bigtk.bigtk, gsm->BIGTK[gsm->GN_bigtk - 6], len); 3285 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 3286 /* 3287 * Provide unique random BIGTK to each OSEN STA to prevent use 3288 * of BIGTK in the BSS. 3289 */ 3290 if (random_get_bytes(bigtk.bigtk, len) < 0) 3291 return pos; 3292 } 3293 pos = wpa_add_kde(pos, RSN_KEY_DATA_BIGTK, 3294 (const u8 *) &bigtk, WPA_BIGTK_KDE_PREFIX_LEN + len, 3295 NULL, 0); 3296 3297 return pos; 3298 } 3299 3300 3301 static int ocv_oci_len(struct wpa_state_machine *sm) 3302 { 3303 #ifdef CONFIG_OCV 3304 if (wpa_auth_uses_ocv(sm)) 3305 return OCV_OCI_KDE_LEN; 3306 #endif /* CONFIG_OCV */ 3307 return 0; 3308 } 3309 3310 3311 static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos, 3312 unsigned int freq) 3313 { 3314 #ifdef CONFIG_OCV 3315 struct wpa_channel_info ci; 3316 3317 if (!wpa_auth_uses_ocv(sm)) 3318 return 0; 3319 3320 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) { 3321 wpa_printf(MSG_WARNING, 3322 "Failed to get channel info for OCI element"); 3323 return -1; 3324 } 3325 #ifdef CONFIG_TESTING_OPTIONS 3326 if (freq) { 3327 wpa_printf(MSG_INFO, 3328 "TEST: Override OCI KDE frequency %d -> %u MHz", 3329 ci.frequency, freq); 3330 ci.frequency = freq; 3331 } 3332 #endif /* CONFIG_TESTING_OPTIONS */ 3333 3334 return ocv_insert_oci_kde(&ci, argpos); 3335 #else /* CONFIG_OCV */ 3336 return 0; 3337 #endif /* CONFIG_OCV */ 3338 } 3339 3340 3341 #ifdef CONFIG_TESTING_OPTIONS 3342 static u8 * replace_ie(const char *name, const u8 *old_buf, size_t *len, u8 eid, 3343 const u8 *ie, size_t ie_len) 3344 { 3345 const u8 *elem; 3346 u8 *buf; 3347 3348 wpa_printf(MSG_DEBUG, "TESTING: %s EAPOL override", name); 3349 wpa_hexdump(MSG_DEBUG, "TESTING: wpa_ie before override", 3350 old_buf, *len); 3351 buf = os_malloc(*len + ie_len); 3352 if (!buf) 3353 return NULL; 3354 os_memcpy(buf, old_buf, *len); 3355 elem = get_ie(buf, *len, eid); 3356 if (elem) { 3357 u8 elem_len = 2 + elem[1]; 3358 3359 os_memmove((void *) elem, elem + elem_len, 3360 *len - (elem - buf) - elem_len); 3361 *len -= elem_len; 3362 } 3363 os_memcpy(buf + *len, ie, ie_len); 3364 *len += ie_len; 3365 wpa_hexdump(MSG_DEBUG, "TESTING: wpa_ie after EAPOL override", 3366 buf, *len); 3367 3368 return buf; 3369 } 3370 #endif /* CONFIG_TESTING_OPTIONS */ 3371 3372 3373 SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 3374 { 3375 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde = NULL, *pos, stub_gtk[32]; 3376 size_t gtk_len, kde_len, wpa_ie_len; 3377 struct wpa_group *gsm = sm->group; 3378 u8 *wpa_ie; 3379 int secure, gtkidx, encr = 0; 3380 u8 *wpa_ie_buf = NULL, *wpa_ie_buf2 = NULL; 3381 u8 hdr[2]; 3382 struct wpa_auth_config *conf = &sm->wpa_auth->conf; 3383 3384 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 3385 sm->TimeoutEvt = false; 3386 3387 sm->TimeoutCtr++; 3388 if (conf->wpa_disable_eapol_key_retries && sm->TimeoutCtr > 1) { 3389 /* Do not allow retransmission of EAPOL-Key msg 3/4 */ 3390 return; 3391 } 3392 if (sm->TimeoutCtr > conf->wpa_pairwise_update_count) { 3393 /* No point in sending the EAPOL-Key - we will disconnect 3394 * immediately following this. */ 3395 return; 3396 } 3397 3398 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 3399 GTK[GN], IGTK, [BIGTK], [FTIE], [TIE * 2]) 3400 */ 3401 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 3402 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 3403 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 3404 wpa_ie = sm->wpa_auth->wpa_ie; 3405 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 3406 if (sm->wpa == WPA_VERSION_WPA && (conf->wpa & WPA_PROTO_RSN) && 3407 wpa_ie_len > wpa_ie[1] + 2U && wpa_ie[0] == WLAN_EID_RSN) { 3408 /* WPA-only STA, remove RSN IE and possible MDIE */ 3409 wpa_ie = wpa_ie + wpa_ie[1] + 2; 3410 if (wpa_ie[0] == WLAN_EID_RSNX) 3411 wpa_ie = wpa_ie + wpa_ie[1] + 2; 3412 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 3413 wpa_ie = wpa_ie + wpa_ie[1] + 2; 3414 wpa_ie_len = wpa_ie[1] + 2; 3415 } 3416 #ifdef CONFIG_TESTING_OPTIONS 3417 if (conf->rsne_override_eapol_set) { 3418 wpa_ie_buf2 = replace_ie( 3419 "RSNE", wpa_ie, &wpa_ie_len, WLAN_EID_RSN, 3420 conf->rsne_override_eapol, 3421 conf->rsne_override_eapol_len); 3422 if (!wpa_ie_buf2) 3423 goto done; 3424 wpa_ie = wpa_ie_buf2; 3425 } 3426 if (conf->rsnxe_override_eapol_set) { 3427 wpa_ie_buf = replace_ie( 3428 "RSNXE", wpa_ie, &wpa_ie_len, WLAN_EID_RSNX, 3429 conf->rsnxe_override_eapol, 3430 conf->rsnxe_override_eapol_len); 3431 if (!wpa_ie_buf) 3432 goto done; 3433 wpa_ie = wpa_ie_buf; 3434 } 3435 #endif /* CONFIG_TESTING_OPTIONS */ 3436 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3437 "sending 3/4 msg of 4-Way Handshake"); 3438 if (sm->wpa == WPA_VERSION_WPA2) { 3439 if (sm->use_ext_key_id && sm->TimeoutCtr == 1 && 3440 wpa_auth_set_key(sm->wpa_auth, 0, 3441 wpa_cipher_to_alg(sm->pairwise), 3442 sm->addr, 3443 sm->keyidx_active, sm->PTK.tk, 3444 wpa_cipher_key_len(sm->pairwise), 3445 KEY_FLAG_PAIRWISE_RX)) { 3446 wpa_sta_disconnect(sm->wpa_auth, sm->addr, 3447 WLAN_REASON_PREV_AUTH_NOT_VALID); 3448 return; 3449 } 3450 3451 /* WPA2 send GTK in the 4-way handshake */ 3452 secure = 1; 3453 gtk = gsm->GTK[gsm->GN - 1]; 3454 gtk_len = gsm->GTK_len; 3455 if (conf->disable_gtk || 3456 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 3457 /* 3458 * Provide unique random GTK to each STA to prevent use 3459 * of GTK in the BSS. 3460 */ 3461 if (random_get_bytes(stub_gtk, gtk_len) < 0) 3462 goto done; 3463 gtk = stub_gtk; 3464 } 3465 gtkidx = gsm->GN; 3466 _rsc = rsc; 3467 encr = 1; 3468 } else { 3469 /* WPA does not include GTK in msg 3/4 */ 3470 secure = 0; 3471 gtk = NULL; 3472 gtk_len = 0; 3473 _rsc = NULL; 3474 if (sm->rx_eapol_key_secure) { 3475 /* 3476 * It looks like Windows 7 supplicant tries to use 3477 * Secure bit in msg 2/4 after having reported Michael 3478 * MIC failure and it then rejects the 4-way handshake 3479 * if msg 3/4 does not set Secure bit. Work around this 3480 * by setting the Secure bit here even in the case of 3481 * WPA if the supplicant used it first. 3482 */ 3483 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3484 "STA used Secure bit in WPA msg 2/4 - set Secure for 3/4 as workaround"); 3485 secure = 1; 3486 } 3487 } 3488 3489 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm); 3490 3491 if (sm->use_ext_key_id) 3492 kde_len += 2 + RSN_SELECTOR_LEN + 2; 3493 3494 if (gtk) 3495 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 3496 #ifdef CONFIG_IEEE80211R_AP 3497 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 3498 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 3499 kde_len += 300; /* FTIE + 2 * TIE */ 3500 } 3501 #endif /* CONFIG_IEEE80211R_AP */ 3502 #ifdef CONFIG_P2P 3503 if (WPA_GET_BE32(sm->ip_addr) > 0) 3504 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4; 3505 #endif /* CONFIG_P2P */ 3506 3507 if (conf->transition_disable) 3508 kde_len += 2 + RSN_SELECTOR_LEN + 1; 3509 3510 #ifdef CONFIG_DPP2 3511 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) 3512 kde_len += 2 + RSN_SELECTOR_LEN + 2; 3513 #endif /* CONFIG_DPP2 */ 3514 3515 kde = os_malloc(kde_len); 3516 if (!kde) 3517 goto done; 3518 3519 pos = kde; 3520 os_memcpy(pos, wpa_ie, wpa_ie_len); 3521 pos += wpa_ie_len; 3522 #ifdef CONFIG_IEEE80211R_AP 3523 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 3524 int res; 3525 size_t elen; 3526 3527 elen = pos - kde; 3528 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 3529 if (res < 0) { 3530 wpa_printf(MSG_ERROR, 3531 "FT: Failed to insert PMKR1Name into RSN IE in EAPOL-Key data"); 3532 goto done; 3533 } 3534 pos -= wpa_ie_len; 3535 pos += elen; 3536 } 3537 #endif /* CONFIG_IEEE80211R_AP */ 3538 hdr[1] = 0; 3539 3540 if (sm->use_ext_key_id) { 3541 hdr[0] = sm->keyidx_active & 0x01; 3542 pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0); 3543 } 3544 3545 if (gtk) { 3546 hdr[0] = gtkidx & 0x03; 3547 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 3548 gtk, gtk_len); 3549 } 3550 pos = ieee80211w_kde_add(sm, pos); 3551 if (ocv_oci_add(sm, &pos, conf->oci_freq_override_eapol_m3) < 0) 3552 goto done; 3553 3554 #ifdef CONFIG_IEEE80211R_AP 3555 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 3556 int res; 3557 3558 if (sm->assoc_resp_ftie && 3559 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 3560 os_memcpy(pos, sm->assoc_resp_ftie, 3561 2 + sm->assoc_resp_ftie[1]); 3562 res = 2 + sm->assoc_resp_ftie[1]; 3563 } else { 3564 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 3565 3566 res = wpa_write_ftie(conf, use_sha384, 3567 conf->r0_key_holder, 3568 conf->r0_key_holder_len, 3569 NULL, NULL, pos, 3570 kde + kde_len - pos, 3571 NULL, 0, 0); 3572 } 3573 if (res < 0) { 3574 wpa_printf(MSG_ERROR, 3575 "FT: Failed to insert FTIE into EAPOL-Key Key Data"); 3576 goto done; 3577 } 3578 pos += res; 3579 3580 /* TIE[ReassociationDeadline] (TU) */ 3581 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 3582 *pos++ = 5; 3583 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 3584 WPA_PUT_LE32(pos, conf->reassociation_deadline); 3585 pos += 4; 3586 3587 /* TIE[KeyLifetime] (seconds) */ 3588 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 3589 *pos++ = 5; 3590 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 3591 WPA_PUT_LE32(pos, conf->r0_key_lifetime); 3592 pos += 4; 3593 } 3594 #endif /* CONFIG_IEEE80211R_AP */ 3595 #ifdef CONFIG_P2P 3596 if (WPA_GET_BE32(sm->ip_addr) > 0) { 3597 u8 addr[3 * 4]; 3598 os_memcpy(addr, sm->ip_addr, 4); 3599 os_memcpy(addr + 4, conf->ip_addr_mask, 4); 3600 os_memcpy(addr + 8, conf->ip_addr_go, 4); 3601 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC, 3602 addr, sizeof(addr), NULL, 0); 3603 } 3604 #endif /* CONFIG_P2P */ 3605 3606 if (conf->transition_disable) 3607 pos = wpa_add_kde(pos, WFA_KEY_DATA_TRANSITION_DISABLE, 3608 &conf->transition_disable, 1, NULL, 0); 3609 3610 #ifdef CONFIG_DPP2 3611 if (DPP_VERSION > 1 && sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) { 3612 u8 payload[2]; 3613 3614 payload[0] = DPP_VERSION; /* Protocol Version */ 3615 payload[1] = 0; /* Flags */ 3616 if (conf->dpp_pfs == 0) 3617 payload[1] |= DPP_KDE_PFS_ALLOWED; 3618 else if (conf->dpp_pfs == 1) 3619 payload[1] |= DPP_KDE_PFS_ALLOWED | 3620 DPP_KDE_PFS_REQUIRED; 3621 pos = wpa_add_kde(pos, WFA_KEY_DATA_DPP, 3622 payload, sizeof(payload), NULL, 0); 3623 } 3624 #endif /* CONFIG_DPP2 */ 3625 3626 wpa_send_eapol(sm->wpa_auth, sm, 3627 (secure ? WPA_KEY_INFO_SECURE : 0) | 3628 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 3629 WPA_KEY_INFO_MIC : 0) | 3630 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 3631 WPA_KEY_INFO_KEY_TYPE, 3632 _rsc, sm->ANonce, kde, pos - kde, 0, encr); 3633 done: 3634 os_free(kde); 3635 os_free(wpa_ie_buf); 3636 os_free(wpa_ie_buf2); 3637 } 3638 3639 3640 SM_STATE(WPA_PTK, PTKINITDONE) 3641 { 3642 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 3643 sm->EAPOLKeyReceived = false; 3644 if (sm->Pair) { 3645 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 3646 int klen = wpa_cipher_key_len(sm->pairwise); 3647 int res; 3648 3649 if (sm->use_ext_key_id) 3650 res = wpa_auth_set_key(sm->wpa_auth, 0, 0, sm->addr, 3651 sm->keyidx_active, NULL, 0, 3652 KEY_FLAG_PAIRWISE_RX_TX_MODIFY); 3653 else 3654 res = wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 3655 0, sm->PTK.tk, klen, 3656 KEY_FLAG_PAIRWISE_RX_TX); 3657 if (res) { 3658 wpa_sta_disconnect(sm->wpa_auth, sm->addr, 3659 WLAN_REASON_PREV_AUTH_NOT_VALID); 3660 return; 3661 } 3662 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 3663 sm->pairwise_set = true; 3664 3665 wpa_auth_set_ptk_rekey_timer(sm); 3666 wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, sm->pairwise, 3667 dot11RSNAConfigPMKLifetime, &sm->PTK); 3668 3669 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 3670 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 3671 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) { 3672 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 3673 WPA_EAPOL_authorized, 1); 3674 } 3675 } 3676 3677 if (0 /* IBSS == TRUE */) { 3678 sm->keycount++; 3679 if (sm->keycount == 2) { 3680 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 3681 WPA_EAPOL_portValid, 1); 3682 } 3683 } else { 3684 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 3685 1); 3686 } 3687 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 3688 false); 3689 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, true); 3690 if (sm->wpa == WPA_VERSION_WPA) 3691 sm->PInitAKeys = true; 3692 else 3693 sm->has_GTK = true; 3694 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3695 "pairwise key handshake completed (%s)", 3696 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 3697 wpa_msg(sm->wpa_auth->conf.msg_ctx, MSG_INFO, "EAPOL-4WAY-HS-COMPLETED " 3698 MACSTR, MAC2STR(sm->addr)); 3699 3700 #ifdef CONFIG_IEEE80211R_AP 3701 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 3702 #endif /* CONFIG_IEEE80211R_AP */ 3703 } 3704 3705 3706 SM_STEP(WPA_PTK) 3707 { 3708 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 3709 struct wpa_auth_config *conf = &wpa_auth->conf; 3710 3711 if (sm->Init) 3712 SM_ENTER(WPA_PTK, INITIALIZE); 3713 else if (sm->Disconnect 3714 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 3715 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 3716 "WPA_PTK: sm->Disconnect"); 3717 SM_ENTER(WPA_PTK, DISCONNECT); 3718 } 3719 else if (sm->DeauthenticationRequest) 3720 SM_ENTER(WPA_PTK, DISCONNECTED); 3721 else if (sm->AuthenticationRequest) 3722 SM_ENTER(WPA_PTK, AUTHENTICATION); 3723 else if (sm->ReAuthenticationRequest) 3724 SM_ENTER(WPA_PTK, AUTHENTICATION2); 3725 else if (sm->PTKRequest) { 3726 if (wpa_auth_sm_ptk_update(sm) < 0) 3727 SM_ENTER(WPA_PTK, DISCONNECTED); 3728 else 3729 SM_ENTER(WPA_PTK, PTKSTART); 3730 } else switch (sm->wpa_ptk_state) { 3731 case WPA_PTK_INITIALIZE: 3732 break; 3733 case WPA_PTK_DISCONNECT: 3734 SM_ENTER(WPA_PTK, DISCONNECTED); 3735 break; 3736 case WPA_PTK_DISCONNECTED: 3737 SM_ENTER(WPA_PTK, INITIALIZE); 3738 break; 3739 case WPA_PTK_AUTHENTICATION: 3740 SM_ENTER(WPA_PTK, AUTHENTICATION2); 3741 break; 3742 case WPA_PTK_AUTHENTICATION2: 3743 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 3744 wpa_auth_get_eapol(wpa_auth, sm->addr, 3745 WPA_EAPOL_keyRun)) 3746 SM_ENTER(WPA_PTK, INITPMK); 3747 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 3748 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE 3749 /* FIX: && 802.1X::keyRun */) 3750 SM_ENTER(WPA_PTK, INITPSK); 3751 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) 3752 SM_ENTER(WPA_PTK, INITPMK); 3753 break; 3754 case WPA_PTK_INITPMK: 3755 if (wpa_auth_get_eapol(wpa_auth, sm->addr, 3756 WPA_EAPOL_keyAvailable)) { 3757 SM_ENTER(WPA_PTK, PTKSTART); 3758 #ifdef CONFIG_DPP 3759 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) { 3760 SM_ENTER(WPA_PTK, PTKSTART); 3761 #endif /* CONFIG_DPP */ 3762 } else { 3763 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3764 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 3765 "INITPMK - keyAvailable = false"); 3766 SM_ENTER(WPA_PTK, DISCONNECT); 3767 } 3768 break; 3769 case WPA_PTK_INITPSK: 3770 if (wpa_auth_get_psk(wpa_auth, sm->addr, sm->p2p_dev_addr, 3771 NULL, NULL, NULL)) { 3772 SM_ENTER(WPA_PTK, PTKSTART); 3773 #ifdef CONFIG_SAE 3774 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) { 3775 SM_ENTER(WPA_PTK, PTKSTART); 3776 #endif /* CONFIG_SAE */ 3777 } else { 3778 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 3779 "no PSK configured for the STA"); 3780 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3781 SM_ENTER(WPA_PTK, DISCONNECT); 3782 } 3783 break; 3784 case WPA_PTK_PTKSTART: 3785 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3786 sm->EAPOLKeyPairwise) 3787 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3788 else if (sm->TimeoutCtr > conf->wpa_pairwise_update_count) { 3789 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3790 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 3791 "PTKSTART: Retry limit %u reached", 3792 conf->wpa_pairwise_update_count); 3793 sm->disconnect_reason = 3794 WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT; 3795 SM_ENTER(WPA_PTK, DISCONNECT); 3796 } else if (sm->TimeoutEvt) 3797 SM_ENTER(WPA_PTK, PTKSTART); 3798 break; 3799 case WPA_PTK_PTKCALCNEGOTIATING: 3800 if (sm->MICVerified) 3801 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 3802 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3803 sm->EAPOLKeyPairwise) 3804 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3805 else if (sm->TimeoutEvt) 3806 SM_ENTER(WPA_PTK, PTKSTART); 3807 break; 3808 case WPA_PTK_PTKCALCNEGOTIATING2: 3809 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3810 break; 3811 case WPA_PTK_PTKINITNEGOTIATING: 3812 if (sm->update_snonce) 3813 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3814 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3815 sm->EAPOLKeyPairwise && sm->MICVerified) 3816 SM_ENTER(WPA_PTK, PTKINITDONE); 3817 else if (sm->TimeoutCtr > 3818 conf->wpa_pairwise_update_count || 3819 (conf->wpa_disable_eapol_key_retries && 3820 sm->TimeoutCtr > 1)) { 3821 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3822 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 3823 "PTKINITNEGOTIATING: Retry limit %u reached", 3824 conf->wpa_pairwise_update_count); 3825 sm->disconnect_reason = 3826 WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT; 3827 SM_ENTER(WPA_PTK, DISCONNECT); 3828 } else if (sm->TimeoutEvt) 3829 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3830 break; 3831 case WPA_PTK_PTKINITDONE: 3832 break; 3833 } 3834 } 3835 3836 3837 SM_STATE(WPA_PTK_GROUP, IDLE) 3838 { 3839 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 3840 if (sm->Init) { 3841 /* Init flag is not cleared here, so avoid busy 3842 * loop by claiming nothing changed. */ 3843 sm->changed = false; 3844 } 3845 sm->GTimeoutCtr = 0; 3846 } 3847 3848 3849 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 3850 { 3851 u8 rsc[WPA_KEY_RSC_LEN]; 3852 struct wpa_group *gsm = sm->group; 3853 const u8 *kde; 3854 u8 *kde_buf = NULL, *pos, hdr[2]; 3855 size_t kde_len; 3856 u8 *gtk, stub_gtk[32]; 3857 struct wpa_auth_config *conf = &sm->wpa_auth->conf; 3858 3859 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 3860 3861 sm->GTimeoutCtr++; 3862 if (conf->wpa_disable_eapol_key_retries && sm->GTimeoutCtr > 1) { 3863 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */ 3864 return; 3865 } 3866 if (sm->GTimeoutCtr > conf->wpa_group_update_count) { 3867 /* No point in sending the EAPOL-Key - we will disconnect 3868 * immediately following this. */ 3869 return; 3870 } 3871 3872 if (sm->wpa == WPA_VERSION_WPA) 3873 sm->PInitAKeys = false; 3874 sm->TimeoutEvt = false; 3875 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 3876 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 3877 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 3878 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 3879 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3880 "sending 1/2 msg of Group Key Handshake"); 3881 3882 gtk = gsm->GTK[gsm->GN - 1]; 3883 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 3884 /* 3885 * Provide unique random GTK to each STA to prevent use 3886 * of GTK in the BSS. 3887 */ 3888 if (random_get_bytes(stub_gtk, gsm->GTK_len) < 0) 3889 return; 3890 gtk = stub_gtk; 3891 } 3892 if (sm->wpa == WPA_VERSION_WPA2) { 3893 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 3894 ieee80211w_kde_len(sm) + ocv_oci_len(sm); 3895 kde_buf = os_malloc(kde_len); 3896 if (!kde_buf) 3897 return; 3898 3899 kde = pos = kde_buf; 3900 hdr[0] = gsm->GN & 0x03; 3901 hdr[1] = 0; 3902 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 3903 gtk, gsm->GTK_len); 3904 pos = ieee80211w_kde_add(sm, pos); 3905 if (ocv_oci_add(sm, &pos, 3906 conf->oci_freq_override_eapol_g1) < 0) { 3907 os_free(kde_buf); 3908 return; 3909 } 3910 kde_len = pos - kde; 3911 } else { 3912 kde = gtk; 3913 kde_len = gsm->GTK_len; 3914 } 3915 3916 wpa_send_eapol(sm->wpa_auth, sm, 3917 WPA_KEY_INFO_SECURE | 3918 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 3919 WPA_KEY_INFO_MIC : 0) | 3920 WPA_KEY_INFO_ACK | 3921 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 3922 rsc, NULL, kde, kde_len, gsm->GN, 1); 3923 3924 os_free(kde_buf); 3925 } 3926 3927 3928 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 3929 { 3930 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 3931 #ifdef CONFIG_OCV 3932 const u8 *key_data, *mic; 3933 struct ieee802_1x_hdr *hdr; 3934 struct wpa_eapol_key *key; 3935 struct wpa_eapol_ie_parse kde; 3936 size_t mic_len; 3937 u16 key_data_length; 3938 #endif /* CONFIG_OCV */ 3939 3940 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 3941 sm->EAPOLKeyReceived = false; 3942 3943 #ifdef CONFIG_OCV 3944 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 3945 3946 /* 3947 * Note: last_rx_eapol_key length fields have already been validated in 3948 * wpa_receive(). 3949 */ 3950 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key; 3951 key = (struct wpa_eapol_key *) (hdr + 1); 3952 mic = (u8 *) (key + 1); 3953 key_data = mic + mic_len + 2; 3954 key_data_length = WPA_GET_BE16(mic + mic_len); 3955 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) - 3956 sizeof(*key) - mic_len - 2) 3957 return; 3958 3959 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 3960 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 3961 "received EAPOL-Key group msg 2/2 with invalid Key Data contents"); 3962 return; 3963 } 3964 3965 if (wpa_auth_uses_ocv(sm)) { 3966 struct wpa_channel_info ci; 3967 int tx_chanwidth; 3968 int tx_seg1_idx; 3969 3970 if (wpa_channel_info(wpa_auth, &ci) != 0) { 3971 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 3972 "Failed to get channel info to validate received OCI in EAPOL-Key group 2/2"); 3973 return; 3974 } 3975 3976 if (get_sta_tx_parameters(sm, 3977 channel_width_to_int(ci.chanwidth), 3978 ci.seg1_idx, &tx_chanwidth, 3979 &tx_seg1_idx) < 0) 3980 return; 3981 3982 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci, 3983 tx_chanwidth, tx_seg1_idx) != 3984 OCI_SUCCESS) { 3985 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 3986 "OCV failed: %s", ocv_errorstr); 3987 if (wpa_auth->conf.msg_ctx) 3988 wpa_msg(wpa_auth->conf.msg_ctx, MSG_INFO, 3989 OCV_FAILURE "addr=" MACSTR 3990 " frame=eapol-key-g2 error=%s", 3991 MAC2STR(sm->addr), ocv_errorstr); 3992 return; 3993 } 3994 } 3995 #endif /* CONFIG_OCV */ 3996 3997 if (sm->GUpdateStationKeys) 3998 sm->group->GKeyDoneStations--; 3999 sm->GUpdateStationKeys = false; 4000 sm->GTimeoutCtr = 0; 4001 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 4002 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 4003 "group key handshake completed (%s)", 4004 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 4005 sm->has_GTK = true; 4006 } 4007 4008 4009 SM_STATE(WPA_PTK_GROUP, KEYERROR) 4010 { 4011 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 4012 if (sm->GUpdateStationKeys) 4013 sm->group->GKeyDoneStations--; 4014 sm->GUpdateStationKeys = false; 4015 sm->Disconnect = true; 4016 sm->disconnect_reason = WLAN_REASON_GROUP_KEY_UPDATE_TIMEOUT; 4017 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 4018 "group key handshake failed (%s) after %u tries", 4019 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN", 4020 sm->wpa_auth->conf.wpa_group_update_count); 4021 } 4022 4023 4024 SM_STEP(WPA_PTK_GROUP) 4025 { 4026 if (sm->Init || sm->PtkGroupInit) { 4027 SM_ENTER(WPA_PTK_GROUP, IDLE); 4028 sm->PtkGroupInit = false; 4029 } else switch (sm->wpa_ptk_group_state) { 4030 case WPA_PTK_GROUP_IDLE: 4031 if (sm->GUpdateStationKeys || 4032 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 4033 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 4034 break; 4035 case WPA_PTK_GROUP_REKEYNEGOTIATING: 4036 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 4037 !sm->EAPOLKeyPairwise && sm->MICVerified) 4038 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 4039 else if (sm->GTimeoutCtr > 4040 sm->wpa_auth->conf.wpa_group_update_count || 4041 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 4042 sm->GTimeoutCtr > 1)) 4043 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 4044 else if (sm->TimeoutEvt) 4045 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 4046 break; 4047 case WPA_PTK_GROUP_KEYERROR: 4048 SM_ENTER(WPA_PTK_GROUP, IDLE); 4049 break; 4050 case WPA_PTK_GROUP_REKEYESTABLISHED: 4051 SM_ENTER(WPA_PTK_GROUP, IDLE); 4052 break; 4053 } 4054 } 4055 4056 4057 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 4058 struct wpa_group *group) 4059 { 4060 struct wpa_auth_config *conf = &wpa_auth->conf; 4061 int ret = 0; 4062 size_t len; 4063 4064 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 4065 inc_byte_array(group->Counter, WPA_NONCE_LEN); 4066 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 4067 wpa_auth->addr, group->GNonce, 4068 group->GTK[group->GN - 1], group->GTK_len) < 0) 4069 ret = -1; 4070 wpa_hexdump_key(MSG_DEBUG, "GTK", 4071 group->GTK[group->GN - 1], group->GTK_len); 4072 4073 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 4074 len = wpa_cipher_key_len(conf->group_mgmt_cipher); 4075 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 4076 inc_byte_array(group->Counter, WPA_NONCE_LEN); 4077 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 4078 wpa_auth->addr, group->GNonce, 4079 group->IGTK[group->GN_igtk - 4], len) < 0) 4080 ret = -1; 4081 wpa_hexdump_key(MSG_DEBUG, "IGTK", 4082 group->IGTK[group->GN_igtk - 4], len); 4083 } 4084 4085 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION && 4086 conf->beacon_prot) { 4087 len = wpa_cipher_key_len(conf->group_mgmt_cipher); 4088 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 4089 inc_byte_array(group->Counter, WPA_NONCE_LEN); 4090 if (wpa_gmk_to_gtk(group->GMK, "BIGTK key expansion", 4091 wpa_auth->addr, group->GNonce, 4092 group->BIGTK[group->GN_bigtk - 6], len) < 0) 4093 ret = -1; 4094 wpa_hexdump_key(MSG_DEBUG, "BIGTK", 4095 group->BIGTK[group->GN_bigtk - 6], len); 4096 } 4097 4098 return ret; 4099 } 4100 4101 4102 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 4103 struct wpa_group *group) 4104 { 4105 wpa_printf(MSG_DEBUG, 4106 "WPA: group state machine entering state GTK_INIT (VLAN-ID %d)", 4107 group->vlan_id); 4108 group->changed = false; /* GInit is not cleared here; avoid loop */ 4109 group->wpa_group_state = WPA_GROUP_GTK_INIT; 4110 4111 /* GTK[0..N] = 0 */ 4112 os_memset(group->GTK, 0, sizeof(group->GTK)); 4113 group->GN = 1; 4114 group->GM = 2; 4115 group->GN_igtk = 4; 4116 group->GM_igtk = 5; 4117 group->GN_bigtk = 6; 4118 group->GM_bigtk = 7; 4119 /* GTK[GN] = CalcGTK() */ 4120 wpa_gtk_update(wpa_auth, group); 4121 } 4122 4123 4124 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 4125 { 4126 if (ctx != NULL && ctx != sm->group) 4127 return 0; 4128 4129 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 4130 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4131 "Not in PTKINITDONE; skip Group Key update"); 4132 sm->GUpdateStationKeys = false; 4133 return 0; 4134 } 4135 if (sm->GUpdateStationKeys) { 4136 /* 4137 * This should not really happen, so add a debug log entry. 4138 * Since we clear the GKeyDoneStations before the loop, the 4139 * station needs to be counted here anyway. 4140 */ 4141 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4142 "GUpdateStationKeys was already set when marking station for GTK rekeying"); 4143 } 4144 4145 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 4146 if (sm->is_wnmsleep) 4147 return 0; 4148 4149 sm->group->GKeyDoneStations++; 4150 sm->GUpdateStationKeys = true; 4151 4152 wpa_sm_step(sm); 4153 return 0; 4154 } 4155 4156 4157 #ifdef CONFIG_WNM_AP 4158 /* update GTK when exiting WNM-Sleep Mode */ 4159 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 4160 { 4161 if (!sm || sm->is_wnmsleep) 4162 return; 4163 4164 wpa_group_update_sta(sm, NULL); 4165 } 4166 4167 4168 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 4169 { 4170 if (sm) 4171 sm->is_wnmsleep = !!flag; 4172 } 4173 4174 4175 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 4176 { 4177 struct wpa_auth_config *conf = &sm->wpa_auth->conf; 4178 struct wpa_group *gsm = sm->group; 4179 u8 *start = pos; 4180 4181 /* 4182 * GTK subelement: 4183 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 4184 * Key[5..32] 4185 */ 4186 *pos++ = WNM_SLEEP_SUBELEM_GTK; 4187 *pos++ = 11 + gsm->GTK_len; 4188 /* Key ID in B0-B1 of Key Info */ 4189 WPA_PUT_LE16(pos, gsm->GN & 0x03); 4190 pos += 2; 4191 *pos++ = gsm->GTK_len; 4192 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 4193 return 0; 4194 pos += 8; 4195 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 4196 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 4197 /* 4198 * Provide unique random GTK to each STA to prevent use 4199 * of GTK in the BSS. 4200 */ 4201 if (random_get_bytes(pos, gsm->GTK_len) < 0) 4202 return 0; 4203 } 4204 pos += gsm->GTK_len; 4205 4206 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 4207 gsm->GN); 4208 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 4209 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 4210 4211 return pos - start; 4212 } 4213 4214 4215 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 4216 { 4217 struct wpa_auth_config *conf = &sm->wpa_auth->conf; 4218 struct wpa_group *gsm = sm->group; 4219 u8 *start = pos; 4220 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 4221 4222 /* 4223 * IGTK subelement: 4224 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 4225 */ 4226 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 4227 *pos++ = 2 + 6 + len; 4228 WPA_PUT_LE16(pos, gsm->GN_igtk); 4229 pos += 2; 4230 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 4231 return 0; 4232 pos += 6; 4233 4234 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len); 4235 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 4236 /* 4237 * Provide unique random IGTK to each STA to prevent use 4238 * of IGTK in the BSS. 4239 */ 4240 if (random_get_bytes(pos, len) < 0) 4241 return 0; 4242 } 4243 pos += len; 4244 4245 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 4246 gsm->GN_igtk); 4247 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 4248 gsm->IGTK[gsm->GN_igtk - 4], len); 4249 4250 return pos - start; 4251 } 4252 4253 4254 int wpa_wnmsleep_bigtk_subelem(struct wpa_state_machine *sm, u8 *pos) 4255 { 4256 struct wpa_group *gsm = sm->group; 4257 u8 *start = pos; 4258 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 4259 4260 /* 4261 * BIGTK subelement: 4262 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 4263 */ 4264 *pos++ = WNM_SLEEP_SUBELEM_BIGTK; 4265 *pos++ = 2 + 6 + len; 4266 WPA_PUT_LE16(pos, gsm->GN_bigtk); 4267 pos += 2; 4268 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_bigtk, pos) != 0) 4269 return 0; 4270 pos += 6; 4271 4272 os_memcpy(pos, gsm->BIGTK[gsm->GN_bigtk - 6], len); 4273 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 4274 /* 4275 * Provide unique random BIGTK to each STA to prevent use 4276 * of BIGTK in the BSS. 4277 */ 4278 if (random_get_bytes(pos, len) < 0) 4279 return 0; 4280 } 4281 pos += len; 4282 4283 wpa_printf(MSG_DEBUG, "WNM: BIGTK Key ID %u in WNM-Sleep Mode exit", 4284 gsm->GN_bigtk); 4285 wpa_hexdump_key(MSG_DEBUG, "WNM: BIGTK in WNM-Sleep Mode exit", 4286 gsm->BIGTK[gsm->GN_bigtk - 6], len); 4287 4288 return pos - start; 4289 } 4290 4291 #endif /* CONFIG_WNM_AP */ 4292 4293 4294 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 4295 struct wpa_group *group) 4296 { 4297 int tmp; 4298 4299 wpa_printf(MSG_DEBUG, 4300 "WPA: group state machine entering state SETKEYS (VLAN-ID %d)", 4301 group->vlan_id); 4302 group->changed = true; 4303 group->wpa_group_state = WPA_GROUP_SETKEYS; 4304 group->GTKReKey = false; 4305 tmp = group->GM; 4306 group->GM = group->GN; 4307 group->GN = tmp; 4308 tmp = group->GM_igtk; 4309 group->GM_igtk = group->GN_igtk; 4310 group->GN_igtk = tmp; 4311 tmp = group->GM_bigtk; 4312 group->GM_bigtk = group->GN_bigtk; 4313 group->GN_bigtk = tmp; 4314 /* "GKeyDoneStations = GNoStations" is done in more robust way by 4315 * counting the STAs that are marked with GUpdateStationKeys instead of 4316 * including all STAs that could be in not-yet-completed state. */ 4317 wpa_gtk_update(wpa_auth, group); 4318 4319 if (group->GKeyDoneStations) { 4320 wpa_printf(MSG_DEBUG, 4321 "wpa_group_setkeys: Unexpected GKeyDoneStations=%d when starting new GTK rekey", 4322 group->GKeyDoneStations); 4323 group->GKeyDoneStations = 0; 4324 } 4325 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 4326 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 4327 group->GKeyDoneStations); 4328 } 4329 4330 4331 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 4332 struct wpa_group *group) 4333 { 4334 struct wpa_auth_config *conf = &wpa_auth->conf; 4335 int ret = 0; 4336 4337 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 4338 wpa_cipher_to_alg(conf->wpa_group), 4339 broadcast_ether_addr, group->GN, 4340 group->GTK[group->GN - 1], group->GTK_len, 4341 KEY_FLAG_GROUP_TX_DEFAULT) < 0) 4342 ret = -1; 4343 4344 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 4345 enum wpa_alg alg; 4346 size_t len; 4347 4348 alg = wpa_cipher_to_alg(conf->group_mgmt_cipher); 4349 len = wpa_cipher_key_len(conf->group_mgmt_cipher); 4350 4351 if (ret == 0 && 4352 wpa_auth_set_key(wpa_auth, group->vlan_id, alg, 4353 broadcast_ether_addr, group->GN_igtk, 4354 group->IGTK[group->GN_igtk - 4], len, 4355 KEY_FLAG_GROUP_TX_DEFAULT) < 0) 4356 ret = -1; 4357 4358 if (ret == 0 && conf->beacon_prot && 4359 wpa_auth_set_key(wpa_auth, group->vlan_id, alg, 4360 broadcast_ether_addr, group->GN_bigtk, 4361 group->BIGTK[group->GN_bigtk - 6], len, 4362 KEY_FLAG_GROUP_TX_DEFAULT) < 0) 4363 ret = -1; 4364 } 4365 4366 return ret; 4367 } 4368 4369 4370 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx) 4371 { 4372 if (sm->group == ctx) { 4373 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR 4374 " for disconnection due to fatal failure", 4375 MAC2STR(sm->addr)); 4376 sm->Disconnect = true; 4377 } 4378 4379 return 0; 4380 } 4381 4382 4383 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth, 4384 struct wpa_group *group) 4385 { 4386 wpa_printf(MSG_DEBUG, 4387 "WPA: group state machine entering state FATAL_FAILURE"); 4388 group->changed = true; 4389 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE; 4390 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group); 4391 } 4392 4393 4394 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 4395 struct wpa_group *group) 4396 { 4397 wpa_printf(MSG_DEBUG, 4398 "WPA: group state machine entering state SETKEYSDONE (VLAN-ID %d)", 4399 group->vlan_id); 4400 group->changed = true; 4401 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 4402 4403 if (wpa_group_config_group_keys(wpa_auth, group) < 0) { 4404 wpa_group_fatal_failure(wpa_auth, group); 4405 return -1; 4406 } 4407 4408 return 0; 4409 } 4410 4411 4412 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 4413 struct wpa_group *group) 4414 { 4415 if (group->GInit) { 4416 wpa_group_gtk_init(wpa_auth, group); 4417 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) { 4418 /* Do not allow group operations */ 4419 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 4420 group->GTKAuthenticator) { 4421 wpa_group_setkeysdone(wpa_auth, group); 4422 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 4423 group->GTKReKey) { 4424 wpa_group_setkeys(wpa_auth, group); 4425 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 4426 if (group->GKeyDoneStations == 0) 4427 wpa_group_setkeysdone(wpa_auth, group); 4428 else if (group->GTKReKey) 4429 wpa_group_setkeys(wpa_auth, group); 4430 } 4431 } 4432 4433 4434 static int wpa_sm_step(struct wpa_state_machine *sm) 4435 { 4436 if (!sm) 4437 return 0; 4438 4439 if (sm->in_step_loop) { 4440 /* This should not happen, but if it does, make sure we do not 4441 * end up freeing the state machine too early by exiting the 4442 * recursive call. */ 4443 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 4444 return 0; 4445 } 4446 4447 sm->in_step_loop = 1; 4448 do { 4449 if (sm->pending_deinit) 4450 break; 4451 4452 sm->changed = false; 4453 sm->wpa_auth->group->changed = false; 4454 4455 SM_STEP_RUN(WPA_PTK); 4456 if (sm->pending_deinit) 4457 break; 4458 SM_STEP_RUN(WPA_PTK_GROUP); 4459 if (sm->pending_deinit) 4460 break; 4461 wpa_group_sm_step(sm->wpa_auth, sm->group); 4462 } while (sm->changed || sm->wpa_auth->group->changed); 4463 sm->in_step_loop = 0; 4464 4465 if (sm->pending_deinit) { 4466 wpa_printf(MSG_DEBUG, 4467 "WPA: Completing pending STA state machine deinit for " 4468 MACSTR, MAC2STR(sm->addr)); 4469 wpa_free_sta_sm(sm); 4470 return 1; 4471 } 4472 return 0; 4473 } 4474 4475 4476 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 4477 { 4478 struct wpa_state_machine *sm = eloop_ctx; 4479 wpa_sm_step(sm); 4480 } 4481 4482 4483 void wpa_auth_sm_notify(struct wpa_state_machine *sm) 4484 { 4485 if (!sm) 4486 return; 4487 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 4488 } 4489 4490 4491 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 4492 { 4493 int tmp, i; 4494 struct wpa_group *group; 4495 4496 if (!wpa_auth) 4497 return; 4498 4499 group = wpa_auth->group; 4500 4501 for (i = 0; i < 2; i++) { 4502 tmp = group->GM; 4503 group->GM = group->GN; 4504 group->GN = tmp; 4505 tmp = group->GM_igtk; 4506 group->GM_igtk = group->GN_igtk; 4507 group->GN_igtk = tmp; 4508 tmp = group->GM_bigtk; 4509 group->GM_bigtk = group->GN_bigtk; 4510 group->GN_bigtk = tmp; 4511 wpa_gtk_update(wpa_auth, group); 4512 wpa_group_config_group_keys(wpa_auth, group); 4513 } 4514 } 4515 4516 4517 static const char * wpa_bool_txt(int val) 4518 { 4519 return val ? "TRUE" : "FALSE"; 4520 } 4521 4522 4523 #define RSN_SUITE "%02x-%02x-%02x-%d" 4524 #define RSN_SUITE_ARG(s) \ 4525 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 4526 4527 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 4528 { 4529 struct wpa_auth_config *conf; 4530 int len = 0, ret; 4531 char pmkid_txt[PMKID_LEN * 2 + 1]; 4532 #ifdef CONFIG_RSN_PREAUTH 4533 const int preauth = 1; 4534 #else /* CONFIG_RSN_PREAUTH */ 4535 const int preauth = 0; 4536 #endif /* CONFIG_RSN_PREAUTH */ 4537 4538 if (!wpa_auth) 4539 return len; 4540 conf = &wpa_auth->conf; 4541 4542 ret = os_snprintf(buf + len, buflen - len, 4543 "dot11RSNAOptionImplemented=TRUE\n" 4544 "dot11RSNAPreauthenticationImplemented=%s\n" 4545 "dot11RSNAEnabled=%s\n" 4546 "dot11RSNAPreauthenticationEnabled=%s\n", 4547 wpa_bool_txt(preauth), 4548 wpa_bool_txt(conf->wpa & WPA_PROTO_RSN), 4549 wpa_bool_txt(conf->rsn_preauth)); 4550 if (os_snprintf_error(buflen - len, ret)) 4551 return len; 4552 len += ret; 4553 4554 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 4555 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 4556 4557 ret = os_snprintf( 4558 buf + len, buflen - len, 4559 "dot11RSNAConfigVersion=%u\n" 4560 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 4561 /* FIX: dot11RSNAConfigGroupCipher */ 4562 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 4563 /* FIX: dot11RSNAConfigGroupRekeyTime */ 4564 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 4565 "dot11RSNAConfigGroupRekeyStrict=%u\n" 4566 "dot11RSNAConfigGroupUpdateCount=%u\n" 4567 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 4568 "dot11RSNAConfigGroupCipherSize=%u\n" 4569 "dot11RSNAConfigPMKLifetime=%u\n" 4570 "dot11RSNAConfigPMKReauthThreshold=%u\n" 4571 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 4572 "dot11RSNAConfigSATimeout=%u\n" 4573 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 4574 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 4575 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 4576 "dot11RSNAPMKIDUsed=%s\n" 4577 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 4578 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 4579 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 4580 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 4581 "dot11RSNA4WayHandshakeFailures=%u\n" 4582 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 4583 RSN_VERSION, 4584 !!conf->wpa_strict_rekey, 4585 conf->wpa_group_update_count, 4586 conf->wpa_pairwise_update_count, 4587 wpa_cipher_key_len(conf->wpa_group) * 8, 4588 dot11RSNAConfigPMKLifetime, 4589 dot11RSNAConfigPMKReauthThreshold, 4590 dot11RSNAConfigSATimeout, 4591 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 4592 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 4593 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 4594 pmkid_txt, 4595 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 4596 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 4597 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 4598 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 4599 wpa_auth->dot11RSNA4WayHandshakeFailures); 4600 if (os_snprintf_error(buflen - len, ret)) 4601 return len; 4602 len += ret; 4603 4604 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 4605 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 4606 4607 /* Private MIB */ 4608 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 4609 wpa_auth->group->wpa_group_state); 4610 if (os_snprintf_error(buflen - len, ret)) 4611 return len; 4612 len += ret; 4613 4614 return len; 4615 } 4616 4617 4618 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 4619 { 4620 int len = 0, ret; 4621 u32 pairwise = 0; 4622 4623 if (!sm) 4624 return 0; 4625 4626 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 4627 4628 /* dot11RSNAStatsEntry */ 4629 4630 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 4631 WPA_PROTO_RSN : WPA_PROTO_WPA, 4632 sm->pairwise); 4633 if (pairwise == 0) 4634 return 0; 4635 4636 ret = os_snprintf( 4637 buf + len, buflen - len, 4638 /* TODO: dot11RSNAStatsIndex */ 4639 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 4640 "dot11RSNAStatsVersion=1\n" 4641 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 4642 /* TODO: dot11RSNAStatsTKIPICVErrors */ 4643 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 4644 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 4645 /* TODO: dot11RSNAStatsCCMPReplays */ 4646 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 4647 /* TODO: dot11RSNAStatsTKIPReplays */, 4648 MAC2STR(sm->addr), 4649 RSN_SUITE_ARG(pairwise), 4650 sm->dot11RSNAStatsTKIPLocalMICFailures, 4651 sm->dot11RSNAStatsTKIPRemoteMICFailures); 4652 if (os_snprintf_error(buflen - len, ret)) 4653 return len; 4654 len += ret; 4655 4656 /* Private MIB */ 4657 ret = os_snprintf(buf + len, buflen - len, 4658 "wpa=%d\n" 4659 "AKMSuiteSelector=" RSN_SUITE "\n" 4660 "hostapdWPAPTKState=%d\n" 4661 "hostapdWPAPTKGroupState=%d\n", 4662 sm->wpa, 4663 RSN_SUITE_ARG(wpa_akm_to_suite(sm->wpa_key_mgmt)), 4664 sm->wpa_ptk_state, 4665 sm->wpa_ptk_group_state); 4666 if (os_snprintf_error(buflen - len, ret)) 4667 return len; 4668 len += ret; 4669 4670 return len; 4671 } 4672 4673 4674 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 4675 { 4676 if (wpa_auth) 4677 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 4678 } 4679 4680 4681 int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 4682 { 4683 return sm && sm->pairwise_set; 4684 } 4685 4686 4687 int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 4688 { 4689 return sm->pairwise; 4690 } 4691 4692 4693 const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len) 4694 { 4695 if (!sm) 4696 return NULL; 4697 *len = sm->pmk_len; 4698 return sm->PMK; 4699 } 4700 4701 4702 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 4703 { 4704 if (!sm) 4705 return -1; 4706 return sm->wpa_key_mgmt; 4707 } 4708 4709 4710 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 4711 { 4712 if (!sm) 4713 return 0; 4714 return sm->wpa; 4715 } 4716 4717 4718 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) 4719 { 4720 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 4721 return 0; 4722 return sm->tk_already_set; 4723 } 4724 4725 4726 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm) 4727 { 4728 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt)) 4729 return 0; 4730 return sm->tk_already_set; 4731 } 4732 4733 4734 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 4735 struct rsn_pmksa_cache_entry *entry) 4736 { 4737 if (!sm || sm->pmksa != entry) 4738 return -1; 4739 sm->pmksa = NULL; 4740 return 0; 4741 } 4742 4743 4744 struct rsn_pmksa_cache_entry * 4745 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 4746 { 4747 return sm ? sm->pmksa : NULL; 4748 } 4749 4750 4751 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 4752 { 4753 if (sm) 4754 sm->dot11RSNAStatsTKIPLocalMICFailures++; 4755 } 4756 4757 4758 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 4759 { 4760 if (!wpa_auth) 4761 return NULL; 4762 *len = wpa_auth->wpa_ie_len; 4763 return wpa_auth->wpa_ie; 4764 } 4765 4766 4767 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 4768 unsigned int pmk_len, 4769 int session_timeout, struct eapol_state_machine *eapol) 4770 { 4771 if (!sm || sm->wpa != WPA_VERSION_WPA2 || 4772 sm->wpa_auth->conf.disable_pmksa_caching) 4773 return -1; 4774 4775 #ifdef CONFIG_IEEE80211R_AP 4776 if (pmk_len >= 2 * PMK_LEN && wpa_key_mgmt_ft(sm->wpa_key_mgmt) && 4777 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 4778 !wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 4779 /* Cache MPMK/XXKey instead of initial part from MSK */ 4780 pmk = pmk + PMK_LEN; 4781 pmk_len = PMK_LEN; 4782 } else 4783 #endif /* CONFIG_IEEE80211R_AP */ 4784 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 4785 if (pmk_len > PMK_LEN_SUITE_B_192) 4786 pmk_len = PMK_LEN_SUITE_B_192; 4787 } else if (pmk_len > PMK_LEN) { 4788 pmk_len = PMK_LEN; 4789 } 4790 4791 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK", pmk, pmk_len); 4792 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL, 4793 sm->PTK.kck, sm->PTK.kck_len, 4794 sm->wpa_auth->addr, sm->addr, session_timeout, 4795 eapol, sm->wpa_key_mgmt)) 4796 return 0; 4797 4798 return -1; 4799 } 4800 4801 4802 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 4803 const u8 *pmk, size_t len, const u8 *sta_addr, 4804 int session_timeout, 4805 struct eapol_state_machine *eapol) 4806 { 4807 if (!wpa_auth) 4808 return -1; 4809 4810 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from preauth", pmk, len); 4811 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL, 4812 NULL, 0, 4813 wpa_auth->addr, 4814 sta_addr, session_timeout, eapol, 4815 WPA_KEY_MGMT_IEEE8021X)) 4816 return 0; 4817 4818 return -1; 4819 } 4820 4821 4822 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, 4823 const u8 *pmk, const u8 *pmkid) 4824 { 4825 if (wpa_auth->conf.disable_pmksa_caching) 4826 return -1; 4827 4828 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE", pmk, PMK_LEN); 4829 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid, 4830 NULL, 0, 4831 wpa_auth->addr, addr, 0, NULL, 4832 WPA_KEY_MGMT_SAE)) 4833 return 0; 4834 4835 return -1; 4836 } 4837 4838 4839 void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid) 4840 { 4841 os_memcpy(sm->pmkid, pmkid, PMKID_LEN); 4842 sm->pmkid_set = 1; 4843 } 4844 4845 4846 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr, 4847 const u8 *pmk, size_t pmk_len, const u8 *pmkid, 4848 int session_timeout, int akmp) 4849 { 4850 if (!wpa_auth || wpa_auth->conf.disable_pmksa_caching) 4851 return -1; 4852 4853 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (2)", pmk, PMK_LEN); 4854 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid, 4855 NULL, 0, wpa_auth->addr, addr, session_timeout, 4856 NULL, akmp)) 4857 return 0; 4858 4859 return -1; 4860 } 4861 4862 4863 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 4864 const u8 *sta_addr) 4865 { 4866 struct rsn_pmksa_cache_entry *pmksa; 4867 4868 if (!wpa_auth || !wpa_auth->pmksa) 4869 return; 4870 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 4871 if (pmksa) { 4872 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 4873 MACSTR " based on request", MAC2STR(sta_addr)); 4874 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 4875 } 4876 } 4877 4878 4879 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf, 4880 size_t len) 4881 { 4882 if (!wpa_auth || !wpa_auth->pmksa) 4883 return 0; 4884 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len); 4885 } 4886 4887 4888 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth) 4889 { 4890 if (wpa_auth && wpa_auth->pmksa) 4891 pmksa_cache_auth_flush(wpa_auth->pmksa); 4892 } 4893 4894 4895 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL 4896 #ifdef CONFIG_MESH 4897 4898 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr, 4899 char *buf, size_t len) 4900 { 4901 if (!wpa_auth || !wpa_auth->pmksa) 4902 return 0; 4903 4904 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len); 4905 } 4906 4907 4908 struct rsn_pmksa_cache_entry * 4909 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk, 4910 const u8 *pmkid, int expiration) 4911 { 4912 struct rsn_pmksa_cache_entry *entry; 4913 struct os_reltime now; 4914 4915 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa, 4916 spa, 0, NULL, WPA_KEY_MGMT_SAE); 4917 if (!entry) 4918 return NULL; 4919 4920 os_get_reltime(&now); 4921 entry->expiration = now.sec + expiration; 4922 return entry; 4923 } 4924 4925 4926 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth, 4927 struct rsn_pmksa_cache_entry *entry) 4928 { 4929 int ret; 4930 4931 if (!wpa_auth || !wpa_auth->pmksa) 4932 return -1; 4933 4934 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry); 4935 if (ret < 0) 4936 wpa_printf(MSG_DEBUG, 4937 "RSN: Failed to store external PMKSA cache for " 4938 MACSTR, MAC2STR(entry->spa)); 4939 4940 return ret; 4941 } 4942 4943 #endif /* CONFIG_MESH */ 4944 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */ 4945 4946 4947 struct rsn_pmksa_cache_entry * 4948 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, 4949 const u8 *pmkid) 4950 { 4951 if (!wpa_auth || !wpa_auth->pmksa) 4952 return NULL; 4953 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid); 4954 } 4955 4956 4957 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa, 4958 struct wpa_state_machine *sm, 4959 struct wpa_authenticator *wpa_auth, 4960 u8 *pmkid, u8 *pmk) 4961 { 4962 if (!sm) 4963 return; 4964 4965 sm->pmksa = pmksa; 4966 os_memcpy(pmk, pmksa->pmk, PMK_LEN); 4967 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN); 4968 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN); 4969 } 4970 4971 4972 /* 4973 * Remove and free the group from wpa_authenticator. This is triggered by a 4974 * callback to make sure nobody is currently iterating the group list while it 4975 * gets modified. 4976 */ 4977 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 4978 struct wpa_group *group) 4979 { 4980 struct wpa_group *prev = wpa_auth->group; 4981 4982 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d", 4983 group->vlan_id); 4984 4985 while (prev) { 4986 if (prev->next == group) { 4987 /* This never frees the special first group as needed */ 4988 prev->next = group->next; 4989 os_free(group); 4990 break; 4991 } 4992 prev = prev->next; 4993 } 4994 4995 } 4996 4997 4998 /* Increase the reference counter for group */ 4999 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 5000 struct wpa_group *group) 5001 { 5002 /* Skip the special first group */ 5003 if (wpa_auth->group == group) 5004 return; 5005 5006 group->references++; 5007 } 5008 5009 5010 /* Decrease the reference counter and maybe free the group */ 5011 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 5012 struct wpa_group *group) 5013 { 5014 /* Skip the special first group */ 5015 if (wpa_auth->group == group) 5016 return; 5017 5018 group->references--; 5019 if (group->references) 5020 return; 5021 wpa_group_free(wpa_auth, group); 5022 } 5023 5024 5025 /* 5026 * Add a group that has its references counter set to zero. Caller needs to 5027 * call wpa_group_get() on the return value to mark the entry in use. 5028 */ 5029 static struct wpa_group * 5030 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 5031 { 5032 struct wpa_group *group; 5033 5034 if (!wpa_auth || !wpa_auth->group) 5035 return NULL; 5036 5037 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 5038 vlan_id); 5039 group = wpa_group_init(wpa_auth, vlan_id, 0); 5040 if (!group) 5041 return NULL; 5042 5043 group->next = wpa_auth->group->next; 5044 wpa_auth->group->next = group; 5045 5046 return group; 5047 } 5048 5049 5050 /* 5051 * Enforce that the group state machine for the VLAN is running, increase 5052 * reference counter as interface is up. References might have been increased 5053 * even if a negative value is returned. 5054 * Returns: -1 on error (group missing, group already failed); otherwise, 0 5055 */ 5056 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id) 5057 { 5058 struct wpa_group *group; 5059 5060 if (!wpa_auth) 5061 return 0; 5062 5063 group = wpa_auth->group; 5064 while (group) { 5065 if (group->vlan_id == vlan_id) 5066 break; 5067 group = group->next; 5068 } 5069 5070 if (!group) { 5071 group = wpa_auth_add_group(wpa_auth, vlan_id); 5072 if (!group) 5073 return -1; 5074 } 5075 5076 wpa_printf(MSG_DEBUG, 5077 "WPA: Ensure group state machine running for VLAN ID %d", 5078 vlan_id); 5079 5080 wpa_group_get(wpa_auth, group); 5081 group->num_setup_iface++; 5082 5083 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 5084 return -1; 5085 5086 return 0; 5087 } 5088 5089 5090 /* 5091 * Decrease reference counter, expected to be zero afterwards. 5092 * returns: -1 on error (group not found, group in fail state) 5093 * -2 if wpa_group is still referenced 5094 * 0 else 5095 */ 5096 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id) 5097 { 5098 struct wpa_group *group; 5099 int ret = 0; 5100 5101 if (!wpa_auth) 5102 return 0; 5103 5104 group = wpa_auth->group; 5105 while (group) { 5106 if (group->vlan_id == vlan_id) 5107 break; 5108 group = group->next; 5109 } 5110 5111 if (!group) 5112 return -1; 5113 5114 wpa_printf(MSG_DEBUG, 5115 "WPA: Try stopping group state machine for VLAN ID %d", 5116 vlan_id); 5117 5118 if (group->num_setup_iface <= 0) { 5119 wpa_printf(MSG_ERROR, 5120 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.", 5121 vlan_id); 5122 return -1; 5123 } 5124 group->num_setup_iface--; 5125 5126 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 5127 ret = -1; 5128 5129 if (group->references > 1) { 5130 wpa_printf(MSG_DEBUG, 5131 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold", 5132 vlan_id); 5133 ret = -2; 5134 } 5135 5136 wpa_group_put(wpa_auth, group); 5137 5138 return ret; 5139 } 5140 5141 5142 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 5143 { 5144 struct wpa_group *group; 5145 5146 if (!sm || !sm->wpa_auth) 5147 return 0; 5148 5149 group = sm->wpa_auth->group; 5150 while (group) { 5151 if (group->vlan_id == vlan_id) 5152 break; 5153 group = group->next; 5154 } 5155 5156 if (!group) { 5157 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 5158 if (!group) 5159 return -1; 5160 } 5161 5162 if (sm->group == group) 5163 return 0; 5164 5165 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 5166 return -1; 5167 5168 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR 5169 " to use group state machine for VLAN ID %d", 5170 MAC2STR(sm->addr), vlan_id); 5171 5172 wpa_group_get(sm->wpa_auth, group); 5173 wpa_group_put(sm->wpa_auth, sm->group); 5174 sm->group = group; 5175 5176 return 0; 5177 } 5178 5179 5180 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 5181 struct wpa_state_machine *sm, int ack) 5182 { 5183 if (!wpa_auth || !sm) 5184 return; 5185 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 5186 " ack=%d", MAC2STR(sm->addr), ack); 5187 if (sm->pending_1_of_4_timeout && ack) { 5188 /* 5189 * Some deployed supplicant implementations update their SNonce 5190 * for each EAPOL-Key 2/4 message even within the same 4-way 5191 * handshake and then fail to use the first SNonce when 5192 * deriving the PTK. This results in unsuccessful 4-way 5193 * handshake whenever the relatively short initial timeout is 5194 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 5195 * around this by increasing the timeout now that we know that 5196 * the station has received the frame. 5197 */ 5198 int timeout_ms = eapol_key_timeout_subseq; 5199 wpa_printf(MSG_DEBUG, 5200 "WPA: Increase initial EAPOL-Key 1/4 timeout by %u ms because of acknowledged frame", 5201 timeout_ms); 5202 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 5203 eloop_register_timeout(timeout_ms / 1000, 5204 (timeout_ms % 1000) * 1000, 5205 wpa_send_eapol_timeout, wpa_auth, sm); 5206 } 5207 5208 #ifdef CONFIG_TESTING_OPTIONS 5209 if (sm->eapol_status_cb) { 5210 sm->eapol_status_cb(sm->eapol_status_cb_ctx1, 5211 sm->eapol_status_cb_ctx2); 5212 sm->eapol_status_cb = NULL; 5213 } 5214 #endif /* CONFIG_TESTING_OPTIONS */ 5215 } 5216 5217 5218 int wpa_auth_uses_sae(struct wpa_state_machine *sm) 5219 { 5220 if (!sm) 5221 return 0; 5222 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 5223 } 5224 5225 5226 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm) 5227 { 5228 if (!sm) 5229 return 0; 5230 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; 5231 } 5232 5233 5234 #ifdef CONFIG_P2P 5235 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr) 5236 { 5237 if (!sm || WPA_GET_BE32(sm->ip_addr) == 0) 5238 return -1; 5239 os_memcpy(addr, sm->ip_addr, 4); 5240 return 0; 5241 } 5242 #endif /* CONFIG_P2P */ 5243 5244 5245 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth, 5246 struct radius_das_attrs *attr) 5247 { 5248 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr); 5249 } 5250 5251 5252 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth) 5253 { 5254 struct wpa_group *group; 5255 5256 if (!wpa_auth) 5257 return; 5258 for (group = wpa_auth->group; group; group = group->next) 5259 wpa_group_config_group_keys(wpa_auth, group); 5260 } 5261 5262 5263 #ifdef CONFIG_FILS 5264 5265 struct wpa_auth_fils_iter_data { 5266 struct wpa_authenticator *auth; 5267 const u8 *cache_id; 5268 struct rsn_pmksa_cache_entry *pmksa; 5269 const u8 *spa; 5270 const u8 *pmkid; 5271 }; 5272 5273 5274 static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx) 5275 { 5276 struct wpa_auth_fils_iter_data *data = ctx; 5277 5278 if (a == data->auth || !a->conf.fils_cache_id_set || 5279 os_memcmp(a->conf.fils_cache_id, data->cache_id, 5280 FILS_CACHE_ID_LEN) != 0) 5281 return 0; 5282 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid); 5283 return data->pmksa != NULL; 5284 } 5285 5286 5287 struct rsn_pmksa_cache_entry * 5288 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth, 5289 const u8 *sta_addr, const u8 *pmkid) 5290 { 5291 struct wpa_auth_fils_iter_data idata; 5292 5293 if (!wpa_auth->conf.fils_cache_id_set) 5294 return NULL; 5295 idata.auth = wpa_auth; 5296 idata.cache_id = wpa_auth->conf.fils_cache_id; 5297 idata.pmksa = NULL; 5298 idata.spa = sta_addr; 5299 idata.pmkid = pmkid; 5300 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata); 5301 return idata.pmksa; 5302 } 5303 5304 5305 #ifdef CONFIG_IEEE80211R_AP 5306 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, int use_sha384, 5307 u8 *buf, size_t len) 5308 { 5309 struct wpa_auth_config *conf = &wpa_auth->conf; 5310 5311 return wpa_write_ftie(conf, use_sha384, conf->r0_key_holder, 5312 conf->r0_key_holder_len, 5313 NULL, NULL, buf, len, NULL, 0, 0); 5314 } 5315 #endif /* CONFIG_IEEE80211R_AP */ 5316 5317 5318 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm, 5319 u8 *fils_anonce, u8 *fils_snonce, 5320 u8 *fils_kek, size_t *fils_kek_len) 5321 { 5322 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN); 5323 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN); 5324 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN); 5325 *fils_kek_len = sm->PTK.kek_len; 5326 } 5327 5328 5329 void wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine *sm, const u8 *pmk, 5330 size_t pmk_len, const u8 *pmkid) 5331 { 5332 os_memcpy(sm->PMK, pmk, pmk_len); 5333 sm->pmk_len = pmk_len; 5334 os_memcpy(sm->pmkid, pmkid, PMKID_LEN); 5335 sm->pmkid_set = 1; 5336 } 5337 5338 #endif /* CONFIG_FILS */ 5339 5340 5341 void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg) 5342 { 5343 if (sm) 5344 sm->auth_alg = auth_alg; 5345 } 5346 5347 5348 #ifdef CONFIG_DPP2 5349 void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z) 5350 { 5351 if (sm) { 5352 wpabuf_clear_free(sm->dpp_z); 5353 sm->dpp_z = z ? wpabuf_dup(z) : NULL; 5354 } 5355 } 5356 #endif /* CONFIG_DPP2 */ 5357 5358 5359 void wpa_auth_set_transition_disable(struct wpa_authenticator *wpa_auth, 5360 u8 val) 5361 { 5362 if (wpa_auth) 5363 wpa_auth->conf.transition_disable = val; 5364 } 5365 5366 5367 #ifdef CONFIG_TESTING_OPTIONS 5368 5369 int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce, 5370 void (*cb)(void *ctx1, void *ctx2), 5371 void *ctx1, void *ctx2) 5372 { 5373 const u8 *anonce = sm->ANonce; 5374 u8 anonce_buf[WPA_NONCE_LEN]; 5375 5376 if (change_anonce) { 5377 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN)) 5378 return -1; 5379 anonce = anonce_buf; 5380 } 5381 5382 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 5383 "sending 1/4 msg of 4-Way Handshake (TESTING)"); 5384 wpa_send_eapol(sm->wpa_auth, sm, 5385 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 5386 anonce, NULL, 0, 0, 0); 5387 return 0; 5388 } 5389 5390 5391 int wpa_auth_resend_m3(struct wpa_state_machine *sm, 5392 void (*cb)(void *ctx1, void *ctx2), 5393 void *ctx1, void *ctx2) 5394 { 5395 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos; 5396 u8 *opos; 5397 size_t gtk_len, kde_len; 5398 struct wpa_auth_config *conf = &sm->wpa_auth->conf; 5399 struct wpa_group *gsm = sm->group; 5400 u8 *wpa_ie; 5401 int wpa_ie_len, secure, gtkidx, encr = 0; 5402 u8 hdr[2]; 5403 5404 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 5405 GTK[GN], IGTK, [BIGTK], [FTIE], [TIE * 2]) 5406 */ 5407 5408 /* Use 0 RSC */ 5409 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 5410 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 5411 wpa_ie = sm->wpa_auth->wpa_ie; 5412 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 5413 if (sm->wpa == WPA_VERSION_WPA && 5414 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 5415 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 5416 /* WPA-only STA, remove RSN IE and possible MDIE */ 5417 wpa_ie = wpa_ie + wpa_ie[1] + 2; 5418 if (wpa_ie[0] == WLAN_EID_RSNX) 5419 wpa_ie = wpa_ie + wpa_ie[1] + 2; 5420 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 5421 wpa_ie = wpa_ie + wpa_ie[1] + 2; 5422 wpa_ie_len = wpa_ie[1] + 2; 5423 } 5424 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 5425 "sending 3/4 msg of 4-Way Handshake (TESTING)"); 5426 if (sm->wpa == WPA_VERSION_WPA2) { 5427 /* WPA2 send GTK in the 4-way handshake */ 5428 secure = 1; 5429 gtk = gsm->GTK[gsm->GN - 1]; 5430 gtk_len = gsm->GTK_len; 5431 gtkidx = gsm->GN; 5432 _rsc = rsc; 5433 encr = 1; 5434 } else { 5435 /* WPA does not include GTK in msg 3/4 */ 5436 secure = 0; 5437 gtk = NULL; 5438 gtk_len = 0; 5439 _rsc = NULL; 5440 if (sm->rx_eapol_key_secure) { 5441 /* 5442 * It looks like Windows 7 supplicant tries to use 5443 * Secure bit in msg 2/4 after having reported Michael 5444 * MIC failure and it then rejects the 4-way handshake 5445 * if msg 3/4 does not set Secure bit. Work around this 5446 * by setting the Secure bit here even in the case of 5447 * WPA if the supplicant used it first. 5448 */ 5449 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 5450 "STA used Secure bit in WPA msg 2/4 - set Secure for 3/4 as workaround"); 5451 secure = 1; 5452 } 5453 } 5454 5455 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm); 5456 5457 if (sm->use_ext_key_id) 5458 kde_len += 2 + RSN_SELECTOR_LEN + 2; 5459 5460 if (gtk) 5461 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 5462 #ifdef CONFIG_IEEE80211R_AP 5463 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 5464 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 5465 kde_len += 300; /* FTIE + 2 * TIE */ 5466 } 5467 #endif /* CONFIG_IEEE80211R_AP */ 5468 kde = os_malloc(kde_len); 5469 if (!kde) 5470 return -1; 5471 5472 pos = kde; 5473 os_memcpy(pos, wpa_ie, wpa_ie_len); 5474 pos += wpa_ie_len; 5475 #ifdef CONFIG_IEEE80211R_AP 5476 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 5477 int res; 5478 size_t elen; 5479 5480 elen = pos - kde; 5481 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 5482 if (res < 0) { 5483 wpa_printf(MSG_ERROR, 5484 "FT: Failed to insert PMKR1Name into RSN IE in EAPOL-Key data"); 5485 os_free(kde); 5486 return -1; 5487 } 5488 pos -= wpa_ie_len; 5489 pos += elen; 5490 } 5491 #endif /* CONFIG_IEEE80211R_AP */ 5492 hdr[1] = 0; 5493 5494 if (sm->use_ext_key_id) { 5495 hdr[0] = sm->keyidx_active & 0x01; 5496 pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0); 5497 } 5498 5499 if (gtk) { 5500 hdr[0] = gtkidx & 0x03; 5501 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 5502 gtk, gtk_len); 5503 } 5504 opos = pos; 5505 pos = ieee80211w_kde_add(sm, pos); 5506 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) { 5507 /* skip KDE header and keyid */ 5508 opos += 2 + RSN_SELECTOR_LEN + 2; 5509 os_memset(opos, 0, 6); /* clear PN */ 5510 } 5511 if (ocv_oci_add(sm, &pos, conf->oci_freq_override_eapol_m3) < 0) { 5512 os_free(kde); 5513 return -1; 5514 } 5515 5516 #ifdef CONFIG_IEEE80211R_AP 5517 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 5518 int res; 5519 5520 if (sm->assoc_resp_ftie && 5521 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 5522 os_memcpy(pos, sm->assoc_resp_ftie, 5523 2 + sm->assoc_resp_ftie[1]); 5524 res = 2 + sm->assoc_resp_ftie[1]; 5525 } else { 5526 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 5527 5528 res = wpa_write_ftie(conf, use_sha384, 5529 conf->r0_key_holder, 5530 conf->r0_key_holder_len, 5531 NULL, NULL, pos, 5532 kde + kde_len - pos, 5533 NULL, 0, 0); 5534 } 5535 if (res < 0) { 5536 wpa_printf(MSG_ERROR, 5537 "FT: Failed to insert FTIE into EAPOL-Key Key Data"); 5538 os_free(kde); 5539 return -1; 5540 } 5541 pos += res; 5542 5543 /* TIE[ReassociationDeadline] (TU) */ 5544 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 5545 *pos++ = 5; 5546 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 5547 WPA_PUT_LE32(pos, conf->reassociation_deadline); 5548 pos += 4; 5549 5550 /* TIE[KeyLifetime] (seconds) */ 5551 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 5552 *pos++ = 5; 5553 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 5554 WPA_PUT_LE32(pos, conf->r0_key_lifetime); 5555 pos += 4; 5556 } 5557 #endif /* CONFIG_IEEE80211R_AP */ 5558 5559 wpa_send_eapol(sm->wpa_auth, sm, 5560 (secure ? WPA_KEY_INFO_SECURE : 0) | 5561 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 5562 WPA_KEY_INFO_MIC : 0) | 5563 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 5564 WPA_KEY_INFO_KEY_TYPE, 5565 _rsc, sm->ANonce, kde, pos - kde, 0, encr); 5566 os_free(kde); 5567 return 0; 5568 } 5569 5570 5571 int wpa_auth_resend_group_m1(struct wpa_state_machine *sm, 5572 void (*cb)(void *ctx1, void *ctx2), 5573 void *ctx1, void *ctx2) 5574 { 5575 u8 rsc[WPA_KEY_RSC_LEN]; 5576 struct wpa_auth_config *conf = &sm->wpa_auth->conf; 5577 struct wpa_group *gsm = sm->group; 5578 const u8 *kde; 5579 u8 *kde_buf = NULL, *pos, hdr[2]; 5580 u8 *opos; 5581 size_t kde_len; 5582 u8 *gtk; 5583 5584 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 5585 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 5586 /* Use 0 RSC */ 5587 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 5588 "sending 1/2 msg of Group Key Handshake (TESTING)"); 5589 5590 gtk = gsm->GTK[gsm->GN - 1]; 5591 if (sm->wpa == WPA_VERSION_WPA2) { 5592 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 5593 ieee80211w_kde_len(sm) + ocv_oci_len(sm); 5594 kde_buf = os_malloc(kde_len); 5595 if (!kde_buf) 5596 return -1; 5597 5598 kde = pos = kde_buf; 5599 hdr[0] = gsm->GN & 0x03; 5600 hdr[1] = 0; 5601 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 5602 gtk, gsm->GTK_len); 5603 opos = pos; 5604 pos = ieee80211w_kde_add(sm, pos); 5605 if (pos - opos >= 5606 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) { 5607 /* skip KDE header and keyid */ 5608 opos += 2 + RSN_SELECTOR_LEN + 2; 5609 os_memset(opos, 0, 6); /* clear PN */ 5610 } 5611 if (ocv_oci_add(sm, &pos, 5612 conf->oci_freq_override_eapol_g1) < 0) { 5613 os_free(kde_buf); 5614 return -1; 5615 } 5616 kde_len = pos - kde; 5617 } else { 5618 kde = gtk; 5619 kde_len = gsm->GTK_len; 5620 } 5621 5622 sm->eapol_status_cb = cb; 5623 sm->eapol_status_cb_ctx1 = ctx1; 5624 sm->eapol_status_cb_ctx2 = ctx2; 5625 5626 wpa_send_eapol(sm->wpa_auth, sm, 5627 WPA_KEY_INFO_SECURE | 5628 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 5629 WPA_KEY_INFO_MIC : 0) | 5630 WPA_KEY_INFO_ACK | 5631 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 5632 rsc, NULL, kde, kde_len, gsm->GN, 1); 5633 5634 os_free(kde_buf); 5635 return 0; 5636 } 5637 5638 5639 int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth) 5640 { 5641 if (!wpa_auth) 5642 return -1; 5643 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 5644 return eloop_register_timeout(0, 0, wpa_rekey_gtk, wpa_auth, NULL); 5645 } 5646 5647 5648 int wpa_auth_rekey_ptk(struct wpa_authenticator *wpa_auth, 5649 struct wpa_state_machine *sm) 5650 { 5651 if (!wpa_auth || !sm) 5652 return -1; 5653 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 5654 wpa_request_new_ptk(sm); 5655 wpa_sm_step(sm); 5656 return 0; 5657 } 5658 5659 5660 void wpa_auth_set_ft_rsnxe_used(struct wpa_authenticator *wpa_auth, int val) 5661 { 5662 if (wpa_auth) 5663 wpa_auth->conf.ft_rsnxe_used = val; 5664 } 5665 5666 5667 void wpa_auth_set_ocv_override_freq(struct wpa_authenticator *wpa_auth, 5668 enum wpa_auth_ocv_override_frame frame, 5669 unsigned int freq) 5670 { 5671 if (!wpa_auth) 5672 return; 5673 switch (frame) { 5674 case WPA_AUTH_OCV_OVERRIDE_EAPOL_M3: 5675 wpa_auth->conf.oci_freq_override_eapol_m3 = freq; 5676 break; 5677 case WPA_AUTH_OCV_OVERRIDE_EAPOL_G1: 5678 wpa_auth->conf.oci_freq_override_eapol_g1 = freq; 5679 break; 5680 case WPA_AUTH_OCV_OVERRIDE_FT_ASSOC: 5681 wpa_auth->conf.oci_freq_override_ft_assoc = freq; 5682 break; 5683 case WPA_AUTH_OCV_OVERRIDE_FILS_ASSOC: 5684 wpa_auth->conf.oci_freq_override_fils_assoc = freq; 5685 break; 5686 } 5687 } 5688 5689 #endif /* CONFIG_TESTING_OPTIONS */ 5690