1 /* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2018, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/state_machine.h" 14 #include "utils/bitfield.h" 15 #include "common/ieee802_11_defs.h" 16 #include "crypto/aes.h" 17 #include "crypto/aes_wrap.h" 18 #include "crypto/aes_siv.h" 19 #include "crypto/crypto.h" 20 #include "crypto/sha1.h" 21 #include "crypto/sha256.h" 22 #include "crypto/sha384.h" 23 #include "crypto/random.h" 24 #include "eapol_auth/eapol_auth_sm.h" 25 #include "ap_config.h" 26 #include "ieee802_11.h" 27 #include "wpa_auth.h" 28 #include "pmksa_cache_auth.h" 29 #include "wpa_auth_i.h" 30 #include "wpa_auth_ie.h" 31 32 #define STATE_MACHINE_DATA struct wpa_state_machine 33 #define STATE_MACHINE_DEBUG_PREFIX "WPA" 34 #define STATE_MACHINE_ADDR sm->addr 35 36 37 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 38 static int wpa_sm_step(struct wpa_state_machine *sm); 39 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK, 40 u8 *data, size_t data_len); 41 #ifdef CONFIG_FILS 42 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 43 u8 *buf, size_t buf_len, u16 *_key_data_len); 44 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, 45 const struct wpabuf *hlp); 46 #endif /* CONFIG_FILS */ 47 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 48 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 49 struct wpa_group *group); 50 static void wpa_request_new_ptk(struct wpa_state_machine *sm); 51 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 52 struct wpa_group *group); 53 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 54 struct wpa_group *group); 55 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 56 const u8 *pmk, unsigned int pmk_len, 57 struct wpa_ptk *ptk); 58 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 59 struct wpa_group *group); 60 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 61 struct wpa_group *group); 62 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 63 struct wpa_group *group); 64 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); 65 66 static const u32 eapol_key_timeout_first = 100; /* ms */ 67 static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 68 static const u32 eapol_key_timeout_first_group = 500; /* ms */ 69 static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */ 70 71 /* TODO: make these configurable */ 72 static const int dot11RSNAConfigPMKLifetime = 43200; 73 static const int dot11RSNAConfigPMKReauthThreshold = 70; 74 static const int dot11RSNAConfigSATimeout = 60; 75 76 77 static inline int wpa_auth_mic_failure_report( 78 struct wpa_authenticator *wpa_auth, const u8 *addr) 79 { 80 if (wpa_auth->cb->mic_failure_report) 81 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr); 82 return 0; 83 } 84 85 86 static inline void wpa_auth_psk_failure_report( 87 struct wpa_authenticator *wpa_auth, const u8 *addr) 88 { 89 if (wpa_auth->cb->psk_failure_report) 90 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr); 91 } 92 93 94 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 95 const u8 *addr, wpa_eapol_variable var, 96 int value) 97 { 98 if (wpa_auth->cb->set_eapol) 99 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value); 100 } 101 102 103 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 104 const u8 *addr, wpa_eapol_variable var) 105 { 106 if (wpa_auth->cb->get_eapol == NULL) 107 return -1; 108 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var); 109 } 110 111 112 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 113 const u8 *addr, 114 const u8 *p2p_dev_addr, 115 const u8 *prev_psk, size_t *psk_len) 116 { 117 if (wpa_auth->cb->get_psk == NULL) 118 return NULL; 119 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr, 120 prev_psk, psk_len); 121 } 122 123 124 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 125 const u8 *addr, u8 *msk, size_t *len) 126 { 127 if (wpa_auth->cb->get_msk == NULL) 128 return -1; 129 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len); 130 } 131 132 133 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 134 int vlan_id, 135 enum wpa_alg alg, const u8 *addr, int idx, 136 u8 *key, size_t key_len) 137 { 138 if (wpa_auth->cb->set_key == NULL) 139 return -1; 140 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx, 141 key, key_len); 142 } 143 144 145 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 146 const u8 *addr, int idx, u8 *seq) 147 { 148 if (wpa_auth->cb->get_seqnum == NULL) 149 return -1; 150 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq); 151 } 152 153 154 static inline int 155 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 156 const u8 *data, size_t data_len, int encrypt) 157 { 158 if (wpa_auth->cb->send_eapol == NULL) 159 return -1; 160 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len, 161 encrypt); 162 } 163 164 165 #ifdef CONFIG_MESH 166 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth, 167 const u8 *addr) 168 { 169 if (wpa_auth->cb->start_ampe == NULL) 170 return -1; 171 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr); 172 } 173 #endif /* CONFIG_MESH */ 174 175 176 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 177 int (*cb)(struct wpa_state_machine *sm, void *ctx), 178 void *cb_ctx) 179 { 180 if (wpa_auth->cb->for_each_sta == NULL) 181 return 0; 182 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx); 183 } 184 185 186 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 187 int (*cb)(struct wpa_authenticator *a, void *ctx), 188 void *cb_ctx) 189 { 190 if (wpa_auth->cb->for_each_auth == NULL) 191 return 0; 192 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx); 193 } 194 195 196 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 197 logger_level level, const char *txt) 198 { 199 if (wpa_auth->cb->logger == NULL) 200 return; 201 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt); 202 } 203 204 205 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 206 logger_level level, const char *fmt, ...) 207 { 208 char *format; 209 int maxlen; 210 va_list ap; 211 212 if (wpa_auth->cb->logger == NULL) 213 return; 214 215 maxlen = os_strlen(fmt) + 100; 216 format = os_malloc(maxlen); 217 if (!format) 218 return; 219 220 va_start(ap, fmt); 221 vsnprintf(format, maxlen, fmt, ap); 222 va_end(ap); 223 224 wpa_auth_logger(wpa_auth, addr, level, format); 225 226 os_free(format); 227 } 228 229 230 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 231 const u8 *addr, u16 reason) 232 { 233 if (wpa_auth->cb->disconnect == NULL) 234 return; 235 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)", 236 MAC2STR(addr), reason); 237 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason); 238 } 239 240 241 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 242 { 243 struct wpa_authenticator *wpa_auth = eloop_ctx; 244 245 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 246 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 247 "initialization."); 248 } else { 249 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 250 wpa_hexdump_key(MSG_DEBUG, "GMK", 251 wpa_auth->group->GMK, WPA_GMK_LEN); 252 } 253 254 if (wpa_auth->conf.wpa_gmk_rekey) { 255 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 256 wpa_rekey_gmk, wpa_auth, NULL); 257 } 258 } 259 260 261 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 262 { 263 struct wpa_authenticator *wpa_auth = eloop_ctx; 264 struct wpa_group *group, *next; 265 266 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 267 group = wpa_auth->group; 268 while (group) { 269 wpa_group_get(wpa_auth, group); 270 271 group->GTKReKey = TRUE; 272 do { 273 group->changed = FALSE; 274 wpa_group_sm_step(wpa_auth, group); 275 } while (group->changed); 276 277 next = group->next; 278 wpa_group_put(wpa_auth, group); 279 group = next; 280 } 281 282 if (wpa_auth->conf.wpa_group_rekey) { 283 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 284 0, wpa_rekey_gtk, wpa_auth, NULL); 285 } 286 } 287 288 289 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 290 { 291 struct wpa_authenticator *wpa_auth = eloop_ctx; 292 struct wpa_state_machine *sm = timeout_ctx; 293 294 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 295 wpa_request_new_ptk(sm); 296 wpa_sm_step(sm); 297 } 298 299 300 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 301 { 302 if (sm->pmksa == ctx) 303 sm->pmksa = NULL; 304 return 0; 305 } 306 307 308 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 309 void *ctx) 310 { 311 struct wpa_authenticator *wpa_auth = ctx; 312 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 313 } 314 315 316 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 317 struct wpa_group *group) 318 { 319 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 320 u8 rkey[32]; 321 unsigned long ptr; 322 323 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 324 return -1; 325 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 326 327 /* 328 * Counter = PRF-256(Random number, "Init Counter", 329 * Local MAC Address || Time) 330 */ 331 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 332 wpa_get_ntp_timestamp(buf + ETH_ALEN); 333 ptr = (unsigned long) group; 334 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 335 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 336 return -1; 337 338 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 339 group->Counter, WPA_NONCE_LEN) < 0) 340 return -1; 341 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 342 group->Counter, WPA_NONCE_LEN); 343 344 return 0; 345 } 346 347 348 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 349 int vlan_id, int delay_init) 350 { 351 struct wpa_group *group; 352 353 group = os_zalloc(sizeof(struct wpa_group)); 354 if (group == NULL) 355 return NULL; 356 357 group->GTKAuthenticator = TRUE; 358 group->vlan_id = vlan_id; 359 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 360 361 if (random_pool_ready() != 1) { 362 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 363 "for secure operations - update keys later when " 364 "the first station connects"); 365 } 366 367 /* 368 * Set initial GMK/Counter value here. The actual values that will be 369 * used in negotiations will be set once the first station tries to 370 * connect. This allows more time for collecting additional randomness 371 * on embedded devices. 372 */ 373 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 374 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 375 "initialization."); 376 os_free(group); 377 return NULL; 378 } 379 380 group->GInit = TRUE; 381 if (delay_init) { 382 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 383 "until Beacon frames have been configured"); 384 /* Initialization is completed in wpa_init_keys(). */ 385 } else { 386 wpa_group_sm_step(wpa_auth, group); 387 group->GInit = FALSE; 388 wpa_group_sm_step(wpa_auth, group); 389 } 390 391 return group; 392 } 393 394 395 /** 396 * wpa_init - Initialize WPA authenticator 397 * @addr: Authenticator address 398 * @conf: Configuration for WPA authenticator 399 * @cb: Callback functions for WPA authenticator 400 * Returns: Pointer to WPA authenticator data or %NULL on failure 401 */ 402 struct wpa_authenticator * wpa_init(const u8 *addr, 403 struct wpa_auth_config *conf, 404 const struct wpa_auth_callbacks *cb, 405 void *cb_ctx) 406 { 407 struct wpa_authenticator *wpa_auth; 408 409 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 410 if (wpa_auth == NULL) 411 return NULL; 412 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 413 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 414 wpa_auth->cb = cb; 415 wpa_auth->cb_ctx = cb_ctx; 416 417 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 418 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 419 os_free(wpa_auth); 420 return NULL; 421 } 422 423 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 424 if (wpa_auth->group == NULL) { 425 os_free(wpa_auth->wpa_ie); 426 os_free(wpa_auth); 427 return NULL; 428 } 429 430 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 431 wpa_auth); 432 if (wpa_auth->pmksa == NULL) { 433 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 434 os_free(wpa_auth->group); 435 os_free(wpa_auth->wpa_ie); 436 os_free(wpa_auth); 437 return NULL; 438 } 439 440 #ifdef CONFIG_IEEE80211R_AP 441 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 442 if (wpa_auth->ft_pmk_cache == NULL) { 443 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 444 os_free(wpa_auth->group); 445 os_free(wpa_auth->wpa_ie); 446 pmksa_cache_auth_deinit(wpa_auth->pmksa); 447 os_free(wpa_auth); 448 return NULL; 449 } 450 #endif /* CONFIG_IEEE80211R_AP */ 451 452 if (wpa_auth->conf.wpa_gmk_rekey) { 453 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 454 wpa_rekey_gmk, wpa_auth, NULL); 455 } 456 457 if (wpa_auth->conf.wpa_group_rekey) { 458 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 459 wpa_rekey_gtk, wpa_auth, NULL); 460 } 461 462 #ifdef CONFIG_P2P 463 if (WPA_GET_BE32(conf->ip_addr_start)) { 464 int count = WPA_GET_BE32(conf->ip_addr_end) - 465 WPA_GET_BE32(conf->ip_addr_start) + 1; 466 if (count > 1000) 467 count = 1000; 468 if (count > 0) 469 wpa_auth->ip_pool = bitfield_alloc(count); 470 } 471 #endif /* CONFIG_P2P */ 472 473 return wpa_auth; 474 } 475 476 477 int wpa_init_keys(struct wpa_authenticator *wpa_auth) 478 { 479 struct wpa_group *group = wpa_auth->group; 480 481 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 482 "keys"); 483 wpa_group_sm_step(wpa_auth, group); 484 group->GInit = FALSE; 485 wpa_group_sm_step(wpa_auth, group); 486 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 487 return -1; 488 return 0; 489 } 490 491 492 /** 493 * wpa_deinit - Deinitialize WPA authenticator 494 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 495 */ 496 void wpa_deinit(struct wpa_authenticator *wpa_auth) 497 { 498 struct wpa_group *group, *prev; 499 500 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 501 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 502 503 pmksa_cache_auth_deinit(wpa_auth->pmksa); 504 505 #ifdef CONFIG_IEEE80211R_AP 506 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 507 wpa_auth->ft_pmk_cache = NULL; 508 wpa_ft_deinit(wpa_auth); 509 #endif /* CONFIG_IEEE80211R_AP */ 510 511 #ifdef CONFIG_P2P 512 bitfield_free(wpa_auth->ip_pool); 513 #endif /* CONFIG_P2P */ 514 515 516 os_free(wpa_auth->wpa_ie); 517 518 group = wpa_auth->group; 519 while (group) { 520 prev = group; 521 group = group->next; 522 os_free(prev); 523 } 524 525 os_free(wpa_auth); 526 } 527 528 529 /** 530 * wpa_reconfig - Update WPA authenticator configuration 531 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 532 * @conf: Configuration for WPA authenticator 533 */ 534 int wpa_reconfig(struct wpa_authenticator *wpa_auth, 535 struct wpa_auth_config *conf) 536 { 537 struct wpa_group *group; 538 if (wpa_auth == NULL) 539 return 0; 540 541 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 542 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 543 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 544 return -1; 545 } 546 547 /* 548 * Reinitialize GTK to make sure it is suitable for the new 549 * configuration. 550 */ 551 group = wpa_auth->group; 552 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 553 group->GInit = TRUE; 554 wpa_group_sm_step(wpa_auth, group); 555 group->GInit = FALSE; 556 wpa_group_sm_step(wpa_auth, group); 557 558 return 0; 559 } 560 561 562 struct wpa_state_machine * 563 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 564 const u8 *p2p_dev_addr) 565 { 566 struct wpa_state_machine *sm; 567 568 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 569 return NULL; 570 571 sm = os_zalloc(sizeof(struct wpa_state_machine)); 572 if (sm == NULL) 573 return NULL; 574 os_memcpy(sm->addr, addr, ETH_ALEN); 575 if (p2p_dev_addr) 576 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 577 578 sm->wpa_auth = wpa_auth; 579 sm->group = wpa_auth->group; 580 wpa_group_get(sm->wpa_auth, sm->group); 581 582 return sm; 583 } 584 585 586 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 587 struct wpa_state_machine *sm) 588 { 589 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 590 return -1; 591 592 #ifdef CONFIG_IEEE80211R_AP 593 if (sm->ft_completed) { 594 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 595 "FT authentication already completed - do not " 596 "start 4-way handshake"); 597 /* Go to PTKINITDONE state to allow GTK rekeying */ 598 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 599 sm->Pair = TRUE; 600 return 0; 601 } 602 #endif /* CONFIG_IEEE80211R_AP */ 603 604 #ifdef CONFIG_FILS 605 if (sm->fils_completed) { 606 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 607 "FILS authentication already completed - do not start 4-way handshake"); 608 /* Go to PTKINITDONE state to allow GTK rekeying */ 609 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 610 sm->Pair = TRUE; 611 return 0; 612 } 613 #endif /* CONFIG_FILS */ 614 615 if (sm->started) { 616 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 617 sm->ReAuthenticationRequest = TRUE; 618 return wpa_sm_step(sm); 619 } 620 621 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 622 "start authentication"); 623 sm->started = 1; 624 625 sm->Init = TRUE; 626 if (wpa_sm_step(sm) == 1) 627 return 1; /* should not really happen */ 628 sm->Init = FALSE; 629 sm->AuthenticationRequest = TRUE; 630 return wpa_sm_step(sm); 631 } 632 633 634 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 635 { 636 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 637 * reassociates back to the same AP while the previous entry for the 638 * STA has not yet been removed. */ 639 if (sm == NULL) 640 return; 641 642 sm->wpa_key_mgmt = 0; 643 } 644 645 646 static void wpa_free_sta_sm(struct wpa_state_machine *sm) 647 { 648 #ifdef CONFIG_P2P 649 if (WPA_GET_BE32(sm->ip_addr)) { 650 u32 start; 651 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP " 652 "address %u.%u.%u.%u from " MACSTR, 653 sm->ip_addr[0], sm->ip_addr[1], 654 sm->ip_addr[2], sm->ip_addr[3], 655 MAC2STR(sm->addr)); 656 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start); 657 bitfield_clear(sm->wpa_auth->ip_pool, 658 WPA_GET_BE32(sm->ip_addr) - start); 659 } 660 #endif /* CONFIG_P2P */ 661 if (sm->GUpdateStationKeys) { 662 sm->group->GKeyDoneStations--; 663 sm->GUpdateStationKeys = FALSE; 664 } 665 #ifdef CONFIG_IEEE80211R_AP 666 os_free(sm->assoc_resp_ftie); 667 wpabuf_free(sm->ft_pending_req_ies); 668 #endif /* CONFIG_IEEE80211R_AP */ 669 os_free(sm->last_rx_eapol_key); 670 os_free(sm->wpa_ie); 671 wpa_group_put(sm->wpa_auth, sm->group); 672 os_free(sm); 673 } 674 675 676 void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 677 { 678 if (sm == NULL) 679 return; 680 681 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 682 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 683 "strict rekeying - force GTK rekey since STA " 684 "is leaving"); 685 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk, 686 sm->wpa_auth, NULL) == -1) 687 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 688 NULL); 689 } 690 691 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 692 sm->pending_1_of_4_timeout = 0; 693 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 694 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 695 #ifdef CONFIG_IEEE80211R_AP 696 wpa_ft_sta_deinit(sm); 697 #endif /* CONFIG_IEEE80211R_AP */ 698 if (sm->in_step_loop) { 699 /* Must not free state machine while wpa_sm_step() is running. 700 * Freeing will be completed in the end of wpa_sm_step(). */ 701 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 702 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 703 sm->pending_deinit = 1; 704 } else 705 wpa_free_sta_sm(sm); 706 } 707 708 709 static void wpa_request_new_ptk(struct wpa_state_machine *sm) 710 { 711 if (sm == NULL) 712 return; 713 714 sm->PTKRequest = TRUE; 715 sm->PTK_valid = 0; 716 } 717 718 719 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 720 const u8 *replay_counter) 721 { 722 int i; 723 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 724 if (!ctr[i].valid) 725 break; 726 if (os_memcmp(replay_counter, ctr[i].counter, 727 WPA_REPLAY_COUNTER_LEN) == 0) 728 return 1; 729 } 730 return 0; 731 } 732 733 734 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 735 const u8 *replay_counter) 736 { 737 int i; 738 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 739 if (ctr[i].valid && 740 (replay_counter == NULL || 741 os_memcmp(replay_counter, ctr[i].counter, 742 WPA_REPLAY_COUNTER_LEN) == 0)) 743 ctr[i].valid = FALSE; 744 } 745 } 746 747 748 #ifdef CONFIG_IEEE80211R_AP 749 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 750 struct wpa_state_machine *sm, 751 struct wpa_eapol_ie_parse *kde) 752 { 753 struct wpa_ie_data ie; 754 struct rsn_mdie *mdie; 755 756 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 757 ie.num_pmkid != 1 || ie.pmkid == NULL) { 758 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 759 "FT 4-way handshake message 2/4"); 760 return -1; 761 } 762 763 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 764 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 765 sm->sup_pmk_r1_name, PMKID_LEN); 766 767 if (!kde->mdie || !kde->ftie) { 768 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 769 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 770 return -1; 771 } 772 773 mdie = (struct rsn_mdie *) (kde->mdie + 2); 774 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 775 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 776 MOBILITY_DOMAIN_ID_LEN) != 0) { 777 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 778 return -1; 779 } 780 781 if (sm->assoc_resp_ftie && 782 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 783 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 784 2 + sm->assoc_resp_ftie[1]) != 0)) { 785 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 786 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 787 kde->ftie, kde->ftie_len); 788 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 789 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 790 return -1; 791 } 792 793 return 0; 794 } 795 #endif /* CONFIG_IEEE80211R_AP */ 796 797 798 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 799 struct wpa_state_machine *sm, int group) 800 { 801 /* Supplicant reported a Michael MIC error */ 802 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 803 "received EAPOL-Key Error Request " 804 "(STA detected Michael MIC failure (group=%d))", 805 group); 806 807 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 808 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 809 "ignore Michael MIC failure report since " 810 "group cipher is not TKIP"); 811 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 812 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 813 "ignore Michael MIC failure report since " 814 "pairwise cipher is not TKIP"); 815 } else { 816 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 817 return 1; /* STA entry was removed */ 818 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 819 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 820 } 821 822 /* 823 * Error report is not a request for a new key handshake, but since 824 * Authenticator may do it, let's change the keys now anyway. 825 */ 826 wpa_request_new_ptk(sm); 827 return 0; 828 } 829 830 831 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, 832 size_t data_len) 833 { 834 struct wpa_ptk PTK; 835 int ok = 0; 836 const u8 *pmk = NULL; 837 size_t pmk_len; 838 839 os_memset(&PTK, 0, sizeof(PTK)); 840 for (;;) { 841 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 842 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 843 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 844 sm->p2p_dev_addr, pmk, &pmk_len); 845 if (pmk == NULL) 846 break; 847 #ifdef CONFIG_IEEE80211R_AP 848 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { 849 os_memcpy(sm->xxkey, pmk, pmk_len); 850 sm->xxkey_len = pmk_len; 851 } 852 #endif /* CONFIG_IEEE80211R_AP */ 853 } else { 854 pmk = sm->PMK; 855 pmk_len = sm->pmk_len; 856 } 857 858 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0) 859 break; 860 861 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK, 862 data, data_len) == 0) { 863 ok = 1; 864 break; 865 } 866 867 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 868 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) 869 break; 870 } 871 872 if (!ok) { 873 wpa_printf(MSG_DEBUG, 874 "WPA: Earlier SNonce did not result in matching MIC"); 875 return -1; 876 } 877 878 wpa_printf(MSG_DEBUG, 879 "WPA: Earlier SNonce resulted in matching MIC"); 880 sm->alt_snonce_valid = 0; 881 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN); 882 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 883 sm->PTK_valid = TRUE; 884 885 return 0; 886 } 887 888 889 void wpa_receive(struct wpa_authenticator *wpa_auth, 890 struct wpa_state_machine *sm, 891 u8 *data, size_t data_len) 892 { 893 struct ieee802_1x_hdr *hdr; 894 struct wpa_eapol_key *key; 895 u16 key_info, key_data_length; 896 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg; 897 char *msgtxt; 898 struct wpa_eapol_ie_parse kde; 899 const u8 *key_data; 900 size_t keyhdrlen, mic_len; 901 u8 *mic; 902 903 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 904 return; 905 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len); 906 907 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 908 keyhdrlen = sizeof(*key) + mic_len + 2; 909 910 if (data_len < sizeof(*hdr) + keyhdrlen) { 911 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame"); 912 return; 913 } 914 915 hdr = (struct ieee802_1x_hdr *) data; 916 key = (struct wpa_eapol_key *) (hdr + 1); 917 mic = (u8 *) (key + 1); 918 key_info = WPA_GET_BE16(key->key_info); 919 key_data = mic + mic_len + 2; 920 key_data_length = WPA_GET_BE16(mic + mic_len); 921 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 922 " key_info=0x%x type=%u mic_len=%u key_data_length=%u", 923 MAC2STR(sm->addr), key_info, key->type, 924 (unsigned int) mic_len, key_data_length); 925 wpa_hexdump(MSG_MSGDUMP, 926 "WPA: EAPOL-Key header (ending before Key MIC)", 927 key, sizeof(*key)); 928 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC", 929 mic, mic_len); 930 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) { 931 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 932 "key_data overflow (%d > %lu)", 933 key_data_length, 934 (unsigned long) (data_len - sizeof(*hdr) - 935 keyhdrlen)); 936 return; 937 } 938 939 if (sm->wpa == WPA_VERSION_WPA2) { 940 if (key->type == EAPOL_KEY_TYPE_WPA) { 941 /* 942 * Some deployed station implementations seem to send 943 * msg 4/4 with incorrect type value in WPA2 mode. 944 */ 945 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 946 "with unexpected WPA type in RSN mode"); 947 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 948 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 949 "unexpected type %d in RSN mode", 950 key->type); 951 return; 952 } 953 } else { 954 if (key->type != EAPOL_KEY_TYPE_WPA) { 955 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 956 "unexpected type %d in WPA mode", 957 key->type); 958 return; 959 } 960 } 961 962 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 963 WPA_NONCE_LEN); 964 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 965 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 966 967 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 968 * are set */ 969 970 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 971 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message"); 972 return; 973 } 974 975 if (key_info & WPA_KEY_INFO_REQUEST) { 976 msg = REQUEST; 977 msgtxt = "Request"; 978 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 979 msg = GROUP_2; 980 msgtxt = "2/2 Group"; 981 } else if (key_data_length == 0 || 982 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && 983 key_data_length == AES_BLOCK_SIZE)) { 984 msg = PAIRWISE_4; 985 msgtxt = "4/4 Pairwise"; 986 } else { 987 msg = PAIRWISE_2; 988 msgtxt = "2/4 Pairwise"; 989 } 990 991 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 992 msg == GROUP_2) { 993 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 994 if (sm->pairwise == WPA_CIPHER_CCMP || 995 sm->pairwise == WPA_CIPHER_GCMP) { 996 if (wpa_use_cmac(sm->wpa_key_mgmt) && 997 !wpa_use_akm_defined(sm->wpa_key_mgmt) && 998 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 999 wpa_auth_logger(wpa_auth, sm->addr, 1000 LOGGER_WARNING, 1001 "advertised support for " 1002 "AES-128-CMAC, but did not " 1003 "use it"); 1004 return; 1005 } 1006 1007 if (!wpa_use_cmac(sm->wpa_key_mgmt) && 1008 !wpa_use_akm_defined(sm->wpa_key_mgmt) && 1009 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1010 wpa_auth_logger(wpa_auth, sm->addr, 1011 LOGGER_WARNING, 1012 "did not use HMAC-SHA1-AES " 1013 "with CCMP/GCMP"); 1014 return; 1015 } 1016 } 1017 1018 if (wpa_use_akm_defined(sm->wpa_key_mgmt) && 1019 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 1020 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1021 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases"); 1022 return; 1023 } 1024 } 1025 1026 if (key_info & WPA_KEY_INFO_REQUEST) { 1027 if (sm->req_replay_counter_used && 1028 os_memcmp(key->replay_counter, sm->req_replay_counter, 1029 WPA_REPLAY_COUNTER_LEN) <= 0) { 1030 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1031 "received EAPOL-Key request with " 1032 "replayed counter"); 1033 return; 1034 } 1035 } 1036 1037 if (!(key_info & WPA_KEY_INFO_REQUEST) && 1038 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 1039 int i; 1040 1041 if (msg == PAIRWISE_2 && 1042 wpa_replay_counter_valid(sm->prev_key_replay, 1043 key->replay_counter) && 1044 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1045 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 1046 { 1047 /* 1048 * Some supplicant implementations (e.g., Windows XP 1049 * WZC) update SNonce for each EAPOL-Key 2/4. This 1050 * breaks the workaround on accepting any of the 1051 * pending requests, so allow the SNonce to be updated 1052 * even if we have already sent out EAPOL-Key 3/4. 1053 */ 1054 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1055 "Process SNonce update from STA " 1056 "based on retransmitted EAPOL-Key " 1057 "1/4"); 1058 sm->update_snonce = 1; 1059 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN); 1060 sm->alt_snonce_valid = TRUE; 1061 os_memcpy(sm->alt_replay_counter, 1062 sm->key_replay[0].counter, 1063 WPA_REPLAY_COUNTER_LEN); 1064 goto continue_processing; 1065 } 1066 1067 if (msg == PAIRWISE_4 && sm->alt_snonce_valid && 1068 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1069 os_memcmp(key->replay_counter, sm->alt_replay_counter, 1070 WPA_REPLAY_COUNTER_LEN) == 0) { 1071 /* 1072 * Supplicant may still be using the old SNonce since 1073 * there was two EAPOL-Key 2/4 messages and they had 1074 * different SNonce values. 1075 */ 1076 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1077 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4"); 1078 goto continue_processing; 1079 } 1080 1081 if (msg == PAIRWISE_2 && 1082 wpa_replay_counter_valid(sm->prev_key_replay, 1083 key->replay_counter) && 1084 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 1085 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1086 "ignore retransmitted EAPOL-Key %s - " 1087 "SNonce did not change", msgtxt); 1088 } else { 1089 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1090 "received EAPOL-Key %s with " 1091 "unexpected replay counter", msgtxt); 1092 } 1093 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 1094 if (!sm->key_replay[i].valid) 1095 break; 1096 wpa_hexdump(MSG_DEBUG, "pending replay counter", 1097 sm->key_replay[i].counter, 1098 WPA_REPLAY_COUNTER_LEN); 1099 } 1100 wpa_hexdump(MSG_DEBUG, "received replay counter", 1101 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1102 return; 1103 } 1104 1105 continue_processing: 1106 #ifdef CONFIG_FILS 1107 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 && 1108 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1109 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1110 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame"); 1111 return; 1112 } 1113 #endif /* CONFIG_FILS */ 1114 1115 switch (msg) { 1116 case PAIRWISE_2: 1117 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 1118 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 1119 (!sm->update_snonce || 1120 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 1121 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1122 "received EAPOL-Key msg 2/4 in " 1123 "invalid state (%d) - dropped", 1124 sm->wpa_ptk_state); 1125 return; 1126 } 1127 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 1128 if (sm->group->reject_4way_hs_for_entropy) { 1129 /* 1130 * The system did not have enough entropy to generate 1131 * strong random numbers. Reject the first 4-way 1132 * handshake(s) and collect some entropy based on the 1133 * information from it. Once enough entropy is 1134 * available, the next atempt will trigger GMK/Key 1135 * Counter update and the station will be allowed to 1136 * continue. 1137 */ 1138 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 1139 "collect more entropy for random number " 1140 "generation"); 1141 random_mark_pool_ready(); 1142 wpa_sta_disconnect(wpa_auth, sm->addr, 1143 WLAN_REASON_PREV_AUTH_NOT_VALID); 1144 return; 1145 } 1146 break; 1147 case PAIRWISE_4: 1148 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1149 !sm->PTK_valid) { 1150 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1151 "received EAPOL-Key msg 4/4 in " 1152 "invalid state (%d) - dropped", 1153 sm->wpa_ptk_state); 1154 return; 1155 } 1156 break; 1157 case GROUP_2: 1158 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1159 || !sm->PTK_valid) { 1160 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1161 "received EAPOL-Key msg 2/2 in " 1162 "invalid state (%d) - dropped", 1163 sm->wpa_ptk_group_state); 1164 return; 1165 } 1166 break; 1167 case REQUEST: 1168 break; 1169 } 1170 1171 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1172 "received EAPOL-Key frame (%s)", msgtxt); 1173 1174 if (key_info & WPA_KEY_INFO_ACK) { 1175 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1176 "received invalid EAPOL-Key: Key Ack set"); 1177 return; 1178 } 1179 1180 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1181 !(key_info & WPA_KEY_INFO_MIC)) { 1182 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1183 "received invalid EAPOL-Key: Key MIC not set"); 1184 return; 1185 } 1186 1187 #ifdef CONFIG_FILS 1188 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1189 (key_info & WPA_KEY_INFO_MIC)) { 1190 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1191 "received invalid EAPOL-Key: Key MIC set"); 1192 return; 1193 } 1194 #endif /* CONFIG_FILS */ 1195 1196 sm->MICVerified = FALSE; 1197 if (sm->PTK_valid && !sm->update_snonce) { 1198 if (mic_len && 1199 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK, 1200 data, data_len) && 1201 (msg != PAIRWISE_4 || !sm->alt_snonce_valid || 1202 wpa_try_alt_snonce(sm, data, data_len))) { 1203 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1204 "received EAPOL-Key with invalid MIC"); 1205 return; 1206 } 1207 #ifdef CONFIG_FILS 1208 if (!mic_len && 1209 wpa_aead_decrypt(sm, &sm->PTK, data, data_len, 1210 &key_data_length) < 0) { 1211 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1212 "received EAPOL-Key with invalid MIC"); 1213 return; 1214 } 1215 #endif /* CONFIG_FILS */ 1216 sm->MICVerified = TRUE; 1217 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1218 sm->pending_1_of_4_timeout = 0; 1219 } 1220 1221 if (key_info & WPA_KEY_INFO_REQUEST) { 1222 if (sm->MICVerified) { 1223 sm->req_replay_counter_used = 1; 1224 os_memcpy(sm->req_replay_counter, key->replay_counter, 1225 WPA_REPLAY_COUNTER_LEN); 1226 } else { 1227 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1228 "received EAPOL-Key request with " 1229 "invalid MIC"); 1230 return; 1231 } 1232 1233 /* 1234 * TODO: should decrypt key data field if encryption was used; 1235 * even though MAC address KDE is not normally encrypted, 1236 * supplicant is allowed to encrypt it. 1237 */ 1238 if (key_info & WPA_KEY_INFO_ERROR) { 1239 if (wpa_receive_error_report( 1240 wpa_auth, sm, 1241 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1242 return; /* STA entry was removed */ 1243 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1244 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1245 "received EAPOL-Key Request for new " 1246 "4-Way Handshake"); 1247 wpa_request_new_ptk(sm); 1248 } else if (key_data_length > 0 && 1249 wpa_parse_kde_ies(key_data, key_data_length, 1250 &kde) == 0 && 1251 kde.mac_addr) { 1252 } else { 1253 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1254 "received EAPOL-Key Request for GTK " 1255 "rekeying"); 1256 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1257 wpa_rekey_gtk(wpa_auth, NULL); 1258 } 1259 } else { 1260 /* Do not allow the same key replay counter to be reused. */ 1261 wpa_replay_counter_mark_invalid(sm->key_replay, 1262 key->replay_counter); 1263 1264 if (msg == PAIRWISE_2) { 1265 /* 1266 * Maintain a copy of the pending EAPOL-Key frames in 1267 * case the EAPOL-Key frame was retransmitted. This is 1268 * needed to allow EAPOL-Key msg 2/4 reply to another 1269 * pending msg 1/4 to update the SNonce to work around 1270 * unexpected supplicant behavior. 1271 */ 1272 os_memcpy(sm->prev_key_replay, sm->key_replay, 1273 sizeof(sm->key_replay)); 1274 } else { 1275 os_memset(sm->prev_key_replay, 0, 1276 sizeof(sm->prev_key_replay)); 1277 } 1278 1279 /* 1280 * Make sure old valid counters are not accepted anymore and 1281 * do not get copied again. 1282 */ 1283 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1284 } 1285 1286 os_free(sm->last_rx_eapol_key); 1287 sm->last_rx_eapol_key = os_memdup(data, data_len); 1288 if (sm->last_rx_eapol_key == NULL) 1289 return; 1290 sm->last_rx_eapol_key_len = data_len; 1291 1292 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1293 sm->EAPOLKeyReceived = TRUE; 1294 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1295 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1296 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1297 wpa_sm_step(sm); 1298 } 1299 1300 1301 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1302 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1303 { 1304 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN]; 1305 u8 *pos; 1306 int ret = 0; 1307 1308 /* GTK = PRF-X(GMK, "Group key expansion", 1309 * AA || GNonce || Time || random data) 1310 * The example described in the IEEE 802.11 standard uses only AA and 1311 * GNonce as inputs here. Add some more entropy since this derivation 1312 * is done only at the Authenticator and as such, does not need to be 1313 * exactly same. 1314 */ 1315 os_memset(data, 0, sizeof(data)); 1316 os_memcpy(data, addr, ETH_ALEN); 1317 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1318 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1319 wpa_get_ntp_timestamp(pos); 1320 pos += 8; 1321 if (random_get_bytes(pos, gtk_len) < 0) 1322 ret = -1; 1323 1324 #ifdef CONFIG_SHA384 1325 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1326 gtk, gtk_len) < 0) 1327 ret = -1; 1328 #else /* CONFIG_SHA384 */ 1329 #ifdef CONFIG_SHA256 1330 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1331 gtk, gtk_len) < 0) 1332 ret = -1; 1333 #else /* CONFIG_SHA256 */ 1334 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1335 gtk, gtk_len) < 0) 1336 ret = -1; 1337 #endif /* CONFIG_SHA256 */ 1338 #endif /* CONFIG_SHA384 */ 1339 1340 return ret; 1341 } 1342 1343 1344 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1345 { 1346 struct wpa_authenticator *wpa_auth = eloop_ctx; 1347 struct wpa_state_machine *sm = timeout_ctx; 1348 1349 sm->pending_1_of_4_timeout = 0; 1350 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1351 sm->TimeoutEvt = TRUE; 1352 wpa_sm_step(sm); 1353 } 1354 1355 1356 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1357 struct wpa_state_machine *sm, int key_info, 1358 const u8 *key_rsc, const u8 *nonce, 1359 const u8 *kde, size_t kde_len, 1360 int keyidx, int encr, int force_version) 1361 { 1362 struct ieee802_1x_hdr *hdr; 1363 struct wpa_eapol_key *key; 1364 size_t len, mic_len, keyhdrlen; 1365 int alg; 1366 int key_data_len, pad_len = 0; 1367 u8 *buf, *pos; 1368 int version, pairwise; 1369 int i; 1370 u8 *key_mic, *key_data; 1371 1372 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 1373 keyhdrlen = sizeof(*key) + mic_len + 2; 1374 1375 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen; 1376 1377 if (force_version) 1378 version = force_version; 1379 else if (wpa_use_akm_defined(sm->wpa_key_mgmt)) 1380 version = WPA_KEY_INFO_TYPE_AKM_DEFINED; 1381 else if (wpa_use_cmac(sm->wpa_key_mgmt)) 1382 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1383 else if (sm->pairwise != WPA_CIPHER_TKIP) 1384 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1385 else 1386 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1387 1388 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1389 1390 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1391 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1392 "encr=%d)", 1393 version, 1394 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1395 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1396 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1397 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1398 pairwise, (unsigned long) kde_len, keyidx, encr); 1399 1400 key_data_len = kde_len; 1401 1402 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1403 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) || 1404 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1405 pad_len = key_data_len % 8; 1406 if (pad_len) 1407 pad_len = 8 - pad_len; 1408 key_data_len += pad_len + 8; 1409 } 1410 1411 len += key_data_len; 1412 if (!mic_len && encr) 1413 len += AES_BLOCK_SIZE; 1414 1415 hdr = os_zalloc(len); 1416 if (hdr == NULL) 1417 return; 1418 hdr->version = wpa_auth->conf.eapol_version; 1419 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1420 hdr->length = host_to_be16(len - sizeof(*hdr)); 1421 key = (struct wpa_eapol_key *) (hdr + 1); 1422 key_mic = (u8 *) (key + 1); 1423 key_data = ((u8 *) (hdr + 1)) + keyhdrlen; 1424 1425 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1426 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1427 key_info |= version; 1428 if (encr && sm->wpa == WPA_VERSION_WPA2) 1429 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1430 if (sm->wpa != WPA_VERSION_WPA2) 1431 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1432 WPA_PUT_BE16(key->key_info, key_info); 1433 1434 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1435 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise) 1436 WPA_PUT_BE16(key->key_length, 0); 1437 else 1438 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1439 1440 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1441 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1442 os_memcpy(sm->key_replay[i].counter, 1443 sm->key_replay[i - 1].counter, 1444 WPA_REPLAY_COUNTER_LEN); 1445 } 1446 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1447 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1448 WPA_REPLAY_COUNTER_LEN); 1449 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", 1450 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1451 sm->key_replay[0].valid = TRUE; 1452 1453 if (nonce) 1454 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1455 1456 if (key_rsc) 1457 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1458 1459 if (kde && !encr) { 1460 os_memcpy(key_data, kde, kde_len); 1461 WPA_PUT_BE16(key_mic + mic_len, kde_len); 1462 #ifdef CONFIG_FILS 1463 } else if (!mic_len && kde) { 1464 const u8 *aad[1]; 1465 size_t aad_len[1]; 1466 1467 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len); 1468 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1469 kde, kde_len); 1470 1471 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", 1472 sm->PTK.kek, sm->PTK.kek_len); 1473 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 1474 * to Key Data (exclusive). */ 1475 aad[0] = (u8 *) hdr; 1476 aad_len[0] = key_mic + 2 - (u8 *) hdr; 1477 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len, 1478 1, aad, aad_len, key_mic + 2) < 0) { 1479 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed"); 1480 return; 1481 } 1482 1483 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV", 1484 key_mic + 2, AES_BLOCK_SIZE + kde_len); 1485 #endif /* CONFIG_FILS */ 1486 } else if (encr && kde) { 1487 buf = os_zalloc(key_data_len); 1488 if (buf == NULL) { 1489 os_free(hdr); 1490 return; 1491 } 1492 pos = buf; 1493 os_memcpy(pos, kde, kde_len); 1494 pos += kde_len; 1495 1496 if (pad_len) 1497 *pos++ = 0xdd; 1498 1499 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1500 buf, key_data_len); 1501 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1502 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) || 1503 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1504 wpa_printf(MSG_DEBUG, 1505 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)", 1506 (unsigned int) sm->PTK.kek_len); 1507 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len, 1508 (key_data_len - 8) / 8, buf, key_data)) { 1509 os_free(hdr); 1510 os_free(buf); 1511 return; 1512 } 1513 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1514 #ifndef CONFIG_NO_RC4 1515 } else if (sm->PTK.kek_len == 16) { 1516 u8 ek[32]; 1517 1518 wpa_printf(MSG_DEBUG, 1519 "WPA: Encrypt Key Data using RC4"); 1520 os_memcpy(key->key_iv, 1521 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1522 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1523 os_memcpy(ek, key->key_iv, 16); 1524 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len); 1525 os_memcpy(key_data, buf, key_data_len); 1526 rc4_skip(ek, 32, 256, key_data, key_data_len); 1527 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1528 #endif /* CONFIG_NO_RC4 */ 1529 } else { 1530 os_free(hdr); 1531 os_free(buf); 1532 return; 1533 } 1534 os_free(buf); 1535 } 1536 1537 if (key_info & WPA_KEY_INFO_MIC) { 1538 if (!sm->PTK_valid || !mic_len) { 1539 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1540 "PTK not valid when sending EAPOL-Key " 1541 "frame"); 1542 os_free(hdr); 1543 return; 1544 } 1545 1546 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len, 1547 sm->wpa_key_mgmt, version, 1548 (u8 *) hdr, len, key_mic) < 0) { 1549 os_free(hdr); 1550 return; 1551 } 1552 #ifdef CONFIG_TESTING_OPTIONS 1553 if (!pairwise && 1554 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 && 1555 drand48() < 1556 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { 1557 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1558 "Corrupting group EAPOL-Key Key MIC"); 1559 key_mic[0]++; 1560 } 1561 #endif /* CONFIG_TESTING_OPTIONS */ 1562 } 1563 1564 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1565 1); 1566 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1567 sm->pairwise_set); 1568 os_free(hdr); 1569 } 1570 1571 1572 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1573 struct wpa_state_machine *sm, int key_info, 1574 const u8 *key_rsc, const u8 *nonce, 1575 const u8 *kde, size_t kde_len, 1576 int keyidx, int encr) 1577 { 1578 int timeout_ms; 1579 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1580 u32 ctr; 1581 1582 if (sm == NULL) 1583 return; 1584 1585 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1586 keyidx, encr, 0); 1587 1588 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1589 if (ctr == 1 && wpa_auth->conf.tx_status) 1590 timeout_ms = pairwise ? eapol_key_timeout_first : 1591 eapol_key_timeout_first_group; 1592 else 1593 timeout_ms = eapol_key_timeout_subseq; 1594 if (wpa_auth->conf.wpa_disable_eapol_key_retries && 1595 (!pairwise || (key_info & WPA_KEY_INFO_MIC))) 1596 timeout_ms = eapol_key_timeout_no_retrans; 1597 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1598 sm->pending_1_of_4_timeout = 1; 1599 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1600 "counter %u)", timeout_ms, ctr); 1601 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1602 wpa_send_eapol_timeout, wpa_auth, sm); 1603 } 1604 1605 1606 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK, 1607 u8 *data, size_t data_len) 1608 { 1609 struct ieee802_1x_hdr *hdr; 1610 struct wpa_eapol_key *key; 1611 u16 key_info; 1612 int ret = 0; 1613 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos; 1614 size_t mic_len = wpa_mic_len(akmp, pmk_len); 1615 1616 if (data_len < sizeof(*hdr) + sizeof(*key)) 1617 return -1; 1618 1619 hdr = (struct ieee802_1x_hdr *) data; 1620 key = (struct wpa_eapol_key *) (hdr + 1); 1621 mic_pos = (u8 *) (key + 1); 1622 key_info = WPA_GET_BE16(key->key_info); 1623 os_memcpy(mic, mic_pos, mic_len); 1624 os_memset(mic_pos, 0, mic_len); 1625 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp, 1626 key_info & WPA_KEY_INFO_TYPE_MASK, 1627 data, data_len, mic_pos) || 1628 os_memcmp_const(mic, mic_pos, mic_len) != 0) 1629 ret = -1; 1630 os_memcpy(mic_pos, mic, mic_len); 1631 return ret; 1632 } 1633 1634 1635 void wpa_remove_ptk(struct wpa_state_machine *sm) 1636 { 1637 sm->PTK_valid = FALSE; 1638 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1639 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 1640 0)) 1641 wpa_printf(MSG_DEBUG, 1642 "RSN: PTK removal from the driver failed"); 1643 sm->pairwise_set = FALSE; 1644 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1645 } 1646 1647 1648 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) 1649 { 1650 int remove_ptk = 1; 1651 1652 if (sm == NULL) 1653 return -1; 1654 1655 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1656 "event %d notification", event); 1657 1658 switch (event) { 1659 case WPA_AUTH: 1660 #ifdef CONFIG_MESH 1661 /* PTKs are derived through AMPE */ 1662 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) { 1663 /* not mesh */ 1664 break; 1665 } 1666 return 0; 1667 #endif /* CONFIG_MESH */ 1668 case WPA_ASSOC: 1669 break; 1670 case WPA_DEAUTH: 1671 case WPA_DISASSOC: 1672 sm->DeauthenticationRequest = TRUE; 1673 break; 1674 case WPA_REAUTH: 1675 case WPA_REAUTH_EAPOL: 1676 if (!sm->started) { 1677 /* 1678 * When using WPS, we may end up here if the STA 1679 * manages to re-associate without the previous STA 1680 * entry getting removed. Consequently, we need to make 1681 * sure that the WPA state machines gets initialized 1682 * properly at this point. 1683 */ 1684 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1685 "started - initialize now"); 1686 sm->started = 1; 1687 sm->Init = TRUE; 1688 if (wpa_sm_step(sm) == 1) 1689 return 1; /* should not really happen */ 1690 sm->Init = FALSE; 1691 sm->AuthenticationRequest = TRUE; 1692 break; 1693 } 1694 if (sm->GUpdateStationKeys) { 1695 /* 1696 * Reauthentication cancels the pending group key 1697 * update for this STA. 1698 */ 1699 sm->group->GKeyDoneStations--; 1700 sm->GUpdateStationKeys = FALSE; 1701 sm->PtkGroupInit = TRUE; 1702 } 1703 sm->ReAuthenticationRequest = TRUE; 1704 break; 1705 case WPA_ASSOC_FT: 1706 #ifdef CONFIG_IEEE80211R_AP 1707 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1708 "after association"); 1709 wpa_ft_install_ptk(sm); 1710 1711 /* Using FT protocol, not WPA auth state machine */ 1712 sm->ft_completed = 1; 1713 return 0; 1714 #else /* CONFIG_IEEE80211R_AP */ 1715 break; 1716 #endif /* CONFIG_IEEE80211R_AP */ 1717 case WPA_ASSOC_FILS: 1718 #ifdef CONFIG_FILS 1719 wpa_printf(MSG_DEBUG, 1720 "FILS: TK configuration after association"); 1721 fils_set_tk(sm); 1722 sm->fils_completed = 1; 1723 return 0; 1724 #else /* CONFIG_FILS */ 1725 break; 1726 #endif /* CONFIG_FILS */ 1727 case WPA_DRV_STA_REMOVED: 1728 sm->tk_already_set = FALSE; 1729 return 0; 1730 } 1731 1732 #ifdef CONFIG_IEEE80211R_AP 1733 sm->ft_completed = 0; 1734 #endif /* CONFIG_IEEE80211R_AP */ 1735 1736 #ifdef CONFIG_IEEE80211W 1737 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1738 remove_ptk = 0; 1739 #endif /* CONFIG_IEEE80211W */ 1740 #ifdef CONFIG_FILS 1741 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1742 (event == WPA_AUTH || event == WPA_ASSOC)) 1743 remove_ptk = 0; 1744 #endif /* CONFIG_FILS */ 1745 1746 if (remove_ptk) { 1747 sm->PTK_valid = FALSE; 1748 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1749 1750 if (event != WPA_REAUTH_EAPOL) 1751 wpa_remove_ptk(sm); 1752 } 1753 1754 if (sm->in_step_loop) { 1755 /* 1756 * wpa_sm_step() is already running - avoid recursive call to 1757 * it by making the existing loop process the new update. 1758 */ 1759 sm->changed = TRUE; 1760 return 0; 1761 } 1762 return wpa_sm_step(sm); 1763 } 1764 1765 1766 SM_STATE(WPA_PTK, INITIALIZE) 1767 { 1768 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1769 if (sm->Init) { 1770 /* Init flag is not cleared here, so avoid busy 1771 * loop by claiming nothing changed. */ 1772 sm->changed = FALSE; 1773 } 1774 1775 sm->keycount = 0; 1776 if (sm->GUpdateStationKeys) 1777 sm->group->GKeyDoneStations--; 1778 sm->GUpdateStationKeys = FALSE; 1779 if (sm->wpa == WPA_VERSION_WPA) 1780 sm->PInitAKeys = FALSE; 1781 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1782 * Local AA > Remote AA)) */) { 1783 sm->Pair = TRUE; 1784 } 1785 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1786 wpa_remove_ptk(sm); 1787 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1788 sm->TimeoutCtr = 0; 1789 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 1790 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 1791 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) { 1792 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1793 WPA_EAPOL_authorized, 0); 1794 } 1795 } 1796 1797 1798 SM_STATE(WPA_PTK, DISCONNECT) 1799 { 1800 u16 reason = sm->disconnect_reason; 1801 1802 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1803 sm->Disconnect = FALSE; 1804 sm->disconnect_reason = 0; 1805 if (!reason) 1806 reason = WLAN_REASON_PREV_AUTH_NOT_VALID; 1807 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason); 1808 } 1809 1810 1811 SM_STATE(WPA_PTK, DISCONNECTED) 1812 { 1813 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1814 sm->DeauthenticationRequest = FALSE; 1815 } 1816 1817 1818 SM_STATE(WPA_PTK, AUTHENTICATION) 1819 { 1820 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1821 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1822 sm->PTK_valid = FALSE; 1823 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1824 1); 1825 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1826 sm->AuthenticationRequest = FALSE; 1827 } 1828 1829 1830 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1831 struct wpa_group *group) 1832 { 1833 if (group->first_sta_seen) 1834 return; 1835 /* 1836 * System has run bit further than at the time hostapd was started 1837 * potentially very early during boot up. This provides better chances 1838 * of collecting more randomness on embedded systems. Re-initialize the 1839 * GMK and Counter here to improve their strength if there was not 1840 * enough entropy available immediately after system startup. 1841 */ 1842 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1843 "station"); 1844 if (random_pool_ready() != 1) { 1845 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1846 "to proceed - reject first 4-way handshake"); 1847 group->reject_4way_hs_for_entropy = TRUE; 1848 } else { 1849 group->first_sta_seen = TRUE; 1850 group->reject_4way_hs_for_entropy = FALSE; 1851 } 1852 1853 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 || 1854 wpa_gtk_update(wpa_auth, group) < 0 || 1855 wpa_group_config_group_keys(wpa_auth, group) < 0) { 1856 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed"); 1857 group->first_sta_seen = FALSE; 1858 group->reject_4way_hs_for_entropy = TRUE; 1859 } 1860 } 1861 1862 1863 SM_STATE(WPA_PTK, AUTHENTICATION2) 1864 { 1865 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1866 1867 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1868 sm->ReAuthenticationRequest = FALSE; 1869 1870 /* 1871 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1872 * ambiguous. The Authenticator state machine uses a counter that is 1873 * incremented by one for each 4-way handshake. However, the security 1874 * analysis of 4-way handshake points out that unpredictable nonces 1875 * help in preventing precomputation attacks. Instead of the state 1876 * machine definition, use an unpredictable nonce value here to provide 1877 * stronger protection against potential precomputation attacks. 1878 */ 1879 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1880 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1881 "ANonce."); 1882 sm->Disconnect = TRUE; 1883 return; 1884 } 1885 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1886 WPA_NONCE_LEN); 1887 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1888 * logical place than INITIALIZE since AUTHENTICATION2 can be 1889 * re-entered on ReAuthenticationRequest without going through 1890 * INITIALIZE. */ 1891 sm->TimeoutCtr = 0; 1892 } 1893 1894 1895 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) 1896 { 1897 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1898 wpa_printf(MSG_ERROR, 1899 "WPA: Failed to get random data for ANonce"); 1900 sm->Disconnect = TRUE; 1901 return -1; 1902 } 1903 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, 1904 WPA_NONCE_LEN); 1905 sm->TimeoutCtr = 0; 1906 return 0; 1907 } 1908 1909 1910 SM_STATE(WPA_PTK, INITPMK) 1911 { 1912 u8 msk[2 * PMK_LEN]; 1913 size_t len = 2 * PMK_LEN; 1914 1915 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1916 #ifdef CONFIG_IEEE80211R_AP 1917 sm->xxkey_len = 0; 1918 #endif /* CONFIG_IEEE80211R_AP */ 1919 if (sm->pmksa) { 1920 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1921 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 1922 sm->pmk_len = sm->pmksa->pmk_len; 1923 #ifdef CONFIG_DPP 1924 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) { 1925 wpa_printf(MSG_DEBUG, 1926 "DPP: No PMKSA cache entry for STA - reject connection"); 1927 sm->Disconnect = TRUE; 1928 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID; 1929 return; 1930 #endif /* CONFIG_DPP */ 1931 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1932 unsigned int pmk_len; 1933 1934 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) 1935 pmk_len = PMK_LEN_SUITE_B_192; 1936 else 1937 pmk_len = PMK_LEN; 1938 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1939 "(MSK len=%lu PMK len=%u)", (unsigned long) len, 1940 pmk_len); 1941 if (len < pmk_len) { 1942 wpa_printf(MSG_DEBUG, 1943 "WPA: MSK not long enough (%u) to create PMK (%u)", 1944 (unsigned int) len, (unsigned int) pmk_len); 1945 sm->Disconnect = TRUE; 1946 return; 1947 } 1948 os_memcpy(sm->PMK, msk, pmk_len); 1949 sm->pmk_len = pmk_len; 1950 #ifdef CONFIG_IEEE80211R_AP 1951 if (len >= 2 * PMK_LEN) { 1952 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 1953 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN); 1954 sm->xxkey_len = SHA384_MAC_LEN; 1955 } else { 1956 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1957 sm->xxkey_len = PMK_LEN; 1958 } 1959 } 1960 #endif /* CONFIG_IEEE80211R_AP */ 1961 } else { 1962 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p", 1963 sm->wpa_auth->cb->get_msk); 1964 sm->Disconnect = TRUE; 1965 return; 1966 } 1967 os_memset(msk, 0, sizeof(msk)); 1968 1969 sm->req_replay_counter_used = 0; 1970 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1971 * will break reauthentication since EAPOL state machines may not be 1972 * get into AUTHENTICATING state that clears keyRun before WPA state 1973 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1974 * state and takes PMK from the previously used AAA Key. This will 1975 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1976 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1977 * be good workaround for this issue. */ 1978 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1979 } 1980 1981 1982 SM_STATE(WPA_PTK, INITPSK) 1983 { 1984 const u8 *psk; 1985 size_t psk_len; 1986 1987 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1988 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL, 1989 &psk_len); 1990 if (psk) { 1991 os_memcpy(sm->PMK, psk, psk_len); 1992 sm->pmk_len = psk_len; 1993 #ifdef CONFIG_IEEE80211R_AP 1994 os_memcpy(sm->xxkey, psk, PMK_LEN); 1995 sm->xxkey_len = PMK_LEN; 1996 #endif /* CONFIG_IEEE80211R_AP */ 1997 } 1998 #ifdef CONFIG_SAE 1999 if (wpa_auth_uses_sae(sm) && sm->pmksa) { 2000 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache"); 2001 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 2002 sm->pmk_len = sm->pmksa->pmk_len; 2003 } 2004 #endif /* CONFIG_SAE */ 2005 sm->req_replay_counter_used = 0; 2006 } 2007 2008 2009 SM_STATE(WPA_PTK, PTKSTART) 2010 { 2011 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 2012 size_t pmkid_len = 0; 2013 2014 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 2015 sm->PTKRequest = FALSE; 2016 sm->TimeoutEvt = FALSE; 2017 sm->alt_snonce_valid = FALSE; 2018 2019 sm->TimeoutCtr++; 2020 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 2021 /* No point in sending the EAPOL-Key - we will disconnect 2022 * immediately following this. */ 2023 return; 2024 } 2025 2026 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2027 "sending 1/4 msg of 4-Way Handshake"); 2028 /* 2029 * For infrastructure BSS cases, it is better for the AP not to include 2030 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate 2031 * offline search for the passphrase/PSK without having to be able to 2032 * capture a 4-way handshake from a STA that has access to the network. 2033 * 2034 * For IBSS cases, addition of PMKID KDE could be considered even with 2035 * WPA2-PSK cases that use multiple PSKs, but only if there is a single 2036 * possible PSK for this STA. However, this should not be done unless 2037 * there is support for using that information on the supplicant side. 2038 * The concern about exposing PMKID unnecessarily in infrastructure BSS 2039 * cases would also apply here, but at least in the IBSS case, this 2040 * would cover a potential real use case. 2041 */ 2042 if (sm->wpa == WPA_VERSION_WPA2 && 2043 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) || 2044 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) || 2045 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) && 2046 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) { 2047 pmkid = buf; 2048 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 2049 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 2050 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 2051 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 2052 if (sm->pmksa) { 2053 wpa_hexdump(MSG_DEBUG, 2054 "RSN: Message 1/4 PMKID from PMKSA entry", 2055 sm->pmksa->pmkid, PMKID_LEN); 2056 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2057 sm->pmksa->pmkid, PMKID_LEN); 2058 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) { 2059 /* No KCK available to derive PMKID */ 2060 wpa_printf(MSG_DEBUG, 2061 "RSN: No KCK available to derive PMKID for message 1/4"); 2062 pmkid = NULL; 2063 #ifdef CONFIG_SAE 2064 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 2065 if (sm->pmkid_set) { 2066 wpa_hexdump(MSG_DEBUG, 2067 "RSN: Message 1/4 PMKID from SAE", 2068 sm->pmkid, PMKID_LEN); 2069 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2070 sm->pmkid, PMKID_LEN); 2071 } else { 2072 /* No PMKID available */ 2073 wpa_printf(MSG_DEBUG, 2074 "RSN: No SAE PMKID available for message 1/4"); 2075 pmkid = NULL; 2076 } 2077 #endif /* CONFIG_SAE */ 2078 } else { 2079 /* 2080 * Calculate PMKID since no PMKSA cache entry was 2081 * available with pre-calculated PMKID. 2082 */ 2083 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr, 2084 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 2085 sm->wpa_key_mgmt); 2086 wpa_hexdump(MSG_DEBUG, 2087 "RSN: Message 1/4 PMKID derived from PMK", 2088 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN); 2089 } 2090 } 2091 wpa_send_eapol(sm->wpa_auth, sm, 2092 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 2093 sm->ANonce, pmkid, pmkid_len, 0, 0); 2094 } 2095 2096 2097 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 2098 const u8 *pmk, unsigned int pmk_len, 2099 struct wpa_ptk *ptk) 2100 { 2101 #ifdef CONFIG_IEEE80211R_AP 2102 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 2103 return wpa_auth_derive_ptk_ft(sm, pmk, ptk); 2104 #endif /* CONFIG_IEEE80211R_AP */ 2105 2106 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion", 2107 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce, 2108 ptk, sm->wpa_key_mgmt, sm->pairwise); 2109 } 2110 2111 2112 #ifdef CONFIG_FILS 2113 2114 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, 2115 size_t pmk_len, const u8 *snonce, const u8 *anonce, 2116 const u8 *dhss, size_t dhss_len, 2117 struct wpabuf *g_sta, struct wpabuf *g_ap) 2118 { 2119 u8 ick[FILS_ICK_MAX_LEN]; 2120 size_t ick_len; 2121 int res; 2122 u8 fils_ft[FILS_FT_MAX_LEN]; 2123 size_t fils_ft_len = 0; 2124 2125 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr, 2126 snonce, anonce, dhss, dhss_len, 2127 &sm->PTK, ick, &ick_len, 2128 sm->wpa_key_mgmt, sm->pairwise, 2129 fils_ft, &fils_ft_len); 2130 if (res < 0) 2131 return res; 2132 sm->PTK_valid = TRUE; 2133 sm->tk_already_set = FALSE; 2134 2135 #ifdef CONFIG_IEEE80211R_AP 2136 if (fils_ft_len) { 2137 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2138 struct wpa_auth_config *conf = &wpa_auth->conf; 2139 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN]; 2140 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 2141 size_t pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN; 2142 2143 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len, 2144 conf->ssid, conf->ssid_len, 2145 conf->mobility_domain, 2146 conf->r0_key_holder, 2147 conf->r0_key_holder_len, 2148 sm->addr, pmk_r0, pmk_r0_name, 2149 use_sha384) < 0) 2150 return -1; 2151 2152 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0", 2153 pmk_r0, pmk_r0_len); 2154 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name", 2155 pmk_r0_name, WPA_PMK_NAME_LEN); 2156 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name); 2157 os_memset(fils_ft, 0, sizeof(fils_ft)); 2158 } 2159 #endif /* CONFIG_IEEE80211R_AP */ 2160 2161 res = fils_key_auth_sk(ick, ick_len, snonce, anonce, 2162 sm->addr, sm->wpa_auth->addr, 2163 g_sta ? wpabuf_head(g_sta) : NULL, 2164 g_sta ? wpabuf_len(g_sta) : 0, 2165 g_ap ? wpabuf_head(g_ap) : NULL, 2166 g_ap ? wpabuf_len(g_ap) : 0, 2167 sm->wpa_key_mgmt, sm->fils_key_auth_sta, 2168 sm->fils_key_auth_ap, 2169 &sm->fils_key_auth_len); 2170 os_memset(ick, 0, sizeof(ick)); 2171 2172 /* Store nonces for (Re)Association Request/Response frame processing */ 2173 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN); 2174 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN); 2175 2176 return res; 2177 } 2178 2179 2180 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 2181 u8 *buf, size_t buf_len, u16 *_key_data_len) 2182 { 2183 struct ieee802_1x_hdr *hdr; 2184 struct wpa_eapol_key *key; 2185 u8 *pos; 2186 u16 key_data_len; 2187 u8 *tmp; 2188 const u8 *aad[1]; 2189 size_t aad_len[1]; 2190 2191 hdr = (struct ieee802_1x_hdr *) buf; 2192 key = (struct wpa_eapol_key *) (hdr + 1); 2193 pos = (u8 *) (key + 1); 2194 key_data_len = WPA_GET_BE16(pos); 2195 if (key_data_len < AES_BLOCK_SIZE || 2196 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) { 2197 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2198 "No room for AES-SIV data in the frame"); 2199 return -1; 2200 } 2201 pos += 2; /* Pointing at the Encrypted Key Data field */ 2202 2203 tmp = os_malloc(key_data_len); 2204 if (!tmp) 2205 return -1; 2206 2207 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 2208 * to Key Data (exclusive). */ 2209 aad[0] = buf; 2210 aad_len[0] = pos - buf; 2211 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len, 2212 1, aad, aad_len, tmp) < 0) { 2213 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2214 "Invalid AES-SIV data in the frame"); 2215 bin_clear_free(tmp, key_data_len); 2216 return -1; 2217 } 2218 2219 /* AEAD decryption and validation completed successfully */ 2220 key_data_len -= AES_BLOCK_SIZE; 2221 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data", 2222 tmp, key_data_len); 2223 2224 /* Replace Key Data field with the decrypted version */ 2225 os_memcpy(pos, tmp, key_data_len); 2226 pos -= 2; /* Key Data Length field */ 2227 WPA_PUT_BE16(pos, key_data_len); 2228 bin_clear_free(tmp, key_data_len); 2229 if (_key_data_len) 2230 *_key_data_len = key_data_len; 2231 return 0; 2232 } 2233 2234 2235 const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm, 2236 const u8 *ies, size_t ies_len, 2237 const u8 *fils_session) 2238 { 2239 const u8 *ie, *end; 2240 const u8 *session = NULL; 2241 2242 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2243 wpa_printf(MSG_DEBUG, 2244 "FILS: Not a FILS AKM - reject association"); 2245 return NULL; 2246 } 2247 2248 /* Verify Session element */ 2249 ie = ies; 2250 end = ((const u8 *) ie) + ies_len; 2251 while (ie + 1 < end) { 2252 if (ie + 2 + ie[1] > end) 2253 break; 2254 if (ie[0] == WLAN_EID_EXTENSION && 2255 ie[1] >= 1 + FILS_SESSION_LEN && 2256 ie[2] == WLAN_EID_EXT_FILS_SESSION) { 2257 session = ie; 2258 break; 2259 } 2260 ie += 2 + ie[1]; 2261 } 2262 2263 if (!session) { 2264 wpa_printf(MSG_DEBUG, 2265 "FILS: %s: Could not find FILS Session element in Assoc Req - reject", 2266 __func__); 2267 return NULL; 2268 } 2269 2270 if (!fils_session) { 2271 wpa_printf(MSG_DEBUG, 2272 "FILS: %s: Could not find FILS Session element in STA entry - reject", 2273 __func__); 2274 return NULL; 2275 } 2276 2277 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) { 2278 wpa_printf(MSG_DEBUG, "FILS: Session mismatch"); 2279 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 2280 fils_session, FILS_SESSION_LEN); 2281 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session", 2282 session + 3, FILS_SESSION_LEN); 2283 return NULL; 2284 } 2285 return session; 2286 } 2287 2288 2289 int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies, 2290 size_t ies_len) 2291 { 2292 struct ieee802_11_elems elems; 2293 2294 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) { 2295 wpa_printf(MSG_DEBUG, 2296 "FILS: Failed to parse decrypted elements"); 2297 return -1; 2298 } 2299 2300 if (!elems.fils_session) { 2301 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 2302 return -1; 2303 } 2304 2305 if (!elems.fils_key_confirm) { 2306 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element"); 2307 return -1; 2308 } 2309 2310 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) { 2311 wpa_printf(MSG_DEBUG, 2312 "FILS: Unexpected Key-Auth length %d (expected %d)", 2313 elems.fils_key_confirm_len, 2314 (int) sm->fils_key_auth_len); 2315 return -1; 2316 } 2317 2318 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta, 2319 sm->fils_key_auth_len) != 0) { 2320 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch"); 2321 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth", 2322 elems.fils_key_confirm, elems.fils_key_confirm_len); 2323 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth", 2324 sm->fils_key_auth_sta, sm->fils_key_auth_len); 2325 return -1; 2326 } 2327 2328 return 0; 2329 } 2330 2331 2332 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session, 2333 const struct ieee80211_mgmt *mgmt, size_t frame_len, 2334 u8 *pos, size_t left) 2335 { 2336 u16 fc, stype; 2337 const u8 *end, *ie_start, *ie, *session, *crypt; 2338 const u8 *aad[5]; 2339 size_t aad_len[5]; 2340 2341 if (!sm || !sm->PTK_valid) { 2342 wpa_printf(MSG_DEBUG, 2343 "FILS: No KEK to decrypt Assocication Request frame"); 2344 return -1; 2345 } 2346 2347 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2348 wpa_printf(MSG_DEBUG, 2349 "FILS: Not a FILS AKM - reject association"); 2350 return -1; 2351 } 2352 2353 end = ((const u8 *) mgmt) + frame_len; 2354 fc = le_to_host16(mgmt->frame_control); 2355 stype = WLAN_FC_GET_STYPE(fc); 2356 if (stype == WLAN_FC_STYPE_REASSOC_REQ) 2357 ie_start = mgmt->u.reassoc_req.variable; 2358 else 2359 ie_start = mgmt->u.assoc_req.variable; 2360 ie = ie_start; 2361 2362 /* 2363 * Find FILS Session element which is the last unencrypted element in 2364 * the frame. 2365 */ 2366 session = wpa_fils_validate_fils_session(sm, ie, end - ie, 2367 fils_session); 2368 if (!session) { 2369 wpa_printf(MSG_DEBUG, "FILS: Session validation failed"); 2370 return -1; 2371 } 2372 2373 crypt = session + 2 + session[1]; 2374 2375 if (end - crypt < AES_BLOCK_SIZE) { 2376 wpa_printf(MSG_DEBUG, 2377 "FILS: Too short frame to include AES-SIV data"); 2378 return -1; 2379 } 2380 2381 /* AES-SIV AAD vectors */ 2382 2383 /* The STA's MAC address */ 2384 aad[0] = mgmt->sa; 2385 aad_len[0] = ETH_ALEN; 2386 /* The AP's BSSID */ 2387 aad[1] = mgmt->da; 2388 aad_len[1] = ETH_ALEN; 2389 /* The STA's nonce */ 2390 aad[2] = sm->SNonce; 2391 aad_len[2] = FILS_NONCE_LEN; 2392 /* The AP's nonce */ 2393 aad[3] = sm->ANonce; 2394 aad_len[3] = FILS_NONCE_LEN; 2395 /* 2396 * The (Re)Association Request frame from the Capability Information 2397 * field to the FILS Session element (both inclusive). 2398 */ 2399 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info; 2400 aad_len[4] = crypt - aad[4]; 2401 2402 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt, 2403 5, aad, aad_len, pos + (crypt - ie_start)) < 0) { 2404 wpa_printf(MSG_DEBUG, 2405 "FILS: Invalid AES-SIV data in the frame"); 2406 return -1; 2407 } 2408 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements", 2409 pos, left - AES_BLOCK_SIZE); 2410 2411 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) { 2412 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed"); 2413 return -1; 2414 } 2415 2416 return left - AES_BLOCK_SIZE; 2417 } 2418 2419 2420 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf, 2421 size_t current_len, size_t max_len, 2422 const struct wpabuf *hlp) 2423 { 2424 u8 *end = buf + max_len; 2425 u8 *pos = buf + current_len; 2426 struct ieee80211_mgmt *mgmt; 2427 struct wpabuf *plain; 2428 const u8 *aad[5]; 2429 size_t aad_len[5]; 2430 2431 if (!sm || !sm->PTK_valid) 2432 return -1; 2433 2434 wpa_hexdump(MSG_DEBUG, 2435 "FILS: Association Response frame before FILS processing", 2436 buf, current_len); 2437 2438 mgmt = (struct ieee80211_mgmt *) buf; 2439 2440 /* AES-SIV AAD vectors */ 2441 2442 /* The AP's BSSID */ 2443 aad[0] = mgmt->sa; 2444 aad_len[0] = ETH_ALEN; 2445 /* The STA's MAC address */ 2446 aad[1] = mgmt->da; 2447 aad_len[1] = ETH_ALEN; 2448 /* The AP's nonce */ 2449 aad[2] = sm->ANonce; 2450 aad_len[2] = FILS_NONCE_LEN; 2451 /* The STA's nonce */ 2452 aad[3] = sm->SNonce; 2453 aad_len[3] = FILS_NONCE_LEN; 2454 /* 2455 * The (Re)Association Response frame from the Capability Information 2456 * field (the same offset in both Association and Reassociation 2457 * Response frames) to the FILS Session element (both inclusive). 2458 */ 2459 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info; 2460 aad_len[4] = pos - aad[4]; 2461 2462 /* The following elements will be encrypted with AES-SIV */ 2463 plain = fils_prepare_plainbuf(sm, hlp); 2464 if (!plain) { 2465 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed"); 2466 return -1; 2467 } 2468 2469 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) { 2470 wpa_printf(MSG_DEBUG, 2471 "FILS: Not enough room for FILS elements"); 2472 wpabuf_free(plain); 2473 return -1; 2474 } 2475 2476 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext", 2477 plain); 2478 2479 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, 2480 wpabuf_head(plain), wpabuf_len(plain), 2481 5, aad, aad_len, pos) < 0) { 2482 wpabuf_free(plain); 2483 return -1; 2484 } 2485 2486 wpa_hexdump(MSG_DEBUG, 2487 "FILS: Encrypted Association Response elements", 2488 pos, AES_BLOCK_SIZE + wpabuf_len(plain)); 2489 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE; 2490 wpabuf_free(plain); 2491 2492 sm->fils_completed = 1; 2493 2494 return current_len; 2495 } 2496 2497 2498 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, 2499 const struct wpabuf *hlp) 2500 { 2501 struct wpabuf *plain; 2502 u8 *len, *tmp, *tmp2; 2503 u8 hdr[2]; 2504 u8 *gtk, dummy_gtk[32]; 2505 size_t gtk_len; 2506 struct wpa_group *gsm; 2507 2508 plain = wpabuf_alloc(1000); 2509 if (!plain) 2510 return NULL; 2511 2512 /* TODO: FILS Public Key */ 2513 2514 /* FILS Key Confirmation */ 2515 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2516 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */ 2517 /* Element ID Extension */ 2518 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM); 2519 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len); 2520 2521 /* FILS HLP Container */ 2522 if (hlp) 2523 wpabuf_put_buf(plain, hlp); 2524 2525 /* TODO: FILS IP Address Assignment */ 2526 2527 /* Key Delivery */ 2528 gsm = sm->group; 2529 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2530 len = wpabuf_put(plain, 1); 2531 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY); 2532 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, 2533 wpabuf_put(plain, WPA_KEY_RSC_LEN)); 2534 /* GTK KDE */ 2535 gtk = gsm->GTK[gsm->GN - 1]; 2536 gtk_len = gsm->GTK_len; 2537 if (sm->wpa_auth->conf.disable_gtk || 2538 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 2539 /* 2540 * Provide unique random GTK to each STA to prevent use 2541 * of GTK in the BSS. 2542 */ 2543 if (random_get_bytes(dummy_gtk, gtk_len) < 0) { 2544 wpabuf_free(plain); 2545 return NULL; 2546 } 2547 gtk = dummy_gtk; 2548 } 2549 hdr[0] = gsm->GN & 0x03; 2550 hdr[1] = 0; 2551 tmp = wpabuf_put(plain, 0); 2552 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2553 gtk, gtk_len); 2554 wpabuf_put(plain, tmp2 - tmp); 2555 2556 /* IGTK KDE */ 2557 tmp = wpabuf_put(plain, 0); 2558 tmp2 = ieee80211w_kde_add(sm, tmp); 2559 wpabuf_put(plain, tmp2 - tmp); 2560 2561 *len = (u8 *) wpabuf_put(plain, 0) - len - 1; 2562 return plain; 2563 } 2564 2565 2566 int fils_set_tk(struct wpa_state_machine *sm) 2567 { 2568 enum wpa_alg alg; 2569 int klen; 2570 2571 if (!sm || !sm->PTK_valid) { 2572 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK"); 2573 return -1; 2574 } 2575 if (sm->tk_already_set) { 2576 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver"); 2577 return -1; 2578 } 2579 2580 alg = wpa_cipher_to_alg(sm->pairwise); 2581 klen = wpa_cipher_key_len(sm->pairwise); 2582 2583 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); 2584 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2585 sm->PTK.tk, klen)) { 2586 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); 2587 return -1; 2588 } 2589 sm->tk_already_set = TRUE; 2590 2591 return 0; 2592 } 2593 2594 2595 u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf, 2596 const u8 *fils_session, struct wpabuf *hlp) 2597 { 2598 struct wpabuf *plain; 2599 u8 *pos = buf; 2600 2601 /* FILS Session */ 2602 *pos++ = WLAN_EID_EXTENSION; /* Element ID */ 2603 *pos++ = 1 + FILS_SESSION_LEN; /* Length */ 2604 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */ 2605 os_memcpy(pos, fils_session, FILS_SESSION_LEN); 2606 pos += FILS_SESSION_LEN; 2607 2608 plain = fils_prepare_plainbuf(sm, hlp); 2609 if (!plain) { 2610 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed"); 2611 return NULL; 2612 } 2613 2614 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain)); 2615 pos += wpabuf_len(plain); 2616 2617 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__, 2618 (unsigned int) wpabuf_len(plain)); 2619 wpabuf_free(plain); 2620 sm->fils_completed = 1; 2621 return pos; 2622 } 2623 2624 #endif /* CONFIG_FILS */ 2625 2626 2627 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 2628 { 2629 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2630 struct wpa_ptk PTK; 2631 int ok = 0, psk_found = 0; 2632 const u8 *pmk = NULL; 2633 size_t pmk_len; 2634 int ft; 2635 const u8 *eapol_key_ie, *key_data, *mic; 2636 u16 key_data_length; 2637 size_t mic_len, eapol_key_ie_len; 2638 struct ieee802_1x_hdr *hdr; 2639 struct wpa_eapol_key *key; 2640 struct wpa_eapol_ie_parse kde; 2641 2642 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 2643 sm->EAPOLKeyReceived = FALSE; 2644 sm->update_snonce = FALSE; 2645 os_memset(&PTK, 0, sizeof(PTK)); 2646 2647 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 2648 2649 /* WPA with IEEE 802.1X: use the derived PMK from EAP 2650 * WPA-PSK: iterate through possible PSKs and select the one matching 2651 * the packet */ 2652 for (;;) { 2653 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 2654 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 2655 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 2656 sm->p2p_dev_addr, pmk, &pmk_len); 2657 if (pmk == NULL) 2658 break; 2659 psk_found = 1; 2660 #ifdef CONFIG_IEEE80211R_AP 2661 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { 2662 os_memcpy(sm->xxkey, pmk, pmk_len); 2663 sm->xxkey_len = pmk_len; 2664 } 2665 #endif /* CONFIG_IEEE80211R_AP */ 2666 } else { 2667 pmk = sm->PMK; 2668 pmk_len = sm->pmk_len; 2669 } 2670 2671 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0) 2672 break; 2673 2674 if (mic_len && 2675 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK, 2676 sm->last_rx_eapol_key, 2677 sm->last_rx_eapol_key_len) == 0) { 2678 ok = 1; 2679 break; 2680 } 2681 2682 #ifdef CONFIG_FILS 2683 if (!mic_len && 2684 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key, 2685 sm->last_rx_eapol_key_len, NULL) == 0) { 2686 ok = 1; 2687 break; 2688 } 2689 #endif /* CONFIG_FILS */ 2690 2691 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 2692 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) 2693 break; 2694 } 2695 2696 if (!ok) { 2697 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2698 "invalid MIC in msg 2/4 of 4-Way Handshake"); 2699 if (psk_found) 2700 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr); 2701 return; 2702 } 2703 2704 /* 2705 * Note: last_rx_eapol_key length fields have already been validated in 2706 * wpa_receive(). 2707 */ 2708 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key; 2709 key = (struct wpa_eapol_key *) (hdr + 1); 2710 mic = (u8 *) (key + 1); 2711 key_data = mic + mic_len + 2; 2712 key_data_length = WPA_GET_BE16(mic + mic_len); 2713 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) - 2714 sizeof(*key) - mic_len - 2) 2715 return; 2716 2717 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 2718 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 2719 "received EAPOL-Key msg 2/4 with invalid Key Data contents"); 2720 return; 2721 } 2722 if (kde.rsn_ie) { 2723 eapol_key_ie = kde.rsn_ie; 2724 eapol_key_ie_len = kde.rsn_ie_len; 2725 } else if (kde.osen) { 2726 eapol_key_ie = kde.osen; 2727 eapol_key_ie_len = kde.osen_len; 2728 } else { 2729 eapol_key_ie = kde.wpa_ie; 2730 eapol_key_ie_len = kde.wpa_ie_len; 2731 } 2732 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt); 2733 if (sm->wpa_ie == NULL || 2734 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len, 2735 eapol_key_ie, eapol_key_ie_len)) { 2736 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 2737 "WPA IE from (Re)AssocReq did not match with msg 2/4"); 2738 if (sm->wpa_ie) { 2739 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 2740 sm->wpa_ie, sm->wpa_ie_len); 2741 } 2742 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 2743 eapol_key_ie, eapol_key_ie_len); 2744 /* MLME-DEAUTHENTICATE.request */ 2745 wpa_sta_disconnect(wpa_auth, sm->addr, 2746 WLAN_REASON_PREV_AUTH_NOT_VALID); 2747 return; 2748 } 2749 #ifdef CONFIG_IEEE80211R_AP 2750 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 2751 wpa_sta_disconnect(wpa_auth, sm->addr, 2752 WLAN_REASON_PREV_AUTH_NOT_VALID); 2753 return; 2754 } 2755 #endif /* CONFIG_IEEE80211R_AP */ 2756 #ifdef CONFIG_P2P 2757 if (kde.ip_addr_req && kde.ip_addr_req[0] && 2758 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) { 2759 int idx; 2760 wpa_printf(MSG_DEBUG, 2761 "P2P: IP address requested in EAPOL-Key exchange"); 2762 idx = bitfield_get_first_zero(wpa_auth->ip_pool); 2763 if (idx >= 0) { 2764 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start); 2765 bitfield_set(wpa_auth->ip_pool, idx); 2766 WPA_PUT_BE32(sm->ip_addr, start + idx); 2767 wpa_printf(MSG_DEBUG, 2768 "P2P: Assigned IP address %u.%u.%u.%u to " 2769 MACSTR, sm->ip_addr[0], sm->ip_addr[1], 2770 sm->ip_addr[2], sm->ip_addr[3], 2771 MAC2STR(sm->addr)); 2772 } 2773 } 2774 #endif /* CONFIG_P2P */ 2775 2776 #ifdef CONFIG_IEEE80211R_AP 2777 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2778 /* 2779 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 2780 * with the value we derived. 2781 */ 2782 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name, 2783 WPA_PMK_NAME_LEN) != 0) { 2784 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2785 "PMKR1Name mismatch in FT 4-way " 2786 "handshake"); 2787 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 2788 "Supplicant", 2789 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 2790 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 2791 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 2792 return; 2793 } 2794 } 2795 #endif /* CONFIG_IEEE80211R_AP */ 2796 2797 sm->pending_1_of_4_timeout = 0; 2798 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 2799 2800 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2801 /* PSK may have changed from the previous choice, so update 2802 * state machine data based on whatever PSK was selected here. 2803 */ 2804 os_memcpy(sm->PMK, pmk, PMK_LEN); 2805 sm->pmk_len = PMK_LEN; 2806 } 2807 2808 sm->MICVerified = TRUE; 2809 2810 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 2811 sm->PTK_valid = TRUE; 2812 } 2813 2814 2815 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 2816 { 2817 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 2818 sm->TimeoutCtr = 0; 2819 } 2820 2821 2822 #ifdef CONFIG_IEEE80211W 2823 2824 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2825 { 2826 if (sm->mgmt_frame_prot) { 2827 size_t len; 2828 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2829 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len; 2830 } 2831 2832 return 0; 2833 } 2834 2835 2836 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2837 { 2838 struct wpa_igtk_kde igtk; 2839 struct wpa_group *gsm = sm->group; 2840 u8 rsc[WPA_KEY_RSC_LEN]; 2841 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2842 2843 if (!sm->mgmt_frame_prot) 2844 return pos; 2845 2846 igtk.keyid[0] = gsm->GN_igtk; 2847 igtk.keyid[1] = 0; 2848 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 2849 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0) 2850 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 2851 else 2852 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); 2853 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len); 2854 if (sm->wpa_auth->conf.disable_gtk || 2855 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 2856 /* 2857 * Provide unique random IGTK to each STA to prevent use of 2858 * IGTK in the BSS. 2859 */ 2860 if (random_get_bytes(igtk.igtk, len) < 0) 2861 return pos; 2862 } 2863 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 2864 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len, 2865 NULL, 0); 2866 2867 return pos; 2868 } 2869 2870 #else /* CONFIG_IEEE80211W */ 2871 2872 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2873 { 2874 return 0; 2875 } 2876 2877 2878 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2879 { 2880 return pos; 2881 } 2882 2883 #endif /* CONFIG_IEEE80211W */ 2884 2885 2886 SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 2887 { 2888 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 2889 size_t gtk_len, kde_len; 2890 struct wpa_group *gsm = sm->group; 2891 u8 *wpa_ie; 2892 int wpa_ie_len, secure, keyidx, encr = 0; 2893 2894 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 2895 sm->TimeoutEvt = FALSE; 2896 2897 sm->TimeoutCtr++; 2898 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 2899 sm->TimeoutCtr > 1) { 2900 /* Do not allow retransmission of EAPOL-Key msg 3/4 */ 2901 return; 2902 } 2903 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 2904 /* No point in sending the EAPOL-Key - we will disconnect 2905 * immediately following this. */ 2906 return; 2907 } 2908 2909 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 2910 GTK[GN], IGTK, [FTIE], [TIE * 2]) 2911 */ 2912 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2913 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2914 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 2915 wpa_ie = sm->wpa_auth->wpa_ie; 2916 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 2917 if (sm->wpa == WPA_VERSION_WPA && 2918 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 2919 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 2920 /* WPA-only STA, remove RSN IE and possible MDIE */ 2921 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2922 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 2923 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2924 wpa_ie_len = wpa_ie[1] + 2; 2925 } 2926 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2927 "sending 3/4 msg of 4-Way Handshake"); 2928 if (sm->wpa == WPA_VERSION_WPA2) { 2929 /* WPA2 send GTK in the 4-way handshake */ 2930 secure = 1; 2931 gtk = gsm->GTK[gsm->GN - 1]; 2932 gtk_len = gsm->GTK_len; 2933 if (sm->wpa_auth->conf.disable_gtk || 2934 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 2935 /* 2936 * Provide unique random GTK to each STA to prevent use 2937 * of GTK in the BSS. 2938 */ 2939 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 2940 return; 2941 gtk = dummy_gtk; 2942 } 2943 keyidx = gsm->GN; 2944 _rsc = rsc; 2945 encr = 1; 2946 } else { 2947 /* WPA does not include GTK in msg 3/4 */ 2948 secure = 0; 2949 gtk = NULL; 2950 gtk_len = 0; 2951 keyidx = 0; 2952 _rsc = NULL; 2953 if (sm->rx_eapol_key_secure) { 2954 /* 2955 * It looks like Windows 7 supplicant tries to use 2956 * Secure bit in msg 2/4 after having reported Michael 2957 * MIC failure and it then rejects the 4-way handshake 2958 * if msg 3/4 does not set Secure bit. Work around this 2959 * by setting the Secure bit here even in the case of 2960 * WPA if the supplicant used it first. 2961 */ 2962 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2963 "STA used Secure bit in WPA msg 2/4 - " 2964 "set Secure for 3/4 as workaround"); 2965 secure = 1; 2966 } 2967 } 2968 2969 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 2970 if (gtk) 2971 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 2972 #ifdef CONFIG_IEEE80211R_AP 2973 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2974 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 2975 kde_len += 300; /* FTIE + 2 * TIE */ 2976 } 2977 #endif /* CONFIG_IEEE80211R_AP */ 2978 #ifdef CONFIG_P2P 2979 if (WPA_GET_BE32(sm->ip_addr) > 0) 2980 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4; 2981 #endif /* CONFIG_P2P */ 2982 kde = os_malloc(kde_len); 2983 if (kde == NULL) 2984 return; 2985 2986 pos = kde; 2987 os_memcpy(pos, wpa_ie, wpa_ie_len); 2988 pos += wpa_ie_len; 2989 #ifdef CONFIG_IEEE80211R_AP 2990 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2991 int res; 2992 size_t elen; 2993 2994 elen = pos - kde; 2995 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 2996 if (res < 0) { 2997 wpa_printf(MSG_ERROR, "FT: Failed to insert " 2998 "PMKR1Name into RSN IE in EAPOL-Key data"); 2999 os_free(kde); 3000 return; 3001 } 3002 pos -= wpa_ie_len; 3003 pos += elen; 3004 } 3005 #endif /* CONFIG_IEEE80211R_AP */ 3006 if (gtk) { 3007 u8 hdr[2]; 3008 hdr[0] = keyidx & 0x03; 3009 hdr[1] = 0; 3010 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 3011 gtk, gtk_len); 3012 } 3013 pos = ieee80211w_kde_add(sm, pos); 3014 3015 #ifdef CONFIG_IEEE80211R_AP 3016 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 3017 int res; 3018 struct wpa_auth_config *conf; 3019 3020 conf = &sm->wpa_auth->conf; 3021 if (sm->assoc_resp_ftie && 3022 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 3023 os_memcpy(pos, sm->assoc_resp_ftie, 3024 2 + sm->assoc_resp_ftie[1]); 3025 res = 2 + sm->assoc_resp_ftie[1]; 3026 } else { 3027 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 3028 3029 res = wpa_write_ftie(conf, use_sha384, 3030 conf->r0_key_holder, 3031 conf->r0_key_holder_len, 3032 NULL, NULL, pos, 3033 kde + kde_len - pos, 3034 NULL, 0); 3035 } 3036 if (res < 0) { 3037 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 3038 "into EAPOL-Key Key Data"); 3039 os_free(kde); 3040 return; 3041 } 3042 pos += res; 3043 3044 /* TIE[ReassociationDeadline] (TU) */ 3045 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 3046 *pos++ = 5; 3047 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 3048 WPA_PUT_LE32(pos, conf->reassociation_deadline); 3049 pos += 4; 3050 3051 /* TIE[KeyLifetime] (seconds) */ 3052 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 3053 *pos++ = 5; 3054 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 3055 WPA_PUT_LE32(pos, conf->r0_key_lifetime); 3056 pos += 4; 3057 } 3058 #endif /* CONFIG_IEEE80211R_AP */ 3059 #ifdef CONFIG_P2P 3060 if (WPA_GET_BE32(sm->ip_addr) > 0) { 3061 u8 addr[3 * 4]; 3062 os_memcpy(addr, sm->ip_addr, 4); 3063 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4); 3064 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4); 3065 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC, 3066 addr, sizeof(addr), NULL, 0); 3067 } 3068 #endif /* CONFIG_P2P */ 3069 3070 wpa_send_eapol(sm->wpa_auth, sm, 3071 (secure ? WPA_KEY_INFO_SECURE : 0) | 3072 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 3073 WPA_KEY_INFO_MIC : 0) | 3074 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 3075 WPA_KEY_INFO_KEY_TYPE, 3076 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 3077 os_free(kde); 3078 } 3079 3080 3081 SM_STATE(WPA_PTK, PTKINITDONE) 3082 { 3083 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 3084 sm->EAPOLKeyReceived = FALSE; 3085 if (sm->Pair) { 3086 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 3087 int klen = wpa_cipher_key_len(sm->pairwise); 3088 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 3089 sm->PTK.tk, klen)) { 3090 wpa_sta_disconnect(sm->wpa_auth, sm->addr, 3091 WLAN_REASON_PREV_AUTH_NOT_VALID); 3092 return; 3093 } 3094 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 3095 sm->pairwise_set = TRUE; 3096 3097 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 3098 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 3099 eloop_register_timeout(sm->wpa_auth->conf. 3100 wpa_ptk_rekey, 0, wpa_rekey_ptk, 3101 sm->wpa_auth, sm); 3102 } 3103 3104 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 3105 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 3106 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) { 3107 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 3108 WPA_EAPOL_authorized, 1); 3109 } 3110 } 3111 3112 if (0 /* IBSS == TRUE */) { 3113 sm->keycount++; 3114 if (sm->keycount == 2) { 3115 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 3116 WPA_EAPOL_portValid, 1); 3117 } 3118 } else { 3119 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 3120 1); 3121 } 3122 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 3123 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 3124 if (sm->wpa == WPA_VERSION_WPA) 3125 sm->PInitAKeys = TRUE; 3126 else 3127 sm->has_GTK = TRUE; 3128 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3129 "pairwise key handshake completed (%s)", 3130 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 3131 3132 #ifdef CONFIG_IEEE80211R_AP 3133 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 3134 #endif /* CONFIG_IEEE80211R_AP */ 3135 } 3136 3137 3138 SM_STEP(WPA_PTK) 3139 { 3140 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 3141 3142 if (sm->Init) 3143 SM_ENTER(WPA_PTK, INITIALIZE); 3144 else if (sm->Disconnect 3145 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 3146 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 3147 "WPA_PTK: sm->Disconnect"); 3148 SM_ENTER(WPA_PTK, DISCONNECT); 3149 } 3150 else if (sm->DeauthenticationRequest) 3151 SM_ENTER(WPA_PTK, DISCONNECTED); 3152 else if (sm->AuthenticationRequest) 3153 SM_ENTER(WPA_PTK, AUTHENTICATION); 3154 else if (sm->ReAuthenticationRequest) 3155 SM_ENTER(WPA_PTK, AUTHENTICATION2); 3156 else if (sm->PTKRequest) { 3157 if (wpa_auth_sm_ptk_update(sm) < 0) 3158 SM_ENTER(WPA_PTK, DISCONNECTED); 3159 else 3160 SM_ENTER(WPA_PTK, PTKSTART); 3161 } else switch (sm->wpa_ptk_state) { 3162 case WPA_PTK_INITIALIZE: 3163 break; 3164 case WPA_PTK_DISCONNECT: 3165 SM_ENTER(WPA_PTK, DISCONNECTED); 3166 break; 3167 case WPA_PTK_DISCONNECTED: 3168 SM_ENTER(WPA_PTK, INITIALIZE); 3169 break; 3170 case WPA_PTK_AUTHENTICATION: 3171 SM_ENTER(WPA_PTK, AUTHENTICATION2); 3172 break; 3173 case WPA_PTK_AUTHENTICATION2: 3174 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 3175 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 3176 WPA_EAPOL_keyRun) > 0) 3177 SM_ENTER(WPA_PTK, INITPMK); 3178 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 3179 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE 3180 /* FIX: && 802.1X::keyRun */) 3181 SM_ENTER(WPA_PTK, INITPSK); 3182 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) 3183 SM_ENTER(WPA_PTK, INITPMK); 3184 break; 3185 case WPA_PTK_INITPMK: 3186 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 3187 WPA_EAPOL_keyAvailable) > 0) { 3188 SM_ENTER(WPA_PTK, PTKSTART); 3189 #ifdef CONFIG_DPP 3190 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) { 3191 SM_ENTER(WPA_PTK, PTKSTART); 3192 #endif /* CONFIG_DPP */ 3193 } else { 3194 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3195 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3196 "INITPMK - keyAvailable = false"); 3197 SM_ENTER(WPA_PTK, DISCONNECT); 3198 } 3199 break; 3200 case WPA_PTK_INITPSK: 3201 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, 3202 NULL, NULL)) { 3203 SM_ENTER(WPA_PTK, PTKSTART); 3204 #ifdef CONFIG_SAE 3205 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) { 3206 SM_ENTER(WPA_PTK, PTKSTART); 3207 #endif /* CONFIG_SAE */ 3208 } else { 3209 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3210 "no PSK configured for the STA"); 3211 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3212 SM_ENTER(WPA_PTK, DISCONNECT); 3213 } 3214 break; 3215 case WPA_PTK_PTKSTART: 3216 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3217 sm->EAPOLKeyPairwise) 3218 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3219 else if (sm->TimeoutCtr > 3220 sm->wpa_auth->conf.wpa_pairwise_update_count) { 3221 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3222 wpa_auth_vlogger( 3223 sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3224 "PTKSTART: Retry limit %u reached", 3225 sm->wpa_auth->conf.wpa_pairwise_update_count); 3226 SM_ENTER(WPA_PTK, DISCONNECT); 3227 } else if (sm->TimeoutEvt) 3228 SM_ENTER(WPA_PTK, PTKSTART); 3229 break; 3230 case WPA_PTK_PTKCALCNEGOTIATING: 3231 if (sm->MICVerified) 3232 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 3233 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3234 sm->EAPOLKeyPairwise) 3235 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3236 else if (sm->TimeoutEvt) 3237 SM_ENTER(WPA_PTK, PTKSTART); 3238 break; 3239 case WPA_PTK_PTKCALCNEGOTIATING2: 3240 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3241 break; 3242 case WPA_PTK_PTKINITNEGOTIATING: 3243 if (sm->update_snonce) 3244 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3245 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3246 sm->EAPOLKeyPairwise && sm->MICVerified) 3247 SM_ENTER(WPA_PTK, PTKINITDONE); 3248 else if (sm->TimeoutCtr > 3249 sm->wpa_auth->conf.wpa_pairwise_update_count || 3250 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3251 sm->TimeoutCtr > 1)) { 3252 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3253 wpa_auth_vlogger( 3254 sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3255 "PTKINITNEGOTIATING: Retry limit %u reached", 3256 sm->wpa_auth->conf.wpa_pairwise_update_count); 3257 SM_ENTER(WPA_PTK, DISCONNECT); 3258 } else if (sm->TimeoutEvt) 3259 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3260 break; 3261 case WPA_PTK_PTKINITDONE: 3262 break; 3263 } 3264 } 3265 3266 3267 SM_STATE(WPA_PTK_GROUP, IDLE) 3268 { 3269 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 3270 if (sm->Init) { 3271 /* Init flag is not cleared here, so avoid busy 3272 * loop by claiming nothing changed. */ 3273 sm->changed = FALSE; 3274 } 3275 sm->GTimeoutCtr = 0; 3276 } 3277 3278 3279 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 3280 { 3281 u8 rsc[WPA_KEY_RSC_LEN]; 3282 struct wpa_group *gsm = sm->group; 3283 const u8 *kde; 3284 u8 *kde_buf = NULL, *pos, hdr[2]; 3285 size_t kde_len; 3286 u8 *gtk, dummy_gtk[32]; 3287 3288 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 3289 3290 sm->GTimeoutCtr++; 3291 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3292 sm->GTimeoutCtr > 1) { 3293 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */ 3294 return; 3295 } 3296 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) { 3297 /* No point in sending the EAPOL-Key - we will disconnect 3298 * immediately following this. */ 3299 return; 3300 } 3301 3302 if (sm->wpa == WPA_VERSION_WPA) 3303 sm->PInitAKeys = FALSE; 3304 sm->TimeoutEvt = FALSE; 3305 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 3306 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 3307 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 3308 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 3309 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3310 "sending 1/2 msg of Group Key Handshake"); 3311 3312 gtk = gsm->GTK[gsm->GN - 1]; 3313 if (sm->wpa_auth->conf.disable_gtk || 3314 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 3315 /* 3316 * Provide unique random GTK to each STA to prevent use 3317 * of GTK in the BSS. 3318 */ 3319 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 3320 return; 3321 gtk = dummy_gtk; 3322 } 3323 if (sm->wpa == WPA_VERSION_WPA2) { 3324 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 3325 ieee80211w_kde_len(sm); 3326 kde_buf = os_malloc(kde_len); 3327 if (kde_buf == NULL) 3328 return; 3329 3330 kde = pos = kde_buf; 3331 hdr[0] = gsm->GN & 0x03; 3332 hdr[1] = 0; 3333 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 3334 gtk, gsm->GTK_len); 3335 pos = ieee80211w_kde_add(sm, pos); 3336 kde_len = pos - kde; 3337 } else { 3338 kde = gtk; 3339 kde_len = gsm->GTK_len; 3340 } 3341 3342 wpa_send_eapol(sm->wpa_auth, sm, 3343 WPA_KEY_INFO_SECURE | 3344 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 3345 WPA_KEY_INFO_MIC : 0) | 3346 WPA_KEY_INFO_ACK | 3347 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 3348 rsc, NULL, kde, kde_len, gsm->GN, 1); 3349 3350 os_free(kde_buf); 3351 } 3352 3353 3354 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 3355 { 3356 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 3357 sm->EAPOLKeyReceived = FALSE; 3358 if (sm->GUpdateStationKeys) 3359 sm->group->GKeyDoneStations--; 3360 sm->GUpdateStationKeys = FALSE; 3361 sm->GTimeoutCtr = 0; 3362 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 3363 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3364 "group key handshake completed (%s)", 3365 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 3366 sm->has_GTK = TRUE; 3367 } 3368 3369 3370 SM_STATE(WPA_PTK_GROUP, KEYERROR) 3371 { 3372 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 3373 if (sm->GUpdateStationKeys) 3374 sm->group->GKeyDoneStations--; 3375 sm->GUpdateStationKeys = FALSE; 3376 sm->Disconnect = TRUE; 3377 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3378 "group key handshake failed (%s) after %u tries", 3379 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN", 3380 sm->wpa_auth->conf.wpa_group_update_count); 3381 } 3382 3383 3384 SM_STEP(WPA_PTK_GROUP) 3385 { 3386 if (sm->Init || sm->PtkGroupInit) { 3387 SM_ENTER(WPA_PTK_GROUP, IDLE); 3388 sm->PtkGroupInit = FALSE; 3389 } else switch (sm->wpa_ptk_group_state) { 3390 case WPA_PTK_GROUP_IDLE: 3391 if (sm->GUpdateStationKeys || 3392 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 3393 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 3394 break; 3395 case WPA_PTK_GROUP_REKEYNEGOTIATING: 3396 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3397 !sm->EAPOLKeyPairwise && sm->MICVerified) 3398 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 3399 else if (sm->GTimeoutCtr > 3400 sm->wpa_auth->conf.wpa_group_update_count || 3401 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3402 sm->GTimeoutCtr > 1)) 3403 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 3404 else if (sm->TimeoutEvt) 3405 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 3406 break; 3407 case WPA_PTK_GROUP_KEYERROR: 3408 SM_ENTER(WPA_PTK_GROUP, IDLE); 3409 break; 3410 case WPA_PTK_GROUP_REKEYESTABLISHED: 3411 SM_ENTER(WPA_PTK_GROUP, IDLE); 3412 break; 3413 } 3414 } 3415 3416 3417 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 3418 struct wpa_group *group) 3419 { 3420 int ret = 0; 3421 3422 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 3423 inc_byte_array(group->Counter, WPA_NONCE_LEN); 3424 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 3425 wpa_auth->addr, group->GNonce, 3426 group->GTK[group->GN - 1], group->GTK_len) < 0) 3427 ret = -1; 3428 wpa_hexdump_key(MSG_DEBUG, "GTK", 3429 group->GTK[group->GN - 1], group->GTK_len); 3430 3431 #ifdef CONFIG_IEEE80211W 3432 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3433 size_t len; 3434 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 3435 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 3436 inc_byte_array(group->Counter, WPA_NONCE_LEN); 3437 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 3438 wpa_auth->addr, group->GNonce, 3439 group->IGTK[group->GN_igtk - 4], len) < 0) 3440 ret = -1; 3441 wpa_hexdump_key(MSG_DEBUG, "IGTK", 3442 group->IGTK[group->GN_igtk - 4], len); 3443 } 3444 #endif /* CONFIG_IEEE80211W */ 3445 3446 return ret; 3447 } 3448 3449 3450 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 3451 struct wpa_group *group) 3452 { 3453 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3454 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 3455 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 3456 group->wpa_group_state = WPA_GROUP_GTK_INIT; 3457 3458 /* GTK[0..N] = 0 */ 3459 os_memset(group->GTK, 0, sizeof(group->GTK)); 3460 group->GN = 1; 3461 group->GM = 2; 3462 #ifdef CONFIG_IEEE80211W 3463 group->GN_igtk = 4; 3464 group->GM_igtk = 5; 3465 #endif /* CONFIG_IEEE80211W */ 3466 /* GTK[GN] = CalcGTK() */ 3467 wpa_gtk_update(wpa_auth, group); 3468 } 3469 3470 3471 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 3472 { 3473 if (ctx != NULL && ctx != sm->group) 3474 return 0; 3475 3476 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 3477 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3478 "Not in PTKINITDONE; skip Group Key update"); 3479 sm->GUpdateStationKeys = FALSE; 3480 return 0; 3481 } 3482 if (sm->GUpdateStationKeys) { 3483 /* 3484 * This should not really happen, so add a debug log entry. 3485 * Since we clear the GKeyDoneStations before the loop, the 3486 * station needs to be counted here anyway. 3487 */ 3488 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3489 "GUpdateStationKeys was already set when " 3490 "marking station for GTK rekeying"); 3491 } 3492 3493 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 3494 if (sm->is_wnmsleep) 3495 return 0; 3496 3497 sm->group->GKeyDoneStations++; 3498 sm->GUpdateStationKeys = TRUE; 3499 3500 wpa_sm_step(sm); 3501 return 0; 3502 } 3503 3504 3505 #ifdef CONFIG_WNM_AP 3506 /* update GTK when exiting WNM-Sleep Mode */ 3507 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 3508 { 3509 if (sm == NULL || sm->is_wnmsleep) 3510 return; 3511 3512 wpa_group_update_sta(sm, NULL); 3513 } 3514 3515 3516 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 3517 { 3518 if (sm) 3519 sm->is_wnmsleep = !!flag; 3520 } 3521 3522 3523 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 3524 { 3525 struct wpa_group *gsm = sm->group; 3526 u8 *start = pos; 3527 3528 /* 3529 * GTK subelement: 3530 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 3531 * Key[5..32] 3532 */ 3533 *pos++ = WNM_SLEEP_SUBELEM_GTK; 3534 *pos++ = 11 + gsm->GTK_len; 3535 /* Key ID in B0-B1 of Key Info */ 3536 WPA_PUT_LE16(pos, gsm->GN & 0x03); 3537 pos += 2; 3538 *pos++ = gsm->GTK_len; 3539 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 3540 return 0; 3541 pos += 8; 3542 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 3543 pos += gsm->GTK_len; 3544 3545 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 3546 gsm->GN); 3547 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 3548 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 3549 3550 return pos - start; 3551 } 3552 3553 3554 #ifdef CONFIG_IEEE80211W 3555 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 3556 { 3557 struct wpa_group *gsm = sm->group; 3558 u8 *start = pos; 3559 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 3560 3561 /* 3562 * IGTK subelement: 3563 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 3564 */ 3565 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 3566 *pos++ = 2 + 6 + len; 3567 WPA_PUT_LE16(pos, gsm->GN_igtk); 3568 pos += 2; 3569 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 3570 return 0; 3571 pos += 6; 3572 3573 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len); 3574 pos += len; 3575 3576 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 3577 gsm->GN_igtk); 3578 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 3579 gsm->IGTK[gsm->GN_igtk - 4], len); 3580 3581 return pos - start; 3582 } 3583 #endif /* CONFIG_IEEE80211W */ 3584 #endif /* CONFIG_WNM_AP */ 3585 3586 3587 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 3588 struct wpa_group *group) 3589 { 3590 int tmp; 3591 3592 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3593 "SETKEYS (VLAN-ID %d)", group->vlan_id); 3594 group->changed = TRUE; 3595 group->wpa_group_state = WPA_GROUP_SETKEYS; 3596 group->GTKReKey = FALSE; 3597 tmp = group->GM; 3598 group->GM = group->GN; 3599 group->GN = tmp; 3600 #ifdef CONFIG_IEEE80211W 3601 tmp = group->GM_igtk; 3602 group->GM_igtk = group->GN_igtk; 3603 group->GN_igtk = tmp; 3604 #endif /* CONFIG_IEEE80211W */ 3605 /* "GKeyDoneStations = GNoStations" is done in more robust way by 3606 * counting the STAs that are marked with GUpdateStationKeys instead of 3607 * including all STAs that could be in not-yet-completed state. */ 3608 wpa_gtk_update(wpa_auth, group); 3609 3610 if (group->GKeyDoneStations) { 3611 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 3612 "GKeyDoneStations=%d when starting new GTK rekey", 3613 group->GKeyDoneStations); 3614 group->GKeyDoneStations = 0; 3615 } 3616 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 3617 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 3618 group->GKeyDoneStations); 3619 } 3620 3621 3622 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 3623 struct wpa_group *group) 3624 { 3625 int ret = 0; 3626 3627 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 3628 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 3629 broadcast_ether_addr, group->GN, 3630 group->GTK[group->GN - 1], group->GTK_len) < 0) 3631 ret = -1; 3632 3633 #ifdef CONFIG_IEEE80211W 3634 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3635 enum wpa_alg alg; 3636 size_t len; 3637 3638 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher); 3639 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 3640 3641 if (ret == 0 && 3642 wpa_auth_set_key(wpa_auth, group->vlan_id, alg, 3643 broadcast_ether_addr, group->GN_igtk, 3644 group->IGTK[group->GN_igtk - 4], len) < 0) 3645 ret = -1; 3646 } 3647 #endif /* CONFIG_IEEE80211W */ 3648 3649 return ret; 3650 } 3651 3652 3653 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx) 3654 { 3655 if (sm->group == ctx) { 3656 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR 3657 " for discconnection due to fatal failure", 3658 MAC2STR(sm->addr)); 3659 sm->Disconnect = TRUE; 3660 } 3661 3662 return 0; 3663 } 3664 3665 3666 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth, 3667 struct wpa_group *group) 3668 { 3669 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE"); 3670 group->changed = TRUE; 3671 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE; 3672 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group); 3673 } 3674 3675 3676 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 3677 struct wpa_group *group) 3678 { 3679 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3680 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 3681 group->changed = TRUE; 3682 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 3683 3684 if (wpa_group_config_group_keys(wpa_auth, group) < 0) { 3685 wpa_group_fatal_failure(wpa_auth, group); 3686 return -1; 3687 } 3688 3689 return 0; 3690 } 3691 3692 3693 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 3694 struct wpa_group *group) 3695 { 3696 if (group->GInit) { 3697 wpa_group_gtk_init(wpa_auth, group); 3698 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) { 3699 /* Do not allow group operations */ 3700 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 3701 group->GTKAuthenticator) { 3702 wpa_group_setkeysdone(wpa_auth, group); 3703 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 3704 group->GTKReKey) { 3705 wpa_group_setkeys(wpa_auth, group); 3706 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 3707 if (group->GKeyDoneStations == 0) 3708 wpa_group_setkeysdone(wpa_auth, group); 3709 else if (group->GTKReKey) 3710 wpa_group_setkeys(wpa_auth, group); 3711 } 3712 } 3713 3714 3715 static int wpa_sm_step(struct wpa_state_machine *sm) 3716 { 3717 if (sm == NULL) 3718 return 0; 3719 3720 if (sm->in_step_loop) { 3721 /* This should not happen, but if it does, make sure we do not 3722 * end up freeing the state machine too early by exiting the 3723 * recursive call. */ 3724 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 3725 return 0; 3726 } 3727 3728 sm->in_step_loop = 1; 3729 do { 3730 if (sm->pending_deinit) 3731 break; 3732 3733 sm->changed = FALSE; 3734 sm->wpa_auth->group->changed = FALSE; 3735 3736 SM_STEP_RUN(WPA_PTK); 3737 if (sm->pending_deinit) 3738 break; 3739 SM_STEP_RUN(WPA_PTK_GROUP); 3740 if (sm->pending_deinit) 3741 break; 3742 wpa_group_sm_step(sm->wpa_auth, sm->group); 3743 } while (sm->changed || sm->wpa_auth->group->changed); 3744 sm->in_step_loop = 0; 3745 3746 if (sm->pending_deinit) { 3747 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 3748 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 3749 wpa_free_sta_sm(sm); 3750 return 1; 3751 } 3752 return 0; 3753 } 3754 3755 3756 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 3757 { 3758 struct wpa_state_machine *sm = eloop_ctx; 3759 wpa_sm_step(sm); 3760 } 3761 3762 3763 void wpa_auth_sm_notify(struct wpa_state_machine *sm) 3764 { 3765 if (sm == NULL) 3766 return; 3767 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 3768 } 3769 3770 3771 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 3772 { 3773 int tmp, i; 3774 struct wpa_group *group; 3775 3776 if (wpa_auth == NULL) 3777 return; 3778 3779 group = wpa_auth->group; 3780 3781 for (i = 0; i < 2; i++) { 3782 tmp = group->GM; 3783 group->GM = group->GN; 3784 group->GN = tmp; 3785 #ifdef CONFIG_IEEE80211W 3786 tmp = group->GM_igtk; 3787 group->GM_igtk = group->GN_igtk; 3788 group->GN_igtk = tmp; 3789 #endif /* CONFIG_IEEE80211W */ 3790 wpa_gtk_update(wpa_auth, group); 3791 wpa_group_config_group_keys(wpa_auth, group); 3792 } 3793 } 3794 3795 3796 static const char * wpa_bool_txt(int val) 3797 { 3798 return val ? "TRUE" : "FALSE"; 3799 } 3800 3801 3802 #define RSN_SUITE "%02x-%02x-%02x-%d" 3803 #define RSN_SUITE_ARG(s) \ 3804 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 3805 3806 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 3807 { 3808 int len = 0, ret; 3809 char pmkid_txt[PMKID_LEN * 2 + 1]; 3810 #ifdef CONFIG_RSN_PREAUTH 3811 const int preauth = 1; 3812 #else /* CONFIG_RSN_PREAUTH */ 3813 const int preauth = 0; 3814 #endif /* CONFIG_RSN_PREAUTH */ 3815 3816 if (wpa_auth == NULL) 3817 return len; 3818 3819 ret = os_snprintf(buf + len, buflen - len, 3820 "dot11RSNAOptionImplemented=TRUE\n" 3821 "dot11RSNAPreauthenticationImplemented=%s\n" 3822 "dot11RSNAEnabled=%s\n" 3823 "dot11RSNAPreauthenticationEnabled=%s\n", 3824 wpa_bool_txt(preauth), 3825 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 3826 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 3827 if (os_snprintf_error(buflen - len, ret)) 3828 return len; 3829 len += ret; 3830 3831 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 3832 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 3833 3834 ret = os_snprintf( 3835 buf + len, buflen - len, 3836 "dot11RSNAConfigVersion=%u\n" 3837 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 3838 /* FIX: dot11RSNAConfigGroupCipher */ 3839 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 3840 /* FIX: dot11RSNAConfigGroupRekeyTime */ 3841 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 3842 "dot11RSNAConfigGroupRekeyStrict=%u\n" 3843 "dot11RSNAConfigGroupUpdateCount=%u\n" 3844 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 3845 "dot11RSNAConfigGroupCipherSize=%u\n" 3846 "dot11RSNAConfigPMKLifetime=%u\n" 3847 "dot11RSNAConfigPMKReauthThreshold=%u\n" 3848 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 3849 "dot11RSNAConfigSATimeout=%u\n" 3850 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 3851 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 3852 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 3853 "dot11RSNAPMKIDUsed=%s\n" 3854 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 3855 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 3856 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 3857 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 3858 "dot11RSNA4WayHandshakeFailures=%u\n" 3859 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 3860 RSN_VERSION, 3861 !!wpa_auth->conf.wpa_strict_rekey, 3862 wpa_auth->conf.wpa_group_update_count, 3863 wpa_auth->conf.wpa_pairwise_update_count, 3864 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 3865 dot11RSNAConfigPMKLifetime, 3866 dot11RSNAConfigPMKReauthThreshold, 3867 dot11RSNAConfigSATimeout, 3868 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 3869 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 3870 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 3871 pmkid_txt, 3872 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 3873 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 3874 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 3875 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 3876 wpa_auth->dot11RSNA4WayHandshakeFailures); 3877 if (os_snprintf_error(buflen - len, ret)) 3878 return len; 3879 len += ret; 3880 3881 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 3882 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 3883 3884 /* Private MIB */ 3885 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 3886 wpa_auth->group->wpa_group_state); 3887 if (os_snprintf_error(buflen - len, ret)) 3888 return len; 3889 len += ret; 3890 3891 return len; 3892 } 3893 3894 3895 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 3896 { 3897 int len = 0, ret; 3898 u32 pairwise = 0; 3899 3900 if (sm == NULL) 3901 return 0; 3902 3903 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 3904 3905 /* dot11RSNAStatsEntry */ 3906 3907 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 3908 WPA_PROTO_RSN : WPA_PROTO_WPA, 3909 sm->pairwise); 3910 if (pairwise == 0) 3911 return 0; 3912 3913 ret = os_snprintf( 3914 buf + len, buflen - len, 3915 /* TODO: dot11RSNAStatsIndex */ 3916 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 3917 "dot11RSNAStatsVersion=1\n" 3918 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 3919 /* TODO: dot11RSNAStatsTKIPICVErrors */ 3920 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 3921 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 3922 /* TODO: dot11RSNAStatsCCMPReplays */ 3923 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 3924 /* TODO: dot11RSNAStatsTKIPReplays */, 3925 MAC2STR(sm->addr), 3926 RSN_SUITE_ARG(pairwise), 3927 sm->dot11RSNAStatsTKIPLocalMICFailures, 3928 sm->dot11RSNAStatsTKIPRemoteMICFailures); 3929 if (os_snprintf_error(buflen - len, ret)) 3930 return len; 3931 len += ret; 3932 3933 /* Private MIB */ 3934 ret = os_snprintf(buf + len, buflen - len, 3935 "hostapdWPAPTKState=%d\n" 3936 "hostapdWPAPTKGroupState=%d\n", 3937 sm->wpa_ptk_state, 3938 sm->wpa_ptk_group_state); 3939 if (os_snprintf_error(buflen - len, ret)) 3940 return len; 3941 len += ret; 3942 3943 return len; 3944 } 3945 3946 3947 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 3948 { 3949 if (wpa_auth) 3950 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 3951 } 3952 3953 3954 int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 3955 { 3956 return sm && sm->pairwise_set; 3957 } 3958 3959 3960 int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 3961 { 3962 return sm->pairwise; 3963 } 3964 3965 3966 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 3967 { 3968 if (sm == NULL) 3969 return -1; 3970 return sm->wpa_key_mgmt; 3971 } 3972 3973 3974 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 3975 { 3976 if (sm == NULL) 3977 return 0; 3978 return sm->wpa; 3979 } 3980 3981 3982 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) 3983 { 3984 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 3985 return 0; 3986 return sm->tk_already_set; 3987 } 3988 3989 3990 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm) 3991 { 3992 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt)) 3993 return 0; 3994 return sm->tk_already_set; 3995 } 3996 3997 3998 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 3999 struct rsn_pmksa_cache_entry *entry) 4000 { 4001 if (sm == NULL || sm->pmksa != entry) 4002 return -1; 4003 sm->pmksa = NULL; 4004 return 0; 4005 } 4006 4007 4008 struct rsn_pmksa_cache_entry * 4009 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 4010 { 4011 return sm ? sm->pmksa : NULL; 4012 } 4013 4014 4015 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 4016 { 4017 if (sm) 4018 sm->dot11RSNAStatsTKIPLocalMICFailures++; 4019 } 4020 4021 4022 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 4023 { 4024 if (wpa_auth == NULL) 4025 return NULL; 4026 *len = wpa_auth->wpa_ie_len; 4027 return wpa_auth->wpa_ie; 4028 } 4029 4030 4031 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 4032 unsigned int pmk_len, 4033 int session_timeout, struct eapol_state_machine *eapol) 4034 { 4035 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 4036 sm->wpa_auth->conf.disable_pmksa_caching) 4037 return -1; 4038 4039 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 4040 if (pmk_len > PMK_LEN_SUITE_B_192) 4041 pmk_len = PMK_LEN_SUITE_B_192; 4042 } else if (pmk_len > PMK_LEN) { 4043 pmk_len = PMK_LEN; 4044 } 4045 4046 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL, 4047 sm->PTK.kck, sm->PTK.kck_len, 4048 sm->wpa_auth->addr, sm->addr, session_timeout, 4049 eapol, sm->wpa_key_mgmt)) 4050 return 0; 4051 4052 return -1; 4053 } 4054 4055 4056 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 4057 const u8 *pmk, size_t len, const u8 *sta_addr, 4058 int session_timeout, 4059 struct eapol_state_machine *eapol) 4060 { 4061 if (wpa_auth == NULL) 4062 return -1; 4063 4064 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL, 4065 NULL, 0, 4066 wpa_auth->addr, 4067 sta_addr, session_timeout, eapol, 4068 WPA_KEY_MGMT_IEEE8021X)) 4069 return 0; 4070 4071 return -1; 4072 } 4073 4074 4075 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, 4076 const u8 *pmk, const u8 *pmkid) 4077 { 4078 if (wpa_auth->conf.disable_pmksa_caching) 4079 return -1; 4080 4081 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid, 4082 NULL, 0, 4083 wpa_auth->addr, addr, 0, NULL, 4084 WPA_KEY_MGMT_SAE)) 4085 return 0; 4086 4087 return -1; 4088 } 4089 4090 4091 void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid) 4092 { 4093 os_memcpy(sm->pmkid, pmkid, PMKID_LEN); 4094 sm->pmkid_set = 1; 4095 } 4096 4097 4098 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr, 4099 const u8 *pmk, size_t pmk_len, const u8 *pmkid, 4100 int session_timeout, int akmp) 4101 { 4102 if (wpa_auth->conf.disable_pmksa_caching) 4103 return -1; 4104 4105 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid, 4106 NULL, 0, wpa_auth->addr, addr, session_timeout, 4107 NULL, akmp)) 4108 return 0; 4109 4110 return -1; 4111 } 4112 4113 4114 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 4115 const u8 *sta_addr) 4116 { 4117 struct rsn_pmksa_cache_entry *pmksa; 4118 4119 if (wpa_auth == NULL || wpa_auth->pmksa == NULL) 4120 return; 4121 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 4122 if (pmksa) { 4123 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 4124 MACSTR " based on request", MAC2STR(sta_addr)); 4125 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 4126 } 4127 } 4128 4129 4130 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf, 4131 size_t len) 4132 { 4133 if (!wpa_auth || !wpa_auth->pmksa) 4134 return 0; 4135 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len); 4136 } 4137 4138 4139 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth) 4140 { 4141 if (wpa_auth && wpa_auth->pmksa) 4142 pmksa_cache_auth_flush(wpa_auth->pmksa); 4143 } 4144 4145 4146 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL 4147 #ifdef CONFIG_MESH 4148 4149 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr, 4150 char *buf, size_t len) 4151 { 4152 if (!wpa_auth || !wpa_auth->pmksa) 4153 return 0; 4154 4155 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len); 4156 } 4157 4158 4159 struct rsn_pmksa_cache_entry * 4160 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk, 4161 const u8 *pmkid, int expiration) 4162 { 4163 struct rsn_pmksa_cache_entry *entry; 4164 struct os_reltime now; 4165 4166 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa, 4167 spa, 0, NULL, WPA_KEY_MGMT_SAE); 4168 if (!entry) 4169 return NULL; 4170 4171 os_get_reltime(&now); 4172 entry->expiration = now.sec + expiration; 4173 return entry; 4174 } 4175 4176 4177 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth, 4178 struct rsn_pmksa_cache_entry *entry) 4179 { 4180 int ret; 4181 4182 if (!wpa_auth || !wpa_auth->pmksa) 4183 return -1; 4184 4185 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry); 4186 if (ret < 0) 4187 wpa_printf(MSG_DEBUG, 4188 "RSN: Failed to store external PMKSA cache for " 4189 MACSTR, MAC2STR(entry->spa)); 4190 4191 return ret; 4192 } 4193 4194 #endif /* CONFIG_MESH */ 4195 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */ 4196 4197 4198 struct rsn_pmksa_cache_entry * 4199 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, 4200 const u8 *pmkid) 4201 { 4202 if (!wpa_auth || !wpa_auth->pmksa) 4203 return NULL; 4204 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid); 4205 } 4206 4207 4208 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa, 4209 struct wpa_state_machine *sm, 4210 struct wpa_authenticator *wpa_auth, 4211 u8 *pmkid, u8 *pmk) 4212 { 4213 if (!sm) 4214 return; 4215 4216 sm->pmksa = pmksa; 4217 os_memcpy(pmk, pmksa->pmk, PMK_LEN); 4218 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN); 4219 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN); 4220 } 4221 4222 4223 /* 4224 * Remove and free the group from wpa_authenticator. This is triggered by a 4225 * callback to make sure nobody is currently iterating the group list while it 4226 * gets modified. 4227 */ 4228 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 4229 struct wpa_group *group) 4230 { 4231 struct wpa_group *prev = wpa_auth->group; 4232 4233 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d", 4234 group->vlan_id); 4235 4236 while (prev) { 4237 if (prev->next == group) { 4238 /* This never frees the special first group as needed */ 4239 prev->next = group->next; 4240 os_free(group); 4241 break; 4242 } 4243 prev = prev->next; 4244 } 4245 4246 } 4247 4248 4249 /* Increase the reference counter for group */ 4250 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 4251 struct wpa_group *group) 4252 { 4253 /* Skip the special first group */ 4254 if (wpa_auth->group == group) 4255 return; 4256 4257 group->references++; 4258 } 4259 4260 4261 /* Decrease the reference counter and maybe free the group */ 4262 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 4263 struct wpa_group *group) 4264 { 4265 /* Skip the special first group */ 4266 if (wpa_auth->group == group) 4267 return; 4268 4269 group->references--; 4270 if (group->references) 4271 return; 4272 wpa_group_free(wpa_auth, group); 4273 } 4274 4275 4276 /* 4277 * Add a group that has its references counter set to zero. Caller needs to 4278 * call wpa_group_get() on the return value to mark the entry in use. 4279 */ 4280 static struct wpa_group * 4281 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4282 { 4283 struct wpa_group *group; 4284 4285 if (wpa_auth == NULL || wpa_auth->group == NULL) 4286 return NULL; 4287 4288 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 4289 vlan_id); 4290 group = wpa_group_init(wpa_auth, vlan_id, 0); 4291 if (group == NULL) 4292 return NULL; 4293 4294 group->next = wpa_auth->group->next; 4295 wpa_auth->group->next = group; 4296 4297 return group; 4298 } 4299 4300 4301 /* 4302 * Enforce that the group state machine for the VLAN is running, increase 4303 * reference counter as interface is up. References might have been increased 4304 * even if a negative value is returned. 4305 * Returns: -1 on error (group missing, group already failed); otherwise, 0 4306 */ 4307 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4308 { 4309 struct wpa_group *group; 4310 4311 if (wpa_auth == NULL) 4312 return 0; 4313 4314 group = wpa_auth->group; 4315 while (group) { 4316 if (group->vlan_id == vlan_id) 4317 break; 4318 group = group->next; 4319 } 4320 4321 if (group == NULL) { 4322 group = wpa_auth_add_group(wpa_auth, vlan_id); 4323 if (group == NULL) 4324 return -1; 4325 } 4326 4327 wpa_printf(MSG_DEBUG, 4328 "WPA: Ensure group state machine running for VLAN ID %d", 4329 vlan_id); 4330 4331 wpa_group_get(wpa_auth, group); 4332 group->num_setup_iface++; 4333 4334 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4335 return -1; 4336 4337 return 0; 4338 } 4339 4340 4341 /* 4342 * Decrease reference counter, expected to be zero afterwards. 4343 * returns: -1 on error (group not found, group in fail state) 4344 * -2 if wpa_group is still referenced 4345 * 0 else 4346 */ 4347 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4348 { 4349 struct wpa_group *group; 4350 int ret = 0; 4351 4352 if (wpa_auth == NULL) 4353 return 0; 4354 4355 group = wpa_auth->group; 4356 while (group) { 4357 if (group->vlan_id == vlan_id) 4358 break; 4359 group = group->next; 4360 } 4361 4362 if (group == NULL) 4363 return -1; 4364 4365 wpa_printf(MSG_DEBUG, 4366 "WPA: Try stopping group state machine for VLAN ID %d", 4367 vlan_id); 4368 4369 if (group->num_setup_iface <= 0) { 4370 wpa_printf(MSG_ERROR, 4371 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.", 4372 vlan_id); 4373 return -1; 4374 } 4375 group->num_setup_iface--; 4376 4377 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4378 ret = -1; 4379 4380 if (group->references > 1) { 4381 wpa_printf(MSG_DEBUG, 4382 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold", 4383 vlan_id); 4384 ret = -2; 4385 } 4386 4387 wpa_group_put(wpa_auth, group); 4388 4389 return ret; 4390 } 4391 4392 4393 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 4394 { 4395 struct wpa_group *group; 4396 4397 if (sm == NULL || sm->wpa_auth == NULL) 4398 return 0; 4399 4400 group = sm->wpa_auth->group; 4401 while (group) { 4402 if (group->vlan_id == vlan_id) 4403 break; 4404 group = group->next; 4405 } 4406 4407 if (group == NULL) { 4408 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 4409 if (group == NULL) 4410 return -1; 4411 } 4412 4413 if (sm->group == group) 4414 return 0; 4415 4416 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4417 return -1; 4418 4419 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 4420 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 4421 4422 wpa_group_get(sm->wpa_auth, group); 4423 wpa_group_put(sm->wpa_auth, sm->group); 4424 sm->group = group; 4425 4426 return 0; 4427 } 4428 4429 4430 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 4431 struct wpa_state_machine *sm, int ack) 4432 { 4433 if (wpa_auth == NULL || sm == NULL) 4434 return; 4435 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 4436 " ack=%d", MAC2STR(sm->addr), ack); 4437 if (sm->pending_1_of_4_timeout && ack) { 4438 /* 4439 * Some deployed supplicant implementations update their SNonce 4440 * for each EAPOL-Key 2/4 message even within the same 4-way 4441 * handshake and then fail to use the first SNonce when 4442 * deriving the PTK. This results in unsuccessful 4-way 4443 * handshake whenever the relatively short initial timeout is 4444 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 4445 * around this by increasing the timeout now that we know that 4446 * the station has received the frame. 4447 */ 4448 int timeout_ms = eapol_key_timeout_subseq; 4449 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 4450 "timeout by %u ms because of acknowledged frame", 4451 timeout_ms); 4452 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 4453 eloop_register_timeout(timeout_ms / 1000, 4454 (timeout_ms % 1000) * 1000, 4455 wpa_send_eapol_timeout, wpa_auth, sm); 4456 } 4457 4458 #ifdef CONFIG_TESTING_OPTIONS 4459 if (sm->eapol_status_cb) { 4460 sm->eapol_status_cb(sm->eapol_status_cb_ctx1, 4461 sm->eapol_status_cb_ctx2); 4462 sm->eapol_status_cb = NULL; 4463 } 4464 #endif /* CONFIG_TESTING_OPTIONS */ 4465 } 4466 4467 4468 int wpa_auth_uses_sae(struct wpa_state_machine *sm) 4469 { 4470 if (sm == NULL) 4471 return 0; 4472 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 4473 } 4474 4475 4476 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm) 4477 { 4478 if (sm == NULL) 4479 return 0; 4480 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; 4481 } 4482 4483 4484 #ifdef CONFIG_P2P 4485 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr) 4486 { 4487 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0) 4488 return -1; 4489 os_memcpy(addr, sm->ip_addr, 4); 4490 return 0; 4491 } 4492 #endif /* CONFIG_P2P */ 4493 4494 4495 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth, 4496 struct radius_das_attrs *attr) 4497 { 4498 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr); 4499 } 4500 4501 4502 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth) 4503 { 4504 struct wpa_group *group; 4505 4506 if (!wpa_auth) 4507 return; 4508 for (group = wpa_auth->group; group; group = group->next) 4509 wpa_group_config_group_keys(wpa_auth, group); 4510 } 4511 4512 4513 #ifdef CONFIG_FILS 4514 4515 struct wpa_auth_fils_iter_data { 4516 struct wpa_authenticator *auth; 4517 const u8 *cache_id; 4518 struct rsn_pmksa_cache_entry *pmksa; 4519 const u8 *spa; 4520 const u8 *pmkid; 4521 }; 4522 4523 4524 static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx) 4525 { 4526 struct wpa_auth_fils_iter_data *data = ctx; 4527 4528 if (a == data->auth || !a->conf.fils_cache_id_set || 4529 os_memcmp(a->conf.fils_cache_id, data->cache_id, 4530 FILS_CACHE_ID_LEN) != 0) 4531 return 0; 4532 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid); 4533 return data->pmksa != NULL; 4534 } 4535 4536 4537 struct rsn_pmksa_cache_entry * 4538 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth, 4539 const u8 *sta_addr, const u8 *pmkid) 4540 { 4541 struct wpa_auth_fils_iter_data idata; 4542 4543 if (!wpa_auth->conf.fils_cache_id_set) 4544 return NULL; 4545 idata.auth = wpa_auth; 4546 idata.cache_id = wpa_auth->conf.fils_cache_id; 4547 idata.pmksa = NULL; 4548 idata.spa = sta_addr; 4549 idata.pmkid = pmkid; 4550 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata); 4551 return idata.pmksa; 4552 } 4553 4554 4555 #ifdef CONFIG_IEEE80211R_AP 4556 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, int use_sha384, 4557 u8 *buf, size_t len) 4558 { 4559 struct wpa_auth_config *conf = &wpa_auth->conf; 4560 4561 return wpa_write_ftie(conf, use_sha384, conf->r0_key_holder, 4562 conf->r0_key_holder_len, 4563 NULL, NULL, buf, len, NULL, 0); 4564 } 4565 #endif /* CONFIG_IEEE80211R_AP */ 4566 4567 4568 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm, 4569 u8 *fils_anonce, u8 *fils_snonce, 4570 u8 *fils_kek, size_t *fils_kek_len) 4571 { 4572 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN); 4573 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN); 4574 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN); 4575 *fils_kek_len = sm->PTK.kek_len; 4576 } 4577 4578 #endif /* CONFIG_FILS */ 4579 4580 4581 #ifdef CONFIG_TESTING_OPTIONS 4582 4583 int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce, 4584 void (*cb)(void *ctx1, void *ctx2), 4585 void *ctx1, void *ctx2) 4586 { 4587 const u8 *anonce = sm->ANonce; 4588 u8 anonce_buf[WPA_NONCE_LEN]; 4589 4590 if (change_anonce) { 4591 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN)) 4592 return -1; 4593 anonce = anonce_buf; 4594 } 4595 4596 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4597 "sending 1/4 msg of 4-Way Handshake (TESTING)"); 4598 wpa_send_eapol(sm->wpa_auth, sm, 4599 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 4600 anonce, NULL, 0, 0, 0); 4601 return 0; 4602 } 4603 4604 4605 int wpa_auth_resend_m3(struct wpa_state_machine *sm, 4606 void (*cb)(void *ctx1, void *ctx2), 4607 void *ctx1, void *ctx2) 4608 { 4609 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos; 4610 #ifdef CONFIG_IEEE80211W 4611 u8 *opos; 4612 #endif /* CONFIG_IEEE80211W */ 4613 size_t gtk_len, kde_len; 4614 struct wpa_group *gsm = sm->group; 4615 u8 *wpa_ie; 4616 int wpa_ie_len, secure, keyidx, encr = 0; 4617 4618 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 4619 GTK[GN], IGTK, [FTIE], [TIE * 2]) 4620 */ 4621 4622 /* Use 0 RSC */ 4623 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 4624 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 4625 wpa_ie = sm->wpa_auth->wpa_ie; 4626 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 4627 if (sm->wpa == WPA_VERSION_WPA && 4628 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 4629 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 4630 /* WPA-only STA, remove RSN IE and possible MDIE */ 4631 wpa_ie = wpa_ie + wpa_ie[1] + 2; 4632 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 4633 wpa_ie = wpa_ie + wpa_ie[1] + 2; 4634 wpa_ie_len = wpa_ie[1] + 2; 4635 } 4636 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4637 "sending 3/4 msg of 4-Way Handshake (TESTING)"); 4638 if (sm->wpa == WPA_VERSION_WPA2) { 4639 /* WPA2 send GTK in the 4-way handshake */ 4640 secure = 1; 4641 gtk = gsm->GTK[gsm->GN - 1]; 4642 gtk_len = gsm->GTK_len; 4643 keyidx = gsm->GN; 4644 _rsc = rsc; 4645 encr = 1; 4646 } else { 4647 /* WPA does not include GTK in msg 3/4 */ 4648 secure = 0; 4649 gtk = NULL; 4650 gtk_len = 0; 4651 keyidx = 0; 4652 _rsc = NULL; 4653 if (sm->rx_eapol_key_secure) { 4654 /* 4655 * It looks like Windows 7 supplicant tries to use 4656 * Secure bit in msg 2/4 after having reported Michael 4657 * MIC failure and it then rejects the 4-way handshake 4658 * if msg 3/4 does not set Secure bit. Work around this 4659 * by setting the Secure bit here even in the case of 4660 * WPA if the supplicant used it first. 4661 */ 4662 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4663 "STA used Secure bit in WPA msg 2/4 - " 4664 "set Secure for 3/4 as workaround"); 4665 secure = 1; 4666 } 4667 } 4668 4669 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 4670 if (gtk) 4671 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 4672 #ifdef CONFIG_IEEE80211R_AP 4673 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 4674 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 4675 kde_len += 300; /* FTIE + 2 * TIE */ 4676 } 4677 #endif /* CONFIG_IEEE80211R_AP */ 4678 kde = os_malloc(kde_len); 4679 if (kde == NULL) 4680 return -1; 4681 4682 pos = kde; 4683 os_memcpy(pos, wpa_ie, wpa_ie_len); 4684 pos += wpa_ie_len; 4685 #ifdef CONFIG_IEEE80211R_AP 4686 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 4687 int res; 4688 size_t elen; 4689 4690 elen = pos - kde; 4691 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 4692 if (res < 0) { 4693 wpa_printf(MSG_ERROR, "FT: Failed to insert " 4694 "PMKR1Name into RSN IE in EAPOL-Key data"); 4695 os_free(kde); 4696 return -1; 4697 } 4698 pos -= wpa_ie_len; 4699 pos += elen; 4700 } 4701 #endif /* CONFIG_IEEE80211R_AP */ 4702 if (gtk) { 4703 u8 hdr[2]; 4704 hdr[0] = keyidx & 0x03; 4705 hdr[1] = 0; 4706 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 4707 gtk, gtk_len); 4708 } 4709 #ifdef CONFIG_IEEE80211W 4710 opos = pos; 4711 pos = ieee80211w_kde_add(sm, pos); 4712 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) { 4713 /* skip KDE header and keyid */ 4714 opos += 2 + RSN_SELECTOR_LEN + 2; 4715 os_memset(opos, 0, 6); /* clear PN */ 4716 } 4717 #endif /* CONFIG_IEEE80211W */ 4718 4719 #ifdef CONFIG_IEEE80211R_AP 4720 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 4721 int res; 4722 struct wpa_auth_config *conf; 4723 4724 conf = &sm->wpa_auth->conf; 4725 if (sm->assoc_resp_ftie && 4726 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 4727 os_memcpy(pos, sm->assoc_resp_ftie, 4728 2 + sm->assoc_resp_ftie[1]); 4729 res = 2 + sm->assoc_resp_ftie[1]; 4730 } else { 4731 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 4732 4733 res = wpa_write_ftie(conf, use_sha384, 4734 conf->r0_key_holder, 4735 conf->r0_key_holder_len, 4736 NULL, NULL, pos, 4737 kde + kde_len - pos, 4738 NULL, 0); 4739 } 4740 if (res < 0) { 4741 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 4742 "into EAPOL-Key Key Data"); 4743 os_free(kde); 4744 return -1; 4745 } 4746 pos += res; 4747 4748 /* TIE[ReassociationDeadline] (TU) */ 4749 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 4750 *pos++ = 5; 4751 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 4752 WPA_PUT_LE32(pos, conf->reassociation_deadline); 4753 pos += 4; 4754 4755 /* TIE[KeyLifetime] (seconds) */ 4756 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 4757 *pos++ = 5; 4758 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 4759 WPA_PUT_LE32(pos, conf->r0_key_lifetime); 4760 pos += 4; 4761 } 4762 #endif /* CONFIG_IEEE80211R_AP */ 4763 4764 wpa_send_eapol(sm->wpa_auth, sm, 4765 (secure ? WPA_KEY_INFO_SECURE : 0) | 4766 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 4767 WPA_KEY_INFO_MIC : 0) | 4768 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 4769 WPA_KEY_INFO_KEY_TYPE, 4770 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 4771 os_free(kde); 4772 return 0; 4773 } 4774 4775 4776 int wpa_auth_resend_group_m1(struct wpa_state_machine *sm, 4777 void (*cb)(void *ctx1, void *ctx2), 4778 void *ctx1, void *ctx2) 4779 { 4780 u8 rsc[WPA_KEY_RSC_LEN]; 4781 struct wpa_group *gsm = sm->group; 4782 const u8 *kde; 4783 u8 *kde_buf = NULL, *pos, hdr[2]; 4784 #ifdef CONFIG_IEEE80211W 4785 u8 *opos; 4786 #endif /* CONFIG_IEEE80211W */ 4787 size_t kde_len; 4788 u8 *gtk; 4789 4790 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 4791 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 4792 /* Use 0 RSC */ 4793 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4794 "sending 1/2 msg of Group Key Handshake (TESTING)"); 4795 4796 gtk = gsm->GTK[gsm->GN - 1]; 4797 if (sm->wpa == WPA_VERSION_WPA2) { 4798 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 4799 ieee80211w_kde_len(sm); 4800 kde_buf = os_malloc(kde_len); 4801 if (kde_buf == NULL) 4802 return -1; 4803 4804 kde = pos = kde_buf; 4805 hdr[0] = gsm->GN & 0x03; 4806 hdr[1] = 0; 4807 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 4808 gtk, gsm->GTK_len); 4809 #ifdef CONFIG_IEEE80211W 4810 opos = pos; 4811 pos = ieee80211w_kde_add(sm, pos); 4812 if (pos - opos >= 4813 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) { 4814 /* skip KDE header and keyid */ 4815 opos += 2 + RSN_SELECTOR_LEN + 2; 4816 os_memset(opos, 0, 6); /* clear PN */ 4817 } 4818 #endif /* CONFIG_IEEE80211W */ 4819 kde_len = pos - kde; 4820 } else { 4821 kde = gtk; 4822 kde_len = gsm->GTK_len; 4823 } 4824 4825 sm->eapol_status_cb = cb; 4826 sm->eapol_status_cb_ctx1 = ctx1; 4827 sm->eapol_status_cb_ctx2 = ctx2; 4828 4829 wpa_send_eapol(sm->wpa_auth, sm, 4830 WPA_KEY_INFO_SECURE | 4831 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 4832 WPA_KEY_INFO_MIC : 0) | 4833 WPA_KEY_INFO_ACK | 4834 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 4835 rsc, NULL, kde, kde_len, gsm->GN, 1); 4836 4837 os_free(kde_buf); 4838 return 0; 4839 } 4840 4841 4842 int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth) 4843 { 4844 if (!wpa_auth) 4845 return -1; 4846 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 4847 return eloop_register_timeout(0, 0, wpa_rekey_gtk, wpa_auth, NULL); 4848 } 4849 4850 #endif /* CONFIG_TESTING_OPTIONS */ 4851