1 /* 2 * WPA Supplicant - WPA state machine and EAPOL-Key processing 3 * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi> 4 * Copyright(c) 2015 Intel Deutschland GmbH 5 * 6 * This software may be distributed under the terms of the BSD license. 7 * See README for more details. 8 */ 9 10 #include "includes.h" 11 12 #include "common.h" 13 #include "crypto/aes.h" 14 #include "crypto/aes_wrap.h" 15 #include "crypto/crypto.h" 16 #include "crypto/random.h" 17 #include "crypto/aes_siv.h" 18 #include "crypto/sha256.h" 19 #include "crypto/sha384.h" 20 #include "crypto/sha512.h" 21 #include "common/ieee802_11_defs.h" 22 #include "common/ieee802_11_common.h" 23 #include "common/ocv.h" 24 #include "common/dpp.h" 25 #include "common/wpa_ctrl.h" 26 #include "eap_common/eap_defs.h" 27 #include "eapol_supp/eapol_supp_sm.h" 28 #include "drivers/driver.h" 29 #include "wpa.h" 30 #include "eloop.h" 31 #include "preauth.h" 32 #include "pmksa_cache.h" 33 #include "wpa_i.h" 34 #include "wpa_ie.h" 35 36 37 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; 38 39 40 /** 41 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message 42 * @sm: Pointer to WPA state machine data from wpa_sm_init() 43 * @ptk: PTK for Key Confirmation/Encryption Key 44 * @ver: Version field from Key Info 45 * @dest: Destination address for the frame 46 * @proto: Ethertype (usually ETH_P_EAPOL) 47 * @msg: EAPOL-Key message 48 * @msg_len: Length of message 49 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written 50 * Returns: >= 0 on success, < 0 on failure 51 */ 52 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk, 53 int ver, const u8 *dest, u16 proto, 54 u8 *msg, size_t msg_len, u8 *key_mic) 55 { 56 int ret = -1; 57 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 58 59 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR 60 " ver=%d mic_len=%d key_mgmt=0x%x", 61 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt); 62 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) { 63 /* 64 * Association event was not yet received; try to fetch 65 * BSSID from the driver. 66 */ 67 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) { 68 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 69 "WPA: Failed to read BSSID for " 70 "EAPOL-Key destination address"); 71 } else { 72 dest = sm->bssid; 73 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 74 "WPA: Use BSSID (" MACSTR 75 ") as the destination for EAPOL-Key", 76 MAC2STR(dest)); 77 } 78 } 79 80 if (mic_len) { 81 if (key_mic && (!ptk || !ptk->kck_len)) 82 goto out; 83 84 if (key_mic && 85 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver, 86 msg, msg_len, key_mic)) { 87 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 88 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC", 89 ver, sm->key_mgmt); 90 goto out; 91 } 92 if (ptk) 93 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", 94 ptk->kck, ptk->kck_len); 95 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC", 96 key_mic, mic_len); 97 } else { 98 #ifdef CONFIG_FILS 99 /* AEAD cipher - Key MIC field not used */ 100 struct ieee802_1x_hdr *s_hdr, *hdr; 101 struct wpa_eapol_key *s_key, *key; 102 u8 *buf, *s_key_data, *key_data; 103 size_t buf_len = msg_len + AES_BLOCK_SIZE; 104 size_t key_data_len; 105 u16 eapol_len; 106 const u8 *aad[1]; 107 size_t aad_len[1]; 108 109 if (!ptk || !ptk->kek_len) 110 goto out; 111 112 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) - 113 sizeof(struct wpa_eapol_key) - 2; 114 115 buf = os_malloc(buf_len); 116 if (!buf) 117 goto out; 118 119 os_memcpy(buf, msg, msg_len); 120 hdr = (struct ieee802_1x_hdr *) buf; 121 key = (struct wpa_eapol_key *) (hdr + 1); 122 key_data = ((u8 *) (key + 1)) + 2; 123 124 /* Update EAPOL header to include AES-SIV overhead */ 125 eapol_len = be_to_host16(hdr->length); 126 eapol_len += AES_BLOCK_SIZE; 127 hdr->length = host_to_be16(eapol_len); 128 129 /* Update Key Data Length field to include AES-SIV overhead */ 130 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len); 131 132 s_hdr = (struct ieee802_1x_hdr *) msg; 133 s_key = (struct wpa_eapol_key *) (s_hdr + 1); 134 s_key_data = ((u8 *) (s_key + 1)) + 2; 135 136 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data", 137 s_key_data, key_data_len); 138 139 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len); 140 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 141 * to Key Data (exclusive). */ 142 aad[0] = buf; 143 aad_len[0] = key_data - buf; 144 if (aes_siv_encrypt(ptk->kek, ptk->kek_len, 145 s_key_data, key_data_len, 146 1, aad, aad_len, key_data) < 0) { 147 os_free(buf); 148 goto out; 149 } 150 151 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV", 152 key_data, AES_BLOCK_SIZE + key_data_len); 153 154 os_free(msg); 155 msg = buf; 156 msg_len = buf_len; 157 #else /* CONFIG_FILS */ 158 goto out; 159 #endif /* CONFIG_FILS */ 160 } 161 162 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len); 163 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len); 164 eapol_sm_notify_tx_eapol_key(sm->eapol); 165 out: 166 os_free(msg); 167 return ret; 168 } 169 170 171 /** 172 * wpa_sm_key_request - Send EAPOL-Key Request 173 * @sm: Pointer to WPA state machine data from wpa_sm_init() 174 * @error: Indicate whether this is an Michael MIC error report 175 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet 176 * 177 * Send an EAPOL-Key Request to the current authenticator. This function is 178 * used to request rekeying and it is usually called when a local Michael MIC 179 * failure is detected. 180 */ 181 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise) 182 { 183 size_t mic_len, hdrlen, rlen; 184 struct wpa_eapol_key *reply; 185 int key_info, ver; 186 u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic; 187 188 if (pairwise && sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id && 189 wpa_sm_get_state(sm) == WPA_COMPLETED) { 190 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 191 "WPA: PTK0 rekey not allowed, reconnecting"); 192 wpa_sm_reconnect(sm); 193 return; 194 } 195 196 if (wpa_use_akm_defined(sm->key_mgmt)) 197 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED; 198 else if (wpa_key_mgmt_ft(sm->key_mgmt) || 199 wpa_key_mgmt_sha256(sm->key_mgmt)) 200 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC; 201 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP) 202 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 203 else 204 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 205 206 if (wpa_sm_get_bssid(sm, bssid) < 0) { 207 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 208 "Failed to read BSSID for EAPOL-Key request"); 209 return; 210 } 211 212 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 213 hdrlen = sizeof(*reply) + mic_len + 2; 214 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 215 hdrlen, &rlen, (void *) &reply); 216 if (rbuf == NULL) 217 return; 218 219 reply->type = (sm->proto == WPA_PROTO_RSN || 220 sm->proto == WPA_PROTO_OSEN) ? 221 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 222 key_info = WPA_KEY_INFO_REQUEST | ver; 223 if (sm->ptk_set) 224 key_info |= WPA_KEY_INFO_SECURE; 225 if (sm->ptk_set && mic_len) 226 key_info |= WPA_KEY_INFO_MIC; 227 if (error) 228 key_info |= WPA_KEY_INFO_ERROR; 229 if (pairwise) 230 key_info |= WPA_KEY_INFO_KEY_TYPE; 231 WPA_PUT_BE16(reply->key_info, key_info); 232 WPA_PUT_BE16(reply->key_length, 0); 233 os_memcpy(reply->replay_counter, sm->request_counter, 234 WPA_REPLAY_COUNTER_LEN); 235 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN); 236 237 mic = (u8 *) (reply + 1); 238 WPA_PUT_BE16(mic + mic_len, 0); 239 if (!(key_info & WPA_KEY_INFO_MIC)) 240 key_mic = NULL; 241 else 242 key_mic = mic; 243 244 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 245 "WPA: Sending EAPOL-Key Request (error=%d " 246 "pairwise=%d ptk_set=%d len=%lu)", 247 error, pairwise, sm->ptk_set, (unsigned long) rlen); 248 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen, 249 key_mic); 250 } 251 252 253 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm) 254 { 255 #ifdef CONFIG_IEEE80211R 256 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) { 257 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len)) 258 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 259 "RSN: Cannot set low order 256 bits of MSK for key management offload"); 260 } else { 261 #endif /* CONFIG_IEEE80211R */ 262 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len)) 263 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 264 "RSN: Cannot set PMK for key management offload"); 265 #ifdef CONFIG_IEEE80211R 266 } 267 #endif /* CONFIG_IEEE80211R */ 268 } 269 270 271 static int wpa_supplicant_get_pmk(struct wpa_sm *sm, 272 const unsigned char *src_addr, 273 const u8 *pmkid) 274 { 275 int abort_cached = 0; 276 277 if (pmkid && !sm->cur_pmksa) { 278 /* When using drivers that generate RSN IE, wpa_supplicant may 279 * not have enough time to get the association information 280 * event before receiving this 1/4 message, so try to find a 281 * matching PMKSA cache entry here. */ 282 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid, 283 NULL, 0); 284 if (sm->cur_pmksa) { 285 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 286 "RSN: found matching PMKID from PMKSA cache"); 287 } else { 288 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 289 "RSN: no matching PMKID found"); 290 abort_cached = 1; 291 } 292 } 293 294 if (pmkid && sm->cur_pmksa && 295 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) { 296 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN); 297 wpa_sm_set_pmk_from_pmksa(sm); 298 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache", 299 sm->pmk, sm->pmk_len); 300 eapol_sm_notify_cached(sm->eapol); 301 #ifdef CONFIG_IEEE80211R 302 sm->xxkey_len = 0; 303 #ifdef CONFIG_SAE 304 if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE && 305 sm->pmk_len == PMK_LEN) { 306 /* Need to allow FT key derivation to proceed with 307 * PMK from SAE being used as the XXKey in cases where 308 * the PMKID in msg 1/4 matches the PMKSA entry that was 309 * just added based on SAE authentication for the 310 * initial mobility domain association. */ 311 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len); 312 sm->xxkey_len = sm->pmk_len; 313 } 314 #endif /* CONFIG_SAE */ 315 #endif /* CONFIG_IEEE80211R */ 316 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) { 317 int res, pmk_len; 318 #ifdef CONFIG_IEEE80211R 319 u8 buf[2 * PMK_LEN]; 320 #endif /* CONFIG_IEEE80211R */ 321 322 if (wpa_key_mgmt_sha384(sm->key_mgmt)) 323 pmk_len = PMK_LEN_SUITE_B_192; 324 else 325 pmk_len = PMK_LEN; 326 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len); 327 if (res) { 328 if (pmk_len == PMK_LEN) { 329 /* 330 * EAP-LEAP is an exception from other EAP 331 * methods: it uses only 16-byte PMK. 332 */ 333 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16); 334 pmk_len = 16; 335 } 336 } 337 #ifdef CONFIG_IEEE80211R 338 if (res == 0 && 339 eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) { 340 if (wpa_key_mgmt_sha384(sm->key_mgmt)) { 341 os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN); 342 sm->xxkey_len = SHA384_MAC_LEN; 343 } else { 344 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN); 345 sm->xxkey_len = PMK_LEN; 346 } 347 forced_memzero(buf, sizeof(buf)); 348 if (sm->proto == WPA_PROTO_RSN && 349 wpa_key_mgmt_ft(sm->key_mgmt)) { 350 struct rsn_pmksa_cache_entry *sa = NULL; 351 const u8 *fils_cache_id = NULL; 352 353 #ifdef CONFIG_FILS 354 if (sm->fils_cache_id_set) 355 fils_cache_id = sm->fils_cache_id; 356 #endif /* CONFIG_FILS */ 357 wpa_hexdump_key(MSG_DEBUG, 358 "FT: Cache XXKey/MPMK", 359 sm->xxkey, sm->xxkey_len); 360 sa = pmksa_cache_add(sm->pmksa, 361 sm->xxkey, sm->xxkey_len, 362 NULL, NULL, 0, 363 src_addr, sm->own_addr, 364 sm->network_ctx, 365 sm->key_mgmt, 366 fils_cache_id); 367 if (!sm->cur_pmksa) 368 sm->cur_pmksa = sa; 369 } 370 } 371 #endif /* CONFIG_IEEE80211R */ 372 if (res == 0) { 373 struct rsn_pmksa_cache_entry *sa = NULL; 374 const u8 *fils_cache_id = NULL; 375 376 #ifdef CONFIG_FILS 377 if (sm->fils_cache_id_set) 378 fils_cache_id = sm->fils_cache_id; 379 #endif /* CONFIG_FILS */ 380 381 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state " 382 "machines", sm->pmk, pmk_len); 383 sm->pmk_len = pmk_len; 384 wpa_supplicant_key_mgmt_set_pmk(sm); 385 if (sm->proto == WPA_PROTO_RSN && 386 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 387 !wpa_key_mgmt_ft(sm->key_mgmt)) { 388 sa = pmksa_cache_add(sm->pmksa, 389 sm->pmk, pmk_len, NULL, 390 NULL, 0, 391 src_addr, sm->own_addr, 392 sm->network_ctx, 393 sm->key_mgmt, 394 fils_cache_id); 395 } 396 if (!sm->cur_pmksa && pmkid && 397 pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL, 398 0)) { 399 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 400 "RSN: the new PMK matches with the " 401 "PMKID"); 402 abort_cached = 0; 403 } else if (sa && !sm->cur_pmksa && pmkid) { 404 /* 405 * It looks like the authentication server 406 * derived mismatching MSK. This should not 407 * really happen, but bugs happen.. There is not 408 * much we can do here without knowing what 409 * exactly caused the server to misbehave. 410 */ 411 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 412 "RSN: PMKID mismatch - authentication server may have derived different MSK?!"); 413 return -1; 414 } 415 416 if (!sm->cur_pmksa) 417 sm->cur_pmksa = sa; 418 #ifdef CONFIG_IEEE80211R 419 } else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) { 420 wpa_printf(MSG_DEBUG, 421 "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol"); 422 #endif /* CONFIG_IEEE80211R */ 423 } else { 424 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 425 "WPA: Failed to get master session key from " 426 "EAPOL state machines - key handshake " 427 "aborted"); 428 if (sm->cur_pmksa) { 429 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 430 "RSN: Cancelled PMKSA caching " 431 "attempt"); 432 sm->cur_pmksa = NULL; 433 abort_cached = 1; 434 } else if (!abort_cached) { 435 return -1; 436 } 437 } 438 } 439 440 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && 441 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 442 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN) 443 { 444 /* Send EAPOL-Start to trigger full EAP authentication. */ 445 u8 *buf; 446 size_t buflen; 447 448 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 449 "RSN: no PMKSA entry found - trigger " 450 "full EAP authentication"); 451 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START, 452 NULL, 0, &buflen, NULL); 453 if (buf) { 454 /* Set and reset eapFail to allow EAP state machine to 455 * proceed with new authentication. */ 456 eapol_sm_notify_eap_fail(sm->eapol, true); 457 eapol_sm_notify_eap_fail(sm->eapol, false); 458 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL, 459 buf, buflen); 460 os_free(buf); 461 return -2; 462 } 463 464 return -1; 465 } 466 467 return 0; 468 } 469 470 471 /** 472 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake 473 * @sm: Pointer to WPA state machine data from wpa_sm_init() 474 * @dst: Destination address for the frame 475 * @key: Pointer to the EAPOL-Key frame header 476 * @ver: Version bits from EAPOL-Key Key Info 477 * @nonce: Nonce value for the EAPOL-Key frame 478 * @wpa_ie: WPA/RSN IE 479 * @wpa_ie_len: Length of the WPA/RSN IE 480 * @ptk: PTK to use for keyed hash and encryption 481 * Returns: >= 0 on success, < 0 on failure 482 */ 483 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst, 484 const struct wpa_eapol_key *key, 485 int ver, const u8 *nonce, 486 const u8 *wpa_ie, size_t wpa_ie_len, 487 struct wpa_ptk *ptk) 488 { 489 size_t mic_len, hdrlen, rlen; 490 struct wpa_eapol_key *reply; 491 u8 *rbuf, *key_mic; 492 u8 *rsn_ie_buf = NULL; 493 u16 key_info; 494 495 if (wpa_ie == NULL) { 496 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - " 497 "cannot generate msg 2/4"); 498 return -1; 499 } 500 501 #ifdef CONFIG_IEEE80211R 502 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 503 int res; 504 505 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE before FT processing", 506 wpa_ie, wpa_ie_len); 507 /* 508 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and 509 * FTIE from (Re)Association Response. 510 */ 511 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN + 512 sm->assoc_resp_ies_len); 513 if (rsn_ie_buf == NULL) 514 return -1; 515 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len); 516 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len, 517 sm->pmk_r1_name); 518 if (res < 0) { 519 os_free(rsn_ie_buf); 520 return -1; 521 } 522 wpa_hexdump(MSG_DEBUG, 523 "WPA: WPA IE after PMKID[PMKR1Name] addition into RSNE", 524 rsn_ie_buf, wpa_ie_len); 525 526 if (sm->assoc_resp_ies) { 527 wpa_hexdump(MSG_DEBUG, "WPA: Add assoc_resp_ies", 528 sm->assoc_resp_ies, 529 sm->assoc_resp_ies_len); 530 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies, 531 sm->assoc_resp_ies_len); 532 wpa_ie_len += sm->assoc_resp_ies_len; 533 } 534 535 wpa_ie = rsn_ie_buf; 536 } 537 #endif /* CONFIG_IEEE80211R */ 538 539 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len); 540 541 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 542 hdrlen = sizeof(*reply) + mic_len + 2; 543 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, 544 NULL, hdrlen + wpa_ie_len, 545 &rlen, (void *) &reply); 546 if (rbuf == NULL) { 547 os_free(rsn_ie_buf); 548 return -1; 549 } 550 551 reply->type = (sm->proto == WPA_PROTO_RSN || 552 sm->proto == WPA_PROTO_OSEN) ? 553 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 554 key_info = ver | WPA_KEY_INFO_KEY_TYPE; 555 if (mic_len) 556 key_info |= WPA_KEY_INFO_MIC; 557 else 558 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 559 WPA_PUT_BE16(reply->key_info, key_info); 560 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 561 WPA_PUT_BE16(reply->key_length, 0); 562 else 563 os_memcpy(reply->key_length, key->key_length, 2); 564 os_memcpy(reply->replay_counter, key->replay_counter, 565 WPA_REPLAY_COUNTER_LEN); 566 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter, 567 WPA_REPLAY_COUNTER_LEN); 568 569 key_mic = (u8 *) (reply + 1); 570 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */ 571 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */ 572 os_free(rsn_ie_buf); 573 574 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN); 575 576 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4"); 577 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen, 578 key_mic); 579 } 580 581 582 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr, 583 const struct wpa_eapol_key *key, struct wpa_ptk *ptk) 584 { 585 const u8 *z = NULL; 586 size_t z_len = 0, kdk_len; 587 int akmp; 588 589 #ifdef CONFIG_IEEE80211R 590 if (wpa_key_mgmt_ft(sm->key_mgmt)) 591 return wpa_derive_ptk_ft(sm, src_addr, key, ptk); 592 #endif /* CONFIG_IEEE80211R */ 593 594 #ifdef CONFIG_DPP2 595 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) { 596 z = wpabuf_head(sm->dpp_z); 597 z_len = wpabuf_len(sm->dpp_z); 598 } 599 #endif /* CONFIG_DPP2 */ 600 601 akmp = sm->key_mgmt; 602 #ifdef CONFIG_OWE 603 if (sm->owe_ptk_workaround && akmp == WPA_KEY_MGMT_OWE && 604 sm->pmk_len > 32) { 605 wpa_printf(MSG_DEBUG, 606 "OWE: Force SHA256 for PTK derivation"); 607 akmp |= WPA_KEY_MGMT_PSK_SHA256; 608 } 609 #endif /* CONFIG_OWE */ 610 611 if (sm->force_kdk_derivation || 612 (sm->secure_ltf && 613 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))) 614 kdk_len = WPA_KDK_MAX_LEN; 615 else 616 kdk_len = 0; 617 618 return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion", 619 sm->own_addr, sm->bssid, sm->snonce, 620 key->key_nonce, ptk, akmp, 621 sm->pairwise_cipher, z, z_len, 622 kdk_len); 623 } 624 625 626 static int wpa_handle_ext_key_id(struct wpa_sm *sm, 627 struct wpa_eapol_ie_parse *kde) 628 { 629 if (sm->ext_key_id) { 630 u16 key_id; 631 632 if (!kde->key_id) { 633 wpa_msg(sm->ctx->msg_ctx, 634 sm->use_ext_key_id ? MSG_INFO : MSG_DEBUG, 635 "RSN: No Key ID in Extended Key ID handshake"); 636 sm->keyidx_active = 0; 637 return sm->use_ext_key_id ? -1 : 0; 638 } 639 640 key_id = kde->key_id[0] & 0x03; 641 if (key_id > 1) { 642 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 643 "RSN: Invalid Extended Key ID: %d", key_id); 644 return -1; 645 } 646 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 647 "RSN: Using Extended Key ID %d", key_id); 648 sm->keyidx_active = key_id; 649 sm->use_ext_key_id = 1; 650 } else { 651 if (kde->key_id && (kde->key_id[0] & 0x03)) { 652 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 653 "RSN: Non-zero Extended Key ID Key ID in PTK0 handshake"); 654 return -1; 655 } 656 657 if (kde->key_id) { 658 /* This is not supposed to be included here, but ignore 659 * the case of matching Key ID 0 just in case. */ 660 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG, 661 "RSN: Extended Key ID Key ID 0 in PTK0 handshake"); 662 } 663 sm->keyidx_active = 0; 664 sm->use_ext_key_id = 0; 665 } 666 667 return 0; 668 } 669 670 671 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, 672 const unsigned char *src_addr, 673 const struct wpa_eapol_key *key, 674 u16 ver, const u8 *key_data, 675 size_t key_data_len) 676 { 677 struct wpa_eapol_ie_parse ie; 678 struct wpa_ptk *ptk; 679 int res; 680 u8 *kde, *kde_buf = NULL; 681 size_t kde_len; 682 683 if (wpa_sm_get_network_ctx(sm) == NULL) { 684 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info " 685 "found (msg 1 of 4)"); 686 return; 687 } 688 689 if (sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id && 690 wpa_sm_get_state(sm) == WPA_COMPLETED) { 691 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 692 "WPA: PTK0 rekey not allowed, reconnecting"); 693 wpa_sm_reconnect(sm); 694 return; 695 } 696 697 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE); 698 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way " 699 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 700 701 os_memset(&ie, 0, sizeof(ie)); 702 703 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) { 704 /* RSN: msg 1/4 should contain PMKID for the selected PMK */ 705 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", 706 key_data, key_data_len); 707 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) 708 goto failed; 709 if (ie.pmkid) { 710 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from " 711 "Authenticator", ie.pmkid, PMKID_LEN); 712 } 713 } 714 715 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid); 716 if (res == -2) { 717 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to " 718 "msg 1/4 - requesting full EAP authentication"); 719 return; 720 } 721 if (res) 722 goto failed; 723 724 if (sm->renew_snonce) { 725 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) { 726 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 727 "WPA: Failed to get random data for SNonce"); 728 goto failed; 729 } 730 sm->renew_snonce = 0; 731 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce", 732 sm->snonce, WPA_NONCE_LEN); 733 } 734 735 /* Calculate PTK which will be stored as a temporary PTK until it has 736 * been verified when processing message 3/4. */ 737 ptk = &sm->tptk; 738 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0) 739 goto failed; 740 if (sm->pairwise_cipher == WPA_CIPHER_TKIP) { 741 u8 buf[8]; 742 /* Supplicant: swap tx/rx Mic keys */ 743 os_memcpy(buf, &ptk->tk[16], 8); 744 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8); 745 os_memcpy(&ptk->tk[24], buf, 8); 746 forced_memzero(buf, sizeof(buf)); 747 } 748 sm->tptk_set = 1; 749 750 kde = sm->assoc_wpa_ie; 751 kde_len = sm->assoc_wpa_ie_len; 752 kde_buf = os_malloc(kde_len + 753 2 + RSN_SELECTOR_LEN + 3 + 754 sm->assoc_rsnxe_len + 755 2 + RSN_SELECTOR_LEN + 1 + 756 2 + RSN_SELECTOR_LEN + 2); 757 if (!kde_buf) 758 goto failed; 759 os_memcpy(kde_buf, kde, kde_len); 760 kde = kde_buf; 761 762 #ifdef CONFIG_OCV 763 if (wpa_sm_ocv_enabled(sm)) { 764 struct wpa_channel_info ci; 765 u8 *pos; 766 767 pos = kde + kde_len; 768 if (wpa_sm_channel_info(sm, &ci) != 0) { 769 wpa_printf(MSG_WARNING, 770 "Failed to get channel info for OCI element in EAPOL-Key 2/4"); 771 goto failed; 772 } 773 #ifdef CONFIG_TESTING_OPTIONS 774 if (sm->oci_freq_override_eapol) { 775 wpa_printf(MSG_INFO, 776 "TEST: Override OCI KDE frequency %d -> %d MHz", 777 ci.frequency, sm->oci_freq_override_eapol); 778 ci.frequency = sm->oci_freq_override_eapol; 779 } 780 #endif /* CONFIG_TESTING_OPTIONS */ 781 782 if (ocv_insert_oci_kde(&ci, &pos) < 0) 783 goto failed; 784 kde_len = pos - kde; 785 } 786 #endif /* CONFIG_OCV */ 787 788 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) { 789 os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len); 790 kde_len += sm->assoc_rsnxe_len; 791 } 792 793 #ifdef CONFIG_P2P 794 if (sm->p2p) { 795 u8 *pos; 796 797 wpa_printf(MSG_DEBUG, 798 "P2P: Add IP Address Request KDE into EAPOL-Key 2/4"); 799 pos = kde + kde_len; 800 *pos++ = WLAN_EID_VENDOR_SPECIFIC; 801 *pos++ = RSN_SELECTOR_LEN + 1; 802 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ); 803 pos += RSN_SELECTOR_LEN; 804 *pos++ = 0x01; 805 kde_len = pos - kde; 806 } 807 #endif /* CONFIG_P2P */ 808 809 #ifdef CONFIG_DPP2 810 if (DPP_VERSION > 1 && sm->key_mgmt == WPA_KEY_MGMT_DPP) { 811 u8 *pos; 812 813 wpa_printf(MSG_DEBUG, "DPP: Add DPP KDE into EAPOL-Key 2/4"); 814 pos = kde + kde_len; 815 *pos++ = WLAN_EID_VENDOR_SPECIFIC; 816 *pos++ = RSN_SELECTOR_LEN + 2; 817 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_DPP); 818 pos += RSN_SELECTOR_LEN; 819 *pos++ = DPP_VERSION; /* Protocol Version */ 820 *pos = 0; /* Flags */ 821 if (sm->dpp_pfs == 0) 822 *pos |= DPP_KDE_PFS_ALLOWED; 823 else if (sm->dpp_pfs == 1) 824 *pos |= DPP_KDE_PFS_ALLOWED | DPP_KDE_PFS_REQUIRED; 825 pos++; 826 kde_len = pos - kde; 827 } 828 #endif /* CONFIG_DPP2 */ 829 830 if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce, 831 kde, kde_len, ptk) < 0) 832 goto failed; 833 834 os_free(kde_buf); 835 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN); 836 return; 837 838 failed: 839 os_free(kde_buf); 840 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 841 } 842 843 844 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx) 845 { 846 struct wpa_sm *sm = eloop_ctx; 847 rsn_preauth_candidate_process(sm); 848 } 849 850 851 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm, 852 const u8 *addr, int secure) 853 { 854 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 855 "WPA: Key negotiation completed with " 856 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr), 857 wpa_cipher_txt(sm->pairwise_cipher), 858 wpa_cipher_txt(sm->group_cipher)); 859 wpa_sm_cancel_auth_timeout(sm); 860 wpa_sm_set_state(sm, WPA_COMPLETED); 861 862 if (secure) { 863 wpa_sm_mlme_setprotection( 864 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX, 865 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE); 866 eapol_sm_notify_portValid(sm->eapol, true); 867 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) || 868 sm->key_mgmt == WPA_KEY_MGMT_DPP || 869 sm->key_mgmt == WPA_KEY_MGMT_OWE) 870 eapol_sm_notify_eap_success(sm->eapol, true); 871 /* 872 * Start preauthentication after a short wait to avoid a 873 * possible race condition between the data receive and key 874 * configuration after the 4-Way Handshake. This increases the 875 * likelihood of the first preauth EAPOL-Start frame getting to 876 * the target AP. 877 */ 878 if (!dl_list_empty(&sm->pmksa_candidates)) 879 eloop_register_timeout(1, 0, wpa_sm_start_preauth, 880 sm, NULL); 881 } 882 883 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) { 884 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 885 "RSN: Authenticator accepted " 886 "opportunistic PMKSA entry - marking it valid"); 887 sm->cur_pmksa->opportunistic = 0; 888 } 889 890 #ifdef CONFIG_IEEE80211R 891 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 892 /* Prepare for the next transition */ 893 wpa_ft_prepare_auth_request(sm, NULL); 894 } 895 #endif /* CONFIG_IEEE80211R */ 896 } 897 898 899 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 900 { 901 struct wpa_sm *sm = eloop_ctx; 902 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying"); 903 wpa_sm_key_request(sm, 0, 1); 904 } 905 906 907 static int wpa_supplicant_install_ptk(struct wpa_sm *sm, 908 const struct wpa_eapol_key *key, 909 enum key_flag key_flag) 910 { 911 int keylen, rsclen; 912 enum wpa_alg alg; 913 const u8 *key_rsc; 914 915 if (sm->ptk.installed) { 916 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 917 "WPA: Do not re-install same PTK to the driver"); 918 return 0; 919 } 920 921 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 922 "WPA: Installing PTK to the driver"); 923 924 if (sm->pairwise_cipher == WPA_CIPHER_NONE) { 925 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher " 926 "Suite: NONE - do not use pairwise keys"); 927 return 0; 928 } 929 930 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) { 931 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 932 "WPA: Unsupported pairwise cipher %d", 933 sm->pairwise_cipher); 934 return -1; 935 } 936 937 alg = wpa_cipher_to_alg(sm->pairwise_cipher); 938 keylen = wpa_cipher_key_len(sm->pairwise_cipher); 939 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) { 940 wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu", 941 keylen, (long unsigned int) sm->ptk.tk_len); 942 return -1; 943 } 944 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher); 945 946 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) { 947 key_rsc = null_rsc; 948 } else { 949 key_rsc = key->key_rsc; 950 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); 951 } 952 953 if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, 1, key_rsc, 954 rsclen, sm->ptk.tk, keylen, 955 KEY_FLAG_PAIRWISE | key_flag) < 0) { 956 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 957 "WPA: Failed to set PTK to the driver (alg=%d keylen=%d bssid=" 958 MACSTR " idx=%d key_flag=0x%x)", 959 alg, keylen, MAC2STR(sm->bssid), 960 sm->keyidx_active, key_flag); 961 return -1; 962 } 963 964 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher, 965 sm->dot11RSNAConfigPMKLifetime, &sm->ptk); 966 967 /* TK is not needed anymore in supplicant */ 968 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); 969 sm->ptk.tk_len = 0; 970 sm->ptk.installed = 1; 971 972 if (sm->wpa_ptk_rekey) { 973 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 974 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk, 975 sm, NULL); 976 } 977 return 0; 978 } 979 980 981 static int wpa_supplicant_activate_ptk(struct wpa_sm *sm) 982 { 983 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 984 "WPA: Activate PTK (idx=%d bssid=" MACSTR ")", 985 sm->keyidx_active, MAC2STR(sm->bssid)); 986 987 if (wpa_sm_set_key(sm, 0, sm->bssid, sm->keyidx_active, 0, NULL, 0, 988 NULL, 0, KEY_FLAG_PAIRWISE_RX_TX_MODIFY) < 0) { 989 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 990 "WPA: Failed to activate PTK for TX (idx=%d bssid=" 991 MACSTR ")", sm->keyidx_active, MAC2STR(sm->bssid)); 992 return -1; 993 } 994 return 0; 995 } 996 997 998 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm, 999 int group_cipher, 1000 int keylen, int maxkeylen, 1001 int *key_rsc_len, 1002 enum wpa_alg *alg) 1003 { 1004 int klen; 1005 1006 *alg = wpa_cipher_to_alg(group_cipher); 1007 if (*alg == WPA_ALG_NONE) { 1008 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1009 "WPA: Unsupported Group Cipher %d", 1010 group_cipher); 1011 return -1; 1012 } 1013 *key_rsc_len = wpa_cipher_rsc_len(group_cipher); 1014 1015 klen = wpa_cipher_key_len(group_cipher); 1016 if (keylen != klen || maxkeylen < klen) { 1017 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1018 "WPA: Unsupported %s Group Cipher key length %d (%d)", 1019 wpa_cipher_txt(group_cipher), keylen, maxkeylen); 1020 return -1; 1021 } 1022 return 0; 1023 } 1024 1025 1026 struct wpa_gtk_data { 1027 enum wpa_alg alg; 1028 int tx, key_rsc_len, keyidx; 1029 u8 gtk[32]; 1030 int gtk_len; 1031 }; 1032 1033 1034 static int wpa_supplicant_install_gtk(struct wpa_sm *sm, 1035 const struct wpa_gtk_data *gd, 1036 const u8 *key_rsc, int wnm_sleep) 1037 { 1038 const u8 *_gtk = gd->gtk; 1039 u8 gtk_buf[32]; 1040 1041 /* Detect possible key reinstallation */ 1042 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && 1043 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || 1044 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && 1045 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, 1046 sm->gtk_wnm_sleep.gtk_len) == 0)) { 1047 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1048 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", 1049 gd->keyidx, gd->tx, gd->gtk_len); 1050 return 0; 1051 } 1052 1053 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len); 1054 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1055 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", 1056 gd->keyidx, gd->tx, gd->gtk_len); 1057 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len); 1058 if (sm->group_cipher == WPA_CIPHER_TKIP) { 1059 /* Swap Tx/Rx keys for Michael MIC */ 1060 os_memcpy(gtk_buf, gd->gtk, 16); 1061 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8); 1062 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8); 1063 _gtk = gtk_buf; 1064 } 1065 if (sm->pairwise_cipher == WPA_CIPHER_NONE) { 1066 if (wpa_sm_set_key(sm, gd->alg, NULL, 1067 gd->keyidx, 1, key_rsc, gd->key_rsc_len, 1068 _gtk, gd->gtk_len, 1069 KEY_FLAG_GROUP_RX_TX_DEFAULT) < 0) { 1070 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1071 "WPA: Failed to set GTK to the driver " 1072 "(Group only)"); 1073 forced_memzero(gtk_buf, sizeof(gtk_buf)); 1074 return -1; 1075 } 1076 } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr, 1077 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, 1078 _gtk, gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) { 1079 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1080 "WPA: Failed to set GTK to " 1081 "the driver (alg=%d keylen=%d keyidx=%d)", 1082 gd->alg, gd->gtk_len, gd->keyidx); 1083 forced_memzero(gtk_buf, sizeof(gtk_buf)); 1084 return -1; 1085 } 1086 forced_memzero(gtk_buf, sizeof(gtk_buf)); 1087 1088 if (wnm_sleep) { 1089 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len; 1090 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, 1091 sm->gtk_wnm_sleep.gtk_len); 1092 } else { 1093 sm->gtk.gtk_len = gd->gtk_len; 1094 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); 1095 } 1096 1097 return 0; 1098 } 1099 1100 1101 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm, 1102 int tx) 1103 { 1104 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) { 1105 /* Ignore Tx bit for GTK if a pairwise key is used. One AP 1106 * seemed to set this bit (incorrectly, since Tx is only when 1107 * doing Group Key only APs) and without this workaround, the 1108 * data connection does not work because wpa_supplicant 1109 * configured non-zero keyidx to be used for unicast. */ 1110 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1111 "WPA: Tx bit set for GTK, but pairwise " 1112 "keys are used - ignore Tx bit"); 1113 return 0; 1114 } 1115 return tx; 1116 } 1117 1118 1119 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm, 1120 const u8 *rsc) 1121 { 1122 int rsclen; 1123 1124 if (!sm->wpa_rsc_relaxation) 1125 return 0; 1126 1127 rsclen = wpa_cipher_rsc_len(sm->group_cipher); 1128 1129 /* 1130 * Try to detect RSC (endian) corruption issue where the AP sends 1131 * the RSC bytes in EAPOL-Key message in the wrong order, both if 1132 * it's actually a 6-byte field (as it should be) and if it treats 1133 * it as an 8-byte field. 1134 * An AP model known to have this bug is the Sapido RB-1632. 1135 */ 1136 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) { 1137 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1138 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0", 1139 rsc[0], rsc[1], rsc[2], rsc[3], 1140 rsc[4], rsc[5], rsc[6], rsc[7]); 1141 1142 return 1; 1143 } 1144 1145 return 0; 1146 } 1147 1148 1149 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, 1150 const struct wpa_eapol_key *key, 1151 const u8 *gtk, size_t gtk_len, 1152 int key_info) 1153 { 1154 struct wpa_gtk_data gd; 1155 const u8 *key_rsc; 1156 1157 /* 1158 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x 1159 * GTK KDE format: 1160 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7] 1161 * Reserved [bits 0-7] 1162 * GTK 1163 */ 1164 1165 os_memset(&gd, 0, sizeof(gd)); 1166 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake", 1167 gtk, gtk_len); 1168 1169 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk)) 1170 return -1; 1171 1172 gd.keyidx = gtk[0] & 0x3; 1173 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 1174 !!(gtk[0] & BIT(2))); 1175 gtk += 2; 1176 gtk_len -= 2; 1177 1178 os_memcpy(gd.gtk, gtk, gtk_len); 1179 gd.gtk_len = gtk_len; 1180 1181 key_rsc = key->key_rsc; 1182 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) 1183 key_rsc = null_rsc; 1184 1185 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED && 1186 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 1187 gtk_len, gtk_len, 1188 &gd.key_rsc_len, &gd.alg) || 1189 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { 1190 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1191 "RSN: Failed to install GTK"); 1192 forced_memzero(&gd, sizeof(gd)); 1193 return -1; 1194 } 1195 forced_memzero(&gd, sizeof(gd)); 1196 1197 return 0; 1198 } 1199 1200 1201 static int wpa_supplicant_install_igtk(struct wpa_sm *sm, 1202 const struct wpa_igtk_kde *igtk, 1203 int wnm_sleep) 1204 { 1205 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1206 u16 keyidx = WPA_GET_LE16(igtk->keyid); 1207 1208 /* Detect possible key reinstallation */ 1209 if ((sm->igtk.igtk_len == len && 1210 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || 1211 (sm->igtk_wnm_sleep.igtk_len == len && 1212 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, 1213 sm->igtk_wnm_sleep.igtk_len) == 0)) { 1214 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1215 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", 1216 keyidx); 1217 return 0; 1218 } 1219 1220 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1221 "WPA: IGTK keyid %d pn " COMPACT_MACSTR, 1222 keyidx, MAC2STR(igtk->pn)); 1223 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); 1224 if (keyidx > 4095) { 1225 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1226 "WPA: Invalid IGTK KeyID %d", keyidx); 1227 return -1; 1228 } 1229 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), 1230 broadcast_ether_addr, 1231 keyidx, 0, igtk->pn, sizeof(igtk->pn), 1232 igtk->igtk, len, KEY_FLAG_GROUP_RX) < 0) { 1233 if (keyidx == 0x0400 || keyidx == 0x0500) { 1234 /* Assume the AP has broken PMF implementation since it 1235 * seems to have swapped the KeyID bytes. The AP cannot 1236 * be trusted to implement BIP correctly or provide a 1237 * valid IGTK, so do not try to configure this key with 1238 * swapped KeyID bytes. Instead, continue without 1239 * configuring the IGTK so that the driver can drop any 1240 * received group-addressed robust management frames due 1241 * to missing keys. 1242 * 1243 * Normally, this error behavior would result in us 1244 * disconnecting, but there are number of deployed APs 1245 * with this broken behavior, so as an interoperability 1246 * workaround, allow the connection to proceed. */ 1247 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1248 "WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order"); 1249 } else { 1250 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1251 "WPA: Failed to configure IGTK to the driver"); 1252 return -1; 1253 } 1254 } 1255 1256 if (wnm_sleep) { 1257 sm->igtk_wnm_sleep.igtk_len = len; 1258 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, 1259 sm->igtk_wnm_sleep.igtk_len); 1260 } else { 1261 sm->igtk.igtk_len = len; 1262 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); 1263 } 1264 1265 return 0; 1266 } 1267 1268 1269 static int wpa_supplicant_install_bigtk(struct wpa_sm *sm, 1270 const struct wpa_bigtk_kde *bigtk, 1271 int wnm_sleep) 1272 { 1273 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1274 u16 keyidx = WPA_GET_LE16(bigtk->keyid); 1275 1276 /* Detect possible key reinstallation */ 1277 if ((sm->bigtk.bigtk_len == len && 1278 os_memcmp(sm->bigtk.bigtk, bigtk->bigtk, 1279 sm->bigtk.bigtk_len) == 0) || 1280 (sm->bigtk_wnm_sleep.bigtk_len == len && 1281 os_memcmp(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk, 1282 sm->bigtk_wnm_sleep.bigtk_len) == 0)) { 1283 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1284 "WPA: Not reinstalling already in-use BIGTK to the driver (keyidx=%d)", 1285 keyidx); 1286 return 0; 1287 } 1288 1289 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1290 "WPA: BIGTK keyid %d pn " COMPACT_MACSTR, 1291 keyidx, MAC2STR(bigtk->pn)); 1292 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK", bigtk->bigtk, len); 1293 if (keyidx < 6 || keyidx > 7) { 1294 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1295 "WPA: Invalid BIGTK KeyID %d", keyidx); 1296 return -1; 1297 } 1298 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), 1299 broadcast_ether_addr, 1300 keyidx, 0, bigtk->pn, sizeof(bigtk->pn), 1301 bigtk->bigtk, len, KEY_FLAG_GROUP_RX) < 0) { 1302 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1303 "WPA: Failed to configure BIGTK to the driver"); 1304 return -1; 1305 } 1306 1307 if (wnm_sleep) { 1308 sm->bigtk_wnm_sleep.bigtk_len = len; 1309 os_memcpy(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk, 1310 sm->bigtk_wnm_sleep.bigtk_len); 1311 } else { 1312 sm->bigtk.bigtk_len = len; 1313 os_memcpy(sm->bigtk.bigtk, bigtk->bigtk, sm->bigtk.bigtk_len); 1314 } 1315 1316 return 0; 1317 } 1318 1319 1320 static int ieee80211w_set_keys(struct wpa_sm *sm, 1321 struct wpa_eapol_ie_parse *ie) 1322 { 1323 size_t len; 1324 1325 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) || 1326 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED) 1327 return 0; 1328 1329 if (ie->igtk) { 1330 const struct wpa_igtk_kde *igtk; 1331 1332 len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1333 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) 1334 return -1; 1335 1336 igtk = (const struct wpa_igtk_kde *) ie->igtk; 1337 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) 1338 return -1; 1339 } 1340 1341 if (ie->bigtk && sm->beacon_prot) { 1342 const struct wpa_bigtk_kde *bigtk; 1343 1344 len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1345 if (ie->bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + len) 1346 return -1; 1347 1348 bigtk = (const struct wpa_bigtk_kde *) ie->bigtk; 1349 if (wpa_supplicant_install_bigtk(sm, bigtk, 0) < 0) 1350 return -1; 1351 } 1352 1353 return 0; 1354 } 1355 1356 1357 static void wpa_report_ie_mismatch(struct wpa_sm *sm, 1358 const char *reason, const u8 *src_addr, 1359 const u8 *wpa_ie, size_t wpa_ie_len, 1360 const u8 *rsn_ie, size_t rsn_ie_len) 1361 { 1362 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")", 1363 reason, MAC2STR(src_addr)); 1364 1365 if (sm->ap_wpa_ie) { 1366 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp", 1367 sm->ap_wpa_ie, sm->ap_wpa_ie_len); 1368 } 1369 if (wpa_ie) { 1370 if (!sm->ap_wpa_ie) { 1371 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1372 "WPA: No WPA IE in Beacon/ProbeResp"); 1373 } 1374 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg", 1375 wpa_ie, wpa_ie_len); 1376 } 1377 1378 if (sm->ap_rsn_ie) { 1379 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp", 1380 sm->ap_rsn_ie, sm->ap_rsn_ie_len); 1381 } 1382 if (rsn_ie) { 1383 if (!sm->ap_rsn_ie) { 1384 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1385 "WPA: No RSN IE in Beacon/ProbeResp"); 1386 } 1387 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg", 1388 rsn_ie, rsn_ie_len); 1389 } 1390 1391 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS); 1392 } 1393 1394 1395 #ifdef CONFIG_IEEE80211R 1396 1397 static int ft_validate_mdie(struct wpa_sm *sm, 1398 const unsigned char *src_addr, 1399 struct wpa_eapol_ie_parse *ie, 1400 const u8 *assoc_resp_mdie) 1401 { 1402 struct rsn_mdie *mdie; 1403 1404 mdie = (struct rsn_mdie *) (ie->mdie + 2); 1405 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) || 1406 os_memcmp(mdie->mobility_domain, sm->mobility_domain, 1407 MOBILITY_DOMAIN_ID_LEN) != 0) { 1408 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did " 1409 "not match with the current mobility domain"); 1410 return -1; 1411 } 1412 1413 if (assoc_resp_mdie && 1414 (assoc_resp_mdie[1] != ie->mdie[1] || 1415 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) { 1416 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch"); 1417 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4", 1418 ie->mdie, 2 + ie->mdie[1]); 1419 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response", 1420 assoc_resp_mdie, 2 + assoc_resp_mdie[1]); 1421 return -1; 1422 } 1423 1424 return 0; 1425 } 1426 1427 1428 static int ft_validate_ftie(struct wpa_sm *sm, 1429 const unsigned char *src_addr, 1430 struct wpa_eapol_ie_parse *ie, 1431 const u8 *assoc_resp_ftie) 1432 { 1433 if (ie->ftie == NULL) { 1434 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1435 "FT: No FTIE in EAPOL-Key msg 3/4"); 1436 return -1; 1437 } 1438 1439 if (assoc_resp_ftie == NULL) 1440 return 0; 1441 1442 if (assoc_resp_ftie[1] != ie->ftie[1] || 1443 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) { 1444 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch"); 1445 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4", 1446 ie->ftie, 2 + ie->ftie[1]); 1447 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response", 1448 assoc_resp_ftie, 2 + assoc_resp_ftie[1]); 1449 return -1; 1450 } 1451 1452 return 0; 1453 } 1454 1455 1456 static int ft_validate_rsnie(struct wpa_sm *sm, 1457 const unsigned char *src_addr, 1458 struct wpa_eapol_ie_parse *ie) 1459 { 1460 struct wpa_ie_data rsn; 1461 1462 if (!ie->rsn_ie) 1463 return 0; 1464 1465 /* 1466 * Verify that PMKR1Name from EAPOL-Key message 3/4 1467 * matches with the value we derived. 1468 */ 1469 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 || 1470 rsn.num_pmkid != 1 || rsn.pmkid == NULL) { 1471 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in " 1472 "FT 4-way handshake message 3/4"); 1473 return -1; 1474 } 1475 1476 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0) 1477 { 1478 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1479 "FT: PMKR1Name mismatch in " 1480 "FT 4-way handshake message 3/4"); 1481 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator", 1482 rsn.pmkid, WPA_PMK_NAME_LEN); 1483 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 1484 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 1485 return -1; 1486 } 1487 1488 return 0; 1489 } 1490 1491 1492 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm, 1493 const unsigned char *src_addr, 1494 struct wpa_eapol_ie_parse *ie) 1495 { 1496 const u8 *pos, *end, *mdie = NULL, *ftie = NULL; 1497 1498 if (sm->assoc_resp_ies) { 1499 pos = sm->assoc_resp_ies; 1500 end = pos + sm->assoc_resp_ies_len; 1501 while (end - pos > 2) { 1502 if (2 + pos[1] > end - pos) 1503 break; 1504 switch (*pos) { 1505 case WLAN_EID_MOBILITY_DOMAIN: 1506 mdie = pos; 1507 break; 1508 case WLAN_EID_FAST_BSS_TRANSITION: 1509 ftie = pos; 1510 break; 1511 } 1512 pos += 2 + pos[1]; 1513 } 1514 } 1515 1516 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 || 1517 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 || 1518 ft_validate_rsnie(sm, src_addr, ie) < 0) 1519 return -1; 1520 1521 return 0; 1522 } 1523 1524 #endif /* CONFIG_IEEE80211R */ 1525 1526 1527 static int wpa_supplicant_validate_ie(struct wpa_sm *sm, 1528 const unsigned char *src_addr, 1529 struct wpa_eapol_ie_parse *ie) 1530 { 1531 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) { 1532 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1533 "WPA: No WPA/RSN IE for this AP known. " 1534 "Trying to get from scan results"); 1535 if (wpa_sm_get_beacon_ie(sm) < 0) { 1536 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1537 "WPA: Could not find AP from " 1538 "the scan results"); 1539 return -1; 1540 } 1541 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG, 1542 "WPA: Found the current AP from updated scan results"); 1543 } 1544 1545 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL && 1546 (sm->ap_wpa_ie || sm->ap_rsn_ie)) { 1547 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match " 1548 "with IE in Beacon/ProbeResp (no IE?)", 1549 src_addr, ie->wpa_ie, ie->wpa_ie_len, 1550 ie->rsn_ie, ie->rsn_ie_len); 1551 return -1; 1552 } 1553 1554 if ((ie->wpa_ie && sm->ap_wpa_ie && 1555 (ie->wpa_ie_len != sm->ap_wpa_ie_len || 1556 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) || 1557 (ie->rsn_ie && sm->ap_rsn_ie && 1558 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt), 1559 sm->ap_rsn_ie, sm->ap_rsn_ie_len, 1560 ie->rsn_ie, ie->rsn_ie_len))) { 1561 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match " 1562 "with IE in Beacon/ProbeResp", 1563 src_addr, ie->wpa_ie, ie->wpa_ie_len, 1564 ie->rsn_ie, ie->rsn_ie_len); 1565 return -1; 1566 } 1567 1568 if (sm->proto == WPA_PROTO_WPA && 1569 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) { 1570 wpa_report_ie_mismatch(sm, "Possible downgrade attack " 1571 "detected - RSN was enabled and RSN IE " 1572 "was in msg 3/4, but not in " 1573 "Beacon/ProbeResp", 1574 src_addr, ie->wpa_ie, ie->wpa_ie_len, 1575 ie->rsn_ie, ie->rsn_ie_len); 1576 return -1; 1577 } 1578 1579 if (sm->proto == WPA_PROTO_RSN && 1580 ((sm->ap_rsnxe && !ie->rsnxe) || 1581 (!sm->ap_rsnxe && ie->rsnxe) || 1582 (sm->ap_rsnxe && ie->rsnxe && 1583 (sm->ap_rsnxe_len != ie->rsnxe_len || 1584 os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) { 1585 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1586 "WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4"); 1587 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp", 1588 sm->ap_rsnxe, sm->ap_rsnxe_len); 1589 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4", 1590 ie->rsnxe, ie->rsnxe_len); 1591 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS); 1592 return -1; 1593 } 1594 1595 #ifdef CONFIG_IEEE80211R 1596 if (wpa_key_mgmt_ft(sm->key_mgmt) && 1597 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0) 1598 return -1; 1599 #endif /* CONFIG_IEEE80211R */ 1600 1601 return 0; 1602 } 1603 1604 1605 /** 1606 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake 1607 * @sm: Pointer to WPA state machine data from wpa_sm_init() 1608 * @dst: Destination address for the frame 1609 * @key: Pointer to the EAPOL-Key frame header 1610 * @ver: Version bits from EAPOL-Key Key Info 1611 * @key_info: Key Info 1612 * @ptk: PTK to use for keyed hash and encryption 1613 * Returns: >= 0 on success, < 0 on failure 1614 */ 1615 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst, 1616 const struct wpa_eapol_key *key, 1617 u16 ver, u16 key_info, 1618 struct wpa_ptk *ptk) 1619 { 1620 size_t mic_len, hdrlen, rlen; 1621 struct wpa_eapol_key *reply; 1622 u8 *rbuf, *key_mic; 1623 1624 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 1625 hdrlen = sizeof(*reply) + mic_len + 2; 1626 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 1627 hdrlen, &rlen, (void *) &reply); 1628 if (rbuf == NULL) 1629 return -1; 1630 1631 reply->type = (sm->proto == WPA_PROTO_RSN || 1632 sm->proto == WPA_PROTO_OSEN) ? 1633 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1634 key_info &= WPA_KEY_INFO_SECURE; 1635 key_info |= ver | WPA_KEY_INFO_KEY_TYPE; 1636 if (mic_len) 1637 key_info |= WPA_KEY_INFO_MIC; 1638 else 1639 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1640 WPA_PUT_BE16(reply->key_info, key_info); 1641 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 1642 WPA_PUT_BE16(reply->key_length, 0); 1643 else 1644 os_memcpy(reply->key_length, key->key_length, 2); 1645 os_memcpy(reply->replay_counter, key->replay_counter, 1646 WPA_REPLAY_COUNTER_LEN); 1647 1648 key_mic = (u8 *) (reply + 1); 1649 WPA_PUT_BE16(key_mic + mic_len, 0); 1650 1651 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4"); 1652 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen, 1653 key_mic); 1654 } 1655 1656 1657 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, 1658 const struct wpa_eapol_key *key, 1659 u16 ver, const u8 *key_data, 1660 size_t key_data_len) 1661 { 1662 u16 key_info, keylen; 1663 struct wpa_eapol_ie_parse ie; 1664 1665 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE); 1666 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 3 of 4-Way " 1667 "Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver); 1668 1669 key_info = WPA_GET_BE16(key->key_info); 1670 1671 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len); 1672 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) 1673 goto failed; 1674 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1675 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1676 "WPA: GTK IE in unencrypted key data"); 1677 goto failed; 1678 } 1679 if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1680 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1681 "WPA: IGTK KDE in unencrypted key data"); 1682 goto failed; 1683 } 1684 1685 if (ie.igtk && 1686 sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED && 1687 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) && 1688 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN + 1689 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) { 1690 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1691 "WPA: Invalid IGTK KDE length %lu", 1692 (unsigned long) ie.igtk_len); 1693 goto failed; 1694 } 1695 1696 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0) 1697 goto failed; 1698 1699 if (wpa_handle_ext_key_id(sm, &ie)) 1700 goto failed; 1701 1702 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) { 1703 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1704 "WPA: ANonce from message 1 of 4-Way Handshake " 1705 "differs from 3 of 4-Way Handshake - drop packet (src=" 1706 MACSTR ")", MAC2STR(sm->bssid)); 1707 goto failed; 1708 } 1709 1710 keylen = WPA_GET_BE16(key->key_length); 1711 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) { 1712 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1713 "WPA: Invalid %s key length %d (src=" MACSTR 1714 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen, 1715 MAC2STR(sm->bssid)); 1716 goto failed; 1717 } 1718 1719 #ifdef CONFIG_P2P 1720 if (ie.ip_addr_alloc) { 1721 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4); 1722 wpa_hexdump(MSG_DEBUG, "P2P: IP address info", 1723 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr)); 1724 } 1725 #endif /* CONFIG_P2P */ 1726 1727 #ifdef CONFIG_OCV 1728 if (wpa_sm_ocv_enabled(sm)) { 1729 struct wpa_channel_info ci; 1730 1731 if (wpa_sm_channel_info(sm, &ci) != 0) { 1732 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1733 "Failed to get channel info to validate received OCI in EAPOL-Key 3/4"); 1734 return; 1735 } 1736 1737 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci, 1738 channel_width_to_int(ci.chanwidth), 1739 ci.seg1_idx) != OCI_SUCCESS) { 1740 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE 1741 "addr=" MACSTR " frame=eapol-key-m3 error=%s", 1742 MAC2STR(sm->bssid), ocv_errorstr); 1743 return; 1744 } 1745 } 1746 #endif /* CONFIG_OCV */ 1747 1748 #ifdef CONFIG_DPP2 1749 if (DPP_VERSION > 1 && ie.dpp_kde) { 1750 wpa_printf(MSG_DEBUG, 1751 "DPP: peer Protocol Version %u Flags 0x%x", 1752 ie.dpp_kde[0], ie.dpp_kde[1]); 1753 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_pfs != 2 && 1754 (ie.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && !sm->dpp_z) { 1755 wpa_printf(MSG_INFO, 1756 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association"); 1757 goto failed; 1758 } 1759 } 1760 #endif /* CONFIG_DPP2 */ 1761 1762 if (sm->use_ext_key_id && 1763 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX)) 1764 goto failed; 1765 1766 if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info, 1767 &sm->ptk) < 0) { 1768 goto failed; 1769 } 1770 1771 /* SNonce was successfully used in msg 3/4, so mark it to be renewed 1772 * for the next 4-Way Handshake. If msg 3 is received again, the old 1773 * SNonce will still be used to avoid changing PTK. */ 1774 sm->renew_snonce = 1; 1775 1776 if (key_info & WPA_KEY_INFO_INSTALL) { 1777 int res; 1778 1779 if (sm->use_ext_key_id) 1780 res = wpa_supplicant_activate_ptk(sm); 1781 else 1782 res = wpa_supplicant_install_ptk(sm, key, 1783 KEY_FLAG_RX_TX); 1784 if (res) 1785 goto failed; 1786 } 1787 1788 if (key_info & WPA_KEY_INFO_SECURE) { 1789 wpa_sm_mlme_setprotection( 1790 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX, 1791 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE); 1792 eapol_sm_notify_portValid(sm->eapol, true); 1793 } 1794 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE); 1795 1796 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) { 1797 /* No GTK to be set to the driver */ 1798 } else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) { 1799 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1800 "RSN: No GTK KDE included in EAPOL-Key msg 3/4"); 1801 goto failed; 1802 } else if (ie.gtk && 1803 wpa_supplicant_pairwise_gtk(sm, key, 1804 ie.gtk, ie.gtk_len, key_info) < 0) { 1805 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1806 "RSN: Failed to configure GTK"); 1807 goto failed; 1808 } 1809 1810 if (ieee80211w_set_keys(sm, &ie) < 0) { 1811 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1812 "RSN: Failed to configure IGTK"); 1813 goto failed; 1814 } 1815 1816 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk) 1817 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1818 key_info & WPA_KEY_INFO_SECURE); 1819 1820 if (ie.gtk) 1821 wpa_sm_set_rekey_offload(sm); 1822 1823 /* Add PMKSA cache entry for Suite B AKMs here since PMKID can be 1824 * calculated only after KCK has been derived. Though, do not replace an 1825 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID) 1826 * to avoid unnecessary changes of PMKID while continuing to use the 1827 * same PMK. */ 1828 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) && 1829 !sm->cur_pmksa) { 1830 struct rsn_pmksa_cache_entry *sa; 1831 1832 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL, 1833 sm->ptk.kck, sm->ptk.kck_len, 1834 sm->bssid, sm->own_addr, 1835 sm->network_ctx, sm->key_mgmt, NULL); 1836 if (!sm->cur_pmksa) 1837 sm->cur_pmksa = sa; 1838 } 1839 1840 if (ie.transition_disable) 1841 wpa_sm_transition_disable(sm, ie.transition_disable[0]); 1842 sm->msg_3_of_4_ok = 1; 1843 return; 1844 1845 failed: 1846 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 1847 } 1848 1849 1850 static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm, 1851 const u8 *keydata, 1852 size_t keydatalen, 1853 u16 key_info, 1854 struct wpa_gtk_data *gd) 1855 { 1856 int maxkeylen; 1857 struct wpa_eapol_ie_parse ie; 1858 u16 gtk_len; 1859 1860 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data", 1861 keydata, keydatalen); 1862 if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0) 1863 return -1; 1864 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1865 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1866 "WPA: GTK IE in unencrypted key data"); 1867 return -1; 1868 } 1869 if (ie.gtk == NULL) { 1870 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1871 "WPA: No GTK IE in Group Key msg 1/2"); 1872 return -1; 1873 } 1874 gtk_len = ie.gtk_len; 1875 if (gtk_len < 2) { 1876 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1877 "RSN: Invalid GTK KDE length (%u) in Group Key msg 1/2", 1878 gtk_len); 1879 return -1; 1880 } 1881 gtk_len -= 2; 1882 if (gtk_len > sizeof(gd->gtk)) { 1883 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1884 "RSN: Too long GTK in GTK KDE (len=%u)", gtk_len); 1885 return -1; 1886 } 1887 maxkeylen = gd->gtk_len = gtk_len; 1888 1889 #ifdef CONFIG_OCV 1890 if (wpa_sm_ocv_enabled(sm)) { 1891 struct wpa_channel_info ci; 1892 1893 if (wpa_sm_channel_info(sm, &ci) != 0) { 1894 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1895 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2"); 1896 return -1; 1897 } 1898 1899 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci, 1900 channel_width_to_int(ci.chanwidth), 1901 ci.seg1_idx) != OCI_SUCCESS) { 1902 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE 1903 "addr=" MACSTR " frame=eapol-key-g1 error=%s", 1904 MAC2STR(sm->bssid), ocv_errorstr); 1905 return -1; 1906 } 1907 } 1908 #endif /* CONFIG_OCV */ 1909 1910 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 1911 gtk_len, maxkeylen, 1912 &gd->key_rsc_len, &gd->alg)) 1913 return -1; 1914 1915 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake", 1916 ie.gtk, 2 + gtk_len); 1917 gd->keyidx = ie.gtk[0] & 0x3; 1918 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 1919 !!(ie.gtk[0] & BIT(2))); 1920 os_memcpy(gd->gtk, ie.gtk + 2, gtk_len); 1921 1922 if (ieee80211w_set_keys(sm, &ie) < 0) 1923 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1924 "RSN: Failed to configure IGTK"); 1925 1926 return 0; 1927 } 1928 1929 1930 static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm, 1931 const struct wpa_eapol_key *key, 1932 const u8 *key_data, 1933 size_t key_data_len, u16 key_info, 1934 u16 ver, struct wpa_gtk_data *gd) 1935 { 1936 size_t maxkeylen; 1937 u16 gtk_len; 1938 1939 gtk_len = WPA_GET_BE16(key->key_length); 1940 maxkeylen = key_data_len; 1941 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1942 if (maxkeylen < 8) { 1943 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1944 "WPA: Too short maxkeylen (%lu)", 1945 (unsigned long) maxkeylen); 1946 return -1; 1947 } 1948 maxkeylen -= 8; 1949 } 1950 1951 if (gtk_len > maxkeylen || 1952 wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 1953 gtk_len, maxkeylen, 1954 &gd->key_rsc_len, &gd->alg)) 1955 return -1; 1956 1957 gd->gtk_len = gtk_len; 1958 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 1959 WPA_KEY_INFO_KEY_INDEX_SHIFT; 1960 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) { 1961 #ifdef CONFIG_NO_RC4 1962 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1963 "WPA: RC4 not supported in the build"); 1964 return -1; 1965 #else /* CONFIG_NO_RC4 */ 1966 u8 ek[32]; 1967 if (key_data_len > sizeof(gd->gtk)) { 1968 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1969 "WPA: RC4 key data too long (%lu)", 1970 (unsigned long) key_data_len); 1971 return -1; 1972 } 1973 os_memcpy(ek, key->key_iv, 16); 1974 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len); 1975 os_memcpy(gd->gtk, key_data, key_data_len); 1976 if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) { 1977 forced_memzero(ek, sizeof(ek)); 1978 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 1979 "WPA: RC4 failed"); 1980 return -1; 1981 } 1982 forced_memzero(ek, sizeof(ek)); 1983 #endif /* CONFIG_NO_RC4 */ 1984 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1985 if (maxkeylen % 8) { 1986 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1987 "WPA: Unsupported AES-WRAP len %lu", 1988 (unsigned long) maxkeylen); 1989 return -1; 1990 } 1991 if (maxkeylen > sizeof(gd->gtk)) { 1992 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1993 "WPA: AES-WRAP key data " 1994 "too long (keydatalen=%lu maxkeylen=%lu)", 1995 (unsigned long) key_data_len, 1996 (unsigned long) maxkeylen); 1997 return -1; 1998 } 1999 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8, 2000 key_data, gd->gtk)) { 2001 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2002 "WPA: AES unwrap failed - could not decrypt " 2003 "GTK"); 2004 return -1; 2005 } 2006 } else { 2007 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2008 "WPA: Unsupported key_info type %d", ver); 2009 return -1; 2010 } 2011 gd->tx = wpa_supplicant_gtk_tx_bit_workaround( 2012 sm, !!(key_info & WPA_KEY_INFO_TXRX)); 2013 return 0; 2014 } 2015 2016 2017 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm, 2018 const struct wpa_eapol_key *key, 2019 int ver, u16 key_info) 2020 { 2021 size_t mic_len, hdrlen, rlen; 2022 struct wpa_eapol_key *reply; 2023 u8 *rbuf, *key_mic; 2024 size_t kde_len = 0; 2025 2026 #ifdef CONFIG_OCV 2027 if (wpa_sm_ocv_enabled(sm)) 2028 kde_len = OCV_OCI_KDE_LEN; 2029 #endif /* CONFIG_OCV */ 2030 2031 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 2032 hdrlen = sizeof(*reply) + mic_len + 2; 2033 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 2034 hdrlen + kde_len, &rlen, (void *) &reply); 2035 if (rbuf == NULL) 2036 return -1; 2037 2038 reply->type = (sm->proto == WPA_PROTO_RSN || 2039 sm->proto == WPA_PROTO_OSEN) ? 2040 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 2041 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK; 2042 key_info |= ver | WPA_KEY_INFO_SECURE; 2043 if (mic_len) 2044 key_info |= WPA_KEY_INFO_MIC; 2045 else 2046 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 2047 WPA_PUT_BE16(reply->key_info, key_info); 2048 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 2049 WPA_PUT_BE16(reply->key_length, 0); 2050 else 2051 os_memcpy(reply->key_length, key->key_length, 2); 2052 os_memcpy(reply->replay_counter, key->replay_counter, 2053 WPA_REPLAY_COUNTER_LEN); 2054 2055 key_mic = (u8 *) (reply + 1); 2056 WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */ 2057 2058 #ifdef CONFIG_OCV 2059 if (wpa_sm_ocv_enabled(sm)) { 2060 struct wpa_channel_info ci; 2061 u8 *pos; 2062 2063 if (wpa_sm_channel_info(sm, &ci) != 0) { 2064 wpa_printf(MSG_WARNING, 2065 "Failed to get channel info for OCI element in EAPOL-Key 2/2"); 2066 os_free(rbuf); 2067 return -1; 2068 } 2069 #ifdef CONFIG_TESTING_OPTIONS 2070 if (sm->oci_freq_override_eapol_g2) { 2071 wpa_printf(MSG_INFO, 2072 "TEST: Override OCI KDE frequency %d -> %d MHz", 2073 ci.frequency, 2074 sm->oci_freq_override_eapol_g2); 2075 ci.frequency = sm->oci_freq_override_eapol_g2; 2076 } 2077 #endif /* CONFIG_TESTING_OPTIONS */ 2078 2079 pos = key_mic + mic_len + 2; /* Key Data */ 2080 if (ocv_insert_oci_kde(&ci, &pos) < 0) { 2081 os_free(rbuf); 2082 return -1; 2083 } 2084 } 2085 #endif /* CONFIG_OCV */ 2086 2087 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2"); 2088 return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL, 2089 rbuf, rlen, key_mic); 2090 } 2091 2092 2093 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, 2094 const unsigned char *src_addr, 2095 const struct wpa_eapol_key *key, 2096 const u8 *key_data, 2097 size_t key_data_len, u16 ver) 2098 { 2099 u16 key_info; 2100 int rekey, ret; 2101 struct wpa_gtk_data gd; 2102 const u8 *key_rsc; 2103 2104 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) { 2105 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2106 "WPA: Group Key Handshake started prior to completion of 4-way handshake"); 2107 goto failed; 2108 } 2109 2110 os_memset(&gd, 0, sizeof(gd)); 2111 2112 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED; 2113 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key " 2114 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 2115 2116 key_info = WPA_GET_BE16(key->key_info); 2117 2118 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) { 2119 ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data, 2120 key_data_len, key_info, 2121 &gd); 2122 } else { 2123 ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data, 2124 key_data_len, 2125 key_info, ver, &gd); 2126 } 2127 2128 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE); 2129 2130 if (ret) 2131 goto failed; 2132 2133 key_rsc = key->key_rsc; 2134 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) 2135 key_rsc = null_rsc; 2136 2137 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || 2138 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) 2139 goto failed; 2140 forced_memzero(&gd, sizeof(gd)); 2141 2142 if (rekey) { 2143 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying " 2144 "completed with " MACSTR " [GTK=%s]", 2145 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher)); 2146 wpa_sm_cancel_auth_timeout(sm); 2147 wpa_sm_set_state(sm, WPA_COMPLETED); 2148 } else { 2149 wpa_supplicant_key_neg_complete(sm, sm->bssid, 2150 key_info & 2151 WPA_KEY_INFO_SECURE); 2152 } 2153 2154 wpa_sm_set_rekey_offload(sm); 2155 2156 return; 2157 2158 failed: 2159 forced_memzero(&gd, sizeof(gd)); 2160 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 2161 } 2162 2163 2164 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm, 2165 struct wpa_eapol_key *key, 2166 u16 ver, 2167 const u8 *buf, size_t len) 2168 { 2169 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN]; 2170 int ok = 0; 2171 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 2172 2173 os_memcpy(mic, key + 1, mic_len); 2174 if (sm->tptk_set) { 2175 os_memset(key + 1, 0, mic_len); 2176 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len, 2177 sm->key_mgmt, 2178 ver, buf, len, (u8 *) (key + 1)) < 0 || 2179 os_memcmp_const(mic, key + 1, mic_len) != 0) { 2180 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2181 "WPA: Invalid EAPOL-Key MIC " 2182 "when using TPTK - ignoring TPTK"); 2183 #ifdef TEST_FUZZ 2184 wpa_printf(MSG_INFO, 2185 "TEST: Ignore Key MIC failure for fuzz testing"); 2186 goto continue_fuzz; 2187 #endif /* TEST_FUZZ */ 2188 } else { 2189 #ifdef TEST_FUZZ 2190 continue_fuzz: 2191 #endif /* TEST_FUZZ */ 2192 ok = 1; 2193 sm->tptk_set = 0; 2194 sm->ptk_set = 1; 2195 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk)); 2196 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 2197 /* 2198 * This assures the same TPTK in sm->tptk can never be 2199 * copied twice to sm->ptk as the new PTK. In 2200 * combination with the installed flag in the wpa_ptk 2201 * struct, this assures the same PTK is only installed 2202 * once. 2203 */ 2204 sm->renew_snonce = 1; 2205 } 2206 } 2207 2208 if (!ok && sm->ptk_set) { 2209 os_memset(key + 1, 0, mic_len); 2210 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len, 2211 sm->key_mgmt, 2212 ver, buf, len, (u8 *) (key + 1)) < 0 || 2213 os_memcmp_const(mic, key + 1, mic_len) != 0) { 2214 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2215 "WPA: Invalid EAPOL-Key MIC - " 2216 "dropping packet"); 2217 #ifdef TEST_FUZZ 2218 wpa_printf(MSG_INFO, 2219 "TEST: Ignore Key MIC failure for fuzz testing"); 2220 goto continue_fuzz2; 2221 #endif /* TEST_FUZZ */ 2222 return -1; 2223 } 2224 #ifdef TEST_FUZZ 2225 continue_fuzz2: 2226 #endif /* TEST_FUZZ */ 2227 ok = 1; 2228 } 2229 2230 if (!ok) { 2231 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2232 "WPA: Could not verify EAPOL-Key MIC - " 2233 "dropping packet"); 2234 return -1; 2235 } 2236 2237 os_memcpy(sm->rx_replay_counter, key->replay_counter, 2238 WPA_REPLAY_COUNTER_LEN); 2239 sm->rx_replay_counter_set = 1; 2240 return 0; 2241 } 2242 2243 2244 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */ 2245 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm, 2246 struct wpa_eapol_key *key, 2247 size_t mic_len, u16 ver, 2248 u8 *key_data, size_t *key_data_len) 2249 { 2250 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data", 2251 key_data, *key_data_len); 2252 if (!sm->ptk_set) { 2253 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2254 "WPA: PTK not available, cannot decrypt EAPOL-Key Key " 2255 "Data"); 2256 return -1; 2257 } 2258 2259 /* Decrypt key data here so that this operation does not need 2260 * to be implemented separately for each message type. */ 2261 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) { 2262 #ifdef CONFIG_NO_RC4 2263 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2264 "WPA: RC4 not supported in the build"); 2265 return -1; 2266 #else /* CONFIG_NO_RC4 */ 2267 u8 ek[32]; 2268 2269 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4"); 2270 os_memcpy(ek, key->key_iv, 16); 2271 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len); 2272 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) { 2273 forced_memzero(ek, sizeof(ek)); 2274 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 2275 "WPA: RC4 failed"); 2276 return -1; 2277 } 2278 forced_memzero(ek, sizeof(ek)); 2279 #endif /* CONFIG_NO_RC4 */ 2280 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 2281 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC || 2282 wpa_use_aes_key_wrap(sm->key_mgmt)) { 2283 u8 *buf; 2284 2285 wpa_printf(MSG_DEBUG, 2286 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)", 2287 (unsigned int) sm->ptk.kek_len); 2288 if (*key_data_len < 8 || *key_data_len % 8) { 2289 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2290 "WPA: Unsupported AES-WRAP len %u", 2291 (unsigned int) *key_data_len); 2292 return -1; 2293 } 2294 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */ 2295 buf = os_malloc(*key_data_len); 2296 if (buf == NULL) { 2297 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2298 "WPA: No memory for AES-UNWRAP buffer"); 2299 return -1; 2300 } 2301 #ifdef TEST_FUZZ 2302 os_memset(buf, 0x11, *key_data_len); 2303 #endif /* TEST_FUZZ */ 2304 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8, 2305 key_data, buf)) { 2306 #ifdef TEST_FUZZ 2307 wpa_printf(MSG_INFO, 2308 "TEST: Ignore AES unwrap failure for fuzz testing"); 2309 goto continue_fuzz; 2310 #endif /* TEST_FUZZ */ 2311 bin_clear_free(buf, *key_data_len); 2312 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2313 "WPA: AES unwrap failed - " 2314 "could not decrypt EAPOL-Key key data"); 2315 return -1; 2316 } 2317 #ifdef TEST_FUZZ 2318 continue_fuzz: 2319 #endif /* TEST_FUZZ */ 2320 os_memcpy(key_data, buf, *key_data_len); 2321 bin_clear_free(buf, *key_data_len); 2322 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len); 2323 } else { 2324 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2325 "WPA: Unsupported key_info type %d", ver); 2326 return -1; 2327 } 2328 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data", 2329 key_data, *key_data_len); 2330 return 0; 2331 } 2332 2333 2334 /** 2335 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted 2336 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2337 */ 2338 void wpa_sm_aborted_cached(struct wpa_sm *sm) 2339 { 2340 if (sm && sm->cur_pmksa) { 2341 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2342 "RSN: Cancelling PMKSA caching attempt"); 2343 sm->cur_pmksa = NULL; 2344 } 2345 } 2346 2347 2348 void wpa_sm_aborted_external_cached(struct wpa_sm *sm) 2349 { 2350 if (sm && sm->cur_pmksa && sm->cur_pmksa->external) { 2351 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2352 "RSN: Cancelling external PMKSA caching attempt"); 2353 sm->cur_pmksa = NULL; 2354 } 2355 } 2356 2357 2358 static void wpa_eapol_key_dump(struct wpa_sm *sm, 2359 const struct wpa_eapol_key *key, 2360 unsigned int key_data_len, 2361 const u8 *mic, unsigned int mic_len) 2362 { 2363 #ifndef CONFIG_NO_STDOUT_DEBUG 2364 u16 key_info = WPA_GET_BE16(key->key_info); 2365 2366 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type); 2367 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2368 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)", 2369 key_info, key_info & WPA_KEY_INFO_TYPE_MASK, 2370 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 2371 WPA_KEY_INFO_KEY_INDEX_SHIFT, 2372 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13, 2373 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group", 2374 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "", 2375 key_info & WPA_KEY_INFO_ACK ? " Ack" : "", 2376 key_info & WPA_KEY_INFO_MIC ? " MIC" : "", 2377 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "", 2378 key_info & WPA_KEY_INFO_ERROR ? " Error" : "", 2379 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "", 2380 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : ""); 2381 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2382 " key_length=%u key_data_length=%u", 2383 WPA_GET_BE16(key->key_length), key_data_len); 2384 wpa_hexdump(MSG_DEBUG, " replay_counter", 2385 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 2386 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN); 2387 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16); 2388 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8); 2389 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8); 2390 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len); 2391 #endif /* CONFIG_NO_STDOUT_DEBUG */ 2392 } 2393 2394 2395 #ifdef CONFIG_FILS 2396 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len, 2397 size_t *key_data_len) 2398 { 2399 struct wpa_ptk *ptk; 2400 struct ieee802_1x_hdr *hdr; 2401 struct wpa_eapol_key *key; 2402 u8 *pos, *tmp; 2403 const u8 *aad[1]; 2404 size_t aad_len[1]; 2405 2406 if (*key_data_len < AES_BLOCK_SIZE) { 2407 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame"); 2408 return -1; 2409 } 2410 2411 if (sm->tptk_set) 2412 ptk = &sm->tptk; 2413 else if (sm->ptk_set) 2414 ptk = &sm->ptk; 2415 else 2416 return -1; 2417 2418 hdr = (struct ieee802_1x_hdr *) buf; 2419 key = (struct wpa_eapol_key *) (hdr + 1); 2420 pos = (u8 *) (key + 1); 2421 pos += 2; /* Pointing at the Encrypted Key Data field */ 2422 2423 tmp = os_malloc(*key_data_len); 2424 if (!tmp) 2425 return -1; 2426 2427 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 2428 * to Key Data (exclusive). */ 2429 aad[0] = buf; 2430 aad_len[0] = pos - buf; 2431 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len, 2432 1, aad, aad_len, tmp) < 0) { 2433 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame"); 2434 bin_clear_free(tmp, *key_data_len); 2435 return -1; 2436 } 2437 2438 /* AEAD decryption and validation completed successfully */ 2439 (*key_data_len) -= AES_BLOCK_SIZE; 2440 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data", 2441 tmp, *key_data_len); 2442 2443 /* Replace Key Data field with the decrypted version */ 2444 os_memcpy(pos, tmp, *key_data_len); 2445 pos -= 2; /* Key Data Length field */ 2446 WPA_PUT_BE16(pos, *key_data_len); 2447 bin_clear_free(tmp, *key_data_len); 2448 2449 if (sm->tptk_set) { 2450 sm->tptk_set = 0; 2451 sm->ptk_set = 1; 2452 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk)); 2453 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 2454 } 2455 2456 os_memcpy(sm->rx_replay_counter, key->replay_counter, 2457 WPA_REPLAY_COUNTER_LEN); 2458 sm->rx_replay_counter_set = 1; 2459 2460 return 0; 2461 } 2462 #endif /* CONFIG_FILS */ 2463 2464 2465 /** 2466 * wpa_sm_rx_eapol - Process received WPA EAPOL frames 2467 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2468 * @src_addr: Source MAC address of the EAPOL packet 2469 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header) 2470 * @len: Length of the EAPOL frame 2471 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure 2472 * 2473 * This function is called for each received EAPOL frame. Other than EAPOL-Key 2474 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is 2475 * only processing WPA and WPA2 EAPOL-Key frames. 2476 * 2477 * The received EAPOL-Key packets are validated and valid packets are replied 2478 * to. In addition, key material (PTK, GTK) is configured at the end of a 2479 * successful key handshake. 2480 */ 2481 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr, 2482 const u8 *buf, size_t len) 2483 { 2484 size_t plen, data_len, key_data_len; 2485 const struct ieee802_1x_hdr *hdr; 2486 struct wpa_eapol_key *key; 2487 u16 key_info, ver; 2488 u8 *tmp = NULL; 2489 int ret = -1; 2490 u8 *mic, *key_data; 2491 size_t mic_len, keyhdrlen, pmk_len; 2492 2493 #ifdef CONFIG_IEEE80211R 2494 sm->ft_completed = 0; 2495 #endif /* CONFIG_IEEE80211R */ 2496 2497 pmk_len = sm->pmk_len; 2498 if (!pmk_len && sm->cur_pmksa) 2499 pmk_len = sm->cur_pmksa->pmk_len; 2500 mic_len = wpa_mic_len(sm->key_mgmt, pmk_len); 2501 keyhdrlen = sizeof(*key) + mic_len + 2; 2502 2503 if (len < sizeof(*hdr) + keyhdrlen) { 2504 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2505 "WPA: EAPOL frame too short to be a WPA " 2506 "EAPOL-Key (len %lu, expecting at least %lu)", 2507 (unsigned long) len, 2508 (unsigned long) sizeof(*hdr) + keyhdrlen); 2509 return 0; 2510 } 2511 2512 hdr = (const struct ieee802_1x_hdr *) buf; 2513 plen = be_to_host16(hdr->length); 2514 data_len = plen + sizeof(*hdr); 2515 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2516 "IEEE 802.1X RX: version=%d type=%d length=%lu", 2517 hdr->version, hdr->type, (unsigned long) plen); 2518 2519 if (hdr->version < EAPOL_VERSION) { 2520 /* TODO: backwards compatibility */ 2521 } 2522 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) { 2523 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2524 "WPA: EAPOL frame (type %u) discarded, " 2525 "not a Key frame", hdr->type); 2526 ret = 0; 2527 goto out; 2528 } 2529 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len); 2530 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) { 2531 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2532 "WPA: EAPOL frame payload size %lu " 2533 "invalid (frame size %lu)", 2534 (unsigned long) plen, (unsigned long) len); 2535 ret = 0; 2536 goto out; 2537 } 2538 if (data_len < len) { 2539 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2540 "WPA: ignoring %lu bytes after the IEEE 802.1X data", 2541 (unsigned long) len - data_len); 2542 } 2543 2544 /* 2545 * Make a copy of the frame since we need to modify the buffer during 2546 * MAC validation and Key Data decryption. 2547 */ 2548 tmp = os_memdup(buf, data_len); 2549 if (tmp == NULL) 2550 goto out; 2551 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr)); 2552 mic = (u8 *) (key + 1); 2553 key_data = mic + mic_len + 2; 2554 2555 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN) 2556 { 2557 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2558 "WPA: EAPOL-Key type (%d) unknown, discarded", 2559 key->type); 2560 ret = 0; 2561 goto out; 2562 } 2563 2564 key_data_len = WPA_GET_BE16(mic + mic_len); 2565 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len); 2566 2567 if (key_data_len > plen - keyhdrlen) { 2568 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key " 2569 "frame - key_data overflow (%u > %u)", 2570 (unsigned int) key_data_len, 2571 (unsigned int) (plen - keyhdrlen)); 2572 goto out; 2573 } 2574 2575 eapol_sm_notify_lower_layer_success(sm->eapol, 0); 2576 key_info = WPA_GET_BE16(key->key_info); 2577 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 2578 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && 2579 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC && 2580 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES && 2581 !wpa_use_akm_defined(sm->key_mgmt)) { 2582 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2583 "WPA: Unsupported EAPOL-Key descriptor version %d", 2584 ver); 2585 goto out; 2586 } 2587 2588 if (wpa_use_akm_defined(sm->key_mgmt) && 2589 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 2590 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2591 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)", 2592 ver); 2593 goto out; 2594 } 2595 2596 #ifdef CONFIG_IEEE80211R 2597 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 2598 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */ 2599 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC && 2600 !wpa_use_akm_defined(sm->key_mgmt)) { 2601 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2602 "FT: AP did not use AES-128-CMAC"); 2603 goto out; 2604 } 2605 } else 2606 #endif /* CONFIG_IEEE80211R */ 2607 if (wpa_key_mgmt_sha256(sm->key_mgmt)) { 2608 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC && 2609 !wpa_use_akm_defined(sm->key_mgmt)) { 2610 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2611 "WPA: AP did not use the " 2612 "negotiated AES-128-CMAC"); 2613 goto out; 2614 } 2615 } else if (sm->pairwise_cipher == WPA_CIPHER_CCMP && 2616 !wpa_use_akm_defined(sm->key_mgmt) && 2617 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 2618 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2619 "WPA: CCMP is used, but EAPOL-Key " 2620 "descriptor version (%d) is not 2", ver); 2621 if (sm->group_cipher != WPA_CIPHER_CCMP && 2622 !(key_info & WPA_KEY_INFO_KEY_TYPE)) { 2623 /* Earlier versions of IEEE 802.11i did not explicitly 2624 * require version 2 descriptor for all EAPOL-Key 2625 * packets, so allow group keys to use version 1 if 2626 * CCMP is not used for them. */ 2627 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2628 "WPA: Backwards compatibility: allow invalid " 2629 "version for non-CCMP group keys"); 2630 } else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 2631 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2632 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used"); 2633 } else 2634 goto out; 2635 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP && 2636 !wpa_use_akm_defined(sm->key_mgmt) && 2637 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 2638 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2639 "WPA: GCMP is used, but EAPOL-Key " 2640 "descriptor version (%d) is not 2", ver); 2641 goto out; 2642 } 2643 2644 if (sm->rx_replay_counter_set && 2645 os_memcmp(key->replay_counter, sm->rx_replay_counter, 2646 WPA_REPLAY_COUNTER_LEN) <= 0) { 2647 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2648 "WPA: EAPOL-Key Replay Counter did not increase - " 2649 "dropping packet"); 2650 goto out; 2651 } 2652 2653 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 2654 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2655 "WPA: Unsupported SMK bit in key_info"); 2656 goto out; 2657 } 2658 2659 if (!(key_info & WPA_KEY_INFO_ACK)) { 2660 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2661 "WPA: No Ack bit in key_info"); 2662 goto out; 2663 } 2664 2665 if (key_info & WPA_KEY_INFO_REQUEST) { 2666 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2667 "WPA: EAPOL-Key with Request bit - dropped"); 2668 goto out; 2669 } 2670 2671 if ((key_info & WPA_KEY_INFO_MIC) && 2672 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len)) 2673 goto out; 2674 2675 #ifdef CONFIG_FILS 2676 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 2677 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len)) 2678 goto out; 2679 } 2680 #endif /* CONFIG_FILS */ 2681 2682 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) && 2683 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) { 2684 /* 2685 * Only decrypt the Key Data field if the frame's authenticity 2686 * was verified. When using AES-SIV (FILS), the MIC flag is not 2687 * set, so this check should only be performed if mic_len != 0 2688 * which is the case in this code branch. 2689 */ 2690 if (!(key_info & WPA_KEY_INFO_MIC)) { 2691 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2692 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data"); 2693 goto out; 2694 } 2695 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len, 2696 ver, key_data, 2697 &key_data_len)) 2698 goto out; 2699 } 2700 2701 if (key_info & WPA_KEY_INFO_KEY_TYPE) { 2702 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) { 2703 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2704 "WPA: Ignored EAPOL-Key (Pairwise) with " 2705 "non-zero key index"); 2706 goto out; 2707 } 2708 if (key_info & (WPA_KEY_INFO_MIC | 2709 WPA_KEY_INFO_ENCR_KEY_DATA)) { 2710 /* 3/4 4-Way Handshake */ 2711 wpa_supplicant_process_3_of_4(sm, key, ver, key_data, 2712 key_data_len); 2713 } else { 2714 /* 1/4 4-Way Handshake */ 2715 wpa_supplicant_process_1_of_4(sm, src_addr, key, 2716 ver, key_data, 2717 key_data_len); 2718 } 2719 } else { 2720 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) || 2721 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) { 2722 /* 1/2 Group Key Handshake */ 2723 wpa_supplicant_process_1_of_2(sm, src_addr, key, 2724 key_data, key_data_len, 2725 ver); 2726 } else { 2727 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2728 "WPA: EAPOL-Key (Group) without Mic/Encr bit - " 2729 "dropped"); 2730 } 2731 } 2732 2733 ret = 1; 2734 2735 out: 2736 bin_clear_free(tmp, data_len); 2737 return ret; 2738 } 2739 2740 2741 #ifdef CONFIG_CTRL_IFACE 2742 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm) 2743 { 2744 switch (sm->key_mgmt) { 2745 case WPA_KEY_MGMT_IEEE8021X: 2746 return ((sm->proto == WPA_PROTO_RSN || 2747 sm->proto == WPA_PROTO_OSEN) ? 2748 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X : 2749 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X); 2750 case WPA_KEY_MGMT_PSK: 2751 return (sm->proto == WPA_PROTO_RSN ? 2752 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X : 2753 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X); 2754 #ifdef CONFIG_IEEE80211R 2755 case WPA_KEY_MGMT_FT_IEEE8021X: 2756 return RSN_AUTH_KEY_MGMT_FT_802_1X; 2757 case WPA_KEY_MGMT_FT_PSK: 2758 return RSN_AUTH_KEY_MGMT_FT_PSK; 2759 #endif /* CONFIG_IEEE80211R */ 2760 case WPA_KEY_MGMT_IEEE8021X_SHA256: 2761 return RSN_AUTH_KEY_MGMT_802_1X_SHA256; 2762 case WPA_KEY_MGMT_PSK_SHA256: 2763 return RSN_AUTH_KEY_MGMT_PSK_SHA256; 2764 case WPA_KEY_MGMT_CCKM: 2765 return (sm->proto == WPA_PROTO_RSN ? 2766 RSN_AUTH_KEY_MGMT_CCKM: 2767 WPA_AUTH_KEY_MGMT_CCKM); 2768 case WPA_KEY_MGMT_WPA_NONE: 2769 return WPA_AUTH_KEY_MGMT_NONE; 2770 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 2771 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B; 2772 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 2773 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192; 2774 default: 2775 return 0; 2776 } 2777 } 2778 2779 2780 #define RSN_SUITE "%02x-%02x-%02x-%d" 2781 #define RSN_SUITE_ARG(s) \ 2782 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 2783 2784 /** 2785 * wpa_sm_get_mib - Dump text list of MIB entries 2786 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2787 * @buf: Buffer for the list 2788 * @buflen: Length of the buffer 2789 * Returns: Number of bytes written to buffer 2790 * 2791 * This function is used fetch dot11 MIB variables. 2792 */ 2793 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen) 2794 { 2795 char pmkid_txt[PMKID_LEN * 2 + 1]; 2796 bool rsna; 2797 int ret; 2798 size_t len; 2799 2800 if (sm->cur_pmksa) { 2801 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 2802 sm->cur_pmksa->pmkid, PMKID_LEN); 2803 } else 2804 pmkid_txt[0] = '\0'; 2805 2806 rsna = (wpa_key_mgmt_wpa_psk(sm->key_mgmt) || 2807 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) && 2808 sm->proto == WPA_PROTO_RSN; 2809 2810 ret = os_snprintf(buf, buflen, 2811 "dot11RSNAOptionImplemented=TRUE\n" 2812 "dot11RSNAPreauthenticationImplemented=TRUE\n" 2813 "dot11RSNAEnabled=%s\n" 2814 "dot11RSNAPreauthenticationEnabled=%s\n" 2815 "dot11RSNAConfigVersion=%d\n" 2816 "dot11RSNAConfigPairwiseKeysSupported=5\n" 2817 "dot11RSNAConfigGroupCipherSize=%d\n" 2818 "dot11RSNAConfigPMKLifetime=%d\n" 2819 "dot11RSNAConfigPMKReauthThreshold=%d\n" 2820 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n" 2821 "dot11RSNAConfigSATimeout=%d\n", 2822 rsna ? "TRUE" : "FALSE", 2823 rsna ? "TRUE" : "FALSE", 2824 RSN_VERSION, 2825 wpa_cipher_key_len(sm->group_cipher) * 8, 2826 sm->dot11RSNAConfigPMKLifetime, 2827 sm->dot11RSNAConfigPMKReauthThreshold, 2828 sm->dot11RSNAConfigSATimeout); 2829 if (os_snprintf_error(buflen, ret)) 2830 return 0; 2831 len = ret; 2832 2833 ret = os_snprintf( 2834 buf + len, buflen - len, 2835 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 2836 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 2837 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 2838 "dot11RSNAPMKIDUsed=%s\n" 2839 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 2840 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 2841 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 2842 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n" 2843 "dot11RSNA4WayHandshakeFailures=%u\n", 2844 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)), 2845 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2846 sm->pairwise_cipher)), 2847 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2848 sm->group_cipher)), 2849 pmkid_txt, 2850 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)), 2851 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2852 sm->pairwise_cipher)), 2853 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2854 sm->group_cipher)), 2855 sm->dot11RSNA4WayHandshakeFailures); 2856 if (!os_snprintf_error(buflen - len, ret)) 2857 len += ret; 2858 2859 return (int) len; 2860 } 2861 #endif /* CONFIG_CTRL_IFACE */ 2862 2863 2864 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 2865 void *ctx, enum pmksa_free_reason reason) 2866 { 2867 struct wpa_sm *sm = ctx; 2868 int deauth = 0; 2869 2870 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: " 2871 MACSTR " reason=%d", MAC2STR(entry->aa), reason); 2872 2873 if (sm->cur_pmksa == entry) { 2874 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2875 "RSN: %s current PMKSA entry", 2876 reason == PMKSA_REPLACE ? "replaced" : "removed"); 2877 pmksa_cache_clear_current(sm); 2878 2879 /* 2880 * If an entry is simply being replaced, there's no need to 2881 * deauthenticate because it will be immediately re-added. 2882 * This happens when EAP authentication is completed again 2883 * (reauth or failed PMKSA caching attempt). 2884 */ 2885 if (reason != PMKSA_REPLACE) 2886 deauth = 1; 2887 } 2888 2889 if (reason == PMKSA_EXPIRE && 2890 (sm->pmk_len == entry->pmk_len && 2891 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) { 2892 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2893 "RSN: deauthenticating due to expired PMK"); 2894 pmksa_cache_clear_current(sm); 2895 deauth = 1; 2896 } 2897 2898 if (deauth) { 2899 sm->pmk_len = 0; 2900 os_memset(sm->pmk, 0, sizeof(sm->pmk)); 2901 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 2902 } 2903 } 2904 2905 2906 /** 2907 * wpa_sm_init - Initialize WPA state machine 2908 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer 2909 * Returns: Pointer to the allocated WPA state machine data 2910 * 2911 * This function is used to allocate a new WPA state machine and the returned 2912 * value is passed to all WPA state machine calls. 2913 */ 2914 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx) 2915 { 2916 struct wpa_sm *sm; 2917 2918 sm = os_zalloc(sizeof(*sm)); 2919 if (sm == NULL) 2920 return NULL; 2921 dl_list_init(&sm->pmksa_candidates); 2922 sm->renew_snonce = 1; 2923 sm->ctx = ctx; 2924 2925 sm->dot11RSNAConfigPMKLifetime = 43200; 2926 sm->dot11RSNAConfigPMKReauthThreshold = 70; 2927 sm->dot11RSNAConfigSATimeout = 60; 2928 2929 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, sm, sm); 2930 if (sm->pmksa == NULL) { 2931 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 2932 "RSN: PMKSA cache initialization failed"); 2933 os_free(sm); 2934 return NULL; 2935 } 2936 2937 return sm; 2938 } 2939 2940 2941 /** 2942 * wpa_sm_deinit - Deinitialize WPA state machine 2943 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2944 */ 2945 void wpa_sm_deinit(struct wpa_sm *sm) 2946 { 2947 if (sm == NULL) 2948 return; 2949 pmksa_cache_deinit(sm->pmksa); 2950 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL); 2951 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 2952 os_free(sm->assoc_wpa_ie); 2953 os_free(sm->assoc_rsnxe); 2954 os_free(sm->ap_wpa_ie); 2955 os_free(sm->ap_rsn_ie); 2956 os_free(sm->ap_rsnxe); 2957 wpa_sm_drop_sa(sm); 2958 os_free(sm->ctx); 2959 #ifdef CONFIG_IEEE80211R 2960 os_free(sm->assoc_resp_ies); 2961 #endif /* CONFIG_IEEE80211R */ 2962 #ifdef CONFIG_TESTING_OPTIONS 2963 wpabuf_free(sm->test_assoc_ie); 2964 #endif /* CONFIG_TESTING_OPTIONS */ 2965 #ifdef CONFIG_FILS_SK_PFS 2966 crypto_ecdh_deinit(sm->fils_ecdh); 2967 #endif /* CONFIG_FILS_SK_PFS */ 2968 #ifdef CONFIG_FILS 2969 wpabuf_free(sm->fils_ft_ies); 2970 #endif /* CONFIG_FILS */ 2971 #ifdef CONFIG_OWE 2972 crypto_ecdh_deinit(sm->owe_ecdh); 2973 #endif /* CONFIG_OWE */ 2974 #ifdef CONFIG_DPP2 2975 wpabuf_clear_free(sm->dpp_z); 2976 #endif /* CONFIG_DPP2 */ 2977 os_free(sm); 2978 } 2979 2980 2981 /** 2982 * wpa_sm_notify_assoc - Notify WPA state machine about association 2983 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2984 * @bssid: The BSSID of the new association 2985 * 2986 * This function is called to let WPA state machine know that the connection 2987 * was established. 2988 */ 2989 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) 2990 { 2991 int clear_keys = 1; 2992 2993 if (sm == NULL) 2994 return; 2995 2996 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2997 "WPA: Association event - clear replay counter"); 2998 os_memcpy(sm->bssid, bssid, ETH_ALEN); 2999 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN); 3000 sm->rx_replay_counter_set = 0; 3001 sm->renew_snonce = 1; 3002 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0) 3003 rsn_preauth_deinit(sm); 3004 3005 #ifdef CONFIG_IEEE80211R 3006 if (wpa_ft_is_completed(sm)) { 3007 /* 3008 * Clear portValid to kick EAPOL state machine to re-enter 3009 * AUTHENTICATED state to get the EAPOL port Authorized. 3010 */ 3011 eapol_sm_notify_portValid(sm->eapol, false); 3012 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1); 3013 3014 /* Prepare for the next transition */ 3015 wpa_ft_prepare_auth_request(sm, NULL); 3016 3017 clear_keys = 0; 3018 sm->ft_protocol = 1; 3019 } else { 3020 sm->ft_protocol = 0; 3021 } 3022 #endif /* CONFIG_IEEE80211R */ 3023 #ifdef CONFIG_FILS 3024 if (sm->fils_completed) { 3025 /* 3026 * Clear portValid to kick EAPOL state machine to re-enter 3027 * AUTHENTICATED state to get the EAPOL port Authorized. 3028 */ 3029 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1); 3030 clear_keys = 0; 3031 } 3032 #endif /* CONFIG_FILS */ 3033 3034 if (clear_keys) { 3035 /* 3036 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if 3037 * this is not part of a Fast BSS Transition. 3038 */ 3039 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK"); 3040 sm->ptk_set = 0; 3041 os_memset(&sm->ptk, 0, sizeof(sm->ptk)); 3042 sm->tptk_set = 0; 3043 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 3044 os_memset(&sm->gtk, 0, sizeof(sm->gtk)); 3045 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); 3046 os_memset(&sm->igtk, 0, sizeof(sm->igtk)); 3047 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); 3048 } 3049 3050 #ifdef CONFIG_TDLS 3051 wpa_tdls_assoc(sm); 3052 #endif /* CONFIG_TDLS */ 3053 3054 #ifdef CONFIG_P2P 3055 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr)); 3056 #endif /* CONFIG_P2P */ 3057 3058 sm->keyidx_active = 0; 3059 } 3060 3061 3062 /** 3063 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation 3064 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3065 * 3066 * This function is called to let WPA state machine know that the connection 3067 * was lost. This will abort any existing pre-authentication session. 3068 */ 3069 void wpa_sm_notify_disassoc(struct wpa_sm *sm) 3070 { 3071 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL); 3072 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 3073 rsn_preauth_deinit(sm); 3074 pmksa_cache_clear_current(sm); 3075 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE) 3076 sm->dot11RSNA4WayHandshakeFailures++; 3077 #ifdef CONFIG_TDLS 3078 wpa_tdls_disassoc(sm); 3079 #endif /* CONFIG_TDLS */ 3080 #ifdef CONFIG_FILS 3081 sm->fils_completed = 0; 3082 #endif /* CONFIG_FILS */ 3083 #ifdef CONFIG_IEEE80211R 3084 sm->ft_reassoc_completed = 0; 3085 sm->ft_protocol = 0; 3086 #endif /* CONFIG_IEEE80211R */ 3087 3088 /* Keys are not needed in the WPA state machine anymore */ 3089 wpa_sm_drop_sa(sm); 3090 sm->keyidx_active = 0; 3091 3092 sm->msg_3_of_4_ok = 0; 3093 os_memset(sm->bssid, 0, ETH_ALEN); 3094 } 3095 3096 3097 /** 3098 * wpa_sm_set_pmk - Set PMK 3099 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3100 * @pmk: The new PMK 3101 * @pmk_len: The length of the new PMK in bytes 3102 * @pmkid: Calculated PMKID 3103 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK 3104 * 3105 * Configure the PMK for WPA state machine. 3106 */ 3107 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, 3108 const u8 *pmkid, const u8 *bssid) 3109 { 3110 if (sm == NULL) 3111 return; 3112 3113 wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data", 3114 pmk, pmk_len); 3115 sm->pmk_len = pmk_len; 3116 os_memcpy(sm->pmk, pmk, pmk_len); 3117 3118 #ifdef CONFIG_IEEE80211R 3119 /* Set XXKey to be PSK for FT key derivation */ 3120 sm->xxkey_len = pmk_len; 3121 os_memcpy(sm->xxkey, pmk, pmk_len); 3122 #endif /* CONFIG_IEEE80211R */ 3123 3124 if (bssid) { 3125 pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0, 3126 bssid, sm->own_addr, 3127 sm->network_ctx, sm->key_mgmt, NULL); 3128 } 3129 } 3130 3131 3132 /** 3133 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA 3134 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3135 * 3136 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK 3137 * will be cleared. 3138 */ 3139 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm) 3140 { 3141 if (sm == NULL) 3142 return; 3143 3144 if (sm->cur_pmksa) { 3145 wpa_hexdump_key(MSG_DEBUG, 3146 "WPA: Set PMK based on current PMKSA", 3147 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len); 3148 sm->pmk_len = sm->cur_pmksa->pmk_len; 3149 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len); 3150 } else { 3151 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK"); 3152 sm->pmk_len = 0; 3153 os_memset(sm->pmk, 0, PMK_LEN_MAX); 3154 } 3155 } 3156 3157 3158 /** 3159 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled 3160 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3161 * @fast_reauth: Whether fast reauthentication (EAP) is allowed 3162 */ 3163 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth) 3164 { 3165 if (sm) 3166 sm->fast_reauth = fast_reauth; 3167 } 3168 3169 3170 /** 3171 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks 3172 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3173 * @scard_ctx: Context pointer for smartcard related callback functions 3174 */ 3175 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx) 3176 { 3177 if (sm == NULL) 3178 return; 3179 sm->scard_ctx = scard_ctx; 3180 if (sm->preauth_eapol) 3181 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx); 3182 } 3183 3184 3185 /** 3186 * wpa_sm_set_config - Notification of current configuration change 3187 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3188 * @config: Pointer to current network configuration 3189 * 3190 * Notify WPA state machine that configuration has changed. config will be 3191 * stored as a backpointer to network configuration. This can be %NULL to clear 3192 * the stored pointed. 3193 */ 3194 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config) 3195 { 3196 if (!sm) 3197 return; 3198 3199 if (config) { 3200 sm->network_ctx = config->network_ctx; 3201 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher; 3202 sm->proactive_key_caching = config->proactive_key_caching; 3203 sm->eap_workaround = config->eap_workaround; 3204 sm->eap_conf_ctx = config->eap_conf_ctx; 3205 if (config->ssid) { 3206 os_memcpy(sm->ssid, config->ssid, config->ssid_len); 3207 sm->ssid_len = config->ssid_len; 3208 } else 3209 sm->ssid_len = 0; 3210 sm->wpa_ptk_rekey = config->wpa_ptk_rekey; 3211 sm->p2p = config->p2p; 3212 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation; 3213 sm->owe_ptk_workaround = config->owe_ptk_workaround; 3214 sm->force_kdk_derivation = config->force_kdk_derivation; 3215 #ifdef CONFIG_FILS 3216 if (config->fils_cache_id) { 3217 sm->fils_cache_id_set = 1; 3218 os_memcpy(sm->fils_cache_id, config->fils_cache_id, 3219 FILS_CACHE_ID_LEN); 3220 } else { 3221 sm->fils_cache_id_set = 0; 3222 } 3223 #endif /* CONFIG_FILS */ 3224 sm->beacon_prot = config->beacon_prot; 3225 } else { 3226 sm->network_ctx = NULL; 3227 sm->allowed_pairwise_cipher = 0; 3228 sm->proactive_key_caching = 0; 3229 sm->eap_workaround = 0; 3230 sm->eap_conf_ctx = NULL; 3231 sm->ssid_len = 0; 3232 sm->wpa_ptk_rekey = 0; 3233 sm->p2p = 0; 3234 sm->wpa_rsc_relaxation = 0; 3235 sm->owe_ptk_workaround = 0; 3236 sm->beacon_prot = 0; 3237 sm->force_kdk_derivation = false; 3238 } 3239 } 3240 3241 3242 /** 3243 * wpa_sm_set_own_addr - Set own MAC address 3244 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3245 * @addr: Own MAC address 3246 */ 3247 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr) 3248 { 3249 if (sm) 3250 os_memcpy(sm->own_addr, addr, ETH_ALEN); 3251 } 3252 3253 3254 /** 3255 * wpa_sm_set_ifname - Set network interface name 3256 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3257 * @ifname: Interface name 3258 * @bridge_ifname: Optional bridge interface name (for pre-auth) 3259 */ 3260 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname, 3261 const char *bridge_ifname) 3262 { 3263 if (sm) { 3264 sm->ifname = ifname; 3265 sm->bridge_ifname = bridge_ifname; 3266 } 3267 } 3268 3269 3270 /** 3271 * wpa_sm_set_eapol - Set EAPOL state machine pointer 3272 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3273 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init() 3274 */ 3275 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol) 3276 { 3277 if (sm) 3278 sm->eapol = eapol; 3279 } 3280 3281 3282 /** 3283 * wpa_sm_set_param - Set WPA state machine parameters 3284 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3285 * @param: Parameter field 3286 * @value: Parameter value 3287 * Returns: 0 on success, -1 on failure 3288 */ 3289 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param, 3290 unsigned int value) 3291 { 3292 int ret = 0; 3293 3294 if (sm == NULL) 3295 return -1; 3296 3297 switch (param) { 3298 case RSNA_PMK_LIFETIME: 3299 if (value > 0) 3300 sm->dot11RSNAConfigPMKLifetime = value; 3301 else 3302 ret = -1; 3303 break; 3304 case RSNA_PMK_REAUTH_THRESHOLD: 3305 if (value > 0 && value <= 100) 3306 sm->dot11RSNAConfigPMKReauthThreshold = value; 3307 else 3308 ret = -1; 3309 break; 3310 case RSNA_SA_TIMEOUT: 3311 if (value > 0) 3312 sm->dot11RSNAConfigSATimeout = value; 3313 else 3314 ret = -1; 3315 break; 3316 case WPA_PARAM_PROTO: 3317 sm->proto = value; 3318 break; 3319 case WPA_PARAM_PAIRWISE: 3320 sm->pairwise_cipher = value; 3321 break; 3322 case WPA_PARAM_GROUP: 3323 sm->group_cipher = value; 3324 break; 3325 case WPA_PARAM_KEY_MGMT: 3326 sm->key_mgmt = value; 3327 break; 3328 case WPA_PARAM_MGMT_GROUP: 3329 sm->mgmt_group_cipher = value; 3330 break; 3331 case WPA_PARAM_RSN_ENABLED: 3332 sm->rsn_enabled = value; 3333 break; 3334 case WPA_PARAM_MFP: 3335 sm->mfp = value; 3336 break; 3337 case WPA_PARAM_OCV: 3338 sm->ocv = value; 3339 break; 3340 case WPA_PARAM_SAE_PWE: 3341 sm->sae_pwe = value; 3342 break; 3343 case WPA_PARAM_SAE_PK: 3344 sm->sae_pk = value; 3345 break; 3346 case WPA_PARAM_DENY_PTK0_REKEY: 3347 sm->wpa_deny_ptk0_rekey = value; 3348 break; 3349 case WPA_PARAM_EXT_KEY_ID: 3350 sm->ext_key_id = value; 3351 break; 3352 case WPA_PARAM_USE_EXT_KEY_ID: 3353 sm->use_ext_key_id = value; 3354 break; 3355 #ifdef CONFIG_TESTING_OPTIONS 3356 case WPA_PARAM_FT_RSNXE_USED: 3357 sm->ft_rsnxe_used = value; 3358 break; 3359 case WPA_PARAM_OCI_FREQ_EAPOL: 3360 sm->oci_freq_override_eapol = value; 3361 break; 3362 case WPA_PARAM_OCI_FREQ_EAPOL_G2: 3363 sm->oci_freq_override_eapol_g2 = value; 3364 break; 3365 case WPA_PARAM_OCI_FREQ_FT_ASSOC: 3366 sm->oci_freq_override_ft_assoc = value; 3367 break; 3368 case WPA_PARAM_OCI_FREQ_FILS_ASSOC: 3369 sm->oci_freq_override_fils_assoc = value; 3370 break; 3371 #endif /* CONFIG_TESTING_OPTIONS */ 3372 #ifdef CONFIG_DPP2 3373 case WPA_PARAM_DPP_PFS: 3374 sm->dpp_pfs = value; 3375 break; 3376 #endif /* CONFIG_DPP2 */ 3377 default: 3378 break; 3379 } 3380 3381 return ret; 3382 } 3383 3384 3385 /** 3386 * wpa_sm_get_status - Get WPA state machine 3387 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3388 * @buf: Buffer for status information 3389 * @buflen: Maximum buffer length 3390 * @verbose: Whether to include verbose status information 3391 * Returns: Number of bytes written to buf. 3392 * 3393 * Query WPA state machine for status information. This function fills in 3394 * a text area with current status information. If the buffer (buf) is not 3395 * large enough, status information will be truncated to fit the buffer. 3396 */ 3397 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen, 3398 int verbose) 3399 { 3400 char *pos = buf, *end = buf + buflen; 3401 int ret; 3402 3403 ret = os_snprintf(pos, end - pos, 3404 "pairwise_cipher=%s\n" 3405 "group_cipher=%s\n" 3406 "key_mgmt=%s\n", 3407 wpa_cipher_txt(sm->pairwise_cipher), 3408 wpa_cipher_txt(sm->group_cipher), 3409 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto)); 3410 if (os_snprintf_error(end - pos, ret)) 3411 return pos - buf; 3412 pos += ret; 3413 3414 #ifdef CONFIG_DPP2 3415 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) { 3416 ret = os_snprintf(pos, end - pos, "dpp_pfs=1\n"); 3417 if (os_snprintf_error(end - pos, ret)) 3418 return pos - buf; 3419 pos += ret; 3420 } 3421 #endif /* CONFIG_DPP2 */ 3422 3423 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) { 3424 struct wpa_ie_data rsn; 3425 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) 3426 >= 0 && 3427 rsn.capabilities & (WPA_CAPABILITY_MFPR | 3428 WPA_CAPABILITY_MFPC)) { 3429 ret = os_snprintf(pos, end - pos, "pmf=%d\n" 3430 "mgmt_group_cipher=%s\n", 3431 (rsn.capabilities & 3432 WPA_CAPABILITY_MFPR) ? 2 : 1, 3433 wpa_cipher_txt( 3434 sm->mgmt_group_cipher)); 3435 if (os_snprintf_error(end - pos, ret)) 3436 return pos - buf; 3437 pos += ret; 3438 } 3439 } 3440 3441 return pos - buf; 3442 } 3443 3444 3445 int wpa_sm_pmf_enabled(struct wpa_sm *sm) 3446 { 3447 struct wpa_ie_data rsn; 3448 3449 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie) 3450 return 0; 3451 3452 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 && 3453 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC)) 3454 return 1; 3455 3456 return 0; 3457 } 3458 3459 3460 int wpa_sm_ext_key_id(struct wpa_sm *sm) 3461 { 3462 return sm ? sm->ext_key_id : 0; 3463 } 3464 3465 3466 int wpa_sm_ext_key_id_active(struct wpa_sm *sm) 3467 { 3468 return sm ? sm->use_ext_key_id : 0; 3469 } 3470 3471 3472 int wpa_sm_ocv_enabled(struct wpa_sm *sm) 3473 { 3474 struct wpa_ie_data rsn; 3475 3476 if (!sm->ocv || !sm->ap_rsn_ie) 3477 return 0; 3478 3479 return wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, 3480 &rsn) >= 0 && 3481 (rsn.capabilities & WPA_CAPABILITY_OCVC); 3482 } 3483 3484 3485 /** 3486 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration 3487 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3488 * @wpa_ie: Pointer to buffer for WPA/RSN IE 3489 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer 3490 * Returns: 0 on success, -1 on failure 3491 */ 3492 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie, 3493 size_t *wpa_ie_len) 3494 { 3495 int res; 3496 3497 if (sm == NULL) 3498 return -1; 3499 3500 #ifdef CONFIG_TESTING_OPTIONS 3501 if (sm->test_assoc_ie) { 3502 wpa_printf(MSG_DEBUG, 3503 "TESTING: Replace association WPA/RSN IE"); 3504 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie)) 3505 return -1; 3506 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie), 3507 wpabuf_len(sm->test_assoc_ie)); 3508 res = wpabuf_len(sm->test_assoc_ie); 3509 } else 3510 #endif /* CONFIG_TESTING_OPTIONS */ 3511 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len); 3512 if (res < 0) 3513 return -1; 3514 *wpa_ie_len = res; 3515 3516 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default", 3517 wpa_ie, *wpa_ie_len); 3518 3519 if (sm->assoc_wpa_ie == NULL) { 3520 /* 3521 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets 3522 * the correct version of the IE even if PMKSA caching is 3523 * aborted (which would remove PMKID from IE generation). 3524 */ 3525 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len); 3526 if (sm->assoc_wpa_ie == NULL) 3527 return -1; 3528 3529 sm->assoc_wpa_ie_len = *wpa_ie_len; 3530 } else { 3531 wpa_hexdump(MSG_DEBUG, 3532 "WPA: Leave previously set WPA IE default", 3533 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 3534 } 3535 3536 return 0; 3537 } 3538 3539 3540 /** 3541 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq 3542 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3543 * @ie: Pointer to IE data (starting from id) 3544 * @len: IE length 3545 * Returns: 0 on success, -1 on failure 3546 * 3547 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association 3548 * Request frame. The IE will be used to override the default value generated 3549 * with wpa_sm_set_assoc_wpa_ie_default(). 3550 */ 3551 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 3552 { 3553 if (sm == NULL) 3554 return -1; 3555 3556 os_free(sm->assoc_wpa_ie); 3557 if (ie == NULL || len == 0) { 3558 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3559 "WPA: clearing own WPA/RSN IE"); 3560 sm->assoc_wpa_ie = NULL; 3561 sm->assoc_wpa_ie_len = 0; 3562 } else { 3563 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len); 3564 sm->assoc_wpa_ie = os_memdup(ie, len); 3565 if (sm->assoc_wpa_ie == NULL) 3566 return -1; 3567 3568 sm->assoc_wpa_ie_len = len; 3569 } 3570 3571 return 0; 3572 } 3573 3574 3575 /** 3576 * wpa_sm_set_assoc_rsnxe_default - Generate own RSNXE from configuration 3577 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3578 * @rsnxe: Pointer to buffer for RSNXE 3579 * @rsnxe_len: Pointer to the length of the rsne buffer 3580 * Returns: 0 on success, -1 on failure 3581 */ 3582 int wpa_sm_set_assoc_rsnxe_default(struct wpa_sm *sm, u8 *rsnxe, 3583 size_t *rsnxe_len) 3584 { 3585 int res; 3586 3587 if (!sm) 3588 return -1; 3589 3590 res = wpa_gen_rsnxe(sm, rsnxe, *rsnxe_len); 3591 if (res < 0) 3592 return -1; 3593 *rsnxe_len = res; 3594 3595 wpa_hexdump(MSG_DEBUG, "RSN: Set own RSNXE default", rsnxe, *rsnxe_len); 3596 3597 if (sm->assoc_rsnxe) { 3598 wpa_hexdump(MSG_DEBUG, 3599 "RSN: Leave previously set RSNXE default", 3600 sm->assoc_rsnxe, sm->assoc_rsnxe_len); 3601 } else if (*rsnxe_len > 0) { 3602 /* 3603 * Make a copy of the RSNXE so that 4-Way Handshake gets the 3604 * correct version of the IE even if it gets changed. 3605 */ 3606 sm->assoc_rsnxe = os_memdup(rsnxe, *rsnxe_len); 3607 if (!sm->assoc_rsnxe) 3608 return -1; 3609 3610 sm->assoc_rsnxe_len = *rsnxe_len; 3611 } 3612 3613 return 0; 3614 } 3615 3616 3617 /** 3618 * wpa_sm_set_assoc_rsnxe - Set own RSNXE from (Re)AssocReq 3619 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3620 * @ie: Pointer to IE data (starting from id) 3621 * @len: IE length 3622 * Returns: 0 on success, -1 on failure 3623 * 3624 * Inform WPA state machine about the RSNXE used in (Re)Association Request 3625 * frame. The IE will be used to override the default value generated 3626 * with wpa_sm_set_assoc_rsnxe_default(). 3627 */ 3628 int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len) 3629 { 3630 if (!sm) 3631 return -1; 3632 3633 os_free(sm->assoc_rsnxe); 3634 if (!ie || len == 0) { 3635 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3636 "RSN: clearing own RSNXE"); 3637 sm->assoc_rsnxe = NULL; 3638 sm->assoc_rsnxe_len = 0; 3639 } else { 3640 wpa_hexdump(MSG_DEBUG, "RSN: set own RSNXE", ie, len); 3641 sm->assoc_rsnxe = os_memdup(ie, len); 3642 if (!sm->assoc_rsnxe) 3643 return -1; 3644 3645 sm->assoc_rsnxe_len = len; 3646 } 3647 3648 return 0; 3649 } 3650 3651 3652 /** 3653 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp 3654 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3655 * @ie: Pointer to IE data (starting from id) 3656 * @len: IE length 3657 * Returns: 0 on success, -1 on failure 3658 * 3659 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response 3660 * frame. 3661 */ 3662 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 3663 { 3664 if (sm == NULL) 3665 return -1; 3666 3667 os_free(sm->ap_wpa_ie); 3668 if (ie == NULL || len == 0) { 3669 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3670 "WPA: clearing AP WPA IE"); 3671 sm->ap_wpa_ie = NULL; 3672 sm->ap_wpa_ie_len = 0; 3673 } else { 3674 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len); 3675 sm->ap_wpa_ie = os_memdup(ie, len); 3676 if (sm->ap_wpa_ie == NULL) 3677 return -1; 3678 3679 sm->ap_wpa_ie_len = len; 3680 } 3681 3682 return 0; 3683 } 3684 3685 3686 /** 3687 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp 3688 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3689 * @ie: Pointer to IE data (starting from id) 3690 * @len: IE length 3691 * Returns: 0 on success, -1 on failure 3692 * 3693 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response 3694 * frame. 3695 */ 3696 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 3697 { 3698 if (sm == NULL) 3699 return -1; 3700 3701 os_free(sm->ap_rsn_ie); 3702 if (ie == NULL || len == 0) { 3703 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3704 "WPA: clearing AP RSN IE"); 3705 sm->ap_rsn_ie = NULL; 3706 sm->ap_rsn_ie_len = 0; 3707 } else { 3708 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len); 3709 sm->ap_rsn_ie = os_memdup(ie, len); 3710 if (sm->ap_rsn_ie == NULL) 3711 return -1; 3712 3713 sm->ap_rsn_ie_len = len; 3714 } 3715 3716 return 0; 3717 } 3718 3719 3720 /** 3721 * wpa_sm_set_ap_rsnxe - Set AP RSNXE from Beacon/ProbeResp 3722 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3723 * @ie: Pointer to IE data (starting from id) 3724 * @len: IE length 3725 * Returns: 0 on success, -1 on failure 3726 * 3727 * Inform WPA state machine about the RSNXE used in Beacon / Probe Response 3728 * frame. 3729 */ 3730 int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len) 3731 { 3732 if (!sm) 3733 return -1; 3734 3735 os_free(sm->ap_rsnxe); 3736 if (!ie || len == 0) { 3737 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE"); 3738 sm->ap_rsnxe = NULL; 3739 sm->ap_rsnxe_len = 0; 3740 } else { 3741 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len); 3742 sm->ap_rsnxe = os_memdup(ie, len); 3743 if (!sm->ap_rsnxe) 3744 return -1; 3745 3746 sm->ap_rsnxe_len = len; 3747 } 3748 3749 return 0; 3750 } 3751 3752 3753 /** 3754 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE 3755 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3756 * @data: Pointer to data area for parsing results 3757 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure 3758 * 3759 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the 3760 * parsed data into data. 3761 */ 3762 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data) 3763 { 3764 if (sm == NULL) 3765 return -1; 3766 3767 if (sm->assoc_wpa_ie == NULL) { 3768 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3769 "WPA: No WPA/RSN IE available from association info"); 3770 return -1; 3771 } 3772 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data)) 3773 return -2; 3774 return 0; 3775 } 3776 3777 3778 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len) 3779 { 3780 return pmksa_cache_list(sm->pmksa, buf, len); 3781 } 3782 3783 3784 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm) 3785 { 3786 return pmksa_cache_head(sm->pmksa); 3787 } 3788 3789 3790 struct rsn_pmksa_cache_entry * 3791 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm, 3792 struct rsn_pmksa_cache_entry * entry) 3793 { 3794 return pmksa_cache_add_entry(sm->pmksa, entry); 3795 } 3796 3797 3798 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, 3799 const u8 *pmkid, const u8 *bssid, 3800 const u8 *fils_cache_id) 3801 { 3802 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0, 3803 bssid, sm->own_addr, sm->network_ctx, 3804 sm->key_mgmt, fils_cache_id); 3805 } 3806 3807 3808 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid, 3809 const void *network_ctx) 3810 { 3811 return pmksa_cache_get(sm->pmksa, bssid, NULL, network_ctx, 0) != NULL; 3812 } 3813 3814 3815 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_get(struct wpa_sm *sm, 3816 const u8 *aa, 3817 const u8 *pmkid, 3818 const void *network_ctx, 3819 int akmp) 3820 { 3821 return pmksa_cache_get(sm->pmksa, aa, pmkid, network_ctx, akmp); 3822 } 3823 3824 3825 void wpa_sm_drop_sa(struct wpa_sm *sm) 3826 { 3827 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK"); 3828 sm->ptk_set = 0; 3829 sm->tptk_set = 0; 3830 sm->pmk_len = 0; 3831 os_memset(sm->pmk, 0, sizeof(sm->pmk)); 3832 os_memset(&sm->ptk, 0, sizeof(sm->ptk)); 3833 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 3834 os_memset(&sm->gtk, 0, sizeof(sm->gtk)); 3835 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); 3836 os_memset(&sm->igtk, 0, sizeof(sm->igtk)); 3837 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); 3838 #ifdef CONFIG_IEEE80211R 3839 os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); 3840 sm->xxkey_len = 0; 3841 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); 3842 sm->pmk_r0_len = 0; 3843 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1)); 3844 sm->pmk_r1_len = 0; 3845 #ifdef CONFIG_PASN 3846 os_free(sm->pasn_r1kh); 3847 sm->pasn_r1kh = NULL; 3848 sm->n_pasn_r1kh = 0; 3849 #endif /* CONFIG_PASN */ 3850 #endif /* CONFIG_IEEE80211R */ 3851 } 3852 3853 3854 int wpa_sm_has_ptk(struct wpa_sm *sm) 3855 { 3856 if (sm == NULL) 3857 return 0; 3858 return sm->ptk_set; 3859 } 3860 3861 3862 int wpa_sm_has_ptk_installed(struct wpa_sm *sm) 3863 { 3864 if (!sm) 3865 return 0; 3866 return sm->ptk.installed; 3867 } 3868 3869 3870 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr) 3871 { 3872 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN); 3873 } 3874 3875 3876 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx) 3877 { 3878 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, false); 3879 } 3880 3881 3882 void wpa_sm_external_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx) 3883 { 3884 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, true); 3885 } 3886 3887 3888 #ifdef CONFIG_WNM 3889 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) 3890 { 3891 u16 keyinfo; 3892 u8 keylen; /* plaintext key len */ 3893 u8 *key_rsc; 3894 3895 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) { 3896 struct wpa_gtk_data gd; 3897 3898 os_memset(&gd, 0, sizeof(gd)); 3899 keylen = wpa_cipher_key_len(sm->group_cipher); 3900 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher); 3901 gd.alg = wpa_cipher_to_alg(sm->group_cipher); 3902 if (gd.alg == WPA_ALG_NONE) { 3903 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite"); 3904 return -1; 3905 } 3906 3907 key_rsc = buf + 5; 3908 keyinfo = WPA_GET_LE16(buf + 2); 3909 gd.gtk_len = keylen; 3910 if (gd.gtk_len != buf[4]) { 3911 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d", 3912 gd.gtk_len, buf[4]); 3913 return -1; 3914 } 3915 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */ 3916 gd.tx = wpa_supplicant_gtk_tx_bit_workaround( 3917 sm, !!(keyinfo & WPA_KEY_INFO_TXRX)); 3918 3919 os_memcpy(gd.gtk, buf + 13, gd.gtk_len); 3920 3921 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", 3922 gd.gtk, gd.gtk_len); 3923 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { 3924 forced_memzero(&gd, sizeof(gd)); 3925 wpa_printf(MSG_DEBUG, "Failed to install the GTK in " 3926 "WNM mode"); 3927 return -1; 3928 } 3929 forced_memzero(&gd, sizeof(gd)); 3930 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { 3931 const struct wpa_igtk_kde *igtk; 3932 3933 igtk = (const struct wpa_igtk_kde *) (buf + 2); 3934 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) 3935 return -1; 3936 } else if (subelem_id == WNM_SLEEP_SUBELEM_BIGTK) { 3937 const struct wpa_bigtk_kde *bigtk; 3938 3939 bigtk = (const struct wpa_bigtk_kde *) (buf + 2); 3940 if (sm->beacon_prot && 3941 wpa_supplicant_install_bigtk(sm, bigtk, 1) < 0) 3942 return -1; 3943 } else { 3944 wpa_printf(MSG_DEBUG, "Unknown element id"); 3945 return -1; 3946 } 3947 3948 return 0; 3949 } 3950 #endif /* CONFIG_WNM */ 3951 3952 3953 #ifdef CONFIG_P2P 3954 3955 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf) 3956 { 3957 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0) 3958 return -1; 3959 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4); 3960 return 0; 3961 } 3962 3963 #endif /* CONFIG_P2P */ 3964 3965 3966 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter) 3967 { 3968 if (rx_replay_counter == NULL) 3969 return; 3970 3971 os_memcpy(sm->rx_replay_counter, rx_replay_counter, 3972 WPA_REPLAY_COUNTER_LEN); 3973 sm->rx_replay_counter_set = 1; 3974 wpa_printf(MSG_DEBUG, "Updated key replay counter"); 3975 } 3976 3977 3978 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm, 3979 const u8 *ptk_kck, size_t ptk_kck_len, 3980 const u8 *ptk_kek, size_t ptk_kek_len) 3981 { 3982 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) { 3983 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len); 3984 sm->ptk.kck_len = ptk_kck_len; 3985 wpa_printf(MSG_DEBUG, "Updated PTK KCK"); 3986 } 3987 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) { 3988 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len); 3989 sm->ptk.kek_len = ptk_kek_len; 3990 wpa_printf(MSG_DEBUG, "Updated PTK KEK"); 3991 } 3992 sm->ptk_set = 1; 3993 } 3994 3995 3996 #ifdef CONFIG_TESTING_OPTIONS 3997 3998 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf) 3999 { 4000 wpabuf_free(sm->test_assoc_ie); 4001 sm->test_assoc_ie = buf; 4002 } 4003 4004 4005 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm) 4006 { 4007 return sm->anonce; 4008 } 4009 4010 #endif /* CONFIG_TESTING_OPTIONS */ 4011 4012 4013 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm) 4014 { 4015 return sm->key_mgmt; 4016 } 4017 4018 4019 #ifdef CONFIG_FILS 4020 4021 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md) 4022 { 4023 struct wpabuf *buf = NULL; 4024 struct wpabuf *erp_msg; 4025 struct wpabuf *pub = NULL; 4026 4027 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol); 4028 if (!erp_msg && !sm->cur_pmksa) { 4029 wpa_printf(MSG_DEBUG, 4030 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS"); 4031 goto fail; 4032 } 4033 4034 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)", 4035 erp_msg != NULL, sm->cur_pmksa != NULL); 4036 4037 sm->fils_completed = 0; 4038 4039 if (!sm->assoc_wpa_ie) { 4040 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS"); 4041 goto fail; 4042 } 4043 4044 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 || 4045 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0) 4046 goto fail; 4047 4048 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce", 4049 sm->fils_nonce, FILS_NONCE_LEN); 4050 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session", 4051 sm->fils_session, FILS_SESSION_LEN); 4052 4053 #ifdef CONFIG_FILS_SK_PFS 4054 sm->fils_dh_group = dh_group; 4055 if (dh_group) { 4056 crypto_ecdh_deinit(sm->fils_ecdh); 4057 sm->fils_ecdh = crypto_ecdh_init(dh_group); 4058 if (!sm->fils_ecdh) { 4059 wpa_printf(MSG_INFO, 4060 "FILS: Could not initialize ECDH with group %d", 4061 dh_group); 4062 goto fail; 4063 } 4064 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1); 4065 if (!pub) 4066 goto fail; 4067 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)", 4068 pub); 4069 sm->fils_dh_elem_len = wpabuf_len(pub); 4070 } 4071 #endif /* CONFIG_FILS_SK_PFS */ 4072 4073 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len + 4074 (pub ? wpabuf_len(pub) : 0)); 4075 if (!buf) 4076 goto fail; 4077 4078 /* Fields following the Authentication algorithm number field */ 4079 4080 /* Authentication Transaction seq# */ 4081 wpabuf_put_le16(buf, 1); 4082 4083 /* Status Code */ 4084 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 4085 4086 /* TODO: FILS PK */ 4087 #ifdef CONFIG_FILS_SK_PFS 4088 if (dh_group) { 4089 /* Finite Cyclic Group */ 4090 wpabuf_put_le16(buf, dh_group); 4091 /* Element */ 4092 wpabuf_put_buf(buf, pub); 4093 } 4094 #endif /* CONFIG_FILS_SK_PFS */ 4095 4096 /* RSNE */ 4097 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame", 4098 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 4099 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 4100 4101 if (md) { 4102 /* MDE when using FILS for FT initial association */ 4103 struct rsn_mdie *mdie; 4104 4105 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN); 4106 wpabuf_put_u8(buf, sizeof(*mdie)); 4107 mdie = wpabuf_put(buf, sizeof(*mdie)); 4108 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN); 4109 mdie->ft_capab = 0; 4110 } 4111 4112 /* FILS Nonce */ 4113 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 4114 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */ 4115 /* Element ID Extension */ 4116 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE); 4117 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN); 4118 4119 /* FILS Session */ 4120 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 4121 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */ 4122 /* Element ID Extension */ 4123 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION); 4124 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN); 4125 4126 /* Wrapped Data */ 4127 sm->fils_erp_pmkid_set = 0; 4128 if (erp_msg) { 4129 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 4130 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */ 4131 /* Element ID Extension */ 4132 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA); 4133 wpabuf_put_buf(buf, erp_msg); 4134 /* Calculate pending PMKID here so that we do not need to 4135 * maintain a copy of the EAP-Initiate/Reauth message. */ 4136 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg), 4137 wpabuf_len(erp_msg), 4138 sm->fils_erp_pmkid) == 0) 4139 sm->fils_erp_pmkid_set = 1; 4140 } 4141 4142 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame", 4143 buf); 4144 4145 fail: 4146 wpabuf_free(erp_msg); 4147 wpabuf_free(pub); 4148 return buf; 4149 } 4150 4151 4152 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data, 4153 size_t len) 4154 { 4155 const u8 *pos, *end; 4156 struct ieee802_11_elems elems; 4157 struct wpa_ie_data rsn; 4158 int pmkid_match = 0; 4159 u8 ick[FILS_ICK_MAX_LEN]; 4160 size_t ick_len; 4161 int res; 4162 struct wpabuf *dh_ss = NULL; 4163 const u8 *g_sta = NULL; 4164 size_t g_sta_len = 0; 4165 const u8 *g_ap = NULL; 4166 size_t g_ap_len = 0, kdk_len; 4167 struct wpabuf *pub = NULL; 4168 4169 os_memcpy(sm->bssid, bssid, ETH_ALEN); 4170 4171 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields", 4172 data, len); 4173 pos = data; 4174 end = data + len; 4175 4176 /* TODO: FILS PK */ 4177 #ifdef CONFIG_FILS_SK_PFS 4178 if (sm->fils_dh_group) { 4179 u16 group; 4180 4181 /* Using FILS PFS */ 4182 4183 /* Finite Cyclic Group */ 4184 if (end - pos < 2) { 4185 wpa_printf(MSG_DEBUG, 4186 "FILS: No room for Finite Cyclic Group"); 4187 goto fail; 4188 } 4189 group = WPA_GET_LE16(pos); 4190 pos += 2; 4191 if (group != sm->fils_dh_group) { 4192 wpa_printf(MSG_DEBUG, 4193 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)", 4194 group, sm->fils_dh_group); 4195 goto fail; 4196 } 4197 4198 /* Element */ 4199 if ((size_t) (end - pos) < sm->fils_dh_elem_len) { 4200 wpa_printf(MSG_DEBUG, "FILS: No room for Element"); 4201 goto fail; 4202 } 4203 4204 if (!sm->fils_ecdh) { 4205 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available"); 4206 goto fail; 4207 } 4208 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos, 4209 sm->fils_dh_elem_len); 4210 if (!dh_ss) { 4211 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed"); 4212 goto fail; 4213 } 4214 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss); 4215 g_ap = pos; 4216 g_ap_len = sm->fils_dh_elem_len; 4217 pos += sm->fils_dh_elem_len; 4218 } 4219 #endif /* CONFIG_FILS_SK_PFS */ 4220 4221 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos); 4222 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) { 4223 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements"); 4224 goto fail; 4225 } 4226 4227 /* RSNE */ 4228 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie, 4229 elems.rsn_ie_len); 4230 if (!elems.rsn_ie || 4231 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 4232 &rsn) < 0) { 4233 wpa_printf(MSG_DEBUG, "FILS: No RSN element"); 4234 goto fail; 4235 } 4236 4237 if (!elems.fils_nonce) { 4238 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field"); 4239 goto fail; 4240 } 4241 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN); 4242 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN); 4243 4244 #ifdef CONFIG_IEEE80211R 4245 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 4246 struct wpa_ft_ies parse; 4247 4248 if (!elems.mdie || !elems.ftie) { 4249 wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE"); 4250 goto fail; 4251 } 4252 4253 if (wpa_ft_parse_ies(pos, end - pos, &parse, 4254 wpa_key_mgmt_sha384(sm->key_mgmt)) < 0) { 4255 wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs"); 4256 goto fail; 4257 } 4258 4259 if (!parse.r0kh_id) { 4260 wpa_printf(MSG_DEBUG, 4261 "FILS+FT: No R0KH-ID subelem in FTE"); 4262 goto fail; 4263 } 4264 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len); 4265 sm->r0kh_id_len = parse.r0kh_id_len; 4266 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID", 4267 sm->r0kh_id, sm->r0kh_id_len); 4268 4269 if (!parse.r1kh_id) { 4270 wpa_printf(MSG_DEBUG, 4271 "FILS+FT: No R1KH-ID subelem in FTE"); 4272 goto fail; 4273 } 4274 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN); 4275 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID", 4276 sm->r1kh_id, FT_R1KH_ID_LEN); 4277 4278 /* TODO: Check MDE and FTE payload */ 4279 4280 wpabuf_free(sm->fils_ft_ies); 4281 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len + 4282 2 + elems.ftie_len); 4283 if (!sm->fils_ft_ies) 4284 goto fail; 4285 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2, 4286 2 + elems.mdie_len); 4287 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2, 4288 2 + elems.ftie_len); 4289 } else { 4290 wpabuf_free(sm->fils_ft_ies); 4291 sm->fils_ft_ies = NULL; 4292 } 4293 #endif /* CONFIG_IEEE80211R */ 4294 4295 /* PMKID List */ 4296 if (rsn.pmkid && rsn.num_pmkid > 0) { 4297 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List", 4298 rsn.pmkid, rsn.num_pmkid * PMKID_LEN); 4299 4300 if (rsn.num_pmkid != 1) { 4301 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection"); 4302 goto fail; 4303 } 4304 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN); 4305 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0) 4306 { 4307 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch"); 4308 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID", 4309 sm->cur_pmksa->pmkid, PMKID_LEN); 4310 goto fail; 4311 } 4312 wpa_printf(MSG_DEBUG, 4313 "FILS: Matching PMKID - continue using PMKSA caching"); 4314 pmkid_match = 1; 4315 } 4316 if (!pmkid_match && sm->cur_pmksa) { 4317 wpa_printf(MSG_DEBUG, 4318 "FILS: No PMKID match - cannot use cached PMKSA entry"); 4319 sm->cur_pmksa = NULL; 4320 } 4321 4322 /* FILS Session */ 4323 if (!elems.fils_session) { 4324 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 4325 goto fail; 4326 } 4327 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session, 4328 FILS_SESSION_LEN); 4329 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN) 4330 != 0) { 4331 wpa_printf(MSG_DEBUG, "FILS: Session mismatch"); 4332 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 4333 sm->fils_session, FILS_SESSION_LEN); 4334 goto fail; 4335 } 4336 4337 /* Wrapped Data */ 4338 if (!sm->cur_pmksa && elems.wrapped_data) { 4339 u8 rmsk[ERP_MAX_KEY_LEN]; 4340 size_t rmsk_len; 4341 4342 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data", 4343 elems.wrapped_data, 4344 elems.wrapped_data_len); 4345 eapol_sm_process_erp_finish(sm->eapol, elems.wrapped_data, 4346 elems.wrapped_data_len); 4347 if (eapol_sm_failed(sm->eapol)) 4348 goto fail; 4349 4350 rmsk_len = ERP_MAX_KEY_LEN; 4351 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len); 4352 if (res == PMK_LEN) { 4353 rmsk_len = PMK_LEN; 4354 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len); 4355 } 4356 if (res) 4357 goto fail; 4358 4359 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len, 4360 sm->fils_nonce, sm->fils_anonce, 4361 dh_ss ? wpabuf_head(dh_ss) : NULL, 4362 dh_ss ? wpabuf_len(dh_ss) : 0, 4363 sm->pmk, &sm->pmk_len); 4364 forced_memzero(rmsk, sizeof(rmsk)); 4365 4366 /* Don't use DHss in PTK derivation if PMKSA caching is not 4367 * used. */ 4368 wpabuf_clear_free(dh_ss); 4369 dh_ss = NULL; 4370 4371 if (res) 4372 goto fail; 4373 4374 if (!sm->fils_erp_pmkid_set) { 4375 wpa_printf(MSG_DEBUG, "FILS: PMKID not available"); 4376 goto fail; 4377 } 4378 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid, 4379 PMKID_LEN); 4380 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result"); 4381 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, 4382 sm->fils_erp_pmkid, NULL, 0, 4383 sm->bssid, sm->own_addr, 4384 sm->network_ctx, sm->key_mgmt, 4385 NULL); 4386 } 4387 4388 if (!sm->cur_pmksa) { 4389 wpa_printf(MSG_DEBUG, 4390 "FILS: No remaining options to continue FILS authentication"); 4391 goto fail; 4392 } 4393 4394 if (sm->force_kdk_derivation || 4395 (sm->secure_ltf && 4396 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))) 4397 kdk_len = WPA_KDK_MAX_LEN; 4398 else 4399 kdk_len = 0; 4400 4401 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid, 4402 sm->fils_nonce, sm->fils_anonce, 4403 dh_ss ? wpabuf_head(dh_ss) : NULL, 4404 dh_ss ? wpabuf_len(dh_ss) : 0, 4405 &sm->ptk, ick, &ick_len, 4406 sm->key_mgmt, sm->pairwise_cipher, 4407 sm->fils_ft, &sm->fils_ft_len, 4408 kdk_len) < 0) { 4409 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK"); 4410 goto fail; 4411 } 4412 4413 wpabuf_clear_free(dh_ss); 4414 dh_ss = NULL; 4415 4416 sm->ptk_set = 1; 4417 sm->tptk_set = 0; 4418 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 4419 4420 #ifdef CONFIG_FILS_SK_PFS 4421 if (sm->fils_dh_group) { 4422 if (!sm->fils_ecdh) { 4423 wpa_printf(MSG_INFO, "FILS: ECDH not initialized"); 4424 goto fail; 4425 } 4426 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1); 4427 if (!pub) 4428 goto fail; 4429 wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub); 4430 g_sta = wpabuf_head(pub); 4431 g_sta_len = wpabuf_len(pub); 4432 if (!g_ap) { 4433 wpa_printf(MSG_INFO, "FILS: gAP not available"); 4434 goto fail; 4435 } 4436 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len); 4437 } 4438 #endif /* CONFIG_FILS_SK_PFS */ 4439 4440 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce, 4441 sm->fils_anonce, sm->own_addr, sm->bssid, 4442 g_sta, g_sta_len, g_ap, g_ap_len, 4443 sm->key_mgmt, sm->fils_key_auth_sta, 4444 sm->fils_key_auth_ap, 4445 &sm->fils_key_auth_len); 4446 wpabuf_free(pub); 4447 forced_memzero(ick, sizeof(ick)); 4448 return res; 4449 fail: 4450 wpabuf_free(pub); 4451 wpabuf_clear_free(dh_ss); 4452 return -1; 4453 } 4454 4455 4456 #ifdef CONFIG_IEEE80211R 4457 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf) 4458 { 4459 struct rsn_ie_hdr *rsnie; 4460 u16 capab; 4461 u8 *pos; 4462 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt); 4463 4464 /* RSNIE[PMKR0Name/PMKR1Name] */ 4465 rsnie = wpabuf_put(buf, sizeof(*rsnie)); 4466 rsnie->elem_id = WLAN_EID_RSN; 4467 WPA_PUT_LE16(rsnie->version, RSN_VERSION); 4468 4469 /* Group Suite Selector */ 4470 if (!wpa_cipher_valid_group(sm->group_cipher)) { 4471 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)", 4472 sm->group_cipher); 4473 return -1; 4474 } 4475 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 4476 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, 4477 sm->group_cipher)); 4478 4479 /* Pairwise Suite Count */ 4480 wpabuf_put_le16(buf, 1); 4481 4482 /* Pairwise Suite List */ 4483 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) { 4484 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)", 4485 sm->pairwise_cipher); 4486 return -1; 4487 } 4488 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 4489 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, 4490 sm->pairwise_cipher)); 4491 4492 /* Authenticated Key Management Suite Count */ 4493 wpabuf_put_le16(buf, 1); 4494 4495 /* Authenticated Key Management Suite List */ 4496 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 4497 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256) 4498 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256); 4499 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384) 4500 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384); 4501 else { 4502 wpa_printf(MSG_WARNING, 4503 "FILS+FT: Invalid key management type (%d)", 4504 sm->key_mgmt); 4505 return -1; 4506 } 4507 4508 /* RSN Capabilities */ 4509 capab = 0; 4510 if (sm->mfp) 4511 capab |= WPA_CAPABILITY_MFPC; 4512 if (sm->mfp == 2) 4513 capab |= WPA_CAPABILITY_MFPR; 4514 if (sm->ocv) 4515 capab |= WPA_CAPABILITY_OCVC; 4516 if (sm->ext_key_id) 4517 capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; 4518 wpabuf_put_le16(buf, capab); 4519 4520 /* PMKID Count */ 4521 wpabuf_put_le16(buf, 1); 4522 4523 /* PMKID List [PMKR1Name] */ 4524 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)", 4525 sm->fils_ft, sm->fils_ft_len); 4526 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len); 4527 wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID", 4528 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN); 4529 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID", 4530 sm->r0kh_id, sm->r0kh_id_len); 4531 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid, 4532 sm->ssid_len, sm->mobility_domain, 4533 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr, 4534 sm->pmk_r0, sm->pmk_r0_name, use_sha384) < 0) { 4535 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0"); 4536 return -1; 4537 } 4538 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN; 4539 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR, 4540 MAC2STR(sm->r1kh_id)); 4541 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN); 4542 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr, 4543 sm->pmk_r1_name, use_sha384) < 0) { 4544 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name"); 4545 return -1; 4546 } 4547 os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN); 4548 4549 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) { 4550 /* Management Group Cipher Suite */ 4551 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 4552 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC); 4553 } 4554 4555 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2; 4556 return 0; 4557 } 4558 #endif /* CONFIG_IEEE80211R */ 4559 4560 4561 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek, 4562 size_t *kek_len, const u8 **snonce, 4563 const u8 **anonce, 4564 const struct wpabuf **hlp, 4565 unsigned int num_hlp) 4566 { 4567 struct wpabuf *buf; 4568 size_t len; 4569 unsigned int i; 4570 4571 len = 1000; 4572 #ifdef CONFIG_IEEE80211R 4573 if (sm->fils_ft_ies) 4574 len += wpabuf_len(sm->fils_ft_ies); 4575 if (wpa_key_mgmt_ft(sm->key_mgmt)) 4576 len += 256; 4577 #endif /* CONFIG_IEEE80211R */ 4578 for (i = 0; hlp && i < num_hlp; i++) 4579 len += 10 + wpabuf_len(hlp[i]); 4580 buf = wpabuf_alloc(len); 4581 if (!buf) 4582 return NULL; 4583 4584 #ifdef CONFIG_IEEE80211R 4585 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) { 4586 /* MDE and FTE when using FILS+FT */ 4587 wpabuf_put_buf(buf, sm->fils_ft_ies); 4588 /* RSNE with PMKR1Name in PMKID field */ 4589 if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) { 4590 wpabuf_free(buf); 4591 return NULL; 4592 } 4593 } 4594 #endif /* CONFIG_IEEE80211R */ 4595 4596 /* FILS Session */ 4597 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 4598 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */ 4599 /* Element ID Extension */ 4600 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION); 4601 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN); 4602 4603 /* Everything after FILS Session element gets encrypted in the driver 4604 * with KEK. The buffer returned from here is the plaintext version. */ 4605 4606 /* TODO: FILS Public Key */ 4607 4608 /* FILS Key Confirm */ 4609 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 4610 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */ 4611 /* Element ID Extension */ 4612 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM); 4613 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len); 4614 4615 /* FILS HLP Container */ 4616 for (i = 0; hlp && i < num_hlp; i++) { 4617 const u8 *pos = wpabuf_head(hlp[i]); 4618 size_t left = wpabuf_len(hlp[i]); 4619 4620 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 4621 if (left <= 254) 4622 len = 1 + left; 4623 else 4624 len = 255; 4625 wpabuf_put_u8(buf, len); /* Length */ 4626 /* Element ID Extension */ 4627 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER); 4628 /* Destination MAC Address, Source MAC Address, HLP Packet. 4629 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP 4630 * header when LPD is used). */ 4631 wpabuf_put_data(buf, pos, len - 1); 4632 pos += len - 1; 4633 left -= len - 1; 4634 while (left) { 4635 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT); 4636 len = left > 255 ? 255 : left; 4637 wpabuf_put_u8(buf, len); 4638 wpabuf_put_data(buf, pos, len); 4639 pos += len; 4640 left -= len; 4641 } 4642 } 4643 4644 /* TODO: FILS IP Address Assignment */ 4645 4646 #ifdef CONFIG_OCV 4647 if (wpa_sm_ocv_enabled(sm)) { 4648 struct wpa_channel_info ci; 4649 u8 *pos; 4650 4651 if (wpa_sm_channel_info(sm, &ci) != 0) { 4652 wpa_printf(MSG_WARNING, 4653 "FILS: Failed to get channel info for OCI element"); 4654 wpabuf_free(buf); 4655 return NULL; 4656 } 4657 #ifdef CONFIG_TESTING_OPTIONS 4658 if (sm->oci_freq_override_fils_assoc) { 4659 wpa_printf(MSG_INFO, 4660 "TEST: Override OCI KDE frequency %d -> %d MHz", 4661 ci.frequency, 4662 sm->oci_freq_override_fils_assoc); 4663 ci.frequency = sm->oci_freq_override_fils_assoc; 4664 } 4665 #endif /* CONFIG_TESTING_OPTIONS */ 4666 4667 pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN); 4668 if (ocv_insert_extended_oci(&ci, pos) < 0) { 4669 wpabuf_free(buf); 4670 return NULL; 4671 } 4672 } 4673 #endif /* CONFIG_OCV */ 4674 4675 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf); 4676 4677 *kek = sm->ptk.kek; 4678 *kek_len = sm->ptk.kek_len; 4679 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len); 4680 *snonce = sm->fils_nonce; 4681 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD", 4682 *snonce, FILS_NONCE_LEN); 4683 *anonce = sm->fils_anonce; 4684 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD", 4685 *anonce, FILS_NONCE_LEN); 4686 4687 return buf; 4688 } 4689 4690 4691 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len) 4692 { 4693 const u8 *pos, *end; 4694 4695 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len); 4696 if (len < 2 * ETH_ALEN) 4697 return; 4698 pos = resp + 2 * ETH_ALEN; 4699 end = resp + len; 4700 if (end - pos >= 6 && 4701 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0) 4702 pos += 6; /* Remove SNAP/LLC header */ 4703 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos); 4704 } 4705 4706 4707 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos, 4708 size_t len) 4709 { 4710 const u8 *end = pos + len; 4711 u8 *tmp, *tmp_pos; 4712 4713 /* Check if there are any FILS HLP Container elements */ 4714 while (end - pos >= 2) { 4715 if (2 + pos[1] > end - pos) 4716 return; 4717 if (pos[0] == WLAN_EID_EXTENSION && 4718 pos[1] >= 1 + 2 * ETH_ALEN && 4719 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER) 4720 break; 4721 pos += 2 + pos[1]; 4722 } 4723 if (end - pos < 2) 4724 return; /* No FILS HLP Container elements */ 4725 4726 tmp = os_malloc(end - pos); 4727 if (!tmp) 4728 return; 4729 4730 while (end - pos >= 2) { 4731 if (2 + pos[1] > end - pos || 4732 pos[0] != WLAN_EID_EXTENSION || 4733 pos[1] < 1 + 2 * ETH_ALEN || 4734 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER) 4735 break; 4736 tmp_pos = tmp; 4737 os_memcpy(tmp_pos, pos + 3, pos[1] - 1); 4738 tmp_pos += pos[1] - 1; 4739 pos += 2 + pos[1]; 4740 4741 /* Add possible fragments */ 4742 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT && 4743 2 + pos[1] <= end - pos) { 4744 os_memcpy(tmp_pos, pos + 2, pos[1]); 4745 tmp_pos += pos[1]; 4746 pos += 2 + pos[1]; 4747 } 4748 4749 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp); 4750 } 4751 4752 os_free(tmp); 4753 } 4754 4755 4756 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) 4757 { 4758 const struct ieee80211_mgmt *mgmt; 4759 const u8 *end, *ie_start; 4760 struct ieee802_11_elems elems; 4761 int keylen, rsclen; 4762 enum wpa_alg alg; 4763 struct wpa_gtk_data gd; 4764 int maxkeylen; 4765 struct wpa_eapol_ie_parse kde; 4766 4767 if (!sm || !sm->ptk_set) { 4768 wpa_printf(MSG_DEBUG, "FILS: No KEK available"); 4769 return -1; 4770 } 4771 4772 if (!wpa_key_mgmt_fils(sm->key_mgmt)) { 4773 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM"); 4774 return -1; 4775 } 4776 4777 if (sm->fils_completed) { 4778 wpa_printf(MSG_DEBUG, 4779 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission"); 4780 return -1; 4781 } 4782 4783 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame", 4784 resp, len); 4785 4786 mgmt = (const struct ieee80211_mgmt *) resp; 4787 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp)) 4788 return -1; 4789 4790 end = resp + len; 4791 /* Same offset for Association Response and Reassociation Response */ 4792 ie_start = mgmt->u.assoc_resp.variable; 4793 4794 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) == 4795 ParseFailed) { 4796 wpa_printf(MSG_DEBUG, 4797 "FILS: Failed to parse decrypted elements"); 4798 goto fail; 4799 } 4800 4801 if (!elems.fils_session) { 4802 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 4803 return -1; 4804 } 4805 if (os_memcmp(elems.fils_session, sm->fils_session, 4806 FILS_SESSION_LEN) != 0) { 4807 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch"); 4808 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session", 4809 elems.fils_session, FILS_SESSION_LEN); 4810 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 4811 sm->fils_session, FILS_SESSION_LEN); 4812 } 4813 4814 if (!elems.rsn_ie) { 4815 wpa_printf(MSG_DEBUG, 4816 "FILS: No RSNE in (Re)Association Response"); 4817 /* As an interop workaround, allow this for now since IEEE Std 4818 * 802.11ai-2016 did not include all the needed changes to make 4819 * a FILS AP include RSNE in the frame. This workaround might 4820 * eventually be removed and replaced with rejection (goto fail) 4821 * to follow a strict interpretation of the standard. */ 4822 } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt), 4823 sm->ap_rsn_ie, sm->ap_rsn_ie_len, 4824 elems.rsn_ie - 2, elems.rsn_ie_len + 2)) { 4825 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 4826 "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response"); 4827 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response", 4828 sm->ap_rsn_ie, sm->ap_rsn_ie_len); 4829 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response", 4830 elems.rsn_ie, elems.rsn_ie_len); 4831 goto fail; 4832 } 4833 4834 /* TODO: FILS Public Key */ 4835 4836 if (!elems.fils_key_confirm) { 4837 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element"); 4838 goto fail; 4839 } 4840 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) { 4841 wpa_printf(MSG_DEBUG, 4842 "FILS: Unexpected Key-Auth length %d (expected %d)", 4843 elems.fils_key_confirm_len, 4844 (int) sm->fils_key_auth_len); 4845 goto fail; 4846 } 4847 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap, 4848 sm->fils_key_auth_len) != 0) { 4849 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch"); 4850 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth", 4851 elems.fils_key_confirm, 4852 elems.fils_key_confirm_len); 4853 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth", 4854 sm->fils_key_auth_ap, sm->fils_key_auth_len); 4855 goto fail; 4856 } 4857 4858 #ifdef CONFIG_OCV 4859 if (wpa_sm_ocv_enabled(sm)) { 4860 struct wpa_channel_info ci; 4861 4862 if (wpa_sm_channel_info(sm, &ci) != 0) { 4863 wpa_printf(MSG_WARNING, 4864 "Failed to get channel info to validate received OCI in FILS (Re)Association Response frame"); 4865 goto fail; 4866 } 4867 4868 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci, 4869 channel_width_to_int(ci.chanwidth), 4870 ci.seg1_idx) != OCI_SUCCESS) { 4871 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE 4872 "addr=" MACSTR " frame=fils-assoc error=%s", 4873 MAC2STR(sm->bssid), ocv_errorstr); 4874 goto fail; 4875 } 4876 } 4877 #endif /* CONFIG_OCV */ 4878 4879 #ifdef CONFIG_IEEE80211R 4880 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) { 4881 struct wpa_ie_data rsn; 4882 4883 /* Check that PMKR1Name derived by the AP matches */ 4884 if (!elems.rsn_ie || 4885 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 4886 &rsn) < 0 || 4887 !rsn.pmkid || rsn.num_pmkid != 1 || 4888 os_memcmp(rsn.pmkid, sm->pmk_r1_name, 4889 WPA_PMK_NAME_LEN) != 0) { 4890 wpa_printf(MSG_DEBUG, 4891 "FILS+FT: No RSNE[PMKR1Name] match in AssocResp"); 4892 goto fail; 4893 } 4894 } 4895 #endif /* CONFIG_IEEE80211R */ 4896 4897 /* Key Delivery */ 4898 if (!elems.key_delivery) { 4899 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element"); 4900 goto fail; 4901 } 4902 4903 /* Parse GTK and set the key to the driver */ 4904 os_memset(&gd, 0, sizeof(gd)); 4905 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN, 4906 elems.key_delivery_len - WPA_KEY_RSC_LEN, 4907 &kde) < 0) { 4908 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs"); 4909 goto fail; 4910 } 4911 if (!kde.gtk) { 4912 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE"); 4913 goto fail; 4914 } 4915 maxkeylen = gd.gtk_len = kde.gtk_len - 2; 4916 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 4917 gd.gtk_len, maxkeylen, 4918 &gd.key_rsc_len, &gd.alg)) 4919 goto fail; 4920 4921 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len); 4922 gd.keyidx = kde.gtk[0] & 0x3; 4923 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 4924 !!(kde.gtk[0] & BIT(2))); 4925 if (kde.gtk_len - 2 > sizeof(gd.gtk)) { 4926 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)", 4927 (unsigned long) kde.gtk_len - 2); 4928 goto fail; 4929 } 4930 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2); 4931 4932 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver"); 4933 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) { 4934 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK"); 4935 goto fail; 4936 } 4937 4938 if (ieee80211w_set_keys(sm, &kde) < 0) { 4939 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK"); 4940 goto fail; 4941 } 4942 4943 alg = wpa_cipher_to_alg(sm->pairwise_cipher); 4944 keylen = wpa_cipher_key_len(sm->pairwise_cipher); 4945 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) { 4946 wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu", 4947 keylen, (long unsigned int) sm->ptk.tk_len); 4948 goto fail; 4949 } 4950 4951 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher); 4952 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver", 4953 sm->ptk.tk, keylen); 4954 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen, 4955 sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE_RX_TX) < 0) { 4956 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 4957 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid=" 4958 MACSTR ")", 4959 alg, keylen, MAC2STR(sm->bssid)); 4960 goto fail; 4961 } 4962 4963 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher, 4964 sm->dot11RSNAConfigPMKLifetime, &sm->ptk); 4965 4966 /* TODO: TK could be cleared after auth frame exchange now that driver 4967 * takes care of association frame encryption/decryption. */ 4968 /* TK is not needed anymore in supplicant */ 4969 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); 4970 sm->ptk.tk_len = 0; 4971 sm->ptk.installed = 1; 4972 4973 /* FILS HLP Container */ 4974 fils_process_hlp_container(sm, ie_start, end - ie_start); 4975 4976 /* TODO: FILS IP Address Assignment */ 4977 4978 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully"); 4979 sm->fils_completed = 1; 4980 forced_memzero(&gd, sizeof(gd)); 4981 4982 if (kde.transition_disable) 4983 wpa_sm_transition_disable(sm, kde.transition_disable[0]); 4984 4985 return 0; 4986 fail: 4987 forced_memzero(&gd, sizeof(gd)); 4988 return -1; 4989 } 4990 4991 4992 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set) 4993 { 4994 if (sm) 4995 sm->fils_completed = !!set; 4996 } 4997 4998 #endif /* CONFIG_FILS */ 4999 5000 5001 int wpa_fils_is_completed(struct wpa_sm *sm) 5002 { 5003 #ifdef CONFIG_FILS 5004 return sm && sm->fils_completed; 5005 #else /* CONFIG_FILS */ 5006 return 0; 5007 #endif /* CONFIG_FILS */ 5008 } 5009 5010 5011 #ifdef CONFIG_OWE 5012 5013 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group) 5014 { 5015 struct wpabuf *ie = NULL, *pub = NULL; 5016 size_t prime_len; 5017 5018 if (group == 19) 5019 prime_len = 32; 5020 else if (group == 20) 5021 prime_len = 48; 5022 else if (group == 21) 5023 prime_len = 66; 5024 else 5025 return NULL; 5026 5027 crypto_ecdh_deinit(sm->owe_ecdh); 5028 sm->owe_ecdh = crypto_ecdh_init(group); 5029 if (!sm->owe_ecdh) 5030 goto fail; 5031 sm->owe_group = group; 5032 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0); 5033 pub = wpabuf_zeropad(pub, prime_len); 5034 if (!pub) 5035 goto fail; 5036 5037 ie = wpabuf_alloc(5 + wpabuf_len(pub)); 5038 if (!ie) 5039 goto fail; 5040 wpabuf_put_u8(ie, WLAN_EID_EXTENSION); 5041 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub)); 5042 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM); 5043 wpabuf_put_le16(ie, group); 5044 wpabuf_put_buf(ie, pub); 5045 wpabuf_free(pub); 5046 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element", 5047 ie); 5048 5049 return ie; 5050 fail: 5051 wpabuf_free(pub); 5052 crypto_ecdh_deinit(sm->owe_ecdh); 5053 sm->owe_ecdh = NULL; 5054 return NULL; 5055 } 5056 5057 5058 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid, 5059 const u8 *resp_ies, size_t resp_ies_len) 5060 { 5061 struct ieee802_11_elems elems; 5062 u16 group; 5063 struct wpabuf *secret, *pub, *hkey; 5064 int res; 5065 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN]; 5066 const char *info = "OWE Key Generation"; 5067 const u8 *addr[2]; 5068 size_t len[2]; 5069 size_t hash_len, prime_len; 5070 struct wpa_ie_data data; 5071 5072 if (!resp_ies || 5073 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) == 5074 ParseFailed) { 5075 wpa_printf(MSG_INFO, 5076 "OWE: Could not parse Association Response frame elements"); 5077 return -1; 5078 } 5079 5080 if (sm->cur_pmksa && elems.rsn_ie && 5081 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len, 5082 &data) == 0 && 5083 data.num_pmkid == 1 && data.pmkid && 5084 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) { 5085 wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching"); 5086 wpa_sm_set_pmk_from_pmksa(sm); 5087 return 0; 5088 } 5089 5090 if (!elems.owe_dh) { 5091 wpa_printf(MSG_INFO, 5092 "OWE: No Diffie-Hellman Parameter element found in Association Response frame"); 5093 return -1; 5094 } 5095 5096 group = WPA_GET_LE16(elems.owe_dh); 5097 if (group != sm->owe_group) { 5098 wpa_printf(MSG_INFO, 5099 "OWE: Unexpected Diffie-Hellman group in response: %u", 5100 group); 5101 return -1; 5102 } 5103 5104 if (!sm->owe_ecdh) { 5105 wpa_printf(MSG_INFO, "OWE: No ECDH state available"); 5106 return -1; 5107 } 5108 5109 if (group == 19) 5110 prime_len = 32; 5111 else if (group == 20) 5112 prime_len = 48; 5113 else if (group == 21) 5114 prime_len = 66; 5115 else 5116 return -1; 5117 5118 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0, 5119 elems.owe_dh + 2, 5120 elems.owe_dh_len - 2); 5121 secret = wpabuf_zeropad(secret, prime_len); 5122 if (!secret) { 5123 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key"); 5124 return -1; 5125 } 5126 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret); 5127 5128 /* prk = HKDF-extract(C | A | group, z) */ 5129 5130 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0); 5131 if (!pub) { 5132 wpabuf_clear_free(secret); 5133 return -1; 5134 } 5135 5136 /* PMKID = Truncate-128(Hash(C | A)) */ 5137 addr[0] = wpabuf_head(pub); 5138 len[0] = wpabuf_len(pub); 5139 addr[1] = elems.owe_dh + 2; 5140 len[1] = elems.owe_dh_len - 2; 5141 if (group == 19) { 5142 res = sha256_vector(2, addr, len, pmkid); 5143 hash_len = SHA256_MAC_LEN; 5144 } else if (group == 20) { 5145 res = sha384_vector(2, addr, len, pmkid); 5146 hash_len = SHA384_MAC_LEN; 5147 } else if (group == 21) { 5148 res = sha512_vector(2, addr, len, pmkid); 5149 hash_len = SHA512_MAC_LEN; 5150 } else { 5151 res = -1; 5152 hash_len = 0; 5153 } 5154 pub = wpabuf_zeropad(pub, prime_len); 5155 if (res < 0 || !pub) { 5156 wpabuf_free(pub); 5157 wpabuf_clear_free(secret); 5158 return -1; 5159 } 5160 5161 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2); 5162 if (!hkey) { 5163 wpabuf_free(pub); 5164 wpabuf_clear_free(secret); 5165 return -1; 5166 } 5167 5168 wpabuf_put_buf(hkey, pub); /* C */ 5169 wpabuf_free(pub); 5170 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */ 5171 wpabuf_put_le16(hkey, sm->owe_group); /* group */ 5172 if (group == 19) 5173 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey), 5174 wpabuf_head(secret), wpabuf_len(secret), prk); 5175 else if (group == 20) 5176 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey), 5177 wpabuf_head(secret), wpabuf_len(secret), prk); 5178 else if (group == 21) 5179 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey), 5180 wpabuf_head(secret), wpabuf_len(secret), prk); 5181 wpabuf_clear_free(hkey); 5182 wpabuf_clear_free(secret); 5183 if (res < 0) 5184 return -1; 5185 5186 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len); 5187 5188 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */ 5189 5190 if (group == 19) 5191 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info, 5192 os_strlen(info), sm->pmk, hash_len); 5193 else if (group == 20) 5194 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info, 5195 os_strlen(info), sm->pmk, hash_len); 5196 else if (group == 21) 5197 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info, 5198 os_strlen(info), sm->pmk, hash_len); 5199 forced_memzero(prk, SHA512_MAC_LEN); 5200 if (res < 0) { 5201 sm->pmk_len = 0; 5202 return -1; 5203 } 5204 sm->pmk_len = hash_len; 5205 5206 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len); 5207 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN); 5208 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0, 5209 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt, 5210 NULL); 5211 5212 return 0; 5213 } 5214 5215 #endif /* CONFIG_OWE */ 5216 5217 5218 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id) 5219 { 5220 #ifdef CONFIG_FILS 5221 if (sm && fils_cache_id) { 5222 sm->fils_cache_id_set = 1; 5223 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN); 5224 } 5225 #endif /* CONFIG_FILS */ 5226 } 5227 5228 5229 #ifdef CONFIG_DPP2 5230 void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z) 5231 { 5232 if (sm) { 5233 wpabuf_clear_free(sm->dpp_z); 5234 sm->dpp_z = z ? wpabuf_dup(z) : NULL; 5235 } 5236 } 5237 #endif /* CONFIG_DPP2 */ 5238 5239 5240 #ifdef CONFIG_PASN 5241 void wpa_pasn_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, 5242 const u8 *pmkid, const u8 *bssid, int key_mgmt) 5243 { 5244 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0, 5245 bssid, sm->own_addr, NULL, 5246 key_mgmt, 0); 5247 } 5248 #endif /* CONFIG_PASN */ 5249