1 /*
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
4 * Copyright(c) 2015 Intel Deutschland GmbH
5 *
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
8 */
9
10 #include "includes.h"
11
12 #include "common.h"
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "crypto/sha256.h"
19 #include "crypto/sha384.h"
20 #include "crypto/sha512.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/ieee802_11_common.h"
23 #include "common/ocv.h"
24 #include "common/dpp.h"
25 #include "common/wpa_ctrl.h"
26 #include "eap_common/eap_defs.h"
27 #include "eapol_supp/eapol_supp_sm.h"
28 #include "drivers/driver.h"
29 #include "wpa.h"
30 #include "eloop.h"
31 #include "preauth.h"
32 #include "pmksa_cache.h"
33 #include "wpa_i.h"
34 #include "wpa_ie.h"
35
36
37 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
38
39
_wpa_hexdump_link(int level,u8 link_id,const char * title,const void * buf,size_t len,bool key)40 static void _wpa_hexdump_link(int level, u8 link_id, const char *title,
41 const void *buf, size_t len, bool key)
42 {
43 char *link_title = NULL;
44
45 if (link_id >= MAX_NUM_MLD_LINKS)
46 goto out;
47
48 link_title = os_malloc(os_strlen(title) + 20);
49 if (!link_title)
50 goto out;
51
52 os_snprintf(link_title, os_strlen(title) + 20, "MLO link[%u]: %s",
53 link_id, title);
54
55 out:
56 if (key)
57 wpa_hexdump_key(level, link_title ? link_title : title, buf,
58 len);
59 else
60 wpa_hexdump(level, link_title ? link_title : title, buf, len);
61 os_free(link_title);
62 }
63
64
wpa_hexdump_link(int level,u8 link_id,const char * title,const void * buf,size_t len)65 static void wpa_hexdump_link(int level, u8 link_id, const char *title,
66 const void *buf, size_t len)
67 {
68 _wpa_hexdump_link(level, link_id, title, buf, len, false);
69 }
70
71
wpa_hexdump_link_key(int level,u8 link_id,const char * title,const void * buf,size_t len)72 static void wpa_hexdump_link_key(int level, u8 link_id, const char *title,
73 const void *buf, size_t len)
74 {
75 _wpa_hexdump_link(level, link_id, title, buf, len, true);
76 }
77
78
79 /**
80 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
81 * @sm: Pointer to WPA state machine data from wpa_sm_init()
82 * @ptk: PTK for Key Confirmation/Encryption Key
83 * @ver: Version field from Key Info
84 * @dest: Destination address for the frame
85 * @proto: Ethertype (usually ETH_P_EAPOL)
86 * @msg: EAPOL-Key message
87 * @msg_len: Length of message
88 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
89 * Returns: >= 0 on success, < 0 on failure
90 */
wpa_eapol_key_send(struct wpa_sm * sm,struct wpa_ptk * ptk,int ver,const u8 * dest,u16 proto,u8 * msg,size_t msg_len,u8 * key_mic)91 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
92 int ver, const u8 *dest, u16 proto,
93 u8 *msg, size_t msg_len, u8 *key_mic)
94 {
95 int ret = -1;
96 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
97
98 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
99 " ver=%d mic_len=%d key_mgmt=0x%x",
100 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
101 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
102 /*
103 * Association event was not yet received; try to fetch
104 * BSSID from the driver.
105 */
106 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
107 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
108 "WPA: Failed to read BSSID for "
109 "EAPOL-Key destination address");
110 } else {
111 dest = sm->bssid;
112 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
113 "WPA: Use BSSID (" MACSTR
114 ") as the destination for EAPOL-Key",
115 MAC2STR(dest));
116 }
117 }
118
119 if (mic_len) {
120 if (key_mic && (!ptk || !ptk->kck_len))
121 goto out;
122
123 if (key_mic &&
124 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
125 msg, msg_len, key_mic)) {
126 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
127 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
128 ver, sm->key_mgmt);
129 goto out;
130 }
131 if (ptk)
132 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
133 ptk->kck, ptk->kck_len);
134 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
135 key_mic, mic_len);
136 } else {
137 #ifdef CONFIG_FILS
138 /* AEAD cipher - Key MIC field not used */
139 struct ieee802_1x_hdr *s_hdr, *hdr;
140 struct wpa_eapol_key *s_key, *key;
141 u8 *buf, *s_key_data, *key_data;
142 size_t buf_len = msg_len + AES_BLOCK_SIZE;
143 size_t key_data_len;
144 u16 eapol_len;
145 const u8 *aad[1];
146 size_t aad_len[1];
147
148 if (!ptk || !ptk->kek_len)
149 goto out;
150
151 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
152 sizeof(struct wpa_eapol_key) - 2;
153
154 buf = os_malloc(buf_len);
155 if (!buf)
156 goto out;
157
158 os_memcpy(buf, msg, msg_len);
159 hdr = (struct ieee802_1x_hdr *) buf;
160 key = (struct wpa_eapol_key *) (hdr + 1);
161 key_data = ((u8 *) (key + 1)) + 2;
162
163 /* Update EAPOL header to include AES-SIV overhead */
164 eapol_len = be_to_host16(hdr->length);
165 eapol_len += AES_BLOCK_SIZE;
166 hdr->length = host_to_be16(eapol_len);
167
168 /* Update Key Data Length field to include AES-SIV overhead */
169 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
170
171 s_hdr = (struct ieee802_1x_hdr *) msg;
172 s_key = (struct wpa_eapol_key *) (s_hdr + 1);
173 s_key_data = ((u8 *) (s_key + 1)) + 2;
174
175 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
176 s_key_data, key_data_len);
177
178 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
179 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
180 * to Key Data (exclusive). */
181 aad[0] = buf;
182 aad_len[0] = key_data - buf;
183 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
184 s_key_data, key_data_len,
185 1, aad, aad_len, key_data) < 0) {
186 os_free(buf);
187 goto out;
188 }
189
190 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
191 key_data, AES_BLOCK_SIZE + key_data_len);
192
193 os_free(msg);
194 msg = buf;
195 msg_len = buf_len;
196 #else /* CONFIG_FILS */
197 goto out;
198 #endif /* CONFIG_FILS */
199 }
200
201 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
202 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
203 eapol_sm_notify_tx_eapol_key(sm->eapol);
204 out:
205 os_free(msg);
206 return ret;
207 }
208
209
210 /**
211 * wpa_sm_key_request - Send EAPOL-Key Request
212 * @sm: Pointer to WPA state machine data from wpa_sm_init()
213 * @error: Indicate whether this is an Michael MIC error report
214 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
215 *
216 * Send an EAPOL-Key Request to the current authenticator. This function is
217 * used to request rekeying and it is usually called when a local Michael MIC
218 * failure is detected.
219 */
wpa_sm_key_request(struct wpa_sm * sm,int error,int pairwise)220 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
221 {
222 size_t mic_len, hdrlen, rlen;
223 struct wpa_eapol_key *reply;
224 int key_info, ver;
225 u8 *rbuf, *key_mic, *mic;
226
227 if (pairwise && sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
228 wpa_sm_get_state(sm) == WPA_COMPLETED && !error) {
229 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
230 "WPA: PTK0 rekey not allowed, reconnecting");
231 wpa_sm_reconnect(sm);
232 return;
233 }
234
235 if (!sm->ptk_set) {
236 wpa_printf(MSG_INFO,
237 "WPA: No PTK derived yet - cannot send EAPOL-Key Request");
238 return;
239 }
240
241 if (wpa_use_akm_defined(sm->key_mgmt))
242 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
243 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
244 wpa_key_mgmt_sha256(sm->key_mgmt))
245 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
246 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
247 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
248 else
249 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
250
251 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
252 hdrlen = sizeof(*reply) + mic_len + 2;
253 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
254 hdrlen, &rlen, (void *) &reply);
255 if (rbuf == NULL)
256 return;
257
258 reply->type = (sm->proto == WPA_PROTO_RSN ||
259 sm->proto == WPA_PROTO_OSEN) ?
260 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
261 key_info = WPA_KEY_INFO_REQUEST | ver;
262 key_info |= WPA_KEY_INFO_SECURE;
263 if (mic_len)
264 key_info |= WPA_KEY_INFO_MIC;
265 else
266 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
267 if (error)
268 key_info |= WPA_KEY_INFO_ERROR;
269 if (pairwise)
270 key_info |= WPA_KEY_INFO_KEY_TYPE;
271 WPA_PUT_BE16(reply->key_info, key_info);
272 WPA_PUT_BE16(reply->key_length, 0);
273 os_memcpy(reply->replay_counter, sm->request_counter,
274 WPA_REPLAY_COUNTER_LEN);
275 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
276
277 mic = (u8 *) (reply + 1);
278 WPA_PUT_BE16(mic + mic_len, 0);
279 if (!(key_info & WPA_KEY_INFO_MIC))
280 key_mic = NULL;
281 else
282 key_mic = mic;
283
284 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
285 "WPA: Sending EAPOL-Key Request (error=%d "
286 "pairwise=%d ptk_set=%d len=%lu)",
287 error, pairwise, sm->ptk_set, (unsigned long) rlen);
288 wpa_eapol_key_send(sm, &sm->ptk, ver, wpa_sm_get_auth_addr(sm),
289 ETH_P_EAPOL, rbuf, rlen, key_mic);
290 }
291
292
wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm * sm)293 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
294 {
295 #ifdef CONFIG_IEEE80211R
296 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
297 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
298 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
299 "RSN: Cannot set low order 256 bits of MSK for key management offload");
300 } else {
301 #endif /* CONFIG_IEEE80211R */
302 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
303 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
304 "RSN: Cannot set PMK for key management offload");
305 #ifdef CONFIG_IEEE80211R
306 }
307 #endif /* CONFIG_IEEE80211R */
308 }
309
310
wpa_supplicant_get_pmk(struct wpa_sm * sm,const unsigned char * src_addr,const u8 * pmkid)311 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
312 const unsigned char *src_addr,
313 const u8 *pmkid)
314 {
315 int abort_cached = 0;
316
317 if (pmkid && !sm->cur_pmksa) {
318 /* When using drivers that generate RSN IE, wpa_supplicant may
319 * not have enough time to get the association information
320 * event before receiving this 1/4 message, so try to find a
321 * matching PMKSA cache entry here. */
322 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr,
323 sm->own_addr, pmkid,
324 NULL, 0);
325 if (sm->cur_pmksa) {
326 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
327 "RSN: found matching PMKID from PMKSA cache");
328 } else {
329 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
330 "RSN: no matching PMKID found");
331 abort_cached = 1;
332 }
333 }
334
335 if (pmkid && sm->cur_pmksa &&
336 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
337 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
338 wpa_sm_set_pmk_from_pmksa(sm);
339 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
340 sm->pmk, sm->pmk_len);
341 eapol_sm_notify_cached(sm->eapol);
342 #ifdef CONFIG_IEEE80211R
343 sm->xxkey_len = 0;
344 #ifdef CONFIG_SAE
345 if ((sm->key_mgmt == WPA_KEY_MGMT_FT_SAE ||
346 sm->key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) &&
347 sm->pmk_len == PMK_LEN) {
348 /* Need to allow FT key derivation to proceed with
349 * PMK from SAE being used as the XXKey in cases where
350 * the PMKID in msg 1/4 matches the PMKSA entry that was
351 * just added based on SAE authentication for the
352 * initial mobility domain association. */
353 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
354 sm->xxkey_len = sm->pmk_len;
355 }
356 #endif /* CONFIG_SAE */
357 #endif /* CONFIG_IEEE80211R */
358 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
359 int res, pmk_len;
360 #ifdef CONFIG_IEEE80211R
361 u8 buf[2 * PMK_LEN];
362 #endif /* CONFIG_IEEE80211R */
363
364 if (wpa_key_mgmt_sha384(sm->key_mgmt))
365 pmk_len = PMK_LEN_SUITE_B_192;
366 else
367 pmk_len = PMK_LEN;
368 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
369 if (res) {
370 if (pmk_len == PMK_LEN) {
371 /*
372 * EAP-LEAP is an exception from other EAP
373 * methods: it uses only 16-byte PMK.
374 */
375 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
376 pmk_len = 16;
377 }
378 }
379 #ifdef CONFIG_IEEE80211R
380 if (res == 0 &&
381 eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) {
382 if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
383 os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN);
384 sm->xxkey_len = SHA384_MAC_LEN;
385 } else {
386 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
387 sm->xxkey_len = PMK_LEN;
388 }
389 forced_memzero(buf, sizeof(buf));
390 if (sm->proto == WPA_PROTO_RSN &&
391 wpa_key_mgmt_ft(sm->key_mgmt)) {
392 struct rsn_pmksa_cache_entry *sa = NULL;
393 const u8 *fils_cache_id = NULL;
394
395 #ifdef CONFIG_FILS
396 if (sm->fils_cache_id_set)
397 fils_cache_id = sm->fils_cache_id;
398 #endif /* CONFIG_FILS */
399 wpa_hexdump_key(MSG_DEBUG,
400 "FT: Cache XXKey/MPMK",
401 sm->xxkey, sm->xxkey_len);
402 sa = pmksa_cache_add(sm->pmksa,
403 sm->xxkey, sm->xxkey_len,
404 NULL, NULL, 0,
405 src_addr, sm->own_addr,
406 sm->network_ctx,
407 sm->key_mgmt,
408 fils_cache_id);
409 if (!sm->cur_pmksa)
410 sm->cur_pmksa = sa;
411 }
412 }
413 #endif /* CONFIG_IEEE80211R */
414 if (res == 0) {
415 struct rsn_pmksa_cache_entry *sa = NULL;
416 const u8 *fils_cache_id = NULL;
417
418 #ifdef CONFIG_FILS
419 if (sm->fils_cache_id_set)
420 fils_cache_id = sm->fils_cache_id;
421 #endif /* CONFIG_FILS */
422
423 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
424 "machines", sm->pmk, pmk_len);
425 sm->pmk_len = pmk_len;
426 wpa_supplicant_key_mgmt_set_pmk(sm);
427 if (sm->proto == WPA_PROTO_RSN &&
428 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
429 !wpa_key_mgmt_ft(sm->key_mgmt)) {
430 sa = pmksa_cache_add(sm->pmksa,
431 sm->pmk, pmk_len, NULL,
432 NULL, 0,
433 src_addr, sm->own_addr,
434 sm->network_ctx,
435 sm->key_mgmt,
436 fils_cache_id);
437 }
438 if (!sm->cur_pmksa && pmkid &&
439 pmksa_cache_get(sm->pmksa, src_addr, sm->own_addr,
440 pmkid, NULL, 0)) {
441 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
442 "RSN: the new PMK matches with the "
443 "PMKID");
444 abort_cached = 0;
445 } else if (sa && !sm->cur_pmksa && pmkid) {
446 /*
447 * It looks like the authentication server
448 * derived mismatching MSK. This should not
449 * really happen, but bugs happen.. There is not
450 * much we can do here without knowing what
451 * exactly caused the server to misbehave.
452 */
453 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
454 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
455 return -1;
456 }
457
458 if (!sm->cur_pmksa)
459 sm->cur_pmksa = sa;
460 #ifdef CONFIG_IEEE80211R
461 } else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) {
462 wpa_printf(MSG_DEBUG,
463 "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol");
464 #endif /* CONFIG_IEEE80211R */
465 } else {
466 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
467 "WPA: Failed to get master session key from "
468 "EAPOL state machines - key handshake "
469 "aborted");
470 if (sm->cur_pmksa) {
471 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
472 "RSN: Cancelled PMKSA caching "
473 "attempt");
474 sm->cur_pmksa = NULL;
475 abort_cached = 1;
476 } else if (!abort_cached) {
477 return -1;
478 }
479 }
480 }
481
482 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
483 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
484 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
485 {
486 /* Send EAPOL-Start to trigger full EAP authentication. */
487 u8 *buf;
488 size_t buflen;
489
490 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
491 "RSN: no PMKSA entry found - trigger "
492 "full EAP authentication");
493 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
494 NULL, 0, &buflen, NULL);
495 if (buf) {
496 /* Set and reset eapFail to allow EAP state machine to
497 * proceed with new authentication. */
498 eapol_sm_notify_eap_fail(sm->eapol, true);
499 eapol_sm_notify_eap_fail(sm->eapol, false);
500 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
501 buf, buflen);
502 os_free(buf);
503 return -2;
504 }
505
506 return -1;
507 }
508
509 return 0;
510 }
511
512
513 /**
514 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
515 * @sm: Pointer to WPA state machine data from wpa_sm_init()
516 * @dst: Destination address for the frame
517 * @key: Pointer to the EAPOL-Key frame header
518 * @ver: Version bits from EAPOL-Key Key Info
519 * @nonce: Nonce value for the EAPOL-Key frame
520 * @wpa_ie: WPA/RSN IE
521 * @wpa_ie_len: Length of the WPA/RSN IE
522 * @ptk: PTK to use for keyed hash and encryption
523 * Returns: >= 0 on success, < 0 on failure
524 */
wpa_supplicant_send_2_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,int ver,const u8 * nonce,const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ptk * ptk)525 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
526 const struct wpa_eapol_key *key,
527 int ver, const u8 *nonce,
528 const u8 *wpa_ie, size_t wpa_ie_len,
529 struct wpa_ptk *ptk)
530 {
531 size_t mic_len, hdrlen, rlen, extra_len = 0;
532 struct wpa_eapol_key *reply;
533 u8 *rbuf, *key_mic;
534 u8 *rsn_ie_buf = NULL, *buf2 = NULL;
535 u16 key_info;
536 #ifdef CONFIG_TESTING_OPTIONS
537 size_t pad_len = 0;
538 #endif /* CONFIG_TESTING_OPTIONS */
539
540 if (wpa_ie == NULL) {
541 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
542 "cannot generate msg 2/4");
543 return -1;
544 }
545
546 #ifdef CONFIG_IEEE80211R
547 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
548 int res;
549
550 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE before FT processing",
551 wpa_ie, wpa_ie_len);
552 /*
553 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
554 * FTIE from (Re)Association Response.
555 */
556 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
557 sm->assoc_resp_ies_len);
558 if (rsn_ie_buf == NULL)
559 return -1;
560 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
561 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
562 sm->pmk_r1_name, !sm->ft_prepend_pmkid);
563 if (res < 0) {
564 os_free(rsn_ie_buf);
565 return -1;
566 }
567 wpa_hexdump(MSG_DEBUG,
568 "WPA: WPA IE after PMKID[PMKR1Name] addition into RSNE",
569 rsn_ie_buf, wpa_ie_len);
570
571 if (sm->assoc_resp_ies) {
572 wpa_hexdump(MSG_DEBUG, "WPA: Add assoc_resp_ies",
573 sm->assoc_resp_ies,
574 sm->assoc_resp_ies_len);
575 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
576 sm->assoc_resp_ies_len);
577 wpa_ie_len += sm->assoc_resp_ies_len;
578 }
579
580 wpa_ie = rsn_ie_buf;
581 }
582 #endif /* CONFIG_IEEE80211R */
583
584 if (sm->rsn_override != RSN_OVERRIDE_NOT_USED) {
585 u8 *pos;
586
587 buf2 = os_malloc(wpa_ie_len + 2 + 4 + 1);
588 if (!buf2) {
589 os_free(rsn_ie_buf);
590 return -1;
591 }
592 os_memcpy(buf2, wpa_ie, wpa_ie_len);
593 pos = buf2 + wpa_ie_len;
594 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
595 *pos++ = 4 + 1;
596 WPA_PUT_BE32(pos, RSN_SELECTION_IE_VENDOR_TYPE);
597 pos += 4;
598 if (sm->rsn_override == RSN_OVERRIDE_RSNE) {
599 *pos++ = RSN_SELECTION_RSNE;
600 } else if (sm->rsn_override == RSN_OVERRIDE_RSNE_OVERRIDE) {
601 *pos++ = RSN_SELECTION_RSNE_OVERRIDE;
602 } else if (sm->rsn_override == RSN_OVERRIDE_RSNE_OVERRIDE_2) {
603 *pos++ = RSN_SELECTION_RSNE_OVERRIDE_2;
604 } else {
605 os_free(rsn_ie_buf);
606 os_free(buf2);
607 return -1;
608 }
609
610 wpa_ie = buf2;
611 wpa_ie_len += 2 + 4 + 1;
612
613 }
614
615 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
616
617 #ifdef CONFIG_TESTING_OPTIONS
618 if (sm->test_eapol_m2_elems)
619 extra_len = wpabuf_len(sm->test_eapol_m2_elems);
620 if (sm->encrypt_eapol_m2) {
621 pad_len = (wpa_ie_len + extra_len) % 8;
622 if (pad_len)
623 pad_len = 8 - pad_len;
624 extra_len += pad_len + 8;
625 }
626 #endif /* CONFIG_TESTING_OPTIONS */
627
628 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
629 hdrlen = sizeof(*reply) + mic_len + 2;
630 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
631 NULL, hdrlen + wpa_ie_len + extra_len,
632 &rlen, (void *) &reply);
633 if (rbuf == NULL) {
634 os_free(rsn_ie_buf);
635 os_free(buf2);
636 return -1;
637 }
638
639 reply->type = (sm->proto == WPA_PROTO_RSN ||
640 sm->proto == WPA_PROTO_OSEN) ?
641 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
642 key_info = ver | WPA_KEY_INFO_KEY_TYPE;
643 if (sm->ptk_set && sm->proto != WPA_PROTO_WPA)
644 key_info |= WPA_KEY_INFO_SECURE;
645 if (mic_len)
646 key_info |= WPA_KEY_INFO_MIC;
647 else
648 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
649 #ifdef CONFIG_TESTING_OPTIONS
650 if (sm->encrypt_eapol_m2)
651 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
652 #endif /* CONFIG_TESTING_OPTIONS */
653 WPA_PUT_BE16(reply->key_info, key_info);
654 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
655 WPA_PUT_BE16(reply->key_length, 0);
656 else
657 os_memcpy(reply->key_length, key->key_length, 2);
658 os_memcpy(reply->replay_counter, key->replay_counter,
659 WPA_REPLAY_COUNTER_LEN);
660 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
661 WPA_REPLAY_COUNTER_LEN);
662
663 key_mic = (u8 *) (reply + 1);
664 /* Key Data Length */
665 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len + extra_len);
666 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
667 os_free(rsn_ie_buf);
668 os_free(buf2);
669 #ifdef CONFIG_TESTING_OPTIONS
670 if (sm->test_eapol_m2_elems) {
671 os_memcpy(key_mic + mic_len + 2 + wpa_ie_len,
672 wpabuf_head(sm->test_eapol_m2_elems),
673 wpabuf_len(sm->test_eapol_m2_elems));
674 }
675
676 if (sm->encrypt_eapol_m2) {
677 u8 *plain;
678 size_t plain_len;
679
680 if (sm->test_eapol_m2_elems)
681 extra_len = wpabuf_len(sm->test_eapol_m2_elems);
682 else
683 extra_len = 0;
684 plain_len = wpa_ie_len + extra_len + pad_len;
685 plain = os_memdup(key_mic + mic_len + 2, plain_len);
686 if (!plain) {
687 os_free(rbuf);
688 return -1;
689 }
690 if (pad_len)
691 plain[plain_len - pad_len] = 0xdd;
692
693 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK",
694 ptk->kek, ptk->kek_len);
695 if (aes_wrap(ptk->kek, ptk->kek_len, plain_len / 8, plain,
696 key_mic + mic_len + 2)) {
697 os_free(plain);
698 os_free(rbuf);
699 return -1;
700 }
701 wpa_hexdump(MSG_DEBUG,
702 "RSN: Encrypted Key Data from AES-WRAP",
703 key_mic + mic_len + 2, plain_len + 8);
704 os_free(plain);
705 }
706 #endif /* CONFIG_TESTING_OPTIONS */
707
708 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
709
710 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
711 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
712 key_mic);
713 }
714
715
wpa_derive_ptk(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,struct wpa_ptk * ptk)716 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
717 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
718 {
719 int ret;
720 const u8 *z = NULL;
721 size_t z_len = 0, kdk_len;
722 int akmp;
723
724 #ifdef CONFIG_IEEE80211R
725 if (wpa_key_mgmt_ft(sm->key_mgmt))
726 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
727 #endif /* CONFIG_IEEE80211R */
728
729 #ifdef CONFIG_DPP2
730 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
731 z = wpabuf_head(sm->dpp_z);
732 z_len = wpabuf_len(sm->dpp_z);
733 }
734 #endif /* CONFIG_DPP2 */
735
736 akmp = sm->key_mgmt;
737 #ifdef CONFIG_OWE
738 if (sm->owe_ptk_workaround && akmp == WPA_KEY_MGMT_OWE &&
739 sm->pmk_len > 32) {
740 wpa_printf(MSG_DEBUG,
741 "OWE: Force SHA256 for PTK derivation");
742 akmp |= WPA_KEY_MGMT_PSK_SHA256;
743 }
744 #endif /* CONFIG_OWE */
745
746 if (sm->force_kdk_derivation ||
747 (sm->secure_ltf &&
748 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
749 kdk_len = WPA_KDK_MAX_LEN;
750 else
751 kdk_len = 0;
752
753 ret = wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
754 sm->own_addr, wpa_sm_get_auth_addr(sm), sm->snonce,
755 key->key_nonce, ptk, akmp,
756 sm->pairwise_cipher, z, z_len,
757 kdk_len);
758 if (ret) {
759 wpa_printf(MSG_ERROR, "WPA: PTK derivation failed");
760 return ret;
761 }
762
763 #ifdef CONFIG_PASN
764 if (sm->secure_ltf &&
765 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))
766 ret = wpa_ltf_keyseed(ptk, akmp, sm->pairwise_cipher);
767 #endif /* CONFIG_PASN */
768
769 return ret;
770 }
771
772
wpa_handle_ext_key_id(struct wpa_sm * sm,struct wpa_eapol_ie_parse * kde)773 static int wpa_handle_ext_key_id(struct wpa_sm *sm,
774 struct wpa_eapol_ie_parse *kde)
775 {
776 if (sm->ext_key_id) {
777 u16 key_id;
778
779 if (!kde->key_id) {
780 wpa_msg(sm->ctx->msg_ctx,
781 sm->use_ext_key_id ? MSG_INFO : MSG_DEBUG,
782 "RSN: No Key ID in Extended Key ID handshake");
783 sm->keyidx_active = 0;
784 return sm->use_ext_key_id ? -1 : 0;
785 }
786
787 key_id = kde->key_id[0] & 0x03;
788 if (key_id > 1) {
789 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
790 "RSN: Invalid Extended Key ID: %d", key_id);
791 return -1;
792 }
793 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
794 "RSN: Using Extended Key ID %d", key_id);
795 sm->keyidx_active = key_id;
796 sm->use_ext_key_id = 1;
797 } else {
798 if (kde->key_id && (kde->key_id[0] & 0x03)) {
799 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
800 "RSN: Non-zero Extended Key ID Key ID in PTK0 handshake");
801 return -1;
802 }
803
804 if (kde->key_id) {
805 /* This is not supposed to be included here, but ignore
806 * the case of matching Key ID 0 just in case. */
807 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
808 "RSN: Extended Key ID Key ID 0 in PTK0 handshake");
809 }
810 sm->keyidx_active = 0;
811 sm->use_ext_key_id = 0;
812 }
813
814 return 0;
815 }
816
817
rsn_add_kde(u8 * pos,u32 kde,const u8 * data,size_t data_len)818 static u8 * rsn_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len)
819 {
820 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
821 *pos++ = RSN_SELECTOR_LEN + data_len;
822 RSN_SELECTOR_PUT(pos, kde);
823 pos += RSN_SELECTOR_LEN;
824 os_memcpy(pos, data, data_len);
825 pos += data_len;
826
827 return pos;
828 }
829
830
wpa_mlo_link_kde_len(struct wpa_sm * sm)831 static size_t wpa_mlo_link_kde_len(struct wpa_sm *sm)
832 {
833 int i;
834 unsigned int num_links = 0;
835
836 for_each_link(sm->mlo.req_links, i) {
837 if (sm->mlo.assoc_link_id != i)
838 num_links++;
839 }
840
841 return num_links * (RSN_SELECTOR_LEN + 1 + ETH_ALEN + 2);
842 }
843
844
wpa_mlo_link_kde(struct wpa_sm * sm,u8 * pos)845 static u8 * wpa_mlo_link_kde(struct wpa_sm *sm, u8 *pos)
846 {
847 int i;
848 u8 hdr[1 + ETH_ALEN];
849
850 for_each_link(sm->mlo.req_links, i) {
851 if (sm->mlo.assoc_link_id == i)
852 continue;
853
854 wpa_printf(MSG_DEBUG,
855 "MLO: Add MLO Link %d KDE in EAPOL-Key 2/4", i);
856 hdr[0] = i & 0xF; /* LinkID; no RSNE or RSNXE */
857 os_memcpy(&hdr[1], sm->mlo.links[i].addr, ETH_ALEN);
858 pos = rsn_add_kde(pos, RSN_KEY_DATA_MLO_LINK, hdr, sizeof(hdr));
859 }
860
861 return pos;
862 }
863
864
is_valid_ap_mld_mac_kde(struct wpa_sm * sm,const u8 * mac_kde)865 static bool is_valid_ap_mld_mac_kde(struct wpa_sm *sm, const u8 *mac_kde)
866 {
867 return mac_kde &&
868 ether_addr_equal(mac_kde, sm->mlo.ap_mld_addr);
869 }
870
871
wpas_swap_tkip_mic_keys(struct wpa_ptk * ptk)872 static void wpas_swap_tkip_mic_keys(struct wpa_ptk *ptk)
873 {
874 u8 buf[8];
875
876 /* Supplicant: swap tx/rx Mic keys */
877 os_memcpy(buf, &ptk->tk[16], 8);
878 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
879 os_memcpy(&ptk->tk[24], buf, 8);
880 forced_memzero(buf, sizeof(buf));
881 }
882
883
wpa_supplicant_process_1_of_4_wpa(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len,enum frame_encryption encrypted)884 static void wpa_supplicant_process_1_of_4_wpa(struct wpa_sm *sm,
885 const unsigned char *src_addr,
886 const struct wpa_eapol_key *key,
887 u16 ver, const u8 *key_data,
888 size_t key_data_len,
889 enum frame_encryption encrypted)
890 {
891 struct wpa_eapol_ie_parse ie;
892 struct wpa_ptk *ptk;
893 int res;
894
895 if (wpa_sm_get_network_ctx(sm) == NULL) {
896 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
897 "WPA: No SSID info found (msg 1 of 4)");
898 return;
899 }
900
901 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
902 "WPA: RX message 1 of 4-Way Handshake from " MACSTR
903 " (ver=%d)", MAC2STR(src_addr), ver);
904
905 os_memset(&ie, 0, sizeof(ie));
906
907 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
908 if (res == -2) {
909 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
910 "WPA: Do not reply to msg 1/4 - requesting full EAP authentication");
911 return;
912 }
913 if (res)
914 goto failed;
915
916 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
917
918 if (sm->renew_snonce) {
919 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
920 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
921 "WPA: Failed to get random data for SNonce");
922 goto failed;
923 }
924 sm->renew_snonce = 0;
925 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
926 sm->snonce, WPA_NONCE_LEN);
927 }
928
929 /* Calculate PTK which will be stored as a temporary PTK until it has
930 * been verified when processing message 3/4. */
931 ptk = &sm->tptk;
932 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
933 goto failed;
934 if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
935 wpas_swap_tkip_mic_keys(ptk);
936 sm->tptk_set = 1;
937
938 if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
939 sm->snonce, sm->assoc_wpa_ie,
940 sm->assoc_wpa_ie_len, ptk) < 0)
941 goto failed;
942
943 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
944 return;
945
946 failed:
947 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
948 }
949
950
wpa_supplicant_process_1_of_4(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len,enum frame_encryption encrypted)951 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
952 const unsigned char *src_addr,
953 const struct wpa_eapol_key *key,
954 u16 ver, const u8 *key_data,
955 size_t key_data_len,
956 enum frame_encryption encrypted)
957 {
958 struct wpa_eapol_ie_parse ie;
959 struct wpa_ptk *ptk;
960 int res;
961 u8 *kde, *kde_buf = NULL;
962 size_t kde_len;
963 size_t mlo_kde_len = 0;
964
965 if (encrypted == FRAME_NOT_ENCRYPTED && sm->tk_set &&
966 wpa_sm_pmf_enabled(sm)) {
967 wpa_printf(MSG_DEBUG,
968 "RSN: Discard unencrypted EAPOL-Key msg 1/4 when TK is set and PMF is enabled");
969 return;
970 }
971
972 if (wpa_sm_get_network_ctx(sm) == NULL) {
973 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
974 "found (msg 1 of 4)");
975 return;
976 }
977
978 if (sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
979 wpa_sm_get_state(sm) == WPA_COMPLETED) {
980 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
981 "WPA: PTK0 rekey not allowed, reconnecting");
982 wpa_sm_reconnect(sm);
983 return;
984 }
985
986 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way "
987 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
988
989 os_memset(&ie, 0, sizeof(ie));
990
991 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
992 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", key_data, key_data_len);
993 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) {
994 wpa_printf(MSG_DEBUG,
995 "RSN: Discard EAPOL-Key msg 1/4 with invalid IEs/KDEs");
996 return;
997 }
998 if (ie.pmkid) {
999 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from Authenticator",
1000 ie.pmkid, PMKID_LEN);
1001 }
1002
1003 if (sm->mlo.valid_links && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) {
1004 wpa_printf(MSG_INFO,
1005 "RSN: Discard EAPOL-Key msg 1/4 with invalid AP MLD MAC address KDE");
1006 return;
1007 }
1008
1009 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
1010 if (res == -2) {
1011 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
1012 "msg 1/4 - requesting full EAP authentication");
1013 return;
1014 }
1015 if (res)
1016 goto failed;
1017
1018 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
1019
1020 if (sm->renew_snonce) {
1021 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
1022 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1023 "WPA: Failed to get random data for SNonce");
1024 goto failed;
1025 }
1026 if (wpa_sm_rsn_overriding_supported(sm))
1027 rsn_set_snonce_cookie(sm->snonce);
1028 sm->renew_snonce = 0;
1029 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
1030 sm->snonce, WPA_NONCE_LEN);
1031 }
1032
1033 /* Calculate PTK which will be stored as a temporary PTK until it has
1034 * been verified when processing message 3/4. */
1035 ptk = &sm->tptk;
1036 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
1037 goto failed;
1038 if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
1039 wpas_swap_tkip_mic_keys(ptk);
1040 sm->tptk_set = 1;
1041
1042 /* Add MLO Link KDE and MAC KDE in M2 for ML connection */
1043 if (sm->mlo.valid_links)
1044 mlo_kde_len = wpa_mlo_link_kde_len(sm) +
1045 RSN_SELECTOR_LEN + ETH_ALEN + 2;
1046
1047 kde = sm->assoc_wpa_ie;
1048 kde_len = sm->assoc_wpa_ie_len;
1049 kde_buf = os_malloc(kde_len +
1050 2 + RSN_SELECTOR_LEN + 3 +
1051 sm->assoc_rsnxe_len +
1052 2 + RSN_SELECTOR_LEN + 1 +
1053 2 + RSN_SELECTOR_LEN + 2 + mlo_kde_len);
1054
1055 if (!kde_buf)
1056 goto failed;
1057 os_memcpy(kde_buf, kde, kde_len);
1058 kde = kde_buf;
1059
1060 #ifdef CONFIG_OCV
1061 if (wpa_sm_ocv_enabled(sm)) {
1062 struct wpa_channel_info ci;
1063 u8 *pos;
1064
1065 pos = kde + kde_len;
1066 if (wpa_sm_channel_info(sm, &ci) != 0) {
1067 wpa_printf(MSG_WARNING,
1068 "Failed to get channel info for OCI element in EAPOL-Key 2/4");
1069 goto failed;
1070 }
1071 #ifdef CONFIG_TESTING_OPTIONS
1072 if (sm->oci_freq_override_eapol) {
1073 wpa_printf(MSG_INFO,
1074 "TEST: Override OCI KDE frequency %d -> %d MHz",
1075 ci.frequency, sm->oci_freq_override_eapol);
1076 ci.frequency = sm->oci_freq_override_eapol;
1077 }
1078 #endif /* CONFIG_TESTING_OPTIONS */
1079
1080 if (ocv_insert_oci_kde(&ci, &pos) < 0)
1081 goto failed;
1082 kde_len = pos - kde;
1083 }
1084 #endif /* CONFIG_OCV */
1085
1086 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) {
1087 os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len);
1088 kde_len += sm->assoc_rsnxe_len;
1089 }
1090
1091 #ifdef CONFIG_P2P
1092 if (sm->p2p) {
1093 u8 *pos;
1094
1095 wpa_printf(MSG_DEBUG,
1096 "P2P: Add IP Address Request KDE into EAPOL-Key 2/4");
1097 pos = kde + kde_len;
1098 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
1099 *pos++ = RSN_SELECTOR_LEN + 1;
1100 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
1101 pos += RSN_SELECTOR_LEN;
1102 *pos++ = 0x01;
1103 kde_len = pos - kde;
1104 }
1105 #endif /* CONFIG_P2P */
1106
1107 #ifdef CONFIG_DPP2
1108 if (DPP_VERSION > 1 && sm->key_mgmt == WPA_KEY_MGMT_DPP) {
1109 u8 *pos;
1110
1111 wpa_printf(MSG_DEBUG, "DPP: Add DPP KDE into EAPOL-Key 2/4");
1112 pos = kde + kde_len;
1113 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
1114 *pos++ = RSN_SELECTOR_LEN + 2;
1115 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_DPP);
1116 pos += RSN_SELECTOR_LEN;
1117 *pos++ = DPP_VERSION; /* Protocol Version */
1118 *pos = 0; /* Flags */
1119 if (sm->dpp_pfs == 0)
1120 *pos |= DPP_KDE_PFS_ALLOWED;
1121 else if (sm->dpp_pfs == 1)
1122 *pos |= DPP_KDE_PFS_ALLOWED | DPP_KDE_PFS_REQUIRED;
1123 pos++;
1124 kde_len = pos - kde;
1125 }
1126 #endif /* CONFIG_DPP2 */
1127
1128 if (sm->mlo.valid_links) {
1129 u8 *pos;
1130
1131 /* Add MAC KDE */
1132 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 2/4");
1133 pos = kde + kde_len;
1134 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
1135 ETH_ALEN);
1136
1137 /* Add MLO Link KDE */
1138 wpa_printf(MSG_DEBUG, "Add MLO Link KDE(s) into EAPOL-Key 2/4");
1139 pos = wpa_mlo_link_kde(sm, pos);
1140 kde_len = pos - kde;
1141 }
1142
1143 if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
1144 sm->snonce, kde, kde_len, ptk) < 0)
1145 goto failed;
1146
1147 os_free(kde_buf);
1148 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
1149 return;
1150
1151 failed:
1152 os_free(kde_buf);
1153 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1154 }
1155
1156
wpa_sm_start_preauth(void * eloop_ctx,void * timeout_ctx)1157 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
1158 {
1159 struct wpa_sm *sm = eloop_ctx;
1160 rsn_preauth_candidate_process(sm);
1161 }
1162
1163
wpa_supplicant_key_neg_complete(struct wpa_sm * sm,const u8 * addr,int secure)1164 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
1165 const u8 *addr, int secure)
1166 {
1167 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1168 "WPA: Key negotiation completed with "
1169 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
1170 wpa_cipher_txt(sm->pairwise_cipher),
1171 wpa_cipher_txt(sm->group_cipher));
1172 wpa_sm_cancel_auth_timeout(sm);
1173 wpa_sm_set_state(sm, WPA_COMPLETED);
1174
1175 if (secure) {
1176 wpa_sm_mlme_setprotection(
1177 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
1178 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1179 eapol_sm_notify_portValid(sm->eapol, true);
1180 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
1181 sm->key_mgmt == WPA_KEY_MGMT_DPP ||
1182 sm->key_mgmt == WPA_KEY_MGMT_OWE)
1183 eapol_sm_notify_eap_success(sm->eapol, true);
1184 /*
1185 * Start preauthentication after a short wait to avoid a
1186 * possible race condition between the data receive and key
1187 * configuration after the 4-Way Handshake. This increases the
1188 * likelihood of the first preauth EAPOL-Start frame getting to
1189 * the target AP.
1190 */
1191 if (!dl_list_empty(&sm->pmksa_candidates))
1192 eloop_register_timeout(1, 0, wpa_sm_start_preauth,
1193 sm, NULL);
1194 }
1195
1196 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
1197 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1198 "RSN: Authenticator accepted "
1199 "opportunistic PMKSA entry - marking it valid");
1200 sm->cur_pmksa->opportunistic = 0;
1201 }
1202
1203 #ifdef CONFIG_IEEE80211R
1204 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
1205 /* Prepare for the next transition */
1206 wpa_ft_prepare_auth_request(sm, NULL);
1207 }
1208 #endif /* CONFIG_IEEE80211R */
1209 }
1210
1211
wpa_sm_rekey_ptk(void * eloop_ctx,void * timeout_ctx)1212 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
1213 {
1214 struct wpa_sm *sm = eloop_ctx;
1215 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
1216 wpa_sm_key_request(sm, 0, 1);
1217 }
1218
1219
wpa_supplicant_install_ptk(struct wpa_sm * sm,const struct wpa_eapol_key * key,enum key_flag key_flag)1220 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
1221 const struct wpa_eapol_key *key,
1222 enum key_flag key_flag)
1223 {
1224 int keylen, rsclen;
1225 enum wpa_alg alg;
1226 const u8 *key_rsc;
1227
1228 if (sm->ptk.installed) {
1229 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1230 "WPA: Do not re-install same PTK to the driver");
1231 return 0;
1232 }
1233
1234 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1235 "WPA: Installing PTK to the driver");
1236
1237 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1238 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
1239 "Suite: NONE - do not use pairwise keys");
1240 return 0;
1241 }
1242
1243 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
1244 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1245 "WPA: Unsupported pairwise cipher %d",
1246 sm->pairwise_cipher);
1247 return -1;
1248 }
1249
1250 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
1251 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
1252 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
1253 wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",
1254 keylen, (long unsigned int) sm->ptk.tk_len);
1255 return -1;
1256 }
1257 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
1258
1259 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
1260 key_rsc = null_rsc;
1261 } else {
1262 key_rsc = key->key_rsc;
1263 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
1264 }
1265
1266 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm),
1267 sm->keyidx_active, 1, key_rsc, rsclen, sm->ptk.tk,
1268 keylen, KEY_FLAG_PAIRWISE | key_flag) < 0) {
1269 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1270 "WPA: Failed to set PTK to the driver (alg=%d keylen=%d auth_addr="
1271 MACSTR " idx=%d key_flag=0x%x)",
1272 alg, keylen, MAC2STR(wpa_sm_get_auth_addr(sm)),
1273 sm->keyidx_active, key_flag);
1274 return -1;
1275 }
1276
1277 #ifdef CONFIG_PASN
1278 if (sm->secure_ltf &&
1279 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
1280 wpa_sm_set_ltf_keyseed(sm, sm->own_addr, sm->bssid,
1281 sm->ptk.ltf_keyseed_len,
1282 sm->ptk.ltf_keyseed) < 0) {
1283 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1284 "WPA: Failed to set LTF keyseed to the driver (keylen=%zu bssid="
1285 MACSTR ")", sm->ptk.ltf_keyseed_len,
1286 MAC2STR(sm->bssid));
1287 return -1;
1288 }
1289 #endif /* CONFIG_PASN */
1290
1291 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
1292 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
1293
1294 /* TK is not needed anymore in supplicant */
1295 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
1296 sm->ptk.tk_len = 0;
1297 sm->ptk.installed = 1;
1298 sm->tk_set = true;
1299
1300 if (sm->wpa_ptk_rekey) {
1301 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
1302 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
1303 sm, NULL);
1304 }
1305 return 0;
1306 }
1307
1308
wpa_supplicant_activate_ptk(struct wpa_sm * sm)1309 static int wpa_supplicant_activate_ptk(struct wpa_sm *sm)
1310 {
1311 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1312 "WPA: Activate PTK (idx=%d auth_addr=" MACSTR ")",
1313 sm->keyidx_active, MAC2STR(wpa_sm_get_auth_addr(sm)));
1314
1315 if (wpa_sm_set_key(sm, -1, 0, wpa_sm_get_auth_addr(sm),
1316 sm->keyidx_active, 0, NULL, 0, NULL, 0,
1317 KEY_FLAG_PAIRWISE_RX_TX_MODIFY) < 0) {
1318 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1319 "WPA: Failed to activate PTK for TX (idx=%d auth_addr="
1320 MACSTR ")", sm->keyidx_active,
1321 MAC2STR(wpa_sm_get_auth_addr(sm)));
1322 return -1;
1323 }
1324 return 0;
1325 }
1326
1327
wpa_supplicant_check_group_cipher(struct wpa_sm * sm,int group_cipher,int keylen,int maxkeylen,int * key_rsc_len,enum wpa_alg * alg)1328 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
1329 int group_cipher,
1330 int keylen, int maxkeylen,
1331 int *key_rsc_len,
1332 enum wpa_alg *alg)
1333 {
1334 int klen;
1335
1336 *alg = wpa_cipher_to_alg(group_cipher);
1337 if (*alg == WPA_ALG_NONE) {
1338 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1339 "WPA: Unsupported Group Cipher %d",
1340 group_cipher);
1341 return -1;
1342 }
1343 *key_rsc_len = wpa_cipher_rsc_len(group_cipher);
1344
1345 klen = wpa_cipher_key_len(group_cipher);
1346 if (keylen != klen || maxkeylen < klen) {
1347 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1348 "WPA: Unsupported %s Group Cipher key length %d (%d)",
1349 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
1350 return -1;
1351 }
1352 return 0;
1353 }
1354
1355
1356 struct wpa_gtk_data {
1357 enum wpa_alg alg;
1358 int tx, key_rsc_len, keyidx;
1359 u8 gtk[32];
1360 int gtk_len;
1361 };
1362
1363
wpa_supplicant_install_gtk(struct wpa_sm * sm,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1364 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
1365 const struct wpa_gtk_data *gd,
1366 const u8 *key_rsc, int wnm_sleep)
1367 {
1368 const u8 *_gtk = gd->gtk;
1369 u8 gtk_buf[32];
1370
1371 /* Detect possible key reinstallation */
1372 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
1373 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
1374 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
1375 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
1376 sm->gtk_wnm_sleep.gtk_len) == 0)) {
1377 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1378 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
1379 gd->keyidx, gd->tx, gd->gtk_len);
1380 return 0;
1381 }
1382
1383 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
1384 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1385 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
1386 gd->keyidx, gd->tx, gd->gtk_len);
1387 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
1388 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1389 /* Swap Tx/Rx keys for Michael MIC */
1390 os_memcpy(gtk_buf, gd->gtk, 16);
1391 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1392 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1393 _gtk = gtk_buf;
1394 }
1395 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1396 if (wpa_sm_set_key(sm, -1, gd->alg, NULL,
1397 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
1398 _gtk, gd->gtk_len,
1399 KEY_FLAG_GROUP_RX_TX_DEFAULT) < 0) {
1400 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1401 "WPA: Failed to set GTK to the driver "
1402 "(Group only)");
1403 forced_memzero(gtk_buf, sizeof(gtk_buf));
1404 return -1;
1405 }
1406 } else if (wpa_sm_set_key(sm, -1, gd->alg, broadcast_ether_addr,
1407 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
1408 _gtk, gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1409 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1410 "WPA: Failed to set GTK to "
1411 "the driver (alg=%d keylen=%d keyidx=%d)",
1412 gd->alg, gd->gtk_len, gd->keyidx);
1413 forced_memzero(gtk_buf, sizeof(gtk_buf));
1414 return -1;
1415 }
1416 forced_memzero(gtk_buf, sizeof(gtk_buf));
1417
1418 if (wnm_sleep) {
1419 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
1420 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
1421 sm->gtk_wnm_sleep.gtk_len);
1422 } else {
1423 sm->gtk.gtk_len = gd->gtk_len;
1424 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
1425 }
1426
1427 return 0;
1428 }
1429
1430
wpa_supplicant_install_mlo_gtk(struct wpa_sm * sm,u8 link_id,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1431 static int wpa_supplicant_install_mlo_gtk(struct wpa_sm *sm, u8 link_id,
1432 const struct wpa_gtk_data *gd,
1433 const u8 *key_rsc, int wnm_sleep)
1434 {
1435 const u8 *gtk = gd->gtk;
1436 u8 gtk_buf[32];
1437
1438 /* Detect possible key reinstallation */
1439 if ((sm->mlo.links[link_id].gtk.gtk_len == (size_t) gd->gtk_len &&
1440 os_memcmp(sm->mlo.links[link_id].gtk.gtk, gd->gtk,
1441 sm->mlo.links[link_id].gtk.gtk_len) == 0) ||
1442 (sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len ==
1443 (size_t) gd->gtk_len &&
1444 os_memcmp(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk,
1445 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len) == 0)) {
1446 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1447 "RSN: Not reinstalling already in-use GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)",
1448 link_id, gd->keyidx, gd->tx, gd->gtk_len);
1449 return 0;
1450 }
1451
1452 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: Group Key", gd->gtk,
1453 gd->gtk_len);
1454 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1455 "RSN: Installing GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)",
1456 link_id, gd->keyidx, gd->tx, gd->gtk_len);
1457 wpa_hexdump_link(MSG_DEBUG, link_id, "RSN: RSC",
1458 key_rsc, gd->key_rsc_len);
1459 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1460 /* Swap Tx/Rx keys for Michael MIC */
1461 os_memcpy(gtk_buf, gd->gtk, 16);
1462 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1463 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1464 gtk = gtk_buf;
1465 }
1466 if (wpa_sm_set_key(sm, link_id, gd->alg, broadcast_ether_addr,
1467 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, gtk,
1468 gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1469 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1470 "RSN: Failed to set GTK to the driver (link_id=%d alg=%d keylen=%d keyidx=%d)",
1471 link_id, gd->alg, gd->gtk_len, gd->keyidx);
1472 forced_memzero(gtk_buf, sizeof(gtk_buf));
1473 return -1;
1474 }
1475 forced_memzero(gtk_buf, sizeof(gtk_buf));
1476
1477 if (wnm_sleep) {
1478 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len = gd->gtk_len;
1479 os_memcpy(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk,
1480 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len);
1481 } else {
1482 sm->mlo.links[link_id].gtk.gtk_len = gd->gtk_len;
1483 os_memcpy(sm->mlo.links[link_id].gtk.gtk, gd->gtk,
1484 sm->mlo.links[link_id].gtk.gtk_len);
1485 }
1486
1487 return 0;
1488 }
1489
1490
wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm * sm,int tx)1491 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
1492 int tx)
1493 {
1494 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
1495 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
1496 * seemed to set this bit (incorrectly, since Tx is only when
1497 * doing Group Key only APs) and without this workaround, the
1498 * data connection does not work because wpa_supplicant
1499 * configured non-zero keyidx to be used for unicast. */
1500 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1501 "WPA: Tx bit set for GTK, but pairwise "
1502 "keys are used - ignore Tx bit");
1503 return 0;
1504 }
1505 return tx;
1506 }
1507
1508
wpa_supplicant_rsc_relaxation(const struct wpa_sm * sm,const u8 * rsc)1509 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
1510 const u8 *rsc)
1511 {
1512 int rsclen;
1513
1514 if (!sm->wpa_rsc_relaxation)
1515 return 0;
1516
1517 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
1518
1519 /*
1520 * Try to detect RSC (endian) corruption issue where the AP sends
1521 * the RSC bytes in EAPOL-Key message in the wrong order, both if
1522 * it's actually a 6-byte field (as it should be) and if it treats
1523 * it as an 8-byte field.
1524 * An AP model known to have this bug is the Sapido RB-1632.
1525 */
1526 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
1527 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1528 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
1529 rsc[0], rsc[1], rsc[2], rsc[3],
1530 rsc[4], rsc[5], rsc[6], rsc[7]);
1531
1532 return 1;
1533 }
1534
1535 return 0;
1536 }
1537
1538
wpa_supplicant_mlo_gtk(struct wpa_sm * sm,u8 link_id,const u8 * gtk,size_t gtk_len,int key_info)1539 static int wpa_supplicant_mlo_gtk(struct wpa_sm *sm, u8 link_id, const u8 *gtk,
1540 size_t gtk_len, int key_info)
1541 {
1542 struct wpa_gtk_data gd;
1543 const u8 *key_rsc;
1544 int ret;
1545
1546 /*
1547 * MLO GTK KDE format:
1548 * KeyID[bits 0-1], Tx [bit 2], Reserved [bit 3], link id [4-7]
1549 * PN
1550 * GTK
1551 */
1552 os_memset(&gd, 0, sizeof(gd));
1553 wpa_hexdump_link_key(MSG_DEBUG, link_id,
1554 "RSN: received GTK in pairwise handshake",
1555 gtk, gtk_len);
1556
1557 if (gtk_len < RSN_MLO_GTK_KDE_PREFIX_LENGTH ||
1558 gtk_len - RSN_MLO_GTK_KDE_PREFIX_LENGTH > sizeof(gd.gtk))
1559 return -1;
1560
1561 gd.keyidx = gtk[0] & 0x3;
1562 gtk += 1;
1563 gtk_len -= 1;
1564
1565 key_rsc = gtk;
1566
1567 gtk += 6;
1568 gtk_len -= 6;
1569
1570 os_memcpy(gd.gtk, gtk, gtk_len);
1571 gd.gtk_len = gtk_len;
1572
1573 ret = 0;
1574 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, gtk_len,
1575 gtk_len, &gd.key_rsc_len,
1576 &gd.alg) ||
1577 wpa_supplicant_install_mlo_gtk(sm, link_id, &gd, key_rsc, 0)) {
1578 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1579 "RSN: Failed to install GTK for MLO Link ID %u",
1580 link_id);
1581 ret = -1;
1582 goto out;
1583 }
1584
1585 out:
1586 forced_memzero(&gd, sizeof(gd));
1587 return ret;
1588 }
1589
1590
wpa_supplicant_pairwise_mlo_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,struct wpa_eapol_ie_parse * ie,int key_info)1591 static int wpa_supplicant_pairwise_mlo_gtk(struct wpa_sm *sm,
1592 const struct wpa_eapol_key *key,
1593 struct wpa_eapol_ie_parse *ie,
1594 int key_info)
1595 {
1596 u8 i;
1597
1598 for_each_link(sm->mlo.valid_links, i) {
1599 if (!ie->mlo_gtk[i]) {
1600 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1601 "MLO RSN: GTK not found for link ID %u", i);
1602 return -1;
1603 }
1604
1605 if (wpa_supplicant_mlo_gtk(sm, i, ie->mlo_gtk[i],
1606 ie->mlo_gtk_len[i], key_info))
1607 return -1;
1608 }
1609
1610 return 0;
1611 }
1612
1613
wpa_supplicant_pairwise_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * gtk,size_t gtk_len,int key_info)1614 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
1615 const struct wpa_eapol_key *key,
1616 const u8 *gtk, size_t gtk_len,
1617 int key_info)
1618 {
1619 struct wpa_gtk_data gd;
1620 const u8 *key_rsc;
1621
1622 /*
1623 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
1624 * GTK KDE format:
1625 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
1626 * Reserved [bits 0-7]
1627 * GTK
1628 */
1629
1630 os_memset(&gd, 0, sizeof(gd));
1631 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
1632 gtk, gtk_len);
1633
1634 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
1635 return -1;
1636
1637 gd.keyidx = gtk[0] & 0x3;
1638 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1639 !!(gtk[0] & BIT(2)));
1640 gtk += 2;
1641 gtk_len -= 2;
1642
1643 os_memcpy(gd.gtk, gtk, gtk_len);
1644 gd.gtk_len = gtk_len;
1645
1646 key_rsc = key->key_rsc;
1647 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1648 key_rsc = null_rsc;
1649
1650 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1651 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1652 gtk_len, gtk_len,
1653 &gd.key_rsc_len, &gd.alg) ||
1654 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
1655 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1656 "RSN: Failed to install GTK");
1657 forced_memzero(&gd, sizeof(gd));
1658 return -1;
1659 }
1660 forced_memzero(&gd, sizeof(gd));
1661
1662 return 0;
1663 }
1664
1665
wpa_supplicant_install_igtk(struct wpa_sm * sm,const struct wpa_igtk_kde * igtk,int wnm_sleep)1666 static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
1667 const struct wpa_igtk_kde *igtk,
1668 int wnm_sleep)
1669 {
1670 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1671 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1672
1673 /* Detect possible key reinstallation */
1674 if ((sm->igtk.igtk_len == len &&
1675 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
1676 (sm->igtk_wnm_sleep.igtk_len == len &&
1677 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1678 sm->igtk_wnm_sleep.igtk_len) == 0)) {
1679 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1680 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1681 keyidx);
1682 return 0;
1683 }
1684
1685 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1686 "WPA: IGTK keyid %d pn " COMPACT_MACSTR,
1687 keyidx, MAC2STR(igtk->pn));
1688 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
1689 if (keyidx > 4095) {
1690 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1691 "WPA: Invalid IGTK KeyID %d", keyidx);
1692 return -1;
1693 }
1694 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1695 broadcast_ether_addr,
1696 keyidx, 0, igtk->pn, sizeof(igtk->pn),
1697 igtk->igtk, len, KEY_FLAG_GROUP_RX) < 0) {
1698 if (keyidx == 0x0400 || keyidx == 0x0500) {
1699 /* Assume the AP has broken PMF implementation since it
1700 * seems to have swapped the KeyID bytes. The AP cannot
1701 * be trusted to implement BIP correctly or provide a
1702 * valid IGTK, so do not try to configure this key with
1703 * swapped KeyID bytes. Instead, continue without
1704 * configuring the IGTK so that the driver can drop any
1705 * received group-addressed robust management frames due
1706 * to missing keys.
1707 *
1708 * Normally, this error behavior would result in us
1709 * disconnecting, but there are number of deployed APs
1710 * with this broken behavior, so as an interoperability
1711 * workaround, allow the connection to proceed. */
1712 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1713 "WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order");
1714 } else {
1715 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1716 "WPA: Failed to configure IGTK to the driver");
1717 return -1;
1718 }
1719 }
1720
1721 if (wnm_sleep) {
1722 sm->igtk_wnm_sleep.igtk_len = len;
1723 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1724 sm->igtk_wnm_sleep.igtk_len);
1725 } else {
1726 sm->igtk.igtk_len = len;
1727 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
1728 }
1729
1730 return 0;
1731 }
1732
1733
wpa_supplicant_install_bigtk(struct wpa_sm * sm,const struct wpa_bigtk_kde * bigtk,int wnm_sleep)1734 static int wpa_supplicant_install_bigtk(struct wpa_sm *sm,
1735 const struct wpa_bigtk_kde *bigtk,
1736 int wnm_sleep)
1737 {
1738 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1739 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1740
1741 /* Detect possible key reinstallation */
1742 if ((sm->bigtk.bigtk_len == len &&
1743 os_memcmp(sm->bigtk.bigtk, bigtk->bigtk,
1744 sm->bigtk.bigtk_len) == 0) ||
1745 (sm->bigtk_wnm_sleep.bigtk_len == len &&
1746 os_memcmp(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1747 sm->bigtk_wnm_sleep.bigtk_len) == 0)) {
1748 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1749 "WPA: Not reinstalling already in-use BIGTK to the driver (keyidx=%d)",
1750 keyidx);
1751 return 0;
1752 }
1753
1754 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1755 "WPA: BIGTK keyid %d pn " COMPACT_MACSTR,
1756 keyidx, MAC2STR(bigtk->pn));
1757 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK", bigtk->bigtk, len);
1758 if (keyidx < 6 || keyidx > 7) {
1759 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1760 "WPA: Invalid BIGTK KeyID %d", keyidx);
1761 return -1;
1762 }
1763 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1764 broadcast_ether_addr,
1765 keyidx, 0, bigtk->pn, sizeof(bigtk->pn),
1766 bigtk->bigtk, len, KEY_FLAG_GROUP_RX) < 0) {
1767 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1768 "WPA: Failed to configure BIGTK to the driver");
1769 return -1;
1770 }
1771
1772 if (wnm_sleep) {
1773 sm->bigtk_wnm_sleep.bigtk_len = len;
1774 os_memcpy(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1775 sm->bigtk_wnm_sleep.bigtk_len);
1776 } else {
1777 sm->bigtk.bigtk_len = len;
1778 os_memcpy(sm->bigtk.bigtk, bigtk->bigtk, sm->bigtk.bigtk_len);
1779 }
1780
1781 return 0;
1782 }
1783
1784
wpa_supplicant_install_mlo_igtk(struct wpa_sm * sm,u8 link_id,const struct rsn_mlo_igtk_kde * igtk,int wnm_sleep)1785 static int wpa_supplicant_install_mlo_igtk(struct wpa_sm *sm, u8 link_id,
1786 const struct rsn_mlo_igtk_kde *igtk,
1787 int wnm_sleep)
1788 {
1789 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1790 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1791
1792 /* Detect possible key reinstallation */
1793 if ((sm->mlo.links[link_id].igtk.igtk_len == len &&
1794 os_memcmp(sm->mlo.links[link_id].igtk.igtk, igtk->igtk,
1795 sm->mlo.links[link_id].igtk.igtk_len) == 0) ||
1796 (sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len == len &&
1797 os_memcmp(sm->mlo.links[link_id].igtk_wnm_sleep.igtk, igtk->igtk,
1798 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len) == 0)) {
1799 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1800 "RSN: Not reinstalling already in-use IGTK to the driver (link_id=%d keyidx=%d)",
1801 link_id, keyidx);
1802 return 0;
1803 }
1804
1805 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1806 "RSN: MLO Link %u IGTK keyid %d pn " COMPACT_MACSTR,
1807 link_id, keyidx, MAC2STR(igtk->pn));
1808 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: IGTK", igtk->igtk, len);
1809 if (keyidx > 4095) {
1810 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1811 "RSN: Invalid MLO Link %d IGTK KeyID %d", link_id,
1812 keyidx);
1813 return -1;
1814 }
1815 if (wpa_sm_set_key(sm, link_id,
1816 wpa_cipher_to_alg(sm->mgmt_group_cipher),
1817 broadcast_ether_addr, keyidx, 0, igtk->pn,
1818 sizeof(igtk->pn), igtk->igtk, len,
1819 KEY_FLAG_GROUP_RX) < 0) {
1820 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1821 "RSN: Failed to configure MLO Link %d IGTK to the driver",
1822 link_id);
1823 return -1;
1824 }
1825
1826 if (wnm_sleep) {
1827 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len = len;
1828 os_memcpy(sm->mlo.links[link_id].igtk_wnm_sleep.igtk,
1829 igtk->igtk,
1830 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len);
1831 } else {
1832 sm->mlo.links[link_id].igtk.igtk_len = len;
1833 os_memcpy(sm->mlo.links[link_id].igtk.igtk, igtk->igtk,
1834 sm->mlo.links[link_id].igtk.igtk_len);
1835 }
1836
1837 return 0;
1838 }
1839
1840
1841 static int
wpa_supplicant_install_mlo_bigtk(struct wpa_sm * sm,u8 link_id,const struct rsn_mlo_bigtk_kde * bigtk,int wnm_sleep)1842 wpa_supplicant_install_mlo_bigtk(struct wpa_sm *sm, u8 link_id,
1843 const struct rsn_mlo_bigtk_kde *bigtk,
1844 int wnm_sleep)
1845 {
1846 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1847 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1848
1849 /* Detect possible key reinstallation */
1850 if ((sm->mlo.links[link_id].bigtk.bigtk_len == len &&
1851 os_memcmp(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk,
1852 sm->mlo.links[link_id].bigtk.bigtk_len) == 0) ||
1853 (sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len == len &&
1854 os_memcmp(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk,
1855 bigtk->bigtk,
1856 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len) ==
1857 0)) {
1858 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1859 "RSN: Not reinstalling already in-use BIGTK to the driver (link_id=%d keyidx=%d)",
1860 link_id, keyidx);
1861 return 0;
1862 }
1863
1864 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1865 "RSN: MLO Link %u BIGTK keyid %d pn " COMPACT_MACSTR,
1866 link_id, keyidx, MAC2STR(bigtk->pn));
1867 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: BIGTK", bigtk->bigtk,
1868 len);
1869 if (keyidx < 6 || keyidx > 7) {
1870 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1871 "RSN: Invalid MLO Link %d BIGTK KeyID %d", link_id,
1872 keyidx);
1873 return -1;
1874 }
1875 if (wpa_sm_set_key(sm, link_id,
1876 wpa_cipher_to_alg(sm->mgmt_group_cipher),
1877 broadcast_ether_addr, keyidx, 0, bigtk->pn,
1878 sizeof(bigtk->pn), bigtk->bigtk, len,
1879 KEY_FLAG_GROUP_RX) < 0) {
1880 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1881 "RSN: Failed to configure MLO Link %d BIGTK to the driver",
1882 link_id);
1883 return -1;
1884 }
1885
1886 if (wnm_sleep) {
1887 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len = len;
1888 os_memcpy(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk,
1889 bigtk->bigtk,
1890 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len);
1891 } else {
1892 sm->mlo.links[link_id].bigtk.bigtk_len = len;
1893 os_memcpy(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk,
1894 sm->mlo.links[link_id].bigtk.bigtk_len);
1895 }
1896
1897 return 0;
1898 }
1899
1900
_mlo_ieee80211w_set_keys(struct wpa_sm * sm,u8 link_id,struct wpa_eapol_ie_parse * ie)1901 static int _mlo_ieee80211w_set_keys(struct wpa_sm *sm, u8 link_id,
1902 struct wpa_eapol_ie_parse *ie)
1903 {
1904 size_t len;
1905
1906 if (ie->mlo_igtk[link_id]) {
1907 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1908 if (ie->mlo_igtk_len[link_id] !=
1909 RSN_MLO_IGTK_KDE_PREFIX_LENGTH + len)
1910 return -1;
1911
1912 if (wpa_supplicant_install_mlo_igtk(
1913 sm, link_id,
1914 (const struct rsn_mlo_igtk_kde *)
1915 ie->mlo_igtk[link_id],
1916 0) < 0)
1917 return -1;
1918 }
1919
1920 if (ie->mlo_bigtk[link_id] && sm->beacon_prot) {
1921 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1922 if (ie->mlo_bigtk_len[link_id] !=
1923 RSN_MLO_BIGTK_KDE_PREFIX_LENGTH + len)
1924 return -1;
1925
1926 if (wpa_supplicant_install_mlo_bigtk(
1927 sm, link_id,
1928 (const struct rsn_mlo_bigtk_kde *)
1929 ie->mlo_bigtk[link_id],
1930 0) < 0)
1931 return -1;
1932 }
1933
1934 return 0;
1935 }
1936
1937
mlo_ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1938 static int mlo_ieee80211w_set_keys(struct wpa_sm *sm,
1939 struct wpa_eapol_ie_parse *ie)
1940 {
1941 u8 i;
1942
1943 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1944 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1945 return 0;
1946
1947 for_each_link(sm->mlo.valid_links, i) {
1948 if (_mlo_ieee80211w_set_keys(sm, i, ie))
1949 return -1;
1950 }
1951
1952 return 0;
1953 }
1954
1955
ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1956 static int ieee80211w_set_keys(struct wpa_sm *sm,
1957 struct wpa_eapol_ie_parse *ie)
1958 {
1959 size_t len;
1960
1961 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1962 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1963 return 0;
1964
1965 if (ie->igtk) {
1966 const struct wpa_igtk_kde *igtk;
1967
1968 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1969 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
1970 return -1;
1971
1972 igtk = (const struct wpa_igtk_kde *) ie->igtk;
1973 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
1974 return -1;
1975 }
1976
1977 if (ie->bigtk && sm->beacon_prot) {
1978 const struct wpa_bigtk_kde *bigtk;
1979
1980 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1981 if (ie->bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + len)
1982 return -1;
1983
1984 bigtk = (const struct wpa_bigtk_kde *) ie->bigtk;
1985 if (wpa_supplicant_install_bigtk(sm, bigtk, 0) < 0)
1986 return -1;
1987 }
1988
1989 return 0;
1990 }
1991
1992
wpa_report_ie_mismatch(struct wpa_sm * sm,const char * reason,const u8 * src_addr,const u8 * wpa_ie,size_t wpa_ie_len,const u8 * rsn_ie,size_t rsn_ie_len)1993 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
1994 const char *reason, const u8 *src_addr,
1995 const u8 *wpa_ie, size_t wpa_ie_len,
1996 const u8 *rsn_ie, size_t rsn_ie_len)
1997 {
1998 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
1999 reason, MAC2STR(src_addr));
2000
2001 if (sm->ap_wpa_ie) {
2002 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
2003 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
2004 }
2005 if (wpa_ie) {
2006 if (!sm->ap_wpa_ie) {
2007 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2008 "WPA: No WPA IE in Beacon/ProbeResp");
2009 }
2010 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
2011 wpa_ie, wpa_ie_len);
2012 }
2013
2014 if (sm->ap_rsn_ie) {
2015 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
2016 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
2017 }
2018 if (rsn_ie) {
2019 if (!sm->ap_rsn_ie) {
2020 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2021 "WPA: No RSN IE in Beacon/ProbeResp");
2022 }
2023 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
2024 rsn_ie, rsn_ie_len);
2025 }
2026
2027 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2028 }
2029
2030
2031 #ifdef CONFIG_IEEE80211R
2032
ft_validate_mdie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_mdie)2033 static int ft_validate_mdie(struct wpa_sm *sm,
2034 const unsigned char *src_addr,
2035 struct wpa_eapol_ie_parse *ie,
2036 const u8 *assoc_resp_mdie)
2037 {
2038 struct rsn_mdie *mdie;
2039
2040 mdie = (struct rsn_mdie *) (ie->mdie + 2);
2041 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
2042 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
2043 MOBILITY_DOMAIN_ID_LEN) != 0) {
2044 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
2045 "not match with the current mobility domain");
2046 return -1;
2047 }
2048
2049 if (assoc_resp_mdie &&
2050 (assoc_resp_mdie[1] != ie->mdie[1] ||
2051 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
2052 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
2053 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
2054 ie->mdie, 2 + ie->mdie[1]);
2055 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
2056 assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
2057 return -1;
2058 }
2059
2060 return 0;
2061 }
2062
2063
ft_validate_ftie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_ftie)2064 static int ft_validate_ftie(struct wpa_sm *sm,
2065 const unsigned char *src_addr,
2066 struct wpa_eapol_ie_parse *ie,
2067 const u8 *assoc_resp_ftie)
2068 {
2069 if (ie->ftie == NULL) {
2070 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2071 "FT: No FTIE in EAPOL-Key msg 3/4");
2072 return -1;
2073 }
2074
2075 if (assoc_resp_ftie == NULL)
2076 return 0;
2077
2078 if (assoc_resp_ftie[1] != ie->ftie[1] ||
2079 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
2080 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
2081 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
2082 ie->ftie, 2 + ie->ftie[1]);
2083 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
2084 assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
2085 return -1;
2086 }
2087
2088 return 0;
2089 }
2090
2091
ft_validate_rsnie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2092 static int ft_validate_rsnie(struct wpa_sm *sm,
2093 const unsigned char *src_addr,
2094 struct wpa_eapol_ie_parse *ie)
2095 {
2096 struct wpa_ie_data rsn;
2097
2098 if (!ie->rsn_ie)
2099 return 0;
2100
2101 /*
2102 * Verify that PMKR1Name from EAPOL-Key message 3/4
2103 * matches with the value we derived.
2104 */
2105 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
2106 rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
2107 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
2108 "FT 4-way handshake message 3/4");
2109 return -1;
2110 }
2111
2112 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
2113 {
2114 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2115 "FT: PMKR1Name mismatch in "
2116 "FT 4-way handshake message 3/4");
2117 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
2118 rsn.pmkid, WPA_PMK_NAME_LEN);
2119 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2120 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2121 return -1;
2122 }
2123
2124 return 0;
2125 }
2126
2127
wpa_supplicant_validate_ie_ft(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2128 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
2129 const unsigned char *src_addr,
2130 struct wpa_eapol_ie_parse *ie)
2131 {
2132 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
2133
2134 if (sm->assoc_resp_ies) {
2135 pos = sm->assoc_resp_ies;
2136 end = pos + sm->assoc_resp_ies_len;
2137 while (end - pos > 2) {
2138 if (2 + pos[1] > end - pos)
2139 break;
2140 switch (*pos) {
2141 case WLAN_EID_MOBILITY_DOMAIN:
2142 mdie = pos;
2143 break;
2144 case WLAN_EID_FAST_BSS_TRANSITION:
2145 ftie = pos;
2146 break;
2147 }
2148 pos += 2 + pos[1];
2149 }
2150 }
2151
2152 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
2153 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
2154 ft_validate_rsnie(sm, src_addr, ie) < 0)
2155 return -1;
2156
2157 return 0;
2158 }
2159
2160 #endif /* CONFIG_IEEE80211R */
2161
2162
wpa_supplicant_validate_ie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2163 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
2164 const unsigned char *src_addr,
2165 struct wpa_eapol_ie_parse *ie)
2166 {
2167 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
2168 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2169 "WPA: No WPA/RSN IE for this AP known. "
2170 "Trying to get from scan results");
2171 if (wpa_sm_get_beacon_ie(sm) < 0) {
2172 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2173 "WPA: Could not find AP from "
2174 "the scan results");
2175 return -1;
2176 }
2177 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
2178 "WPA: Found the current AP from updated scan results");
2179 }
2180
2181 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
2182 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
2183 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
2184 "with IE in Beacon/ProbeResp (no IE?)",
2185 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2186 ie->rsn_ie, ie->rsn_ie_len);
2187 return -1;
2188 }
2189
2190 if ((ie->wpa_ie && sm->ap_wpa_ie &&
2191 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
2192 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
2193 (ie->rsn_ie && sm->ap_rsn_ie &&
2194 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2195 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
2196 ie->rsn_ie, ie->rsn_ie_len))) {
2197 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
2198 "with IE in Beacon/ProbeResp",
2199 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2200 ie->rsn_ie, ie->rsn_ie_len);
2201 return -1;
2202 }
2203
2204 if (sm->proto == WPA_PROTO_WPA &&
2205 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
2206 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
2207 "detected - RSN was enabled and RSN IE "
2208 "was in msg 3/4, but not in "
2209 "Beacon/ProbeResp",
2210 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2211 ie->rsn_ie, ie->rsn_ie_len);
2212 return -1;
2213 }
2214
2215 if (sm->proto == WPA_PROTO_RSN &&
2216 ((sm->ap_rsnxe && !ie->rsnxe) ||
2217 (!sm->ap_rsnxe && ie->rsnxe) ||
2218 (sm->ap_rsnxe && ie->rsnxe &&
2219 (sm->ap_rsnxe_len != ie->rsnxe_len ||
2220 os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) {
2221 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2222 "WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2223 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
2224 sm->ap_rsnxe, sm->ap_rsnxe_len);
2225 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
2226 ie->rsnxe, ie->rsnxe_len);
2227 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2228 return -1;
2229 }
2230
2231 if (sm->proto == WPA_PROTO_RSN && wpa_sm_rsn_overriding_supported(sm)) {
2232 if ((sm->ap_rsne_override && !ie->rsne_override) ||
2233 (!sm->ap_rsne_override && ie->rsne_override) ||
2234 (sm->ap_rsne_override && ie->rsne_override &&
2235 (sm->ap_rsne_override_len != ie->rsne_override_len ||
2236 os_memcmp(sm->ap_rsne_override, ie->rsne_override,
2237 sm->ap_rsne_override_len) != 0))) {
2238 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2239 "RSN: RSNE Override element mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2240 wpa_hexdump(MSG_INFO,
2241 "RSNE Override element in Beacon/ProbeResp",
2242 sm->ap_rsne_override,
2243 sm->ap_rsne_override_len);
2244 wpa_hexdump(MSG_INFO,
2245 "RSNE Override element in EAPOL-Key msg 3/4",
2246 ie->rsne_override, ie->rsne_override_len);
2247 wpa_sm_deauthenticate(sm,
2248 WLAN_REASON_IE_IN_4WAY_DIFFERS);
2249 return -1;
2250 }
2251
2252 if ((sm->ap_rsne_override_2 && !ie->rsne_override_2) ||
2253 (!sm->ap_rsne_override_2 && ie->rsne_override_2) ||
2254 (sm->ap_rsne_override_2 && ie->rsne_override_2 &&
2255 (sm->ap_rsne_override_2_len != ie->rsne_override_2_len ||
2256 os_memcmp(sm->ap_rsne_override_2, ie->rsne_override_2,
2257 sm->ap_rsne_override_2_len) != 0))) {
2258 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2259 "RSN: RSNE Override 2 element mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2260 wpa_hexdump(MSG_INFO,
2261 "RSNE Override 2 element in Beacon/ProbeResp",
2262 sm->ap_rsne_override_2,
2263 sm->ap_rsne_override_2_len);
2264 wpa_hexdump(MSG_INFO,
2265 "RSNE Override 2 element in EAPOL-Key msg 3/4",
2266 ie->rsne_override_2, ie->rsne_override_2_len);
2267 wpa_sm_deauthenticate(sm,
2268 WLAN_REASON_IE_IN_4WAY_DIFFERS);
2269 return -1;
2270 }
2271
2272 if ((sm->ap_rsnxe_override && !ie->rsnxe_override) ||
2273 (!sm->ap_rsnxe_override && ie->rsnxe_override) ||
2274 (sm->ap_rsnxe_override && ie->rsnxe_override &&
2275 (sm->ap_rsnxe_override_len != ie->rsnxe_override_len ||
2276 os_memcmp(sm->ap_rsnxe_override, ie->rsnxe_override,
2277 sm->ap_rsnxe_override_len) != 0))) {
2278 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2279 "RSN: RSNXE Override element mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2280 wpa_hexdump(MSG_INFO,
2281 "RSNXE Override element in Beacon/ProbeResp",
2282 sm->ap_rsnxe_override,
2283 sm->ap_rsnxe_override_len);
2284 wpa_hexdump(MSG_INFO,
2285 "RSNXE Override element in EAPOL-Key msg 3/4",
2286 ie->rsnxe_override, ie->rsnxe_override_len);
2287 wpa_sm_deauthenticate(sm,
2288 WLAN_REASON_IE_IN_4WAY_DIFFERS);
2289 return -1;
2290 }
2291 }
2292
2293 #ifdef CONFIG_IEEE80211R
2294 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
2295 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
2296 return -1;
2297 #endif /* CONFIG_IEEE80211R */
2298
2299 return 0;
2300 }
2301
2302
2303 /**
2304 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
2305 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2306 * @dst: Destination address for the frame
2307 * @key: Pointer to the EAPOL-Key frame header
2308 * @ver: Version bits from EAPOL-Key Key Info
2309 * @key_info: Key Info
2310 * @ptk: PTK to use for keyed hash and encryption
2311 * Returns: >= 0 on success, < 0 on failure
2312 */
wpa_supplicant_send_4_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,u16 ver,u16 key_info,struct wpa_ptk * ptk)2313 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
2314 const struct wpa_eapol_key *key,
2315 u16 ver, u16 key_info,
2316 struct wpa_ptk *ptk)
2317 {
2318 size_t mic_len, hdrlen, rlen;
2319 struct wpa_eapol_key *reply;
2320 u8 *rbuf, *key_mic;
2321 u8 *kde = NULL;
2322 size_t kde_len = 0, extra_len = 0;
2323 #ifdef CONFIG_TESTING_OPTIONS
2324 size_t pad_len = 0;
2325 #endif /* CONFIG_TESTING_OPTIONS */
2326
2327 if (sm->mlo.valid_links) {
2328 u8 *pos;
2329
2330 kde = os_malloc(RSN_SELECTOR_LEN + ETH_ALEN + 2);
2331 if (!kde)
2332 return -1;
2333
2334 /* Add MAC KDE */
2335 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 4/4");
2336 pos = kde;
2337 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
2338 ETH_ALEN);
2339 kde_len = pos - kde;
2340 }
2341
2342 #ifdef CONFIG_TESTING_OPTIONS
2343 if (sm->test_eapol_m4_elems)
2344 extra_len = wpabuf_len(sm->test_eapol_m4_elems);
2345 if (sm->encrypt_eapol_m4) {
2346 pad_len = (kde_len + extra_len) % 8;
2347 if (pad_len)
2348 pad_len = 8 - pad_len;
2349 extra_len += pad_len + 8;
2350 }
2351 #endif /* CONFIG_TESTING_OPTIONS */
2352
2353 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2354 hdrlen = sizeof(*reply) + mic_len + 2;
2355 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
2356 hdrlen + kde_len + extra_len, &rlen,
2357 (void *) &reply);
2358 if (!rbuf) {
2359 os_free(kde);
2360 return -1;
2361 }
2362
2363 reply->type = (sm->proto == WPA_PROTO_RSN ||
2364 sm->proto == WPA_PROTO_OSEN) ?
2365 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2366 key_info &= WPA_KEY_INFO_SECURE;
2367 key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
2368 if (mic_len)
2369 key_info |= WPA_KEY_INFO_MIC;
2370 else
2371 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2372 #ifdef CONFIG_TESTING_OPTIONS
2373 if (sm->encrypt_eapol_m4)
2374 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2375 #endif /* CONFIG_TESTING_OPTIONS */
2376 WPA_PUT_BE16(reply->key_info, key_info);
2377 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
2378 WPA_PUT_BE16(reply->key_length, 0);
2379 else
2380 os_memcpy(reply->key_length, key->key_length, 2);
2381 os_memcpy(reply->replay_counter, key->replay_counter,
2382 WPA_REPLAY_COUNTER_LEN);
2383
2384 key_mic = (u8 *) (reply + 1);
2385 /* Key Data length */
2386 WPA_PUT_BE16(key_mic + mic_len, kde_len + extra_len);
2387 if (kde) {
2388 os_memcpy(key_mic + mic_len + 2, kde, kde_len); /* Key Data */
2389 os_free(kde);
2390 }
2391
2392 #ifdef CONFIG_TESTING_OPTIONS
2393 if (sm->test_eapol_m4_elems) {
2394 os_memcpy(key_mic + mic_len + 2 + kde_len,
2395 wpabuf_head(sm->test_eapol_m4_elems),
2396 wpabuf_len(sm->test_eapol_m4_elems));
2397 }
2398
2399 if (sm->encrypt_eapol_m4) {
2400 u8 *plain;
2401 size_t plain_len;
2402
2403 if (sm->test_eapol_m4_elems)
2404 extra_len = wpabuf_len(sm->test_eapol_m4_elems);
2405 else
2406 extra_len = 0;
2407 plain_len = kde_len + extra_len + pad_len;
2408 plain = os_memdup(key_mic + mic_len + 2, plain_len);
2409 if (!plain) {
2410 os_free(rbuf);
2411 return -1;
2412 }
2413 if (pad_len)
2414 plain[plain_len - pad_len] = 0xdd;
2415
2416 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK",
2417 ptk->kek, ptk->kek_len);
2418 if (aes_wrap(ptk->kek, ptk->kek_len, plain_len / 8, plain,
2419 key_mic + mic_len + 2)) {
2420 os_free(plain);
2421 os_free(rbuf);
2422 return -1;
2423 }
2424 wpa_hexdump(MSG_DEBUG,
2425 "RSN: Encrypted Key Data from AES-WRAP",
2426 key_mic + mic_len + 2, plain_len + 8);
2427 os_free(plain);
2428 }
2429 #endif /* CONFIG_TESTING_OPTIONS */
2430
2431 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
2432 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
2433 key_mic);
2434 }
2435
2436
wpa_supplicant_validate_link_kde(struct wpa_sm * sm,u8 link_id,const u8 * link_kde,size_t link_kde_len,const u8 * rsn_override_link_kde,size_t rsn_override_link_kde_len)2437 static int wpa_supplicant_validate_link_kde(struct wpa_sm *sm, u8 link_id,
2438 const u8 *link_kde,
2439 size_t link_kde_len,
2440 const u8 *rsn_override_link_kde,
2441 size_t rsn_override_link_kde_len)
2442 {
2443 size_t rsne_len = 0, rsnxe_len = 0, rsnoe_len = 0, rsno2e_len = 0,
2444 rsnxoe_len = 0;
2445 const u8 *rsne = NULL, *rsnxe = NULL, *rsnoe = NULL, *rsno2e = NULL,
2446 *rsnxoe = NULL;
2447
2448 if (!link_kde ||
2449 link_kde_len < RSN_MLO_LINK_KDE_LINK_MAC_INDEX + ETH_ALEN) {
2450 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2451 "RSN: MLO Link KDE is not found for link ID %d",
2452 link_id);
2453 return -1;
2454 }
2455
2456 if (!ether_addr_equal(sm->mlo.links[link_id].bssid,
2457 &link_kde[RSN_MLO_LINK_KDE_LINK_MAC_INDEX])) {
2458 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2459 "RSN: MLO Link %u MAC address (" MACSTR
2460 ") not matching association response (" MACSTR ")",
2461 link_id,
2462 MAC2STR(&link_kde[RSN_MLO_LINK_KDE_LINK_MAC_INDEX]),
2463 MAC2STR(sm->mlo.links[link_id].bssid));
2464 return -1;
2465 }
2466
2467 if (link_kde[0] & RSN_MLO_LINK_KDE_LI_RSNE_INFO) {
2468 rsne = link_kde + RSN_MLO_LINK_KDE_FIXED_LENGTH;
2469 if (link_kde_len < RSN_MLO_LINK_KDE_FIXED_LENGTH + 2 ||
2470 link_kde_len <
2471 (size_t) (RSN_MLO_LINK_KDE_FIXED_LENGTH + 2 + rsne[1])) {
2472 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2473 "RSN: No room for link %u RSNE in MLO Link KDE",
2474 link_id);
2475 return -1;
2476 }
2477
2478 rsne_len = rsne[1] + 2;
2479 }
2480
2481 if (!rsne) {
2482 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2483 "RSN: RSNE not present in MLO Link %u KDE", link_id);
2484 return -1;
2485 }
2486
2487 if (link_kde[0] & RSN_MLO_LINK_KDE_LI_RSNXE_INFO) {
2488 rsnxe = link_kde + RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len;
2489 if (link_kde_len <
2490 (RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len + 2) ||
2491 link_kde_len <
2492 (RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len + 2 + rsnxe[1])) {
2493 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2494 "RSN: No room for link %u RSNXE in MLO Link KDE",
2495 link_id);
2496 return -1;
2497 }
2498
2499 rsnxe_len = rsnxe[1] + 2;
2500 }
2501
2502 if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2503 sm->mlo.links[link_id].ap_rsne,
2504 sm->mlo.links[link_id].ap_rsne_len,
2505 rsne, rsne_len)) {
2506 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2507 "RSN MLO: RSNE in 3/4 msg does not match with IE in Beacon/ProbeResp for link ID %u",
2508 link_id);
2509 wpa_hexdump(MSG_INFO, "RSNE in Beacon/ProbeResp",
2510 sm->mlo.links[link_id].ap_rsne,
2511 sm->mlo.links[link_id].ap_rsne_len);
2512 wpa_hexdump(MSG_INFO, "RSNE in EAPOL-Key msg 3/4",
2513 rsne, rsne_len);
2514 goto fail;
2515 }
2516
2517 if ((sm->mlo.links[link_id].ap_rsnxe && !rsnxe) ||
2518 (!sm->mlo.links[link_id].ap_rsnxe && rsnxe) ||
2519 (sm->mlo.links[link_id].ap_rsnxe && rsnxe &&
2520 (sm->mlo.links[link_id].ap_rsnxe_len != rsnxe_len ||
2521 os_memcmp(sm->mlo.links[link_id].ap_rsnxe, rsnxe,
2522 sm->mlo.links[link_id].ap_rsnxe_len) != 0))) {
2523 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2524 "RSN MLO: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4 for link ID %u",
2525 link_id);
2526 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
2527 sm->mlo.links[link_id].ap_rsnxe,
2528 sm->mlo.links[link_id].ap_rsnxe_len);
2529 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
2530 rsnxe, rsnxe_len);
2531 goto fail;
2532 }
2533
2534 if (!wpa_sm_rsn_overriding_supported(sm))
2535 return 0;
2536
2537 if (rsn_override_link_kde) {
2538 rsnoe = get_vendor_ie(rsn_override_link_kde + 1,
2539 rsn_override_link_kde_len - 1,
2540 RSNE_OVERRIDE_IE_VENDOR_TYPE);
2541 if (rsnoe)
2542 rsnoe_len = 2 + rsnoe[1];
2543
2544 rsno2e = get_vendor_ie(rsn_override_link_kde + 1,
2545 rsn_override_link_kde_len - 1,
2546 RSNE_OVERRIDE_2_IE_VENDOR_TYPE);
2547 if (rsno2e)
2548 rsno2e_len = 2 + rsno2e[1];
2549
2550 rsnxoe = get_vendor_ie(rsn_override_link_kde + 1,
2551 rsn_override_link_kde_len - 1,
2552 RSNXE_OVERRIDE_IE_VENDOR_TYPE);
2553 if (rsnxoe)
2554 rsnxoe_len = 2 + rsnxoe[1];
2555 }
2556
2557 if ((sm->mlo.links[link_id].ap_rsnoe && !rsnoe) ||
2558 (!sm->mlo.links[link_id].ap_rsnoe && rsnoe) ||
2559 (sm->mlo.links[link_id].ap_rsnoe && rsnoe &&
2560 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2561 sm->mlo.links[link_id].ap_rsnoe,
2562 sm->mlo.links[link_id].ap_rsnoe_len,
2563 rsnoe, rsnoe_len))) {
2564 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2565 "RSN MLO: RSNOE in 3/4 msg does not match with IE in Beacon/ProbeResp for link ID %u",
2566 link_id);
2567 wpa_hexdump(MSG_INFO, "RSNOE in Beacon/ProbeResp",
2568 sm->mlo.links[link_id].ap_rsnoe,
2569 sm->mlo.links[link_id].ap_rsnoe_len);
2570 wpa_hexdump(MSG_INFO, "RSNOE in EAPOL-Key msg 3/4",
2571 rsnoe, rsnoe_len);
2572 goto fail;
2573 }
2574
2575 if ((sm->mlo.links[link_id].ap_rsno2e && !rsno2e) ||
2576 (!sm->mlo.links[link_id].ap_rsno2e && rsno2e) ||
2577 (sm->mlo.links[link_id].ap_rsno2e && rsno2e &&
2578 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2579 sm->mlo.links[link_id].ap_rsno2e,
2580 sm->mlo.links[link_id].ap_rsno2e_len,
2581 rsno2e, rsno2e_len))) {
2582 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2583 "RSN MLO: RSNO2E in 3/4 msg does not match with IE in Beacon/ProbeResp for link ID %u",
2584 link_id);
2585 wpa_hexdump(MSG_INFO, "RSNO2E in Beacon/ProbeResp",
2586 sm->mlo.links[link_id].ap_rsno2e,
2587 sm->mlo.links[link_id].ap_rsno2e_len);
2588 wpa_hexdump(MSG_INFO, "RSNOE in EAPOL-Key msg 3/4",
2589 rsno2e, rsno2e_len);
2590 goto fail;
2591 }
2592
2593 if ((sm->mlo.links[link_id].ap_rsnxoe && !rsnxoe) ||
2594 (!sm->mlo.links[link_id].ap_rsnxoe && rsnxoe) ||
2595 (sm->mlo.links[link_id].ap_rsnxoe && rsnxoe &&
2596 (sm->mlo.links[link_id].ap_rsnxoe_len != rsnxoe_len ||
2597 os_memcmp(sm->mlo.links[link_id].ap_rsnxoe, rsnxoe,
2598 sm->mlo.links[link_id].ap_rsnxoe_len) != 0))) {
2599 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2600 "RSN MLO: RSNXOE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4 for link ID %u",
2601 link_id);
2602 wpa_hexdump(MSG_INFO, "RSNXOE in Beacon/ProbeResp",
2603 sm->mlo.links[link_id].ap_rsnxoe,
2604 sm->mlo.links[link_id].ap_rsnxoe_len);
2605 wpa_hexdump(MSG_INFO, "RSNXOE in EAPOL-Key msg 3/4",
2606 rsnxoe, rsnxoe_len);
2607 goto fail;
2608 }
2609
2610 return 0;
2611 fail:
2612 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2613 return -1;
2614 }
2615
2616
wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm * sm,u8 link_id,struct wpa_eapol_ie_parse * ie)2617 static int wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm *sm,
2618 u8 link_id,
2619 struct wpa_eapol_ie_parse *ie)
2620 {
2621 if (ie->mlo_igtk[link_id] &&
2622 ie->mlo_igtk_len[link_id] != RSN_MLO_IGTK_KDE_PREFIX_LENGTH +
2623 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2624 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2625 "RSN MLO: Invalid IGTK KDE length %lu for link ID %u",
2626 (unsigned long) ie->mlo_igtk_len[link_id], link_id);
2627 return -1;
2628 }
2629
2630 if (!sm->beacon_prot)
2631 return 0;
2632
2633 if (ie->mlo_bigtk[link_id] &&
2634 ie->mlo_bigtk_len[link_id] != RSN_MLO_BIGTK_KDE_PREFIX_LENGTH +
2635 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2636 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2637 "RSN MLO: Invalid BIGTK KDE length %lu for link ID %u",
2638 (unsigned long) ie->mlo_bigtk_len[link_id], link_id);
2639 return -1;
2640 }
2641
2642 return 0;
2643 }
2644
2645
wpa_supplicant_process_3_of_4_wpa(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)2646 static void wpa_supplicant_process_3_of_4_wpa(struct wpa_sm *sm,
2647 const struct wpa_eapol_key *key,
2648 u16 ver, const u8 *key_data,
2649 size_t key_data_len)
2650 {
2651 u16 key_info, keylen;
2652 struct wpa_eapol_ie_parse ie;
2653
2654 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
2655 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2656 "WPA: RX message 3 of 4-Way Handshake from " MACSTR
2657 " (ver=%d)", MAC2STR(sm->bssid), ver);
2658
2659 key_info = WPA_GET_BE16(key->key_info);
2660
2661 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
2662 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
2663 goto failed;
2664
2665 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
2666 goto failed;
2667
2668 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2669 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2670 "WPA: ANonce from message 1 of 4-Way Handshake differs from 3 of 4-Way Handshake - drop packet (src="
2671 MACSTR ")", MAC2STR(sm->bssid));
2672 goto failed;
2673 }
2674
2675 keylen = WPA_GET_BE16(key->key_length);
2676 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
2677 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2678 "WPA: Invalid %s key length %d (src=" MACSTR ")",
2679 wpa_cipher_txt(sm->pairwise_cipher), keylen,
2680 MAC2STR(sm->bssid));
2681 goto failed;
2682 }
2683
2684 if (wpa_supplicant_send_4_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
2685 key_info, &sm->ptk) < 0)
2686 goto failed;
2687
2688 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
2689 * for the next 4-Way Handshake. If msg 3 is received again, the old
2690 * SNonce will still be used to avoid changing PTK. */
2691 sm->renew_snonce = 1;
2692
2693 if ((key_info & WPA_KEY_INFO_INSTALL) &&
2694 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX_TX))
2695 goto failed;
2696
2697 if (key_info & WPA_KEY_INFO_SECURE) {
2698 wpa_sm_mlme_setprotection(
2699 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2700 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
2701 eapol_sm_notify_portValid(sm->eapol, true);
2702 }
2703 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2704
2705 sm->msg_3_of_4_ok = 1;
2706 return;
2707
2708 failed:
2709 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2710 }
2711
2712
wpa_supplicant_process_3_of_4(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)2713 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
2714 const struct wpa_eapol_key *key,
2715 u16 ver, const u8 *key_data,
2716 size_t key_data_len)
2717 {
2718 u16 key_info, keylen;
2719 struct wpa_eapol_ie_parse ie;
2720 bool mlo = sm->mlo.valid_links;
2721 int i;
2722
2723 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
2724 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2725 "RSN: RX message 3 of 4-Way Handshake from " MACSTR
2726 " (ver=%d)%s", MAC2STR(sm->bssid), ver, mlo ? " (MLO)" : "");
2727
2728 key_info = WPA_GET_BE16(key->key_info);
2729
2730 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
2731 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
2732 goto failed;
2733
2734 if (sm->ssid_protection) {
2735 if (!ie.ssid) {
2736 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2737 "RSN: No SSID included in EAPOL-Key msg 3/4");
2738 goto failed;
2739 }
2740
2741 if (ie.ssid_len != sm->ssid_len ||
2742 os_memcmp(ie.ssid, sm->ssid, sm->ssid_len) != 0) {
2743 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2744 "RSN: SSID mismatch in EAPOL-Key msg 3/4");
2745 wpa_hexdump_ascii(MSG_DEBUG, "RSN: Received SSID",
2746 ie.ssid, ie.ssid_len);
2747 wpa_hexdump_ascii(MSG_DEBUG, "RSN: Expected SSID",
2748 sm->ssid, sm->ssid_len);
2749 goto failed;
2750 }
2751
2752 wpa_sm_ssid_verified(sm);
2753 }
2754
2755 if (mlo && !ie.valid_mlo_gtks) {
2756 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2757 "MLO RSN: No GTK KDE included in EAPOL-Key msg 3/4");
2758 goto failed;
2759 }
2760 if (mlo &&
2761 (key_info &
2762 (WPA_KEY_INFO_ENCR_KEY_DATA | WPA_KEY_INFO_INSTALL |
2763 WPA_KEY_INFO_SECURE)) !=
2764 (WPA_KEY_INFO_ENCR_KEY_DATA | WPA_KEY_INFO_INSTALL |
2765 WPA_KEY_INFO_SECURE)) {
2766 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2767 "RSN MLO: Invalid key info (0x%x) in EAPOL-Key msg 3/4",
2768 key_info);
2769 goto failed;
2770 }
2771
2772 if (mlo && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) {
2773 wpa_printf(MSG_DEBUG, "RSN: Invalid AP MLD MAC address KDE");
2774 goto failed;
2775 }
2776
2777 for (i = 0; mlo && i < MAX_NUM_MLD_LINKS; i++) {
2778 if (!(sm->mlo.req_links & BIT(i)))
2779 continue;
2780
2781 if (wpa_supplicant_validate_link_kde(
2782 sm, i, ie.mlo_link[i], ie.mlo_link_len[i],
2783 ie.rsn_override_link[i],
2784 ie.rsn_override_link_len[i]) < 0)
2785 goto failed;
2786
2787 if (!(sm->mlo.valid_links & BIT(i)))
2788 continue;
2789
2790 if (!ie.mlo_gtk[i]) {
2791 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2792 "RSN: GTK not found for link ID %u", i);
2793 goto failed;
2794 }
2795
2796 if (sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
2797 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
2798 wpa_validate_mlo_ieee80211w_kdes(sm, i, &ie) < 0)
2799 goto failed;
2800 }
2801
2802 #ifdef CONFIG_IEEE80211R
2803 if (mlo && wpa_key_mgmt_ft(sm->key_mgmt) &&
2804 wpa_supplicant_validate_ie_ft(sm, sm->bssid, &ie) < 0)
2805 goto failed;
2806 #endif /* CONFIG_IEEE80211R */
2807
2808 if (!mlo && ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2809 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2810 "WPA: GTK IE in unencrypted key data");
2811 goto failed;
2812 }
2813 if (!mlo && ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2814 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2815 "WPA: IGTK KDE in unencrypted key data");
2816 goto failed;
2817 }
2818
2819 if (!mlo && ie.igtk &&
2820 sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
2821 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
2822 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
2823 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2824 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2825 "WPA: Invalid IGTK KDE length %lu",
2826 (unsigned long) ie.igtk_len);
2827 goto failed;
2828 }
2829
2830 if (!mlo && wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
2831 goto failed;
2832
2833 if (wpa_handle_ext_key_id(sm, &ie))
2834 goto failed;
2835
2836 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2837 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2838 "WPA: ANonce from message 1 of 4-Way Handshake "
2839 "differs from 3 of 4-Way Handshake - drop packet (src="
2840 MACSTR ")", MAC2STR(sm->bssid));
2841 goto failed;
2842 }
2843
2844 keylen = WPA_GET_BE16(key->key_length);
2845 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
2846 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2847 "WPA: Invalid %s key length %d (src=" MACSTR
2848 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
2849 MAC2STR(sm->bssid));
2850 goto failed;
2851 }
2852
2853 #ifdef CONFIG_P2P
2854 if (ie.ip_addr_alloc) {
2855 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
2856 wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
2857 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
2858 }
2859 #endif /* CONFIG_P2P */
2860
2861 #ifdef CONFIG_OCV
2862 if (wpa_sm_ocv_enabled(sm)) {
2863 struct wpa_channel_info ci;
2864
2865 if (wpa_sm_channel_info(sm, &ci) != 0) {
2866 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2867 "Failed to get channel info to validate received OCI in EAPOL-Key 3/4");
2868 return;
2869 }
2870
2871 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
2872 channel_width_to_int(ci.chanwidth),
2873 ci.seg1_idx) != OCI_SUCCESS) {
2874 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
2875 "addr=" MACSTR " frame=eapol-key-m3 error=%s",
2876 MAC2STR(sm->bssid), ocv_errorstr);
2877 return;
2878 }
2879 }
2880 #endif /* CONFIG_OCV */
2881
2882 #ifdef CONFIG_DPP2
2883 if (DPP_VERSION > 1 && ie.dpp_kde) {
2884 wpa_printf(MSG_DEBUG,
2885 "DPP: peer Protocol Version %u Flags 0x%x",
2886 ie.dpp_kde[0], ie.dpp_kde[1]);
2887 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_pfs != 2 &&
2888 (ie.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && !sm->dpp_z) {
2889 wpa_printf(MSG_INFO,
2890 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
2891 goto failed;
2892 }
2893 }
2894 #endif /* CONFIG_DPP2 */
2895
2896 if (sm->use_ext_key_id &&
2897 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX))
2898 goto failed;
2899
2900 if (wpa_supplicant_send_4_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
2901 key_info, &sm->ptk) < 0)
2902 goto failed;
2903
2904 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
2905 * for the next 4-Way Handshake. If msg 3 is received again, the old
2906 * SNonce will still be used to avoid changing PTK. */
2907 sm->renew_snonce = 1;
2908
2909 if (key_info & WPA_KEY_INFO_INSTALL) {
2910 int res;
2911
2912 if (sm->use_ext_key_id)
2913 res = wpa_supplicant_activate_ptk(sm);
2914 else
2915 res = wpa_supplicant_install_ptk(sm, key,
2916 KEY_FLAG_RX_TX);
2917 if (res)
2918 goto failed;
2919 }
2920
2921 if (key_info & WPA_KEY_INFO_SECURE) {
2922 wpa_sm_mlme_setprotection(
2923 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2924 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
2925 eapol_sm_notify_portValid(sm->eapol, true);
2926 }
2927 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2928
2929 if (mlo) {
2930 if (wpa_supplicant_pairwise_mlo_gtk(sm, key, &ie,
2931 key_info) < 0) {
2932 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2933 "MLO RSN: Failed to configure MLO GTKs");
2934 goto failed;
2935 }
2936 } else if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
2937 /* No GTK to be set to the driver */
2938 } else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) {
2939 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2940 "RSN: No GTK KDE included in EAPOL-Key msg 3/4");
2941 goto failed;
2942 } else if (ie.gtk &&
2943 wpa_supplicant_pairwise_gtk(sm, key,
2944 ie.gtk, ie.gtk_len, key_info) < 0) {
2945 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2946 "RSN: Failed to configure GTK");
2947 goto failed;
2948 }
2949
2950 if ((mlo && mlo_ieee80211w_set_keys(sm, &ie) < 0) ||
2951 (!mlo && ieee80211w_set_keys(sm, &ie) < 0)) {
2952 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2953 "RSN: Failed to configure IGTK");
2954 goto failed;
2955 }
2956
2957 if (mlo || sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk)
2958 wpa_supplicant_key_neg_complete(sm, sm->bssid,
2959 key_info & WPA_KEY_INFO_SECURE);
2960
2961 if (mlo || ie.gtk)
2962 wpa_sm_set_rekey_offload(sm);
2963
2964 /* Add PMKSA cache entry for Suite B AKMs here since PMKID can be
2965 * calculated only after KCK has been derived. Though, do not replace an
2966 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
2967 * to avoid unnecessary changes of PMKID while continuing to use the
2968 * same PMK. */
2969 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
2970 !sm->cur_pmksa) {
2971 struct rsn_pmksa_cache_entry *sa;
2972
2973 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
2974 sm->ptk.kck, sm->ptk.kck_len,
2975 wpa_sm_get_auth_addr(sm), sm->own_addr,
2976 sm->network_ctx, sm->key_mgmt, NULL);
2977 if (!sm->cur_pmksa)
2978 sm->cur_pmksa = sa;
2979 }
2980
2981 if (ie.transition_disable)
2982 wpa_sm_transition_disable(sm, ie.transition_disable[0]);
2983 sm->msg_3_of_4_ok = 1;
2984 return;
2985
2986 failed:
2987 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2988 }
2989
2990
wpa_supplicant_send_2_of_2(struct wpa_sm * sm,const struct wpa_eapol_key * key,int ver,u16 key_info)2991 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
2992 const struct wpa_eapol_key *key,
2993 int ver, u16 key_info)
2994 {
2995 size_t mic_len, hdrlen, rlen;
2996 struct wpa_eapol_key *reply;
2997 u8 *rbuf, *key_mic;
2998 size_t kde_len = 0;
2999
3000 #ifdef CONFIG_TESTING_OPTIONS
3001 if (sm->disable_eapol_g2_tx) {
3002 wpa_printf(MSG_INFO, "TEST: Disable sending EAPOL-Key 2/2");
3003 return 0;
3004 }
3005 #endif /* CONFIG_TESTING_OPTIONS */
3006
3007 #ifdef CONFIG_OCV
3008 if (wpa_sm_ocv_enabled(sm))
3009 kde_len = OCV_OCI_KDE_LEN;
3010 #endif /* CONFIG_OCV */
3011
3012 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
3013 hdrlen = sizeof(*reply) + mic_len + 2;
3014 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
3015 hdrlen + kde_len, &rlen, (void *) &reply);
3016 if (rbuf == NULL)
3017 return -1;
3018
3019 reply->type = (sm->proto == WPA_PROTO_RSN ||
3020 sm->proto == WPA_PROTO_OSEN) ?
3021 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
3022 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
3023 key_info |= ver | WPA_KEY_INFO_SECURE;
3024 if (mic_len)
3025 key_info |= WPA_KEY_INFO_MIC;
3026 else
3027 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
3028 WPA_PUT_BE16(reply->key_info, key_info);
3029 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
3030 WPA_PUT_BE16(reply->key_length, 0);
3031 else
3032 os_memcpy(reply->key_length, key->key_length, 2);
3033 os_memcpy(reply->replay_counter, key->replay_counter,
3034 WPA_REPLAY_COUNTER_LEN);
3035
3036 key_mic = (u8 *) (reply + 1);
3037 WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */
3038
3039 #ifdef CONFIG_OCV
3040 if (wpa_sm_ocv_enabled(sm)) {
3041 struct wpa_channel_info ci;
3042 u8 *pos;
3043
3044 if (wpa_sm_channel_info(sm, &ci) != 0) {
3045 wpa_printf(MSG_WARNING,
3046 "Failed to get channel info for OCI element in EAPOL-Key 2/2");
3047 os_free(rbuf);
3048 return -1;
3049 }
3050 #ifdef CONFIG_TESTING_OPTIONS
3051 if (sm->oci_freq_override_eapol_g2) {
3052 wpa_printf(MSG_INFO,
3053 "TEST: Override OCI KDE frequency %d -> %d MHz",
3054 ci.frequency,
3055 sm->oci_freq_override_eapol_g2);
3056 ci.frequency = sm->oci_freq_override_eapol_g2;
3057 }
3058 #endif /* CONFIG_TESTING_OPTIONS */
3059
3060 pos = key_mic + mic_len + 2; /* Key Data */
3061 if (ocv_insert_oci_kde(&ci, &pos) < 0) {
3062 os_free(rbuf);
3063 return -1;
3064 }
3065 }
3066 #endif /* CONFIG_OCV */
3067
3068 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
3069 return wpa_eapol_key_send(sm, &sm->ptk, ver, wpa_sm_get_auth_addr(sm),
3070 ETH_P_EAPOL, rbuf, rlen, key_mic);
3071 }
3072
3073
wpa_supplicant_process_mlo_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)3074 static void wpa_supplicant_process_mlo_1_of_2(struct wpa_sm *sm,
3075 const unsigned char *src_addr,
3076 const struct wpa_eapol_key *key,
3077 const u8 *key_data,
3078 size_t key_data_len, u16 ver)
3079 {
3080 u16 key_info;
3081 u8 i;
3082 struct wpa_eapol_ie_parse ie;
3083
3084 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
3085 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3086 "MLO RSN: Group Key Handshake started prior to completion of 4-way handshake");
3087 goto failed;
3088 }
3089
3090 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "MLO RSN: RX message 1 of Group "
3091 "Key Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr),
3092 ver);
3093
3094 key_info = WPA_GET_BE16(key->key_info);
3095
3096 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3097
3098 wpa_hexdump_key(MSG_DEBUG, "MLO RSN: msg 1/2 key data", key_data,
3099 key_data_len);
3100 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
3101 goto failed;
3102
3103 if (!ie.valid_mlo_gtks) {
3104 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3105 "MLO RSN: No MLO GTK KDE in Group Key msg 1/2");
3106 goto failed;
3107 }
3108
3109 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3110 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3111 "MLO RSN: MLO GTK KDE in unencrypted key data");
3112 goto failed;
3113 }
3114
3115 #ifdef CONFIG_OCV
3116 if (wpa_sm_ocv_enabled(sm)) {
3117 struct wpa_channel_info ci;
3118
3119 if (wpa_sm_channel_info(sm, &ci) != 0) {
3120 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3121 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
3122 goto failed;
3123 }
3124
3125 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
3126 channel_width_to_int(ci.chanwidth),
3127 ci.seg1_idx) != OCI_SUCCESS) {
3128 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
3129 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
3130 MAC2STR(sm->bssid), ocv_errorstr);
3131 goto failed;
3132 }
3133 }
3134 #endif /* CONFIG_OCV */
3135
3136 if (mlo_ieee80211w_set_keys(sm, &ie) < 0)
3137 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3138 "MLO RSN: Failed to configure MLO IGTK");
3139
3140 for_each_link(sm->mlo.valid_links, i) {
3141 /*
3142 * AP may send group keys for subset of the all links during
3143 * rekey
3144 */
3145 if (!ie.mlo_gtk[i])
3146 continue;
3147
3148 if (wpa_supplicant_mlo_gtk(sm, i, ie.mlo_gtk[i],
3149 ie.mlo_gtk_len[i], key_info))
3150 goto failed;
3151 }
3152
3153 if (wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
3154 goto failed;
3155
3156 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "MLO RSN: Group rekeying completed "
3157 "with " MACSTR " [GTK=%s]", MAC2STR(sm->mlo.ap_mld_addr),
3158 wpa_cipher_txt(sm->group_cipher));
3159 wpa_sm_cancel_auth_timeout(sm);
3160 wpa_sm_set_state(sm, WPA_COMPLETED);
3161
3162 wpa_sm_set_rekey_offload(sm);
3163
3164 return;
3165
3166 failed:
3167 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3168 }
3169
3170
wpa_supplicant_process_1_of_2_wpa(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)3171 static void wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
3172 const unsigned char *src_addr,
3173 const struct wpa_eapol_key *key,
3174 const u8 *key_data,
3175 size_t key_data_len, u16 ver)
3176 {
3177 u16 key_info;
3178 int rekey;
3179 struct wpa_gtk_data gd;
3180 const u8 *key_rsc;
3181 size_t maxkeylen;
3182 u16 gtk_len;
3183
3184 if (!sm->msg_3_of_4_ok) {
3185 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3186 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
3187 goto failed;
3188 }
3189
3190 os_memset(&gd, 0, sizeof(gd));
3191
3192 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
3193 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3194 "WPA: RX message 1 of Group Key Handshake from " MACSTR
3195 " (ver=%d)", MAC2STR(src_addr), ver);
3196
3197 key_info = WPA_GET_BE16(key->key_info);
3198
3199 gtk_len = WPA_GET_BE16(key->key_length);
3200 maxkeylen = key_data_len;
3201 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3202 if (maxkeylen < 8) {
3203 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3204 "WPA: Too short maxkeylen (%lu)",
3205 (unsigned long) maxkeylen);
3206 goto failed;
3207 }
3208 maxkeylen -= 8;
3209 }
3210
3211 if (gtk_len > maxkeylen ||
3212 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3213 gtk_len, maxkeylen,
3214 &gd.key_rsc_len, &gd.alg))
3215 goto failed;
3216
3217 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3218
3219 gd.gtk_len = gtk_len;
3220 gd.keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
3221 WPA_KEY_INFO_KEY_INDEX_SHIFT;
3222 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
3223 #if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS)
3224 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3225 "WPA: RC4 not supported in the build");
3226 goto failed;
3227 #else /* CONFIG_NO_RC4 || CONFIG_FIPS */
3228 u8 ek[32];
3229 if (key_data_len > sizeof(gd.gtk)) {
3230 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3231 "WPA: RC4 key data too long (%lu)",
3232 (unsigned long) key_data_len);
3233 goto failed;
3234 }
3235 os_memcpy(ek, key->key_iv, 16);
3236 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
3237 os_memcpy(gd.gtk, key_data, key_data_len);
3238 if (rc4_skip(ek, 32, 256, gd.gtk, key_data_len)) {
3239 forced_memzero(ek, sizeof(ek));
3240 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
3241 "WPA: RC4 failed");
3242 goto failed;
3243 }
3244 forced_memzero(ek, sizeof(ek));
3245 #endif /* CONFIG_NO_RC4 || CONFIG_FIPS */
3246 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3247 if (maxkeylen % 8) {
3248 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3249 "WPA: Unsupported AES-WRAP len %lu",
3250 (unsigned long) maxkeylen);
3251 goto failed;
3252 }
3253 if (maxkeylen > sizeof(gd.gtk)) {
3254 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3255 "WPA: AES-WRAP key data "
3256 "too long (keydatalen=%lu maxkeylen=%lu)",
3257 (unsigned long) key_data_len,
3258 (unsigned long) maxkeylen);
3259 goto failed;
3260 }
3261 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
3262 key_data, gd.gtk)) {
3263 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3264 "WPA: AES unwrap failed - could not decrypt "
3265 "GTK");
3266 goto failed;
3267 }
3268 } else {
3269 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3270 "WPA: Unsupported key_info type %d", ver);
3271 goto failed;
3272 }
3273 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
3274 sm, !!(key_info & WPA_KEY_INFO_TXRX));
3275
3276 key_rsc = key->key_rsc;
3277 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
3278 key_rsc = null_rsc;
3279
3280 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
3281 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
3282 goto failed;
3283 forced_memzero(&gd, sizeof(gd));
3284
3285 if (rekey) {
3286 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3287 "WPA: Group rekeying completed with " MACSTR
3288 " [GTK=%s]",
3289 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
3290 wpa_sm_cancel_auth_timeout(sm);
3291 wpa_sm_set_state(sm, WPA_COMPLETED);
3292 } else {
3293 wpa_supplicant_key_neg_complete(sm, sm->bssid,
3294 key_info & WPA_KEY_INFO_SECURE);
3295 }
3296
3297 wpa_sm_set_rekey_offload(sm);
3298
3299 return;
3300
3301 failed:
3302 forced_memzero(&gd, sizeof(gd));
3303 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3304 }
3305
3306
wpa_supplicant_process_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)3307 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
3308 const unsigned char *src_addr,
3309 const struct wpa_eapol_key *key,
3310 const u8 *key_data,
3311 size_t key_data_len, u16 ver)
3312 {
3313 u16 key_info;
3314 struct wpa_gtk_data gd;
3315 const u8 *key_rsc;
3316 int maxkeylen;
3317 struct wpa_eapol_ie_parse ie;
3318 u16 gtk_len;
3319
3320 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
3321 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3322 "RSN: Group Key Handshake started prior to completion of 4-way handshake");
3323 goto failed;
3324 }
3325
3326 os_memset(&gd, 0, sizeof(gd));
3327
3328 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3329 "RSN: RX message 1 of Group Key Handshake from " MACSTR
3330 " (ver=%d)", MAC2STR(src_addr), ver);
3331
3332 key_info = WPA_GET_BE16(key->key_info);
3333
3334 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
3335 key_data, key_data_len);
3336 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
3337 goto failed;
3338
3339 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3340
3341 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3342 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3343 "RSN: GTK KDE in unencrypted key data");
3344 goto failed;
3345 }
3346 if (!ie.gtk) {
3347 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3348 "RSN: No GTK KDE in Group Key msg 1/2");
3349 goto failed;
3350 }
3351 gtk_len = ie.gtk_len;
3352 if (gtk_len < 2) {
3353 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3354 "RSN: Invalid GTK KDE length (%u) in Group Key msg 1/2",
3355 gtk_len);
3356 goto failed;
3357 }
3358 gtk_len -= 2;
3359 if (gtk_len > sizeof(gd.gtk)) {
3360 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3361 "RSN: Too long GTK in GTK KDE (len=%u)", gtk_len);
3362 goto failed;
3363 }
3364 maxkeylen = gd.gtk_len = gtk_len;
3365
3366 #ifdef CONFIG_OCV
3367 if (wpa_sm_ocv_enabled(sm)) {
3368 struct wpa_channel_info ci;
3369
3370 if (wpa_sm_channel_info(sm, &ci) != 0) {
3371 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3372 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
3373 goto failed;
3374 }
3375
3376 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
3377 channel_width_to_int(ci.chanwidth),
3378 ci.seg1_idx) != OCI_SUCCESS) {
3379 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
3380 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
3381 MAC2STR(sm->bssid), ocv_errorstr);
3382 goto failed;
3383 }
3384 }
3385 #endif /* CONFIG_OCV */
3386
3387 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3388 gtk_len, maxkeylen,
3389 &gd.key_rsc_len, &gd.alg))
3390 goto failed;
3391
3392 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
3393 ie.gtk, 2 + gtk_len);
3394 gd.keyidx = ie.gtk[0] & 0x3;
3395 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
3396 !!(ie.gtk[0] & BIT(2)));
3397 os_memcpy(gd.gtk, ie.gtk + 2, gtk_len);
3398
3399 if (ieee80211w_set_keys(sm, &ie) < 0)
3400 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3401 "RSN: Failed to configure IGTK");
3402
3403 key_rsc = key->key_rsc;
3404 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
3405 key_rsc = null_rsc;
3406
3407 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
3408 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
3409 goto failed;
3410 forced_memzero(&gd, sizeof(gd));
3411
3412 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3413 "RSN: Group rekeying completed with " MACSTR " [GTK=%s]",
3414 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
3415 wpa_sm_cancel_auth_timeout(sm);
3416 wpa_sm_set_state(sm, WPA_COMPLETED);
3417
3418 wpa_sm_set_rekey_offload(sm);
3419
3420 return;
3421
3422 failed:
3423 forced_memzero(&gd, sizeof(gd));
3424 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3425 }
3426
3427
wpa_supplicant_verify_eapol_key_mic(struct wpa_sm * sm,struct wpa_eapol_key * key,u16 ver,const u8 * buf,size_t len)3428 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
3429 struct wpa_eapol_key *key,
3430 u16 ver,
3431 const u8 *buf, size_t len)
3432 {
3433 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
3434 int ok = 0;
3435 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
3436
3437 os_memcpy(mic, key + 1, mic_len);
3438 if (sm->tptk_set) {
3439 os_memset(key + 1, 0, mic_len);
3440 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
3441 sm->key_mgmt,
3442 ver, buf, len, (u8 *) (key + 1)) < 0 ||
3443 os_memcmp_const(mic, key + 1, mic_len) != 0) {
3444 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3445 "WPA: Invalid EAPOL-Key MIC "
3446 "when using TPTK - ignoring TPTK");
3447 #ifdef TEST_FUZZ
3448 wpa_printf(MSG_INFO,
3449 "TEST: Ignore Key MIC failure for fuzz testing");
3450 goto continue_fuzz;
3451 #endif /* TEST_FUZZ */
3452 } else {
3453 #ifdef TEST_FUZZ
3454 continue_fuzz:
3455 #endif /* TEST_FUZZ */
3456 ok = 1;
3457 sm->tptk_set = 0;
3458 sm->ptk_set = 1;
3459 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
3460 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3461 /*
3462 * This assures the same TPTK in sm->tptk can never be
3463 * copied twice to sm->ptk as the new PTK. In
3464 * combination with the installed flag in the wpa_ptk
3465 * struct, this assures the same PTK is only installed
3466 * once.
3467 */
3468 sm->renew_snonce = 1;
3469 }
3470 }
3471
3472 if (!ok && sm->ptk_set) {
3473 os_memset(key + 1, 0, mic_len);
3474 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
3475 sm->key_mgmt,
3476 ver, buf, len, (u8 *) (key + 1)) < 0 ||
3477 os_memcmp_const(mic, key + 1, mic_len) != 0) {
3478 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3479 "WPA: Invalid EAPOL-Key MIC - "
3480 "dropping packet");
3481 #ifdef TEST_FUZZ
3482 wpa_printf(MSG_INFO,
3483 "TEST: Ignore Key MIC failure for fuzz testing");
3484 goto continue_fuzz2;
3485 #endif /* TEST_FUZZ */
3486 return -1;
3487 }
3488 #ifdef TEST_FUZZ
3489 continue_fuzz2:
3490 #endif /* TEST_FUZZ */
3491 ok = 1;
3492 }
3493
3494 if (!ok) {
3495 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3496 "WPA: Could not verify EAPOL-Key MIC - "
3497 "dropping packet");
3498 return -1;
3499 }
3500
3501 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3502 WPA_REPLAY_COUNTER_LEN);
3503 sm->rx_replay_counter_set = 1;
3504 return 0;
3505 }
3506
3507
3508 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
wpa_supplicant_decrypt_key_data(struct wpa_sm * sm,struct wpa_eapol_key * key,size_t mic_len,u16 ver,u8 * key_data,size_t * key_data_len)3509 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
3510 struct wpa_eapol_key *key,
3511 size_t mic_len, u16 ver,
3512 u8 *key_data, size_t *key_data_len)
3513 {
3514 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
3515 key_data, *key_data_len);
3516 if (!sm->ptk_set) {
3517 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3518 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
3519 "Data");
3520 return -1;
3521 }
3522
3523 /* Decrypt key data here so that this operation does not need
3524 * to be implemented separately for each message type. */
3525 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
3526 #if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS)
3527 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3528 "WPA: RC4 not supported in the build");
3529 return -1;
3530 #else /* CONFIG_NO_RC4 || CONFIG_FIPS */
3531 u8 ek[32];
3532
3533 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
3534 os_memcpy(ek, key->key_iv, 16);
3535 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
3536 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
3537 forced_memzero(ek, sizeof(ek));
3538 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
3539 "WPA: RC4 failed");
3540 return -1;
3541 }
3542 forced_memzero(ek, sizeof(ek));
3543 #endif /* CONFIG_NO_RC4 || CONFIG_FIPS */
3544 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
3545 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
3546 wpa_use_aes_key_wrap(sm->key_mgmt)) {
3547 u8 *buf;
3548
3549 wpa_printf(MSG_DEBUG,
3550 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
3551 (unsigned int) sm->ptk.kek_len);
3552 if (*key_data_len < 8 || *key_data_len % 8) {
3553 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3554 "WPA: Unsupported AES-WRAP len %u",
3555 (unsigned int) *key_data_len);
3556 return -1;
3557 }
3558 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
3559 buf = os_malloc(*key_data_len);
3560 if (buf == NULL) {
3561 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3562 "WPA: No memory for AES-UNWRAP buffer");
3563 return -1;
3564 }
3565 #ifdef TEST_FUZZ
3566 os_memset(buf, 0x11, *key_data_len);
3567 #endif /* TEST_FUZZ */
3568 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
3569 key_data, buf)) {
3570 #ifdef TEST_FUZZ
3571 wpa_printf(MSG_INFO,
3572 "TEST: Ignore AES unwrap failure for fuzz testing");
3573 goto continue_fuzz;
3574 #endif /* TEST_FUZZ */
3575 bin_clear_free(buf, *key_data_len);
3576 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3577 "WPA: AES unwrap failed - "
3578 "could not decrypt EAPOL-Key key data");
3579 return -1;
3580 }
3581 #ifdef TEST_FUZZ
3582 continue_fuzz:
3583 #endif /* TEST_FUZZ */
3584 os_memcpy(key_data, buf, *key_data_len);
3585 bin_clear_free(buf, *key_data_len);
3586 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
3587 } else {
3588 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3589 "WPA: Unsupported key_info type %d", ver);
3590 return -1;
3591 }
3592 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
3593 key_data, *key_data_len);
3594 return 0;
3595 }
3596
3597
3598 /**
3599 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
3600 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3601 */
wpa_sm_aborted_cached(struct wpa_sm * sm)3602 void wpa_sm_aborted_cached(struct wpa_sm *sm)
3603 {
3604 if (sm && sm->cur_pmksa) {
3605 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3606 "RSN: Cancelling PMKSA caching attempt");
3607 sm->cur_pmksa = NULL;
3608 }
3609 }
3610
3611
wpa_sm_aborted_external_cached(struct wpa_sm * sm)3612 void wpa_sm_aborted_external_cached(struct wpa_sm *sm)
3613 {
3614 if (sm && sm->cur_pmksa && sm->cur_pmksa->external) {
3615 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3616 "RSN: Cancelling external PMKSA caching attempt");
3617 sm->cur_pmksa = NULL;
3618 }
3619 }
3620
3621
wpa_eapol_key_dump(struct wpa_sm * sm,const struct wpa_eapol_key * key,unsigned int key_data_len,const u8 * mic,unsigned int mic_len)3622 static void wpa_eapol_key_dump(struct wpa_sm *sm,
3623 const struct wpa_eapol_key *key,
3624 unsigned int key_data_len,
3625 const u8 *mic, unsigned int mic_len)
3626 {
3627 #ifndef CONFIG_NO_STDOUT_DEBUG
3628 u16 key_info = WPA_GET_BE16(key->key_info);
3629
3630 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
3631 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3632 " key_info 0x%x (ver=%d keyidx=%ld rsvd=%ld %s%s%s%s%s%s%s%s)",
3633 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
3634 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
3635 WPA_KEY_INFO_KEY_INDEX_SHIFT,
3636 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
3637 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
3638 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
3639 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
3640 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
3641 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
3642 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
3643 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
3644 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
3645 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3646 " key_length=%u key_data_length=%u",
3647 WPA_GET_BE16(key->key_length), key_data_len);
3648 wpa_hexdump(MSG_DEBUG, " replay_counter",
3649 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
3650 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
3651 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
3652 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
3653 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
3654 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
3655 #endif /* CONFIG_NO_STDOUT_DEBUG */
3656 }
3657
3658
3659 #ifdef CONFIG_FILS
wpa_supp_aead_decrypt(struct wpa_sm * sm,u8 * buf,size_t buf_len,size_t * key_data_len)3660 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
3661 size_t *key_data_len)
3662 {
3663 struct wpa_ptk *ptk;
3664 struct ieee802_1x_hdr *hdr;
3665 struct wpa_eapol_key *key;
3666 u8 *pos, *tmp;
3667 const u8 *aad[1];
3668 size_t aad_len[1];
3669
3670 if (*key_data_len < AES_BLOCK_SIZE) {
3671 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
3672 return -1;
3673 }
3674
3675 if (sm->tptk_set)
3676 ptk = &sm->tptk;
3677 else if (sm->ptk_set)
3678 ptk = &sm->ptk;
3679 else
3680 return -1;
3681
3682 hdr = (struct ieee802_1x_hdr *) buf;
3683 key = (struct wpa_eapol_key *) (hdr + 1);
3684 pos = (u8 *) (key + 1);
3685 pos += 2; /* Pointing at the Encrypted Key Data field */
3686
3687 tmp = os_malloc(*key_data_len);
3688 if (!tmp)
3689 return -1;
3690
3691 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
3692 * to Key Data (exclusive). */
3693 aad[0] = buf;
3694 aad_len[0] = pos - buf;
3695 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
3696 1, aad, aad_len, tmp) < 0) {
3697 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
3698 bin_clear_free(tmp, *key_data_len);
3699 return -1;
3700 }
3701
3702 /* AEAD decryption and validation completed successfully */
3703 (*key_data_len) -= AES_BLOCK_SIZE;
3704 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
3705 tmp, *key_data_len);
3706
3707 /* Replace Key Data field with the decrypted version */
3708 os_memcpy(pos, tmp, *key_data_len);
3709 pos -= 2; /* Key Data Length field */
3710 WPA_PUT_BE16(pos, *key_data_len);
3711 bin_clear_free(tmp, *key_data_len);
3712
3713 if (sm->tptk_set) {
3714 sm->tptk_set = 0;
3715 sm->ptk_set = 1;
3716 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
3717 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3718 }
3719
3720 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3721 WPA_REPLAY_COUNTER_LEN);
3722 sm->rx_replay_counter_set = 1;
3723
3724 return 0;
3725 }
3726 #endif /* CONFIG_FILS */
3727
3728
wpa_sm_rx_eapol_wpa(struct wpa_sm * sm,const u8 * src_addr,struct wpa_eapol_key * key,enum frame_encryption encrypted,const u8 * tmp,size_t data_len,u8 * key_data,size_t key_data_len)3729 static int wpa_sm_rx_eapol_wpa(struct wpa_sm *sm, const u8 *src_addr,
3730 struct wpa_eapol_key *key,
3731 enum frame_encryption encrypted,
3732 const u8 *tmp, size_t data_len,
3733 u8 *key_data, size_t key_data_len)
3734 {
3735 u16 key_info, ver;
3736
3737 key_info = WPA_GET_BE16(key->key_info);
3738
3739 if (key->type != EAPOL_KEY_TYPE_WPA) {
3740 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3741 "WPA: Unsupported EAPOL-Key type %d", key->type);
3742 return -1;
3743 }
3744
3745 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3746 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3747 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3748 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3749 "WPA: Unsupported EAPOL-Key descriptor version %d",
3750 ver);
3751 return -1;
3752 }
3753
3754 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
3755 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3756 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3757 "WPA: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2",
3758 ver);
3759 if (sm->group_cipher != WPA_CIPHER_CCMP &&
3760 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
3761 /* Earlier versions of IEEE 802.11i did not explicitly
3762 * require version 2 descriptor for all EAPOL-Key
3763 * packets, so allow group keys to use version 1 if
3764 * CCMP is not used for them. */
3765 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3766 "WPA: Backwards compatibility: allow invalid version for non-CCMP group keys");
3767 } else
3768 return -1;
3769 }
3770
3771 if ((key_info & WPA_KEY_INFO_MIC) &&
3772 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
3773 return -1;
3774
3775 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
3776 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
3777 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3778 "WPA: Ignored EAPOL-Key (Pairwise) with non-zero key index");
3779 return -1;
3780 }
3781 if (key_info & (WPA_KEY_INFO_MIC |
3782 WPA_KEY_INFO_ENCR_KEY_DATA)) {
3783 /* 3/4 4-Way Handshake */
3784 wpa_supplicant_process_3_of_4_wpa(sm, key, ver,
3785 key_data,
3786 key_data_len);
3787 } else {
3788 /* 1/4 4-Way Handshake */
3789 wpa_supplicant_process_1_of_4_wpa(sm, src_addr, key,
3790 ver, key_data,
3791 key_data_len,
3792 encrypted);
3793 }
3794 } else {
3795 if (key_info & WPA_KEY_INFO_MIC) {
3796 /* 1/2 Group Key Handshake */
3797 wpa_supplicant_process_1_of_2_wpa(sm, src_addr, key,
3798 key_data,
3799 key_data_len,
3800 ver);
3801 } else {
3802 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3803 "WPA: EAPOL-Key (Group) without Mic/Encr bit - dropped");
3804 }
3805 }
3806
3807 return 1;
3808 }
3809
3810
3811 /**
3812 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
3813 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3814 * @src_addr: Source MAC address of the EAPOL packet
3815 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
3816 * @len: Length of the EAPOL frame
3817 * @encrypted: Whether the frame was encrypted
3818 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
3819 *
3820 * This function is called for each received EAPOL frame. Other than EAPOL-Key
3821 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
3822 * only processing WPA and WPA2 EAPOL-Key frames.
3823 *
3824 * The received EAPOL-Key packets are validated and valid packets are replied
3825 * to. In addition, key material (PTK, GTK) is configured at the end of a
3826 * successful key handshake.
3827 */
wpa_sm_rx_eapol(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len,enum frame_encryption encrypted)3828 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
3829 const u8 *buf, size_t len, enum frame_encryption encrypted)
3830 {
3831 size_t plen, data_len, key_data_len;
3832 const struct ieee802_1x_hdr *hdr;
3833 struct wpa_eapol_key *key;
3834 u16 key_info, ver;
3835 u8 *tmp = NULL;
3836 int ret = -1;
3837 u8 *mic, *key_data;
3838 size_t mic_len, keyhdrlen, pmk_len;
3839
3840 #ifdef CONFIG_IEEE80211R
3841 sm->ft_completed = 0;
3842 #endif /* CONFIG_IEEE80211R */
3843
3844 pmk_len = sm->pmk_len;
3845 if (!pmk_len && sm->cur_pmksa)
3846 pmk_len = sm->cur_pmksa->pmk_len;
3847 mic_len = wpa_mic_len(sm->key_mgmt, pmk_len);
3848 keyhdrlen = sizeof(*key) + mic_len + 2;
3849
3850 if (len < sizeof(*hdr) + keyhdrlen) {
3851 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3852 "WPA: EAPOL frame too short to be a WPA "
3853 "EAPOL-Key (len %lu, expecting at least %lu)",
3854 (unsigned long) len,
3855 (unsigned long) sizeof(*hdr) + keyhdrlen);
3856 return 0;
3857 }
3858
3859 hdr = (const struct ieee802_1x_hdr *) buf;
3860 plen = be_to_host16(hdr->length);
3861 data_len = plen + sizeof(*hdr);
3862 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3863 "IEEE 802.1X RX: version=%d type=%d length=%lu",
3864 hdr->version, hdr->type, (unsigned long) plen);
3865
3866 if (hdr->version < EAPOL_VERSION) {
3867 /* TODO: backwards compatibility */
3868 }
3869 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
3870 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3871 "WPA: EAPOL frame (type %u) discarded, "
3872 "not a Key frame", hdr->type);
3873 ret = 0;
3874 goto out;
3875 }
3876 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
3877 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
3878 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3879 "WPA: EAPOL frame payload size %lu "
3880 "invalid (frame size %lu)",
3881 (unsigned long) plen, (unsigned long) len);
3882 ret = 0;
3883 goto out;
3884 }
3885 if (data_len < len) {
3886 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3887 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
3888 (unsigned long) len - data_len);
3889 }
3890
3891 /*
3892 * Make a copy of the frame since we need to modify the buffer during
3893 * MAC validation and Key Data decryption.
3894 */
3895 tmp = os_memdup(buf, data_len);
3896 if (tmp == NULL)
3897 goto out;
3898 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
3899 mic = (u8 *) (key + 1);
3900 key_data = mic + mic_len + 2;
3901
3902 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
3903 {
3904 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3905 "WPA: EAPOL-Key type (%d) unknown, discarded",
3906 key->type);
3907 ret = 0;
3908 goto out;
3909 }
3910
3911 key_data_len = WPA_GET_BE16(mic + mic_len);
3912 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
3913
3914 if (key_data_len > plen - keyhdrlen) {
3915 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
3916 "frame - key_data overflow (%u > %u)",
3917 (unsigned int) key_data_len,
3918 (unsigned int) (plen - keyhdrlen));
3919 goto out;
3920 }
3921
3922 if (sm->rx_replay_counter_set &&
3923 os_memcmp(key->replay_counter, sm->rx_replay_counter,
3924 WPA_REPLAY_COUNTER_LEN) <= 0) {
3925 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3926 "WPA: EAPOL-Key Replay Counter did not increase - dropping packet");
3927 goto out;
3928 }
3929
3930 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
3931
3932 key_info = WPA_GET_BE16(key->key_info);
3933
3934 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
3935 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3936 "WPA: Unsupported SMK bit in key_info");
3937 goto out;
3938 }
3939
3940 if (!(key_info & WPA_KEY_INFO_ACK)) {
3941 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3942 "WPA: No Ack bit in key_info");
3943 goto out;
3944 }
3945
3946 if (key_info & WPA_KEY_INFO_REQUEST) {
3947 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3948 "WPA: EAPOL-Key with Request bit - dropped");
3949 goto out;
3950 }
3951
3952 if (sm->proto == WPA_PROTO_WPA) {
3953 ret = wpa_sm_rx_eapol_wpa(sm, src_addr, key, encrypted,
3954 tmp, data_len,
3955 key_data, key_data_len);
3956 goto out;
3957 }
3958
3959 if (key->type != EAPOL_KEY_TYPE_RSN) {
3960 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3961 "RSN: Unsupported EAPOL-Key type %d", key->type);
3962 goto out;
3963 }
3964
3965 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3966 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3967 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
3968 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
3969 !wpa_use_akm_defined(sm->key_mgmt)) {
3970 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3971 "RSN: Unsupported EAPOL-Key descriptor version %d",
3972 ver);
3973 goto out;
3974 }
3975
3976 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3977 sm->pairwise_cipher != WPA_CIPHER_TKIP) {
3978 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3979 "RSN: EAPOL-Key descriptor version %d not allowed without TKIP as the pairwise cipher",
3980 ver);
3981 goto out;
3982 }
3983
3984 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
3985 (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X &&
3986 sm->key_mgmt != WPA_KEY_MGMT_PSK)) {
3987 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3988 "RSN: EAPOL-Key descriptor version %d not allowed due to negotiated AKM (0x%x)",
3989 ver, sm->key_mgmt);
3990 goto out;
3991 }
3992
3993 if (wpa_use_akm_defined(sm->key_mgmt) &&
3994 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
3995 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3996 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
3997 ver);
3998 goto out;
3999 }
4000
4001 #ifdef CONFIG_IEEE80211R
4002 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
4003 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
4004 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
4005 !wpa_use_akm_defined(sm->key_mgmt)) {
4006 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4007 "FT: AP did not use AES-128-CMAC");
4008 goto out;
4009 }
4010 } else
4011 #endif /* CONFIG_IEEE80211R */
4012 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
4013 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
4014 !wpa_use_akm_defined(sm->key_mgmt)) {
4015 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4016 "RSN: AP did not use the negotiated AES-128-CMAC");
4017 goto out;
4018 }
4019 } else if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
4020 !wpa_use_akm_defined(sm->key_mgmt) &&
4021 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
4022 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4023 "RSN: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2", ver);
4024 if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
4025 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4026 "RSN: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
4027 } else {
4028 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4029 "RSN: Unexpected descriptor version %u", ver);
4030 goto out;
4031 }
4032 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
4033 !wpa_use_akm_defined(sm->key_mgmt) &&
4034 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
4035 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4036 "RSN: GCMP is used, but EAPOL-Key descriptor version (%d) is not 2",
4037 ver);
4038 goto out;
4039 }
4040
4041 if ((key_info & WPA_KEY_INFO_MIC) &&
4042 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
4043 goto out;
4044
4045 #ifdef CONFIG_FILS
4046 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
4047 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
4048 goto out;
4049 }
4050 #endif /* CONFIG_FILS */
4051
4052 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
4053 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
4054 /*
4055 * Only decrypt the Key Data field if the frame's authenticity
4056 * was verified. When using AES-SIV (FILS), the MIC flag is not
4057 * set, so this check should only be performed if mic_len != 0
4058 * which is the case in this code branch.
4059 */
4060 if (!(key_info & WPA_KEY_INFO_MIC)) {
4061 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4062 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
4063 goto out;
4064 }
4065 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
4066 ver, key_data,
4067 &key_data_len))
4068 goto out;
4069 }
4070
4071 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
4072 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
4073 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4074 "RSN: Ignored EAPOL-Key (Pairwise) with non-zero key index");
4075 goto out;
4076 }
4077 if (key_info & (WPA_KEY_INFO_MIC |
4078 WPA_KEY_INFO_ENCR_KEY_DATA)) {
4079 /* 3/4 4-Way Handshake */
4080 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
4081 key_data_len);
4082 } else {
4083 /* 1/4 4-Way Handshake */
4084 wpa_supplicant_process_1_of_4(sm, src_addr, key,
4085 ver, key_data,
4086 key_data_len,
4087 encrypted);
4088 }
4089 } else {
4090 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
4091 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
4092 /* 1/2 Group Key Handshake */
4093 if (sm->mlo.valid_links)
4094 wpa_supplicant_process_mlo_1_of_2(sm, src_addr,
4095 key, key_data,
4096 key_data_len,
4097 ver);
4098 else
4099 wpa_supplicant_process_1_of_2(sm, src_addr, key,
4100 key_data,
4101 key_data_len,
4102 ver);
4103 } else {
4104 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4105 "RSN: EAPOL-Key (Group) without Mic/Encr bit - dropped");
4106 }
4107 }
4108
4109 ret = 1;
4110
4111 out:
4112 bin_clear_free(tmp, data_len);
4113 return ret;
4114 }
4115
4116
4117 #ifdef CONFIG_CTRL_IFACE
wpa_key_mgmt_suite(struct wpa_sm * sm)4118 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
4119 {
4120 switch (sm->key_mgmt) {
4121 case WPA_KEY_MGMT_IEEE8021X:
4122 return ((sm->proto == WPA_PROTO_RSN ||
4123 sm->proto == WPA_PROTO_OSEN) ?
4124 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
4125 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
4126 case WPA_KEY_MGMT_PSK:
4127 return (sm->proto == WPA_PROTO_RSN ?
4128 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
4129 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
4130 #ifdef CONFIG_IEEE80211R
4131 case WPA_KEY_MGMT_FT_IEEE8021X:
4132 return RSN_AUTH_KEY_MGMT_FT_802_1X;
4133 case WPA_KEY_MGMT_FT_PSK:
4134 return RSN_AUTH_KEY_MGMT_FT_PSK;
4135 #endif /* CONFIG_IEEE80211R */
4136 case WPA_KEY_MGMT_IEEE8021X_SHA256:
4137 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
4138 case WPA_KEY_MGMT_PSK_SHA256:
4139 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
4140 case WPA_KEY_MGMT_CCKM:
4141 return (sm->proto == WPA_PROTO_RSN ?
4142 RSN_AUTH_KEY_MGMT_CCKM:
4143 WPA_AUTH_KEY_MGMT_CCKM);
4144 case WPA_KEY_MGMT_WPA_NONE:
4145 return WPA_AUTH_KEY_MGMT_NONE;
4146 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
4147 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
4148 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
4149 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
4150 case WPA_KEY_MGMT_IEEE8021X_SHA384:
4151 return RSN_AUTH_KEY_MGMT_802_1X_SHA384;
4152 default:
4153 return 0;
4154 }
4155 }
4156
4157
4158 #define RSN_SUITE "%02x-%02x-%02x-%d"
4159 #define RSN_SUITE_ARG(s) \
4160 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
4161
4162 /**
4163 * wpa_sm_get_mib - Dump text list of MIB entries
4164 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4165 * @buf: Buffer for the list
4166 * @buflen: Length of the buffer
4167 * Returns: Number of bytes written to buffer
4168 *
4169 * This function is used fetch dot11 MIB variables.
4170 */
wpa_sm_get_mib(struct wpa_sm * sm,char * buf,size_t buflen)4171 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
4172 {
4173 char pmkid_txt[PMKID_LEN * 2 + 1];
4174 bool rsna;
4175 int ret;
4176 size_t len;
4177
4178 if (sm->cur_pmksa) {
4179 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
4180 sm->cur_pmksa->pmkid, PMKID_LEN);
4181 } else
4182 pmkid_txt[0] = '\0';
4183
4184 rsna = (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
4185 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
4186 sm->proto == WPA_PROTO_RSN;
4187
4188 ret = os_snprintf(buf, buflen,
4189 "dot11RSNAOptionImplemented=TRUE\n"
4190 "dot11RSNAPreauthenticationImplemented=TRUE\n"
4191 "dot11RSNAEnabled=%s\n"
4192 "dot11RSNAPreauthenticationEnabled=%s\n"
4193 "dot11RSNAConfigVersion=%d\n"
4194 "dot11RSNAConfigPairwiseKeysSupported=5\n"
4195 "dot11RSNAConfigGroupCipherSize=%d\n"
4196 "dot11RSNAConfigPMKLifetime=%d\n"
4197 "dot11RSNAConfigPMKReauthThreshold=%d\n"
4198 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
4199 "dot11RSNAConfigSATimeout=%d\n",
4200 rsna ? "TRUE" : "FALSE",
4201 rsna ? "TRUE" : "FALSE",
4202 RSN_VERSION,
4203 wpa_cipher_key_len(sm->group_cipher) * 8,
4204 sm->dot11RSNAConfigPMKLifetime,
4205 sm->dot11RSNAConfigPMKReauthThreshold,
4206 sm->dot11RSNAConfigSATimeout);
4207 if (os_snprintf_error(buflen, ret))
4208 return 0;
4209 len = ret;
4210
4211 ret = os_snprintf(
4212 buf + len, buflen - len,
4213 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
4214 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
4215 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
4216 "dot11RSNAPMKIDUsed=%s\n"
4217 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
4218 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
4219 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
4220 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
4221 "dot11RSNA4WayHandshakeFailures=%u\n",
4222 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
4223 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4224 sm->pairwise_cipher)),
4225 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4226 sm->group_cipher)),
4227 pmkid_txt,
4228 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
4229 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4230 sm->pairwise_cipher)),
4231 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4232 sm->group_cipher)),
4233 sm->dot11RSNA4WayHandshakeFailures);
4234 if (!os_snprintf_error(buflen - len, ret))
4235 len += ret;
4236
4237 return (int) len;
4238 }
4239 #endif /* CONFIG_CTRL_IFACE */
4240
4241
wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx,enum pmksa_free_reason reason)4242 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
4243 void *ctx, enum pmksa_free_reason reason)
4244 {
4245 struct wpa_sm *sm = ctx;
4246 int deauth = 0;
4247
4248 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
4249 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
4250
4251 if (sm->cur_pmksa == entry) {
4252 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4253 "RSN: %s current PMKSA entry",
4254 reason == PMKSA_REPLACE ? "replaced" : "removed");
4255 pmksa_cache_clear_current(sm);
4256
4257 /*
4258 * If an entry is simply being replaced, there's no need to
4259 * deauthenticate because it will be immediately re-added.
4260 * This happens when EAP authentication is completed again
4261 * (reauth or failed PMKSA caching attempt).
4262 */
4263 if (reason != PMKSA_REPLACE)
4264 deauth = 1;
4265 }
4266
4267 if (reason == PMKSA_EXPIRE &&
4268 (sm->pmk_len == entry->pmk_len &&
4269 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
4270 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4271 "RSN: deauthenticating due to expired PMK");
4272 pmksa_cache_clear_current(sm);
4273 deauth = 1;
4274 }
4275
4276 if (deauth) {
4277 sm->pmk_len = 0;
4278 os_memset(sm->pmk, 0, sizeof(sm->pmk));
4279 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
4280 }
4281 }
4282
4283
wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)4284 static bool wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry *entry,
4285 void *ctx)
4286 {
4287 struct wpa_sm *sm = ctx;
4288
4289 return sm->cur_pmksa == entry;
4290 }
4291
4292
wpa_sm_pmksa_notify_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)4293 static void wpa_sm_pmksa_notify_cb(struct rsn_pmksa_cache_entry *entry,
4294 void *ctx)
4295 {
4296 struct wpa_sm *sm = ctx;
4297
4298 wpa_sm_notify_pmksa_cache_entry(sm, entry);
4299 }
4300
4301
4302 /**
4303 * wpa_sm_init - Initialize WPA state machine
4304 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
4305 * Returns: Pointer to the allocated WPA state machine data
4306 *
4307 * This function is used to allocate a new WPA state machine and the returned
4308 * value is passed to all WPA state machine calls.
4309 */
wpa_sm_init(struct wpa_sm_ctx * ctx)4310 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
4311 {
4312 struct wpa_sm *sm;
4313
4314 sm = os_zalloc(sizeof(*sm));
4315 if (sm == NULL)
4316 return NULL;
4317 dl_list_init(&sm->pmksa_candidates);
4318 sm->renew_snonce = 1;
4319 sm->ctx = ctx;
4320
4321 sm->dot11RSNAConfigPMKLifetime = 43200;
4322 sm->dot11RSNAConfigPMKReauthThreshold = 70;
4323 sm->dot11RSNAConfigSATimeout = 60;
4324
4325 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb,
4326 wpa_sm_pmksa_is_current_cb,
4327 wpa_sm_pmksa_notify_cb, sm, sm);
4328 if (sm->pmksa == NULL) {
4329 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
4330 "RSN: PMKSA cache initialization failed");
4331 os_free(sm);
4332 return NULL;
4333 }
4334
4335 return sm;
4336 }
4337
4338
4339 /**
4340 * wpa_sm_deinit - Deinitialize WPA state machine
4341 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4342 */
wpa_sm_deinit(struct wpa_sm * sm)4343 void wpa_sm_deinit(struct wpa_sm *sm)
4344 {
4345 int i;
4346
4347 if (sm == NULL)
4348 return;
4349 pmksa_cache_deinit(sm->pmksa);
4350 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
4351 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
4352 os_free(sm->assoc_wpa_ie);
4353 os_free(sm->assoc_rsnxe);
4354 os_free(sm->ap_wpa_ie);
4355 os_free(sm->ap_rsn_ie);
4356 os_free(sm->ap_rsnxe);
4357 os_free(sm->ap_rsne_override);
4358 os_free(sm->ap_rsne_override_2);
4359 os_free(sm->ap_rsnxe_override);
4360 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4361 os_free(sm->mlo.links[i].ap_rsne);
4362 os_free(sm->mlo.links[i].ap_rsnxe);
4363 os_free(sm->mlo.links[i].ap_rsnoe);
4364 os_free(sm->mlo.links[i].ap_rsno2e);
4365 os_free(sm->mlo.links[i].ap_rsnxoe);
4366 }
4367 wpa_sm_drop_sa(sm);
4368 os_free(sm->ctx);
4369 #ifdef CONFIG_IEEE80211R
4370 os_free(sm->assoc_resp_ies);
4371 #endif /* CONFIG_IEEE80211R */
4372 #ifdef CONFIG_TESTING_OPTIONS
4373 wpabuf_free(sm->test_assoc_ie);
4374 wpabuf_free(sm->test_eapol_m2_elems);
4375 wpabuf_free(sm->test_eapol_m4_elems);
4376 #endif /* CONFIG_TESTING_OPTIONS */
4377 #ifdef CONFIG_FILS_SK_PFS
4378 crypto_ecdh_deinit(sm->fils_ecdh);
4379 #endif /* CONFIG_FILS_SK_PFS */
4380 #ifdef CONFIG_FILS
4381 wpabuf_free(sm->fils_ft_ies);
4382 #endif /* CONFIG_FILS */
4383 #ifdef CONFIG_OWE
4384 crypto_ecdh_deinit(sm->owe_ecdh);
4385 #endif /* CONFIG_OWE */
4386 #ifdef CONFIG_DPP2
4387 wpabuf_clear_free(sm->dpp_z);
4388 #endif /* CONFIG_DPP2 */
4389 os_free(sm);
4390 }
4391
4392
wpa_sm_clear_ptk(struct wpa_sm * sm)4393 static void wpa_sm_clear_ptk(struct wpa_sm *sm)
4394 {
4395 int i;
4396
4397 sm->ptk_set = 0;
4398 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
4399 sm->tptk_set = 0;
4400 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
4401 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
4402 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
4403 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
4404 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
4405 os_memset(&sm->bigtk, 0, sizeof(sm->bigtk));
4406 os_memset(&sm->bigtk_wnm_sleep, 0, sizeof(sm->bigtk_wnm_sleep));
4407 sm->tk_set = false;
4408 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4409 os_memset(&sm->mlo.links[i].gtk, 0,
4410 sizeof(sm->mlo.links[i].gtk));
4411 os_memset(&sm->mlo.links[i].gtk_wnm_sleep, 0,
4412 sizeof(sm->mlo.links[i].gtk_wnm_sleep));
4413 os_memset(&sm->mlo.links[i].igtk, 0,
4414 sizeof(sm->mlo.links[i].igtk));
4415 os_memset(&sm->mlo.links[i].igtk_wnm_sleep, 0,
4416 sizeof(sm->mlo.links[i].igtk_wnm_sleep));
4417 os_memset(&sm->mlo.links[i].bigtk, 0,
4418 sizeof(sm->mlo.links[i].bigtk));
4419 os_memset(&sm->mlo.links[i].bigtk_wnm_sleep, 0,
4420 sizeof(sm->mlo.links[i].bigtk_wnm_sleep));
4421 }
4422 }
4423
4424
4425 /**
4426 * wpa_sm_notify_assoc - Notify WPA state machine about association
4427 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4428 * @bssid: The BSSID of the new association
4429 *
4430 * This function is called to let WPA state machine know that the connection
4431 * was established.
4432 */
wpa_sm_notify_assoc(struct wpa_sm * sm,const u8 * bssid)4433 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
4434 {
4435 int clear_keys = 1;
4436
4437 if (sm == NULL)
4438 return;
4439
4440 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4441 "WPA: Association event - clear replay counter");
4442 os_memcpy(sm->bssid, bssid, ETH_ALEN);
4443 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
4444 sm->rx_replay_counter_set = 0;
4445 sm->renew_snonce = 1;
4446 if (ether_addr_equal(sm->preauth_bssid, bssid))
4447 rsn_preauth_deinit(sm);
4448
4449 #ifdef CONFIG_IEEE80211R
4450 if (wpa_ft_is_completed(sm)) {
4451 /*
4452 * Clear portValid to kick EAPOL state machine to re-enter
4453 * AUTHENTICATED state to get the EAPOL port Authorized.
4454 */
4455 eapol_sm_notify_portValid(sm->eapol, false);
4456 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
4457
4458 /* Prepare for the next transition */
4459 wpa_ft_prepare_auth_request(sm, NULL);
4460
4461 clear_keys = 0;
4462 sm->ft_protocol = 1;
4463 } else {
4464 sm->ft_protocol = 0;
4465 }
4466 #endif /* CONFIG_IEEE80211R */
4467 #ifdef CONFIG_FILS
4468 if (sm->fils_completed) {
4469 /*
4470 * Clear portValid to kick EAPOL state machine to re-enter
4471 * AUTHENTICATED state to get the EAPOL port Authorized.
4472 */
4473 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
4474 clear_keys = 0;
4475 }
4476 #endif /* CONFIG_FILS */
4477
4478 if (clear_keys) {
4479 /*
4480 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
4481 * this is not part of a Fast BSS Transition.
4482 */
4483 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
4484 wpa_sm_clear_ptk(sm);
4485 }
4486
4487 #ifdef CONFIG_TDLS
4488 wpa_tdls_assoc(sm);
4489 #endif /* CONFIG_TDLS */
4490
4491 #ifdef CONFIG_P2P
4492 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
4493 #endif /* CONFIG_P2P */
4494
4495 sm->keyidx_active = 0;
4496 }
4497
4498
4499 /**
4500 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
4501 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4502 *
4503 * This function is called to let WPA state machine know that the connection
4504 * was lost. This will abort any existing pre-authentication session.
4505 */
wpa_sm_notify_disassoc(struct wpa_sm * sm)4506 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
4507 {
4508 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
4509 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
4510 rsn_preauth_deinit(sm);
4511 pmksa_cache_clear_current(sm);
4512 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
4513 sm->dot11RSNA4WayHandshakeFailures++;
4514 #ifdef CONFIG_TDLS
4515 wpa_tdls_disassoc(sm);
4516 #endif /* CONFIG_TDLS */
4517 #ifdef CONFIG_FILS
4518 sm->fils_completed = 0;
4519 #endif /* CONFIG_FILS */
4520 #ifdef CONFIG_IEEE80211R
4521 sm->ft_reassoc_completed = 0;
4522 sm->ft_protocol = 0;
4523 #endif /* CONFIG_IEEE80211R */
4524
4525 /* Keys are not needed in the WPA state machine anymore */
4526 wpa_sm_drop_sa(sm);
4527 sm->keyidx_active = 0;
4528
4529 sm->msg_3_of_4_ok = 0;
4530 os_memset(sm->bssid, 0, ETH_ALEN);
4531 }
4532
4533
4534 /**
4535 * wpa_sm_set_pmk - Set PMK
4536 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4537 * @pmk: The new PMK
4538 * @pmk_len: The length of the new PMK in bytes
4539 * @pmkid: Calculated PMKID
4540 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
4541 *
4542 * Configure the PMK for WPA state machine.
4543 */
wpa_sm_set_pmk(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid)4544 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
4545 const u8 *pmkid, const u8 *bssid)
4546 {
4547 if (sm == NULL)
4548 return;
4549
4550 wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data",
4551 pmk, pmk_len);
4552 sm->pmk_len = pmk_len;
4553 os_memcpy(sm->pmk, pmk, pmk_len);
4554
4555 #ifdef CONFIG_IEEE80211R
4556 /* Set XXKey to be PSK for FT key derivation */
4557 sm->xxkey_len = pmk_len;
4558 os_memcpy(sm->xxkey, pmk, pmk_len);
4559 #endif /* CONFIG_IEEE80211R */
4560
4561 if (bssid) {
4562 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len,
4563 pmkid, NULL, 0, bssid,
4564 sm->own_addr,
4565 sm->network_ctx, sm->key_mgmt,
4566 NULL);
4567 }
4568 }
4569
4570
4571 /**
4572 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
4573 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4574 *
4575 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
4576 * will be cleared.
4577 */
wpa_sm_set_pmk_from_pmksa(struct wpa_sm * sm)4578 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
4579 {
4580 if (sm == NULL)
4581 return;
4582
4583 if (sm->cur_pmksa) {
4584 wpa_hexdump_key(MSG_DEBUG,
4585 "WPA: Set PMK based on current PMKSA",
4586 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len);
4587 sm->pmk_len = sm->cur_pmksa->pmk_len;
4588 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
4589 } else {
4590 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK");
4591 sm->pmk_len = 0;
4592 os_memset(sm->pmk, 0, PMK_LEN_MAX);
4593 }
4594 }
4595
4596
4597 /**
4598 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
4599 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4600 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
4601 */
wpa_sm_set_fast_reauth(struct wpa_sm * sm,int fast_reauth)4602 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
4603 {
4604 if (sm)
4605 sm->fast_reauth = fast_reauth;
4606 }
4607
4608
4609 /**
4610 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
4611 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4612 * @scard_ctx: Context pointer for smartcard related callback functions
4613 */
wpa_sm_set_scard_ctx(struct wpa_sm * sm,void * scard_ctx)4614 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
4615 {
4616 if (sm == NULL)
4617 return;
4618 sm->scard_ctx = scard_ctx;
4619 if (sm->preauth_eapol)
4620 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
4621 }
4622
4623
4624 /**
4625 * wpa_sm_set_config - Notification of current configuration change
4626 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4627 * @config: Pointer to current network configuration
4628 *
4629 * Notify WPA state machine that configuration has changed. config will be
4630 * stored as a backpointer to network configuration. This can be %NULL to clear
4631 * the stored pointed.
4632 */
wpa_sm_set_config(struct wpa_sm * sm,struct rsn_supp_config * config)4633 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
4634 {
4635 if (!sm)
4636 return;
4637
4638 if (config) {
4639 sm->network_ctx = config->network_ctx;
4640 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
4641 sm->proactive_key_caching = config->proactive_key_caching;
4642 sm->eap_workaround = config->eap_workaround;
4643 sm->eap_conf_ctx = config->eap_conf_ctx;
4644 if (config->ssid) {
4645 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
4646 sm->ssid_len = config->ssid_len;
4647 } else
4648 sm->ssid_len = 0;
4649 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
4650 sm->p2p = config->p2p;
4651 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
4652 sm->owe_ptk_workaround = config->owe_ptk_workaround;
4653 sm->force_kdk_derivation = config->force_kdk_derivation;
4654 #ifdef CONFIG_FILS
4655 if (config->fils_cache_id) {
4656 sm->fils_cache_id_set = 1;
4657 os_memcpy(sm->fils_cache_id, config->fils_cache_id,
4658 FILS_CACHE_ID_LEN);
4659 } else {
4660 sm->fils_cache_id_set = 0;
4661 }
4662 #endif /* CONFIG_FILS */
4663 sm->beacon_prot = config->beacon_prot;
4664 } else {
4665 sm->network_ctx = NULL;
4666 sm->allowed_pairwise_cipher = 0;
4667 sm->proactive_key_caching = 0;
4668 sm->eap_workaround = 0;
4669 sm->eap_conf_ctx = NULL;
4670 sm->ssid_len = 0;
4671 sm->wpa_ptk_rekey = 0;
4672 sm->p2p = 0;
4673 sm->wpa_rsc_relaxation = 0;
4674 sm->owe_ptk_workaround = 0;
4675 sm->beacon_prot = 0;
4676 sm->force_kdk_derivation = false;
4677 }
4678 }
4679
4680
wpa_sm_set_ssid(struct wpa_sm * sm,const u8 * ssid,size_t ssid_len)4681 void wpa_sm_set_ssid(struct wpa_sm *sm, const u8 *ssid, size_t ssid_len)
4682 {
4683 if (!sm)
4684 return;
4685
4686 if (ssid) {
4687 os_memcpy(sm->ssid, ssid, ssid_len);
4688 sm->ssid_len = ssid_len;
4689 } else {
4690 sm->ssid_len = 0;
4691 }
4692 }
4693
4694
wpa_sm_set_mlo_params(struct wpa_sm * sm,const struct wpa_sm_mlo * mlo)4695 int wpa_sm_set_mlo_params(struct wpa_sm *sm, const struct wpa_sm_mlo *mlo)
4696 {
4697 int i;
4698
4699 if (!sm)
4700 return -1;
4701
4702 os_memcpy(sm->mlo.ap_mld_addr, mlo->ap_mld_addr, ETH_ALEN);
4703 sm->mlo.assoc_link_id = mlo->assoc_link_id;
4704 sm->mlo.valid_links = mlo->valid_links;
4705 sm->mlo.req_links = mlo->req_links;
4706
4707 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4708 const u8 *ie;
4709 size_t len;
4710
4711 if (sm->mlo.req_links & BIT(i)) {
4712 if (!mlo->links[i].ap_rsne ||
4713 mlo->links[i].ap_rsne_len == 0) {
4714 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO,
4715 "RSN: No RSNE for AP MLO link %d with BSSID "
4716 MACSTR,
4717 i, MAC2STR(mlo->links[i].bssid));
4718 return -1;
4719
4720 }
4721 os_memcpy(sm->mlo.links[i].addr, mlo->links[i].addr,
4722 ETH_ALEN);
4723 os_memcpy(sm->mlo.links[i].bssid, mlo->links[i].bssid,
4724 ETH_ALEN);
4725 }
4726
4727 ie = mlo->links[i].ap_rsne;
4728 len = mlo->links[i].ap_rsne_len;
4729 os_free(sm->mlo.links[i].ap_rsne);
4730 if (!ie || len == 0) {
4731 if (sm->mlo.links[i].ap_rsne)
4732 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4733 "RSN: Clearing MLO link[%u] AP RSNE",
4734 i);
4735 sm->mlo.links[i].ap_rsne = NULL;
4736 sm->mlo.links[i].ap_rsne_len = 0;
4737 } else {
4738 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNE",
4739 ie, len);
4740 sm->mlo.links[i].ap_rsne = os_memdup(ie, len);
4741 if (!sm->mlo.links[i].ap_rsne) {
4742 sm->mlo.links[i].ap_rsne_len = 0;
4743 return -1;
4744 }
4745 sm->mlo.links[i].ap_rsne_len = len;
4746 }
4747
4748 ie = mlo->links[i].ap_rsnxe;
4749 len = mlo->links[i].ap_rsnxe_len;
4750 os_free(sm->mlo.links[i].ap_rsnxe);
4751 if (!ie || len == 0) {
4752 if (sm->mlo.links[i].ap_rsnxe)
4753 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4754 "RSN: Clearing MLO link[%u] AP RSNXE",
4755 i);
4756 sm->mlo.links[i].ap_rsnxe = NULL;
4757 sm->mlo.links[i].ap_rsnxe_len = 0;
4758 } else {
4759 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNXE", ie,
4760 len);
4761 sm->mlo.links[i].ap_rsnxe = os_memdup(ie, len);
4762 if (!sm->mlo.links[i].ap_rsnxe) {
4763 sm->mlo.links[i].ap_rsnxe_len = 0;
4764 return -1;
4765 }
4766 sm->mlo.links[i].ap_rsnxe_len = len;
4767 }
4768
4769 ie = mlo->links[i].ap_rsnoe;
4770 len = mlo->links[i].ap_rsnoe_len;
4771 os_free(sm->mlo.links[i].ap_rsnoe);
4772 if (!ie || len == 0) {
4773 if (sm->mlo.links[i].ap_rsnoe)
4774 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4775 "RSN: Clearing MLO link[%u] AP RSNOE",
4776 i);
4777 sm->mlo.links[i].ap_rsnoe = NULL;
4778 sm->mlo.links[i].ap_rsnoe_len = 0;
4779 } else {
4780 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNOE",
4781 ie, len);
4782 sm->mlo.links[i].ap_rsnoe = os_memdup(ie, len);
4783 if (!sm->mlo.links[i].ap_rsnoe) {
4784 sm->mlo.links[i].ap_rsnoe_len = 0;
4785 return -1;
4786 }
4787 sm->mlo.links[i].ap_rsnoe_len = len;
4788 }
4789
4790 ie = mlo->links[i].ap_rsno2e;
4791 len = mlo->links[i].ap_rsno2e_len;
4792 os_free(sm->mlo.links[i].ap_rsno2e);
4793 if (!ie || len == 0) {
4794 if (sm->mlo.links[i].ap_rsno2e)
4795 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4796 "RSN: Clearing MLO link[%u] AP RSNO2E",
4797 i);
4798 sm->mlo.links[i].ap_rsno2e = NULL;
4799 sm->mlo.links[i].ap_rsno2e_len = 0;
4800 } else {
4801 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNO2E",
4802 ie, len);
4803 sm->mlo.links[i].ap_rsno2e = os_memdup(ie, len);
4804 if (!sm->mlo.links[i].ap_rsno2e) {
4805 sm->mlo.links[i].ap_rsno2e_len = 0;
4806 return -1;
4807 }
4808 sm->mlo.links[i].ap_rsno2e_len = len;
4809 }
4810
4811 ie = mlo->links[i].ap_rsnxoe;
4812 len = mlo->links[i].ap_rsnxoe_len;
4813 os_free(sm->mlo.links[i].ap_rsnxoe);
4814 if (!ie || len == 0) {
4815 if (sm->mlo.links[i].ap_rsnxoe)
4816 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4817 "RSN: Clearing MLO link[%u] AP RSNXOE",
4818 i);
4819 sm->mlo.links[i].ap_rsnxoe = NULL;
4820 sm->mlo.links[i].ap_rsnxoe_len = 0;
4821 } else {
4822 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNXOE",
4823 ie, len);
4824 sm->mlo.links[i].ap_rsnxoe = os_memdup(ie, len);
4825 if (!sm->mlo.links[i].ap_rsnxoe) {
4826 sm->mlo.links[i].ap_rsnxoe_len = 0;
4827 return -1;
4828 }
4829 sm->mlo.links[i].ap_rsnxoe_len = len;
4830 }
4831 }
4832
4833 return 0;
4834 }
4835
4836
4837 /**
4838 * wpa_sm_set_own_addr - Set own MAC address
4839 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4840 * @addr: Own MAC address
4841 */
wpa_sm_set_own_addr(struct wpa_sm * sm,const u8 * addr)4842 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
4843 {
4844 if (sm)
4845 os_memcpy(sm->own_addr, addr, ETH_ALEN);
4846 }
4847
4848
4849 /**
4850 * wpa_sm_set_ifname - Set network interface name
4851 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4852 * @ifname: Interface name
4853 * @bridge_ifname: Optional bridge interface name (for pre-auth)
4854 */
wpa_sm_set_ifname(struct wpa_sm * sm,const char * ifname,const char * bridge_ifname)4855 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
4856 const char *bridge_ifname)
4857 {
4858 if (sm) {
4859 sm->ifname = ifname;
4860 sm->bridge_ifname = bridge_ifname;
4861 }
4862 }
4863
4864
4865 /**
4866 * wpa_sm_set_eapol - Set EAPOL state machine pointer
4867 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4868 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
4869 */
wpa_sm_set_eapol(struct wpa_sm * sm,struct eapol_sm * eapol)4870 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
4871 {
4872 if (sm)
4873 sm->eapol = eapol;
4874 }
4875
4876
4877 /**
4878 * wpa_sm_set_param - Set WPA state machine parameters
4879 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4880 * @param: Parameter field
4881 * @value: Parameter value
4882 * Returns: 0 on success, -1 on failure
4883 */
wpa_sm_set_param(struct wpa_sm * sm,enum wpa_sm_conf_params param,unsigned int value)4884 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
4885 unsigned int value)
4886 {
4887 int ret = 0;
4888
4889 if (sm == NULL)
4890 return -1;
4891
4892 switch (param) {
4893 case RSNA_PMK_LIFETIME:
4894 if (value > 0)
4895 sm->dot11RSNAConfigPMKLifetime = value;
4896 else
4897 ret = -1;
4898 break;
4899 case RSNA_PMK_REAUTH_THRESHOLD:
4900 if (value > 0 && value <= 100)
4901 sm->dot11RSNAConfigPMKReauthThreshold = value;
4902 else
4903 ret = -1;
4904 break;
4905 case RSNA_SA_TIMEOUT:
4906 if (value > 0)
4907 sm->dot11RSNAConfigSATimeout = value;
4908 else
4909 ret = -1;
4910 break;
4911 case WPA_PARAM_PROTO:
4912 sm->proto = value;
4913 break;
4914 case WPA_PARAM_PAIRWISE:
4915 sm->pairwise_cipher = value;
4916 break;
4917 case WPA_PARAM_GROUP:
4918 sm->group_cipher = value;
4919 break;
4920 case WPA_PARAM_KEY_MGMT:
4921 sm->key_mgmt = value;
4922 break;
4923 case WPA_PARAM_MGMT_GROUP:
4924 sm->mgmt_group_cipher = value;
4925 break;
4926 case WPA_PARAM_RSN_ENABLED:
4927 sm->rsn_enabled = value;
4928 break;
4929 case WPA_PARAM_MFP:
4930 sm->mfp = value;
4931 break;
4932 case WPA_PARAM_OCV:
4933 sm->ocv = value;
4934 break;
4935 case WPA_PARAM_SAE_PWE:
4936 sm->sae_pwe = value;
4937 break;
4938 case WPA_PARAM_SAE_PK:
4939 sm->sae_pk = value;
4940 break;
4941 case WPA_PARAM_DENY_PTK0_REKEY:
4942 sm->wpa_deny_ptk0_rekey = value;
4943 break;
4944 case WPA_PARAM_EXT_KEY_ID:
4945 sm->ext_key_id = value;
4946 break;
4947 case WPA_PARAM_USE_EXT_KEY_ID:
4948 sm->use_ext_key_id = value;
4949 break;
4950 #ifdef CONFIG_TESTING_OPTIONS
4951 case WPA_PARAM_FT_RSNXE_USED:
4952 sm->ft_rsnxe_used = value;
4953 break;
4954 case WPA_PARAM_OCI_FREQ_EAPOL:
4955 sm->oci_freq_override_eapol = value;
4956 break;
4957 case WPA_PARAM_OCI_FREQ_EAPOL_G2:
4958 sm->oci_freq_override_eapol_g2 = value;
4959 break;
4960 case WPA_PARAM_OCI_FREQ_FT_ASSOC:
4961 sm->oci_freq_override_ft_assoc = value;
4962 break;
4963 case WPA_PARAM_OCI_FREQ_FILS_ASSOC:
4964 sm->oci_freq_override_fils_assoc = value;
4965 break;
4966 case WPA_PARAM_DISABLE_EAPOL_G2_TX:
4967 sm->disable_eapol_g2_tx = value;
4968 break;
4969 case WPA_PARAM_ENCRYPT_EAPOL_M2:
4970 sm->encrypt_eapol_m2 = value;
4971 break;
4972 case WPA_PARAM_ENCRYPT_EAPOL_M4:
4973 sm->encrypt_eapol_m4 = value;
4974 break;
4975 #endif /* CONFIG_TESTING_OPTIONS */
4976 #ifdef CONFIG_DPP2
4977 case WPA_PARAM_DPP_PFS:
4978 sm->dpp_pfs = value;
4979 break;
4980 #endif /* CONFIG_DPP2 */
4981 case WPA_PARAM_WMM_ENABLED:
4982 sm->wmm_enabled = value;
4983 break;
4984 case WPA_PARAM_FT_PREPEND_PMKID:
4985 sm->ft_prepend_pmkid = value;
4986 break;
4987 case WPA_PARAM_SSID_PROTECTION:
4988 sm->ssid_protection = value;
4989 break;
4990 case WPA_PARAM_RSN_OVERRIDE:
4991 sm->rsn_override = value;
4992 break;
4993 case WPA_PARAM_RSN_OVERRIDE_SUPPORT:
4994 sm->rsn_override_support = value;
4995 break;
4996 default:
4997 break;
4998 }
4999
5000 return ret;
5001 }
5002
5003
wpa_sm_get_ap_rsne(struct wpa_sm * sm,size_t * len)5004 static const u8 * wpa_sm_get_ap_rsne(struct wpa_sm *sm, size_t *len)
5005 {
5006 if (sm->rsn_override == RSN_OVERRIDE_RSNE_OVERRIDE) {
5007 *len = sm->ap_rsne_override_len;
5008 return sm->ap_rsne_override;
5009 }
5010
5011 if (sm->rsn_override == RSN_OVERRIDE_RSNE_OVERRIDE_2) {
5012 *len = sm->ap_rsne_override_2_len;
5013 return sm->ap_rsne_override_2;
5014 }
5015
5016 *len = sm->ap_rsn_ie_len;
5017 return sm->ap_rsn_ie;
5018 }
5019
5020
5021 /**
5022 * wpa_sm_get_status - Get WPA state machine
5023 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5024 * @buf: Buffer for status information
5025 * @buflen: Maximum buffer length
5026 * @verbose: Whether to include verbose status information
5027 * Returns: Number of bytes written to buf.
5028 *
5029 * Query WPA state machine for status information. This function fills in
5030 * a text area with current status information. If the buffer (buf) is not
5031 * large enough, status information will be truncated to fit the buffer.
5032 */
wpa_sm_get_status(struct wpa_sm * sm,char * buf,size_t buflen,int verbose)5033 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
5034 int verbose)
5035 {
5036 char *pos = buf, *end = buf + buflen;
5037 int ret;
5038 const u8 *rsne;
5039 size_t rsne_len;
5040
5041 rsne = wpa_sm_get_ap_rsne(sm, &rsne_len);
5042
5043 ret = os_snprintf(pos, end - pos,
5044 "pairwise_cipher=%s\n"
5045 "group_cipher=%s\n"
5046 "key_mgmt=%s\n",
5047 wpa_cipher_txt(sm->pairwise_cipher),
5048 wpa_cipher_txt(sm->group_cipher),
5049 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
5050 if (os_snprintf_error(end - pos, ret))
5051 return pos - buf;
5052 pos += ret;
5053
5054 #ifdef CONFIG_DPP2
5055 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
5056 ret = os_snprintf(pos, end - pos, "dpp_pfs=1\n");
5057 if (os_snprintf_error(end - pos, ret))
5058 return pos - buf;
5059 pos += ret;
5060 }
5061 #endif /* CONFIG_DPP2 */
5062
5063 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && rsne) {
5064 struct wpa_ie_data rsn;
5065
5066 if (wpa_parse_wpa_ie_rsn(rsne, rsne_len, &rsn) >= 0 &&
5067 rsn.capabilities & (WPA_CAPABILITY_MFPR |
5068 WPA_CAPABILITY_MFPC)) {
5069 ret = os_snprintf(pos, end - pos, "pmf=%d\n"
5070 "mgmt_group_cipher=%s\n",
5071 (rsn.capabilities &
5072 WPA_CAPABILITY_MFPR) ? 2 : 1,
5073 wpa_cipher_txt(
5074 sm->mgmt_group_cipher));
5075 if (os_snprintf_error(end - pos, ret))
5076 return pos - buf;
5077 pos += ret;
5078 }
5079 }
5080
5081 return pos - buf;
5082 }
5083
5084
wpa_sm_pmf_enabled(struct wpa_sm * sm)5085 int wpa_sm_pmf_enabled(struct wpa_sm *sm)
5086 {
5087 struct wpa_ie_data rsn;
5088 const u8 *rsne;
5089 size_t rsne_len;
5090
5091 rsne = wpa_sm_get_ap_rsne(sm, &rsne_len);
5092
5093 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !rsne)
5094 return 0;
5095
5096 if (wpa_parse_wpa_ie_rsn(rsne, rsne_len, &rsn) >= 0 &&
5097 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
5098 return 1;
5099
5100 return 0;
5101 }
5102
5103
wpa_sm_rsn_overriding_supported(struct wpa_sm * sm)5104 bool wpa_sm_rsn_overriding_supported(struct wpa_sm *sm)
5105 {
5106 const u8 *rsne;
5107 size_t rsne_len;
5108
5109 rsne = wpa_sm_get_ap_rsne(sm, &rsne_len);
5110
5111 return sm->rsn_override_support && rsne;
5112 }
5113
5114
wpa_sm_ext_key_id(struct wpa_sm * sm)5115 int wpa_sm_ext_key_id(struct wpa_sm *sm)
5116 {
5117 return sm ? sm->ext_key_id : 0;
5118 }
5119
5120
wpa_sm_ext_key_id_active(struct wpa_sm * sm)5121 int wpa_sm_ext_key_id_active(struct wpa_sm *sm)
5122 {
5123 return sm ? sm->use_ext_key_id : 0;
5124 }
5125
5126
wpa_sm_ocv_enabled(struct wpa_sm * sm)5127 int wpa_sm_ocv_enabled(struct wpa_sm *sm)
5128 {
5129 struct wpa_ie_data rsn;
5130 const u8 *rsne;
5131 size_t rsne_len;
5132
5133 rsne = wpa_sm_get_ap_rsne(sm, &rsne_len);
5134 if (!sm->ocv || !rsne)
5135 return 0;
5136
5137 return wpa_parse_wpa_ie_rsn(rsne, rsne_len, &rsn) >= 0 &&
5138 (rsn.capabilities & WPA_CAPABILITY_OCVC);
5139 }
5140
5141
5142 /**
5143 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
5144 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5145 * @wpa_ie: Pointer to buffer for WPA/RSN IE
5146 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
5147 * Returns: 0 on success, -1 on failure
5148 */
wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm * sm,u8 * wpa_ie,size_t * wpa_ie_len)5149 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
5150 size_t *wpa_ie_len)
5151 {
5152 int res;
5153
5154 if (sm == NULL)
5155 return -1;
5156
5157 #ifdef CONFIG_TESTING_OPTIONS
5158 if (sm->test_assoc_ie) {
5159 wpa_printf(MSG_DEBUG,
5160 "TESTING: Replace association WPA/RSN IE");
5161 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
5162 return -1;
5163 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
5164 wpabuf_len(sm->test_assoc_ie));
5165 res = wpabuf_len(sm->test_assoc_ie);
5166 } else
5167 #endif /* CONFIG_TESTING_OPTIONS */
5168 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
5169 if (res < 0)
5170 return -1;
5171 *wpa_ie_len = res;
5172
5173 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
5174 wpa_ie, *wpa_ie_len);
5175
5176 if (sm->assoc_wpa_ie == NULL) {
5177 /*
5178 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
5179 * the correct version of the IE even if PMKSA caching is
5180 * aborted (which would remove PMKID from IE generation).
5181 */
5182 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
5183 if (sm->assoc_wpa_ie == NULL)
5184 return -1;
5185
5186 sm->assoc_wpa_ie_len = *wpa_ie_len;
5187 } else {
5188 wpa_hexdump(MSG_DEBUG,
5189 "WPA: Leave previously set WPA IE default",
5190 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5191 }
5192
5193 return 0;
5194 }
5195
5196
5197 /**
5198 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
5199 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5200 * @ie: Pointer to IE data (starting from id)
5201 * @len: IE length
5202 * Returns: 0 on success, -1 on failure
5203 *
5204 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
5205 * Request frame. The IE will be used to override the default value generated
5206 * with wpa_sm_set_assoc_wpa_ie_default().
5207 */
wpa_sm_set_assoc_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)5208 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
5209 {
5210 if (sm == NULL)
5211 return -1;
5212
5213 os_free(sm->assoc_wpa_ie);
5214 if (ie == NULL || len == 0) {
5215 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5216 "WPA: clearing own WPA/RSN IE");
5217 sm->assoc_wpa_ie = NULL;
5218 sm->assoc_wpa_ie_len = 0;
5219 } else {
5220 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
5221 sm->assoc_wpa_ie = os_memdup(ie, len);
5222 if (sm->assoc_wpa_ie == NULL)
5223 return -1;
5224
5225 sm->assoc_wpa_ie_len = len;
5226 }
5227
5228 return 0;
5229 }
5230
5231
5232 /**
5233 * wpa_sm_set_assoc_rsnxe_default - Generate own RSNXE from configuration
5234 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5235 * @rsnxe: Pointer to buffer for RSNXE
5236 * @rsnxe_len: Pointer to the length of the rsne buffer
5237 * Returns: 0 on success, -1 on failure
5238 */
wpa_sm_set_assoc_rsnxe_default(struct wpa_sm * sm,u8 * rsnxe,size_t * rsnxe_len)5239 int wpa_sm_set_assoc_rsnxe_default(struct wpa_sm *sm, u8 *rsnxe,
5240 size_t *rsnxe_len)
5241 {
5242 int res;
5243
5244 if (!sm)
5245 return -1;
5246
5247 res = wpa_gen_rsnxe(sm, rsnxe, *rsnxe_len);
5248 if (res < 0)
5249 return -1;
5250 *rsnxe_len = res;
5251
5252 wpa_hexdump(MSG_DEBUG, "RSN: Set own RSNXE default", rsnxe, *rsnxe_len);
5253
5254 if (sm->assoc_rsnxe) {
5255 wpa_hexdump(MSG_DEBUG,
5256 "RSN: Leave previously set RSNXE default",
5257 sm->assoc_rsnxe, sm->assoc_rsnxe_len);
5258 } else if (*rsnxe_len > 0) {
5259 /*
5260 * Make a copy of the RSNXE so that 4-Way Handshake gets the
5261 * correct version of the IE even if it gets changed.
5262 */
5263 sm->assoc_rsnxe = os_memdup(rsnxe, *rsnxe_len);
5264 if (!sm->assoc_rsnxe)
5265 return -1;
5266
5267 sm->assoc_rsnxe_len = *rsnxe_len;
5268 }
5269
5270 return 0;
5271 }
5272
5273
5274 /**
5275 * wpa_sm_set_assoc_rsnxe - Set own RSNXE from (Re)AssocReq
5276 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5277 * @ie: Pointer to IE data (starting from id)
5278 * @len: IE length
5279 * Returns: 0 on success, -1 on failure
5280 *
5281 * Inform WPA state machine about the RSNXE used in (Re)Association Request
5282 * frame. The IE will be used to override the default value generated
5283 * with wpa_sm_set_assoc_rsnxe_default().
5284 */
wpa_sm_set_assoc_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)5285 int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
5286 {
5287 if (!sm)
5288 return -1;
5289
5290 os_free(sm->assoc_rsnxe);
5291 if (!ie || len == 0) {
5292 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5293 "RSN: clearing own RSNXE");
5294 sm->assoc_rsnxe = NULL;
5295 sm->assoc_rsnxe_len = 0;
5296 } else {
5297 wpa_hexdump(MSG_DEBUG, "RSN: set own RSNXE", ie, len);
5298 sm->assoc_rsnxe = os_memdup(ie, len);
5299 if (!sm->assoc_rsnxe)
5300 return -1;
5301
5302 sm->assoc_rsnxe_len = len;
5303 }
5304
5305 if (sm->ssid_protection &&
5306 !ieee802_11_rsnx_capab(sm->assoc_rsnxe,
5307 WLAN_RSNX_CAPAB_SSID_PROTECTION)) {
5308 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5309 "RSN: Disabling SSID protection based on own RSNXE update");
5310 sm->ssid_protection = 0;
5311 }
5312
5313 return 0;
5314 }
5315
5316
5317 /**
5318 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
5319 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5320 * @ie: Pointer to IE data (starting from id)
5321 * @len: IE length
5322 * Returns: 0 on success, -1 on failure
5323 *
5324 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
5325 * frame.
5326 */
wpa_sm_set_ap_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)5327 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
5328 {
5329 if (sm == NULL)
5330 return -1;
5331
5332 os_free(sm->ap_wpa_ie);
5333 if (ie == NULL || len == 0) {
5334 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5335 "WPA: clearing AP WPA IE");
5336 sm->ap_wpa_ie = NULL;
5337 sm->ap_wpa_ie_len = 0;
5338 } else {
5339 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
5340 sm->ap_wpa_ie = os_memdup(ie, len);
5341 if (sm->ap_wpa_ie == NULL)
5342 return -1;
5343
5344 sm->ap_wpa_ie_len = len;
5345 }
5346
5347 return 0;
5348 }
5349
5350
5351 /**
5352 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
5353 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5354 * @ie: Pointer to IE data (starting from id)
5355 * @len: IE length
5356 * Returns: 0 on success, -1 on failure
5357 *
5358 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
5359 * frame.
5360 */
wpa_sm_set_ap_rsn_ie(struct wpa_sm * sm,const u8 * ie,size_t len)5361 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
5362 {
5363 if (sm == NULL)
5364 return -1;
5365
5366 os_free(sm->ap_rsn_ie);
5367 if (ie == NULL || len == 0) {
5368 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5369 "WPA: clearing AP RSN IE");
5370 sm->ap_rsn_ie = NULL;
5371 sm->ap_rsn_ie_len = 0;
5372 } else {
5373 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
5374 sm->ap_rsn_ie = os_memdup(ie, len);
5375 if (sm->ap_rsn_ie == NULL)
5376 return -1;
5377
5378 sm->ap_rsn_ie_len = len;
5379 }
5380
5381 return 0;
5382 }
5383
5384
5385 /**
5386 * wpa_sm_set_ap_rsnxe - Set AP RSNXE from Beacon/ProbeResp
5387 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5388 * @ie: Pointer to IE data (starting from id)
5389 * @len: IE length
5390 * Returns: 0 on success, -1 on failure
5391 *
5392 * Inform WPA state machine about the RSNXE used in Beacon / Probe Response
5393 * frame.
5394 */
wpa_sm_set_ap_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)5395 int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
5396 {
5397 if (!sm)
5398 return -1;
5399
5400 os_free(sm->ap_rsnxe);
5401 if (!ie || len == 0) {
5402 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE");
5403 sm->ap_rsnxe = NULL;
5404 sm->ap_rsnxe_len = 0;
5405 } else {
5406 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len);
5407 sm->ap_rsnxe = os_memdup(ie, len);
5408 if (!sm->ap_rsnxe)
5409 return -1;
5410
5411 sm->ap_rsnxe_len = len;
5412 }
5413
5414 return 0;
5415 }
5416
5417
wpa_sm_set_ap_rsne_override(struct wpa_sm * sm,const u8 * ie,size_t len)5418 int wpa_sm_set_ap_rsne_override(struct wpa_sm *sm, const u8 *ie, size_t len)
5419 {
5420 if (!sm)
5421 return -1;
5422
5423 os_free(sm->ap_rsne_override);
5424 if (!ie || len == 0) {
5425 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5426 "RSN: Clearing AP RSNE Override element");
5427 sm->ap_rsne_override = NULL;
5428 sm->ap_rsne_override_len = 0;
5429 } else {
5430 wpa_hexdump(MSG_DEBUG, "RSN: Set AP RSNE Override element",
5431 ie, len);
5432 sm->ap_rsne_override = os_memdup(ie, len);
5433 if (!sm->ap_rsne_override)
5434 return -1;
5435
5436 sm->ap_rsne_override_len = len;
5437 }
5438
5439 return 0;
5440 }
5441
5442
wpa_sm_set_ap_rsne_override_2(struct wpa_sm * sm,const u8 * ie,size_t len)5443 int wpa_sm_set_ap_rsne_override_2(struct wpa_sm *sm, const u8 *ie, size_t len)
5444 {
5445 if (!sm)
5446 return -1;
5447
5448 os_free(sm->ap_rsne_override_2);
5449 if (!ie || len == 0) {
5450 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5451 "RSN: Clearing AP RSNE Override 2 element");
5452 sm->ap_rsne_override_2 = NULL;
5453 sm->ap_rsne_override_2_len = 0;
5454 } else {
5455 wpa_hexdump(MSG_DEBUG, "RSN: Set AP RSNE Override 2 element",
5456 ie, len);
5457 sm->ap_rsne_override_2 = os_memdup(ie, len);
5458 if (!sm->ap_rsne_override_2)
5459 return -1;
5460
5461 sm->ap_rsne_override_2_len = len;
5462 }
5463
5464 return 0;
5465 }
5466
5467
wpa_sm_set_ap_rsnxe_override(struct wpa_sm * sm,const u8 * ie,size_t len)5468 int wpa_sm_set_ap_rsnxe_override(struct wpa_sm *sm, const u8 *ie, size_t len)
5469 {
5470 if (!sm)
5471 return -1;
5472
5473 os_free(sm->ap_rsnxe_override);
5474 if (!ie || len == 0) {
5475 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5476 "RSN: Clearing AP RSNXE Override element");
5477 sm->ap_rsnxe_override = NULL;
5478 sm->ap_rsnxe_override_len = 0;
5479 } else {
5480 wpa_hexdump(MSG_DEBUG, "RSN: Set AP RSNXE Override element",
5481 ie, len);
5482 sm->ap_rsnxe_override = os_memdup(ie, len);
5483 if (!sm->ap_rsnxe_override)
5484 return -1;
5485
5486 sm->ap_rsnxe_override_len = len;
5487 }
5488
5489 return 0;
5490 }
5491
5492
5493 /**
5494 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
5495 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5496 * @data: Pointer to data area for parsing results
5497 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
5498 *
5499 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
5500 * parsed data into data.
5501 */
wpa_sm_parse_own_wpa_ie(struct wpa_sm * sm,struct wpa_ie_data * data)5502 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
5503 {
5504 if (sm == NULL)
5505 return -1;
5506
5507 if (sm->assoc_wpa_ie == NULL) {
5508 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5509 "WPA: No WPA/RSN IE available from association info");
5510 return -1;
5511 }
5512 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
5513 return -2;
5514 return 0;
5515 }
5516
5517
wpa_sm_pmksa_cache_list(struct wpa_sm * sm,char * buf,size_t len)5518 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
5519 {
5520 return pmksa_cache_list(sm->pmksa, buf, len);
5521 }
5522
5523
wpa_sm_pmksa_cache_head(struct wpa_sm * sm)5524 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
5525 {
5526 return pmksa_cache_head(sm->pmksa);
5527 }
5528
5529
5530 struct rsn_pmksa_cache_entry *
wpa_sm_pmksa_cache_add_entry(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)5531 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
5532 struct rsn_pmksa_cache_entry * entry)
5533 {
5534 return pmksa_cache_add_entry(sm->pmksa, entry);
5535 }
5536
5537
wpa_sm_pmksa_cache_add(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid,const u8 * fils_cache_id)5538 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
5539 const u8 *pmkid, const u8 *bssid,
5540 const u8 *fils_cache_id)
5541 {
5542 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
5543 bssid, sm->own_addr, sm->network_ctx,
5544 sm->key_mgmt, fils_cache_id);
5545 }
5546
5547
wpa_sm_pmksa_exists(struct wpa_sm * sm,const u8 * bssid,const u8 * own_addr,const void * network_ctx)5548 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid, const u8 *own_addr,
5549 const void *network_ctx)
5550 {
5551 return pmksa_cache_get(sm->pmksa, bssid, own_addr, NULL, network_ctx,
5552 0) != NULL;
5553 }
5554
5555
wpa_sm_pmksa_cache_get(struct wpa_sm * sm,const u8 * aa,const u8 * pmkid,const void * network_ctx,int akmp)5556 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_get(struct wpa_sm *sm,
5557 const u8 *aa,
5558 const u8 *pmkid,
5559 const void *network_ctx,
5560 int akmp)
5561 {
5562 return pmksa_cache_get(sm->pmksa, aa, sm->own_addr, pmkid, network_ctx,
5563 akmp);
5564 }
5565
5566
wpa_sm_pmksa_cache_remove(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)5567 void wpa_sm_pmksa_cache_remove(struct wpa_sm *sm,
5568 struct rsn_pmksa_cache_entry *entry)
5569 {
5570 if (sm && sm->pmksa)
5571 pmksa_cache_remove(sm->pmksa, entry);
5572 }
5573
5574
wpa_sm_drop_sa(struct wpa_sm * sm)5575 void wpa_sm_drop_sa(struct wpa_sm *sm)
5576 {
5577 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
5578 wpa_sm_clear_ptk(sm);
5579 sm->pmk_len = 0;
5580 os_memset(sm->pmk, 0, sizeof(sm->pmk));
5581 #ifdef CONFIG_IEEE80211R
5582 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
5583 sm->xxkey_len = 0;
5584 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
5585 sm->pmk_r0_len = 0;
5586 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
5587 sm->pmk_r1_len = 0;
5588 #ifdef CONFIG_PASN
5589 os_free(sm->pasn_r1kh);
5590 sm->pasn_r1kh = NULL;
5591 sm->n_pasn_r1kh = 0;
5592 #endif /* CONFIG_PASN */
5593 #endif /* CONFIG_IEEE80211R */
5594 }
5595
5596
5597 #ifdef CONFIG_IEEE80211R
wpa_sm_has_ft_keys(struct wpa_sm * sm,const u8 * md)5598 bool wpa_sm_has_ft_keys(struct wpa_sm *sm, const u8 *md)
5599 {
5600 if (!sm)
5601 return false;
5602 if (!wpa_key_mgmt_ft(sm->key_mgmt) ||
5603 os_memcmp(md, sm->key_mobility_domain,
5604 MOBILITY_DOMAIN_ID_LEN) != 0) {
5605 /* Do not allow FT protocol to be used even if we were to have
5606 * an PTK since the mobility domain has changed. */
5607 return false;
5608 }
5609 return sm->ptk_set;
5610 }
5611 #endif /* CONFIG_IEEE80211R */
5612
5613
wpa_sm_has_ptk_installed(struct wpa_sm * sm)5614 int wpa_sm_has_ptk_installed(struct wpa_sm *sm)
5615 {
5616 if (!sm)
5617 return 0;
5618 return sm->tk_set || sm->ptk.installed;
5619 }
5620
5621
wpa_sm_update_replay_ctr(struct wpa_sm * sm,const u8 * replay_ctr)5622 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
5623 {
5624 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
5625 }
5626
5627
wpa_sm_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)5628 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
5629 {
5630 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, false);
5631 }
5632
5633
wpa_sm_external_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)5634 void wpa_sm_external_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
5635 {
5636 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, true);
5637 }
5638
5639
5640 #ifdef CONFIG_WNM
wpa_wnmsleep_install_key(struct wpa_sm * sm,u8 subelem_id,u8 * buf)5641 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
5642 {
5643 u16 keyinfo;
5644 u8 keylen; /* plaintext key len */
5645 u8 *key_rsc;
5646
5647 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
5648 struct wpa_gtk_data gd;
5649
5650 os_memset(&gd, 0, sizeof(gd));
5651 keylen = wpa_cipher_key_len(sm->group_cipher);
5652 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
5653 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
5654 if (gd.alg == WPA_ALG_NONE) {
5655 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
5656 return -1;
5657 }
5658
5659 key_rsc = buf + 5;
5660 keyinfo = WPA_GET_LE16(buf + 2);
5661 gd.gtk_len = keylen;
5662 if (gd.gtk_len != buf[4]) {
5663 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
5664 gd.gtk_len, buf[4]);
5665 return -1;
5666 }
5667 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
5668 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
5669 sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
5670
5671 os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
5672
5673 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
5674 gd.gtk, gd.gtk_len);
5675 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
5676 forced_memzero(&gd, sizeof(gd));
5677 wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
5678 "WNM mode");
5679 return -1;
5680 }
5681 forced_memzero(&gd, sizeof(gd));
5682 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
5683 const struct wpa_igtk_kde *igtk;
5684
5685 igtk = (const struct wpa_igtk_kde *) (buf + 2);
5686 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
5687 return -1;
5688 } else if (subelem_id == WNM_SLEEP_SUBELEM_BIGTK) {
5689 const struct wpa_bigtk_kde *bigtk;
5690
5691 bigtk = (const struct wpa_bigtk_kde *) (buf + 2);
5692 if (sm->beacon_prot &&
5693 wpa_supplicant_install_bigtk(sm, bigtk, 1) < 0)
5694 return -1;
5695 } else {
5696 wpa_printf(MSG_DEBUG, "Unknown element id");
5697 return -1;
5698 }
5699
5700 return 0;
5701 }
5702 #endif /* CONFIG_WNM */
5703
5704
5705 #ifdef CONFIG_P2P
5706
wpa_sm_get_p2p_ip_addr(struct wpa_sm * sm,u8 * buf)5707 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
5708 {
5709 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
5710 return -1;
5711 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
5712 return 0;
5713 }
5714
5715 #endif /* CONFIG_P2P */
5716
5717
wpa_sm_set_rx_replay_ctr(struct wpa_sm * sm,const u8 * rx_replay_counter)5718 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
5719 {
5720 if (rx_replay_counter == NULL)
5721 return;
5722
5723 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
5724 WPA_REPLAY_COUNTER_LEN);
5725 sm->rx_replay_counter_set = 1;
5726 wpa_printf(MSG_DEBUG, "Updated key replay counter");
5727 }
5728
5729
wpa_sm_set_ptk_kck_kek(struct wpa_sm * sm,const u8 * ptk_kck,size_t ptk_kck_len,const u8 * ptk_kek,size_t ptk_kek_len)5730 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
5731 const u8 *ptk_kck, size_t ptk_kck_len,
5732 const u8 *ptk_kek, size_t ptk_kek_len)
5733 {
5734 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
5735 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
5736 sm->ptk.kck_len = ptk_kck_len;
5737 wpa_printf(MSG_DEBUG, "Updated PTK KCK");
5738 }
5739 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
5740 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
5741 sm->ptk.kek_len = ptk_kek_len;
5742 wpa_printf(MSG_DEBUG, "Updated PTK KEK");
5743 }
5744 sm->ptk_set = 1;
5745 }
5746
5747
5748 #ifdef CONFIG_TESTING_OPTIONS
5749
wpa_sm_set_test_assoc_ie(struct wpa_sm * sm,struct wpabuf * buf)5750 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
5751 {
5752 wpabuf_free(sm->test_assoc_ie);
5753 sm->test_assoc_ie = buf;
5754 }
5755
5756
wpa_sm_set_test_eapol_m2_elems(struct wpa_sm * sm,struct wpabuf * buf)5757 void wpa_sm_set_test_eapol_m2_elems(struct wpa_sm *sm, struct wpabuf *buf)
5758 {
5759 wpabuf_free(sm->test_eapol_m2_elems);
5760 sm->test_eapol_m2_elems = buf;
5761 }
5762
5763
wpa_sm_set_test_eapol_m4_elems(struct wpa_sm * sm,struct wpabuf * buf)5764 void wpa_sm_set_test_eapol_m4_elems(struct wpa_sm *sm, struct wpabuf *buf)
5765 {
5766 wpabuf_free(sm->test_eapol_m4_elems);
5767 sm->test_eapol_m4_elems = buf;
5768 }
5769
5770
wpa_sm_get_anonce(struct wpa_sm * sm)5771 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm)
5772 {
5773 return sm->anonce;
5774 }
5775
5776 #endif /* CONFIG_TESTING_OPTIONS */
5777
5778
wpa_sm_get_key_mgmt(struct wpa_sm * sm)5779 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm)
5780 {
5781 return sm->key_mgmt;
5782 }
5783
5784
wpa_sm_get_auth_addr(struct wpa_sm * sm)5785 const u8 * wpa_sm_get_auth_addr(struct wpa_sm *sm)
5786 {
5787 return sm->mlo.valid_links ? sm->mlo.ap_mld_addr : sm->bssid;
5788 }
5789
5790
5791 #ifdef CONFIG_FILS
5792
fils_build_auth(struct wpa_sm * sm,int dh_group,const u8 * md)5793 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md)
5794 {
5795 struct wpabuf *buf = NULL;
5796 struct wpabuf *erp_msg;
5797 struct wpabuf *pub = NULL;
5798
5799 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
5800 if (!erp_msg && !sm->cur_pmksa) {
5801 wpa_printf(MSG_DEBUG,
5802 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
5803 goto fail;
5804 }
5805
5806 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
5807 erp_msg != NULL, sm->cur_pmksa != NULL);
5808
5809 sm->fils_completed = 0;
5810
5811 if (!sm->assoc_wpa_ie) {
5812 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
5813 goto fail;
5814 }
5815
5816 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
5817 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
5818 goto fail;
5819
5820 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
5821 sm->fils_nonce, FILS_NONCE_LEN);
5822 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
5823 sm->fils_session, FILS_SESSION_LEN);
5824
5825 #ifdef CONFIG_FILS_SK_PFS
5826 sm->fils_dh_group = dh_group;
5827 if (dh_group) {
5828 crypto_ecdh_deinit(sm->fils_ecdh);
5829 sm->fils_ecdh = crypto_ecdh_init(dh_group);
5830 if (!sm->fils_ecdh) {
5831 wpa_printf(MSG_INFO,
5832 "FILS: Could not initialize ECDH with group %d",
5833 dh_group);
5834 goto fail;
5835 }
5836 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
5837 if (!pub)
5838 goto fail;
5839 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)",
5840 pub);
5841 sm->fils_dh_elem_len = wpabuf_len(pub);
5842 }
5843 #endif /* CONFIG_FILS_SK_PFS */
5844
5845 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
5846 (pub ? wpabuf_len(pub) : 0));
5847 if (!buf)
5848 goto fail;
5849
5850 /* Fields following the Authentication algorithm number field */
5851
5852 /* Authentication Transaction seq# */
5853 wpabuf_put_le16(buf, 1);
5854
5855 /* Status Code */
5856 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
5857
5858 /* TODO: FILS PK */
5859 #ifdef CONFIG_FILS_SK_PFS
5860 if (dh_group) {
5861 /* Finite Cyclic Group */
5862 wpabuf_put_le16(buf, dh_group);
5863 /* Element */
5864 wpabuf_put_buf(buf, pub);
5865 }
5866 #endif /* CONFIG_FILS_SK_PFS */
5867
5868 /* RSNE */
5869 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
5870 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5871 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5872
5873 if (md) {
5874 /* MDE when using FILS for FT initial association */
5875 struct rsn_mdie *mdie;
5876
5877 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN);
5878 wpabuf_put_u8(buf, sizeof(*mdie));
5879 mdie = wpabuf_put(buf, sizeof(*mdie));
5880 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
5881 mdie->ft_capab = 0;
5882 }
5883
5884 /* FILS Nonce */
5885 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5886 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
5887 /* Element ID Extension */
5888 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
5889 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
5890
5891 /* FILS Session */
5892 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5893 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
5894 /* Element ID Extension */
5895 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
5896 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
5897
5898 /* Wrapped Data */
5899 sm->fils_erp_pmkid_set = 0;
5900 if (erp_msg) {
5901 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5902 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
5903 /* Element ID Extension */
5904 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
5905 wpabuf_put_buf(buf, erp_msg);
5906 /* Calculate pending PMKID here so that we do not need to
5907 * maintain a copy of the EAP-Initiate/Reauth message. */
5908 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
5909 wpabuf_len(erp_msg),
5910 sm->fils_erp_pmkid) == 0)
5911 sm->fils_erp_pmkid_set = 1;
5912 }
5913
5914 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
5915 buf);
5916
5917 fail:
5918 wpabuf_free(erp_msg);
5919 wpabuf_free(pub);
5920 return buf;
5921 }
5922
5923
fils_process_auth(struct wpa_sm * sm,const u8 * bssid,const u8 * data,size_t len)5924 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
5925 size_t len)
5926 {
5927 const u8 *pos, *end;
5928 struct ieee802_11_elems elems;
5929 struct wpa_ie_data rsn;
5930 int pmkid_match = 0;
5931 u8 ick[FILS_ICK_MAX_LEN];
5932 size_t ick_len;
5933 int res;
5934 struct wpabuf *dh_ss = NULL;
5935 const u8 *g_sta = NULL;
5936 size_t g_sta_len = 0;
5937 const u8 *g_ap = NULL;
5938 size_t g_ap_len = 0, kdk_len;
5939 struct wpabuf *pub = NULL;
5940 #ifdef CONFIG_IEEE80211R
5941 struct wpa_ft_ies parse;
5942
5943 os_memset(&parse, 0, sizeof(parse));
5944 #endif /* CONFIG_IEEE80211R */
5945
5946 os_memcpy(sm->bssid, bssid, ETH_ALEN);
5947
5948 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
5949 data, len);
5950 pos = data;
5951 end = data + len;
5952
5953 /* TODO: FILS PK */
5954 #ifdef CONFIG_FILS_SK_PFS
5955 if (sm->fils_dh_group) {
5956 u16 group;
5957
5958 /* Using FILS PFS */
5959
5960 /* Finite Cyclic Group */
5961 if (end - pos < 2) {
5962 wpa_printf(MSG_DEBUG,
5963 "FILS: No room for Finite Cyclic Group");
5964 goto fail;
5965 }
5966 group = WPA_GET_LE16(pos);
5967 pos += 2;
5968 if (group != sm->fils_dh_group) {
5969 wpa_printf(MSG_DEBUG,
5970 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
5971 group, sm->fils_dh_group);
5972 goto fail;
5973 }
5974
5975 /* Element */
5976 if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
5977 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
5978 goto fail;
5979 }
5980
5981 if (!sm->fils_ecdh) {
5982 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available");
5983 goto fail;
5984 }
5985 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
5986 sm->fils_dh_elem_len);
5987 if (!dh_ss) {
5988 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
5989 goto fail;
5990 }
5991 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss);
5992 g_ap = pos;
5993 g_ap_len = sm->fils_dh_elem_len;
5994 pos += sm->fils_dh_elem_len;
5995 }
5996 #endif /* CONFIG_FILS_SK_PFS */
5997
5998 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
5999 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
6000 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
6001 goto fail;
6002 }
6003
6004 /* RSNE */
6005 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
6006 elems.rsn_ie_len);
6007 if (!elems.rsn_ie ||
6008 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
6009 &rsn) < 0) {
6010 wpa_printf(MSG_DEBUG, "FILS: No RSN element");
6011 goto fail;
6012 }
6013
6014 if (!elems.fils_nonce) {
6015 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
6016 goto fail;
6017 }
6018 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
6019 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
6020
6021 #ifdef CONFIG_IEEE80211R
6022 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
6023 if (!elems.mdie || !elems.ftie) {
6024 wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE");
6025 goto fail;
6026 }
6027
6028 if (wpa_ft_parse_ies(pos, end - pos, &parse,
6029 sm->key_mgmt, false) < 0) {
6030 wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs");
6031 goto fail;
6032 }
6033
6034 if (!parse.r0kh_id) {
6035 wpa_printf(MSG_DEBUG,
6036 "FILS+FT: No R0KH-ID subelem in FTE");
6037 goto fail;
6038 }
6039 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
6040 sm->r0kh_id_len = parse.r0kh_id_len;
6041 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
6042 sm->r0kh_id, sm->r0kh_id_len);
6043
6044 if (!parse.r1kh_id) {
6045 wpa_printf(MSG_DEBUG,
6046 "FILS+FT: No R1KH-ID subelem in FTE");
6047 goto fail;
6048 }
6049 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
6050 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID",
6051 sm->r1kh_id, FT_R1KH_ID_LEN);
6052
6053 /* TODO: Check MDE and FTE payload */
6054
6055 wpabuf_free(sm->fils_ft_ies);
6056 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len +
6057 2 + elems.ftie_len);
6058 if (!sm->fils_ft_ies)
6059 goto fail;
6060 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2,
6061 2 + elems.mdie_len);
6062 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2,
6063 2 + elems.ftie_len);
6064 } else {
6065 wpabuf_free(sm->fils_ft_ies);
6066 sm->fils_ft_ies = NULL;
6067 }
6068 #endif /* CONFIG_IEEE80211R */
6069
6070 /* PMKID List */
6071 if (rsn.pmkid && rsn.num_pmkid > 0) {
6072 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
6073 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
6074
6075 if (rsn.num_pmkid != 1) {
6076 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
6077 goto fail;
6078 }
6079 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
6080 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
6081 {
6082 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
6083 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
6084 sm->cur_pmksa->pmkid, PMKID_LEN);
6085 goto fail;
6086 }
6087 wpa_printf(MSG_DEBUG,
6088 "FILS: Matching PMKID - continue using PMKSA caching");
6089 pmkid_match = 1;
6090 }
6091 if (!pmkid_match && sm->cur_pmksa) {
6092 wpa_printf(MSG_DEBUG,
6093 "FILS: No PMKID match - cannot use cached PMKSA entry");
6094 sm->cur_pmksa = NULL;
6095 }
6096
6097 /* FILS Session */
6098 if (!elems.fils_session) {
6099 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
6100 goto fail;
6101 }
6102 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
6103 FILS_SESSION_LEN);
6104 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
6105 != 0) {
6106 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
6107 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
6108 sm->fils_session, FILS_SESSION_LEN);
6109 goto fail;
6110 }
6111
6112 /* Wrapped Data */
6113 if (!sm->cur_pmksa && elems.wrapped_data) {
6114 u8 rmsk[ERP_MAX_KEY_LEN];
6115 size_t rmsk_len;
6116
6117 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
6118 elems.wrapped_data,
6119 elems.wrapped_data_len);
6120 eapol_sm_process_erp_finish(sm->eapol, elems.wrapped_data,
6121 elems.wrapped_data_len);
6122 if (eapol_sm_failed(sm->eapol))
6123 goto fail;
6124
6125 rmsk_len = ERP_MAX_KEY_LEN;
6126 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
6127 if (res == PMK_LEN) {
6128 rmsk_len = PMK_LEN;
6129 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
6130 }
6131 if (res)
6132 goto fail;
6133
6134 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
6135 sm->fils_nonce, sm->fils_anonce,
6136 dh_ss ? wpabuf_head(dh_ss) : NULL,
6137 dh_ss ? wpabuf_len(dh_ss) : 0,
6138 sm->pmk, &sm->pmk_len);
6139 forced_memzero(rmsk, sizeof(rmsk));
6140
6141 /* Don't use DHss in PTK derivation if PMKSA caching is not
6142 * used. */
6143 wpabuf_clear_free(dh_ss);
6144 dh_ss = NULL;
6145
6146 if (res)
6147 goto fail;
6148
6149 if (!sm->fils_erp_pmkid_set) {
6150 wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
6151 goto fail;
6152 }
6153 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
6154 PMKID_LEN);
6155 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
6156 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
6157 sm->fils_erp_pmkid, NULL, 0,
6158 sm->bssid, sm->own_addr,
6159 sm->network_ctx, sm->key_mgmt,
6160 NULL);
6161 }
6162
6163 if (!sm->cur_pmksa) {
6164 wpa_printf(MSG_DEBUG,
6165 "FILS: No remaining options to continue FILS authentication");
6166 goto fail;
6167 }
6168
6169 if (sm->force_kdk_derivation ||
6170 (sm->secure_ltf &&
6171 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
6172 kdk_len = WPA_KDK_MAX_LEN;
6173 else
6174 kdk_len = 0;
6175
6176 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr,
6177 wpa_sm_get_auth_addr(sm),
6178 sm->fils_nonce, sm->fils_anonce,
6179 dh_ss ? wpabuf_head(dh_ss) : NULL,
6180 dh_ss ? wpabuf_len(dh_ss) : 0,
6181 &sm->ptk, ick, &ick_len,
6182 sm->key_mgmt, sm->pairwise_cipher,
6183 sm->fils_ft, &sm->fils_ft_len,
6184 kdk_len) < 0) {
6185 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
6186 goto fail;
6187 }
6188
6189 #ifdef CONFIG_PASN
6190 if (sm->secure_ltf &&
6191 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
6192 wpa_ltf_keyseed(&sm->ptk, sm->key_mgmt, sm->pairwise_cipher)) {
6193 wpa_printf(MSG_DEBUG, "FILS: Failed to derive LTF keyseed");
6194 goto fail;
6195 }
6196 #endif /* CONFIG_PASN */
6197
6198 wpabuf_clear_free(dh_ss);
6199 dh_ss = NULL;
6200
6201 sm->ptk_set = 1;
6202 sm->tptk_set = 0;
6203 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
6204
6205 #ifdef CONFIG_FILS_SK_PFS
6206 if (sm->fils_dh_group) {
6207 if (!sm->fils_ecdh) {
6208 wpa_printf(MSG_INFO, "FILS: ECDH not initialized");
6209 goto fail;
6210 }
6211 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
6212 if (!pub)
6213 goto fail;
6214 wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub);
6215 g_sta = wpabuf_head(pub);
6216 g_sta_len = wpabuf_len(pub);
6217 if (!g_ap) {
6218 wpa_printf(MSG_INFO, "FILS: gAP not available");
6219 goto fail;
6220 }
6221 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
6222 }
6223 #endif /* CONFIG_FILS_SK_PFS */
6224
6225 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
6226 sm->fils_anonce, sm->own_addr, sm->bssid,
6227 g_sta, g_sta_len, g_ap, g_ap_len,
6228 sm->key_mgmt, sm->fils_key_auth_sta,
6229 sm->fils_key_auth_ap,
6230 &sm->fils_key_auth_len);
6231 wpabuf_free(pub);
6232 forced_memzero(ick, sizeof(ick));
6233 #ifdef CONFIG_IEEE80211R
6234 wpa_ft_parse_ies_free(&parse);
6235 #endif /* CONFIG_IEEE80211R */
6236 return res;
6237 fail:
6238 wpabuf_free(pub);
6239 wpabuf_clear_free(dh_ss);
6240 #ifdef CONFIG_IEEE80211R
6241 wpa_ft_parse_ies_free(&parse);
6242 #endif /* CONFIG_IEEE80211R */
6243 return -1;
6244 }
6245
6246
6247 #ifdef CONFIG_IEEE80211R
fils_ft_build_assoc_req_rsne(struct wpa_sm * sm,struct wpabuf * buf)6248 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf)
6249 {
6250 struct rsn_ie_hdr *rsnie;
6251 u16 capab;
6252 u8 *pos;
6253 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
6254
6255 /* RSNIE[PMKR0Name/PMKR1Name] */
6256 rsnie = wpabuf_put(buf, sizeof(*rsnie));
6257 rsnie->elem_id = WLAN_EID_RSN;
6258 WPA_PUT_LE16(rsnie->version, RSN_VERSION);
6259
6260 /* Group Suite Selector */
6261 if (!wpa_cipher_valid_group(sm->group_cipher)) {
6262 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
6263 sm->group_cipher);
6264 return -1;
6265 }
6266 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6267 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
6268 sm->group_cipher));
6269
6270 /* Pairwise Suite Count */
6271 wpabuf_put_le16(buf, 1);
6272
6273 /* Pairwise Suite List */
6274 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
6275 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
6276 sm->pairwise_cipher);
6277 return -1;
6278 }
6279 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6280 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
6281 sm->pairwise_cipher));
6282
6283 /* Authenticated Key Management Suite Count */
6284 wpabuf_put_le16(buf, 1);
6285
6286 /* Authenticated Key Management Suite List */
6287 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6288 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
6289 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
6290 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384)
6291 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
6292 else {
6293 wpa_printf(MSG_WARNING,
6294 "FILS+FT: Invalid key management type (%d)",
6295 sm->key_mgmt);
6296 return -1;
6297 }
6298
6299 /* RSN Capabilities */
6300 capab = 0;
6301 if (sm->mfp)
6302 capab |= WPA_CAPABILITY_MFPC;
6303 if (sm->mfp == 2)
6304 capab |= WPA_CAPABILITY_MFPR;
6305 if (sm->ocv)
6306 capab |= WPA_CAPABILITY_OCVC;
6307 if (sm->ext_key_id)
6308 capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST;
6309 wpabuf_put_le16(buf, capab);
6310
6311 /* PMKID Count */
6312 wpabuf_put_le16(buf, 1);
6313
6314 /* PMKID List [PMKR1Name] */
6315 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)",
6316 sm->fils_ft, sm->fils_ft_len);
6317 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len);
6318 wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID",
6319 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
6320 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
6321 sm->r0kh_id, sm->r0kh_id_len);
6322 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid,
6323 sm->ssid_len, sm->mobility_domain,
6324 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
6325 sm->pmk_r0, sm->pmk_r0_name, sm->key_mgmt) < 0) {
6326 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0");
6327 return -1;
6328 }
6329 if (wpa_key_mgmt_sae_ext_key(sm->key_mgmt))
6330 sm->pmk_r0_len = sm->fils_ft_len;
6331 else
6332 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
6333 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR,
6334 MAC2STR(sm->r1kh_id));
6335 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
6336 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
6337 sm->pmk_r1_name, sm->fils_ft_len) < 0) {
6338 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
6339 return -1;
6340 }
6341 os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN);
6342
6343 os_memcpy(sm->key_mobility_domain, sm->mobility_domain,
6344 MOBILITY_DOMAIN_ID_LEN);
6345
6346 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
6347 /* Management Group Cipher Suite */
6348 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6349 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
6350 }
6351
6352 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2;
6353 return 0;
6354 }
6355 #endif /* CONFIG_IEEE80211R */
6356
6357
fils_build_assoc_req(struct wpa_sm * sm,const u8 ** kek,size_t * kek_len,const u8 ** snonce,const u8 ** anonce,const struct wpabuf ** hlp,unsigned int num_hlp)6358 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
6359 size_t *kek_len, const u8 **snonce,
6360 const u8 **anonce,
6361 const struct wpabuf **hlp,
6362 unsigned int num_hlp)
6363 {
6364 struct wpabuf *buf;
6365 size_t len;
6366 unsigned int i;
6367
6368 len = 1000;
6369 #ifdef CONFIG_IEEE80211R
6370 if (sm->fils_ft_ies)
6371 len += wpabuf_len(sm->fils_ft_ies);
6372 if (wpa_key_mgmt_ft(sm->key_mgmt))
6373 len += 256;
6374 #endif /* CONFIG_IEEE80211R */
6375 for (i = 0; hlp && i < num_hlp; i++)
6376 len += 10 + wpabuf_len(hlp[i]);
6377 buf = wpabuf_alloc(len);
6378 if (!buf)
6379 return NULL;
6380
6381 #ifdef CONFIG_IEEE80211R
6382 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
6383 /* MDE and FTE when using FILS+FT */
6384 wpabuf_put_buf(buf, sm->fils_ft_ies);
6385 /* RSNE with PMKR1Name in PMKID field */
6386 if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) {
6387 wpabuf_free(buf);
6388 return NULL;
6389 }
6390 }
6391 #endif /* CONFIG_IEEE80211R */
6392
6393 /* FILS Session */
6394 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6395 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
6396 /* Element ID Extension */
6397 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
6398 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
6399
6400 /* Everything after FILS Session element gets encrypted in the driver
6401 * with KEK. The buffer returned from here is the plaintext version. */
6402
6403 /* TODO: FILS Public Key */
6404
6405 /* FILS Key Confirm */
6406 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6407 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
6408 /* Element ID Extension */
6409 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
6410 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
6411
6412 /* FILS HLP Container */
6413 for (i = 0; hlp && i < num_hlp; i++) {
6414 const u8 *pos = wpabuf_head(hlp[i]);
6415 size_t left = wpabuf_len(hlp[i]);
6416
6417 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6418 if (left <= 254)
6419 len = 1 + left;
6420 else
6421 len = 255;
6422 wpabuf_put_u8(buf, len); /* Length */
6423 /* Element ID Extension */
6424 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
6425 /* Destination MAC Address, Source MAC Address, HLP Packet.
6426 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
6427 * header when LPD is used). */
6428 wpabuf_put_data(buf, pos, len - 1);
6429 pos += len - 1;
6430 left -= len - 1;
6431 while (left) {
6432 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
6433 len = left > 255 ? 255 : left;
6434 wpabuf_put_u8(buf, len);
6435 wpabuf_put_data(buf, pos, len);
6436 pos += len;
6437 left -= len;
6438 }
6439 }
6440
6441 /* TODO: FILS IP Address Assignment */
6442
6443 #ifdef CONFIG_OCV
6444 if (wpa_sm_ocv_enabled(sm)) {
6445 struct wpa_channel_info ci;
6446 u8 *pos;
6447
6448 if (wpa_sm_channel_info(sm, &ci) != 0) {
6449 wpa_printf(MSG_WARNING,
6450 "FILS: Failed to get channel info for OCI element");
6451 wpabuf_free(buf);
6452 return NULL;
6453 }
6454 #ifdef CONFIG_TESTING_OPTIONS
6455 if (sm->oci_freq_override_fils_assoc) {
6456 wpa_printf(MSG_INFO,
6457 "TEST: Override OCI KDE frequency %d -> %d MHz",
6458 ci.frequency,
6459 sm->oci_freq_override_fils_assoc);
6460 ci.frequency = sm->oci_freq_override_fils_assoc;
6461 }
6462 #endif /* CONFIG_TESTING_OPTIONS */
6463
6464 pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN);
6465 if (ocv_insert_extended_oci(&ci, pos) < 0) {
6466 wpabuf_free(buf);
6467 return NULL;
6468 }
6469 }
6470 #endif /* CONFIG_OCV */
6471
6472 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
6473
6474 *kek = sm->ptk.kek;
6475 *kek_len = sm->ptk.kek_len;
6476 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
6477 *snonce = sm->fils_nonce;
6478 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
6479 *snonce, FILS_NONCE_LEN);
6480 *anonce = sm->fils_anonce;
6481 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
6482 *anonce, FILS_NONCE_LEN);
6483
6484 return buf;
6485 }
6486
6487
fils_process_hlp_resp(struct wpa_sm * sm,const u8 * resp,size_t len)6488 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
6489 {
6490 const u8 *pos, *end;
6491
6492 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
6493 if (len < 2 * ETH_ALEN)
6494 return;
6495 pos = resp + 2 * ETH_ALEN;
6496 end = resp + len;
6497 if (end - pos >= 6 &&
6498 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
6499 pos += 6; /* Remove SNAP/LLC header */
6500 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
6501 }
6502
6503
fils_process_hlp_container(struct wpa_sm * sm,const u8 * pos,size_t len)6504 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
6505 size_t len)
6506 {
6507 const u8 *end = pos + len;
6508 u8 *tmp, *tmp_pos;
6509
6510 /* Check if there are any FILS HLP Container elements */
6511 while (end - pos >= 2) {
6512 if (2 + pos[1] > end - pos)
6513 return;
6514 if (pos[0] == WLAN_EID_EXTENSION &&
6515 pos[1] >= 1 + 2 * ETH_ALEN &&
6516 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
6517 break;
6518 pos += 2 + pos[1];
6519 }
6520 if (end - pos < 2)
6521 return; /* No FILS HLP Container elements */
6522
6523 tmp = os_malloc(end - pos);
6524 if (!tmp)
6525 return;
6526
6527 while (end - pos >= 2) {
6528 if (2 + pos[1] > end - pos ||
6529 pos[0] != WLAN_EID_EXTENSION ||
6530 pos[1] < 1 + 2 * ETH_ALEN ||
6531 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
6532 break;
6533 tmp_pos = tmp;
6534 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
6535 tmp_pos += pos[1] - 1;
6536 pos += 2 + pos[1];
6537
6538 /* Add possible fragments */
6539 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
6540 2 + pos[1] <= end - pos) {
6541 os_memcpy(tmp_pos, pos + 2, pos[1]);
6542 tmp_pos += pos[1];
6543 pos += 2 + pos[1];
6544 }
6545
6546 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
6547 }
6548
6549 os_free(tmp);
6550 }
6551
6552
fils_process_assoc_resp(struct wpa_sm * sm,const u8 * resp,size_t len)6553 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
6554 {
6555 const struct ieee80211_mgmt *mgmt;
6556 const u8 *end, *ie_start;
6557 struct ieee802_11_elems elems;
6558 int keylen, rsclen;
6559 enum wpa_alg alg;
6560 struct wpa_gtk_data gd;
6561 int maxkeylen;
6562 struct wpa_eapol_ie_parse kde;
6563
6564 if (!sm || !sm->ptk_set) {
6565 wpa_printf(MSG_DEBUG, "FILS: No KEK available");
6566 return -1;
6567 }
6568
6569 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
6570 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
6571 return -1;
6572 }
6573
6574 if (sm->fils_completed) {
6575 wpa_printf(MSG_DEBUG,
6576 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
6577 return -1;
6578 }
6579
6580 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
6581 resp, len);
6582
6583 mgmt = (const struct ieee80211_mgmt *) resp;
6584 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
6585 return -1;
6586
6587 end = resp + len;
6588 /* Same offset for Association Response and Reassociation Response */
6589 ie_start = mgmt->u.assoc_resp.variable;
6590
6591 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
6592 ParseFailed) {
6593 wpa_printf(MSG_DEBUG,
6594 "FILS: Failed to parse decrypted elements");
6595 goto fail;
6596 }
6597
6598 if (!elems.fils_session) {
6599 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
6600 return -1;
6601 }
6602 if (os_memcmp(elems.fils_session, sm->fils_session,
6603 FILS_SESSION_LEN) != 0) {
6604 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
6605 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
6606 elems.fils_session, FILS_SESSION_LEN);
6607 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
6608 sm->fils_session, FILS_SESSION_LEN);
6609 }
6610
6611 if (!elems.rsn_ie) {
6612 wpa_printf(MSG_DEBUG,
6613 "FILS: No RSNE in (Re)Association Response");
6614 /* As an interop workaround, allow this for now since IEEE Std
6615 * 802.11ai-2016 did not include all the needed changes to make
6616 * a FILS AP include RSNE in the frame. This workaround might
6617 * eventually be removed and replaced with rejection (goto fail)
6618 * to follow a strict interpretation of the standard. */
6619 } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
6620 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
6621 elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
6622 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
6623 "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
6624 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
6625 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
6626 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
6627 elems.rsn_ie, elems.rsn_ie_len);
6628 goto fail;
6629 }
6630
6631 /* TODO: FILS Public Key */
6632
6633 if (!elems.fils_key_confirm) {
6634 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
6635 goto fail;
6636 }
6637 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
6638 wpa_printf(MSG_DEBUG,
6639 "FILS: Unexpected Key-Auth length %d (expected %d)",
6640 elems.fils_key_confirm_len,
6641 (int) sm->fils_key_auth_len);
6642 goto fail;
6643 }
6644 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
6645 sm->fils_key_auth_len) != 0) {
6646 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
6647 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
6648 elems.fils_key_confirm,
6649 elems.fils_key_confirm_len);
6650 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
6651 sm->fils_key_auth_ap, sm->fils_key_auth_len);
6652 goto fail;
6653 }
6654
6655 #ifdef CONFIG_OCV
6656 if (wpa_sm_ocv_enabled(sm)) {
6657 struct wpa_channel_info ci;
6658
6659 if (wpa_sm_channel_info(sm, &ci) != 0) {
6660 wpa_printf(MSG_WARNING,
6661 "Failed to get channel info to validate received OCI in FILS (Re)Association Response frame");
6662 goto fail;
6663 }
6664
6665 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
6666 channel_width_to_int(ci.chanwidth),
6667 ci.seg1_idx) != OCI_SUCCESS) {
6668 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
6669 "addr=" MACSTR " frame=fils-assoc error=%s",
6670 MAC2STR(sm->bssid), ocv_errorstr);
6671 goto fail;
6672 }
6673 }
6674 #endif /* CONFIG_OCV */
6675
6676 #ifdef CONFIG_IEEE80211R
6677 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
6678 struct wpa_ie_data rsn;
6679
6680 /* Check that PMKR1Name derived by the AP matches */
6681 if (!elems.rsn_ie ||
6682 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
6683 &rsn) < 0 ||
6684 !rsn.pmkid || rsn.num_pmkid != 1 ||
6685 os_memcmp(rsn.pmkid, sm->pmk_r1_name,
6686 WPA_PMK_NAME_LEN) != 0) {
6687 wpa_printf(MSG_DEBUG,
6688 "FILS+FT: No RSNE[PMKR1Name] match in AssocResp");
6689 goto fail;
6690 }
6691 }
6692 #endif /* CONFIG_IEEE80211R */
6693
6694 /* Key Delivery */
6695 if (!elems.key_delivery) {
6696 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
6697 goto fail;
6698 }
6699
6700 /* Parse GTK and set the key to the driver */
6701 os_memset(&gd, 0, sizeof(gd));
6702 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
6703 elems.key_delivery_len - WPA_KEY_RSC_LEN,
6704 &kde) < 0) {
6705 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
6706 goto fail;
6707 }
6708 if (!kde.gtk) {
6709 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
6710 goto fail;
6711 }
6712 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
6713 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
6714 gd.gtk_len, maxkeylen,
6715 &gd.key_rsc_len, &gd.alg))
6716 goto fail;
6717
6718 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
6719 gd.keyidx = kde.gtk[0] & 0x3;
6720 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
6721 !!(kde.gtk[0] & BIT(2)));
6722 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
6723 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
6724 (unsigned long) kde.gtk_len - 2);
6725 goto fail;
6726 }
6727 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
6728
6729 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
6730 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
6731 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
6732 goto fail;
6733 }
6734
6735 if (ieee80211w_set_keys(sm, &kde) < 0) {
6736 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
6737 goto fail;
6738 }
6739
6740 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
6741 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
6742 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
6743 wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
6744 keylen, (long unsigned int) sm->ptk.tk_len);
6745 goto fail;
6746 }
6747
6748 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
6749 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
6750 sm->ptk.tk, keylen);
6751 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm), 0, 1,
6752 null_rsc, rsclen,
6753 sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE_RX_TX) < 0) {
6754 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
6755 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d auth_addr="
6756 MACSTR ")",
6757 alg, keylen, MAC2STR(wpa_sm_get_auth_addr(sm)));
6758 goto fail;
6759 }
6760
6761 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
6762 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
6763
6764 /* TODO: TK could be cleared after auth frame exchange now that driver
6765 * takes care of association frame encryption/decryption. */
6766 /* TK is not needed anymore in supplicant */
6767 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
6768 sm->ptk.tk_len = 0;
6769 sm->ptk.installed = 1;
6770 sm->tk_set = true;
6771
6772 /* FILS HLP Container */
6773 fils_process_hlp_container(sm, ie_start, end - ie_start);
6774
6775 /* TODO: FILS IP Address Assignment */
6776
6777 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
6778 sm->fils_completed = 1;
6779 forced_memzero(&gd, sizeof(gd));
6780
6781 if (kde.transition_disable)
6782 wpa_sm_transition_disable(sm, kde.transition_disable[0]);
6783
6784 return 0;
6785 fail:
6786 forced_memzero(&gd, sizeof(gd));
6787 return -1;
6788 }
6789
6790
wpa_sm_set_reset_fils_completed(struct wpa_sm * sm,int set)6791 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set)
6792 {
6793 if (sm)
6794 sm->fils_completed = !!set;
6795 }
6796
6797 #endif /* CONFIG_FILS */
6798
6799
wpa_fils_is_completed(struct wpa_sm * sm)6800 int wpa_fils_is_completed(struct wpa_sm *sm)
6801 {
6802 #ifdef CONFIG_FILS
6803 return sm && sm->fils_completed;
6804 #else /* CONFIG_FILS */
6805 return 0;
6806 #endif /* CONFIG_FILS */
6807 }
6808
6809
6810 #ifdef CONFIG_OWE
6811
owe_build_assoc_req(struct wpa_sm * sm,u16 group)6812 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group)
6813 {
6814 struct wpabuf *ie = NULL, *pub = NULL;
6815 size_t prime_len;
6816
6817 if (group == 19)
6818 prime_len = 32;
6819 else if (group == 20)
6820 prime_len = 48;
6821 else if (group == 21)
6822 prime_len = 66;
6823 else
6824 return NULL;
6825
6826 crypto_ecdh_deinit(sm->owe_ecdh);
6827 sm->owe_ecdh = crypto_ecdh_init(group);
6828 if (!sm->owe_ecdh)
6829 goto fail;
6830 sm->owe_group = group;
6831 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
6832 pub = wpabuf_zeropad(pub, prime_len);
6833 if (!pub)
6834 goto fail;
6835
6836 ie = wpabuf_alloc(5 + wpabuf_len(pub));
6837 if (!ie)
6838 goto fail;
6839 wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
6840 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
6841 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
6842 wpabuf_put_le16(ie, group);
6843 wpabuf_put_buf(ie, pub);
6844 wpabuf_free(pub);
6845 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
6846 ie);
6847
6848 return ie;
6849 fail:
6850 wpabuf_free(pub);
6851 crypto_ecdh_deinit(sm->owe_ecdh);
6852 sm->owe_ecdh = NULL;
6853 return NULL;
6854 }
6855
6856
owe_process_assoc_resp(struct wpa_sm * sm,const u8 * bssid,const u8 * resp_ies,size_t resp_ies_len)6857 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
6858 const u8 *resp_ies, size_t resp_ies_len)
6859 {
6860 struct ieee802_11_elems elems;
6861 u16 group;
6862 struct wpabuf *secret, *pub, *hkey;
6863 int res;
6864 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
6865 const char *info = "OWE Key Generation";
6866 const u8 *addr[2];
6867 size_t len[2];
6868 size_t hash_len, prime_len;
6869 struct wpa_ie_data data;
6870
6871 if (!resp_ies ||
6872 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
6873 ParseFailed) {
6874 wpa_printf(MSG_INFO,
6875 "OWE: Could not parse Association Response frame elements");
6876 return -1;
6877 }
6878
6879 if (sm->cur_pmksa && elems.rsn_ie &&
6880 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len,
6881 &data) == 0 &&
6882 data.num_pmkid == 1 && data.pmkid &&
6883 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) {
6884 wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching");
6885 wpa_sm_set_pmk_from_pmksa(sm);
6886 return 0;
6887 }
6888
6889 if (!elems.owe_dh) {
6890 wpa_printf(MSG_INFO,
6891 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
6892 return -1;
6893 }
6894
6895 group = WPA_GET_LE16(elems.owe_dh);
6896 if (group != sm->owe_group) {
6897 wpa_printf(MSG_INFO,
6898 "OWE: Unexpected Diffie-Hellman group in response: %u",
6899 group);
6900 return -1;
6901 }
6902
6903 if (!sm->owe_ecdh) {
6904 wpa_printf(MSG_INFO, "OWE: No ECDH state available");
6905 return -1;
6906 }
6907
6908 if (group == 19)
6909 prime_len = 32;
6910 else if (group == 20)
6911 prime_len = 48;
6912 else if (group == 21)
6913 prime_len = 66;
6914 else
6915 return -1;
6916
6917 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
6918 elems.owe_dh + 2,
6919 elems.owe_dh_len - 2);
6920 secret = wpabuf_zeropad(secret, prime_len);
6921 if (!secret) {
6922 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
6923 return -1;
6924 }
6925 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
6926
6927 /* prk = HKDF-extract(C | A | group, z) */
6928
6929 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
6930 if (!pub) {
6931 wpabuf_clear_free(secret);
6932 return -1;
6933 }
6934
6935 /* PMKID = Truncate-128(Hash(C | A)) */
6936 addr[0] = wpabuf_head(pub);
6937 len[0] = wpabuf_len(pub);
6938 addr[1] = elems.owe_dh + 2;
6939 len[1] = elems.owe_dh_len - 2;
6940 if (group == 19) {
6941 res = sha256_vector(2, addr, len, pmkid);
6942 hash_len = SHA256_MAC_LEN;
6943 } else if (group == 20) {
6944 res = sha384_vector(2, addr, len, pmkid);
6945 hash_len = SHA384_MAC_LEN;
6946 } else if (group == 21) {
6947 res = sha512_vector(2, addr, len, pmkid);
6948 hash_len = SHA512_MAC_LEN;
6949 } else {
6950 res = -1;
6951 hash_len = 0;
6952 }
6953 pub = wpabuf_zeropad(pub, prime_len);
6954 if (res < 0 || !pub) {
6955 wpabuf_free(pub);
6956 wpabuf_clear_free(secret);
6957 return -1;
6958 }
6959
6960 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
6961 if (!hkey) {
6962 wpabuf_free(pub);
6963 wpabuf_clear_free(secret);
6964 return -1;
6965 }
6966
6967 wpabuf_put_buf(hkey, pub); /* C */
6968 wpabuf_free(pub);
6969 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
6970 wpabuf_put_le16(hkey, sm->owe_group); /* group */
6971 if (group == 19)
6972 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
6973 wpabuf_head(secret), wpabuf_len(secret), prk);
6974 else if (group == 20)
6975 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
6976 wpabuf_head(secret), wpabuf_len(secret), prk);
6977 else if (group == 21)
6978 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
6979 wpabuf_head(secret), wpabuf_len(secret), prk);
6980 wpabuf_clear_free(hkey);
6981 wpabuf_clear_free(secret);
6982 if (res < 0)
6983 return -1;
6984
6985 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
6986
6987 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
6988
6989 if (group == 19)
6990 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
6991 os_strlen(info), sm->pmk, hash_len);
6992 else if (group == 20)
6993 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
6994 os_strlen(info), sm->pmk, hash_len);
6995 else if (group == 21)
6996 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
6997 os_strlen(info), sm->pmk, hash_len);
6998 forced_memzero(prk, SHA512_MAC_LEN);
6999 if (res < 0) {
7000 sm->pmk_len = 0;
7001 return -1;
7002 }
7003 sm->pmk_len = hash_len;
7004
7005 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
7006 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
7007 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
7008 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
7009 NULL);
7010
7011 return 0;
7012 }
7013
7014 #endif /* CONFIG_OWE */
7015
7016
wpa_sm_set_fils_cache_id(struct wpa_sm * sm,const u8 * fils_cache_id)7017 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id)
7018 {
7019 #ifdef CONFIG_FILS
7020 if (sm && fils_cache_id) {
7021 sm->fils_cache_id_set = 1;
7022 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN);
7023 }
7024 #endif /* CONFIG_FILS */
7025 }
7026
7027
7028 #ifdef CONFIG_DPP2
wpa_sm_set_dpp_z(struct wpa_sm * sm,const struct wpabuf * z)7029 void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z)
7030 {
7031 if (sm) {
7032 wpabuf_clear_free(sm->dpp_z);
7033 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
7034 }
7035 }
7036 #endif /* CONFIG_DPP2 */
7037
7038
7039 #ifdef CONFIG_PASN
7040
wpa_pasn_sm_set_caps(struct wpa_sm * sm,unsigned int flags2)7041 void wpa_pasn_sm_set_caps(struct wpa_sm *sm, unsigned int flags2)
7042 {
7043 if (flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_STA)
7044 sm->secure_ltf = 1;
7045 if (flags2 & WPA_DRIVER_FLAGS2_SEC_RTT_STA)
7046 sm->secure_rtt = 1;
7047 if (flags2 & WPA_DRIVER_FLAGS2_PROT_RANGE_NEG_STA)
7048 sm->prot_range_neg = 1;
7049 }
7050
7051 #endif /* CONFIG_PASN */
7052
7053
wpa_sm_pmksa_cache_reconfig(struct wpa_sm * sm)7054 void wpa_sm_pmksa_cache_reconfig(struct wpa_sm *sm)
7055 {
7056 if (sm)
7057 pmksa_cache_reconfig(sm->pmksa);
7058 }
7059
7060
wpa_sm_get_pmksa_cache(struct wpa_sm * sm)7061 struct rsn_pmksa_cache * wpa_sm_get_pmksa_cache(struct wpa_sm *sm)
7062 {
7063 return sm ? sm->pmksa : NULL;
7064 }
7065
7066
wpa_sm_set_cur_pmksa(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)7067 void wpa_sm_set_cur_pmksa(struct wpa_sm *sm,
7068 struct rsn_pmksa_cache_entry *entry)
7069 {
7070 if (sm)
7071 sm->cur_pmksa = entry;
7072 }
7073
7074
wpa_sm_set_driver_bss_selection(struct wpa_sm * sm,bool driver_bss_selection)7075 void wpa_sm_set_driver_bss_selection(struct wpa_sm *sm,
7076 bool driver_bss_selection)
7077 {
7078 if (sm)
7079 sm->driver_bss_selection = driver_bss_selection;
7080 }
7081
