1 /*
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2010, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15 #include "utils/includes.h"
16
17 #include "utils/common.h"
18 #include "utils/eloop.h"
19 #include "rsn_supp/wpa.h"
20 #include "rsn_supp/pmksa_cache.h"
21 #include "rsn_supp/wpa_i.h"
22 #include "common/eapol_common.h"
23 #include "common/ieee802_11_defs.h"
24 #include "rsn_supp/wpa_ie.h"
25 #include "esp_wpas_glue.h"
26 #include "esp_wifi_driver.h"
27
28 #include "crypto/crypto.h"
29 #include "crypto/sha1.h"
30 #include "crypto/aes_wrap.h"
31 #include "crypto/ccmp.h"
32 #include "crypto/sha256.h"
33 #include "esp_rom_sys.h"
34 #include "common/bss.h"
35 #include "esp_common_i.h"
36 #include "esp_owe_i.h"
37 #include "common/sae.h"
38 #include "esp_eap_client_i.h"
39
40 /**
41 * eapol_sm_notify_eap_success - Notification of external EAP success trigger
42 * @sm: Pointer to EAPOL state machine allocated with eapol_sm_init()
43 * @success: %TRUE = set success, %FALSE = clear success
44 *
45 * Notify the EAPOL state machine that external event has forced EAP state to
46 * success (success = %TRUE). This can be cleared by setting success = %FALSE.
47 *
48 * This function is called to update EAP state when WPA-PSK key handshake has
49 * been completed successfully since WPA-PSK does not use EAP state machine.
50 */
51
52 #define WPA_4_4_HANDSHAKE_BIT (1<<13)
53 #define WPA_GROUP_HANDSHAKE_BIT (1<<14)
54 struct wpa_sm gWpaSm;
55 /* fix buf for tx for now */
56 #define WPA_TX_MSG_BUFF_MAXLEN 200
57 #define MIN_DH_LEN(len) (len < 4)
58
59 #define ASSOC_IE_LEN 24 + 2 + PMKID_LEN + RSN_SELECTOR_LEN
60 #define MAX_EAPOL_RETRIES 3
61 u8 assoc_ie_buf[ASSOC_IE_LEN+2];
62
63 void set_assoc_ie(u8 * assoc_buf);
64
65 static int wpa_sm_get_key(uint8_t *ifx, int *alg, u8 *addr, int *key_idx, u8 *key, size_t key_len, enum key_flag key_flag);
66
67 void wpa_set_passphrase(char * passphrase, u8 *ssid, size_t ssid_len);
68
69 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm);
70 static bool wpa_supplicant_gtk_in_use(struct wpa_sm *sm, struct wpa_gtk_data *gd);
71 void wpa_supplicant_stop_countermeasures(void *data, void *user_ctx);
wpa_sm_get_state(struct wpa_sm * sm)72 static inline enum wpa_states wpa_sm_get_state(struct wpa_sm *sm)
73 {
74 return sm->wpa_state;;
75 }
76
wpa_sm_cancel_auth_timeout(struct wpa_sm * sm)77 static inline void wpa_sm_cancel_auth_timeout(struct wpa_sm *sm)
78 {
79
80 }
81
eapol_sm_notify_eap_success(Boolean success)82 void eapol_sm_notify_eap_success(Boolean success)
83 {
84
85 }
86
cipher_type_map_supp_to_public(unsigned wpa_cipher)87 wifi_cipher_type_t cipher_type_map_supp_to_public(unsigned wpa_cipher)
88 {
89 switch (wpa_cipher) {
90 case WPA_CIPHER_NONE:
91 return WIFI_CIPHER_TYPE_NONE;
92
93 case WPA_CIPHER_WEP40:
94 return WIFI_CIPHER_TYPE_WEP40;
95
96 case WPA_CIPHER_WEP104:
97 return WIFI_CIPHER_TYPE_WEP104;
98
99 case WPA_CIPHER_TKIP:
100 return WIFI_CIPHER_TYPE_TKIP;
101
102 case WPA_CIPHER_CCMP:
103 return WIFI_CIPHER_TYPE_CCMP;
104
105 case WPA_CIPHER_CCMP|WPA_CIPHER_TKIP:
106 return WIFI_CIPHER_TYPE_TKIP_CCMP;
107
108 case WPA_CIPHER_AES_128_CMAC:
109 return WIFI_CIPHER_TYPE_AES_CMAC128;
110
111 case WPA_CIPHER_SMS4:
112 return WIFI_CIPHER_TYPE_SMS4;
113
114 case WPA_CIPHER_GCMP:
115 return WIFI_CIPHER_TYPE_GCMP;
116
117 case WPA_CIPHER_GCMP_256:
118 return WIFI_CIPHER_TYPE_GCMP256;
119
120 default:
121 return WIFI_CIPHER_TYPE_UNKNOWN;
122 }
123 }
124
cipher_type_map_public_to_supp(wifi_cipher_type_t cipher)125 unsigned cipher_type_map_public_to_supp(wifi_cipher_type_t cipher)
126 {
127 switch (cipher) {
128 case WIFI_CIPHER_TYPE_NONE:
129 return WPA_CIPHER_NONE;
130
131 case WIFI_CIPHER_TYPE_WEP40:
132 return WPA_CIPHER_WEP40;
133
134 case WIFI_CIPHER_TYPE_WEP104:
135 return WPA_CIPHER_WEP104;
136
137 case WIFI_CIPHER_TYPE_TKIP:
138 return WPA_CIPHER_TKIP;
139
140 case WIFI_CIPHER_TYPE_CCMP:
141 return WPA_CIPHER_CCMP;
142
143 #ifdef CONFIG_GCMP
144 case WIFI_CIPHER_TYPE_GCMP:
145 return WPA_CIPHER_GCMP;
146
147 case WIFI_CIPHER_TYPE_GCMP256:
148 return WPA_CIPHER_GCMP_256;
149 #endif
150
151 case WIFI_CIPHER_TYPE_TKIP_CCMP:
152 return WPA_CIPHER_CCMP|WPA_CIPHER_TKIP;
153
154 case WIFI_CIPHER_TYPE_AES_CMAC128:
155 return WPA_CIPHER_AES_128_CMAC;
156
157 #ifdef CONFIG_GMAC
158 case WIFI_CIPHER_TYPE_AES_GMAC128:
159 return WPA_CIPHER_BIP_GMAC_128;
160
161 case WIFI_CIPHER_TYPE_AES_GMAC256:
162 return WPA_CIPHER_BIP_GMAC_256;
163 #endif
164
165 case WIFI_CIPHER_TYPE_SMS4:
166 return WPA_CIPHER_SMS4;
167
168 default:
169 return WPA_CIPHER_NONE;
170 }
171 }
172
173 #ifdef CONFIG_ESP_WIFI_ENTERPRISE_SUPPORT
is_wpa2_enterprise_connection(void)174 static bool is_wpa2_enterprise_connection(void)
175 {
176 uint8_t authmode;
177
178 if (esp_wifi_sta_prof_is_wpa2_internal()) {
179 authmode = esp_wifi_sta_get_prof_authmode_internal();
180 if ((authmode == WPA2_AUTH_ENT) ||
181 (authmode == WPA2_AUTH_ENT_SHA256) ||
182 (authmode == WPA2_AUTH_ENT_SHA384_SUITE_B)) {
183 return true;
184 }
185 }
186
187 return false;
188 }
189 #endif
190
191 /**
192 * get_bssid - Get the current BSSID
193 * @priv: private driver interface data
194 * @bssid: buffer for BSSID (ETH_ALEN = 6 bytes)
195 *
196 * Returns: 0 on success, -1 on failure
197 *
198 * Query kernel driver for the current BSSID and copy it to bssid.
199 * Setting bssid to 00:00:00:00:00:00 is recommended if the STA is not
200 * associated.
201 */
wpa_sm_get_bssid(struct wpa_sm * sm,u8 * bssid)202 static inline int wpa_sm_get_bssid(struct wpa_sm *sm, u8 *bssid)
203 {
204 memcpy(bssid, sm->bssid, ETH_ALEN);
205 return 0;
206 }
207
208 /*
209 * wpa_sm_ether_send - Send Ethernet frame
210 * @wpa_s: Pointer to wpa_supplicant data
211 * @dest: Destination MAC address
212 * @proto: Ethertype in host byte order
213 * @buf: Frame payload starting from IEEE 802.1X header
214 * @len: Frame payload length
215 * Returns: >=0 on success, <0 on failure
216 */
wpa_sm_ether_send(struct wpa_sm * sm,const u8 * dest,u16 proto,const u8 * data,size_t data_len)217 static inline int wpa_sm_ether_send(struct wpa_sm *sm, const u8 *dest, u16 proto,
218 const u8 *data, size_t data_len)
219 {
220 return wpa_ether_send(sm, dest, proto, data, data_len);
221 }
222
223 /**
224 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
225 * @sm: Pointer to WPA state machine data from wpa_sm_init()
226 * @kck: Key Confirmation Key (KCK, part of PTK)
227 * @kck_len: KCK length in octets
228 * @ver: Version field from Key Info
229 * @dest: Destination address for the frame
230 * @proto: Ethertype (usually ETH_P_EAPOL)
231 * @msg: EAPOL-Key message
232 * @msg_len: Length of message
233 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
234 */
wpa_eapol_key_send(struct wpa_sm * sm,const u8 * kck,size_t kck_len,int ver,const u8 * dest,u16 proto,u8 * msg,size_t msg_len,u8 * key_mic)235 void wpa_eapol_key_send(struct wpa_sm *sm, const u8 *kck, size_t kck_len,
236 int ver, const u8 *dest, u16 proto,
237 u8 *msg, size_t msg_len, u8 *key_mic)
238 {
239 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
240 /*
241 * Association event was not yet received; try to fetch
242 * BSSID from the driver.
243 */
244 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
245 wpa_printf(MSG_DEBUG, "WPA: Failed to read BSSID for "
246 "EAPOL-Key destination address");
247 } else {
248 dest = sm->bssid;
249 wpa_printf(MSG_DEBUG, "WPA: Use BSSID (" MACSTR
250 ") as the destination for EAPOL-Key",
251 MAC2STR(dest));
252 }
253 }
254 if (key_mic &&
255 wpa_eapol_key_mic(kck, kck_len, sm->key_mgmt, ver, msg, msg_len,
256 key_mic)) {
257 wpa_msg(NULL, MSG_ERROR,
258 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
259 ver, sm->key_mgmt);
260 goto out;
261 }
262 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", kck, kck_len);
263 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC", key_mic, wpa_mic_len(sm->key_mgmt, sm->pmk_len));
264 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
265 wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
266 out:
267 return;
268 }
269
270 /**
271 * wpa_sm_key_request - Send EAPOL-Key Request
272 * @sm: Pointer to WPA state machine data from wpa_sm_init()
273 * @error: Indicate whether this is an Michael MIC error report
274 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
275 *
276 * Send an EAPOL-Key Request to the current authenticator. This function is
277 * used to request rekeying and it is usually called when a local Michael MIC
278 * failure is detected.
279 */
wpa_sm_key_request(struct wpa_sm * sm,int error,int pairwise)280 static void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
281 {
282 size_t mic_len, hdrlen, rlen;
283 struct wpa_eapol_key *reply;
284 struct wpa_eapol_key_192 *reply192;
285 int key_info, ver;
286 u8 bssid[ETH_ALEN], *rbuf, *key_mic;
287
288 if (sm->key_mgmt == WPA_KEY_MGMT_OSEN || wpa_key_mgmt_suite_b(sm->key_mgmt))
289 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
290 else if (wpa_key_mgmt_ft(sm->key_mgmt) || wpa_key_mgmt_sha256(sm->key_mgmt))
291 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
292 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
293 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
294 else if (sm->key_mgmt == WPA_KEY_MGMT_SAE || sm->key_mgmt == WPA_KEY_MGMT_OWE)
295 ver = 0;
296 else
297 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
298
299 if (wpa_sm_get_bssid(sm, bssid) < 0) {
300 wpa_printf(MSG_DEBUG, "Failed to read BSSID for EAPOL-Key "
301 "request");
302 return;
303 }
304
305 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
306 hdrlen = mic_len == 24 ? sizeof(*reply192) : sizeof(*reply);
307 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
308 hdrlen, &rlen, (void *) &reply);
309 if (rbuf == NULL)
310 return;
311
312 reply192 = (struct wpa_eapol_key_192 *) reply;
313
314 reply->type = sm->proto == WPA_PROTO_RSN ?
315 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
316 key_info = WPA_KEY_INFO_REQUEST | ver;
317 if (sm->ptk_set)
318 key_info |= WPA_KEY_INFO_SECURE;
319 if (sm->ptk_set && mic_len)
320 key_info |= WPA_KEY_INFO_MIC;
321 if (error)
322 key_info |= WPA_KEY_INFO_ERROR;
323 if (pairwise)
324 key_info |= WPA_KEY_INFO_KEY_TYPE;
325
326 WPA_PUT_BE16(reply->key_info, key_info);
327 WPA_PUT_BE16(reply->key_length, 0);
328
329 os_memcpy(reply->replay_counter, sm->request_counter,
330 WPA_REPLAY_COUNTER_LEN);
331 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
332 if (mic_len == 24)
333 WPA_PUT_BE16(reply192->key_data_length, 0);
334 else
335 WPA_PUT_BE16(reply->key_data_length, 0);
336
337 if (!(key_info & WPA_KEY_INFO_MIC))
338 key_mic = NULL;
339 else
340 key_mic = reply192->key_mic; /* same offset in reply */
341
342
343 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key Request (error=%d "
344 "pairwise=%d ptk_set=%d len=%lu)",
345 error, pairwise, sm->ptk_set, (unsigned long) rlen);
346 wpa_eapol_key_send(sm, sm->ptk.kck, sm->ptk.kck_len, ver, bssid,
347 ETH_P_EAPOL, rbuf, rlen, key_mic);
348 wpa_sm_free_eapol(rbuf);
349 }
350
wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx,enum pmksa_free_reason reason)351 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
352 void *ctx, enum pmksa_free_reason reason)
353 {
354 struct wpa_sm *sm = ctx;
355 int deauth = 0;
356
357 wpa_printf( MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
358 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
359
360 if (sm->cur_pmksa == entry) {
361 wpa_printf( MSG_DEBUG,
362 "RSN: %s current PMKSA entry",
363 reason == PMKSA_REPLACE ? "replaced" : "removed");
364 pmksa_cache_clear_current(sm);
365
366 /*
367 * If an entry is simply being replaced, there's no need to
368 * deauthenticate because it will be immediately re-added.
369 * This happens when EAP authentication is completed again
370 * (reauth or failed PMKSA caching attempt).
371 * */
372 if (reason != PMKSA_REPLACE)
373 deauth = 1;
374 }
375
376 if (reason == PMKSA_EXPIRE &&
377 (sm->pmk_len == entry->pmk_len &&
378 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
379 wpa_printf( MSG_DEBUG,
380 "RSN: deauthenticating due to expired PMK");
381 pmksa_cache_clear_current(sm);
382 deauth = 1;
383 }
384
385 if (deauth) {
386 os_memset(sm->pmk, 0, sizeof(sm->pmk));
387 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
388 }
389 }
390
391
392
393
wpa_supplicant_get_pmk(struct wpa_sm * sm,const unsigned char * src_addr,const u8 * pmkid)394 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
395 const unsigned char *src_addr,
396 const u8 *pmkid)
397 {
398 int abort_cached = 0;
399
400 if (pmkid && !sm->cur_pmksa) {
401 /* When using drivers that generate RSN IE, wpa_supplicant may
402 * not have enough time to get the association information
403 * event before receiving this 1/4 message, so try to find a
404 * matching PMKSA cache entry here. */
405 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid,
406 NULL);
407 if (sm->cur_pmksa) {
408 wpa_printf(MSG_DEBUG,
409 "RSN: found matching PMKID from PMKSA cache");
410 } else {
411 wpa_printf( MSG_DEBUG,
412 "RSN: no matching PMKID found");
413 abort_cached = 1;
414 }
415 }
416
417 if (pmkid && sm->cur_pmksa &&
418 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
419
420 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
421 wpa_sm_set_pmk_from_pmksa(sm);
422 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
423 sm->pmk, sm->pmk_len);
424 //eapol_sm_notify_cached(sm->eapol);
425 #ifdef CONFIG_IEEE80211R
426 sm->xxkey_len = 0;
427 #ifdef CONFIG_WPA3_SAE
428 if ((sm->key_mgmt == WPA_KEY_MGMT_FT_SAE) &&
429 sm->pmk_len == PMK_LEN) {
430 /* Need to allow FT key derivation to proceed with
431 * PMK from SAE being used as the XXKey in cases where
432 * the PMKID in msg 1/4 matches the PMKSA entry that was
433 * just added based on SAE authentication for the
434 * initial mobility domain association. */
435 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
436 sm->xxkey_len = sm->pmk_len;
437 }
438 #endif /* CONFIG_WPA3_SAE */
439
440 #endif /* CONFIG_IEEE80211R */
441 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) {
442 int res = 0, pmk_len;
443 /* For ESP_SUPPLICANT this is already set using wpa_set_pmk*/
444 //res = eapol_sm_get_key(sm->eapol, 0, sm->pmk, PMK_LEN);
445 if (wpa_key_mgmt_sha384(sm->key_mgmt))
446 pmk_len = PMK_LEN_SUITE_B_192;
447 else
448 pmk_len = PMK_LEN;
449
450 if(!sm->pmk_len) {
451 res = -1;
452 }
453
454 if (res == 0) {
455 struct rsn_pmksa_cache_entry *sa = NULL;
456 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
457 "machines", sm->pmk, pmk_len);
458 sm->pmk_len = pmk_len;
459 //wpa_supplicant_key_mgmt_set_pmk(sm);
460 if (sm->proto == WPA_PROTO_RSN &&
461 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
462 !wpa_key_mgmt_ft(sm->key_mgmt)) {
463 sa = pmksa_cache_add(sm->pmksa, sm->pmk, pmk_len,
464 NULL, NULL, 0, src_addr, sm->own_addr,
465 sm->network_ctx, sm->key_mgmt);
466 }
467 if (!sm->cur_pmksa && pmkid &&
468 pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL))
469 {
470 wpa_printf( MSG_DEBUG,
471 "RSN: the new PMK matches with the "
472 "PMKID");
473 abort_cached = 0;
474 } else if (sa && !sm->cur_pmksa && pmkid) {
475 /*
476 * It looks like the authentication server
477 * derived mismatching MSK. This should not
478 * really happen, but bugs happen.. There is not
479 * much we can do here without knowing what
480 * exactly caused the server to misbehave.
481 */
482 wpa_printf( MSG_INFO,
483 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
484 return -1;
485 }
486
487 if (!sm->cur_pmksa)
488 sm->cur_pmksa = sa;
489 } else {
490 wpa_printf( MSG_WARNING,
491 "WPA: Failed to get master session key from "
492 "EAPOL state machines - key handshake "
493 "aborted");
494 if (sm->cur_pmksa) {
495 wpa_printf( MSG_DEBUG,
496 "RSN: Cancelled PMKSA caching "
497 "attempt");
498 sm->cur_pmksa = NULL;
499 abort_cached = 1;
500 } else if (!abort_cached) {
501 return -1;
502 }
503 }
504 }
505
506 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
507 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
508 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
509 {
510 /* Send EAPOL-Start to trigger full EAP authentication. */
511 u8 *buf;
512 size_t buflen;
513
514 wpa_printf( MSG_DEBUG,
515 "RSN: no PMKSA entry found - trigger "
516 "full EAP authentication");
517 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
518 NULL, 0, &buflen, NULL);
519 if (buf) {
520 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
521 buf, buflen);
522 wpa_sm_free_eapol(buf);
523 return -2;
524 }
525
526 return -1;
527 }
528
529 return 0;
530 }
531
532
533 /**
534 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
535 * @sm: Pointer to WPA state machine data from wpa_sm_init()
536 * @dst: Destination address for the frame
537 * @key: Pointer to the EAPOL-Key frame header
538 * @ver: Version bits from EAPOL-Key Key Info
539 * @nonce: Nonce value for the EAPOL-Key frame
540 * @wpa_ie: WPA/RSN IE
541 * @wpa_ie_len: Length of the WPA/RSN IE
542 * @ptk: PTK to use for keyed hash and encryption
543 * Returns: 0 on success, -1 on failure
544 */
wpa_supplicant_send_2_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,int ver,const u8 * nonce,const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ptk * ptk)545 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
546 const struct wpa_eapol_key *key,
547 int ver, const u8 *nonce,
548 const u8 *wpa_ie, size_t wpa_ie_len,
549 struct wpa_ptk *ptk)
550 {
551 size_t mic_len, hdrlen, rlen;
552 struct wpa_eapol_key *reply;
553 struct wpa_eapol_key_192 *reply192;
554 u8 *rsn_ie_buf = NULL;
555 u8 *rbuf, *key_mic;
556
557 if (wpa_ie == NULL) {
558 wpa_printf(MSG_ERROR, "WPA: No wpa_ie set - cannot "
559 "generate msg 2/4");
560 return -1;
561 }
562
563 #ifdef CONFIG_IEEE80211R
564 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
565 int res;
566
567 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE before FT processing",
568 wpa_ie, wpa_ie_len);
569 /*
570 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
571 * FTIE from (Re)Association Response.
572 */
573 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
574 sm->assoc_resp_ies_len);
575 if (rsn_ie_buf == NULL)
576 return -1;
577 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
578 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
579 sm->pmk_r1_name);
580 if (res < 0) {
581 os_free(rsn_ie_buf);
582 return -1;
583 }
584 wpa_hexdump(MSG_DEBUG,
585 "WPA: WPA IE after PMKID[PMKR1Name] addition into RSNE",
586 rsn_ie_buf, wpa_ie_len);
587
588 if (sm->assoc_resp_ies) {
589 wpa_hexdump(MSG_DEBUG, "WPA: Add assoc_resp_ies",
590 sm->assoc_resp_ies,
591 sm->assoc_resp_ies_len);
592 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
593 sm->assoc_resp_ies_len);
594 wpa_ie_len += sm->assoc_resp_ies_len;
595 }
596
597 wpa_ie = rsn_ie_buf;
598 }
599 #endif /* CONFIG_IEEE80211R */
600 wpa_hexdump(MSG_MSGDUMP, "WPA: WPA IE for msg 2/4\n", wpa_ie, wpa_ie_len);
601
602 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
603 hdrlen = mic_len == 24 ? sizeof(*reply192) : sizeof(*reply);
604 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
605 NULL, hdrlen + wpa_ie_len,
606 &rlen, (void *) &reply);
607 if (rbuf == NULL) {
608 os_free(rsn_ie_buf);
609 return -1;
610 }
611 reply192 = (struct wpa_eapol_key_192 *) reply;
612
613 reply->type = sm->proto == WPA_PROTO_RSN ?
614 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
615 WPA_PUT_BE16(reply->key_info,
616 ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_MIC);
617 if (sm->proto == WPA_PROTO_RSN)
618 WPA_PUT_BE16(reply->key_length, 0);
619 else
620 memcpy(reply->key_length, key->key_length, 2);
621
622 memcpy(reply->replay_counter, key->replay_counter,
623 WPA_REPLAY_COUNTER_LEN);
624
625 key_mic = reply192->key_mic; /* same offset for reply and reply192 */
626 if (mic_len == 24) {
627 WPA_PUT_BE16(reply192->key_data_length, wpa_ie_len);
628 os_memcpy(reply192 + 1, wpa_ie, wpa_ie_len);
629 } else {
630 WPA_PUT_BE16(reply->key_data_length, wpa_ie_len);
631 os_memcpy(reply + 1, wpa_ie, wpa_ie_len);
632 }
633
634 os_free(rsn_ie_buf);
635 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
636
637 wpa_printf(MSG_DEBUG, "WPA Send EAPOL-Key 2/4");
638
639 wpa_eapol_key_send(sm, ptk->kck, ptk->kck_len, ver, dst, ETH_P_EAPOL,
640 rbuf, rlen, key_mic);
641 wpa_sm_free_eapol(rbuf);
642
643 return 0;
644 }
645
wpa_derive_ptk(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,struct wpa_ptk * ptk)646 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
647 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
648 {
649 #ifdef CONFIG_IEEE80211R
650 if (wpa_key_mgmt_ft(sm->key_mgmt))
651 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
652 #endif /* CONFIG_IEEE80211R */
653 return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
654 sm->own_addr, sm->bssid, sm->snonce,
655 key->key_nonce, ptk, sm->key_mgmt,
656 sm->pairwise_cipher);
657 }
658
wpa_supplicant_process_1_of_4(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)659 void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
660 const unsigned char *src_addr,
661 const struct wpa_eapol_key *key,
662 u16 ver, const u8 *key_data,
663 size_t key_data_len)
664 {
665 struct wpa_eapol_ie_parse ie;
666 struct wpa_ptk *ptk;
667 int res;
668 u8 *kde, *kde_buf = NULL;
669 size_t kde_len;
670
671 #ifdef CONFIG_ESP_WIFI_ENTERPRISE_SUPPORT
672 if (is_wpa2_enterprise_connection()) {
673 wpa2_ent_eap_state_t state = eap_client_get_eap_state();
674 if (state == WPA2_ENT_EAP_STATE_IN_PROGRESS) {
675 wpa_printf(MSG_INFO, "EAP Success has not been processed yet."
676 " Drop EAPOL message.");
677 return;
678 }
679 }
680 #endif
681
682 wpa_sm_set_state(WPA_FIRST_HALF_4WAY_HANDSHAKE);
683
684 wpa_printf(MSG_DEBUG, "WPA 1/4-Way Handshake");
685
686 memset(&ie, 0, sizeof(ie));
687
688 if (sm->proto == WPA_PROTO_RSN) {
689 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
690 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
691 key_data, key_data_len);
692 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
693 goto failed;
694 if (ie.pmkid) {
695 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
696 "Authenticator", ie.pmkid, PMKID_LEN);
697 }
698 }
699 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
700
701 if (res == -2) {
702 wpa_printf(MSG_DEBUG, "RSN: Do not reply to msg 1/4 - "
703 "requesting full EAP authentication");
704 return;
705 }
706 if (res)
707 goto failed;
708
709 #ifdef CONFIG_ESP_WIFI_ENTERPRISE_SUPPORT
710 if (is_wpa2_enterprise_connection()) {
711 pmksa_cache_set_current(sm, NULL, sm->bssid, 0, 0);
712 }
713 #endif
714
715 if (sm->renew_snonce) {
716 if (os_get_random(sm->snonce, WPA_NONCE_LEN)) {
717 wpa_printf(MSG_DEBUG, "WPA: Failed to get random data for SNonce");
718 goto failed;
719 }
720
721 sm->renew_snonce = 0;
722 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
723 sm->snonce, WPA_NONCE_LEN);
724 }
725
726 /* Calculate PTK which will be stored as a temporary PTK until it has
727 * been verified when processing message 3/4. */
728 ptk = &sm->tptk;
729 wpa_derive_ptk(sm, src_addr, key, ptk);
730 /* Supplicant: swap tx/rx Mic keys */
731 sm->tptk_set = 1;
732 sm->ptk_set = 0;
733 sm->key_install = true;
734 kde = sm->assoc_wpa_ie;
735 kde_len = sm->assoc_wpa_ie_len;
736 kde_buf = os_malloc(kde_len +
737 sm->assoc_rsnxe_len);
738 if (!kde_buf)
739 goto failed;
740 os_memcpy(kde_buf, kde, kde_len);
741 kde = kde_buf;
742
743 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) {
744 os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len);
745 kde_len += sm->assoc_rsnxe_len;
746 }
747
748 if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce,
749 kde, kde_len, ptk))
750 goto failed;
751
752 os_free(kde_buf);
753 memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
754 return;
755
756 failed:
757 os_free(kde_buf);
758 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
759 }
760
wpa_sm_rekey_ptk(void * eloop_ctx,void * timeout_ctx)761 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
762 {
763 struct wpa_sm *sm = eloop_ctx;
764
765 wpa_printf(MSG_DEBUG, "WPA: Request PTK rekeying");
766 wpa_sm_key_request(sm, 0, 1);
767 }
768
769
wpa_supplicant_install_ptk(struct wpa_sm * sm,enum key_flag key_flag)770 static int wpa_supplicant_install_ptk(struct wpa_sm *sm, enum key_flag key_flag)
771 {
772 int keylen;
773 enum wpa_alg alg;
774
775 if (sm->ptk.installed) {
776 wpa_printf(MSG_DEBUG, "WPA: Do not re-install same PTK to the driver");
777 return 0;
778 }
779 wpa_printf(MSG_DEBUG, "WPA: Installing PTK to the driver.");
780
781 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
782 wpa_printf(MSG_DEBUG, "WPA: Pairwise Cipher Suite: NONE - do not use pairwise keys");
783 return 0;
784 }
785
786 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
787 wpa_printf(MSG_DEBUG, "WPA: Unsupported pairwise cipher %d", sm->pairwise_cipher);
788 return -1;
789 }
790
791 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
792 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
793
794 if (alg == WIFI_WPA_ALG_NONE) {
795 wpa_printf(MSG_DEBUG, "WPA: Pairwise Cipher Suite: "
796 "NONE - do not use pairwise keys");
797 return 0;
798 }
799 if (wpa_sm_set_key(&(sm->install_ptk), alg, sm->bssid, 0, 1, (sm->install_ptk).seq, WPA_KEY_RSC_LEN,
800 sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE | key_flag) < 0) {
801 wpa_printf(MSG_DEBUG, "WPA: Failed to set PTK to the "
802 "driver (alg=%d keylen=%d bssid=" MACSTR ")",
803 alg, keylen, MAC2STR(sm->bssid));
804 return -1;
805 }
806
807 sm->ptk.installed = 1;
808
809 if (sm->wpa_ptk_rekey) {
810 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
811 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
812 sm, NULL);
813 }
814
815 return 0;
816 }
817
wpa_supplicant_check_group_cipher(struct wpa_sm * sm,int group_cipher,int keylen,int maxkeylen,int * key_rsc_len,enum wpa_alg * alg)818 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
819 int group_cipher,
820 int keylen, int maxkeylen,
821 int *key_rsc_len,
822 enum wpa_alg *alg)
823 {
824 int klen;
825
826 *alg = wpa_cipher_to_alg(group_cipher);
827 if (*alg == WIFI_WPA_ALG_NONE) {
828 wpa_printf(MSG_WARNING,
829 "WPA: Unsupported Group Cipher %d",
830 group_cipher);
831 return -1;
832 }
833 *key_rsc_len = 6;
834
835 klen = wpa_cipher_key_len(group_cipher);
836 if (keylen != klen || maxkeylen < klen) {
837 wpa_printf(MSG_WARNING,
838 "WPA: Unsupported %s Group Cipher key length %d (%d)",
839 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
840 return -1;
841 }
842 return 0;
843 }
844
wpa_supplicant_key_neg_complete(struct wpa_sm * sm,const u8 * addr,int secure)845 void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
846 const u8 *addr, int secure)
847 {
848 wpa_printf(MSG_DEBUG, "WPA: Key negotiation completed with "
849 MACSTR " [PTK=%s GTK=%s]\n", MAC2STR(addr),
850 wpa_cipher_txt(sm->pairwise_cipher),
851 wpa_cipher_txt(sm->group_cipher));
852 wpa_sm_cancel_auth_timeout(sm);
853 wpa_sm_set_state(WPA_COMPLETED);
854
855 wpa_neg_complete();
856 sm->eapol1_count = 0;
857 sm->use_ext_key_id = 0;
858
859 if (secure) {
860 wpa_sm_mlme_setprotection(
861 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
862 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
863
864 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) || sm->key_mgmt == WPA_KEY_MGMT_OWE)
865 eapol_sm_notify_eap_success(TRUE);
866 /*
867 * Start preauthentication after a short wait to avoid a
868 * possible race condition between the data receive and key
869 * configuration after the 4-Way Handshake. This increases the
870 * likelyhood of the first preauth EAPOL-Start frame getting to
871 * the target AP.
872 */
873 }
874 #ifdef CONFIG_IEEE80211R
875 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
876 /* Prepare for the next transition */
877 wpa_ft_prepare_auth_request(sm, NULL);
878 sm->ft_protocol = 1;
879 }
880 #endif /* CONFIG_IEEE80211R */
881 }
882
wpa_supplicant_install_gtk(struct wpa_sm * sm,struct wpa_gtk_data * gd)883 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
884 struct wpa_gtk_data *gd)
885 {
886 u8 *_gtk = gd->gtk;
887 u8 gtk_buf[32];
888 u8 *key_rsc=(sm->install_gtk).seq;
889
890 wpa_hexdump(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
891
892 /* Detect possible key reinstallation */
893 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
894 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
895 wpa_supplicant_gtk_in_use(sm, &(sm->gd))) {
896 wpa_printf(MSG_DEBUG,
897 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
898 gd->keyidx, gd->tx, gd->gtk_len);
899 return 0;
900 }
901 wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver "
902 "(keyidx=%d tx=%d len=%d).", gd->keyidx, gd->tx,
903 gd->gtk_len);
904
905 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
906 if (sm->group_cipher == WPA_CIPHER_TKIP) {
907 /* Swap Tx/Rx keys for Michael MIC */
908 memcpy(gtk_buf, gd->gtk, 16);
909 memcpy(gtk_buf + 16, gd->gtk + 16, 8);
910 memcpy(gtk_buf + 24, gd->gtk + 24, 8);
911 _gtk = gtk_buf;
912 }
913 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
914 if (wpa_sm_set_key(&(sm->install_gtk), gd->alg,
915 sm->bssid, //(u8 *) "\xff\xff\xff\xff\xff\xff",
916 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
917 _gtk, gd->gtk_len, (KEY_FLAG_GROUP | KEY_FLAG_RX | KEY_FLAG_TX)) < 0) {
918 wpa_printf(MSG_DEBUG, "WPA: Failed to set "
919 "GTK to the driver (Group only).");
920 return -1;
921 }
922 } else if (wpa_sm_set_key(&(sm->install_gtk), gd->alg,
923 sm->bssid, //(u8 *) "\xff\xff\xff\xff\xff\xff",
924 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
925 _gtk, gd->gtk_len, KEY_FLAG_GROUP | KEY_FLAG_RX) < 0) {
926 wpa_printf(MSG_DEBUG, "WPA: Failed to set GTK to "
927 "the driver (alg=%d keylen=%d keyidx=%d)",
928 gd->alg, gd->gtk_len, gd->keyidx);
929 return -1;
930 }
931 sm->gtk.gtk_len = gd->gtk_len;
932 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
933
934 return 0;
935 }
936
wpa_supplicant_gtk_in_use(struct wpa_sm * sm,struct wpa_gtk_data * gd)937 static bool wpa_supplicant_gtk_in_use(struct wpa_sm *sm, struct wpa_gtk_data *gd)
938 {
939 u8 *_gtk = gd->gtk;
940 u8 gtk_buf[32];
941 u8 gtk_get[32] = {0};
942 u8 ifx;
943 int alg;
944 u8 bssid[6];
945 int keyidx = gd->keyidx;
946
947 wpa_printf(MSG_DEBUG, "WPA: Judge GTK: (keyidx=%d len=%d).", gd->keyidx, gd->gtk_len);
948
949 if (sm->group_cipher == WPA_CIPHER_TKIP) {
950 /* Swap Tx/Rx keys for Michael MIC */
951 memcpy(gtk_buf, gd->gtk, 16);
952 memcpy(gtk_buf + 16, gd->gtk + 16, 8);
953 memcpy(gtk_buf + 24, gd->gtk + 24, 8);
954 _gtk = gtk_buf;
955 }
956
957 if (wpa_sm_get_key(&ifx, &alg, bssid, &keyidx, gtk_get, gd->gtk_len, KEY_FLAG_GROUP) == 0) {
958 if (ifx == 0 && alg == gd->alg && memcmp(bssid, sm->bssid, ETH_ALEN) == 0 &&
959 memcmp(_gtk, gtk_get, gd->gtk_len) == 0) {
960 wpa_printf(MSG_DEBUG, "GTK %d is already in use, it may be an attack, ignore it.", gd->keyidx);
961 return true;
962 }
963 }
964
965 return false;
966 }
967
wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm * sm,int tx)968 int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
969 int tx)
970 {
971 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
972 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
973 * seemed to set this bit (incorrectly, since Tx is only when
974 * doing Group Key only APs) and without this workaround, the
975 * data connection does not work because wpa_supplicant
976 * configured non-zero keyidx to be used for unicast. */
977 wpa_printf(MSG_DEBUG, "WPA: Tx bit set for GTK, but pairwise "
978 "keys are used - ignore Tx bit");
979 return 0;
980 }
981 return tx;
982 }
983
wpa_supplicant_pairwise_gtk(struct wpa_sm * sm,const u8 * gtk,size_t gtk_len,int key_info)984 int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
985 const u8 *gtk, size_t gtk_len,
986 int key_info)
987 {
988 struct wpa_gtk_data *gd=&(sm->gd);
989
990 /*
991 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
992 * GTK KDE format:
993 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
994 * Reserved [bits 0-7]
995 * GTK
996 */
997
998 memset(gd, 0, sizeof(struct wpa_gtk_data));
999 wpa_hexdump(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
1000 gtk, gtk_len);
1001
1002 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd->gtk))
1003 return -1;
1004
1005 gd->keyidx = gtk[0] & 0x3;
1006 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1007 !!(gtk[0] & BIT(2)));
1008 gtk += 2;
1009 gtk_len -= 2;
1010
1011 memcpy(gd->gtk, gtk, gtk_len);
1012 gd->gtk_len = gtk_len;
1013
1014 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1015 gtk_len, gtk_len,
1016 &(gd->key_rsc_len), &(gd->alg))) {
1017 wpa_printf(MSG_DEBUG, "RSN: Failed to install GTK");
1018 return -1;
1019 }
1020 return 0;
1021 }
1022
1023 #ifdef CONFIG_IEEE80211W
wpa_supplicant_install_igtk(struct wpa_sm * sm,const wifi_wpa_igtk_t * igtk)1024 static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
1025 const wifi_wpa_igtk_t *igtk)
1026 {
1027 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1028 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1029
1030 /* Detect possible key reinstallation */
1031 if (sm->igtk.igtk_len == len &&
1032 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
1033 wpa_printf(MSG_DEBUG,
1034 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1035 keyidx);
1036 return 0;
1037 }
1038
1039 wpa_printf(MSG_DEBUG,
1040 "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
1041 keyidx, MAC2STR(igtk->pn));
1042 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
1043
1044 if (esp_wifi_set_igtk_internal(WIFI_IF_STA, igtk) < 0) {
1045 if (keyidx > 4095) {
1046 wpa_printf(MSG_WARNING,
1047 "WPA: Invalid IGTK KeyID %d", keyidx);
1048 }
1049 wpa_printf(MSG_WARNING,
1050 "WPA: Failed to configure IGTK to the driver");
1051 return -1;
1052 }
1053
1054 sm->igtk.igtk_len = len;
1055 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
1056
1057 return 0;
1058 }
1059 #endif /* CONFIG_IEEE80211W */
1060
1061 #ifdef DEBUG_PRINT
wpa_report_ie_mismatch(struct wpa_sm * sm,const char * reason,const u8 * src_addr,const u8 * wpa_ie,size_t wpa_ie_len,const u8 * rsn_ie,size_t rsn_ie_len)1062 void wpa_report_ie_mismatch(struct wpa_sm *sm,
1063 const char *reason, const u8 *src_addr,
1064 const u8 *wpa_ie, size_t wpa_ie_len,
1065 const u8 *rsn_ie, size_t rsn_ie_len)
1066 #else
1067 void wpa_report_ie_mismatch(struct wpa_sm *sm, const u8 *src_addr,
1068 const u8 *wpa_ie, size_t wpa_ie_len,
1069 const u8 *rsn_ie, size_t rsn_ie_len)
1070 #endif
1071 {
1072 wpa_printf(MSG_DEBUG, "WPA: %s (src=" MACSTR ")",
1073 reason, MAC2STR(src_addr));
1074 if (sm->ap_wpa_ie) {
1075 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
1076 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
1077 }
1078 if (wpa_ie) {
1079 if (!sm->ap_wpa_ie) {
1080 wpa_printf(MSG_DEBUG, "WPA: No WPA IE in "
1081 "Beacon/ProbeResp");
1082 }
1083 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
1084 wpa_ie, wpa_ie_len);
1085 }
1086
1087 if (sm->ap_rsn_ie) {
1088 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1089 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1090 }
1091 if (rsn_ie) {
1092 if (!sm->ap_rsn_ie) {
1093 wpa_printf(MSG_DEBUG, "WPA: No RSN IE in "
1094 "Beacon/ProbeResp");
1095 }
1096 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1097 rsn_ie, rsn_ie_len);
1098 }
1099
1100 wpa_sm_disassociate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
1101 }
1102
ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1103 static int ieee80211w_set_keys(struct wpa_sm *sm,
1104 struct wpa_eapol_ie_parse *ie)
1105 {
1106 #ifdef CONFIG_IEEE80211W
1107 size_t len;
1108
1109 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher))
1110 return 0;
1111
1112 if (ie->igtk) {
1113 const wifi_wpa_igtk_t *igtk;
1114 #define WPA_IGTK_KDE_PREFIX_LEN (2 + 6)
1115 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1116 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) {
1117 return -1;
1118 }
1119
1120 igtk = (const wifi_wpa_igtk_t*)ie->igtk;
1121 if (wpa_supplicant_install_igtk(sm, igtk) < 0) {
1122 return -1;
1123 }
1124 }
1125 #endif
1126 return 0;
1127 }
1128
wpa_supplicant_validate_ie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1129 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
1130 const unsigned char *src_addr,
1131 struct wpa_eapol_ie_parse *ie)
1132 {
1133 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
1134 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
1135 #ifdef DEBUG_PRINT
1136 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1137 "with IE in Beacon/ProbeResp (no IE?)",
1138 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1139 ie->rsn_ie, ie->rsn_ie_len);
1140 #else
1141 wpa_report_ie_mismatch(sm,
1142 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1143 ie->rsn_ie, ie->rsn_ie_len);
1144 #endif
1145 return -1;
1146 }
1147
1148 if ((ie->wpa_ie && sm->ap_wpa_ie &&
1149 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
1150 memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
1151 (ie->rsn_ie && sm->ap_rsn_ie &&
1152 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
1153 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
1154 ie->rsn_ie, ie->rsn_ie_len))) {
1155 #ifdef DEBUG_PRINT
1156 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1157 "with IE in Beacon/ProbeResp",
1158 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1159 ie->rsn_ie, ie->rsn_ie_len);
1160 #else
1161 wpa_report_ie_mismatch(sm,
1162 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1163 ie->rsn_ie, ie->rsn_ie_len);
1164 #endif
1165 return -1;
1166 }
1167
1168 if (sm->proto == WPA_PROTO_WPA &&
1169 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
1170 #ifdef DEBUG_PRINT
1171 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
1172 "detected - RSN was enabled and RSN IE "
1173 "was in msg 3/4, but not in "
1174 "Beacon/ProbeResp",
1175 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1176 ie->rsn_ie, ie->rsn_ie_len);
1177 #else
1178 wpa_report_ie_mismatch(sm,
1179 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1180 ie->rsn_ie, ie->rsn_ie_len);
1181 #endif
1182 return -1;
1183 }
1184
1185 if (sm->proto == WPA_PROTO_RSN &&
1186 ((sm->ap_rsnxe && !ie->rsnxe) ||
1187 (!sm->ap_rsnxe && ie->rsnxe) ||
1188 (sm->ap_rsnxe && ie->rsnxe &&
1189 (sm->ap_rsnxe_len != ie->rsnxe_len ||
1190 os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) {
1191 wpa_printf(MSG_INFO,
1192 "WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
1193 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
1194 sm->ap_rsnxe, sm->ap_rsnxe_len);
1195 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
1196 ie->rsnxe, ie->rsnxe_len);
1197 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
1198 return -1;
1199 }
1200
1201 return 0;
1202 }
1203
1204 /**
1205 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
1206 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1207 * @dst: Destination address for the frame
1208 * @key: Pointer to the EAPOL-Key frame header
1209 * @ver: Version bits from EAPOL-Key Key Info
1210 * @key_info: Key Info
1211 * @ptk: PTK to use for keyed hash and encryption
1212 * Returns: 0 on success, -1 on failure
1213 */
wpa_supplicant_send_4_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,u16 ver,u16 key_info,struct wpa_ptk * ptk)1214 static int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
1215 const struct wpa_eapol_key *key,
1216 u16 ver, u16 key_info,
1217 struct wpa_ptk *ptk)
1218 {
1219 size_t mic_len, hdrlen, rlen;
1220 struct wpa_eapol_key *reply;
1221 struct wpa_eapol_key_192 *reply192;
1222 u8 *rbuf, *key_mic;
1223
1224 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1225 hdrlen = mic_len == 24 ? sizeof(*reply192) : sizeof(*reply);
1226
1227 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1228 hdrlen,
1229 &rlen, (void *) &reply);
1230 if (rbuf == NULL)
1231 return -1;
1232
1233 sm->txcb_flags |= WPA_4_4_HANDSHAKE_BIT;
1234 wpa_printf(MSG_DEBUG, "tx 4/4 txcb_flags=%d", sm->txcb_flags);
1235
1236 reply192 = (struct wpa_eapol_key_192 *) reply;
1237 reply->type = sm->proto == WPA_PROTO_RSN ?
1238 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1239 key_info &= WPA_KEY_INFO_SECURE;
1240 key_info |= ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_MIC;
1241 WPA_PUT_BE16(reply->key_info, key_info);
1242 if (sm->proto == WPA_PROTO_RSN)
1243 WPA_PUT_BE16(reply->key_length, 0);
1244 else
1245 memcpy(reply->key_length, key->key_length, 2);
1246 memcpy(reply->replay_counter, key->replay_counter,
1247 WPA_REPLAY_COUNTER_LEN);
1248
1249 key_mic = reply192->key_mic; /* same offset for reply and reply192 */
1250 if (mic_len == 24)
1251 WPA_PUT_BE16(reply192->key_data_length, 0);
1252 else
1253 WPA_PUT_BE16(reply->key_data_length, 0);
1254
1255 wpa_printf(MSG_DEBUG, "WPA Send EAPOL-Key 4/4");
1256 wpa_eapol_key_send(sm, ptk->kck, ptk->kck_len, ver, dst, ETH_P_EAPOL,
1257 rbuf, rlen, key_mic);
1258 wpa_sm_free_eapol(rbuf);
1259
1260 return 0;
1261 }
1262
wpa_sm_set_seq(struct wpa_sm * sm,struct wpa_eapol_key * key,u8 isptk)1263 static void wpa_sm_set_seq(struct wpa_sm *sm, struct wpa_eapol_key *key, u8 isptk)
1264 {
1265 u8 *key_rsc, *seq;
1266 u8 null_rsc[WPA_KEY_RSC_LEN];
1267
1268 os_bzero(null_rsc, WPA_KEY_RSC_LEN);
1269
1270 if (sm->proto == WPA_PROTO_RSN && isptk) {
1271 key_rsc = null_rsc;
1272 } else {
1273 key_rsc = key->key_rsc;
1274 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, WPA_KEY_RSC_LEN);
1275 }
1276
1277 seq=(isptk) ? (sm->install_ptk).seq : (sm->install_gtk).seq;
1278 memcpy(seq, key_rsc, WPA_KEY_RSC_LEN);
1279 }
1280
wpa_supplicant_process_3_of_4(struct wpa_sm * sm,struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)1281 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
1282 struct wpa_eapol_key *key,
1283 u16 ver, const u8 *key_data,
1284 size_t key_data_len)
1285 {
1286 u16 key_info, keylen;
1287 struct wpa_eapol_ie_parse ie;
1288
1289 wpa_sm_set_state(WPA_LAST_HALF_4WAY_HANDSHAKE);
1290 wpa_printf(MSG_DEBUG, "WPA 3/4-Way Handshake");
1291
1292 key_info = WPA_GET_BE16(key->key_info);
1293
1294 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
1295 goto failed;
1296 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
1297 goto failed;
1298
1299 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1300 wpa_printf(MSG_DEBUG, "WPA: GTK IE in unencrypted key data");
1301 goto failed;
1302 }
1303
1304 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
1305 if (memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
1306 wpa_printf(MSG_DEBUG, "WPA: ANonce from message 1 of 4-Way "
1307 "Handshake differs from 3 of 4-Way Handshake - drop"
1308 " packet (src=" MACSTR ")", MAC2STR(sm->bssid));
1309 goto failed;
1310 }
1311
1312 keylen = WPA_GET_BE16(key->key_length);
1313 switch (sm->pairwise_cipher) {
1314 case WPA_CIPHER_CCMP:
1315 if (keylen != 16) {
1316 wpa_printf(MSG_DEBUG, "WPA: Invalid CCMP key length "
1317 "%d (src=" MACSTR ")",
1318 keylen, MAC2STR(sm->bssid));
1319 goto failed;
1320 }
1321 break;
1322 case WPA_CIPHER_TKIP:
1323 if (keylen != 32) {
1324 wpa_printf(MSG_DEBUG, "WPA: Invalid TKIP key length "
1325 "%d (src=" MACSTR ")",
1326 keylen, MAC2STR(sm->bssid));
1327 goto failed;
1328 }
1329 break;
1330 }
1331
1332
1333 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
1334 * for the next 4-Way Handshake. If msg 3 is received again, the old
1335 * SNonce will still be used to avoid changing PTK. */
1336 sm->renew_snonce = 1;
1337
1338 /*ready for txcallback , set seq and set txcallback param*/
1339 wpa_sm_set_seq(sm, key, 1);
1340 sm->key_info=key_info;
1341 (sm->gd).gtk_len=0; //used as flag if gtk is installed in callback
1342 if (ie.gtk) {
1343 wpa_sm_set_seq(sm, key, 0);
1344 if (wpa_supplicant_pairwise_gtk(sm,
1345 ie.gtk, ie.gtk_len, key_info) < 0) {
1346 wpa_printf(MSG_DEBUG, "RSN: Failed to configure GTK");
1347 goto failed;
1348 }
1349 }
1350
1351 if (sm->pmf_cfg.capable && ieee80211w_set_keys(sm, &ie) < 0) {
1352 wpa_printf(MSG_DEBUG, "RSN: Failed to configure IGTK");
1353 goto failed;
1354 }
1355
1356 if (ie.transition_disable) {
1357 wpa_supplicant_transition_disable(sm, ie.transition_disable[0]);
1358 }
1359
1360 if (sm->key_install && sm->key_info & WPA_KEY_INFO_INSTALL && sm->use_ext_key_id) {
1361 wpa_supplicant_install_ptk(sm, KEY_FLAG_RX);
1362 }
1363 /*after txover, callback will continue run remain task*/
1364 if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info,
1365 &sm->ptk)) {
1366 goto failed;
1367 }
1368
1369 return;
1370
1371 failed:
1372 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1373 }
1374
wpa_supplicant_activate_ptk(struct wpa_sm * sm)1375 static int wpa_supplicant_activate_ptk(struct wpa_sm *sm)
1376 {
1377 int keylen;
1378 enum wpa_alg alg;
1379
1380 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
1381 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
1382
1383 if (alg == WIFI_WPA_ALG_NONE) {
1384 wpa_printf(MSG_DEBUG, "WPA: Pairwise Cipher Suite: "
1385 "NONE - do not use pairwise keys");
1386 return 0;
1387 }
1388
1389 wpa_printf(MSG_DEBUG,
1390 "WPA: Activate PTK bssid=" MACSTR ")",
1391 MAC2STR(sm->bssid));
1392
1393 if (wpa_sm_set_key(&(sm->install_ptk), alg, sm->bssid, 0, 1, (sm->install_ptk).seq,
1394 WPA_KEY_RSC_LEN, sm->ptk.tk, keylen,
1395 (KEY_FLAG_MODIFY | KEY_FLAG_PAIRWISE | KEY_FLAG_RX | KEY_FLAG_TX)) < 0) {
1396 wpa_printf(MSG_WARNING,
1397 "WPA: Failed to activate PTK for TX (idx=%d bssid="
1398 MACSTR ")", 0, MAC2STR(sm->bssid));
1399 return -1;
1400 }
1401 return 0;
1402 }
1403
wpa_supplicant_send_4_of_4_txcallback(struct wpa_sm * sm)1404 static int wpa_supplicant_send_4_of_4_txcallback(struct wpa_sm *sm)
1405 {
1406 u16 key_info=sm->key_info;
1407
1408 if (sm->key_install && key_info & WPA_KEY_INFO_INSTALL) {
1409 if (sm->use_ext_key_id) {
1410 if (wpa_supplicant_activate_ptk(sm))
1411 goto failed;
1412 } else {
1413 if (wpa_supplicant_install_ptk(sm, KEY_FLAG_TX | KEY_FLAG_RX))
1414 goto failed;
1415 }
1416 }
1417 else if (sm->key_install == false) {
1418 wpa_printf(MSG_DEBUG, "PTK has been installed, it may be an attack, ignor it.");
1419 }
1420
1421 wpa_sm_set_state(WPA_GROUP_HANDSHAKE);
1422
1423 if ((sm->gd).gtk_len) {
1424 if (sm->key_install) {
1425 if (wpa_supplicant_install_gtk(sm, &(sm->gd)))
1426 goto failed;
1427 }
1428 else {
1429 wpa_printf(MSG_DEBUG, "GTK has been installed, it may be an attack, ignor it.");
1430 }
1431 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1432 key_info & WPA_KEY_INFO_SECURE);
1433 }
1434
1435 if (key_info & WPA_KEY_INFO_SECURE) {
1436 wpa_sm_mlme_setprotection(
1437 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
1438 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1439 }
1440
1441 sm->key_install = false;
1442
1443 #if defined(CONFIG_SUITEB192) || defined (CONFIG_SUITEB)
1444 /* Add PMKSA cache entry for Suite B AKMs here since PMKID can be
1445 * calculated only after KCK has been derived. Though, do not replace an
1446 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
1447 * to avoid unnecessary changes of PMKID while continuing to use the
1448 * same PMK. */
1449 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
1450 !sm->cur_pmksa) {
1451 struct rsn_pmksa_cache_entry *sa;
1452
1453 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
1454 sm->ptk.kck, sm->ptk.kck_len,
1455 sm->bssid, sm->own_addr,
1456 sm->network_ctx, sm->key_mgmt);
1457 if (!sm->cur_pmksa)
1458 sm->cur_pmksa = sa;
1459 }
1460 #endif
1461
1462 return 0;
1463
1464 failed:
1465 return WLAN_REASON_UNSPECIFIED;
1466 }
1467
wpa_supplicant_process_1_of_2_rsn(struct wpa_sm * sm,const u8 * keydata,size_t keydatalen,u16 key_info,struct wpa_gtk_data * gd)1468 static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm,
1469 const u8 *keydata,
1470 size_t keydatalen,
1471 u16 key_info,
1472 struct wpa_gtk_data *gd)
1473 {
1474 int maxkeylen;
1475 struct wpa_eapol_ie_parse ie;
1476
1477 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/2 key data", keydata, keydatalen);
1478 wpa_supplicant_parse_ies(keydata, keydatalen, &ie);
1479 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1480 wpa_printf(MSG_DEBUG, "WPA: GTK IE in unencrypted key data");
1481 return -1;
1482 }
1483 if (ie.gtk == NULL) {
1484 wpa_printf(MSG_DEBUG, "WPA: No GTK IE in Group Key msg 1/2");
1485 return -1;
1486 }
1487 maxkeylen = gd->gtk_len = ie.gtk_len - 2;
1488
1489 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1490 gd->gtk_len, maxkeylen,
1491 &gd->key_rsc_len, &gd->alg))
1492 return -1;
1493
1494 wpa_hexdump(MSG_DEBUG, "RSN: received GTK in group key handshake",
1495 ie.gtk, ie.gtk_len);
1496 gd->keyidx = ie.gtk[0] & 0x3;
1497 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1498 !!(ie.gtk[0] & BIT(2)));
1499 if (ie.gtk_len - 2 > sizeof(gd->gtk)) {
1500 wpa_printf(MSG_DEBUG, "RSN: Too long GTK in GTK IE "
1501 "(len=%lu)", (unsigned long) ie.gtk_len - 2);
1502 return -1;
1503 }
1504 memcpy(gd->gtk, ie.gtk + 2, ie.gtk_len - 2);
1505
1506 if (ieee80211w_set_keys(sm, &ie) < 0)
1507 {
1508 wpa_printf(MSG_DEBUG, "RSN: Failed to configure IGTK");
1509 }
1510 return 0;
1511 }
1512
wpa_supplicant_process_1_of_2_wpa(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 key_info,u16 ver,struct wpa_gtk_data * gd)1513 static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
1514 const struct wpa_eapol_key *key,
1515 const u8 *key_data,
1516 size_t key_data_len, u16 key_info,
1517 u16 ver, struct wpa_gtk_data *gd)
1518 {
1519 size_t maxkeylen;
1520 u8 ek[32];
1521
1522 gd->gtk_len = WPA_GET_BE16(key->key_length);
1523 maxkeylen = key_data_len;
1524 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1525 if (maxkeylen < 8) {
1526 wpa_printf(MSG_DEBUG, "WPA: Too short maxkeylen (%lu)",
1527 (unsigned long) maxkeylen);
1528 return -1;
1529 }
1530 maxkeylen -= 8;
1531 }
1532
1533 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1534 gd->gtk_len, maxkeylen,
1535 &gd->key_rsc_len, &gd->alg))
1536 return -1;
1537
1538 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1539 WPA_KEY_INFO_KEY_INDEX_SHIFT;
1540 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
1541 os_memcpy(ek, key->key_iv, 16);
1542 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
1543 if (key_data_len > sizeof(gd->gtk)) {
1544 wpa_printf(MSG_DEBUG, "WPA: RC4 key data "
1545 "too long (%lu)",
1546 (unsigned long) key_data_len);
1547 return -1;
1548 }
1549 os_memcpy(gd->gtk, key_data, key_data_len);
1550 if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) {
1551 wpa_printf(MSG_DEBUG, "WPA: RC4 failed");
1552 return -1;
1553 }
1554 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1555 if (maxkeylen % 8) {
1556 wpa_printf(MSG_DEBUG,
1557 "WPA: Unsupported AES-WRAP len %lu",
1558 (unsigned long) maxkeylen);
1559 return -1;
1560 }
1561 if (maxkeylen > sizeof(gd->gtk)) {
1562 wpa_printf(MSG_DEBUG, "WPA: AES-WRAP key data "
1563 "too long (keydatalen=%lu maxkeylen=%lu)",
1564 (unsigned long) key_data_len,
1565 (unsigned long) maxkeylen);
1566 return -1;
1567 }
1568 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8, key_data, gd->gtk)) {
1569 wpa_printf(MSG_DEBUG, "WPA: AES unwrap "
1570 "failed - could not decrypt GTK");
1571 return -1;
1572 }
1573 } else {
1574 wpa_printf(MSG_DEBUG, "WPA: Unsupported key_info type %d",
1575 ver);
1576 return -1;
1577 }
1578 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(
1579 sm, !!(key_info & WPA_KEY_INFO_TXRX));
1580
1581 return 0;
1582 }
1583
wpa_supplicant_send_2_of_2(struct wpa_sm * sm,const struct wpa_eapol_key * key,int ver,u16 key_info)1584 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
1585 const struct wpa_eapol_key *key,
1586 int ver, u16 key_info)
1587 {
1588 size_t mic_len, hdrlen, rlen;
1589 struct wpa_eapol_key *reply;
1590 struct wpa_eapol_key_192 *reply192;
1591 u8 *rbuf, *key_mic;
1592
1593 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1594 hdrlen = mic_len == 24 ? sizeof(*reply192) : sizeof(*reply);
1595
1596 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1597 hdrlen, &rlen, (void *) &reply);
1598 if (rbuf == NULL)
1599 return -1;
1600
1601 sm->txcb_flags |= WPA_GROUP_HANDSHAKE_BIT;
1602 wpa_printf(MSG_DEBUG, "2/2 txcb_flags=%d", sm->txcb_flags);
1603
1604 reply192 = (struct wpa_eapol_key_192 *) reply;
1605 reply->type = sm->proto == WPA_PROTO_RSN ?
1606 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1607 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
1608 key_info |= ver | WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE;
1609 WPA_PUT_BE16(reply->key_info, key_info);
1610 if (sm->proto == WPA_PROTO_RSN)
1611 WPA_PUT_BE16(reply->key_length, 0);
1612 else
1613 memcpy(reply->key_length, key->key_length, 2);
1614 memcpy(reply->replay_counter, key->replay_counter,
1615 WPA_REPLAY_COUNTER_LEN);
1616
1617 key_mic = reply192->key_mic; /* same offset for reply and reply192 */
1618 if (mic_len == 24)
1619 WPA_PUT_BE16(reply192->key_data_length, 0);
1620 else
1621 WPA_PUT_BE16(reply->key_data_length, 0);
1622
1623 wpa_printf(MSG_DEBUG, "WPA Send 2/2 Group key");
1624
1625 wpa_eapol_key_send(sm, sm->ptk.kck, sm->ptk.kck_len, ver, sm->bssid, ETH_P_EAPOL,
1626 rbuf, rlen, key_mic);
1627 wpa_sm_free_eapol(rbuf);
1628
1629 return 0;
1630 }
1631
wpa_supplicant_process_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)1632 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
1633 const unsigned char *src_addr,
1634 struct wpa_eapol_key *key,
1635 const u8 *key_data,
1636 size_t key_data_len, u16 ver)
1637 {
1638 u16 key_info;
1639 int ret;
1640 struct wpa_gtk_data *gd=&(sm->gd);
1641
1642 memset(gd, 0, sizeof(struct wpa_gtk_data));
1643
1644 wpa_printf(MSG_DEBUG, "WPA 1/2 Group Key Handshake");
1645
1646 key_info = WPA_GET_BE16(key->key_info);
1647
1648 if (sm->proto == WPA_PROTO_RSN) {
1649 ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data,
1650 key_data_len, key_info, gd);
1651 } else {
1652 ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data,
1653 key_data_len, key_info, ver, gd);
1654 }
1655
1656 wpa_sm_set_state(WPA_GROUP_HANDSHAKE);
1657
1658 if (ret)
1659 goto failed;
1660
1661 /*before callback, set seq for add param difficult in callback*/
1662 wpa_sm_set_seq(sm, key, 0);
1663 sm->key_info=key_info;
1664
1665 /*install gtk before send 2 of 2*/
1666 if((sm->gd).gtk_len) {
1667 if (wpa_supplicant_install_gtk(sm, &(sm->gd)))
1668 goto failed;
1669 } else {
1670 goto failed;
1671 }
1672
1673 if (wpa_supplicant_send_2_of_2(sm, key, ver, key_info))
1674 goto failed;
1675
1676 if (WPA_SM_STATE(sm) == WPA_COMPLETED) {
1677 #ifdef MSG_PRINT
1678 wpa_printf(MSG_DEBUG, "WPA: Group rekeying "
1679 "completed with " MACSTR " [GTK=%s]",
1680 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
1681 #endif
1682 wpa_sm_cancel_auth_timeout(sm);
1683 wpa_sm_set_state(WPA_COMPLETED);
1684 } else {
1685 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1686 sm->key_info &WPA_KEY_INFO_SECURE);
1687 }
1688
1689 return;
1690
1691 failed:
1692 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1693 }
1694
wpa_supplicant_verify_eapol_key_mic(struct wpa_sm * sm,struct wpa_eapol_key_192 * key,u16 ver,const u8 * buf,size_t len)1695 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
1696 struct wpa_eapol_key_192 *key,
1697 u16 ver,
1698 const u8 *buf, size_t len)
1699 {
1700 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
1701 int ok = 0;
1702 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1703
1704 os_memcpy(mic, key->key_mic, mic_len);
1705 if (sm->tptk_set) {
1706 os_memset(key->key_mic, 0, mic_len);
1707 wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len, sm->key_mgmt,
1708 ver, buf, len, key->key_mic);
1709 if (os_memcmp_const(mic, key->key_mic, mic_len) != 0) {
1710 wpa_printf(MSG_DEBUG, "WPA: Invalid EAPOL-Key MIC "
1711 "when using TPTK - ignoring TPTK");
1712 } else {
1713 ok = 1;
1714 sm->tptk_set = 0;
1715 sm->ptk_set = 1;
1716 memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
1717 }
1718 }
1719
1720 if (!ok && sm->ptk_set) {
1721 os_memset(key->key_mic, 0, mic_len);
1722 wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len, sm->key_mgmt,
1723 ver, buf, len, key->key_mic);
1724 if (os_memcmp_const(mic, key->key_mic, mic_len) != 0) {
1725 wpa_printf(MSG_DEBUG, "WPA: Invalid EAPOL-Key MIC "
1726 "- dropping packet");
1727 return -1;
1728 }
1729 ok = 1;
1730 }
1731
1732 if (!ok) {
1733 wpa_printf(MSG_DEBUG, "WPA: Could not verify EAPOL-Key MIC "
1734 "- dropping packet");
1735 return -1;
1736 }
1737
1738 memcpy(sm->rx_replay_counter, key->replay_counter,
1739 WPA_REPLAY_COUNTER_LEN);
1740 sm->rx_replay_counter_set = 1;
1741 /*update request_counter for mic failure report*/
1742 memcpy(sm->request_counter, key->replay_counter,
1743 WPA_REPLAY_COUNTER_LEN);
1744 return 0;
1745 }
1746
1747
1748 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
wpa_supplicant_decrypt_key_data(struct wpa_sm * sm,struct wpa_eapol_key * key,u16 ver,u8 * key_data,size_t * key_data_len)1749 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
1750 struct wpa_eapol_key *key, u16 ver,
1751 u8 *key_data, size_t *key_data_len)
1752 {
1753 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
1754 key_data, *key_data_len);
1755 if (!sm->ptk_set) {
1756 wpa_printf(MSG_DEBUG, "WPA: PTK not available, "
1757 "cannot decrypt EAPOL-Key key data.");
1758 return -1;
1759 }
1760
1761 /* Decrypt key data here so that this operation does not need
1762 * to be implemented separately for each message type. */
1763 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
1764 u8 ek[32];
1765 os_memcpy(ek, key->key_iv, 16);
1766 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
1767 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
1768 wpa_printf(MSG_DEBUG, "WPA: RC4 failed");
1769 return -1;
1770 }
1771 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1772 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
1773 wpa_use_aes_key_wrap(sm->key_mgmt)) {
1774 u8 *buf;
1775 if (*key_data_len < 8 || *key_data_len % 8) {
1776 wpa_printf(MSG_DEBUG, "WPA: Unsupported "
1777 "AES-WRAP len %u", (unsigned int) *key_data_len);
1778 return -1;
1779 }
1780
1781 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
1782 /*replaced by xxx to remove malloc*/
1783 buf = ((u8 *) (key+1))+ 8;
1784 /*
1785 buf = os_wifi_malloc(keydatalen);
1786 if (buf == NULL) {
1787 wpa_printf(MSG_DEBUG, "WPA: No memory for "
1788 "AES-UNWRAP buffer");
1789 return -1;
1790 }
1791 */
1792 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
1793 key_data, buf)) {
1794 wpa_printf(MSG_DEBUG, "WPA: AES unwrap failed - "
1795 "could not decrypt EAPOL-Key key data");
1796 return -1;
1797 }
1798 os_memcpy(key_data, buf, *key_data_len);
1799 WPA_PUT_BE16(key->key_data_length, *key_data_len);
1800 } else {
1801 wpa_printf(MSG_DEBUG, "WPA: Unsupported key_info type %d",
1802 ver);
1803 return -1;
1804 }
1805 wpa_hexdump(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
1806 key_data, *key_data_len);
1807 return 0;
1808 }
1809
1810
wpa_eapol_key_dump(struct wpa_sm * sm,const struct wpa_eapol_key * key,unsigned int key_data_len,const u8 * mic,unsigned int mic_len)1811 static void wpa_eapol_key_dump(struct wpa_sm *sm,
1812 const struct wpa_eapol_key *key,
1813 unsigned int key_data_len,
1814 const u8 *mic, unsigned int mic_len)
1815 {
1816 #ifdef DEBUG_PRINT
1817 u16 key_info = WPA_GET_BE16(key->key_info);
1818
1819 wpa_printf(MSG_DEBUG, " EAPOL-Key type=%d", key->type);
1820 wpa_printf(MSG_DEBUG, " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s"
1821 "%s%s%s%s%s%s%s)",
1822 key_info, (u32)(key_info & WPA_KEY_INFO_TYPE_MASK),
1823 (u32)((key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1824 WPA_KEY_INFO_KEY_INDEX_SHIFT),
1825 (u32)((key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13),
1826 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
1827 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
1828 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
1829 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
1830 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
1831 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
1832 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
1833 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
1834 wpa_printf(MSG_DEBUG, " key_length=%u key_data_length=%u",
1835 WPA_GET_BE16(key->key_length), key_data_len);
1836 wpa_hexdump(MSG_DEBUG, " replay_counter",
1837 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1838 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
1839 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
1840 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
1841 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
1842 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
1843 #endif
1844 }
1845
1846 /**
1847 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
1848 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1849 * @src_addr: Source MAC address of the EAPOL packet
1850 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
1851 * @len: Length of the EAPOL frame
1852 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
1853 *
1854 * This function is called for each received EAPOL frame. Other than EAPOL-Key
1855 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
1856 * only processing WPA and WPA2 EAPOL-Key frames.
1857 *
1858 * The received EAPOL-Key packets are validated and valid packets are replied
1859 * to. In addition, key material (PTK, GTK) is configured at the end of a
1860 * successful key handshake.
1861 * buf begin from version, so remove mac header ,snap header and ether_type
1862 */
wpa_sm_rx_eapol(u8 * src_addr,u8 * buf,u32 len)1863 int wpa_sm_rx_eapol(u8 *src_addr, u8 *buf, u32 len)
1864 {
1865 struct wpa_sm *sm = &gWpaSm;
1866 size_t plen, data_len, key_data_len;
1867 struct ieee802_1x_hdr *hdr;
1868 struct wpa_eapol_key *key;
1869 struct wpa_eapol_key_192 *key192;
1870 u16 key_info, ver;
1871 u8 *tmp;
1872 int ret = -1;
1873 size_t mic_len, keyhdrlen;
1874 u8 *key_data;
1875
1876 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1877 keyhdrlen = mic_len == 24 ? sizeof(*key192) : sizeof(*key);
1878
1879 if (len < sizeof(*hdr) + keyhdrlen) {
1880 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame too short to be a WPA "
1881 "EAPOL-Key (len %lu, expecting at least %lu)",
1882 (unsigned long) len,
1883 (unsigned long) sizeof(*hdr) + sizeof(*key));
1884 return 0;
1885 }
1886
1887 tmp = buf;
1888
1889 hdr = (struct ieee802_1x_hdr *) tmp;
1890 key = (struct wpa_eapol_key *) (hdr + 1);
1891 key192 = (struct wpa_eapol_key_192 *)
1892 (tmp + sizeof(struct ieee802_1x_hdr));
1893 if (mic_len == 24)
1894 key_data = (u8 *) (key192 + 1);
1895 else
1896 key_data = (u8 *) (key + 1);
1897
1898 plen = be_to_host16(hdr->length);
1899 data_len = plen + sizeof(*hdr);
1900
1901 wpa_printf(MSG_DEBUG, "IEEE 802.1X RX: version=%d type=%d length=%d",
1902 hdr->version, hdr->type, plen);
1903
1904 if (hdr->version < EAPOL_VERSION) {
1905 /* TODO: backwards compatibility */
1906 }
1907 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
1908 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame (type %u) discarded, "
1909 "not a Key frame", hdr->type);
1910 ret = 0;
1911 goto out;
1912 }
1913 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
1914 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame payload size %lu "
1915 "invalid (frame size %lu)",
1916 (unsigned long) plen, (unsigned long) len);
1917 ret = 0;
1918 goto out;
1919 }
1920
1921 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN) {
1922 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key type (%d) unknown, "
1923 "discarded", key->type);
1924 ret = 0;
1925 goto out;
1926 }
1927
1928 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", tmp, len);
1929
1930 if (data_len < len) {
1931 wpa_printf(MSG_DEBUG, "WPA: ignoring %lu bytes after the IEEE "
1932 "802.1X data", (unsigned long) len - data_len);
1933 }
1934 key_info = WPA_GET_BE16(key->key_info);
1935 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
1936
1937 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
1938 #ifdef CONFIG_IEEE80211W
1939 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
1940 #endif
1941 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
1942 !wpa_use_akm_defined(sm->key_mgmt)) {
1943 wpa_printf(MSG_DEBUG, "WPA: Unsupported EAPOL-Key descriptor "
1944 "version %d.", ver);
1945 goto out;
1946 }
1947 if (wpa_use_akm_defined(sm->key_mgmt) &&
1948 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1949 wpa_msg(NULL, MSG_INFO,
1950 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
1951 ver);
1952 goto out;
1953 }
1954
1955 #ifdef CONFIG_IEEE80211W
1956 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
1957 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
1958 !wpa_use_akm_defined(sm->key_mgmt)) {
1959 goto out;
1960 }
1961 } else
1962 #endif
1963
1964 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
1965 !wpa_use_akm_defined(sm->key_mgmt) &&
1966 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1967 wpa_printf(MSG_DEBUG, "WPA: CCMP is used, but EAPOL-Key "
1968 "descriptor version (%d) is not 2.", ver);
1969 if (sm->group_cipher != WPA_CIPHER_CCMP &&
1970 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
1971 /* Earlier versions of IEEE 802.11i did not explicitly
1972 * require version 2 descriptor for all EAPOL-Key
1973 * packets, so allow group keys to use version 1 if
1974 * CCMP is not used for them. */
1975 wpa_printf(MSG_DEBUG, "WPA: Backwards compatibility: "
1976 "allow invalid version for non-CCMP group "
1977 "keys");
1978 } else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1979 wpa_printf(MSG_DEBUG,
1980 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
1981 } else
1982 goto out;
1983 }
1984
1985 #ifdef CONFIG_GCMP
1986 if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
1987 !wpa_use_akm_defined(sm->key_mgmt) &&
1988 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1989 wpa_msg(NULL, MSG_INFO,
1990 "WPA: GCMP is used, but EAPOL-Key "
1991 "descriptor version (%d) is not 2", ver);
1992 goto out;
1993 }
1994 #endif
1995
1996 if (sm->rx_replay_counter_set &&
1997 os_memcmp(key->replay_counter, sm->rx_replay_counter,
1998 WPA_REPLAY_COUNTER_LEN) <= 0) {
1999 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key Replay Counter did not"
2000 " increase - dropping packet");
2001 goto out;
2002 }
2003
2004 if (!(key_info & (WPA_KEY_INFO_ACK | WPA_KEY_INFO_SMK_MESSAGE))) {
2005 wpa_printf(MSG_DEBUG, "WPA: No Ack bit in key_info");
2006 goto out;
2007 }
2008
2009 if (key_info & WPA_KEY_INFO_REQUEST) {
2010 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key with Request bit - dropped");
2011 goto out;
2012 }
2013
2014 if ((key_info & WPA_KEY_INFO_MIC) &&
2015 wpa_supplicant_verify_eapol_key_mic(sm, key192, ver, tmp, data_len))
2016 goto out;
2017
2018
2019 if (mic_len == 24)
2020 key_data_len = WPA_GET_BE16(key192->key_data_length);
2021 else
2022 key_data_len = WPA_GET_BE16(key->key_data_length);
2023
2024 wpa_eapol_key_dump(sm, key, key_data_len, key192->key_mic, mic_len);
2025
2026
2027 if (key_data_len > plen - keyhdrlen) {
2028 wpa_printf(MSG_DEBUG, "WPA: Invalid EAPOL-Key "
2029 "frame - key_data overflow (%d > %u)",
2030 (unsigned int) key_data_len,
2031 (unsigned int) (plen - keyhdrlen));
2032 goto out;
2033 }
2034
2035 if (sm->proto == WPA_PROTO_RSN &&
2036 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
2037 /*
2038 * Only decrypt the Key Data field if the frame's authenticity
2039 * was verified. When using AES-SIV (FILS), the MIC flag is not
2040 * set, so this check should only be performed if mic_len != 0
2041 * which is the case in this code branch.
2042 */
2043 if (!(key_info & WPA_KEY_INFO_MIC)) {
2044 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2045 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
2046 goto out;
2047 }
2048 if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
2049 &key_data_len))
2050 goto out;
2051 }
2052
2053 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
2054 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
2055 wpa_printf(MSG_DEBUG, "WPA: Ignored EAPOL-Key "
2056 "(Pairwise) with non-zero key index");
2057 goto out;
2058 }
2059
2060 if (key_info & WPA_KEY_INFO_MIC) {
2061 /* 3/4 4-Way Handshake */
2062 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
2063 key_data_len);
2064 } else {
2065 /* 1/4 4-Way Handshake */
2066 sm->eapol1_count++;
2067 if (sm->eapol1_count > MAX_EAPOL_RETRIES) {
2068 wpa_printf(MSG_INFO, "EAPOL1 received for %d times, sending deauth", sm->eapol1_count);
2069 esp_wifi_internal_issue_disconnect(WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT);
2070 goto out;
2071 }
2072 wpa_supplicant_process_1_of_4(sm, src_addr, key,
2073 ver, key_data,
2074 key_data_len);
2075 }
2076 } else {
2077 if (key_info & WPA_KEY_INFO_MIC) {
2078 /* 1/2 Group Key Handshake */
2079 wpa_supplicant_process_1_of_2(sm, src_addr, key,
2080 key_data, key_data_len,
2081 ver);
2082 } else {
2083 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key (Group) "
2084 "without Mic bit - dropped");
2085 }
2086 }
2087
2088 ret = 1;
2089
2090 out:
2091
2092 return ret;
2093 }
2094
2095 /**
2096 * wpa_supplicant_set_state - Set current connection state
2097 * @wpa_s: Pointer to wpa_supplicant data
2098 * @state: The new connection state
2099 *
2100 * This function is called whenever the connection state changes, e.g.,
2101 * association is completed for WPA/WPA2 4-Way Handshake is started.
2102 */
wpa_sm_set_state(enum wpa_states state)2103 void wpa_sm_set_state(enum wpa_states state)
2104 {
2105 struct wpa_sm *sm = &gWpaSm;
2106 if(WPA_MIC_FAILURE==WPA_SM_STATE(sm))
2107 eloop_cancel_timeout(wpa_supplicant_stop_countermeasures, NULL, NULL);
2108 sm->wpa_state= state;
2109 }
2110
2111
2112 /**
2113 * wpa_sm_set_pmk - Set PMK
2114 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2115 * @pmk: The new PMK
2116 * @pmk_len: The length of the new PMK in bytes
2117 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
2118 *
2119 * Configure the PMK for WPA state machine.
2120 */
wpa_sm_set_pmk(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid)2121 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
2122 const u8 *pmkid, const u8 *bssid)
2123 {
2124 if (sm == NULL)
2125 return;
2126
2127 sm->pmk_len = pmk_len;
2128 os_memcpy(sm->pmk, pmk, pmk_len);
2129
2130 #ifdef CONFIG_IEEE80211R
2131 /* Set XXKey to be PSK for FT key derivation */
2132 sm->xxkey_len = pmk_len;
2133 os_memcpy(sm->xxkey, pmk, pmk_len);
2134 #endif /* CONFIG_IEEE80211R */
2135
2136 if (bssid) {
2137 pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
2138 bssid, sm->own_addr,
2139 sm->network_ctx, sm->key_mgmt);
2140 }
2141 }
2142
2143
2144 /**
2145 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
2146 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2147 *
2148 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
2149 * will be cleared.
2150 */
wpa_sm_set_pmk_from_pmksa(struct wpa_sm * sm)2151 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
2152 {
2153 if (sm == NULL)
2154 return;
2155
2156 if (sm->cur_pmksa) {
2157 sm->pmk_len = sm->cur_pmksa->pmk_len;
2158 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
2159 } else {
2160 sm->pmk_len = PMK_LEN_MAX;
2161 os_memset(sm->pmk, 0, PMK_LEN_MAX);
2162 }
2163 }
2164
2165
wpa_sm_init(void)2166 bool wpa_sm_init(void)
2167 {
2168 struct wpa_sm *sm = &gWpaSm;
2169 u16 spp_attrubute = 0;
2170
2171 os_memset(sm, 0, sizeof(struct wpa_sm));
2172
2173 sm->eapol_version = DEFAULT_EAPOL_VERSION; /* DEFAULT_EAPOL_VERSION */
2174
2175 spp_attrubute = esp_wifi_get_spp_attrubute_internal(WIFI_IF_STA);
2176 sm->spp_sup.capable = ((spp_attrubute & WPA_CAPABILITY_SPP_CAPABLE) ? SPP_AMSDU_CAP_ENABLE : SPP_AMSDU_CAP_DISABLE);
2177 sm->spp_sup.require = ((spp_attrubute & WPA_CAPABILITY_SPP_REQUIRED) ? SPP_AMSDU_REQ_ENABLE : SPP_AMSDU_REQ_DISABLE);
2178
2179 wpa_sm_set_state(WPA_INACTIVE);
2180
2181 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, sm, sm);
2182 if (sm->pmksa == NULL) {
2183 wpa_printf(MSG_ERROR,
2184 "RSN: PMKSA cache initialization failed");
2185 return false;
2186 }
2187 return true;
2188 }
2189
2190 /**
2191 * * wpa_sm_deinit - Deinitialize WPA state machine
2192 * */
wpa_sm_deinit(void)2193 void wpa_sm_deinit(void)
2194 {
2195 struct wpa_sm *sm = &gWpaSm;
2196 pmksa_cache_deinit(sm->pmksa);
2197 os_free(sm->ap_rsnxe);
2198 sm->ap_rsnxe = NULL;
2199 os_free(sm->assoc_rsnxe);
2200 wpa_sm_drop_sa(sm);
2201 sm->assoc_rsnxe = NULL;
2202 }
2203
2204
2205 #ifdef ESP_SUPPLICANT
2206 /**
2207 * wpa_sm_notify_assoc - Notify WPA state machine about association
2208 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2209 * @bssid: The BSSID of the new association
2210 *
2211 * This function is called to let WPA state machine know that the connection
2212 * was established.
2213 */
wpa_sm_notify_assoc(struct wpa_sm * sm,const u8 * bssid)2214 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
2215 {
2216 int clear_keys = 1;
2217
2218 if (sm == NULL)
2219 return;
2220
2221 wpa_printf(MSG_DEBUG,
2222 "WPA: Association event - clear replay counter");
2223 os_memcpy(sm->bssid, bssid, ETH_ALEN);
2224 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
2225 sm->rx_replay_counter_set = 0;
2226 sm->renew_snonce = 1;
2227
2228 #ifdef CONFIG_IEEE80211R
2229 if (wpa_ft_is_completed(sm)) {
2230 /*
2231 * Clear portValid to kick EAPOL state machine to re-enter
2232 * AUTHENTICATED state to get the EAPOL port Authorized.
2233 */
2234 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2235
2236 /* Prepare for the next transition */
2237 wpa_ft_prepare_auth_request(sm, NULL);
2238
2239 clear_keys = 0;
2240 sm->ft_protocol = 1;
2241 } else {
2242 sm->ft_protocol = 0;
2243 }
2244 #endif /* CONFIG_IEEE80211R */
2245 if (clear_keys) {
2246 /*
2247 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
2248 * this is not part of a Fast BSS Transition.
2249 */
2250 wpa_printf(MSG_DEBUG, "WPA: Clear old PTK");
2251 sm->ptk_set = 0;
2252 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
2253 sm->tptk_set = 0;
2254 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
2255 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
2256 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
2257 }
2258 }
2259
2260
2261 /**
2262 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
2263 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2264 *
2265 * This function is called to let WPA state machine know that the connection
2266 * was lost. This will abort any existing pre-authentication session.
2267 */
wpa_sm_notify_disassoc(struct wpa_sm * sm)2268 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
2269 {
2270 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
2271 pmksa_cache_clear_current(sm);
2272 #ifdef CONFIG_IEEE80211R
2273 sm->ft_reassoc_completed = 0;
2274 sm->ft_protocol = 0;
2275 #endif /* CONFIG_IEEE80211R */
2276
2277 /* Keys are not needed in the WPA state machine anymore */
2278 wpa_sm_drop_sa(sm);
2279
2280 os_memset(sm->bssid, 0, ETH_ALEN);
2281 }
2282
2283
wpa_set_profile(u32 wpa_proto,u8 auth_mode)2284 void wpa_set_profile(u32 wpa_proto, u8 auth_mode)
2285 {
2286 struct wpa_sm *sm = &gWpaSm;
2287
2288 sm->proto = wpa_proto;
2289 if (auth_mode == WPA2_AUTH_ENT) {
2290 sm->key_mgmt = WPA_KEY_MGMT_IEEE8021X; /* for wpa2 enterprise */
2291 } else if (auth_mode == WPA2_AUTH_ENT_SHA256) {
2292 sm->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA256; /* for wpa2 enterprise sha256 */
2293 } else if (auth_mode == WPA2_AUTH_PSK_SHA256) {
2294 sm->key_mgmt = WPA_KEY_MGMT_PSK_SHA256;
2295 } else if (auth_mode == WPA3_AUTH_PSK) {
2296 sm->key_mgmt = WPA_KEY_MGMT_SAE; /* for WPA3 PSK */
2297 } else if (auth_mode == WAPI_AUTH_PSK) {
2298 sm->key_mgmt = WPA_KEY_MGMT_WAPI_PSK; /* for WAPI PSK */
2299 } else if (auth_mode == WPA2_AUTH_ENT_SHA384_SUITE_B) {
2300 sm->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SUITE_B_192;
2301 } else if (auth_mode == WPA2_AUTH_FT_PSK) {
2302 sm->key_mgmt = WPA_KEY_MGMT_FT_PSK;
2303 } else if (auth_mode == WPA3_AUTH_OWE) {
2304 sm->key_mgmt = WPA_KEY_MGMT_OWE;
2305 } else {
2306 sm->key_mgmt = WPA_KEY_MGMT_PSK; /* fixed to PSK for now */
2307 }
2308 }
2309
wpa_set_pmk(uint8_t * pmk,size_t pmk_length,const u8 * pmkid,bool cache_pmksa)2310 void wpa_set_pmk(uint8_t *pmk, size_t pmk_length, const u8 *pmkid, bool cache_pmksa)
2311 {
2312 struct wpa_sm *sm = &gWpaSm;
2313 int pmk_len;
2314
2315 if (wpa_key_mgmt_sha384(sm->key_mgmt))
2316 pmk_len = PMK_LEN_SUITE_B_192;
2317 else if (wpa_key_mgmt_sae(sm->key_mgmt))
2318 pmk_len = pmk_length;
2319 else
2320 pmk_len = PMK_LEN;
2321
2322 memcpy(sm->pmk, pmk, pmk_len);
2323 sm->pmk_len = pmk_len;
2324
2325 if (cache_pmksa) {
2326 pmksa_cache_add(sm->pmksa, pmk, PMK_LEN, pmkid, NULL, 0,
2327 sm->bssid, sm->own_addr,
2328 sm->network_ctx, sm->key_mgmt);
2329 }
2330 }
2331
wpa_set_bss(char * macddr,char * bssid,u8 pairwise_cipher,u8 group_cipher,char * passphrase,u8 * ssid,size_t ssid_len)2332 int wpa_set_bss(char *macddr, char * bssid, u8 pairwise_cipher, u8 group_cipher, char *passphrase, u8 *ssid, size_t ssid_len)
2333 {
2334 int res = 0;
2335 struct wpa_sm *sm = &gWpaSm;
2336 bool use_pmk_cache = !esp_wifi_skip_supp_pmkcaching();
2337 u8 assoc_rsnxe[20];
2338 size_t assoc_rsnxe_len = sizeof(assoc_rsnxe);
2339
2340 /* Incase AP has changed it's SSID, don't try with PMK caching for SAE connection */
2341 /* Ideally we should use network_ctx for this purpose however currently network profile block
2342 * is part of libraries,
2343 * TODO Correct this in future during NVS restructuring */
2344 if ((sm->key_mgmt == WPA_KEY_MGMT_SAE) &&
2345 (os_memcmp(sm->bssid, bssid, ETH_ALEN) == 0) &&
2346 (os_memcmp(sm->ssid, ssid, ssid_len) != 0)) {
2347 use_pmk_cache = false;
2348 }
2349 sm->pairwise_cipher = BIT(pairwise_cipher);
2350 sm->group_cipher = BIT(group_cipher);
2351 sm->rx_replay_counter_set = 0; //init state not intall replay counter value
2352 memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
2353 sm->wpa_ptk_rekey = 0;
2354 sm->renew_snonce = 1;
2355 memcpy(sm->own_addr, macddr, ETH_ALEN);
2356 memcpy(sm->bssid, bssid, ETH_ALEN);
2357 sm->ap_notify_completed_rsne = esp_wifi_sta_is_ap_notify_completed_rsne_internal();
2358 sm->use_ext_key_id = (sm->proto == WPA_PROTO_WPA);
2359 pmksa_cache_clear_current(sm);
2360 sm->sae_pwe = esp_wifi_get_config_sae_pwe_h2e_internal(WIFI_IF_STA);
2361
2362 struct rsn_pmksa_cache_entry *pmksa = NULL;
2363 if (use_pmk_cache) {
2364 pmksa = pmksa_cache_get(sm->pmksa, (const u8 *)bssid, NULL, NULL);
2365 if (pmksa && (pmksa->akmp != sm->key_mgmt)) {
2366 use_pmk_cache = false;
2367 }
2368 }
2369 if (wpa_key_mgmt_supports_caching(sm->key_mgmt) && use_pmk_cache) {
2370 pmksa_cache_set_current(sm, NULL, (const u8*) bssid, 0, 0);
2371 wpa_sm_set_pmk_from_pmksa(sm);
2372 } else {
2373 if (pmksa) {
2374 pmksa_cache_flush(sm->pmksa, NULL, pmksa->pmk, pmksa->pmk_len);
2375 }
2376 }
2377
2378 sm->eapol1_count = 0;
2379 #ifdef CONFIG_IEEE80211W
2380 if (esp_wifi_sta_pmf_enabled()) {
2381 wifi_config_t wifi_cfg;
2382 wifi_cipher_type_t mgmt_cipher = esp_wifi_sta_get_mgmt_group_cipher();
2383
2384 esp_wifi_get_config(WIFI_IF_STA, &wifi_cfg);
2385 sm->pmf_cfg = wifi_cfg.sta.pmf_cfg;
2386 sm->mgmt_group_cipher = cipher_type_map_public_to_supp(mgmt_cipher);
2387 if (sm->mgmt_group_cipher == WPA_CIPHER_NONE) {
2388 wpa_printf(MSG_ERROR, "mgmt_cipher %d not supported", mgmt_cipher);
2389 return -1;
2390 }
2391 #ifdef CONFIG_SUITEB192
2392 extern bool g_wpa_suiteb_certification;
2393 if (g_wpa_suiteb_certification) {
2394 if (sm->mgmt_group_cipher != WPA_CIPHER_BIP_GMAC_256) {
2395 wpa_printf(MSG_ERROR, "suite-b 192bit certification, only GMAC256 is supported");
2396 return -1;
2397 }
2398 if (sm->group_cipher != WPA_CIPHER_GCMP_256) {
2399 wpa_printf(MSG_ERROR, "suite-b 192bit certification, only group GCMP256 is supported for group data cipher.");
2400 return -1;
2401 }
2402 if (sm->pairwise_cipher != WPA_CIPHER_GCMP_256) {
2403 wpa_printf(MSG_ERROR,"suite-b 192bit certification, only group GCMP256 is supported for pairwise cipher");
2404 return -1;
2405 }
2406 if (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) {
2407 wpa_printf(MSG_ERROR, "suite-b 192bit certification, 192bit akm supported");
2408 return -1;
2409 }
2410 }
2411 #endif
2412 } else {
2413 memset(&sm->pmf_cfg, 0, sizeof(sm->pmf_cfg));
2414 sm->mgmt_group_cipher = WPA_CIPHER_NONE;
2415 }
2416 #endif
2417 #ifdef CONFIG_IEEE80211R
2418 if (sm->key_mgmt == WPA_KEY_MGMT_FT_PSK) {
2419 const u8 *ie, *md = NULL;
2420 struct wpa_bss *bss = wpa_bss_get_bssid(&g_wpa_supp, (uint8_t *)bssid);
2421 if (!bss) {
2422 return -1;
2423 }
2424 ie = wpa_bss_get_ie(bss, WLAN_EID_MOBILITY_DOMAIN);
2425 if (ie && ie[1] >= MOBILITY_DOMAIN_ID_LEN)
2426 md = ie + 2;
2427 if (os_memcmp(md, sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN) != 0) {
2428 /* Reset Auth IE here */
2429 esp_wifi_unset_appie_internal(WIFI_APPIE_RAM_STA_AUTH);
2430 esp_wifi_unset_appie_internal(WIFI_APPIE_ASSOC_REQ);
2431 sm->ft_protocol = 0;
2432 }
2433 wpa_sm_set_ft_params(sm, ie, ie ? 2 + ie[1] : 0);
2434 } else {
2435 /* Reset FT parameters */
2436 wpa_sm_set_ft_params(sm, NULL, 0);
2437 esp_wifi_unset_appie_internal(WIFI_APPIE_RAM_STA_AUTH);
2438 esp_wifi_unset_appie_internal(WIFI_APPIE_ASSOC_REQ);
2439 }
2440 #endif
2441 set_assoc_ie(assoc_ie_buf); /* use static buffer */
2442 res = wpa_gen_wpa_ie(sm, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
2443 if (res < 0)
2444 return -1;
2445 sm->assoc_wpa_ie_len = res;
2446
2447 const u8 *rsnxe;
2448 rsnxe = esp_wifi_sta_get_rsnxe((u8*)bssid);
2449 wpa_sm_set_ap_rsnxe(rsnxe, rsnxe ? (rsnxe[1] + 2) : 0);
2450 res = wpa_gen_rsnxe(sm, assoc_rsnxe, assoc_rsnxe_len);
2451 if (res < 0)
2452 return -1;
2453 assoc_rsnxe_len = res;
2454 res = wpa_sm_set_assoc_rsnxe(sm, assoc_rsnxe, assoc_rsnxe_len);
2455 if (res < 0)
2456 return -1;
2457 esp_set_assoc_ie((uint8_t *)bssid, assoc_rsnxe, assoc_rsnxe_len, true);
2458 os_memset(sm->ssid, 0, sizeof(sm->ssid));
2459 os_memcpy(sm->ssid, ssid, ssid_len);
2460 sm->ssid_len = ssid_len;
2461 wpa_set_passphrase(passphrase, ssid, ssid_len);
2462 #ifdef CONFIG_MBO
2463 if (!mbo_bss_profile_match((u8 *)bssid))
2464 return -1;
2465 #endif
2466
2467 #ifndef CONFIG_SAE_PK
2468 esp_wifi_sta_disable_sae_pk_internal();
2469 #endif /* CONFIG_SAE_PK */
2470 return 0;
2471 }
2472
2473 /*
2474 * Call after set ssid since we calc pmk inside this routine directly
2475 */
2476 void
wpa_set_passphrase(char * passphrase,u8 * ssid,size_t ssid_len)2477 wpa_set_passphrase(char * passphrase, u8 *ssid, size_t ssid_len)
2478 {
2479 struct wifi_ssid *sta_ssid = esp_wifi_sta_get_prof_ssid_internal();
2480 struct wpa_sm *sm = &gWpaSm;
2481
2482 if (passphrase == NULL) return;
2483
2484 /*
2485 * Here only handle passphrase string. Need extra step to handle 32B, 64Hex raw
2486 * PMK.
2487 */
2488 if (sm->key_mgmt == WPA_KEY_MGMT_SAE || sm->key_mgmt == WPA_KEY_MGMT_OWE)
2489 return;
2490
2491 /* This is really SLOW, so just re cacl while reset param */
2492 if (esp_wifi_sta_get_reset_param_internal() != 0) {
2493 // check it's psk
2494 if (strlen((char *)esp_wifi_sta_get_prof_password_internal()) == 64) {
2495 if (hexstr2bin((char *)esp_wifi_sta_get_prof_password_internal(),
2496 esp_wifi_sta_get_ap_info_prof_pmk_internal(), PMK_LEN) != 0)
2497 return;
2498 } else {
2499 pbkdf2_sha1((char *)esp_wifi_sta_get_prof_password_internal(), sta_ssid->ssid, (size_t)sta_ssid->len,
2500 4096, esp_wifi_sta_get_ap_info_prof_pmk_internal(), PMK_LEN);
2501 }
2502 esp_wifi_sta_update_ap_info_internal();
2503 esp_wifi_sta_set_reset_param_internal(0);
2504 }
2505
2506 if (sm->key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
2507 /* TODO nothing */
2508 } else {
2509 memcpy(sm->pmk, esp_wifi_sta_get_ap_info_prof_pmk_internal(), PMK_LEN);
2510 sm->pmk_len = PMK_LEN;
2511 }
2512 #ifdef CONFIG_IEEE80211R
2513 /* Set XXKey to be PSK for FT key derivation */
2514 sm->xxkey_len = PMK_LEN;
2515 os_memcpy(sm->xxkey, sm->pmk, PMK_LEN);
2516 #endif /* CONFIG_IEEE80211R */
2517 }
2518
2519 void
set_assoc_ie(u8 * assoc_buf)2520 set_assoc_ie(u8 * assoc_buf)
2521 {
2522 struct wpa_sm *sm = &gWpaSm;
2523
2524 sm->assoc_wpa_ie = assoc_buf + 2;
2525 //wpa_ie insert OUI 4 byte before ver, but RSN have 2 bytes of RSN capability,
2526 // so wpa_ie have two more bytes than rsn_ie
2527 if ( sm->proto == WPA_PROTO_WPA)
2528 sm->assoc_wpa_ie_len = ASSOC_IE_LEN;
2529 else
2530 sm->assoc_wpa_ie_len = ASSOC_IE_LEN - 2;
2531
2532 wpa_config_assoc_ie(sm->proto, assoc_buf, sm->assoc_wpa_ie_len);
2533 }
2534
wpa_sm_set_key(struct install_key * key_sm,enum wpa_alg alg,u8 * addr,int key_idx,int set_tx,u8 * seq,size_t seq_len,u8 * key,size_t key_len,enum key_flag key_flag)2535 int wpa_sm_set_key(struct install_key *key_sm, enum wpa_alg alg,
2536 u8 *addr, int key_idx, int set_tx,
2537 u8 *seq, size_t seq_len,
2538 u8 *key, size_t key_len,
2539 enum key_flag key_flag)
2540 {
2541 struct wpa_sm *sm = &gWpaSm;
2542
2543 /*gtk or ptk both need check countermeasures*/
2544 if (alg == WIFI_WPA_ALG_TKIP && key_idx == 0 && key_len == 32) {
2545 /* Clear the MIC error counter when setting a new PTK. */
2546 sm->mic_errors_seen = 0;
2547 }
2548
2549 key_sm->keys_cleared = 0;
2550 key_sm->alg = alg;
2551 memcpy(key_sm->addr, addr, ETH_ALEN);
2552 key_sm->key_idx = key_idx;
2553 key_sm->set_tx = set_tx;
2554 memcpy(key_sm->key, key, key_len);
2555
2556 wpa_install_key(alg, addr, key_idx, set_tx, seq, seq_len, key, key_len, key_flag);
2557 return 0;
2558 }
2559
2560 static int
wpa_sm_get_key(uint8_t * ifx,int * alg,u8 * addr,int * key_idx,u8 * key,size_t key_len,enum key_flag key_flag)2561 wpa_sm_get_key(uint8_t *ifx, int *alg, u8 *addr, int *key_idx, u8 *key, size_t key_len, enum key_flag key_flag)
2562 {
2563 return wpa_get_key(ifx, alg, addr, key_idx, key, key_len, key_flag);
2564 }
2565
wpa_supplicant_clr_countermeasures(u16 * pisunicast)2566 void wpa_supplicant_clr_countermeasures(u16 *pisunicast)
2567 {
2568 struct wpa_sm *sm = &gWpaSm;
2569 sm->mic_errors_seen = 0;
2570 wpa_printf(MSG_DEBUG, "WPA: TKIP countermeasures clean");
2571 }
2572
2573 /*recovery from countermeasures state, countermeasures state is period that stop connection with ap
2574 also used in wpa_init after connecting with ap
2575 */
wpa_supplicant_stop_countermeasures(void * data,void * user_ctx)2576 void wpa_supplicant_stop_countermeasures(void *data, void *user_ctx)
2577 {
2578 struct wpa_sm *sm = &gWpaSm;
2579
2580 if (sm->countermeasures) {
2581 sm->countermeasures = 0;
2582 wpa_supplicant_clr_countermeasures(NULL);
2583 eloop_cancel_timeout(wpa_supplicant_stop_countermeasures, NULL, NULL);
2584
2585 wpa_printf(MSG_DEBUG, "WPA: TKIP countermeasures stopped");
2586 /*renew scan preocess, this isn't done now*/
2587 }
2588 wpa_sm_set_state(WPA_DISCONNECTED);
2589 }
2590
wpa_michael_mic_failure(u16 isunicast)2591 int wpa_michael_mic_failure(u16 isunicast)
2592 {
2593 struct wpa_sm *sm = &gWpaSm;
2594
2595 wpa_printf(MSG_DEBUG, "TKIP MIC failure occur");
2596
2597 if (sm->mic_errors_seen) {
2598 /* Send the new MIC error report immediately since we are going
2599 * to start countermeasures and AP better do the same.
2600 */
2601 wpa_sm_set_state(WPA_TKIP_COUNTERMEASURES);
2602 wpa_sm_key_request(sm, 1, isunicast);
2603
2604 /* initialize countermeasures */
2605 sm->countermeasures = 1;
2606 wpa_printf(MSG_DEBUG, "TKIP countermeasures started");
2607
2608 /*
2609 * Need to wait for completion of request frame. We do not get
2610 * any callback for the message completion, so just wait a
2611 * short while and hope for the best. */
2612 os_sleep(0, 10000);
2613
2614 /*deauthenticate AP*/
2615
2616 /*stop monitor next mic_failure timer,disconnect for 60sec, then stop contermeasures*/
2617 eloop_cancel_timeout(wpa_supplicant_stop_countermeasures, NULL, NULL);
2618 eloop_register_timeout(60, 0, wpa_supplicant_stop_countermeasures, NULL, NULL);
2619
2620 /* TODO: mark the AP rejected for 60 second. STA is
2621 * allowed to associate with another AP.. */
2622 } else {
2623 sm->mic_errors_seen++;
2624 wpa_sm_set_state(WPA_MIC_FAILURE);
2625 wpa_sm_key_request(sm, 1, isunicast);
2626 /*start 60sec counter to monitor whether next mic_failure occur in this period, or clear mic_errors_seen*/
2627 eloop_cancel_timeout(wpa_supplicant_stop_countermeasures, NULL, NULL);
2628 eloop_register_timeout(60, 0, wpa_supplicant_stop_countermeasures, NULL, NULL);
2629 }
2630
2631 return 0;
2632 }
2633
2634 /*
2635 eapol tx callback function to make sure new key
2636 install after 4-way handoff
2637 */
eapol_txcb(uint8_t * eapol_payload,size_t len,bool tx_failure)2638 void eapol_txcb(uint8_t *eapol_payload, size_t len, bool tx_failure)
2639 {
2640 struct ieee802_1x_hdr *hdr;
2641 struct wpa_eapol_key *key;
2642 struct wpa_sm *sm = &gWpaSm;
2643 u8 isdeauth = 0; //no_zero value is the reason for deauth
2644
2645 if (len < sizeof(struct ieee802_1x_hdr)) {
2646 /* Invalid 802.1X header, ignore */
2647 return;
2648 }
2649 hdr = (struct ieee802_1x_hdr *) eapol_payload;
2650 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
2651 /* Ignore EAPOL non-key frames */
2652 return;
2653 }
2654 if (len < (sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key))) {
2655 wpa_printf(MSG_ERROR, "EAPOL TxDone with invalid payload len! (len - %zu)", len);
2656 return;
2657 }
2658 key = (struct wpa_eapol_key *) (hdr + 1);
2659
2660 switch(WPA_SM_STATE(sm)) {
2661 case WPA_FIRST_HALF_4WAY_HANDSHAKE:
2662 case WPA_LAST_HALF_4WAY_HANDSHAKE:
2663 if (WPA_GET_BE16(key->key_data_length) == 0 ||
2664 (WPA_GET_BE16(key->key_info) & WPA_KEY_INFO_SECURE)) {
2665 /* msg 4/4 Tx Done */
2666 if (tx_failure) {
2667 wpa_printf(MSG_ERROR, "Eapol message 4/4 tx failure, not installing keys");
2668 return;
2669 }
2670
2671 if (sm->txcb_flags & WPA_4_4_HANDSHAKE_BIT) {
2672 sm->txcb_flags &= ~WPA_4_4_HANDSHAKE_BIT;
2673 isdeauth = wpa_supplicant_send_4_of_4_txcallback(sm);
2674 } else {
2675 wpa_printf(MSG_DEBUG, "4/4 txcb, flags=%d", sm->txcb_flags);
2676 }
2677 } else {
2678 /* msg 2/4 Tx Done */
2679 wpa_printf(MSG_DEBUG, "2/4 txcb, flags=%d, txfail %d", sm->txcb_flags, tx_failure);
2680 }
2681 break;
2682 case WPA_GROUP_HANDSHAKE:
2683 if (sm->txcb_flags & WPA_GROUP_HANDSHAKE_BIT) {
2684 sm->txcb_flags &= ~WPA_GROUP_HANDSHAKE_BIT;
2685 } else {
2686 wpa_printf(MSG_DEBUG, "2/2 txcb, flags=%d", sm->txcb_flags);
2687 }
2688 break;
2689 case WPA_TKIP_COUNTERMEASURES: isdeauth=WLAN_REASON_MICHAEL_MIC_FAILURE;
2690 break;
2691 default: break;
2692 }
2693
2694 if(isdeauth) {
2695 wpa_sm_deauthenticate(sm, isdeauth);
2696 }
2697 }
2698
wpa_sta_in_4way_handshake(void)2699 bool wpa_sta_in_4way_handshake(void)
2700 {
2701 struct wpa_sm *sm = &gWpaSm;
2702 if ( WPA_SM_STATE(sm) == WPA_MIC_FAILURE || WPA_SM_STATE(sm) == WPA_FIRST_HALF_4WAY_HANDSHAKE
2703 || WPA_SM_STATE(sm) == WPA_LAST_HALF_4WAY_HANDSHAKE) {
2704 return true;
2705 }
2706 return false;
2707 }
2708
wpa_sta_is_cur_pmksa_set(void)2709 bool wpa_sta_is_cur_pmksa_set(void) {
2710 struct wpa_sm *sm = &gWpaSm;
2711 return (pmksa_cache_get_current(sm) != NULL);
2712 }
2713
wpa_sta_cur_pmksa_matches_akm(void)2714 bool wpa_sta_cur_pmksa_matches_akm(void) {
2715 struct wpa_sm *sm = &gWpaSm;
2716 struct rsn_pmksa_cache_entry *pmksa;
2717
2718 pmksa = pmksa_cache_get_current(sm);
2719 return (pmksa != NULL &&
2720 sm->key_mgmt == pmksa->akmp);
2721 }
2722
wpa_sta_clear_curr_pmksa(void)2723 void wpa_sta_clear_curr_pmksa(void) {
2724 struct wpa_sm *sm = &gWpaSm;
2725
2726 if (sm->pmksa)
2727 pmksa_cache_flush(sm->pmksa, NULL, sm->pmk, sm->pmk_len);
2728 pmksa_cache_clear_current(sm);
2729 }
2730
get_wpa_sm(void)2731 struct wpa_sm * get_wpa_sm(void)
2732 {
2733 return &gWpaSm;
2734 }
2735
wpa_sm_set_ap_rsnxe(const u8 * ie,size_t len)2736 int wpa_sm_set_ap_rsnxe(const u8 *ie, size_t len)
2737 {
2738 struct wpa_sm *sm = &gWpaSm;
2739 if (!sm)
2740 return -1;
2741
2742 os_free(sm->ap_rsnxe);
2743 if (!ie || len == 0) {
2744 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len);
2745 sm->ap_rsnxe = NULL;
2746 sm->ap_rsnxe_len = 0;
2747 } else {
2748 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len);
2749 sm->ap_rsnxe = os_memdup(ie, len);
2750 if (!sm->ap_rsnxe)
2751 return -1;
2752
2753 sm->ap_rsnxe_len = len;
2754 }
2755
2756 if (sm->ap_rsnxe != NULL) {
2757 sm->sae_pwe = esp_wifi_get_config_sae_pwe_h2e_internal(WIFI_IF_STA);
2758 #ifdef CONFIG_SAE_PK
2759 const u8 *pw = (const u8 *)esp_wifi_sta_get_prof_password_internal();
2760 if (esp_wifi_sta_get_config_sae_pk_internal() != WPA3_SAE_PK_MODE_DISABLED &&
2761 sae_pk_valid_password((const char*)pw)) {
2762 sm->sae_pk = true;
2763 }
2764 #endif /* CONFIG_SAE_PK */
2765 }
2766 return 0;
2767 }
2768
2769
wpa_sm_set_assoc_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)2770 int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
2771 {
2772 if (!sm)
2773 return -1;
2774
2775 os_free(sm->assoc_rsnxe);
2776 if (!ie || len == 0) {
2777 sm->assoc_rsnxe = NULL;
2778 sm->assoc_rsnxe_len = 0;
2779 } else {
2780 wpa_hexdump(MSG_DEBUG, "RSN: set own RSNXE", ie, len);
2781 sm->assoc_rsnxe = os_memdup(ie, len);
2782 if (!sm->assoc_rsnxe)
2783 return -1;
2784
2785 sm->assoc_rsnxe_len = len;
2786 }
2787
2788 return 0;
2789 }
2790
wpa_sm_drop_sa(struct wpa_sm * sm)2791 void wpa_sm_drop_sa(struct wpa_sm *sm)
2792 {
2793 wpa_printf(MSG_DEBUG, "WPA: Clear old PMK and PTK");
2794 sm->ptk_set = 0;
2795 sm->tptk_set = 0;
2796 sm->pmk_len = 0;
2797 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
2798 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
2799 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
2800 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
2801 }
2802
2803 #ifdef CONFIG_OWE_STA
owe_build_assoc_req(struct wpa_sm * sm,u16 group)2804 struct wpabuf *owe_build_assoc_req(struct wpa_sm *sm, u16 group)
2805 {
2806 struct wpabuf *pub = NULL;
2807 size_t prime_len;
2808
2809 if (group == OWE_DH_GRP19) {
2810 prime_len = OWE_PRIME_LEN;
2811 } else {
2812 wpa_printf(MSG_ERROR, "OWE: Unsupported Diffie-Hellman group");
2813 return NULL;
2814 }
2815
2816 sm->owe_ecdh = crypto_ecdh_init(group);
2817
2818 if (!sm->owe_ecdh) {
2819 wpa_printf(MSG_ERROR, "Initialization of ecdh failed");
2820 return NULL;
2821 }
2822
2823 sm->owe_group = group;
2824 /* Get own public key */
2825 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
2826 pub = wpabuf_zeropad(pub, prime_len);
2827
2828 if (!pub) {
2829 wpa_printf(MSG_ERROR, "Own public key is NULL");
2830 goto fail;
2831 }
2832
2833 wpa_hexdump_buf(MSG_DEBUG, "Own public key", pub);
2834
2835 if (sm->owe_ie) {
2836 wpabuf_free(sm->owe_ie);
2837 }
2838 sm->owe_ie = wpabuf_alloc(5 + wpabuf_len(pub));
2839
2840 if (!sm->owe_ie) {
2841 wpa_printf(MSG_ERROR, "OWE IE allocation failed");
2842 goto fail;
2843 }
2844
2845 /* Constructing the DH IE */
2846 wpabuf_put_u8(sm->owe_ie, WLAN_EID_EXTENSION);
2847 wpabuf_put_u8(sm->owe_ie, 1 + 2 + wpabuf_len(pub));
2848 wpabuf_put_u8(sm->owe_ie, WLAN_EID_EXT_OWE_DH_PARAM);
2849 wpabuf_put_le16(sm->owe_ie, group);
2850 wpabuf_put_buf(sm->owe_ie, pub);
2851 wpabuf_free(pub);
2852
2853 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element", sm->owe_ie);
2854
2855 return (struct wpabuf *)wpabuf_head(sm->owe_ie);
2856
2857 fail:
2858 wpabuf_free(pub);
2859 crypto_ecdh_deinit(sm->owe_ecdh);
2860 return NULL;
2861 }
2862
owe_process_assoc_resp(const u8 * rsn_ie,size_t rsn_len,const uint8_t * dh_ie,size_t dh_len)2863 int owe_process_assoc_resp(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_ie, size_t dh_len)
2864 {
2865 size_t prime_len=0,hash_len=0;
2866 struct wpabuf * sh_secret = NULL, *pub = NULL, *hkey = NULL;
2867 const char *info = "OWE Key Generation";
2868 u8 pmkid[SHA256_MAC_LEN], prk[SHA256_MAC_LEN], pmk[SHA256_MAC_LEN];
2869 const u8 *addr[2];
2870 size_t len[2];
2871 u16 group;
2872
2873 struct wpa_sm *sm;
2874 sm = get_wpa_sm();
2875
2876 /* Deallocate the dh ie buffer constructed in owe_build_assoc_req */
2877 wpabuf_free(sm->owe_ie);
2878 sm->owe_ie = NULL;
2879
2880 struct wpa_ie_data *parsed_rsn_data;
2881 parsed_rsn_data = os_zalloc(sizeof(struct wpa_ie_data));
2882 if (!parsed_rsn_data) {
2883 wpa_printf(MSG_ERROR, "Memory allocation failed");
2884 return -1;
2885 }
2886
2887 if (rsn_ie && rsn_len && wpa_parse_wpa_ie_rsn(rsn_ie, rsn_len + 2, parsed_rsn_data) != 0) {
2888 goto fail;
2889 }
2890
2891 if (!dh_ie && parsed_rsn_data->num_pmkid == 0) {
2892 wpa_printf(MSG_ERROR, "OWE: Assoc response should either have pmkid or DH IE");
2893 goto fail;
2894 }
2895
2896 /* Check for PMK caching */
2897 if (sm->cur_pmksa && parsed_rsn_data && parsed_rsn_data->num_pmkid == 1 && parsed_rsn_data->pmkid) {
2898 if (os_memcmp(parsed_rsn_data->pmkid, sm->cur_pmksa->pmkid, OWE_PMKID_LEN) == 0) {
2899 wpa_printf(MSG_DEBUG, "OWE: Using PMK caching");
2900 wpa_sm_set_pmk_from_pmksa(sm);
2901 goto done;
2902 } else {
2903 /* If PMKID mismatches, derive keys again */
2904 wpa_printf(MSG_DEBUG, "OWE : Invalid PMKID in response");
2905 }
2906 }
2907
2908 if (dh_ie == NULL) {
2909 wpa_printf(MSG_ERROR, "OWE: No Diffie Hellman IE in association response");
2910 goto fail;
2911 }
2912 if (dh_ie && MIN_DH_LEN(dh_len)) {
2913 wpa_printf(MSG_ERROR, "OWE: Invalid Diffie Hellman IE");
2914 goto fail;
2915 }
2916
2917 /* If STA or AP does not have PMKID, or PMKID mismatches, proceed with normal association */
2918 dh_len += 2;
2919
2920 dh_ie += 3;
2921 dh_len -=3;
2922 group = WPA_GET_LE16(dh_ie);
2923
2924 /* Only group 19 is supported */
2925 if ((group != sm->owe_group) || (group != OWE_DH_GRP19)) {
2926 wpa_printf(MSG_ERROR, "OWE: Unexpected Diffie-Hellman group in response");
2927 goto fail;
2928 }
2929
2930 prime_len = OWE_PRIME_LEN;
2931
2932 /* Set peer's public key point and calculate shared secret */
2933 sh_secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0, dh_ie+2, dh_len-2);
2934 sh_secret = wpabuf_zeropad(sh_secret, prime_len);
2935 if (!sh_secret) {
2936 wpa_printf(MSG_ERROR, "OWE: Invalid peer DH public key");
2937 goto fail;
2938 }
2939
2940 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", sh_secret);
2941 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
2942 if (!pub) {
2943 wpa_printf(MSG_ERROR, "No own public key");
2944 goto fail;
2945 }
2946
2947 /* PMKID = Truncate-128(Hash(C | A)) */
2948 addr[0] = wpabuf_head(pub);
2949 len[0] = wpabuf_len(pub);
2950 addr[1] = dh_ie + 2;
2951 len[1] = dh_len - 2;
2952
2953 int res = sha256_vector(2, addr, len, pmkid);
2954 if (res < 0 ) {
2955 goto fail;
2956 }
2957
2958 hash_len = SHA256_MAC_LEN;
2959
2960 pub = wpabuf_zeropad(pub, prime_len);
2961 if (!pub) {
2962 goto fail;
2963 }
2964
2965 /* prk = HKDF-extract(C | A | group, z) */
2966 hkey = wpabuf_alloc(wpabuf_len(pub) + dh_len - 2 + 2);
2967 if (!hkey) {
2968 goto fail;
2969 }
2970
2971 wpabuf_put_buf(hkey, pub); /* C */
2972 wpabuf_free(pub);
2973
2974 wpabuf_put_data(hkey, dh_ie + 2, dh_len - 2); /* A */
2975 wpabuf_put_le16(hkey, sm->owe_group); /* group */
2976
2977 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey), wpabuf_head(sh_secret), wpabuf_len(sh_secret), prk);
2978 if (res < 0 ) {
2979 goto fail;
2980 }
2981
2982 hash_len = SHA256_MAC_LEN;
2983
2984 wpabuf_free(hkey);
2985 wpabuf_clear_free(sh_secret);
2986
2987 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
2988
2989 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
2990 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *)info,
2991 os_strlen(info), pmk, hash_len);
2992 if (res < 0 ) {
2993 goto fail;
2994 }
2995
2996 forced_memzero(prk, SHA256_MAC_LEN);
2997 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, OWE_PMKID_LEN);
2998
2999 os_memcpy(sm->pmk,pmk,hash_len);
3000 sm->pmk_len = hash_len;
3001 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
3002
3003 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
3004 sm->bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt);
3005
3006 done:
3007 os_free(parsed_rsn_data);
3008 return 0;
3009 fail:
3010 os_free(parsed_rsn_data);
3011 wpabuf_free(pub);
3012 wpabuf_free(hkey);
3013 wpabuf_clear_free(sh_secret);
3014 return -1;
3015 }
3016 #endif // CONFIG_OWE_STA
3017 #endif // ESP_SUPPLICANT
3018
