xref: /freebsd/contrib/wpa/src/rsn_supp/wpa.c (revision 86aa9539fef591a363b06a0ebd3aa7a07f4c1579)
1 /*
2  * WPA Supplicant - WPA state machine and EAPOL-Key processing
3  * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
4  * Copyright(c) 2015 Intel Deutschland GmbH
5  *
6  * This software may be distributed under the terms of the BSD license.
7  * See README for more details.
8  */
9 
10 #include "includes.h"
11 
12 #include "common.h"
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "crypto/sha256.h"
19 #include "crypto/sha384.h"
20 #include "crypto/sha512.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/ieee802_11_common.h"
23 #include "common/ocv.h"
24 #include "eap_common/eap_defs.h"
25 #include "eapol_supp/eapol_supp_sm.h"
26 #include "drivers/driver.h"
27 #include "wpa.h"
28 #include "eloop.h"
29 #include "preauth.h"
30 #include "pmksa_cache.h"
31 #include "wpa_i.h"
32 #include "wpa_ie.h"
33 
34 
35 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
36 
37 
38 /**
39  * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
40  * @sm: Pointer to WPA state machine data from wpa_sm_init()
41  * @ptk: PTK for Key Confirmation/Encryption Key
42  * @ver: Version field from Key Info
43  * @dest: Destination address for the frame
44  * @proto: Ethertype (usually ETH_P_EAPOL)
45  * @msg: EAPOL-Key message
46  * @msg_len: Length of message
47  * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
48  * Returns: >= 0 on success, < 0 on failure
49  */
50 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
51 		       int ver, const u8 *dest, u16 proto,
52 		       u8 *msg, size_t msg_len, u8 *key_mic)
53 {
54 	int ret = -1;
55 	size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
56 
57 	wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
58 		   " ver=%d mic_len=%d key_mgmt=0x%x",
59 		   MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
60 	if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
61 		/*
62 		 * Association event was not yet received; try to fetch
63 		 * BSSID from the driver.
64 		 */
65 		if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
66 			wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
67 				"WPA: Failed to read BSSID for "
68 				"EAPOL-Key destination address");
69 		} else {
70 			dest = sm->bssid;
71 			wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
72 				"WPA: Use BSSID (" MACSTR
73 				") as the destination for EAPOL-Key",
74 				MAC2STR(dest));
75 		}
76 	}
77 
78 	if (mic_len) {
79 		if (key_mic && (!ptk || !ptk->kck_len))
80 			goto out;
81 
82 		if (key_mic &&
83 		    wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
84 				      msg, msg_len, key_mic)) {
85 			wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
86 				"WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
87 				ver, sm->key_mgmt);
88 			goto out;
89 		}
90 		if (ptk)
91 			wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
92 					ptk->kck, ptk->kck_len);
93 		wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
94 			    key_mic, mic_len);
95 	} else {
96 #ifdef CONFIG_FILS
97 		/* AEAD cipher - Key MIC field not used */
98 		struct ieee802_1x_hdr *s_hdr, *hdr;
99 		struct wpa_eapol_key *s_key, *key;
100 		u8 *buf, *s_key_data, *key_data;
101 		size_t buf_len = msg_len + AES_BLOCK_SIZE;
102 		size_t key_data_len;
103 		u16 eapol_len;
104 		const u8 *aad[1];
105 		size_t aad_len[1];
106 
107 		if (!ptk || !ptk->kek_len)
108 			goto out;
109 
110 		key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
111 			sizeof(struct wpa_eapol_key) - 2;
112 
113 		buf = os_malloc(buf_len);
114 		if (!buf)
115 			goto out;
116 
117 		os_memcpy(buf, msg, msg_len);
118 		hdr = (struct ieee802_1x_hdr *) buf;
119 		key = (struct wpa_eapol_key *) (hdr + 1);
120 		key_data = ((u8 *) (key + 1)) + 2;
121 
122 		/* Update EAPOL header to include AES-SIV overhead */
123 		eapol_len = be_to_host16(hdr->length);
124 		eapol_len += AES_BLOCK_SIZE;
125 		hdr->length = host_to_be16(eapol_len);
126 
127 		/* Update Key Data Length field to include AES-SIV overhead */
128 		WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
129 
130 		s_hdr = (struct ieee802_1x_hdr *) msg;
131 		s_key = (struct wpa_eapol_key *) (s_hdr + 1);
132 		s_key_data = ((u8 *) (s_key + 1)) + 2;
133 
134 		wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
135 				s_key_data, key_data_len);
136 
137 		wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
138 		 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
139 		  * to Key Data (exclusive). */
140 		aad[0] = buf;
141 		aad_len[0] = key_data - buf;
142 		if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
143 				    s_key_data, key_data_len,
144 				    1, aad, aad_len, key_data) < 0) {
145 			os_free(buf);
146 			goto out;
147 		}
148 
149 		wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
150 			    key_data, AES_BLOCK_SIZE + key_data_len);
151 
152 		os_free(msg);
153 		msg = buf;
154 		msg_len = buf_len;
155 #else /* CONFIG_FILS */
156 		goto out;
157 #endif /* CONFIG_FILS */
158 	}
159 
160 	wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
161 	ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
162 	eapol_sm_notify_tx_eapol_key(sm->eapol);
163 out:
164 	os_free(msg);
165 	return ret;
166 }
167 
168 
169 /**
170  * wpa_sm_key_request - Send EAPOL-Key Request
171  * @sm: Pointer to WPA state machine data from wpa_sm_init()
172  * @error: Indicate whether this is an Michael MIC error report
173  * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
174  *
175  * Send an EAPOL-Key Request to the current authenticator. This function is
176  * used to request rekeying and it is usually called when a local Michael MIC
177  * failure is detected.
178  */
179 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
180 {
181 	size_t mic_len, hdrlen, rlen;
182 	struct wpa_eapol_key *reply;
183 	int key_info, ver;
184 	u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic;
185 
186 	if (wpa_use_akm_defined(sm->key_mgmt))
187 		ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
188 	else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
189 		 wpa_key_mgmt_sha256(sm->key_mgmt))
190 		ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
191 	else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
192 		ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
193 	else
194 		ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
195 
196 	if (wpa_sm_get_bssid(sm, bssid) < 0) {
197 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
198 			"Failed to read BSSID for EAPOL-Key request");
199 		return;
200 	}
201 
202 	mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
203 	hdrlen = sizeof(*reply) + mic_len + 2;
204 	rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
205 				  hdrlen, &rlen, (void *) &reply);
206 	if (rbuf == NULL)
207 		return;
208 
209 	reply->type = (sm->proto == WPA_PROTO_RSN ||
210 		       sm->proto == WPA_PROTO_OSEN) ?
211 		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
212 	key_info = WPA_KEY_INFO_REQUEST | ver;
213 	if (sm->ptk_set)
214 		key_info |= WPA_KEY_INFO_SECURE;
215 	if (sm->ptk_set && mic_len)
216 		key_info |= WPA_KEY_INFO_MIC;
217 	if (error)
218 		key_info |= WPA_KEY_INFO_ERROR;
219 	if (pairwise)
220 		key_info |= WPA_KEY_INFO_KEY_TYPE;
221 	WPA_PUT_BE16(reply->key_info, key_info);
222 	WPA_PUT_BE16(reply->key_length, 0);
223 	os_memcpy(reply->replay_counter, sm->request_counter,
224 		  WPA_REPLAY_COUNTER_LEN);
225 	inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
226 
227 	mic = (u8 *) (reply + 1);
228 	WPA_PUT_BE16(mic + mic_len, 0);
229 	if (!(key_info & WPA_KEY_INFO_MIC))
230 		key_mic = NULL;
231 	else
232 		key_mic = mic;
233 
234 	wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
235 		"WPA: Sending EAPOL-Key Request (error=%d "
236 		"pairwise=%d ptk_set=%d len=%lu)",
237 		error, pairwise, sm->ptk_set, (unsigned long) rlen);
238 	wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen,
239 			   key_mic);
240 }
241 
242 
243 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
244 {
245 #ifdef CONFIG_IEEE80211R
246 	if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
247 		if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
248 			wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
249 				"RSN: Cannot set low order 256 bits of MSK for key management offload");
250 	} else {
251 #endif /* CONFIG_IEEE80211R */
252 		if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
253 			wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
254 				"RSN: Cannot set PMK for key management offload");
255 #ifdef CONFIG_IEEE80211R
256 	}
257 #endif /* CONFIG_IEEE80211R */
258 }
259 
260 
261 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
262 				  const unsigned char *src_addr,
263 				  const u8 *pmkid)
264 {
265 	int abort_cached = 0;
266 
267 	if (pmkid && !sm->cur_pmksa) {
268 		/* When using drivers that generate RSN IE, wpa_supplicant may
269 		 * not have enough time to get the association information
270 		 * event before receiving this 1/4 message, so try to find a
271 		 * matching PMKSA cache entry here. */
272 		sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid,
273 						NULL, 0);
274 		if (sm->cur_pmksa) {
275 			wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
276 				"RSN: found matching PMKID from PMKSA cache");
277 		} else {
278 			wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
279 				"RSN: no matching PMKID found");
280 			abort_cached = 1;
281 		}
282 	}
283 
284 	if (pmkid && sm->cur_pmksa &&
285 	    os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
286 		wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
287 		wpa_sm_set_pmk_from_pmksa(sm);
288 		wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
289 				sm->pmk, sm->pmk_len);
290 		eapol_sm_notify_cached(sm->eapol);
291 #ifdef CONFIG_IEEE80211R
292 		sm->xxkey_len = 0;
293 #ifdef CONFIG_SAE
294 		if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE &&
295 		    sm->pmk_len == PMK_LEN) {
296 			/* Need to allow FT key derivation to proceed with
297 			 * PMK from SAE being used as the XXKey in cases where
298 			 * the PMKID in msg 1/4 matches the PMKSA entry that was
299 			 * just added based on SAE authentication for the
300 			 * initial mobility domain association. */
301 			os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
302 			sm->xxkey_len = sm->pmk_len;
303 		}
304 #endif /* CONFIG_SAE */
305 #endif /* CONFIG_IEEE80211R */
306 	} else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
307 		int res, pmk_len;
308 
309 		if (wpa_key_mgmt_sha384(sm->key_mgmt))
310 			pmk_len = PMK_LEN_SUITE_B_192;
311 		else
312 			pmk_len = PMK_LEN;
313 		res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
314 		if (res) {
315 			if (pmk_len == PMK_LEN) {
316 				/*
317 				 * EAP-LEAP is an exception from other EAP
318 				 * methods: it uses only 16-byte PMK.
319 				 */
320 				res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
321 				pmk_len = 16;
322 			}
323 		} else {
324 #ifdef CONFIG_IEEE80211R
325 			u8 buf[2 * PMK_LEN];
326 			if (eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0)
327 			{
328 				if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
329 					os_memcpy(sm->xxkey, buf,
330 						  SHA384_MAC_LEN);
331 					sm->xxkey_len = SHA384_MAC_LEN;
332 				} else {
333 					os_memcpy(sm->xxkey, buf + PMK_LEN,
334 						  PMK_LEN);
335 					sm->xxkey_len = PMK_LEN;
336 				}
337 				os_memset(buf, 0, sizeof(buf));
338 			}
339 #endif /* CONFIG_IEEE80211R */
340 		}
341 		if (res == 0) {
342 			struct rsn_pmksa_cache_entry *sa = NULL;
343 			const u8 *fils_cache_id = NULL;
344 
345 #ifdef CONFIG_FILS
346 			if (sm->fils_cache_id_set)
347 				fils_cache_id = sm->fils_cache_id;
348 #endif /* CONFIG_FILS */
349 
350 			wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
351 					"machines", sm->pmk, pmk_len);
352 			sm->pmk_len = pmk_len;
353 			wpa_supplicant_key_mgmt_set_pmk(sm);
354 			if (sm->proto == WPA_PROTO_RSN &&
355 			    !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
356 			    !wpa_key_mgmt_ft(sm->key_mgmt)) {
357 				sa = pmksa_cache_add(sm->pmksa,
358 						     sm->pmk, pmk_len, NULL,
359 						     NULL, 0,
360 						     src_addr, sm->own_addr,
361 						     sm->network_ctx,
362 						     sm->key_mgmt,
363 						     fils_cache_id);
364 			}
365 			if (!sm->cur_pmksa && pmkid &&
366 			    pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL,
367 				    0)) {
368 				wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
369 					"RSN: the new PMK matches with the "
370 					"PMKID");
371 				abort_cached = 0;
372 			} else if (sa && !sm->cur_pmksa && pmkid) {
373 				/*
374 				 * It looks like the authentication server
375 				 * derived mismatching MSK. This should not
376 				 * really happen, but bugs happen.. There is not
377 				 * much we can do here without knowing what
378 				 * exactly caused the server to misbehave.
379 				 */
380 				wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
381 					"RSN: PMKID mismatch - authentication server may have derived different MSK?!");
382 				return -1;
383 			}
384 
385 			if (!sm->cur_pmksa)
386 				sm->cur_pmksa = sa;
387 #ifdef CONFIG_IEEE80211R
388 		} else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) {
389 			wpa_printf(MSG_DEBUG,
390 				   "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol");
391 #endif /* CONFIG_IEEE80211R */
392 		} else {
393 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
394 				"WPA: Failed to get master session key from "
395 				"EAPOL state machines - key handshake "
396 				"aborted");
397 			if (sm->cur_pmksa) {
398 				wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
399 					"RSN: Cancelled PMKSA caching "
400 					"attempt");
401 				sm->cur_pmksa = NULL;
402 				abort_cached = 1;
403 			} else if (!abort_cached) {
404 				return -1;
405 			}
406 		}
407 	}
408 
409 	if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
410 	    !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
411 	    !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
412 	{
413 		/* Send EAPOL-Start to trigger full EAP authentication. */
414 		u8 *buf;
415 		size_t buflen;
416 
417 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
418 			"RSN: no PMKSA entry found - trigger "
419 			"full EAP authentication");
420 		buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
421 					 NULL, 0, &buflen, NULL);
422 		if (buf) {
423 			wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
424 					  buf, buflen);
425 			os_free(buf);
426 			return -2;
427 		}
428 
429 		return -1;
430 	}
431 
432 	return 0;
433 }
434 
435 
436 /**
437  * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
438  * @sm: Pointer to WPA state machine data from wpa_sm_init()
439  * @dst: Destination address for the frame
440  * @key: Pointer to the EAPOL-Key frame header
441  * @ver: Version bits from EAPOL-Key Key Info
442  * @nonce: Nonce value for the EAPOL-Key frame
443  * @wpa_ie: WPA/RSN IE
444  * @wpa_ie_len: Length of the WPA/RSN IE
445  * @ptk: PTK to use for keyed hash and encryption
446  * Returns: >= 0 on success, < 0 on failure
447  */
448 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
449 			       const struct wpa_eapol_key *key,
450 			       int ver, const u8 *nonce,
451 			       const u8 *wpa_ie, size_t wpa_ie_len,
452 			       struct wpa_ptk *ptk)
453 {
454 	size_t mic_len, hdrlen, rlen;
455 	struct wpa_eapol_key *reply;
456 	u8 *rbuf, *key_mic;
457 	u8 *rsn_ie_buf = NULL;
458 	u16 key_info;
459 
460 	if (wpa_ie == NULL) {
461 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
462 			"cannot generate msg 2/4");
463 		return -1;
464 	}
465 
466 #ifdef CONFIG_IEEE80211R
467 	if (wpa_key_mgmt_ft(sm->key_mgmt)) {
468 		int res;
469 
470 		/*
471 		 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
472 		 * FTIE from (Re)Association Response.
473 		 */
474 		rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
475 				       sm->assoc_resp_ies_len);
476 		if (rsn_ie_buf == NULL)
477 			return -1;
478 		os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
479 		res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
480 				       sm->pmk_r1_name);
481 		if (res < 0) {
482 			os_free(rsn_ie_buf);
483 			return -1;
484 		}
485 
486 		if (sm->assoc_resp_ies) {
487 			os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
488 				  sm->assoc_resp_ies_len);
489 			wpa_ie_len += sm->assoc_resp_ies_len;
490 		}
491 
492 		wpa_ie = rsn_ie_buf;
493 	}
494 #endif /* CONFIG_IEEE80211R */
495 
496 	wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
497 
498 	mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
499 	hdrlen = sizeof(*reply) + mic_len + 2;
500 	rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
501 				  NULL, hdrlen + wpa_ie_len,
502 				  &rlen, (void *) &reply);
503 	if (rbuf == NULL) {
504 		os_free(rsn_ie_buf);
505 		return -1;
506 	}
507 
508 	reply->type = (sm->proto == WPA_PROTO_RSN ||
509 		       sm->proto == WPA_PROTO_OSEN) ?
510 		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
511 	key_info = ver | WPA_KEY_INFO_KEY_TYPE;
512 	if (mic_len)
513 		key_info |= WPA_KEY_INFO_MIC;
514 	else
515 		key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
516 	WPA_PUT_BE16(reply->key_info, key_info);
517 	if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
518 		WPA_PUT_BE16(reply->key_length, 0);
519 	else
520 		os_memcpy(reply->key_length, key->key_length, 2);
521 	os_memcpy(reply->replay_counter, key->replay_counter,
522 		  WPA_REPLAY_COUNTER_LEN);
523 	wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
524 		    WPA_REPLAY_COUNTER_LEN);
525 
526 	key_mic = (u8 *) (reply + 1);
527 	WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */
528 	os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
529 	os_free(rsn_ie_buf);
530 
531 	os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
532 
533 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
534 	return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
535 				  key_mic);
536 }
537 
538 
539 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
540 			  const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
541 {
542 	const u8 *z = NULL;
543 	size_t z_len = 0;
544 
545 #ifdef CONFIG_IEEE80211R
546 	if (wpa_key_mgmt_ft(sm->key_mgmt))
547 		return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
548 #endif /* CONFIG_IEEE80211R */
549 
550 #ifdef CONFIG_DPP2
551 	if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
552 		z = wpabuf_head(sm->dpp_z);
553 		z_len = wpabuf_len(sm->dpp_z);
554 	}
555 #endif /* CONFIG_DPP2 */
556 
557 	return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
558 			      sm->own_addr, sm->bssid, sm->snonce,
559 			      key->key_nonce, ptk, sm->key_mgmt,
560 			      sm->pairwise_cipher, z, z_len);
561 }
562 
563 
564 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
565 					  const unsigned char *src_addr,
566 					  const struct wpa_eapol_key *key,
567 					  u16 ver, const u8 *key_data,
568 					  size_t key_data_len)
569 {
570 	struct wpa_eapol_ie_parse ie;
571 	struct wpa_ptk *ptk;
572 	int res;
573 	u8 *kde, *kde_buf = NULL;
574 	size_t kde_len;
575 
576 	if (wpa_sm_get_network_ctx(sm) == NULL) {
577 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
578 			"found (msg 1 of 4)");
579 		return;
580 	}
581 
582 	wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
583 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way "
584 		"Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
585 
586 	os_memset(&ie, 0, sizeof(ie));
587 
588 	if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
589 		/* RSN: msg 1/4 should contain PMKID for the selected PMK */
590 		wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
591 			    key_data, key_data_len);
592 		if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
593 			goto failed;
594 		if (ie.pmkid) {
595 			wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
596 				    "Authenticator", ie.pmkid, PMKID_LEN);
597 		}
598 	}
599 
600 	res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
601 	if (res == -2) {
602 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
603 			"msg 1/4 - requesting full EAP authentication");
604 		return;
605 	}
606 	if (res)
607 		goto failed;
608 
609 	if (sm->renew_snonce) {
610 		if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
611 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
612 				"WPA: Failed to get random data for SNonce");
613 			goto failed;
614 		}
615 		sm->renew_snonce = 0;
616 		wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
617 			    sm->snonce, WPA_NONCE_LEN);
618 	}
619 
620 	/* Calculate PTK which will be stored as a temporary PTK until it has
621 	 * been verified when processing message 3/4. */
622 	ptk = &sm->tptk;
623 	if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
624 		goto failed;
625 	if (sm->pairwise_cipher == WPA_CIPHER_TKIP) {
626 		u8 buf[8];
627 		/* Supplicant: swap tx/rx Mic keys */
628 		os_memcpy(buf, &ptk->tk[16], 8);
629 		os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
630 		os_memcpy(&ptk->tk[24], buf, 8);
631 		os_memset(buf, 0, sizeof(buf));
632 	}
633 	sm->tptk_set = 1;
634 
635 	kde = sm->assoc_wpa_ie;
636 	kde_len = sm->assoc_wpa_ie_len;
637 
638 #ifdef CONFIG_OCV
639 	if (wpa_sm_ocv_enabled(sm)) {
640 		struct wpa_channel_info ci;
641 		u8 *pos;
642 
643 		if (wpa_sm_channel_info(sm, &ci) != 0) {
644 			wpa_printf(MSG_WARNING,
645 				   "Failed to get channel info for OCI element in EAPOL-Key 2/4");
646 			goto failed;
647 		}
648 
649 		kde_buf = os_malloc(kde_len + 2 + RSN_SELECTOR_LEN + 3);
650 		if (!kde_buf) {
651 			wpa_printf(MSG_WARNING,
652 				   "Failed to allocate memory for KDE with OCI in EAPOL-Key 2/4");
653 			goto failed;
654 		}
655 
656 		os_memcpy(kde_buf, kde, kde_len);
657 		kde = kde_buf;
658 		pos = kde + kde_len;
659 		if (ocv_insert_oci_kde(&ci, &pos) < 0)
660 			goto failed;
661 		kde_len = pos - kde;
662 	}
663 #endif /* CONFIG_OCV */
664 
665 #ifdef CONFIG_P2P
666 	if (sm->p2p) {
667 		kde_buf = os_malloc(kde_len + 2 + RSN_SELECTOR_LEN + 1);
668 		if (kde_buf) {
669 			u8 *pos;
670 			wpa_printf(MSG_DEBUG, "P2P: Add IP Address Request KDE "
671 				   "into EAPOL-Key 2/4");
672 			os_memcpy(kde_buf, kde, kde_len);
673 			kde = kde_buf;
674 			pos = kde + kde_len;
675 			*pos++ = WLAN_EID_VENDOR_SPECIFIC;
676 			*pos++ = RSN_SELECTOR_LEN + 1;
677 			RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
678 			pos += RSN_SELECTOR_LEN;
679 			*pos++ = 0x01;
680 			kde_len = pos - kde;
681 		}
682 	}
683 #endif /* CONFIG_P2P */
684 
685 	if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce,
686 				       kde, kde_len, ptk) < 0)
687 		goto failed;
688 
689 	os_free(kde_buf);
690 	os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
691 	return;
692 
693 failed:
694 	os_free(kde_buf);
695 	wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
696 }
697 
698 
699 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
700 {
701 	struct wpa_sm *sm = eloop_ctx;
702 	rsn_preauth_candidate_process(sm);
703 }
704 
705 
706 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
707 					    const u8 *addr, int secure)
708 {
709 	wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
710 		"WPA: Key negotiation completed with "
711 		MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
712 		wpa_cipher_txt(sm->pairwise_cipher),
713 		wpa_cipher_txt(sm->group_cipher));
714 	wpa_sm_cancel_auth_timeout(sm);
715 	wpa_sm_set_state(sm, WPA_COMPLETED);
716 
717 	if (secure) {
718 		wpa_sm_mlme_setprotection(
719 			sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
720 			MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
721 		eapol_sm_notify_portValid(sm->eapol, TRUE);
722 		if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
723 		    sm->key_mgmt == WPA_KEY_MGMT_DPP ||
724 		    sm->key_mgmt == WPA_KEY_MGMT_OWE)
725 			eapol_sm_notify_eap_success(sm->eapol, TRUE);
726 		/*
727 		 * Start preauthentication after a short wait to avoid a
728 		 * possible race condition between the data receive and key
729 		 * configuration after the 4-Way Handshake. This increases the
730 		 * likelihood of the first preauth EAPOL-Start frame getting to
731 		 * the target AP.
732 		 */
733 		if (!dl_list_empty(&sm->pmksa_candidates))
734 			eloop_register_timeout(1, 0, wpa_sm_start_preauth,
735 					       sm, NULL);
736 	}
737 
738 	if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
739 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
740 			"RSN: Authenticator accepted "
741 			"opportunistic PMKSA entry - marking it valid");
742 		sm->cur_pmksa->opportunistic = 0;
743 	}
744 
745 #ifdef CONFIG_IEEE80211R
746 	if (wpa_key_mgmt_ft(sm->key_mgmt)) {
747 		/* Prepare for the next transition */
748 		wpa_ft_prepare_auth_request(sm, NULL);
749 	}
750 #endif /* CONFIG_IEEE80211R */
751 }
752 
753 
754 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
755 {
756 	struct wpa_sm *sm = eloop_ctx;
757 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
758 	wpa_sm_key_request(sm, 0, 1);
759 }
760 
761 
762 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
763 				      const struct wpa_eapol_key *key)
764 {
765 	int keylen, rsclen;
766 	enum wpa_alg alg;
767 	const u8 *key_rsc;
768 
769 	if (sm->ptk.installed) {
770 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
771 			"WPA: Do not re-install same PTK to the driver");
772 		return 0;
773 	}
774 
775 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
776 		"WPA: Installing PTK to the driver");
777 
778 	if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
779 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
780 			"Suite: NONE - do not use pairwise keys");
781 		return 0;
782 	}
783 
784 	if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
785 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
786 			"WPA: Unsupported pairwise cipher %d",
787 			sm->pairwise_cipher);
788 		return -1;
789 	}
790 
791 	alg = wpa_cipher_to_alg(sm->pairwise_cipher);
792 	keylen = wpa_cipher_key_len(sm->pairwise_cipher);
793 	if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
794 		wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",
795 			   keylen, (long unsigned int) sm->ptk.tk_len);
796 		return -1;
797 	}
798 	rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
799 
800 	if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
801 		key_rsc = null_rsc;
802 	} else {
803 		key_rsc = key->key_rsc;
804 		wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
805 	}
806 
807 	if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, key_rsc, rsclen,
808 			   sm->ptk.tk, keylen) < 0) {
809 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
810 			"WPA: Failed to set PTK to the "
811 			"driver (alg=%d keylen=%d bssid=" MACSTR ")",
812 			alg, keylen, MAC2STR(sm->bssid));
813 		return -1;
814 	}
815 
816 	/* TK is not needed anymore in supplicant */
817 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
818 	sm->ptk.tk_len = 0;
819 	sm->ptk.installed = 1;
820 
821 	if (sm->wpa_ptk_rekey) {
822 		eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
823 		eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
824 				       sm, NULL);
825 	}
826 
827 	return 0;
828 }
829 
830 
831 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
832 					     int group_cipher,
833 					     int keylen, int maxkeylen,
834 					     int *key_rsc_len,
835 					     enum wpa_alg *alg)
836 {
837 	int klen;
838 
839 	*alg = wpa_cipher_to_alg(group_cipher);
840 	if (*alg == WPA_ALG_NONE) {
841 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
842 			"WPA: Unsupported Group Cipher %d",
843 			group_cipher);
844 		return -1;
845 	}
846 	*key_rsc_len = wpa_cipher_rsc_len(group_cipher);
847 
848 	klen = wpa_cipher_key_len(group_cipher);
849 	if (keylen != klen || maxkeylen < klen) {
850 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
851 			"WPA: Unsupported %s Group Cipher key length %d (%d)",
852 			wpa_cipher_txt(group_cipher), keylen, maxkeylen);
853 		return -1;
854 	}
855 	return 0;
856 }
857 
858 
859 struct wpa_gtk_data {
860 	enum wpa_alg alg;
861 	int tx, key_rsc_len, keyidx;
862 	u8 gtk[32];
863 	int gtk_len;
864 };
865 
866 
867 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
868 				      const struct wpa_gtk_data *gd,
869 				      const u8 *key_rsc, int wnm_sleep)
870 {
871 	const u8 *_gtk = gd->gtk;
872 	u8 gtk_buf[32];
873 
874 	/* Detect possible key reinstallation */
875 	if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
876 	     os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
877 	    (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
878 	     os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
879 		       sm->gtk_wnm_sleep.gtk_len) == 0)) {
880 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
881 			"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
882 			gd->keyidx, gd->tx, gd->gtk_len);
883 		return 0;
884 	}
885 
886 	wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
887 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
888 		"WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
889 		gd->keyidx, gd->tx, gd->gtk_len);
890 	wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
891 	if (sm->group_cipher == WPA_CIPHER_TKIP) {
892 		/* Swap Tx/Rx keys for Michael MIC */
893 		os_memcpy(gtk_buf, gd->gtk, 16);
894 		os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
895 		os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
896 		_gtk = gtk_buf;
897 	}
898 	if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
899 		if (wpa_sm_set_key(sm, gd->alg, NULL,
900 				   gd->keyidx, 1, key_rsc, gd->key_rsc_len,
901 				   _gtk, gd->gtk_len) < 0) {
902 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
903 				"WPA: Failed to set GTK to the driver "
904 				"(Group only)");
905 			os_memset(gtk_buf, 0, sizeof(gtk_buf));
906 			return -1;
907 		}
908 	} else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr,
909 				  gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
910 				  _gtk, gd->gtk_len) < 0) {
911 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
912 			"WPA: Failed to set GTK to "
913 			"the driver (alg=%d keylen=%d keyidx=%d)",
914 			gd->alg, gd->gtk_len, gd->keyidx);
915 		os_memset(gtk_buf, 0, sizeof(gtk_buf));
916 		return -1;
917 	}
918 	os_memset(gtk_buf, 0, sizeof(gtk_buf));
919 
920 	if (wnm_sleep) {
921 		sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
922 		os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
923 			  sm->gtk_wnm_sleep.gtk_len);
924 	} else {
925 		sm->gtk.gtk_len = gd->gtk_len;
926 		os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
927 	}
928 
929 	return 0;
930 }
931 
932 
933 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
934 						int tx)
935 {
936 	if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
937 		/* Ignore Tx bit for GTK if a pairwise key is used. One AP
938 		 * seemed to set this bit (incorrectly, since Tx is only when
939 		 * doing Group Key only APs) and without this workaround, the
940 		 * data connection does not work because wpa_supplicant
941 		 * configured non-zero keyidx to be used for unicast. */
942 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
943 			"WPA: Tx bit set for GTK, but pairwise "
944 			"keys are used - ignore Tx bit");
945 		return 0;
946 	}
947 	return tx;
948 }
949 
950 
951 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
952 					 const u8 *rsc)
953 {
954 	int rsclen;
955 
956 	if (!sm->wpa_rsc_relaxation)
957 		return 0;
958 
959 	rsclen = wpa_cipher_rsc_len(sm->group_cipher);
960 
961 	/*
962 	 * Try to detect RSC (endian) corruption issue where the AP sends
963 	 * the RSC bytes in EAPOL-Key message in the wrong order, both if
964 	 * it's actually a 6-byte field (as it should be) and if it treats
965 	 * it as an 8-byte field.
966 	 * An AP model known to have this bug is the Sapido RB-1632.
967 	 */
968 	if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
969 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
970 			"RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
971 			rsc[0], rsc[1], rsc[2], rsc[3],
972 			rsc[4], rsc[5], rsc[6], rsc[7]);
973 
974 		return 1;
975 	}
976 
977 	return 0;
978 }
979 
980 
981 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
982 				       const struct wpa_eapol_key *key,
983 				       const u8 *gtk, size_t gtk_len,
984 				       int key_info)
985 {
986 	struct wpa_gtk_data gd;
987 	const u8 *key_rsc;
988 
989 	/*
990 	 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
991 	 * GTK KDE format:
992 	 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
993 	 * Reserved [bits 0-7]
994 	 * GTK
995 	 */
996 
997 	os_memset(&gd, 0, sizeof(gd));
998 	wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
999 			gtk, gtk_len);
1000 
1001 	if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
1002 		return -1;
1003 
1004 	gd.keyidx = gtk[0] & 0x3;
1005 	gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1006 						     !!(gtk[0] & BIT(2)));
1007 	gtk += 2;
1008 	gtk_len -= 2;
1009 
1010 	os_memcpy(gd.gtk, gtk, gtk_len);
1011 	gd.gtk_len = gtk_len;
1012 
1013 	key_rsc = key->key_rsc;
1014 	if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1015 		key_rsc = null_rsc;
1016 
1017 	if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1018 	    (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1019 					       gtk_len, gtk_len,
1020 					       &gd.key_rsc_len, &gd.alg) ||
1021 	     wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
1022 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1023 			"RSN: Failed to install GTK");
1024 		os_memset(&gd, 0, sizeof(gd));
1025 		return -1;
1026 	}
1027 	os_memset(&gd, 0, sizeof(gd));
1028 
1029 	return 0;
1030 }
1031 
1032 
1033 #ifdef CONFIG_IEEE80211W
1034 static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
1035 				       const struct wpa_igtk_kde *igtk,
1036 				       int wnm_sleep)
1037 {
1038 	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1039 	u16 keyidx = WPA_GET_LE16(igtk->keyid);
1040 
1041 	/* Detect possible key reinstallation */
1042 	if ((sm->igtk.igtk_len == len &&
1043 	     os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
1044 	    (sm->igtk_wnm_sleep.igtk_len == len &&
1045 	     os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1046 		       sm->igtk_wnm_sleep.igtk_len) == 0)) {
1047 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1048 			"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1049 			keyidx);
1050 		return  0;
1051 	}
1052 
1053 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1054 		"WPA: IGTK keyid %d pn " COMPACT_MACSTR,
1055 		keyidx, MAC2STR(igtk->pn));
1056 	wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
1057 	if (keyidx > 4095) {
1058 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1059 			"WPA: Invalid IGTK KeyID %d", keyidx);
1060 		return -1;
1061 	}
1062 	if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1063 			   broadcast_ether_addr,
1064 			   keyidx, 0, igtk->pn, sizeof(igtk->pn),
1065 			   igtk->igtk, len) < 0) {
1066 		if (keyidx == 0x0400 || keyidx == 0x0500) {
1067 			/* Assume the AP has broken PMF implementation since it
1068 			 * seems to have swapped the KeyID bytes. The AP cannot
1069 			 * be trusted to implement BIP correctly or provide a
1070 			 * valid IGTK, so do not try to configure this key with
1071 			 * swapped KeyID bytes. Instead, continue without
1072 			 * configuring the IGTK so that the driver can drop any
1073 			 * received group-addressed robust management frames due
1074 			 * to missing keys.
1075 			 *
1076 			 * Normally, this error behavior would result in us
1077 			 * disconnecting, but there are number of deployed APs
1078 			 * with this broken behavior, so as an interoperability
1079 			 * workaround, allow the connection to proceed. */
1080 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1081 				"WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order");
1082 		} else {
1083 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1084 				"WPA: Failed to configure IGTK to the driver");
1085 			return -1;
1086 		}
1087 	}
1088 
1089 	if (wnm_sleep) {
1090 		sm->igtk_wnm_sleep.igtk_len = len;
1091 		os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1092 			  sm->igtk_wnm_sleep.igtk_len);
1093 	} else {
1094 		sm->igtk.igtk_len = len;
1095 		os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
1096 	}
1097 
1098 	return 0;
1099 }
1100 #endif /* CONFIG_IEEE80211W */
1101 
1102 
1103 static int ieee80211w_set_keys(struct wpa_sm *sm,
1104 			       struct wpa_eapol_ie_parse *ie)
1105 {
1106 #ifdef CONFIG_IEEE80211W
1107 	if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher))
1108 		return 0;
1109 
1110 	if (ie->igtk) {
1111 		size_t len;
1112 		const struct wpa_igtk_kde *igtk;
1113 
1114 		len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1115 		if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
1116 			return -1;
1117 
1118 		igtk = (const struct wpa_igtk_kde *) ie->igtk;
1119 		if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
1120 			return -1;
1121 	}
1122 
1123 	return 0;
1124 #else /* CONFIG_IEEE80211W */
1125 	return 0;
1126 #endif /* CONFIG_IEEE80211W */
1127 }
1128 
1129 
1130 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
1131 				   const char *reason, const u8 *src_addr,
1132 				   const u8 *wpa_ie, size_t wpa_ie_len,
1133 				   const u8 *rsn_ie, size_t rsn_ie_len)
1134 {
1135 	wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
1136 		reason, MAC2STR(src_addr));
1137 
1138 	if (sm->ap_wpa_ie) {
1139 		wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
1140 			    sm->ap_wpa_ie, sm->ap_wpa_ie_len);
1141 	}
1142 	if (wpa_ie) {
1143 		if (!sm->ap_wpa_ie) {
1144 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1145 				"WPA: No WPA IE in Beacon/ProbeResp");
1146 		}
1147 		wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
1148 			    wpa_ie, wpa_ie_len);
1149 	}
1150 
1151 	if (sm->ap_rsn_ie) {
1152 		wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1153 			    sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1154 	}
1155 	if (rsn_ie) {
1156 		if (!sm->ap_rsn_ie) {
1157 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1158 				"WPA: No RSN IE in Beacon/ProbeResp");
1159 		}
1160 		wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1161 			    rsn_ie, rsn_ie_len);
1162 	}
1163 
1164 	wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
1165 }
1166 
1167 
1168 #ifdef CONFIG_IEEE80211R
1169 
1170 static int ft_validate_mdie(struct wpa_sm *sm,
1171 			    const unsigned char *src_addr,
1172 			    struct wpa_eapol_ie_parse *ie,
1173 			    const u8 *assoc_resp_mdie)
1174 {
1175 	struct rsn_mdie *mdie;
1176 
1177 	mdie = (struct rsn_mdie *) (ie->mdie + 2);
1178 	if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
1179 	    os_memcmp(mdie->mobility_domain, sm->mobility_domain,
1180 		      MOBILITY_DOMAIN_ID_LEN) != 0) {
1181 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
1182 			"not match with the current mobility domain");
1183 		return -1;
1184 	}
1185 
1186 	if (assoc_resp_mdie &&
1187 	    (assoc_resp_mdie[1] != ie->mdie[1] ||
1188 	     os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
1189 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
1190 		wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
1191 			    ie->mdie, 2 + ie->mdie[1]);
1192 		wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
1193 			    assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
1194 		return -1;
1195 	}
1196 
1197 	return 0;
1198 }
1199 
1200 
1201 static int ft_validate_ftie(struct wpa_sm *sm,
1202 			    const unsigned char *src_addr,
1203 			    struct wpa_eapol_ie_parse *ie,
1204 			    const u8 *assoc_resp_ftie)
1205 {
1206 	if (ie->ftie == NULL) {
1207 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1208 			"FT: No FTIE in EAPOL-Key msg 3/4");
1209 		return -1;
1210 	}
1211 
1212 	if (assoc_resp_ftie == NULL)
1213 		return 0;
1214 
1215 	if (assoc_resp_ftie[1] != ie->ftie[1] ||
1216 	    os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
1217 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
1218 		wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
1219 			    ie->ftie, 2 + ie->ftie[1]);
1220 		wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
1221 			    assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
1222 		return -1;
1223 	}
1224 
1225 	return 0;
1226 }
1227 
1228 
1229 static int ft_validate_rsnie(struct wpa_sm *sm,
1230 			     const unsigned char *src_addr,
1231 			     struct wpa_eapol_ie_parse *ie)
1232 {
1233 	struct wpa_ie_data rsn;
1234 
1235 	if (!ie->rsn_ie)
1236 		return 0;
1237 
1238 	/*
1239 	 * Verify that PMKR1Name from EAPOL-Key message 3/4
1240 	 * matches with the value we derived.
1241 	 */
1242 	if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
1243 	    rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
1244 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
1245 			"FT 4-way handshake message 3/4");
1246 		return -1;
1247 	}
1248 
1249 	if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
1250 	{
1251 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1252 			"FT: PMKR1Name mismatch in "
1253 			"FT 4-way handshake message 3/4");
1254 		wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
1255 			    rsn.pmkid, WPA_PMK_NAME_LEN);
1256 		wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1257 			    sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1258 		return -1;
1259 	}
1260 
1261 	return 0;
1262 }
1263 
1264 
1265 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
1266 					 const unsigned char *src_addr,
1267 					 struct wpa_eapol_ie_parse *ie)
1268 {
1269 	const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
1270 
1271 	if (sm->assoc_resp_ies) {
1272 		pos = sm->assoc_resp_ies;
1273 		end = pos + sm->assoc_resp_ies_len;
1274 		while (end - pos > 2) {
1275 			if (2 + pos[1] > end - pos)
1276 				break;
1277 			switch (*pos) {
1278 			case WLAN_EID_MOBILITY_DOMAIN:
1279 				mdie = pos;
1280 				break;
1281 			case WLAN_EID_FAST_BSS_TRANSITION:
1282 				ftie = pos;
1283 				break;
1284 			}
1285 			pos += 2 + pos[1];
1286 		}
1287 	}
1288 
1289 	if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
1290 	    ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
1291 	    ft_validate_rsnie(sm, src_addr, ie) < 0)
1292 		return -1;
1293 
1294 	return 0;
1295 }
1296 
1297 #endif /* CONFIG_IEEE80211R */
1298 
1299 
1300 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
1301 				      const unsigned char *src_addr,
1302 				      struct wpa_eapol_ie_parse *ie)
1303 {
1304 	if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
1305 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1306 			"WPA: No WPA/RSN IE for this AP known. "
1307 			"Trying to get from scan results");
1308 		if (wpa_sm_get_beacon_ie(sm) < 0) {
1309 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1310 				"WPA: Could not find AP from "
1311 				"the scan results");
1312 		} else {
1313 			wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
1314 				"WPA: Found the current AP from "
1315 				"updated scan results");
1316 		}
1317 	}
1318 
1319 	if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
1320 	    (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
1321 		wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1322 				       "with IE in Beacon/ProbeResp (no IE?)",
1323 				       src_addr, ie->wpa_ie, ie->wpa_ie_len,
1324 				       ie->rsn_ie, ie->rsn_ie_len);
1325 		return -1;
1326 	}
1327 
1328 	if ((ie->wpa_ie && sm->ap_wpa_ie &&
1329 	     (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
1330 	      os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
1331 	    (ie->rsn_ie && sm->ap_rsn_ie &&
1332 	     wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
1333 				sm->ap_rsn_ie, sm->ap_rsn_ie_len,
1334 				ie->rsn_ie, ie->rsn_ie_len))) {
1335 		wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1336 				       "with IE in Beacon/ProbeResp",
1337 				       src_addr, ie->wpa_ie, ie->wpa_ie_len,
1338 				       ie->rsn_ie, ie->rsn_ie_len);
1339 		return -1;
1340 	}
1341 
1342 	if (sm->proto == WPA_PROTO_WPA &&
1343 	    ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
1344 		wpa_report_ie_mismatch(sm, "Possible downgrade attack "
1345 				       "detected - RSN was enabled and RSN IE "
1346 				       "was in msg 3/4, but not in "
1347 				       "Beacon/ProbeResp",
1348 				       src_addr, ie->wpa_ie, ie->wpa_ie_len,
1349 				       ie->rsn_ie, ie->rsn_ie_len);
1350 		return -1;
1351 	}
1352 
1353 #ifdef CONFIG_IEEE80211R
1354 	if (wpa_key_mgmt_ft(sm->key_mgmt) &&
1355 	    wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
1356 		return -1;
1357 #endif /* CONFIG_IEEE80211R */
1358 
1359 	return 0;
1360 }
1361 
1362 
1363 /**
1364  * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
1365  * @sm: Pointer to WPA state machine data from wpa_sm_init()
1366  * @dst: Destination address for the frame
1367  * @key: Pointer to the EAPOL-Key frame header
1368  * @ver: Version bits from EAPOL-Key Key Info
1369  * @key_info: Key Info
1370  * @ptk: PTK to use for keyed hash and encryption
1371  * Returns: >= 0 on success, < 0 on failure
1372  */
1373 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
1374 			       const struct wpa_eapol_key *key,
1375 			       u16 ver, u16 key_info,
1376 			       struct wpa_ptk *ptk)
1377 {
1378 	size_t mic_len, hdrlen, rlen;
1379 	struct wpa_eapol_key *reply;
1380 	u8 *rbuf, *key_mic;
1381 
1382 	mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1383 	hdrlen = sizeof(*reply) + mic_len + 2;
1384 	rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1385 				  hdrlen, &rlen, (void *) &reply);
1386 	if (rbuf == NULL)
1387 		return -1;
1388 
1389 	reply->type = (sm->proto == WPA_PROTO_RSN ||
1390 		       sm->proto == WPA_PROTO_OSEN) ?
1391 		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1392 	key_info &= WPA_KEY_INFO_SECURE;
1393 	key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
1394 	if (mic_len)
1395 		key_info |= WPA_KEY_INFO_MIC;
1396 	else
1397 		key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1398 	WPA_PUT_BE16(reply->key_info, key_info);
1399 	if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
1400 		WPA_PUT_BE16(reply->key_length, 0);
1401 	else
1402 		os_memcpy(reply->key_length, key->key_length, 2);
1403 	os_memcpy(reply->replay_counter, key->replay_counter,
1404 		  WPA_REPLAY_COUNTER_LEN);
1405 
1406 	key_mic = (u8 *) (reply + 1);
1407 	WPA_PUT_BE16(key_mic + mic_len, 0);
1408 
1409 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
1410 	return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
1411 				  key_mic);
1412 }
1413 
1414 
1415 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
1416 					  const struct wpa_eapol_key *key,
1417 					  u16 ver, const u8 *key_data,
1418 					  size_t key_data_len)
1419 {
1420 	u16 key_info, keylen;
1421 	struct wpa_eapol_ie_parse ie;
1422 
1423 	wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
1424 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 3 of 4-Way "
1425 		"Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver);
1426 
1427 	key_info = WPA_GET_BE16(key->key_info);
1428 
1429 	wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
1430 	if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
1431 		goto failed;
1432 	if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1433 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1434 			"WPA: GTK IE in unencrypted key data");
1435 		goto failed;
1436 	}
1437 #ifdef CONFIG_IEEE80211W
1438 	if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1439 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1440 			"WPA: IGTK KDE in unencrypted key data");
1441 		goto failed;
1442 	}
1443 
1444 	if (ie.igtk &&
1445 	    wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
1446 	    ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
1447 	    (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
1448 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1449 			"WPA: Invalid IGTK KDE length %lu",
1450 			(unsigned long) ie.igtk_len);
1451 		goto failed;
1452 	}
1453 #endif /* CONFIG_IEEE80211W */
1454 
1455 	if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
1456 		goto failed;
1457 
1458 	if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
1459 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1460 			"WPA: ANonce from message 1 of 4-Way Handshake "
1461 			"differs from 3 of 4-Way Handshake - drop packet (src="
1462 			MACSTR ")", MAC2STR(sm->bssid));
1463 		goto failed;
1464 	}
1465 
1466 	keylen = WPA_GET_BE16(key->key_length);
1467 	if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
1468 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1469 			"WPA: Invalid %s key length %d (src=" MACSTR
1470 			")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
1471 			MAC2STR(sm->bssid));
1472 		goto failed;
1473 	}
1474 
1475 #ifdef CONFIG_P2P
1476 	if (ie.ip_addr_alloc) {
1477 		os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
1478 		wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
1479 			    sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
1480 	}
1481 #endif /* CONFIG_P2P */
1482 
1483 #ifdef CONFIG_OCV
1484 	if (wpa_sm_ocv_enabled(sm)) {
1485 		struct wpa_channel_info ci;
1486 
1487 		if (wpa_sm_channel_info(sm, &ci) != 0) {
1488 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1489 				"Failed to get channel info to validate received OCI in EAPOL-Key 3/4");
1490 			return;
1491 		}
1492 
1493 		if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
1494 					 channel_width_to_int(ci.chanwidth),
1495 					 ci.seg1_idx) != 0) {
1496 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "%s",
1497 				ocv_errorstr);
1498 			return;
1499 		}
1500 	}
1501 #endif /* CONFIG_OCV */
1502 
1503 	if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info,
1504 				       &sm->ptk) < 0) {
1505 		goto failed;
1506 	}
1507 
1508 	/* SNonce was successfully used in msg 3/4, so mark it to be renewed
1509 	 * for the next 4-Way Handshake. If msg 3 is received again, the old
1510 	 * SNonce will still be used to avoid changing PTK. */
1511 	sm->renew_snonce = 1;
1512 
1513 	if (key_info & WPA_KEY_INFO_INSTALL) {
1514 		if (wpa_supplicant_install_ptk(sm, key))
1515 			goto failed;
1516 	}
1517 
1518 	if (key_info & WPA_KEY_INFO_SECURE) {
1519 		wpa_sm_mlme_setprotection(
1520 			sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
1521 			MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1522 		eapol_sm_notify_portValid(sm->eapol, TRUE);
1523 	}
1524 	wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1525 
1526 	if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
1527 		/* No GTK to be set to the driver */
1528 	} else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) {
1529 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1530 			"RSN: No GTK KDE included in EAPOL-Key msg 3/4");
1531 		goto failed;
1532 	} else if (ie.gtk &&
1533 	    wpa_supplicant_pairwise_gtk(sm, key,
1534 					ie.gtk, ie.gtk_len, key_info) < 0) {
1535 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1536 			"RSN: Failed to configure GTK");
1537 		goto failed;
1538 	}
1539 
1540 	if (ieee80211w_set_keys(sm, &ie) < 0) {
1541 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1542 			"RSN: Failed to configure IGTK");
1543 		goto failed;
1544 	}
1545 
1546 	if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk)
1547 		wpa_supplicant_key_neg_complete(sm, sm->bssid,
1548 						key_info & WPA_KEY_INFO_SECURE);
1549 
1550 	if (ie.gtk)
1551 		wpa_sm_set_rekey_offload(sm);
1552 
1553 	/* Add PMKSA cache entry for Suite B AKMs here since PMKID can be
1554 	 * calculated only after KCK has been derived. Though, do not replace an
1555 	 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
1556 	 * to avoid unnecessary changes of PMKID while continuing to use the
1557 	 * same PMK. */
1558 	if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
1559 	    !sm->cur_pmksa) {
1560 		struct rsn_pmksa_cache_entry *sa;
1561 
1562 		sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
1563 				     sm->ptk.kck, sm->ptk.kck_len,
1564 				     sm->bssid, sm->own_addr,
1565 				     sm->network_ctx, sm->key_mgmt, NULL);
1566 		if (!sm->cur_pmksa)
1567 			sm->cur_pmksa = sa;
1568 	}
1569 
1570 	sm->msg_3_of_4_ok = 1;
1571 	return;
1572 
1573 failed:
1574 	wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1575 }
1576 
1577 
1578 static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm,
1579 					     const u8 *keydata,
1580 					     size_t keydatalen,
1581 					     u16 key_info,
1582 					     struct wpa_gtk_data *gd)
1583 {
1584 	int maxkeylen;
1585 	struct wpa_eapol_ie_parse ie;
1586 
1587 	wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
1588 			keydata, keydatalen);
1589 	if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0)
1590 		return -1;
1591 	if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1592 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1593 			"WPA: GTK IE in unencrypted key data");
1594 		return -1;
1595 	}
1596 	if (ie.gtk == NULL) {
1597 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1598 			"WPA: No GTK IE in Group Key msg 1/2");
1599 		return -1;
1600 	}
1601 	maxkeylen = gd->gtk_len = ie.gtk_len - 2;
1602 
1603 #ifdef CONFIG_OCV
1604 	if (wpa_sm_ocv_enabled(sm)) {
1605 		struct wpa_channel_info ci;
1606 
1607 		if (wpa_sm_channel_info(sm, &ci) != 0) {
1608 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1609 				"Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
1610 			return -1;
1611 		}
1612 
1613 		if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
1614 					 channel_width_to_int(ci.chanwidth),
1615 					 ci.seg1_idx) != 0) {
1616 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "%s",
1617 				ocv_errorstr);
1618 			return -1;
1619 		}
1620 	}
1621 #endif /* CONFIG_OCV */
1622 
1623 	if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1624 					      gd->gtk_len, maxkeylen,
1625 					      &gd->key_rsc_len, &gd->alg))
1626 		return -1;
1627 
1628 	wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
1629 			ie.gtk, ie.gtk_len);
1630 	gd->keyidx = ie.gtk[0] & 0x3;
1631 	gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1632 						      !!(ie.gtk[0] & BIT(2)));
1633 	if (ie.gtk_len - 2 > sizeof(gd->gtk)) {
1634 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1635 			"RSN: Too long GTK in GTK IE (len=%lu)",
1636 			(unsigned long) ie.gtk_len - 2);
1637 		return -1;
1638 	}
1639 	os_memcpy(gd->gtk, ie.gtk + 2, ie.gtk_len - 2);
1640 
1641 	if (ieee80211w_set_keys(sm, &ie) < 0)
1642 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1643 			"RSN: Failed to configure IGTK");
1644 
1645 	return 0;
1646 }
1647 
1648 
1649 static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
1650 					     const struct wpa_eapol_key *key,
1651 					     const u8 *key_data,
1652 					     size_t key_data_len, u16 key_info,
1653 					     u16 ver, struct wpa_gtk_data *gd)
1654 {
1655 	size_t maxkeylen;
1656 	u16 gtk_len;
1657 
1658 	gtk_len = WPA_GET_BE16(key->key_length);
1659 	maxkeylen = key_data_len;
1660 	if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1661 		if (maxkeylen < 8) {
1662 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1663 				"WPA: Too short maxkeylen (%lu)",
1664 				(unsigned long) maxkeylen);
1665 			return -1;
1666 		}
1667 		maxkeylen -= 8;
1668 	}
1669 
1670 	if (gtk_len > maxkeylen ||
1671 	    wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1672 					      gtk_len, maxkeylen,
1673 					      &gd->key_rsc_len, &gd->alg))
1674 		return -1;
1675 
1676 	gd->gtk_len = gtk_len;
1677 	gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1678 		WPA_KEY_INFO_KEY_INDEX_SHIFT;
1679 	if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
1680 #ifdef CONFIG_NO_RC4
1681 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1682 			"WPA: RC4 not supported in the build");
1683 		return -1;
1684 #else /* CONFIG_NO_RC4 */
1685 		u8 ek[32];
1686 		if (key_data_len > sizeof(gd->gtk)) {
1687 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1688 				"WPA: RC4 key data too long (%lu)",
1689 				(unsigned long) key_data_len);
1690 			return -1;
1691 		}
1692 		os_memcpy(ek, key->key_iv, 16);
1693 		os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
1694 		os_memcpy(gd->gtk, key_data, key_data_len);
1695 		if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) {
1696 			os_memset(ek, 0, sizeof(ek));
1697 			wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1698 				"WPA: RC4 failed");
1699 			return -1;
1700 		}
1701 		os_memset(ek, 0, sizeof(ek));
1702 #endif /* CONFIG_NO_RC4 */
1703 	} else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1704 		if (maxkeylen % 8) {
1705 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1706 				"WPA: Unsupported AES-WRAP len %lu",
1707 				(unsigned long) maxkeylen);
1708 			return -1;
1709 		}
1710 		if (maxkeylen > sizeof(gd->gtk)) {
1711 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1712 				"WPA: AES-WRAP key data "
1713 				"too long (keydatalen=%lu maxkeylen=%lu)",
1714 				(unsigned long) key_data_len,
1715 				(unsigned long) maxkeylen);
1716 			return -1;
1717 		}
1718 		if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
1719 			       key_data, gd->gtk)) {
1720 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1721 				"WPA: AES unwrap failed - could not decrypt "
1722 				"GTK");
1723 			return -1;
1724 		}
1725 	} else {
1726 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1727 			"WPA: Unsupported key_info type %d", ver);
1728 		return -1;
1729 	}
1730 	gd->tx = wpa_supplicant_gtk_tx_bit_workaround(
1731 		sm, !!(key_info & WPA_KEY_INFO_TXRX));
1732 	return 0;
1733 }
1734 
1735 
1736 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
1737 				      const struct wpa_eapol_key *key,
1738 				      int ver, u16 key_info)
1739 {
1740 	size_t mic_len, hdrlen, rlen;
1741 	struct wpa_eapol_key *reply;
1742 	u8 *rbuf, *key_mic;
1743 	size_t kde_len = 0;
1744 
1745 #ifdef CONFIG_OCV
1746 	if (wpa_sm_ocv_enabled(sm))
1747 		kde_len = OCV_OCI_KDE_LEN;
1748 #endif /* CONFIG_OCV */
1749 
1750 	mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1751 	hdrlen = sizeof(*reply) + mic_len + 2;
1752 	rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1753 				  hdrlen + kde_len, &rlen, (void *) &reply);
1754 	if (rbuf == NULL)
1755 		return -1;
1756 
1757 	reply->type = (sm->proto == WPA_PROTO_RSN ||
1758 		       sm->proto == WPA_PROTO_OSEN) ?
1759 		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1760 	key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
1761 	key_info |= ver | WPA_KEY_INFO_SECURE;
1762 	if (mic_len)
1763 		key_info |= WPA_KEY_INFO_MIC;
1764 	else
1765 		key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1766 	WPA_PUT_BE16(reply->key_info, key_info);
1767 	if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
1768 		WPA_PUT_BE16(reply->key_length, 0);
1769 	else
1770 		os_memcpy(reply->key_length, key->key_length, 2);
1771 	os_memcpy(reply->replay_counter, key->replay_counter,
1772 		  WPA_REPLAY_COUNTER_LEN);
1773 
1774 	key_mic = (u8 *) (reply + 1);
1775 	WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */
1776 
1777 #ifdef CONFIG_OCV
1778 	if (wpa_sm_ocv_enabled(sm)) {
1779 		struct wpa_channel_info ci;
1780 		u8 *pos;
1781 
1782 		if (wpa_sm_channel_info(sm, &ci) != 0) {
1783 			wpa_printf(MSG_WARNING,
1784 				   "Failed to get channel info for OCI element in EAPOL-Key 2/2");
1785 			os_free(rbuf);
1786 			return -1;
1787 		}
1788 
1789 		pos = key_mic + mic_len + 2; /* Key Data */
1790 		if (ocv_insert_oci_kde(&ci, &pos) < 0) {
1791 			os_free(rbuf);
1792 			return -1;
1793 		}
1794 	}
1795 #endif /* CONFIG_OCV */
1796 
1797 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
1798 	return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL,
1799 				  rbuf, rlen, key_mic);
1800 }
1801 
1802 
1803 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
1804 					  const unsigned char *src_addr,
1805 					  const struct wpa_eapol_key *key,
1806 					  const u8 *key_data,
1807 					  size_t key_data_len, u16 ver)
1808 {
1809 	u16 key_info;
1810 	int rekey, ret;
1811 	struct wpa_gtk_data gd;
1812 	const u8 *key_rsc;
1813 
1814 	if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
1815 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1816 			"WPA: Group Key Handshake started prior to completion of 4-way handshake");
1817 		goto failed;
1818 	}
1819 
1820 	os_memset(&gd, 0, sizeof(gd));
1821 
1822 	rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
1823 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key "
1824 		"Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
1825 
1826 	key_info = WPA_GET_BE16(key->key_info);
1827 
1828 	if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
1829 		ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data,
1830 							key_data_len, key_info,
1831 							&gd);
1832 	} else {
1833 		ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data,
1834 							key_data_len,
1835 							key_info, ver, &gd);
1836 	}
1837 
1838 	wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1839 
1840 	if (ret)
1841 		goto failed;
1842 
1843 	key_rsc = key->key_rsc;
1844 	if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1845 		key_rsc = null_rsc;
1846 
1847 	if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
1848 	    wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
1849 		goto failed;
1850 	os_memset(&gd, 0, sizeof(gd));
1851 
1852 	if (rekey) {
1853 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying "
1854 			"completed with " MACSTR " [GTK=%s]",
1855 			MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
1856 		wpa_sm_cancel_auth_timeout(sm);
1857 		wpa_sm_set_state(sm, WPA_COMPLETED);
1858 	} else {
1859 		wpa_supplicant_key_neg_complete(sm, sm->bssid,
1860 						key_info &
1861 						WPA_KEY_INFO_SECURE);
1862 	}
1863 
1864 	wpa_sm_set_rekey_offload(sm);
1865 
1866 	return;
1867 
1868 failed:
1869 	os_memset(&gd, 0, sizeof(gd));
1870 	wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1871 }
1872 
1873 
1874 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
1875 					       struct wpa_eapol_key *key,
1876 					       u16 ver,
1877 					       const u8 *buf, size_t len)
1878 {
1879 	u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
1880 	int ok = 0;
1881 	size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1882 
1883 	os_memcpy(mic, key + 1, mic_len);
1884 	if (sm->tptk_set) {
1885 		os_memset(key + 1, 0, mic_len);
1886 		if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
1887 				      sm->key_mgmt,
1888 				      ver, buf, len, (u8 *) (key + 1)) < 0 ||
1889 		    os_memcmp_const(mic, key + 1, mic_len) != 0) {
1890 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1891 				"WPA: Invalid EAPOL-Key MIC "
1892 				"when using TPTK - ignoring TPTK");
1893 #ifdef TEST_FUZZ
1894 			wpa_printf(MSG_INFO,
1895 				   "TEST: Ignore Key MIC failure for fuzz testing");
1896 			goto continue_fuzz;
1897 #endif /* TEST_FUZZ */
1898 		} else {
1899 #ifdef TEST_FUZZ
1900 		continue_fuzz:
1901 #endif /* TEST_FUZZ */
1902 			ok = 1;
1903 			sm->tptk_set = 0;
1904 			sm->ptk_set = 1;
1905 			os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
1906 			os_memset(&sm->tptk, 0, sizeof(sm->tptk));
1907 			/*
1908 			 * This assures the same TPTK in sm->tptk can never be
1909 			 * copied twice to sm->ptk as the new PTK. In
1910 			 * combination with the installed flag in the wpa_ptk
1911 			 * struct, this assures the same PTK is only installed
1912 			 * once.
1913 			 */
1914 			sm->renew_snonce = 1;
1915 		}
1916 	}
1917 
1918 	if (!ok && sm->ptk_set) {
1919 		os_memset(key + 1, 0, mic_len);
1920 		if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
1921 				      sm->key_mgmt,
1922 				      ver, buf, len, (u8 *) (key + 1)) < 0 ||
1923 		    os_memcmp_const(mic, key + 1, mic_len) != 0) {
1924 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1925 				"WPA: Invalid EAPOL-Key MIC - "
1926 				"dropping packet");
1927 #ifdef TEST_FUZZ
1928 			wpa_printf(MSG_INFO,
1929 				   "TEST: Ignore Key MIC failure for fuzz testing");
1930 			goto continue_fuzz2;
1931 #endif /* TEST_FUZZ */
1932 			return -1;
1933 		}
1934 #ifdef TEST_FUZZ
1935 	continue_fuzz2:
1936 #endif /* TEST_FUZZ */
1937 		ok = 1;
1938 	}
1939 
1940 	if (!ok) {
1941 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1942 			"WPA: Could not verify EAPOL-Key MIC - "
1943 			"dropping packet");
1944 		return -1;
1945 	}
1946 
1947 	os_memcpy(sm->rx_replay_counter, key->replay_counter,
1948 		  WPA_REPLAY_COUNTER_LEN);
1949 	sm->rx_replay_counter_set = 1;
1950 	return 0;
1951 }
1952 
1953 
1954 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
1955 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
1956 					   struct wpa_eapol_key *key,
1957 					   size_t mic_len, u16 ver,
1958 					   u8 *key_data, size_t *key_data_len)
1959 {
1960 	wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
1961 		    key_data, *key_data_len);
1962 	if (!sm->ptk_set) {
1963 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1964 			"WPA: PTK not available, cannot decrypt EAPOL-Key Key "
1965 			"Data");
1966 		return -1;
1967 	}
1968 
1969 	/* Decrypt key data here so that this operation does not need
1970 	 * to be implemented separately for each message type. */
1971 	if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
1972 #ifdef CONFIG_NO_RC4
1973 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1974 			"WPA: RC4 not supported in the build");
1975 		return -1;
1976 #else /* CONFIG_NO_RC4 */
1977 		u8 ek[32];
1978 
1979 		wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
1980 		os_memcpy(ek, key->key_iv, 16);
1981 		os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
1982 		if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
1983 			os_memset(ek, 0, sizeof(ek));
1984 			wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1985 				"WPA: RC4 failed");
1986 			return -1;
1987 		}
1988 		os_memset(ek, 0, sizeof(ek));
1989 #endif /* CONFIG_NO_RC4 */
1990 	} else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1991 		   ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
1992 		   wpa_use_aes_key_wrap(sm->key_mgmt)) {
1993 		u8 *buf;
1994 
1995 		wpa_printf(MSG_DEBUG,
1996 			   "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
1997 			   (unsigned int) sm->ptk.kek_len);
1998 		if (*key_data_len < 8 || *key_data_len % 8) {
1999 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2000 				"WPA: Unsupported AES-WRAP len %u",
2001 				(unsigned int) *key_data_len);
2002 			return -1;
2003 		}
2004 		*key_data_len -= 8; /* AES-WRAP adds 8 bytes */
2005 		buf = os_malloc(*key_data_len);
2006 		if (buf == NULL) {
2007 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2008 				"WPA: No memory for AES-UNWRAP buffer");
2009 			return -1;
2010 		}
2011 #ifdef TEST_FUZZ
2012 		os_memset(buf, 0x11, *key_data_len);
2013 #endif /* TEST_FUZZ */
2014 		if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
2015 			       key_data, buf)) {
2016 #ifdef TEST_FUZZ
2017 			wpa_printf(MSG_INFO,
2018 				   "TEST: Ignore AES unwrap failure for fuzz testing");
2019 			goto continue_fuzz;
2020 #endif /* TEST_FUZZ */
2021 			bin_clear_free(buf, *key_data_len);
2022 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2023 				"WPA: AES unwrap failed - "
2024 				"could not decrypt EAPOL-Key key data");
2025 			return -1;
2026 		}
2027 #ifdef TEST_FUZZ
2028 	continue_fuzz:
2029 #endif /* TEST_FUZZ */
2030 		os_memcpy(key_data, buf, *key_data_len);
2031 		bin_clear_free(buf, *key_data_len);
2032 		WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
2033 	} else {
2034 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2035 			"WPA: Unsupported key_info type %d", ver);
2036 		return -1;
2037 	}
2038 	wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
2039 			key_data, *key_data_len);
2040 	return 0;
2041 }
2042 
2043 
2044 /**
2045  * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
2046  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2047  */
2048 void wpa_sm_aborted_cached(struct wpa_sm *sm)
2049 {
2050 	if (sm && sm->cur_pmksa) {
2051 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2052 			"RSN: Cancelling PMKSA caching attempt");
2053 		sm->cur_pmksa = NULL;
2054 	}
2055 }
2056 
2057 
2058 static void wpa_eapol_key_dump(struct wpa_sm *sm,
2059 			       const struct wpa_eapol_key *key,
2060 			       unsigned int key_data_len,
2061 			       const u8 *mic, unsigned int mic_len)
2062 {
2063 #ifndef CONFIG_NO_STDOUT_DEBUG
2064 	u16 key_info = WPA_GET_BE16(key->key_info);
2065 
2066 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "  EAPOL-Key type=%d", key->type);
2067 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2068 		"  key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
2069 		key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
2070 		(key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
2071 		WPA_KEY_INFO_KEY_INDEX_SHIFT,
2072 		(key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
2073 		key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
2074 		key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
2075 		key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
2076 		key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
2077 		key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
2078 		key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
2079 		key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
2080 		key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
2081 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2082 		"  key_length=%u key_data_length=%u",
2083 		WPA_GET_BE16(key->key_length), key_data_len);
2084 	wpa_hexdump(MSG_DEBUG, "  replay_counter",
2085 		    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
2086 	wpa_hexdump(MSG_DEBUG, "  key_nonce", key->key_nonce, WPA_NONCE_LEN);
2087 	wpa_hexdump(MSG_DEBUG, "  key_iv", key->key_iv, 16);
2088 	wpa_hexdump(MSG_DEBUG, "  key_rsc", key->key_rsc, 8);
2089 	wpa_hexdump(MSG_DEBUG, "  key_id (reserved)", key->key_id, 8);
2090 	wpa_hexdump(MSG_DEBUG, "  key_mic", mic, mic_len);
2091 #endif /* CONFIG_NO_STDOUT_DEBUG */
2092 }
2093 
2094 
2095 #ifdef CONFIG_FILS
2096 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
2097 				 size_t *key_data_len)
2098 {
2099 	struct wpa_ptk *ptk;
2100 	struct ieee802_1x_hdr *hdr;
2101 	struct wpa_eapol_key *key;
2102 	u8 *pos, *tmp;
2103 	const u8 *aad[1];
2104 	size_t aad_len[1];
2105 
2106 	if (*key_data_len < AES_BLOCK_SIZE) {
2107 		wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
2108 		return -1;
2109 	}
2110 
2111 	if (sm->tptk_set)
2112 		ptk = &sm->tptk;
2113 	else if (sm->ptk_set)
2114 		ptk = &sm->ptk;
2115 	else
2116 		return -1;
2117 
2118 	hdr = (struct ieee802_1x_hdr *) buf;
2119 	key = (struct wpa_eapol_key *) (hdr + 1);
2120 	pos = (u8 *) (key + 1);
2121 	pos += 2; /* Pointing at the Encrypted Key Data field */
2122 
2123 	tmp = os_malloc(*key_data_len);
2124 	if (!tmp)
2125 		return -1;
2126 
2127 	/* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2128 	 * to Key Data (exclusive). */
2129 	aad[0] = buf;
2130 	aad_len[0] = pos - buf;
2131 	if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
2132 			    1, aad, aad_len, tmp) < 0) {
2133 		wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
2134 		bin_clear_free(tmp, *key_data_len);
2135 		return -1;
2136 	}
2137 
2138 	/* AEAD decryption and validation completed successfully */
2139 	(*key_data_len) -= AES_BLOCK_SIZE;
2140 	wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2141 			tmp, *key_data_len);
2142 
2143 	/* Replace Key Data field with the decrypted version */
2144 	os_memcpy(pos, tmp, *key_data_len);
2145 	pos -= 2; /* Key Data Length field */
2146 	WPA_PUT_BE16(pos, *key_data_len);
2147 	bin_clear_free(tmp, *key_data_len);
2148 
2149 	if (sm->tptk_set) {
2150 		sm->tptk_set = 0;
2151 		sm->ptk_set = 1;
2152 		os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
2153 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
2154 	}
2155 
2156 	os_memcpy(sm->rx_replay_counter, key->replay_counter,
2157 		  WPA_REPLAY_COUNTER_LEN);
2158 	sm->rx_replay_counter_set = 1;
2159 
2160 	return 0;
2161 }
2162 #endif /* CONFIG_FILS */
2163 
2164 
2165 /**
2166  * wpa_sm_rx_eapol - Process received WPA EAPOL frames
2167  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2168  * @src_addr: Source MAC address of the EAPOL packet
2169  * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
2170  * @len: Length of the EAPOL frame
2171  * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
2172  *
2173  * This function is called for each received EAPOL frame. Other than EAPOL-Key
2174  * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
2175  * only processing WPA and WPA2 EAPOL-Key frames.
2176  *
2177  * The received EAPOL-Key packets are validated and valid packets are replied
2178  * to. In addition, key material (PTK, GTK) is configured at the end of a
2179  * successful key handshake.
2180  */
2181 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
2182 		    const u8 *buf, size_t len)
2183 {
2184 	size_t plen, data_len, key_data_len;
2185 	const struct ieee802_1x_hdr *hdr;
2186 	struct wpa_eapol_key *key;
2187 	u16 key_info, ver;
2188 	u8 *tmp = NULL;
2189 	int ret = -1;
2190 	u8 *mic, *key_data;
2191 	size_t mic_len, keyhdrlen;
2192 
2193 #ifdef CONFIG_IEEE80211R
2194 	sm->ft_completed = 0;
2195 #endif /* CONFIG_IEEE80211R */
2196 
2197 	mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2198 	keyhdrlen = sizeof(*key) + mic_len + 2;
2199 
2200 	if (len < sizeof(*hdr) + keyhdrlen) {
2201 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2202 			"WPA: EAPOL frame too short to be a WPA "
2203 			"EAPOL-Key (len %lu, expecting at least %lu)",
2204 			(unsigned long) len,
2205 			(unsigned long) sizeof(*hdr) + keyhdrlen);
2206 		return 0;
2207 	}
2208 
2209 	hdr = (const struct ieee802_1x_hdr *) buf;
2210 	plen = be_to_host16(hdr->length);
2211 	data_len = plen + sizeof(*hdr);
2212 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2213 		"IEEE 802.1X RX: version=%d type=%d length=%lu",
2214 		hdr->version, hdr->type, (unsigned long) plen);
2215 
2216 	if (hdr->version < EAPOL_VERSION) {
2217 		/* TODO: backwards compatibility */
2218 	}
2219 	if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
2220 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2221 			"WPA: EAPOL frame (type %u) discarded, "
2222 			"not a Key frame", hdr->type);
2223 		ret = 0;
2224 		goto out;
2225 	}
2226 	wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
2227 	if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
2228 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2229 			"WPA: EAPOL frame payload size %lu "
2230 			"invalid (frame size %lu)",
2231 			(unsigned long) plen, (unsigned long) len);
2232 		ret = 0;
2233 		goto out;
2234 	}
2235 	if (data_len < len) {
2236 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2237 			"WPA: ignoring %lu bytes after the IEEE 802.1X data",
2238 			(unsigned long) len - data_len);
2239 	}
2240 
2241 	/*
2242 	 * Make a copy of the frame since we need to modify the buffer during
2243 	 * MAC validation and Key Data decryption.
2244 	 */
2245 	tmp = os_memdup(buf, data_len);
2246 	if (tmp == NULL)
2247 		goto out;
2248 	key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
2249 	mic = (u8 *) (key + 1);
2250 	key_data = mic + mic_len + 2;
2251 
2252 	if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
2253 	{
2254 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2255 			"WPA: EAPOL-Key type (%d) unknown, discarded",
2256 			key->type);
2257 		ret = 0;
2258 		goto out;
2259 	}
2260 
2261 	key_data_len = WPA_GET_BE16(mic + mic_len);
2262 	wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
2263 
2264 	if (key_data_len > plen - keyhdrlen) {
2265 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
2266 			"frame - key_data overflow (%u > %u)",
2267 			(unsigned int) key_data_len,
2268 			(unsigned int) (plen - keyhdrlen));
2269 		goto out;
2270 	}
2271 
2272 	eapol_sm_notify_lower_layer_success(sm->eapol, 0);
2273 	key_info = WPA_GET_BE16(key->key_info);
2274 	ver = key_info & WPA_KEY_INFO_TYPE_MASK;
2275 	if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
2276 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
2277 	    ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2278 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
2279 	    ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
2280 	    !wpa_use_akm_defined(sm->key_mgmt)) {
2281 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2282 			"WPA: Unsupported EAPOL-Key descriptor version %d",
2283 			ver);
2284 		goto out;
2285 	}
2286 
2287 	if (wpa_use_akm_defined(sm->key_mgmt) &&
2288 	    ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
2289 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2290 			"RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
2291 			ver);
2292 		goto out;
2293 	}
2294 
2295 #ifdef CONFIG_IEEE80211R
2296 	if (wpa_key_mgmt_ft(sm->key_mgmt)) {
2297 		/* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
2298 		if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2299 		    !wpa_use_akm_defined(sm->key_mgmt)) {
2300 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2301 				"FT: AP did not use AES-128-CMAC");
2302 			goto out;
2303 		}
2304 	} else
2305 #endif /* CONFIG_IEEE80211R */
2306 #ifdef CONFIG_IEEE80211W
2307 	if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
2308 		if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2309 		    !wpa_use_akm_defined(sm->key_mgmt)) {
2310 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2311 				"WPA: AP did not use the "
2312 				"negotiated AES-128-CMAC");
2313 			goto out;
2314 		}
2315 	} else
2316 #endif /* CONFIG_IEEE80211W */
2317 	if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
2318 	    !wpa_use_akm_defined(sm->key_mgmt) &&
2319 	    ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2320 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2321 			"WPA: CCMP is used, but EAPOL-Key "
2322 			"descriptor version (%d) is not 2", ver);
2323 		if (sm->group_cipher != WPA_CIPHER_CCMP &&
2324 		    !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
2325 			/* Earlier versions of IEEE 802.11i did not explicitly
2326 			 * require version 2 descriptor for all EAPOL-Key
2327 			 * packets, so allow group keys to use version 1 if
2328 			 * CCMP is not used for them. */
2329 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2330 				"WPA: Backwards compatibility: allow invalid "
2331 				"version for non-CCMP group keys");
2332 		} else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
2333 			wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2334 				"WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
2335 		} else
2336 			goto out;
2337 	} else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
2338 		   !wpa_use_akm_defined(sm->key_mgmt) &&
2339 		   ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2340 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2341 			"WPA: GCMP is used, but EAPOL-Key "
2342 			"descriptor version (%d) is not 2", ver);
2343 		goto out;
2344 	}
2345 
2346 	if (sm->rx_replay_counter_set &&
2347 	    os_memcmp(key->replay_counter, sm->rx_replay_counter,
2348 		      WPA_REPLAY_COUNTER_LEN) <= 0) {
2349 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2350 			"WPA: EAPOL-Key Replay Counter did not increase - "
2351 			"dropping packet");
2352 		goto out;
2353 	}
2354 
2355 	if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
2356 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2357 			"WPA: Unsupported SMK bit in key_info");
2358 		goto out;
2359 	}
2360 
2361 	if (!(key_info & WPA_KEY_INFO_ACK)) {
2362 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2363 			"WPA: No Ack bit in key_info");
2364 		goto out;
2365 	}
2366 
2367 	if (key_info & WPA_KEY_INFO_REQUEST) {
2368 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2369 			"WPA: EAPOL-Key with Request bit - dropped");
2370 		goto out;
2371 	}
2372 
2373 	if ((key_info & WPA_KEY_INFO_MIC) &&
2374 	    wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
2375 		goto out;
2376 
2377 #ifdef CONFIG_FILS
2378 	if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2379 		if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
2380 			goto out;
2381 	}
2382 #endif /* CONFIG_FILS */
2383 
2384 	if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
2385 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
2386 		/*
2387 		 * Only decrypt the Key Data field if the frame's authenticity
2388 		 * was verified. When using AES-SIV (FILS), the MIC flag is not
2389 		 * set, so this check should only be performed if mic_len != 0
2390 		 * which is the case in this code branch.
2391 		 */
2392 		if (!(key_info & WPA_KEY_INFO_MIC)) {
2393 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2394 				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
2395 			goto out;
2396 		}
2397 		if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
2398 						    ver, key_data,
2399 						    &key_data_len))
2400 			goto out;
2401 	}
2402 
2403 	if (key_info & WPA_KEY_INFO_KEY_TYPE) {
2404 		if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
2405 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2406 				"WPA: Ignored EAPOL-Key (Pairwise) with "
2407 				"non-zero key index");
2408 			goto out;
2409 		}
2410 		if (key_info & (WPA_KEY_INFO_MIC |
2411 				WPA_KEY_INFO_ENCR_KEY_DATA)) {
2412 			/* 3/4 4-Way Handshake */
2413 			wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
2414 						      key_data_len);
2415 		} else {
2416 			/* 1/4 4-Way Handshake */
2417 			wpa_supplicant_process_1_of_4(sm, src_addr, key,
2418 						      ver, key_data,
2419 						      key_data_len);
2420 		}
2421 	} else {
2422 		if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
2423 		    (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
2424 			/* 1/2 Group Key Handshake */
2425 			wpa_supplicant_process_1_of_2(sm, src_addr, key,
2426 						      key_data, key_data_len,
2427 						      ver);
2428 		} else {
2429 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2430 				"WPA: EAPOL-Key (Group) without Mic/Encr bit - "
2431 				"dropped");
2432 		}
2433 	}
2434 
2435 	ret = 1;
2436 
2437 out:
2438 	bin_clear_free(tmp, data_len);
2439 	return ret;
2440 }
2441 
2442 
2443 #ifdef CONFIG_CTRL_IFACE
2444 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
2445 {
2446 	switch (sm->key_mgmt) {
2447 	case WPA_KEY_MGMT_IEEE8021X:
2448 		return ((sm->proto == WPA_PROTO_RSN ||
2449 			 sm->proto == WPA_PROTO_OSEN) ?
2450 			RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
2451 			WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
2452 	case WPA_KEY_MGMT_PSK:
2453 		return (sm->proto == WPA_PROTO_RSN ?
2454 			RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
2455 			WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
2456 #ifdef CONFIG_IEEE80211R
2457 	case WPA_KEY_MGMT_FT_IEEE8021X:
2458 		return RSN_AUTH_KEY_MGMT_FT_802_1X;
2459 	case WPA_KEY_MGMT_FT_PSK:
2460 		return RSN_AUTH_KEY_MGMT_FT_PSK;
2461 #endif /* CONFIG_IEEE80211R */
2462 #ifdef CONFIG_IEEE80211W
2463 	case WPA_KEY_MGMT_IEEE8021X_SHA256:
2464 		return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2465 	case WPA_KEY_MGMT_PSK_SHA256:
2466 		return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2467 #endif /* CONFIG_IEEE80211W */
2468 	case WPA_KEY_MGMT_CCKM:
2469 		return (sm->proto == WPA_PROTO_RSN ?
2470 			RSN_AUTH_KEY_MGMT_CCKM:
2471 			WPA_AUTH_KEY_MGMT_CCKM);
2472 	case WPA_KEY_MGMT_WPA_NONE:
2473 		return WPA_AUTH_KEY_MGMT_NONE;
2474 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2475 		return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
2476 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2477 		return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
2478 	default:
2479 		return 0;
2480 	}
2481 }
2482 
2483 
2484 #define RSN_SUITE "%02x-%02x-%02x-%d"
2485 #define RSN_SUITE_ARG(s) \
2486 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2487 
2488 /**
2489  * wpa_sm_get_mib - Dump text list of MIB entries
2490  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2491  * @buf: Buffer for the list
2492  * @buflen: Length of the buffer
2493  * Returns: Number of bytes written to buffer
2494  *
2495  * This function is used fetch dot11 MIB variables.
2496  */
2497 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
2498 {
2499 	char pmkid_txt[PMKID_LEN * 2 + 1];
2500 	int rsna, ret;
2501 	size_t len;
2502 
2503 	if (sm->cur_pmksa) {
2504 		wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2505 				 sm->cur_pmksa->pmkid, PMKID_LEN);
2506 	} else
2507 		pmkid_txt[0] = '\0';
2508 
2509 	if ((wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
2510 	     wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
2511 	    sm->proto == WPA_PROTO_RSN)
2512 		rsna = 1;
2513 	else
2514 		rsna = 0;
2515 
2516 	ret = os_snprintf(buf, buflen,
2517 			  "dot11RSNAOptionImplemented=TRUE\n"
2518 			  "dot11RSNAPreauthenticationImplemented=TRUE\n"
2519 			  "dot11RSNAEnabled=%s\n"
2520 			  "dot11RSNAPreauthenticationEnabled=%s\n"
2521 			  "dot11RSNAConfigVersion=%d\n"
2522 			  "dot11RSNAConfigPairwiseKeysSupported=5\n"
2523 			  "dot11RSNAConfigGroupCipherSize=%d\n"
2524 			  "dot11RSNAConfigPMKLifetime=%d\n"
2525 			  "dot11RSNAConfigPMKReauthThreshold=%d\n"
2526 			  "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
2527 			  "dot11RSNAConfigSATimeout=%d\n",
2528 			  rsna ? "TRUE" : "FALSE",
2529 			  rsna ? "TRUE" : "FALSE",
2530 			  RSN_VERSION,
2531 			  wpa_cipher_key_len(sm->group_cipher) * 8,
2532 			  sm->dot11RSNAConfigPMKLifetime,
2533 			  sm->dot11RSNAConfigPMKReauthThreshold,
2534 			  sm->dot11RSNAConfigSATimeout);
2535 	if (os_snprintf_error(buflen, ret))
2536 		return 0;
2537 	len = ret;
2538 
2539 	ret = os_snprintf(
2540 		buf + len, buflen - len,
2541 		"dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2542 		"dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2543 		"dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2544 		"dot11RSNAPMKIDUsed=%s\n"
2545 		"dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2546 		"dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2547 		"dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2548 		"dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
2549 		"dot11RSNA4WayHandshakeFailures=%u\n",
2550 		RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
2551 		RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2552 						  sm->pairwise_cipher)),
2553 		RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2554 						  sm->group_cipher)),
2555 		pmkid_txt,
2556 		RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
2557 		RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2558 						  sm->pairwise_cipher)),
2559 		RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2560 						  sm->group_cipher)),
2561 		sm->dot11RSNA4WayHandshakeFailures);
2562 	if (!os_snprintf_error(buflen - len, ret))
2563 		len += ret;
2564 
2565 	return (int) len;
2566 }
2567 #endif /* CONFIG_CTRL_IFACE */
2568 
2569 
2570 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
2571 				 void *ctx, enum pmksa_free_reason reason)
2572 {
2573 	struct wpa_sm *sm = ctx;
2574 	int deauth = 0;
2575 
2576 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
2577 		MACSTR " reason=%d", MAC2STR(entry->aa), reason);
2578 
2579 	if (sm->cur_pmksa == entry) {
2580 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2581 			"RSN: %s current PMKSA entry",
2582 			reason == PMKSA_REPLACE ? "replaced" : "removed");
2583 		pmksa_cache_clear_current(sm);
2584 
2585 		/*
2586 		 * If an entry is simply being replaced, there's no need to
2587 		 * deauthenticate because it will be immediately re-added.
2588 		 * This happens when EAP authentication is completed again
2589 		 * (reauth or failed PMKSA caching attempt).
2590 		 */
2591 		if (reason != PMKSA_REPLACE)
2592 			deauth = 1;
2593 	}
2594 
2595 	if (reason == PMKSA_EXPIRE &&
2596 	    (sm->pmk_len == entry->pmk_len &&
2597 	     os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
2598 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2599 			"RSN: deauthenticating due to expired PMK");
2600 		pmksa_cache_clear_current(sm);
2601 		deauth = 1;
2602 	}
2603 
2604 	if (deauth) {
2605 		sm->pmk_len = 0;
2606 		os_memset(sm->pmk, 0, sizeof(sm->pmk));
2607 		wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2608 	}
2609 }
2610 
2611 
2612 /**
2613  * wpa_sm_init - Initialize WPA state machine
2614  * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
2615  * Returns: Pointer to the allocated WPA state machine data
2616  *
2617  * This function is used to allocate a new WPA state machine and the returned
2618  * value is passed to all WPA state machine calls.
2619  */
2620 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
2621 {
2622 	struct wpa_sm *sm;
2623 
2624 	sm = os_zalloc(sizeof(*sm));
2625 	if (sm == NULL)
2626 		return NULL;
2627 	dl_list_init(&sm->pmksa_candidates);
2628 	sm->renew_snonce = 1;
2629 	sm->ctx = ctx;
2630 
2631 	sm->dot11RSNAConfigPMKLifetime = 43200;
2632 	sm->dot11RSNAConfigPMKReauthThreshold = 70;
2633 	sm->dot11RSNAConfigSATimeout = 60;
2634 
2635 	sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, sm, sm);
2636 	if (sm->pmksa == NULL) {
2637 		wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2638 			"RSN: PMKSA cache initialization failed");
2639 		os_free(sm);
2640 		return NULL;
2641 	}
2642 
2643 	return sm;
2644 }
2645 
2646 
2647 /**
2648  * wpa_sm_deinit - Deinitialize WPA state machine
2649  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2650  */
2651 void wpa_sm_deinit(struct wpa_sm *sm)
2652 {
2653 	if (sm == NULL)
2654 		return;
2655 	pmksa_cache_deinit(sm->pmksa);
2656 	eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
2657 	eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
2658 	os_free(sm->assoc_wpa_ie);
2659 	os_free(sm->ap_wpa_ie);
2660 	os_free(sm->ap_rsn_ie);
2661 	wpa_sm_drop_sa(sm);
2662 	os_free(sm->ctx);
2663 #ifdef CONFIG_IEEE80211R
2664 	os_free(sm->assoc_resp_ies);
2665 #endif /* CONFIG_IEEE80211R */
2666 #ifdef CONFIG_TESTING_OPTIONS
2667 	wpabuf_free(sm->test_assoc_ie);
2668 #endif /* CONFIG_TESTING_OPTIONS */
2669 #ifdef CONFIG_FILS_SK_PFS
2670 	crypto_ecdh_deinit(sm->fils_ecdh);
2671 #endif /* CONFIG_FILS_SK_PFS */
2672 #ifdef CONFIG_FILS
2673 	wpabuf_free(sm->fils_ft_ies);
2674 #endif /* CONFIG_FILS */
2675 #ifdef CONFIG_OWE
2676 	crypto_ecdh_deinit(sm->owe_ecdh);
2677 #endif /* CONFIG_OWE */
2678 #ifdef CONFIG_DPP2
2679 	wpabuf_clear_free(sm->dpp_z);
2680 #endif /* CONFIG_DPP2 */
2681 	os_free(sm);
2682 }
2683 
2684 
2685 /**
2686  * wpa_sm_notify_assoc - Notify WPA state machine about association
2687  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2688  * @bssid: The BSSID of the new association
2689  *
2690  * This function is called to let WPA state machine know that the connection
2691  * was established.
2692  */
2693 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
2694 {
2695 	int clear_keys = 1;
2696 
2697 	if (sm == NULL)
2698 		return;
2699 
2700 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2701 		"WPA: Association event - clear replay counter");
2702 	os_memcpy(sm->bssid, bssid, ETH_ALEN);
2703 	os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
2704 	sm->rx_replay_counter_set = 0;
2705 	sm->renew_snonce = 1;
2706 	if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
2707 		rsn_preauth_deinit(sm);
2708 
2709 #ifdef CONFIG_IEEE80211R
2710 	if (wpa_ft_is_completed(sm)) {
2711 		/*
2712 		 * Clear portValid to kick EAPOL state machine to re-enter
2713 		 * AUTHENTICATED state to get the EAPOL port Authorized.
2714 		 */
2715 		eapol_sm_notify_portValid(sm->eapol, FALSE);
2716 		wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2717 
2718 		/* Prepare for the next transition */
2719 		wpa_ft_prepare_auth_request(sm, NULL);
2720 
2721 		clear_keys = 0;
2722 		sm->ft_protocol = 1;
2723 	} else {
2724 		sm->ft_protocol = 0;
2725 	}
2726 #endif /* CONFIG_IEEE80211R */
2727 #ifdef CONFIG_FILS
2728 	if (sm->fils_completed) {
2729 		/*
2730 		 * Clear portValid to kick EAPOL state machine to re-enter
2731 		 * AUTHENTICATED state to get the EAPOL port Authorized.
2732 		 */
2733 		wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2734 		clear_keys = 0;
2735 	}
2736 #endif /* CONFIG_FILS */
2737 
2738 	if (clear_keys) {
2739 		/*
2740 		 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
2741 		 * this is not part of a Fast BSS Transition.
2742 		 */
2743 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
2744 		sm->ptk_set = 0;
2745 		os_memset(&sm->ptk, 0, sizeof(sm->ptk));
2746 		sm->tptk_set = 0;
2747 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
2748 		os_memset(&sm->gtk, 0, sizeof(sm->gtk));
2749 		os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
2750 #ifdef CONFIG_IEEE80211W
2751 		os_memset(&sm->igtk, 0, sizeof(sm->igtk));
2752 		os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
2753 #endif /* CONFIG_IEEE80211W */
2754 	}
2755 
2756 #ifdef CONFIG_TDLS
2757 	wpa_tdls_assoc(sm);
2758 #endif /* CONFIG_TDLS */
2759 
2760 #ifdef CONFIG_P2P
2761 	os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
2762 #endif /* CONFIG_P2P */
2763 }
2764 
2765 
2766 /**
2767  * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
2768  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2769  *
2770  * This function is called to let WPA state machine know that the connection
2771  * was lost. This will abort any existing pre-authentication session.
2772  */
2773 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
2774 {
2775 	eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
2776 	eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
2777 	rsn_preauth_deinit(sm);
2778 	pmksa_cache_clear_current(sm);
2779 	if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
2780 		sm->dot11RSNA4WayHandshakeFailures++;
2781 #ifdef CONFIG_TDLS
2782 	wpa_tdls_disassoc(sm);
2783 #endif /* CONFIG_TDLS */
2784 #ifdef CONFIG_FILS
2785 	sm->fils_completed = 0;
2786 #endif /* CONFIG_FILS */
2787 #ifdef CONFIG_IEEE80211R
2788 	sm->ft_reassoc_completed = 0;
2789 	sm->ft_protocol = 0;
2790 #endif /* CONFIG_IEEE80211R */
2791 
2792 	/* Keys are not needed in the WPA state machine anymore */
2793 	wpa_sm_drop_sa(sm);
2794 
2795 	sm->msg_3_of_4_ok = 0;
2796 	os_memset(sm->bssid, 0, ETH_ALEN);
2797 }
2798 
2799 
2800 /**
2801  * wpa_sm_set_pmk - Set PMK
2802  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2803  * @pmk: The new PMK
2804  * @pmk_len: The length of the new PMK in bytes
2805  * @pmkid: Calculated PMKID
2806  * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
2807  *
2808  * Configure the PMK for WPA state machine.
2809  */
2810 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
2811 		    const u8 *pmkid, const u8 *bssid)
2812 {
2813 	if (sm == NULL)
2814 		return;
2815 
2816 	wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data",
2817 			pmk, pmk_len);
2818 	sm->pmk_len = pmk_len;
2819 	os_memcpy(sm->pmk, pmk, pmk_len);
2820 
2821 #ifdef CONFIG_IEEE80211R
2822 	/* Set XXKey to be PSK for FT key derivation */
2823 	sm->xxkey_len = pmk_len;
2824 	os_memcpy(sm->xxkey, pmk, pmk_len);
2825 #endif /* CONFIG_IEEE80211R */
2826 
2827 	if (bssid) {
2828 		pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
2829 				bssid, sm->own_addr,
2830 				sm->network_ctx, sm->key_mgmt, NULL);
2831 	}
2832 }
2833 
2834 
2835 /**
2836  * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
2837  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2838  *
2839  * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
2840  * will be cleared.
2841  */
2842 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
2843 {
2844 	if (sm == NULL)
2845 		return;
2846 
2847 	if (sm->cur_pmksa) {
2848 		wpa_hexdump_key(MSG_DEBUG,
2849 				"WPA: Set PMK based on current PMKSA",
2850 				sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len);
2851 		sm->pmk_len = sm->cur_pmksa->pmk_len;
2852 		os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
2853 	} else {
2854 		wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK");
2855 		sm->pmk_len = 0;
2856 		os_memset(sm->pmk, 0, PMK_LEN_MAX);
2857 	}
2858 }
2859 
2860 
2861 /**
2862  * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
2863  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2864  * @fast_reauth: Whether fast reauthentication (EAP) is allowed
2865  */
2866 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
2867 {
2868 	if (sm)
2869 		sm->fast_reauth = fast_reauth;
2870 }
2871 
2872 
2873 /**
2874  * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
2875  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2876  * @scard_ctx: Context pointer for smartcard related callback functions
2877  */
2878 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
2879 {
2880 	if (sm == NULL)
2881 		return;
2882 	sm->scard_ctx = scard_ctx;
2883 	if (sm->preauth_eapol)
2884 		eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
2885 }
2886 
2887 
2888 /**
2889  * wpa_sm_set_config - Notification of current configration change
2890  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2891  * @config: Pointer to current network configuration
2892  *
2893  * Notify WPA state machine that configuration has changed. config will be
2894  * stored as a backpointer to network configuration. This can be %NULL to clear
2895  * the stored pointed.
2896  */
2897 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
2898 {
2899 	if (!sm)
2900 		return;
2901 
2902 	if (config) {
2903 		sm->network_ctx = config->network_ctx;
2904 		sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
2905 		sm->proactive_key_caching = config->proactive_key_caching;
2906 		sm->eap_workaround = config->eap_workaround;
2907 		sm->eap_conf_ctx = config->eap_conf_ctx;
2908 		if (config->ssid) {
2909 			os_memcpy(sm->ssid, config->ssid, config->ssid_len);
2910 			sm->ssid_len = config->ssid_len;
2911 		} else
2912 			sm->ssid_len = 0;
2913 		sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
2914 		sm->p2p = config->p2p;
2915 		sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
2916 #ifdef CONFIG_FILS
2917 		if (config->fils_cache_id) {
2918 			sm->fils_cache_id_set = 1;
2919 			os_memcpy(sm->fils_cache_id, config->fils_cache_id,
2920 				  FILS_CACHE_ID_LEN);
2921 		} else {
2922 			sm->fils_cache_id_set = 0;
2923 		}
2924 #endif /* CONFIG_FILS */
2925 	} else {
2926 		sm->network_ctx = NULL;
2927 		sm->allowed_pairwise_cipher = 0;
2928 		sm->proactive_key_caching = 0;
2929 		sm->eap_workaround = 0;
2930 		sm->eap_conf_ctx = NULL;
2931 		sm->ssid_len = 0;
2932 		sm->wpa_ptk_rekey = 0;
2933 		sm->p2p = 0;
2934 		sm->wpa_rsc_relaxation = 0;
2935 	}
2936 }
2937 
2938 
2939 /**
2940  * wpa_sm_set_own_addr - Set own MAC address
2941  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2942  * @addr: Own MAC address
2943  */
2944 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
2945 {
2946 	if (sm)
2947 		os_memcpy(sm->own_addr, addr, ETH_ALEN);
2948 }
2949 
2950 
2951 /**
2952  * wpa_sm_set_ifname - Set network interface name
2953  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2954  * @ifname: Interface name
2955  * @bridge_ifname: Optional bridge interface name (for pre-auth)
2956  */
2957 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
2958 		       const char *bridge_ifname)
2959 {
2960 	if (sm) {
2961 		sm->ifname = ifname;
2962 		sm->bridge_ifname = bridge_ifname;
2963 	}
2964 }
2965 
2966 
2967 /**
2968  * wpa_sm_set_eapol - Set EAPOL state machine pointer
2969  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2970  * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
2971  */
2972 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
2973 {
2974 	if (sm)
2975 		sm->eapol = eapol;
2976 }
2977 
2978 
2979 /**
2980  * wpa_sm_set_param - Set WPA state machine parameters
2981  * @sm: Pointer to WPA state machine data from wpa_sm_init()
2982  * @param: Parameter field
2983  * @value: Parameter value
2984  * Returns: 0 on success, -1 on failure
2985  */
2986 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
2987 		     unsigned int value)
2988 {
2989 	int ret = 0;
2990 
2991 	if (sm == NULL)
2992 		return -1;
2993 
2994 	switch (param) {
2995 	case RSNA_PMK_LIFETIME:
2996 		if (value > 0)
2997 			sm->dot11RSNAConfigPMKLifetime = value;
2998 		else
2999 			ret = -1;
3000 		break;
3001 	case RSNA_PMK_REAUTH_THRESHOLD:
3002 		if (value > 0 && value <= 100)
3003 			sm->dot11RSNAConfigPMKReauthThreshold = value;
3004 		else
3005 			ret = -1;
3006 		break;
3007 	case RSNA_SA_TIMEOUT:
3008 		if (value > 0)
3009 			sm->dot11RSNAConfigSATimeout = value;
3010 		else
3011 			ret = -1;
3012 		break;
3013 	case WPA_PARAM_PROTO:
3014 		sm->proto = value;
3015 		break;
3016 	case WPA_PARAM_PAIRWISE:
3017 		sm->pairwise_cipher = value;
3018 		break;
3019 	case WPA_PARAM_GROUP:
3020 		sm->group_cipher = value;
3021 		break;
3022 	case WPA_PARAM_KEY_MGMT:
3023 		sm->key_mgmt = value;
3024 		break;
3025 #ifdef CONFIG_IEEE80211W
3026 	case WPA_PARAM_MGMT_GROUP:
3027 		sm->mgmt_group_cipher = value;
3028 		break;
3029 #endif /* CONFIG_IEEE80211W */
3030 	case WPA_PARAM_RSN_ENABLED:
3031 		sm->rsn_enabled = value;
3032 		break;
3033 	case WPA_PARAM_MFP:
3034 		sm->mfp = value;
3035 		break;
3036 	case WPA_PARAM_OCV:
3037 		sm->ocv = value;
3038 		break;
3039 	default:
3040 		break;
3041 	}
3042 
3043 	return ret;
3044 }
3045 
3046 
3047 /**
3048  * wpa_sm_get_status - Get WPA state machine
3049  * @sm: Pointer to WPA state machine data from wpa_sm_init()
3050  * @buf: Buffer for status information
3051  * @buflen: Maximum buffer length
3052  * @verbose: Whether to include verbose status information
3053  * Returns: Number of bytes written to buf.
3054  *
3055  * Query WPA state machine for status information. This function fills in
3056  * a text area with current status information. If the buffer (buf) is not
3057  * large enough, status information will be truncated to fit the buffer.
3058  */
3059 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
3060 		      int verbose)
3061 {
3062 	char *pos = buf, *end = buf + buflen;
3063 	int ret;
3064 
3065 	ret = os_snprintf(pos, end - pos,
3066 			  "pairwise_cipher=%s\n"
3067 			  "group_cipher=%s\n"
3068 			  "key_mgmt=%s\n",
3069 			  wpa_cipher_txt(sm->pairwise_cipher),
3070 			  wpa_cipher_txt(sm->group_cipher),
3071 			  wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
3072 	if (os_snprintf_error(end - pos, ret))
3073 		return pos - buf;
3074 	pos += ret;
3075 
3076 	if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
3077 		struct wpa_ie_data rsn;
3078 		if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
3079 		    >= 0 &&
3080 		    rsn.capabilities & (WPA_CAPABILITY_MFPR |
3081 					WPA_CAPABILITY_MFPC)) {
3082 			ret = os_snprintf(pos, end - pos, "pmf=%d\n"
3083 					  "mgmt_group_cipher=%s\n",
3084 					  (rsn.capabilities &
3085 					   WPA_CAPABILITY_MFPR) ? 2 : 1,
3086 					  wpa_cipher_txt(
3087 						  sm->mgmt_group_cipher));
3088 			if (os_snprintf_error(end - pos, ret))
3089 				return pos - buf;
3090 			pos += ret;
3091 		}
3092 	}
3093 
3094 	return pos - buf;
3095 }
3096 
3097 
3098 int wpa_sm_pmf_enabled(struct wpa_sm *sm)
3099 {
3100 	struct wpa_ie_data rsn;
3101 
3102 	if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
3103 		return 0;
3104 
3105 	if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
3106 	    rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
3107 		return 1;
3108 
3109 	return 0;
3110 }
3111 
3112 
3113 int wpa_sm_ocv_enabled(struct wpa_sm *sm)
3114 {
3115 	struct wpa_ie_data rsn;
3116 
3117 	if (!sm->ocv || !sm->ap_rsn_ie)
3118 		return 0;
3119 
3120 	return wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len,
3121 				    &rsn) >= 0 &&
3122 		(rsn.capabilities & WPA_CAPABILITY_OCVC);
3123 }
3124 
3125 
3126 /**
3127  * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
3128  * @sm: Pointer to WPA state machine data from wpa_sm_init()
3129  * @wpa_ie: Pointer to buffer for WPA/RSN IE
3130  * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
3131  * Returns: 0 on success, -1 on failure
3132  */
3133 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
3134 				    size_t *wpa_ie_len)
3135 {
3136 	int res;
3137 
3138 	if (sm == NULL)
3139 		return -1;
3140 
3141 #ifdef CONFIG_TESTING_OPTIONS
3142 	if (sm->test_assoc_ie) {
3143 		wpa_printf(MSG_DEBUG,
3144 			   "TESTING: Replace association WPA/RSN IE");
3145 		if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
3146 			return -1;
3147 		os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
3148 			  wpabuf_len(sm->test_assoc_ie));
3149 		res = wpabuf_len(sm->test_assoc_ie);
3150 	} else
3151 #endif /* CONFIG_TESTING_OPTIONS */
3152 	res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
3153 	if (res < 0)
3154 		return -1;
3155 	*wpa_ie_len = res;
3156 
3157 	wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
3158 		    wpa_ie, *wpa_ie_len);
3159 
3160 	if (sm->assoc_wpa_ie == NULL) {
3161 		/*
3162 		 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
3163 		 * the correct version of the IE even if PMKSA caching is
3164 		 * aborted (which would remove PMKID from IE generation).
3165 		 */
3166 		sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
3167 		if (sm->assoc_wpa_ie == NULL)
3168 			return -1;
3169 
3170 		sm->assoc_wpa_ie_len = *wpa_ie_len;
3171 	} else {
3172 		wpa_hexdump(MSG_DEBUG,
3173 			    "WPA: Leave previously set WPA IE default",
3174 			    sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3175 	}
3176 
3177 	return 0;
3178 }
3179 
3180 
3181 /**
3182  * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
3183  * @sm: Pointer to WPA state machine data from wpa_sm_init()
3184  * @ie: Pointer to IE data (starting from id)
3185  * @len: IE length
3186  * Returns: 0 on success, -1 on failure
3187  *
3188  * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
3189  * Request frame. The IE will be used to override the default value generated
3190  * with wpa_sm_set_assoc_wpa_ie_default().
3191  */
3192 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3193 {
3194 	if (sm == NULL)
3195 		return -1;
3196 
3197 	os_free(sm->assoc_wpa_ie);
3198 	if (ie == NULL || len == 0) {
3199 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3200 			"WPA: clearing own WPA/RSN IE");
3201 		sm->assoc_wpa_ie = NULL;
3202 		sm->assoc_wpa_ie_len = 0;
3203 	} else {
3204 		wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
3205 		sm->assoc_wpa_ie = os_memdup(ie, len);
3206 		if (sm->assoc_wpa_ie == NULL)
3207 			return -1;
3208 
3209 		sm->assoc_wpa_ie_len = len;
3210 	}
3211 
3212 	return 0;
3213 }
3214 
3215 
3216 /**
3217  * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
3218  * @sm: Pointer to WPA state machine data from wpa_sm_init()
3219  * @ie: Pointer to IE data (starting from id)
3220  * @len: IE length
3221  * Returns: 0 on success, -1 on failure
3222  *
3223  * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
3224  * frame.
3225  */
3226 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3227 {
3228 	if (sm == NULL)
3229 		return -1;
3230 
3231 	os_free(sm->ap_wpa_ie);
3232 	if (ie == NULL || len == 0) {
3233 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3234 			"WPA: clearing AP WPA IE");
3235 		sm->ap_wpa_ie = NULL;
3236 		sm->ap_wpa_ie_len = 0;
3237 	} else {
3238 		wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
3239 		sm->ap_wpa_ie = os_memdup(ie, len);
3240 		if (sm->ap_wpa_ie == NULL)
3241 			return -1;
3242 
3243 		sm->ap_wpa_ie_len = len;
3244 	}
3245 
3246 	return 0;
3247 }
3248 
3249 
3250 /**
3251  * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
3252  * @sm: Pointer to WPA state machine data from wpa_sm_init()
3253  * @ie: Pointer to IE data (starting from id)
3254  * @len: IE length
3255  * Returns: 0 on success, -1 on failure
3256  *
3257  * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
3258  * frame.
3259  */
3260 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3261 {
3262 	if (sm == NULL)
3263 		return -1;
3264 
3265 	os_free(sm->ap_rsn_ie);
3266 	if (ie == NULL || len == 0) {
3267 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3268 			"WPA: clearing AP RSN IE");
3269 		sm->ap_rsn_ie = NULL;
3270 		sm->ap_rsn_ie_len = 0;
3271 	} else {
3272 		wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
3273 		sm->ap_rsn_ie = os_memdup(ie, len);
3274 		if (sm->ap_rsn_ie == NULL)
3275 			return -1;
3276 
3277 		sm->ap_rsn_ie_len = len;
3278 	}
3279 
3280 	return 0;
3281 }
3282 
3283 
3284 /**
3285  * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
3286  * @sm: Pointer to WPA state machine data from wpa_sm_init()
3287  * @data: Pointer to data area for parsing results
3288  * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
3289  *
3290  * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
3291  * parsed data into data.
3292  */
3293 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
3294 {
3295 	if (sm == NULL)
3296 		return -1;
3297 
3298 	if (sm->assoc_wpa_ie == NULL) {
3299 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3300 			"WPA: No WPA/RSN IE available from association info");
3301 		return -1;
3302 	}
3303 	if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
3304 		return -2;
3305 	return 0;
3306 }
3307 
3308 
3309 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
3310 {
3311 	return pmksa_cache_list(sm->pmksa, buf, len);
3312 }
3313 
3314 
3315 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
3316 {
3317 	return pmksa_cache_head(sm->pmksa);
3318 }
3319 
3320 
3321 struct rsn_pmksa_cache_entry *
3322 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
3323 			     struct rsn_pmksa_cache_entry * entry)
3324 {
3325 	return pmksa_cache_add_entry(sm->pmksa, entry);
3326 }
3327 
3328 
3329 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
3330 			    const u8 *pmkid, const u8 *bssid,
3331 			    const u8 *fils_cache_id)
3332 {
3333 	sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
3334 					bssid, sm->own_addr, sm->network_ctx,
3335 					sm->key_mgmt, fils_cache_id);
3336 }
3337 
3338 
3339 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid,
3340 			const void *network_ctx)
3341 {
3342 	return pmksa_cache_get(sm->pmksa, bssid, NULL, network_ctx, 0) != NULL;
3343 }
3344 
3345 
3346 void wpa_sm_drop_sa(struct wpa_sm *sm)
3347 {
3348 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
3349 	sm->ptk_set = 0;
3350 	sm->tptk_set = 0;
3351 	sm->pmk_len = 0;
3352 	os_memset(sm->pmk, 0, sizeof(sm->pmk));
3353 	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
3354 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3355 	os_memset(&sm->gtk, 0, sizeof(sm->gtk));
3356 	os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
3357 #ifdef CONFIG_IEEE80211W
3358 	os_memset(&sm->igtk, 0, sizeof(sm->igtk));
3359 	os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
3360 #endif /* CONFIG_IEEE80211W */
3361 #ifdef CONFIG_IEEE80211R
3362 	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
3363 	sm->xxkey_len = 0;
3364 	os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
3365 	sm->pmk_r0_len = 0;
3366 	os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
3367 	sm->pmk_r1_len = 0;
3368 #endif /* CONFIG_IEEE80211R */
3369 }
3370 
3371 
3372 int wpa_sm_has_ptk(struct wpa_sm *sm)
3373 {
3374 	if (sm == NULL)
3375 		return 0;
3376 	return sm->ptk_set;
3377 }
3378 
3379 
3380 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
3381 {
3382 	os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
3383 }
3384 
3385 
3386 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
3387 {
3388 	pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0);
3389 }
3390 
3391 
3392 #ifdef CONFIG_WNM
3393 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
3394 {
3395 	u16 keyinfo;
3396 	u8 keylen;  /* plaintext key len */
3397 	u8 *key_rsc;
3398 
3399 	if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
3400 		struct wpa_gtk_data gd;
3401 
3402 		os_memset(&gd, 0, sizeof(gd));
3403 		keylen = wpa_cipher_key_len(sm->group_cipher);
3404 		gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
3405 		gd.alg = wpa_cipher_to_alg(sm->group_cipher);
3406 		if (gd.alg == WPA_ALG_NONE) {
3407 			wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
3408 			return -1;
3409 		}
3410 
3411 		key_rsc = buf + 5;
3412 		keyinfo = WPA_GET_LE16(buf + 2);
3413 		gd.gtk_len = keylen;
3414 		if (gd.gtk_len != buf[4]) {
3415 			wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
3416 				   gd.gtk_len, buf[4]);
3417 			return -1;
3418 		}
3419 		gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
3420 		gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
3421 		         sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
3422 
3423 		os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
3424 
3425 		wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
3426 				gd.gtk, gd.gtk_len);
3427 		if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
3428 			os_memset(&gd, 0, sizeof(gd));
3429 			wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
3430 				   "WNM mode");
3431 			return -1;
3432 		}
3433 		os_memset(&gd, 0, sizeof(gd));
3434 #ifdef CONFIG_IEEE80211W
3435 	} else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
3436 		const struct wpa_igtk_kde *igtk;
3437 
3438 		igtk = (const struct wpa_igtk_kde *) (buf + 2);
3439 		if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
3440 			return -1;
3441 #endif /* CONFIG_IEEE80211W */
3442 	} else {
3443 		wpa_printf(MSG_DEBUG, "Unknown element id");
3444 		return -1;
3445 	}
3446 
3447 	return 0;
3448 }
3449 #endif /* CONFIG_WNM */
3450 
3451 
3452 #ifdef CONFIG_P2P
3453 
3454 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
3455 {
3456 	if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
3457 		return -1;
3458 	os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
3459 	return 0;
3460 }
3461 
3462 #endif /* CONFIG_P2P */
3463 
3464 
3465 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
3466 {
3467 	if (rx_replay_counter == NULL)
3468 		return;
3469 
3470 	os_memcpy(sm->rx_replay_counter, rx_replay_counter,
3471 		  WPA_REPLAY_COUNTER_LEN);
3472 	sm->rx_replay_counter_set = 1;
3473 	wpa_printf(MSG_DEBUG, "Updated key replay counter");
3474 }
3475 
3476 
3477 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
3478 			    const u8 *ptk_kck, size_t ptk_kck_len,
3479 			    const u8 *ptk_kek, size_t ptk_kek_len)
3480 {
3481 	if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
3482 		os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
3483 		sm->ptk.kck_len = ptk_kck_len;
3484 		wpa_printf(MSG_DEBUG, "Updated PTK KCK");
3485 	}
3486 	if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
3487 		os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
3488 		sm->ptk.kek_len = ptk_kek_len;
3489 		wpa_printf(MSG_DEBUG, "Updated PTK KEK");
3490 	}
3491 	sm->ptk_set = 1;
3492 }
3493 
3494 
3495 #ifdef CONFIG_TESTING_OPTIONS
3496 
3497 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
3498 {
3499 	wpabuf_free(sm->test_assoc_ie);
3500 	sm->test_assoc_ie = buf;
3501 }
3502 
3503 
3504 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm)
3505 {
3506 	return sm->anonce;
3507 }
3508 
3509 #endif /* CONFIG_TESTING_OPTIONS */
3510 
3511 
3512 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm)
3513 {
3514 	return sm->key_mgmt;
3515 }
3516 
3517 
3518 #ifdef CONFIG_FILS
3519 
3520 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md)
3521 {
3522 	struct wpabuf *buf = NULL;
3523 	struct wpabuf *erp_msg;
3524 	struct wpabuf *pub = NULL;
3525 
3526 	erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
3527 	if (!erp_msg && !sm->cur_pmksa) {
3528 		wpa_printf(MSG_DEBUG,
3529 			   "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
3530 		goto fail;
3531 	}
3532 
3533 	wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
3534 		   erp_msg != NULL, sm->cur_pmksa != NULL);
3535 
3536 	sm->fils_completed = 0;
3537 
3538 	if (!sm->assoc_wpa_ie) {
3539 		wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
3540 		goto fail;
3541 	}
3542 
3543 	if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
3544 	    random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
3545 		goto fail;
3546 
3547 	wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
3548 		    sm->fils_nonce, FILS_NONCE_LEN);
3549 	wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
3550 		    sm->fils_session, FILS_SESSION_LEN);
3551 
3552 #ifdef CONFIG_FILS_SK_PFS
3553 	sm->fils_dh_group = dh_group;
3554 	if (dh_group) {
3555 		crypto_ecdh_deinit(sm->fils_ecdh);
3556 		sm->fils_ecdh = crypto_ecdh_init(dh_group);
3557 		if (!sm->fils_ecdh) {
3558 			wpa_printf(MSG_INFO,
3559 				   "FILS: Could not initialize ECDH with group %d",
3560 				   dh_group);
3561 			goto fail;
3562 		}
3563 		pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
3564 		if (!pub)
3565 			goto fail;
3566 		wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)",
3567 				pub);
3568 		sm->fils_dh_elem_len = wpabuf_len(pub);
3569 	}
3570 #endif /* CONFIG_FILS_SK_PFS */
3571 
3572 	buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
3573 			   (pub ? wpabuf_len(pub) : 0));
3574 	if (!buf)
3575 		goto fail;
3576 
3577 	/* Fields following the Authentication algorithm number field */
3578 
3579 	/* Authentication Transaction seq# */
3580 	wpabuf_put_le16(buf, 1);
3581 
3582 	/* Status Code */
3583 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
3584 
3585 	/* TODO: FILS PK */
3586 #ifdef CONFIG_FILS_SK_PFS
3587 	if (dh_group) {
3588 		/* Finite Cyclic Group */
3589 		wpabuf_put_le16(buf, dh_group);
3590 		/* Element */
3591 		wpabuf_put_buf(buf, pub);
3592 	}
3593 #endif /* CONFIG_FILS_SK_PFS */
3594 
3595 	/* RSNE */
3596 	wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
3597 		    sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3598 	wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3599 
3600 	if (md) {
3601 		/* MDE when using FILS for FT initial association */
3602 		struct rsn_mdie *mdie;
3603 
3604 		wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN);
3605 		wpabuf_put_u8(buf, sizeof(*mdie));
3606 		mdie = wpabuf_put(buf, sizeof(*mdie));
3607 		os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
3608 		mdie->ft_capab = 0;
3609 	}
3610 
3611 	/* FILS Nonce */
3612 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3613 	wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
3614 	/* Element ID Extension */
3615 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
3616 	wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
3617 
3618 	/* FILS Session */
3619 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3620 	wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
3621 	/* Element ID Extension */
3622 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
3623 	wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
3624 
3625 	/* FILS Wrapped Data */
3626 	sm->fils_erp_pmkid_set = 0;
3627 	if (erp_msg) {
3628 		wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3629 		wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
3630 		/* Element ID Extension */
3631 		wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_WRAPPED_DATA);
3632 		wpabuf_put_buf(buf, erp_msg);
3633 		/* Calculate pending PMKID here so that we do not need to
3634 		 * maintain a copy of the EAP-Initiate/Reauth message. */
3635 		if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
3636 				   wpabuf_len(erp_msg),
3637 				   sm->fils_erp_pmkid) == 0)
3638 			sm->fils_erp_pmkid_set = 1;
3639 	}
3640 
3641 	wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
3642 			buf);
3643 
3644 fail:
3645 	wpabuf_free(erp_msg);
3646 	wpabuf_free(pub);
3647 	return buf;
3648 }
3649 
3650 
3651 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
3652 		      size_t len)
3653 {
3654 	const u8 *pos, *end;
3655 	struct ieee802_11_elems elems;
3656 	struct wpa_ie_data rsn;
3657 	int pmkid_match = 0;
3658 	u8 ick[FILS_ICK_MAX_LEN];
3659 	size_t ick_len;
3660 	int res;
3661 	struct wpabuf *dh_ss = NULL;
3662 	const u8 *g_sta = NULL;
3663 	size_t g_sta_len = 0;
3664 	const u8 *g_ap = NULL;
3665 	size_t g_ap_len = 0;
3666 	struct wpabuf *pub = NULL;
3667 
3668 	os_memcpy(sm->bssid, bssid, ETH_ALEN);
3669 
3670 	wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
3671 		    data, len);
3672 	pos = data;
3673 	end = data + len;
3674 
3675 	/* TODO: FILS PK */
3676 #ifdef CONFIG_FILS_SK_PFS
3677 	if (sm->fils_dh_group) {
3678 		u16 group;
3679 
3680 		/* Using FILS PFS */
3681 
3682 		/* Finite Cyclic Group */
3683 		if (end - pos < 2) {
3684 			wpa_printf(MSG_DEBUG,
3685 				   "FILS: No room for Finite Cyclic Group");
3686 			goto fail;
3687 		}
3688 		group = WPA_GET_LE16(pos);
3689 		pos += 2;
3690 		if (group != sm->fils_dh_group) {
3691 			wpa_printf(MSG_DEBUG,
3692 				   "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
3693 				   group, sm->fils_dh_group);
3694 			goto fail;
3695 		}
3696 
3697 		/* Element */
3698 		if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
3699 			wpa_printf(MSG_DEBUG, "FILS: No room for Element");
3700 			goto fail;
3701 		}
3702 
3703 		if (!sm->fils_ecdh) {
3704 			wpa_printf(MSG_DEBUG, "FILS: No ECDH state available");
3705 			goto fail;
3706 		}
3707 		dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
3708 						sm->fils_dh_elem_len);
3709 		if (!dh_ss) {
3710 			wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
3711 			goto fail;
3712 		}
3713 		wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss);
3714 		g_ap = pos;
3715 		g_ap_len = sm->fils_dh_elem_len;
3716 		pos += sm->fils_dh_elem_len;
3717 	}
3718 #endif /* CONFIG_FILS_SK_PFS */
3719 
3720 	wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
3721 	if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
3722 		wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
3723 		goto fail;
3724 	}
3725 
3726 	/* RSNE */
3727 	wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
3728 		    elems.rsn_ie_len);
3729 	if (!elems.rsn_ie ||
3730 	    wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
3731 				 &rsn) < 0) {
3732 		wpa_printf(MSG_DEBUG, "FILS: No RSN element");
3733 		goto fail;
3734 	}
3735 
3736 	if (!elems.fils_nonce) {
3737 		wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
3738 		goto fail;
3739 	}
3740 	os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
3741 	wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
3742 
3743 #ifdef CONFIG_IEEE80211R
3744 	if (wpa_key_mgmt_ft(sm->key_mgmt)) {
3745 		struct wpa_ft_ies parse;
3746 
3747 		if (!elems.mdie || !elems.ftie) {
3748 			wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE");
3749 			goto fail;
3750 		}
3751 
3752 		if (wpa_ft_parse_ies(pos, end - pos, &parse,
3753 				     wpa_key_mgmt_sha384(sm->key_mgmt)) < 0) {
3754 			wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs");
3755 			goto fail;
3756 		}
3757 
3758 		if (!parse.r0kh_id) {
3759 			wpa_printf(MSG_DEBUG,
3760 				   "FILS+FT: No R0KH-ID subelem in FTE");
3761 			goto fail;
3762 		}
3763 		os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
3764 		sm->r0kh_id_len = parse.r0kh_id_len;
3765 		wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
3766 				  sm->r0kh_id, sm->r0kh_id_len);
3767 
3768 		if (!parse.r1kh_id) {
3769 			wpa_printf(MSG_DEBUG,
3770 				   "FILS+FT: No R1KH-ID subelem in FTE");
3771 			goto fail;
3772 		}
3773 		os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
3774 		wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID",
3775 			    sm->r1kh_id, FT_R1KH_ID_LEN);
3776 
3777 		/* TODO: Check MDE and FTE payload */
3778 
3779 		wpabuf_free(sm->fils_ft_ies);
3780 		sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len +
3781 					       2 + elems.ftie_len);
3782 		if (!sm->fils_ft_ies)
3783 			goto fail;
3784 		wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2,
3785 				2 + elems.mdie_len);
3786 		wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2,
3787 				2 + elems.ftie_len);
3788 	} else {
3789 		wpabuf_free(sm->fils_ft_ies);
3790 		sm->fils_ft_ies = NULL;
3791 	}
3792 #endif /* CONFIG_IEEE80211R */
3793 
3794 	/* PMKID List */
3795 	if (rsn.pmkid && rsn.num_pmkid > 0) {
3796 		wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
3797 			    rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
3798 
3799 		if (rsn.num_pmkid != 1) {
3800 			wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
3801 			goto fail;
3802 		}
3803 		wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
3804 		if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
3805 		{
3806 			wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
3807 			wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
3808 				    sm->cur_pmksa->pmkid, PMKID_LEN);
3809 			goto fail;
3810 		}
3811 		wpa_printf(MSG_DEBUG,
3812 			   "FILS: Matching PMKID - continue using PMKSA caching");
3813 		pmkid_match = 1;
3814 	}
3815 	if (!pmkid_match && sm->cur_pmksa) {
3816 		wpa_printf(MSG_DEBUG,
3817 			   "FILS: No PMKID match - cannot use cached PMKSA entry");
3818 		sm->cur_pmksa = NULL;
3819 	}
3820 
3821 	/* FILS Session */
3822 	if (!elems.fils_session) {
3823 		wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
3824 		goto fail;
3825 	}
3826 	wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
3827 		    FILS_SESSION_LEN);
3828 	if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
3829 	    != 0) {
3830 		wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
3831 		wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
3832 			    sm->fils_session, FILS_SESSION_LEN);
3833 		goto fail;
3834 	}
3835 
3836 	/* FILS Wrapped Data */
3837 	if (!sm->cur_pmksa && elems.fils_wrapped_data) {
3838 		u8 rmsk[ERP_MAX_KEY_LEN];
3839 		size_t rmsk_len;
3840 
3841 		wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
3842 			    elems.fils_wrapped_data,
3843 			    elems.fils_wrapped_data_len);
3844 		eapol_sm_process_erp_finish(sm->eapol, elems.fils_wrapped_data,
3845 					    elems.fils_wrapped_data_len);
3846 		if (eapol_sm_failed(sm->eapol))
3847 			goto fail;
3848 
3849 		rmsk_len = ERP_MAX_KEY_LEN;
3850 		res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
3851 		if (res == PMK_LEN) {
3852 			rmsk_len = PMK_LEN;
3853 			res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
3854 		}
3855 		if (res)
3856 			goto fail;
3857 
3858 		res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
3859 				       sm->fils_nonce, sm->fils_anonce,
3860 				       dh_ss ? wpabuf_head(dh_ss) : NULL,
3861 				       dh_ss ? wpabuf_len(dh_ss) : 0,
3862 				       sm->pmk, &sm->pmk_len);
3863 		os_memset(rmsk, 0, sizeof(rmsk));
3864 
3865 		/* Don't use DHss in PTK derivation if PMKSA caching is not
3866 		 * used. */
3867 		wpabuf_clear_free(dh_ss);
3868 		dh_ss = NULL;
3869 
3870 		if (res)
3871 			goto fail;
3872 
3873 		if (!sm->fils_erp_pmkid_set) {
3874 			wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
3875 			goto fail;
3876 		}
3877 		wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
3878 			    PMKID_LEN);
3879 		wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
3880 		sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
3881 						sm->fils_erp_pmkid, NULL, 0,
3882 						sm->bssid, sm->own_addr,
3883 						sm->network_ctx, sm->key_mgmt,
3884 						NULL);
3885 	}
3886 
3887 	if (!sm->cur_pmksa) {
3888 		wpa_printf(MSG_DEBUG,
3889 			   "FILS: No remaining options to continue FILS authentication");
3890 		goto fail;
3891 	}
3892 
3893 	if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid,
3894 			    sm->fils_nonce, sm->fils_anonce,
3895 			    dh_ss ? wpabuf_head(dh_ss) : NULL,
3896 			    dh_ss ? wpabuf_len(dh_ss) : 0,
3897 			    &sm->ptk, ick, &ick_len,
3898 			    sm->key_mgmt, sm->pairwise_cipher,
3899 			    sm->fils_ft, &sm->fils_ft_len) < 0) {
3900 		wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
3901 		goto fail;
3902 	}
3903 
3904 	wpabuf_clear_free(dh_ss);
3905 	dh_ss = NULL;
3906 
3907 	sm->ptk_set = 1;
3908 	sm->tptk_set = 0;
3909 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3910 
3911 #ifdef CONFIG_FILS_SK_PFS
3912 	if (sm->fils_dh_group) {
3913 		if (!sm->fils_ecdh) {
3914 			wpa_printf(MSG_INFO, "FILS: ECDH not initialized");
3915 			goto fail;
3916 		}
3917 		pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
3918 		if (!pub)
3919 			goto fail;
3920 		wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub);
3921 		g_sta = wpabuf_head(pub);
3922 		g_sta_len = wpabuf_len(pub);
3923 		if (!g_ap) {
3924 			wpa_printf(MSG_INFO, "FILS: gAP not available");
3925 			goto fail;
3926 		}
3927 		wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
3928 	}
3929 #endif /* CONFIG_FILS_SK_PFS */
3930 
3931 	res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
3932 			       sm->fils_anonce, sm->own_addr, sm->bssid,
3933 			       g_sta, g_sta_len, g_ap, g_ap_len,
3934 			       sm->key_mgmt, sm->fils_key_auth_sta,
3935 			       sm->fils_key_auth_ap,
3936 			       &sm->fils_key_auth_len);
3937 	wpabuf_free(pub);
3938 	os_memset(ick, 0, sizeof(ick));
3939 	return res;
3940 fail:
3941 	wpabuf_free(pub);
3942 	wpabuf_clear_free(dh_ss);
3943 	return -1;
3944 }
3945 
3946 
3947 #ifdef CONFIG_IEEE80211R
3948 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf)
3949 {
3950 	struct rsn_ie_hdr *rsnie;
3951 	u16 capab;
3952 	u8 *pos;
3953 	int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
3954 
3955 	/* RSNIE[PMKR0Name/PMKR1Name] */
3956 	rsnie = wpabuf_put(buf, sizeof(*rsnie));
3957 	rsnie->elem_id = WLAN_EID_RSN;
3958 	WPA_PUT_LE16(rsnie->version, RSN_VERSION);
3959 
3960 	/* Group Suite Selector */
3961 	if (!wpa_cipher_valid_group(sm->group_cipher)) {
3962 		wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
3963 			   sm->group_cipher);
3964 		return -1;
3965 	}
3966 	pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
3967 	RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
3968 						  sm->group_cipher));
3969 
3970 	/* Pairwise Suite Count */
3971 	wpabuf_put_le16(buf, 1);
3972 
3973 	/* Pairwise Suite List */
3974 	if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
3975 		wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
3976 			   sm->pairwise_cipher);
3977 		return -1;
3978 	}
3979 	pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
3980 	RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
3981 						  sm->pairwise_cipher));
3982 
3983 	/* Authenticated Key Management Suite Count */
3984 	wpabuf_put_le16(buf, 1);
3985 
3986 	/* Authenticated Key Management Suite List */
3987 	pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
3988 	if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
3989 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
3990 	else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384)
3991 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
3992 	else {
3993 		wpa_printf(MSG_WARNING,
3994 			   "FILS+FT: Invalid key management type (%d)",
3995 			   sm->key_mgmt);
3996 		return -1;
3997 	}
3998 
3999 	/* RSN Capabilities */
4000 	capab = 0;
4001 #ifdef CONFIG_IEEE80211W
4002 	if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC)
4003 		capab |= WPA_CAPABILITY_MFPC;
4004 #endif /* CONFIG_IEEE80211W */
4005 	if (sm->ocv)
4006 		capab |= WPA_CAPABILITY_OCVC;
4007 	wpabuf_put_le16(buf, capab);
4008 
4009 	/* PMKID Count */
4010 	wpabuf_put_le16(buf, 1);
4011 
4012 	/* PMKID List [PMKR1Name] */
4013 	wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)",
4014 			sm->fils_ft, sm->fils_ft_len);
4015 	wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len);
4016 	wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID",
4017 		    sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
4018 	wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
4019 			  sm->r0kh_id, sm->r0kh_id_len);
4020 	if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid,
4021 			      sm->ssid_len, sm->mobility_domain,
4022 			      sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
4023 			      sm->pmk_r0, sm->pmk_r0_name, use_sha384) < 0) {
4024 		wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0");
4025 		return -1;
4026 	}
4027 	sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
4028 	wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0",
4029 			sm->pmk_r0, sm->pmk_r0_len);
4030 	wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name",
4031 		    sm->pmk_r0_name, WPA_PMK_NAME_LEN);
4032 	wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR,
4033 		   MAC2STR(sm->r1kh_id));
4034 	pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
4035 	if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
4036 				   sm->pmk_r1_name, use_sha384) < 0) {
4037 		wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
4038 		return -1;
4039 	}
4040 	wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name,
4041 		    WPA_PMK_NAME_LEN);
4042 	os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN);
4043 
4044 #ifdef CONFIG_IEEE80211W
4045 	if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
4046 		/* Management Group Cipher Suite */
4047 		pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4048 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
4049 	}
4050 #endif /* CONFIG_IEEE80211W */
4051 
4052 	rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2;
4053 	return 0;
4054 }
4055 #endif /* CONFIG_IEEE80211R */
4056 
4057 
4058 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
4059 				     size_t *kek_len, const u8 **snonce,
4060 				     const u8 **anonce,
4061 				     const struct wpabuf **hlp,
4062 				     unsigned int num_hlp)
4063 {
4064 	struct wpabuf *buf;
4065 	size_t len;
4066 	unsigned int i;
4067 
4068 	len = 1000;
4069 #ifdef CONFIG_IEEE80211R
4070 	if (sm->fils_ft_ies)
4071 		len += wpabuf_len(sm->fils_ft_ies);
4072 	if (wpa_key_mgmt_ft(sm->key_mgmt))
4073 		len += 256;
4074 #endif /* CONFIG_IEEE80211R */
4075 	for (i = 0; hlp && i < num_hlp; i++)
4076 		len += 10 + wpabuf_len(hlp[i]);
4077 	buf = wpabuf_alloc(len);
4078 	if (!buf)
4079 		return NULL;
4080 
4081 #ifdef CONFIG_IEEE80211R
4082 	if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
4083 		/* MDE and FTE when using FILS+FT */
4084 		wpabuf_put_buf(buf, sm->fils_ft_ies);
4085 		/* RSNE with PMKR1Name in PMKID field */
4086 		if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) {
4087 			wpabuf_free(buf);
4088 			return NULL;
4089 		}
4090 	}
4091 #endif /* CONFIG_IEEE80211R */
4092 
4093 	/* FILS Session */
4094 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4095 	wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
4096 	/* Element ID Extension */
4097 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
4098 	wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
4099 
4100 	/* Everything after FILS Session element gets encrypted in the driver
4101 	 * with KEK. The buffer returned from here is the plaintext version. */
4102 
4103 	/* TODO: FILS Public Key */
4104 
4105 	/* FILS Key Confirm */
4106 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4107 	wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
4108 	/* Element ID Extension */
4109 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
4110 	wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
4111 
4112 	/* FILS HLP Container */
4113 	for (i = 0; hlp && i < num_hlp; i++) {
4114 		const u8 *pos = wpabuf_head(hlp[i]);
4115 		size_t left = wpabuf_len(hlp[i]);
4116 
4117 		wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4118 		if (left <= 254)
4119 			len = 1 + left;
4120 		else
4121 			len = 255;
4122 		wpabuf_put_u8(buf, len); /* Length */
4123 		/* Element ID Extension */
4124 		wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
4125 		/* Destination MAC Address, Source MAC Address, HLP Packet.
4126 		 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
4127 		 * header when LPD is used). */
4128 		wpabuf_put_data(buf, pos, len - 1);
4129 		pos += len - 1;
4130 		left -= len - 1;
4131 		while (left) {
4132 			wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
4133 			len = left > 255 ? 255 : left;
4134 			wpabuf_put_u8(buf, len);
4135 			wpabuf_put_data(buf, pos, len);
4136 			pos += len;
4137 			left -= len;
4138 		}
4139 	}
4140 
4141 	/* TODO: FILS IP Address Assignment */
4142 
4143 #ifdef CONFIG_OCV
4144 	if (wpa_sm_ocv_enabled(sm)) {
4145 		struct wpa_channel_info ci;
4146 		u8 *pos;
4147 
4148 		if (wpa_sm_channel_info(sm, &ci) != 0) {
4149 			wpa_printf(MSG_WARNING,
4150 				   "FILS: Failed to get channel info for OCI element");
4151 			wpabuf_free(buf);
4152 			return NULL;
4153 		}
4154 
4155 		pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN);
4156 		if (ocv_insert_extended_oci(&ci, pos) < 0) {
4157 			wpabuf_free(buf);
4158 			return NULL;
4159 		}
4160 	}
4161 #endif /* CONFIG_OCV */
4162 
4163 	wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
4164 
4165 	*kek = sm->ptk.kek;
4166 	*kek_len = sm->ptk.kek_len;
4167 	wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
4168 	*snonce = sm->fils_nonce;
4169 	wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
4170 		    *snonce, FILS_NONCE_LEN);
4171 	*anonce = sm->fils_anonce;
4172 	wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
4173 		    *anonce, FILS_NONCE_LEN);
4174 
4175 	return buf;
4176 }
4177 
4178 
4179 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
4180 {
4181 	const u8 *pos, *end;
4182 
4183 	wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
4184 	if (len < 2 * ETH_ALEN)
4185 		return;
4186 	pos = resp + 2 * ETH_ALEN;
4187 	end = resp + len;
4188 	if (end - pos >= 6 &&
4189 	    os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
4190 		pos += 6; /* Remove SNAP/LLC header */
4191 	wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
4192 }
4193 
4194 
4195 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
4196 				       size_t len)
4197 {
4198 	const u8 *end = pos + len;
4199 	u8 *tmp, *tmp_pos;
4200 
4201 	/* Check if there are any FILS HLP Container elements */
4202 	while (end - pos >= 2) {
4203 		if (2 + pos[1] > end - pos)
4204 			return;
4205 		if (pos[0] == WLAN_EID_EXTENSION &&
4206 		    pos[1] >= 1 + 2 * ETH_ALEN &&
4207 		    pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
4208 			break;
4209 		pos += 2 + pos[1];
4210 	}
4211 	if (end - pos < 2)
4212 		return; /* No FILS HLP Container elements */
4213 
4214 	tmp = os_malloc(end - pos);
4215 	if (!tmp)
4216 		return;
4217 
4218 	while (end - pos >= 2) {
4219 		if (2 + pos[1] > end - pos ||
4220 		    pos[0] != WLAN_EID_EXTENSION ||
4221 		    pos[1] < 1 + 2 * ETH_ALEN ||
4222 		    pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
4223 			break;
4224 		tmp_pos = tmp;
4225 		os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
4226 		tmp_pos += pos[1] - 1;
4227 		pos += 2 + pos[1];
4228 
4229 		/* Add possible fragments */
4230 		while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
4231 		       2 + pos[1] <= end - pos) {
4232 			os_memcpy(tmp_pos, pos + 2, pos[1]);
4233 			tmp_pos += pos[1];
4234 			pos += 2 + pos[1];
4235 		}
4236 
4237 		fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
4238 	}
4239 
4240 	os_free(tmp);
4241 }
4242 
4243 
4244 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
4245 {
4246 	const struct ieee80211_mgmt *mgmt;
4247 	const u8 *end, *ie_start;
4248 	struct ieee802_11_elems elems;
4249 	int keylen, rsclen;
4250 	enum wpa_alg alg;
4251 	struct wpa_gtk_data gd;
4252 	int maxkeylen;
4253 	struct wpa_eapol_ie_parse kde;
4254 
4255 	if (!sm || !sm->ptk_set) {
4256 		wpa_printf(MSG_DEBUG, "FILS: No KEK available");
4257 		return -1;
4258 	}
4259 
4260 	if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
4261 		wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
4262 		return -1;
4263 	}
4264 
4265 	if (sm->fils_completed) {
4266 		wpa_printf(MSG_DEBUG,
4267 			   "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
4268 		return -1;
4269 	}
4270 
4271 	wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
4272 		    resp, len);
4273 
4274 	mgmt = (const struct ieee80211_mgmt *) resp;
4275 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
4276 		return -1;
4277 
4278 	end = resp + len;
4279 	/* Same offset for Association Response and Reassociation Response */
4280 	ie_start = mgmt->u.assoc_resp.variable;
4281 
4282 	if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
4283 	    ParseFailed) {
4284 		wpa_printf(MSG_DEBUG,
4285 			   "FILS: Failed to parse decrypted elements");
4286 		goto fail;
4287 	}
4288 
4289 	if (!elems.fils_session) {
4290 		wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
4291 		return -1;
4292 	}
4293 	if (os_memcmp(elems.fils_session, sm->fils_session,
4294 		      FILS_SESSION_LEN) != 0) {
4295 		wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
4296 		wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
4297 			    elems.fils_session, FILS_SESSION_LEN);
4298 		wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
4299 			    sm->fils_session, FILS_SESSION_LEN);
4300 	}
4301 
4302 	/* TODO: FILS Public Key */
4303 
4304 	if (!elems.fils_key_confirm) {
4305 		wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
4306 		goto fail;
4307 	}
4308 	if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
4309 		wpa_printf(MSG_DEBUG,
4310 			   "FILS: Unexpected Key-Auth length %d (expected %d)",
4311 			   elems.fils_key_confirm_len,
4312 			   (int) sm->fils_key_auth_len);
4313 		goto fail;
4314 	}
4315 	if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
4316 		      sm->fils_key_auth_len) != 0) {
4317 		wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
4318 		wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
4319 			    elems.fils_key_confirm,
4320 			    elems.fils_key_confirm_len);
4321 		wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
4322 			    sm->fils_key_auth_ap, sm->fils_key_auth_len);
4323 		goto fail;
4324 	}
4325 
4326 #ifdef CONFIG_OCV
4327 	if (wpa_sm_ocv_enabled(sm)) {
4328 		struct wpa_channel_info ci;
4329 
4330 		if (wpa_sm_channel_info(sm, &ci) != 0) {
4331 			wpa_printf(MSG_WARNING,
4332 				   "Failed to get channel info to validate received OCI in FILS (Re)Association Response frame");
4333 			goto fail;
4334 		}
4335 
4336 		if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
4337 					 channel_width_to_int(ci.chanwidth),
4338 					 ci.seg1_idx) != 0) {
4339 			wpa_printf(MSG_WARNING, "FILS: %s", ocv_errorstr);
4340 			goto fail;
4341 		}
4342 	}
4343 #endif /* CONFIG_OCV */
4344 
4345 #ifdef CONFIG_IEEE80211R
4346 	if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
4347 		struct wpa_ie_data rsn;
4348 
4349 		/* Check that PMKR1Name derived by the AP matches */
4350 		if (!elems.rsn_ie ||
4351 		    wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
4352 					 &rsn) < 0 ||
4353 		    !rsn.pmkid || rsn.num_pmkid != 1 ||
4354 		    os_memcmp(rsn.pmkid, sm->pmk_r1_name,
4355 			      WPA_PMK_NAME_LEN) != 0) {
4356 			wpa_printf(MSG_DEBUG,
4357 				   "FILS+FT: No RSNE[PMKR1Name] match in AssocResp");
4358 			goto fail;
4359 		}
4360 	}
4361 #endif /* CONFIG_IEEE80211R */
4362 
4363 	/* Key Delivery */
4364 	if (!elems.key_delivery) {
4365 		wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
4366 		goto fail;
4367 	}
4368 
4369 	/* Parse GTK and set the key to the driver */
4370 	os_memset(&gd, 0, sizeof(gd));
4371 	if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
4372 				     elems.key_delivery_len - WPA_KEY_RSC_LEN,
4373 				     &kde) < 0) {
4374 		wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
4375 		goto fail;
4376 	}
4377 	if (!kde.gtk) {
4378 		wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
4379 		goto fail;
4380 	}
4381 	maxkeylen = gd.gtk_len = kde.gtk_len - 2;
4382 	if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
4383 					      gd.gtk_len, maxkeylen,
4384 					      &gd.key_rsc_len, &gd.alg))
4385 		goto fail;
4386 
4387 	wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
4388 	gd.keyidx = kde.gtk[0] & 0x3;
4389 	gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
4390 						     !!(kde.gtk[0] & BIT(2)));
4391 	if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
4392 		wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
4393 			   (unsigned long) kde.gtk_len - 2);
4394 		goto fail;
4395 	}
4396 	os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
4397 
4398 	wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
4399 	if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
4400 		wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
4401 		goto fail;
4402 	}
4403 
4404 	if (ieee80211w_set_keys(sm, &kde) < 0) {
4405 		wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
4406 		goto fail;
4407 	}
4408 
4409 	alg = wpa_cipher_to_alg(sm->pairwise_cipher);
4410 	keylen = wpa_cipher_key_len(sm->pairwise_cipher);
4411 	if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
4412 		wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
4413 			   keylen, (long unsigned int) sm->ptk.tk_len);
4414 		goto fail;
4415 	}
4416 	rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
4417 	wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
4418 			sm->ptk.tk, keylen);
4419 	if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen,
4420 			   sm->ptk.tk, keylen) < 0) {
4421 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4422 			"FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
4423 			MACSTR ")",
4424 			alg, keylen, MAC2STR(sm->bssid));
4425 		goto fail;
4426 	}
4427 
4428 	/* TODO: TK could be cleared after auth frame exchange now that driver
4429 	 * takes care of association frame encryption/decryption. */
4430 	/* TK is not needed anymore in supplicant */
4431 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
4432 	sm->ptk.tk_len = 0;
4433 	sm->ptk.installed = 1;
4434 
4435 	/* FILS HLP Container */
4436 	fils_process_hlp_container(sm, ie_start, end - ie_start);
4437 
4438 	/* TODO: FILS IP Address Assignment */
4439 
4440 	wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
4441 	sm->fils_completed = 1;
4442 
4443 	return 0;
4444 fail:
4445 	return -1;
4446 }
4447 
4448 
4449 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set)
4450 {
4451 	if (sm)
4452 		sm->fils_completed = !!set;
4453 }
4454 
4455 #endif /* CONFIG_FILS */
4456 
4457 
4458 int wpa_fils_is_completed(struct wpa_sm *sm)
4459 {
4460 #ifdef CONFIG_FILS
4461 	return sm && sm->fils_completed;
4462 #else /* CONFIG_FILS */
4463 	return 0;
4464 #endif /* CONFIG_FILS */
4465 }
4466 
4467 
4468 #ifdef CONFIG_OWE
4469 
4470 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group)
4471 {
4472 	struct wpabuf *ie = NULL, *pub = NULL;
4473 	size_t prime_len;
4474 
4475 	if (group == 19)
4476 		prime_len = 32;
4477 	else if (group == 20)
4478 		prime_len = 48;
4479 	else if (group == 21)
4480 		prime_len = 66;
4481 	else
4482 		return NULL;
4483 
4484 	crypto_ecdh_deinit(sm->owe_ecdh);
4485 	sm->owe_ecdh = crypto_ecdh_init(group);
4486 	if (!sm->owe_ecdh)
4487 		goto fail;
4488 	sm->owe_group = group;
4489 	pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
4490 	pub = wpabuf_zeropad(pub, prime_len);
4491 	if (!pub)
4492 		goto fail;
4493 
4494 	ie = wpabuf_alloc(5 + wpabuf_len(pub));
4495 	if (!ie)
4496 		goto fail;
4497 	wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
4498 	wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
4499 	wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
4500 	wpabuf_put_le16(ie, group);
4501 	wpabuf_put_buf(ie, pub);
4502 	wpabuf_free(pub);
4503 	wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
4504 			ie);
4505 
4506 	return ie;
4507 fail:
4508 	wpabuf_free(pub);
4509 	crypto_ecdh_deinit(sm->owe_ecdh);
4510 	sm->owe_ecdh = NULL;
4511 	return NULL;
4512 }
4513 
4514 
4515 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
4516 			   const u8 *resp_ies, size_t resp_ies_len)
4517 {
4518 	struct ieee802_11_elems elems;
4519 	u16 group;
4520 	struct wpabuf *secret, *pub, *hkey;
4521 	int res;
4522 	u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
4523 	const char *info = "OWE Key Generation";
4524 	const u8 *addr[2];
4525 	size_t len[2];
4526 	size_t hash_len, prime_len;
4527 	struct wpa_ie_data data;
4528 
4529 	if (!resp_ies ||
4530 	    ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
4531 	    ParseFailed) {
4532 		wpa_printf(MSG_INFO,
4533 			   "OWE: Could not parse Association Response frame elements");
4534 		return -1;
4535 	}
4536 
4537 	if (sm->cur_pmksa && elems.rsn_ie &&
4538 	    wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len,
4539 				 &data) == 0 &&
4540 	    data.num_pmkid == 1 && data.pmkid &&
4541 	    os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) {
4542 		wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching");
4543 		wpa_sm_set_pmk_from_pmksa(sm);
4544 		return 0;
4545 	}
4546 
4547 	if (!elems.owe_dh) {
4548 		wpa_printf(MSG_INFO,
4549 			   "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
4550 		return -1;
4551 	}
4552 
4553 	group = WPA_GET_LE16(elems.owe_dh);
4554 	if (group != sm->owe_group) {
4555 		wpa_printf(MSG_INFO,
4556 			   "OWE: Unexpected Diffie-Hellman group in response: %u",
4557 			   group);
4558 		return -1;
4559 	}
4560 
4561 	if (!sm->owe_ecdh) {
4562 		wpa_printf(MSG_INFO, "OWE: No ECDH state available");
4563 		return -1;
4564 	}
4565 
4566 	if (group == 19)
4567 		prime_len = 32;
4568 	else if (group == 20)
4569 		prime_len = 48;
4570 	else if (group == 21)
4571 		prime_len = 66;
4572 	else
4573 		return -1;
4574 
4575 	secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
4576 					 elems.owe_dh + 2,
4577 					 elems.owe_dh_len - 2);
4578 	secret = wpabuf_zeropad(secret, prime_len);
4579 	if (!secret) {
4580 		wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
4581 		return -1;
4582 	}
4583 	wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
4584 
4585 	/* prk = HKDF-extract(C | A | group, z) */
4586 
4587 	pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
4588 	if (!pub) {
4589 		wpabuf_clear_free(secret);
4590 		return -1;
4591 	}
4592 
4593 	/* PMKID = Truncate-128(Hash(C | A)) */
4594 	addr[0] = wpabuf_head(pub);
4595 	len[0] = wpabuf_len(pub);
4596 	addr[1] = elems.owe_dh + 2;
4597 	len[1] = elems.owe_dh_len - 2;
4598 	if (group == 19) {
4599 		res = sha256_vector(2, addr, len, pmkid);
4600 		hash_len = SHA256_MAC_LEN;
4601 	} else if (group == 20) {
4602 		res = sha384_vector(2, addr, len, pmkid);
4603 		hash_len = SHA384_MAC_LEN;
4604 	} else if (group == 21) {
4605 		res = sha512_vector(2, addr, len, pmkid);
4606 		hash_len = SHA512_MAC_LEN;
4607 	} else {
4608 		res = -1;
4609 		hash_len = 0;
4610 	}
4611 	pub = wpabuf_zeropad(pub, prime_len);
4612 	if (res < 0 || !pub) {
4613 		wpabuf_free(pub);
4614 		wpabuf_clear_free(secret);
4615 		return -1;
4616 	}
4617 
4618 	hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
4619 	if (!hkey) {
4620 		wpabuf_free(pub);
4621 		wpabuf_clear_free(secret);
4622 		return -1;
4623 	}
4624 
4625 	wpabuf_put_buf(hkey, pub); /* C */
4626 	wpabuf_free(pub);
4627 	wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
4628 	wpabuf_put_le16(hkey, sm->owe_group); /* group */
4629 	if (group == 19)
4630 		res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
4631 				  wpabuf_head(secret), wpabuf_len(secret), prk);
4632 	else if (group == 20)
4633 		res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
4634 				  wpabuf_head(secret), wpabuf_len(secret), prk);
4635 	else if (group == 21)
4636 		res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
4637 				  wpabuf_head(secret), wpabuf_len(secret), prk);
4638 	wpabuf_clear_free(hkey);
4639 	wpabuf_clear_free(secret);
4640 	if (res < 0)
4641 		return -1;
4642 
4643 	wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
4644 
4645 	/* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
4646 
4647 	if (group == 19)
4648 		res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
4649 				      os_strlen(info), sm->pmk, hash_len);
4650 	else if (group == 20)
4651 		res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
4652 				      os_strlen(info), sm->pmk, hash_len);
4653 	else if (group == 21)
4654 		res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
4655 				      os_strlen(info), sm->pmk, hash_len);
4656 	os_memset(prk, 0, SHA512_MAC_LEN);
4657 	if (res < 0) {
4658 		sm->pmk_len = 0;
4659 		return -1;
4660 	}
4661 	sm->pmk_len = hash_len;
4662 
4663 	wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
4664 	wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
4665 	pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
4666 			bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
4667 			NULL);
4668 
4669 	return 0;
4670 }
4671 
4672 #endif /* CONFIG_OWE */
4673 
4674 
4675 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id)
4676 {
4677 #ifdef CONFIG_FILS
4678 	if (sm && fils_cache_id) {
4679 		sm->fils_cache_id_set = 1;
4680 		os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN);
4681 	}
4682 #endif /* CONFIG_FILS */
4683 }
4684 
4685 
4686 #ifdef CONFIG_DPP2
4687 void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z)
4688 {
4689 	if (sm) {
4690 		wpabuf_clear_free(sm->dpp_z);
4691 		sm->dpp_z = z ? wpabuf_dup(z) : NULL;
4692 	}
4693 }
4694 #endif /* CONFIG_DPP2 */
4695