1 /*
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
4 * Copyright(c) 2015 Intel Deutschland GmbH
5 *
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
8 */
9
10 #include "includes.h"
11
12 #include "common.h"
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "crypto/sha256.h"
19 #include "crypto/sha384.h"
20 #include "crypto/sha512.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/ieee802_11_common.h"
23 #include "common/ocv.h"
24 #include "common/dpp.h"
25 #include "common/wpa_ctrl.h"
26 #include "eap_common/eap_defs.h"
27 #include "eapol_supp/eapol_supp_sm.h"
28 #include "drivers/driver.h"
29 #include "wpa.h"
30 #include "eloop.h"
31 #include "preauth.h"
32 #include "pmksa_cache.h"
33 #include "wpa_i.h"
34 #include "wpa_ie.h"
35
36
37 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
38
39
40 /**
41 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
42 * @sm: Pointer to WPA state machine data from wpa_sm_init()
43 * @ptk: PTK for Key Confirmation/Encryption Key
44 * @ver: Version field from Key Info
45 * @dest: Destination address for the frame
46 * @proto: Ethertype (usually ETH_P_EAPOL)
47 * @msg: EAPOL-Key message
48 * @msg_len: Length of message
49 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
50 * Returns: >= 0 on success, < 0 on failure
51 */
wpa_eapol_key_send(struct wpa_sm * sm,struct wpa_ptk * ptk,int ver,const u8 * dest,u16 proto,u8 * msg,size_t msg_len,u8 * key_mic)52 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
53 int ver, const u8 *dest, u16 proto,
54 u8 *msg, size_t msg_len, u8 *key_mic)
55 {
56 int ret = -1;
57 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
58
59 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
60 " ver=%d mic_len=%d key_mgmt=0x%x",
61 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
62 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
63 /*
64 * Association event was not yet received; try to fetch
65 * BSSID from the driver.
66 */
67 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
68 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
69 "WPA: Failed to read BSSID for "
70 "EAPOL-Key destination address");
71 } else {
72 dest = sm->bssid;
73 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
74 "WPA: Use BSSID (" MACSTR
75 ") as the destination for EAPOL-Key",
76 MAC2STR(dest));
77 }
78 }
79
80 if (mic_len) {
81 if (key_mic && (!ptk || !ptk->kck_len))
82 goto out;
83
84 if (key_mic &&
85 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
86 msg, msg_len, key_mic)) {
87 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
88 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
89 ver, sm->key_mgmt);
90 goto out;
91 }
92 if (ptk)
93 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
94 ptk->kck, ptk->kck_len);
95 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
96 key_mic, mic_len);
97 } else {
98 #ifdef CONFIG_FILS
99 /* AEAD cipher - Key MIC field not used */
100 struct ieee802_1x_hdr *s_hdr, *hdr;
101 struct wpa_eapol_key *s_key, *key;
102 u8 *buf, *s_key_data, *key_data;
103 size_t buf_len = msg_len + AES_BLOCK_SIZE;
104 size_t key_data_len;
105 u16 eapol_len;
106 const u8 *aad[1];
107 size_t aad_len[1];
108
109 if (!ptk || !ptk->kek_len)
110 goto out;
111
112 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
113 sizeof(struct wpa_eapol_key) - 2;
114
115 buf = os_malloc(buf_len);
116 if (!buf)
117 goto out;
118
119 os_memcpy(buf, msg, msg_len);
120 hdr = (struct ieee802_1x_hdr *) buf;
121 key = (struct wpa_eapol_key *) (hdr + 1);
122 key_data = ((u8 *) (key + 1)) + 2;
123
124 /* Update EAPOL header to include AES-SIV overhead */
125 eapol_len = be_to_host16(hdr->length);
126 eapol_len += AES_BLOCK_SIZE;
127 hdr->length = host_to_be16(eapol_len);
128
129 /* Update Key Data Length field to include AES-SIV overhead */
130 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
131
132 s_hdr = (struct ieee802_1x_hdr *) msg;
133 s_key = (struct wpa_eapol_key *) (s_hdr + 1);
134 s_key_data = ((u8 *) (s_key + 1)) + 2;
135
136 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
137 s_key_data, key_data_len);
138
139 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
140 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
141 * to Key Data (exclusive). */
142 aad[0] = buf;
143 aad_len[0] = key_data - buf;
144 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
145 s_key_data, key_data_len,
146 1, aad, aad_len, key_data) < 0) {
147 os_free(buf);
148 goto out;
149 }
150
151 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
152 key_data, AES_BLOCK_SIZE + key_data_len);
153
154 os_free(msg);
155 msg = buf;
156 msg_len = buf_len;
157 #else /* CONFIG_FILS */
158 goto out;
159 #endif /* CONFIG_FILS */
160 }
161
162 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
163 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
164 eapol_sm_notify_tx_eapol_key(sm->eapol);
165 out:
166 os_free(msg);
167 return ret;
168 }
169
170
171 /**
172 * wpa_sm_key_request - Send EAPOL-Key Request
173 * @sm: Pointer to WPA state machine data from wpa_sm_init()
174 * @error: Indicate whether this is an Michael MIC error report
175 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
176 *
177 * Send an EAPOL-Key Request to the current authenticator. This function is
178 * used to request rekeying and it is usually called when a local Michael MIC
179 * failure is detected.
180 */
wpa_sm_key_request(struct wpa_sm * sm,int error,int pairwise)181 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
182 {
183 size_t mic_len, hdrlen, rlen;
184 struct wpa_eapol_key *reply;
185 int key_info, ver;
186 u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic;
187
188 if (pairwise && sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
189 wpa_sm_get_state(sm) == WPA_COMPLETED) {
190 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
191 "WPA: PTK0 rekey not allowed, reconnecting");
192 wpa_sm_reconnect(sm);
193 return;
194 }
195
196 if (wpa_use_akm_defined(sm->key_mgmt))
197 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
198 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
199 wpa_key_mgmt_sha256(sm->key_mgmt))
200 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
201 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
202 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
203 else
204 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
205
206 if (wpa_sm_get_bssid(sm, bssid) < 0) {
207 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
208 "Failed to read BSSID for EAPOL-Key request");
209 return;
210 }
211
212 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
213 hdrlen = sizeof(*reply) + mic_len + 2;
214 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
215 hdrlen, &rlen, (void *) &reply);
216 if (rbuf == NULL)
217 return;
218
219 reply->type = (sm->proto == WPA_PROTO_RSN ||
220 sm->proto == WPA_PROTO_OSEN) ?
221 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
222 key_info = WPA_KEY_INFO_REQUEST | ver;
223 if (sm->ptk_set)
224 key_info |= WPA_KEY_INFO_SECURE;
225 if (sm->ptk_set && mic_len)
226 key_info |= WPA_KEY_INFO_MIC;
227 if (error)
228 key_info |= WPA_KEY_INFO_ERROR;
229 if (pairwise)
230 key_info |= WPA_KEY_INFO_KEY_TYPE;
231 WPA_PUT_BE16(reply->key_info, key_info);
232 WPA_PUT_BE16(reply->key_length, 0);
233 os_memcpy(reply->replay_counter, sm->request_counter,
234 WPA_REPLAY_COUNTER_LEN);
235 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
236
237 mic = (u8 *) (reply + 1);
238 WPA_PUT_BE16(mic + mic_len, 0);
239 if (!(key_info & WPA_KEY_INFO_MIC))
240 key_mic = NULL;
241 else
242 key_mic = mic;
243
244 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
245 "WPA: Sending EAPOL-Key Request (error=%d "
246 "pairwise=%d ptk_set=%d len=%lu)",
247 error, pairwise, sm->ptk_set, (unsigned long) rlen);
248 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen,
249 key_mic);
250 }
251
252
wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm * sm)253 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
254 {
255 #ifdef CONFIG_IEEE80211R
256 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
257 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
258 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
259 "RSN: Cannot set low order 256 bits of MSK for key management offload");
260 } else {
261 #endif /* CONFIG_IEEE80211R */
262 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
263 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
264 "RSN: Cannot set PMK for key management offload");
265 #ifdef CONFIG_IEEE80211R
266 }
267 #endif /* CONFIG_IEEE80211R */
268 }
269
270
wpa_supplicant_get_pmk(struct wpa_sm * sm,const unsigned char * src_addr,const u8 * pmkid)271 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
272 const unsigned char *src_addr,
273 const u8 *pmkid)
274 {
275 int abort_cached = 0;
276
277 if (pmkid && !sm->cur_pmksa) {
278 /* When using drivers that generate RSN IE, wpa_supplicant may
279 * not have enough time to get the association information
280 * event before receiving this 1/4 message, so try to find a
281 * matching PMKSA cache entry here. */
282 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid,
283 NULL, 0);
284 if (sm->cur_pmksa) {
285 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
286 "RSN: found matching PMKID from PMKSA cache");
287 } else {
288 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
289 "RSN: no matching PMKID found");
290 abort_cached = 1;
291 }
292 }
293
294 if (pmkid && sm->cur_pmksa &&
295 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
296 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
297 wpa_sm_set_pmk_from_pmksa(sm);
298 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
299 sm->pmk, sm->pmk_len);
300 eapol_sm_notify_cached(sm->eapol);
301 #ifdef CONFIG_IEEE80211R
302 sm->xxkey_len = 0;
303 #ifdef CONFIG_SAE
304 if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE &&
305 sm->pmk_len == PMK_LEN) {
306 /* Need to allow FT key derivation to proceed with
307 * PMK from SAE being used as the XXKey in cases where
308 * the PMKID in msg 1/4 matches the PMKSA entry that was
309 * just added based on SAE authentication for the
310 * initial mobility domain association. */
311 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
312 sm->xxkey_len = sm->pmk_len;
313 }
314 #endif /* CONFIG_SAE */
315 #endif /* CONFIG_IEEE80211R */
316 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
317 int res, pmk_len;
318 #ifdef CONFIG_IEEE80211R
319 u8 buf[2 * PMK_LEN];
320 #endif /* CONFIG_IEEE80211R */
321
322 if (wpa_key_mgmt_sha384(sm->key_mgmt))
323 pmk_len = PMK_LEN_SUITE_B_192;
324 else
325 pmk_len = PMK_LEN;
326 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
327 if (res) {
328 if (pmk_len == PMK_LEN) {
329 /*
330 * EAP-LEAP is an exception from other EAP
331 * methods: it uses only 16-byte PMK.
332 */
333 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
334 pmk_len = 16;
335 }
336 }
337 #ifdef CONFIG_IEEE80211R
338 if (res == 0 &&
339 eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) {
340 if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
341 os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN);
342 sm->xxkey_len = SHA384_MAC_LEN;
343 } else {
344 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
345 sm->xxkey_len = PMK_LEN;
346 }
347 forced_memzero(buf, sizeof(buf));
348 if (sm->proto == WPA_PROTO_RSN &&
349 wpa_key_mgmt_ft(sm->key_mgmt)) {
350 struct rsn_pmksa_cache_entry *sa = NULL;
351 const u8 *fils_cache_id = NULL;
352
353 #ifdef CONFIG_FILS
354 if (sm->fils_cache_id_set)
355 fils_cache_id = sm->fils_cache_id;
356 #endif /* CONFIG_FILS */
357 wpa_hexdump_key(MSG_DEBUG,
358 "FT: Cache XXKey/MPMK",
359 sm->xxkey, sm->xxkey_len);
360 sa = pmksa_cache_add(sm->pmksa,
361 sm->xxkey, sm->xxkey_len,
362 NULL, NULL, 0,
363 src_addr, sm->own_addr,
364 sm->network_ctx,
365 sm->key_mgmt,
366 fils_cache_id);
367 if (!sm->cur_pmksa)
368 sm->cur_pmksa = sa;
369 }
370 }
371 #endif /* CONFIG_IEEE80211R */
372 if (res == 0) {
373 struct rsn_pmksa_cache_entry *sa = NULL;
374 const u8 *fils_cache_id = NULL;
375
376 #ifdef CONFIG_FILS
377 if (sm->fils_cache_id_set)
378 fils_cache_id = sm->fils_cache_id;
379 #endif /* CONFIG_FILS */
380
381 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
382 "machines", sm->pmk, pmk_len);
383 sm->pmk_len = pmk_len;
384 wpa_supplicant_key_mgmt_set_pmk(sm);
385 if (sm->proto == WPA_PROTO_RSN &&
386 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
387 !wpa_key_mgmt_ft(sm->key_mgmt)) {
388 sa = pmksa_cache_add(sm->pmksa,
389 sm->pmk, pmk_len, NULL,
390 NULL, 0,
391 src_addr, sm->own_addr,
392 sm->network_ctx,
393 sm->key_mgmt,
394 fils_cache_id);
395 }
396 if (!sm->cur_pmksa && pmkid &&
397 pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL,
398 0)) {
399 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
400 "RSN: the new PMK matches with the "
401 "PMKID");
402 abort_cached = 0;
403 } else if (sa && !sm->cur_pmksa && pmkid) {
404 /*
405 * It looks like the authentication server
406 * derived mismatching MSK. This should not
407 * really happen, but bugs happen.. There is not
408 * much we can do here without knowing what
409 * exactly caused the server to misbehave.
410 */
411 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
412 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
413 return -1;
414 }
415
416 if (!sm->cur_pmksa)
417 sm->cur_pmksa = sa;
418 #ifdef CONFIG_IEEE80211R
419 } else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) {
420 wpa_printf(MSG_DEBUG,
421 "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol");
422 #endif /* CONFIG_IEEE80211R */
423 } else {
424 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
425 "WPA: Failed to get master session key from "
426 "EAPOL state machines - key handshake "
427 "aborted");
428 if (sm->cur_pmksa) {
429 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
430 "RSN: Cancelled PMKSA caching "
431 "attempt");
432 sm->cur_pmksa = NULL;
433 abort_cached = 1;
434 } else if (!abort_cached) {
435 return -1;
436 }
437 }
438 }
439
440 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
441 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
442 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
443 {
444 /* Send EAPOL-Start to trigger full EAP authentication. */
445 u8 *buf;
446 size_t buflen;
447
448 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
449 "RSN: no PMKSA entry found - trigger "
450 "full EAP authentication");
451 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
452 NULL, 0, &buflen, NULL);
453 if (buf) {
454 /* Set and reset eapFail to allow EAP state machine to
455 * proceed with new authentication. */
456 eapol_sm_notify_eap_fail(sm->eapol, true);
457 eapol_sm_notify_eap_fail(sm->eapol, false);
458 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
459 buf, buflen);
460 os_free(buf);
461 return -2;
462 }
463
464 return -1;
465 }
466
467 return 0;
468 }
469
470
471 /**
472 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
473 * @sm: Pointer to WPA state machine data from wpa_sm_init()
474 * @dst: Destination address for the frame
475 * @key: Pointer to the EAPOL-Key frame header
476 * @ver: Version bits from EAPOL-Key Key Info
477 * @nonce: Nonce value for the EAPOL-Key frame
478 * @wpa_ie: WPA/RSN IE
479 * @wpa_ie_len: Length of the WPA/RSN IE
480 * @ptk: PTK to use for keyed hash and encryption
481 * Returns: >= 0 on success, < 0 on failure
482 */
wpa_supplicant_send_2_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,int ver,const u8 * nonce,const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ptk * ptk)483 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
484 const struct wpa_eapol_key *key,
485 int ver, const u8 *nonce,
486 const u8 *wpa_ie, size_t wpa_ie_len,
487 struct wpa_ptk *ptk)
488 {
489 size_t mic_len, hdrlen, rlen;
490 struct wpa_eapol_key *reply;
491 u8 *rbuf, *key_mic;
492 u8 *rsn_ie_buf = NULL;
493 u16 key_info;
494
495 if (wpa_ie == NULL) {
496 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
497 "cannot generate msg 2/4");
498 return -1;
499 }
500
501 #ifdef CONFIG_IEEE80211R
502 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
503 int res;
504
505 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE before FT processing",
506 wpa_ie, wpa_ie_len);
507 /*
508 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
509 * FTIE from (Re)Association Response.
510 */
511 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
512 sm->assoc_resp_ies_len);
513 if (rsn_ie_buf == NULL)
514 return -1;
515 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
516 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
517 sm->pmk_r1_name);
518 if (res < 0) {
519 os_free(rsn_ie_buf);
520 return -1;
521 }
522 wpa_hexdump(MSG_DEBUG,
523 "WPA: WPA IE after PMKID[PMKR1Name] addition into RSNE",
524 rsn_ie_buf, wpa_ie_len);
525
526 if (sm->assoc_resp_ies) {
527 wpa_hexdump(MSG_DEBUG, "WPA: Add assoc_resp_ies",
528 sm->assoc_resp_ies,
529 sm->assoc_resp_ies_len);
530 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
531 sm->assoc_resp_ies_len);
532 wpa_ie_len += sm->assoc_resp_ies_len;
533 }
534
535 wpa_ie = rsn_ie_buf;
536 }
537 #endif /* CONFIG_IEEE80211R */
538
539 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
540
541 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
542 hdrlen = sizeof(*reply) + mic_len + 2;
543 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
544 NULL, hdrlen + wpa_ie_len,
545 &rlen, (void *) &reply);
546 if (rbuf == NULL) {
547 os_free(rsn_ie_buf);
548 return -1;
549 }
550
551 reply->type = (sm->proto == WPA_PROTO_RSN ||
552 sm->proto == WPA_PROTO_OSEN) ?
553 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
554 key_info = ver | WPA_KEY_INFO_KEY_TYPE;
555 if (mic_len)
556 key_info |= WPA_KEY_INFO_MIC;
557 else
558 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
559 WPA_PUT_BE16(reply->key_info, key_info);
560 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
561 WPA_PUT_BE16(reply->key_length, 0);
562 else
563 os_memcpy(reply->key_length, key->key_length, 2);
564 os_memcpy(reply->replay_counter, key->replay_counter,
565 WPA_REPLAY_COUNTER_LEN);
566 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
567 WPA_REPLAY_COUNTER_LEN);
568
569 key_mic = (u8 *) (reply + 1);
570 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */
571 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
572 os_free(rsn_ie_buf);
573
574 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
575
576 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
577 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
578 key_mic);
579 }
580
581
wpa_derive_ptk(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,struct wpa_ptk * ptk)582 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
583 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
584 {
585 const u8 *z = NULL;
586 size_t z_len = 0, kdk_len;
587 int akmp;
588
589 #ifdef CONFIG_IEEE80211R
590 if (wpa_key_mgmt_ft(sm->key_mgmt))
591 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
592 #endif /* CONFIG_IEEE80211R */
593
594 #ifdef CONFIG_DPP2
595 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
596 z = wpabuf_head(sm->dpp_z);
597 z_len = wpabuf_len(sm->dpp_z);
598 }
599 #endif /* CONFIG_DPP2 */
600
601 akmp = sm->key_mgmt;
602 #ifdef CONFIG_OWE
603 if (sm->owe_ptk_workaround && akmp == WPA_KEY_MGMT_OWE &&
604 sm->pmk_len > 32) {
605 wpa_printf(MSG_DEBUG,
606 "OWE: Force SHA256 for PTK derivation");
607 akmp |= WPA_KEY_MGMT_PSK_SHA256;
608 }
609 #endif /* CONFIG_OWE */
610
611 if (sm->force_kdk_derivation ||
612 (sm->secure_ltf &&
613 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
614 kdk_len = WPA_KDK_MAX_LEN;
615 else
616 kdk_len = 0;
617
618 return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
619 sm->own_addr, sm->bssid, sm->snonce,
620 key->key_nonce, ptk, akmp,
621 sm->pairwise_cipher, z, z_len,
622 kdk_len);
623 }
624
625
wpa_handle_ext_key_id(struct wpa_sm * sm,struct wpa_eapol_ie_parse * kde)626 static int wpa_handle_ext_key_id(struct wpa_sm *sm,
627 struct wpa_eapol_ie_parse *kde)
628 {
629 if (sm->ext_key_id) {
630 u16 key_id;
631
632 if (!kde->key_id) {
633 wpa_msg(sm->ctx->msg_ctx,
634 sm->use_ext_key_id ? MSG_INFO : MSG_DEBUG,
635 "RSN: No Key ID in Extended Key ID handshake");
636 sm->keyidx_active = 0;
637 return sm->use_ext_key_id ? -1 : 0;
638 }
639
640 key_id = kde->key_id[0] & 0x03;
641 if (key_id > 1) {
642 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
643 "RSN: Invalid Extended Key ID: %d", key_id);
644 return -1;
645 }
646 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
647 "RSN: Using Extended Key ID %d", key_id);
648 sm->keyidx_active = key_id;
649 sm->use_ext_key_id = 1;
650 } else {
651 if (kde->key_id && (kde->key_id[0] & 0x03)) {
652 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
653 "RSN: Non-zero Extended Key ID Key ID in PTK0 handshake");
654 return -1;
655 }
656
657 if (kde->key_id) {
658 /* This is not supposed to be included here, but ignore
659 * the case of matching Key ID 0 just in case. */
660 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
661 "RSN: Extended Key ID Key ID 0 in PTK0 handshake");
662 }
663 sm->keyidx_active = 0;
664 sm->use_ext_key_id = 0;
665 }
666
667 return 0;
668 }
669
670
wpa_supplicant_process_1_of_4(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)671 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
672 const unsigned char *src_addr,
673 const struct wpa_eapol_key *key,
674 u16 ver, const u8 *key_data,
675 size_t key_data_len)
676 {
677 struct wpa_eapol_ie_parse ie;
678 struct wpa_ptk *ptk;
679 int res;
680 u8 *kde, *kde_buf = NULL;
681 size_t kde_len;
682
683 if (wpa_sm_get_network_ctx(sm) == NULL) {
684 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
685 "found (msg 1 of 4)");
686 return;
687 }
688
689 if (sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
690 wpa_sm_get_state(sm) == WPA_COMPLETED) {
691 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
692 "WPA: PTK0 rekey not allowed, reconnecting");
693 wpa_sm_reconnect(sm);
694 return;
695 }
696
697 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
698 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way "
699 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
700
701 os_memset(&ie, 0, sizeof(ie));
702
703 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
704 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
705 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
706 key_data, key_data_len);
707 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
708 goto failed;
709 if (ie.pmkid) {
710 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
711 "Authenticator", ie.pmkid, PMKID_LEN);
712 }
713 }
714
715 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
716 if (res == -2) {
717 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
718 "msg 1/4 - requesting full EAP authentication");
719 return;
720 }
721 if (res)
722 goto failed;
723
724 if (sm->renew_snonce) {
725 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
726 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
727 "WPA: Failed to get random data for SNonce");
728 goto failed;
729 }
730 sm->renew_snonce = 0;
731 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
732 sm->snonce, WPA_NONCE_LEN);
733 }
734
735 /* Calculate PTK which will be stored as a temporary PTK until it has
736 * been verified when processing message 3/4. */
737 ptk = &sm->tptk;
738 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
739 goto failed;
740 if (sm->pairwise_cipher == WPA_CIPHER_TKIP) {
741 u8 buf[8];
742 /* Supplicant: swap tx/rx Mic keys */
743 os_memcpy(buf, &ptk->tk[16], 8);
744 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
745 os_memcpy(&ptk->tk[24], buf, 8);
746 forced_memzero(buf, sizeof(buf));
747 }
748 sm->tptk_set = 1;
749
750 kde = sm->assoc_wpa_ie;
751 kde_len = sm->assoc_wpa_ie_len;
752 kde_buf = os_malloc(kde_len +
753 2 + RSN_SELECTOR_LEN + 3 +
754 sm->assoc_rsnxe_len +
755 2 + RSN_SELECTOR_LEN + 1 +
756 2 + RSN_SELECTOR_LEN + 2);
757 if (!kde_buf)
758 goto failed;
759 os_memcpy(kde_buf, kde, kde_len);
760 kde = kde_buf;
761
762 #ifdef CONFIG_OCV
763 if (wpa_sm_ocv_enabled(sm)) {
764 struct wpa_channel_info ci;
765 u8 *pos;
766
767 pos = kde + kde_len;
768 if (wpa_sm_channel_info(sm, &ci) != 0) {
769 wpa_printf(MSG_WARNING,
770 "Failed to get channel info for OCI element in EAPOL-Key 2/4");
771 goto failed;
772 }
773 #ifdef CONFIG_TESTING_OPTIONS
774 if (sm->oci_freq_override_eapol) {
775 wpa_printf(MSG_INFO,
776 "TEST: Override OCI KDE frequency %d -> %d MHz",
777 ci.frequency, sm->oci_freq_override_eapol);
778 ci.frequency = sm->oci_freq_override_eapol;
779 }
780 #endif /* CONFIG_TESTING_OPTIONS */
781
782 if (ocv_insert_oci_kde(&ci, &pos) < 0)
783 goto failed;
784 kde_len = pos - kde;
785 }
786 #endif /* CONFIG_OCV */
787
788 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) {
789 os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len);
790 kde_len += sm->assoc_rsnxe_len;
791 }
792
793 #ifdef CONFIG_P2P
794 if (sm->p2p) {
795 u8 *pos;
796
797 wpa_printf(MSG_DEBUG,
798 "P2P: Add IP Address Request KDE into EAPOL-Key 2/4");
799 pos = kde + kde_len;
800 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
801 *pos++ = RSN_SELECTOR_LEN + 1;
802 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
803 pos += RSN_SELECTOR_LEN;
804 *pos++ = 0x01;
805 kde_len = pos - kde;
806 }
807 #endif /* CONFIG_P2P */
808
809 #ifdef CONFIG_DPP2
810 if (DPP_VERSION > 1 && sm->key_mgmt == WPA_KEY_MGMT_DPP) {
811 u8 *pos;
812
813 wpa_printf(MSG_DEBUG, "DPP: Add DPP KDE into EAPOL-Key 2/4");
814 pos = kde + kde_len;
815 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
816 *pos++ = RSN_SELECTOR_LEN + 2;
817 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_DPP);
818 pos += RSN_SELECTOR_LEN;
819 *pos++ = DPP_VERSION; /* Protocol Version */
820 *pos = 0; /* Flags */
821 if (sm->dpp_pfs == 0)
822 *pos |= DPP_KDE_PFS_ALLOWED;
823 else if (sm->dpp_pfs == 1)
824 *pos |= DPP_KDE_PFS_ALLOWED | DPP_KDE_PFS_REQUIRED;
825 pos++;
826 kde_len = pos - kde;
827 }
828 #endif /* CONFIG_DPP2 */
829
830 if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce,
831 kde, kde_len, ptk) < 0)
832 goto failed;
833
834 os_free(kde_buf);
835 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
836 return;
837
838 failed:
839 os_free(kde_buf);
840 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
841 }
842
843
wpa_sm_start_preauth(void * eloop_ctx,void * timeout_ctx)844 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
845 {
846 struct wpa_sm *sm = eloop_ctx;
847 rsn_preauth_candidate_process(sm);
848 }
849
850
wpa_supplicant_key_neg_complete(struct wpa_sm * sm,const u8 * addr,int secure)851 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
852 const u8 *addr, int secure)
853 {
854 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
855 "WPA: Key negotiation completed with "
856 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
857 wpa_cipher_txt(sm->pairwise_cipher),
858 wpa_cipher_txt(sm->group_cipher));
859 wpa_sm_cancel_auth_timeout(sm);
860 wpa_sm_set_state(sm, WPA_COMPLETED);
861
862 if (secure) {
863 wpa_sm_mlme_setprotection(
864 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
865 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
866 eapol_sm_notify_portValid(sm->eapol, true);
867 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
868 sm->key_mgmt == WPA_KEY_MGMT_DPP ||
869 sm->key_mgmt == WPA_KEY_MGMT_OWE)
870 eapol_sm_notify_eap_success(sm->eapol, true);
871 /*
872 * Start preauthentication after a short wait to avoid a
873 * possible race condition between the data receive and key
874 * configuration after the 4-Way Handshake. This increases the
875 * likelihood of the first preauth EAPOL-Start frame getting to
876 * the target AP.
877 */
878 if (!dl_list_empty(&sm->pmksa_candidates))
879 eloop_register_timeout(1, 0, wpa_sm_start_preauth,
880 sm, NULL);
881 }
882
883 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
884 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
885 "RSN: Authenticator accepted "
886 "opportunistic PMKSA entry - marking it valid");
887 sm->cur_pmksa->opportunistic = 0;
888 }
889
890 #ifdef CONFIG_IEEE80211R
891 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
892 /* Prepare for the next transition */
893 wpa_ft_prepare_auth_request(sm, NULL);
894 }
895 #endif /* CONFIG_IEEE80211R */
896 }
897
898
wpa_sm_rekey_ptk(void * eloop_ctx,void * timeout_ctx)899 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
900 {
901 struct wpa_sm *sm = eloop_ctx;
902 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
903 wpa_sm_key_request(sm, 0, 1);
904 }
905
906
wpa_supplicant_install_ptk(struct wpa_sm * sm,const struct wpa_eapol_key * key,enum key_flag key_flag)907 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
908 const struct wpa_eapol_key *key,
909 enum key_flag key_flag)
910 {
911 int keylen, rsclen;
912 enum wpa_alg alg;
913 const u8 *key_rsc;
914
915 if (sm->ptk.installed) {
916 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
917 "WPA: Do not re-install same PTK to the driver");
918 return 0;
919 }
920
921 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
922 "WPA: Installing PTK to the driver");
923
924 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
925 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
926 "Suite: NONE - do not use pairwise keys");
927 return 0;
928 }
929
930 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
931 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
932 "WPA: Unsupported pairwise cipher %d",
933 sm->pairwise_cipher);
934 return -1;
935 }
936
937 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
938 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
939 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
940 wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",
941 keylen, (long unsigned int) sm->ptk.tk_len);
942 return -1;
943 }
944 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
945
946 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
947 key_rsc = null_rsc;
948 } else {
949 key_rsc = key->key_rsc;
950 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
951 }
952
953 if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, 1, key_rsc,
954 rsclen, sm->ptk.tk, keylen,
955 KEY_FLAG_PAIRWISE | key_flag) < 0) {
956 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
957 "WPA: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
958 MACSTR " idx=%d key_flag=0x%x)",
959 alg, keylen, MAC2STR(sm->bssid),
960 sm->keyidx_active, key_flag);
961 return -1;
962 }
963
964 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
965 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
966
967 /* TK is not needed anymore in supplicant */
968 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
969 sm->ptk.tk_len = 0;
970 sm->ptk.installed = 1;
971
972 if (sm->wpa_ptk_rekey) {
973 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
974 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
975 sm, NULL);
976 }
977 return 0;
978 }
979
980
wpa_supplicant_activate_ptk(struct wpa_sm * sm)981 static int wpa_supplicant_activate_ptk(struct wpa_sm *sm)
982 {
983 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
984 "WPA: Activate PTK (idx=%d bssid=" MACSTR ")",
985 sm->keyidx_active, MAC2STR(sm->bssid));
986
987 if (wpa_sm_set_key(sm, 0, sm->bssid, sm->keyidx_active, 0, NULL, 0,
988 NULL, 0, KEY_FLAG_PAIRWISE_RX_TX_MODIFY) < 0) {
989 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
990 "WPA: Failed to activate PTK for TX (idx=%d bssid="
991 MACSTR ")", sm->keyidx_active, MAC2STR(sm->bssid));
992 return -1;
993 }
994 return 0;
995 }
996
997
wpa_supplicant_check_group_cipher(struct wpa_sm * sm,int group_cipher,int keylen,int maxkeylen,int * key_rsc_len,enum wpa_alg * alg)998 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
999 int group_cipher,
1000 int keylen, int maxkeylen,
1001 int *key_rsc_len,
1002 enum wpa_alg *alg)
1003 {
1004 int klen;
1005
1006 *alg = wpa_cipher_to_alg(group_cipher);
1007 if (*alg == WPA_ALG_NONE) {
1008 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1009 "WPA: Unsupported Group Cipher %d",
1010 group_cipher);
1011 return -1;
1012 }
1013 *key_rsc_len = wpa_cipher_rsc_len(group_cipher);
1014
1015 klen = wpa_cipher_key_len(group_cipher);
1016 if (keylen != klen || maxkeylen < klen) {
1017 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1018 "WPA: Unsupported %s Group Cipher key length %d (%d)",
1019 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
1020 return -1;
1021 }
1022 return 0;
1023 }
1024
1025
1026 struct wpa_gtk_data {
1027 enum wpa_alg alg;
1028 int tx, key_rsc_len, keyidx;
1029 u8 gtk[32];
1030 int gtk_len;
1031 };
1032
1033
wpa_supplicant_install_gtk(struct wpa_sm * sm,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1034 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
1035 const struct wpa_gtk_data *gd,
1036 const u8 *key_rsc, int wnm_sleep)
1037 {
1038 const u8 *_gtk = gd->gtk;
1039 u8 gtk_buf[32];
1040
1041 /* Detect possible key reinstallation */
1042 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
1043 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
1044 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
1045 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
1046 sm->gtk_wnm_sleep.gtk_len) == 0)) {
1047 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1048 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
1049 gd->keyidx, gd->tx, gd->gtk_len);
1050 return 0;
1051 }
1052
1053 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
1054 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1055 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
1056 gd->keyidx, gd->tx, gd->gtk_len);
1057 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
1058 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1059 /* Swap Tx/Rx keys for Michael MIC */
1060 os_memcpy(gtk_buf, gd->gtk, 16);
1061 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1062 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1063 _gtk = gtk_buf;
1064 }
1065 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1066 if (wpa_sm_set_key(sm, gd->alg, NULL,
1067 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
1068 _gtk, gd->gtk_len,
1069 KEY_FLAG_GROUP_RX_TX_DEFAULT) < 0) {
1070 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1071 "WPA: Failed to set GTK to the driver "
1072 "(Group only)");
1073 forced_memzero(gtk_buf, sizeof(gtk_buf));
1074 return -1;
1075 }
1076 } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr,
1077 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
1078 _gtk, gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1079 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1080 "WPA: Failed to set GTK to "
1081 "the driver (alg=%d keylen=%d keyidx=%d)",
1082 gd->alg, gd->gtk_len, gd->keyidx);
1083 forced_memzero(gtk_buf, sizeof(gtk_buf));
1084 return -1;
1085 }
1086 forced_memzero(gtk_buf, sizeof(gtk_buf));
1087
1088 if (wnm_sleep) {
1089 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
1090 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
1091 sm->gtk_wnm_sleep.gtk_len);
1092 } else {
1093 sm->gtk.gtk_len = gd->gtk_len;
1094 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
1095 }
1096
1097 return 0;
1098 }
1099
1100
wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm * sm,int tx)1101 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
1102 int tx)
1103 {
1104 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
1105 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
1106 * seemed to set this bit (incorrectly, since Tx is only when
1107 * doing Group Key only APs) and without this workaround, the
1108 * data connection does not work because wpa_supplicant
1109 * configured non-zero keyidx to be used for unicast. */
1110 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1111 "WPA: Tx bit set for GTK, but pairwise "
1112 "keys are used - ignore Tx bit");
1113 return 0;
1114 }
1115 return tx;
1116 }
1117
1118
wpa_supplicant_rsc_relaxation(const struct wpa_sm * sm,const u8 * rsc)1119 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
1120 const u8 *rsc)
1121 {
1122 int rsclen;
1123
1124 if (!sm->wpa_rsc_relaxation)
1125 return 0;
1126
1127 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
1128
1129 /*
1130 * Try to detect RSC (endian) corruption issue where the AP sends
1131 * the RSC bytes in EAPOL-Key message in the wrong order, both if
1132 * it's actually a 6-byte field (as it should be) and if it treats
1133 * it as an 8-byte field.
1134 * An AP model known to have this bug is the Sapido RB-1632.
1135 */
1136 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
1137 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1138 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
1139 rsc[0], rsc[1], rsc[2], rsc[3],
1140 rsc[4], rsc[5], rsc[6], rsc[7]);
1141
1142 return 1;
1143 }
1144
1145 return 0;
1146 }
1147
1148
wpa_supplicant_pairwise_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * gtk,size_t gtk_len,int key_info)1149 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
1150 const struct wpa_eapol_key *key,
1151 const u8 *gtk, size_t gtk_len,
1152 int key_info)
1153 {
1154 struct wpa_gtk_data gd;
1155 const u8 *key_rsc;
1156
1157 /*
1158 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
1159 * GTK KDE format:
1160 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
1161 * Reserved [bits 0-7]
1162 * GTK
1163 */
1164
1165 os_memset(&gd, 0, sizeof(gd));
1166 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
1167 gtk, gtk_len);
1168
1169 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
1170 return -1;
1171
1172 gd.keyidx = gtk[0] & 0x3;
1173 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1174 !!(gtk[0] & BIT(2)));
1175 gtk += 2;
1176 gtk_len -= 2;
1177
1178 os_memcpy(gd.gtk, gtk, gtk_len);
1179 gd.gtk_len = gtk_len;
1180
1181 key_rsc = key->key_rsc;
1182 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1183 key_rsc = null_rsc;
1184
1185 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1186 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1187 gtk_len, gtk_len,
1188 &gd.key_rsc_len, &gd.alg) ||
1189 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
1190 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1191 "RSN: Failed to install GTK");
1192 forced_memzero(&gd, sizeof(gd));
1193 return -1;
1194 }
1195 forced_memzero(&gd, sizeof(gd));
1196
1197 return 0;
1198 }
1199
1200
wpa_supplicant_install_igtk(struct wpa_sm * sm,const struct wpa_igtk_kde * igtk,int wnm_sleep)1201 static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
1202 const struct wpa_igtk_kde *igtk,
1203 int wnm_sleep)
1204 {
1205 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1206 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1207
1208 /* Detect possible key reinstallation */
1209 if ((sm->igtk.igtk_len == len &&
1210 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
1211 (sm->igtk_wnm_sleep.igtk_len == len &&
1212 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1213 sm->igtk_wnm_sleep.igtk_len) == 0)) {
1214 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1215 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1216 keyidx);
1217 return 0;
1218 }
1219
1220 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1221 "WPA: IGTK keyid %d pn " COMPACT_MACSTR,
1222 keyidx, MAC2STR(igtk->pn));
1223 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
1224 if (keyidx > 4095) {
1225 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1226 "WPA: Invalid IGTK KeyID %d", keyidx);
1227 return -1;
1228 }
1229 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1230 broadcast_ether_addr,
1231 keyidx, 0, igtk->pn, sizeof(igtk->pn),
1232 igtk->igtk, len, KEY_FLAG_GROUP_RX) < 0) {
1233 if (keyidx == 0x0400 || keyidx == 0x0500) {
1234 /* Assume the AP has broken PMF implementation since it
1235 * seems to have swapped the KeyID bytes. The AP cannot
1236 * be trusted to implement BIP correctly or provide a
1237 * valid IGTK, so do not try to configure this key with
1238 * swapped KeyID bytes. Instead, continue without
1239 * configuring the IGTK so that the driver can drop any
1240 * received group-addressed robust management frames due
1241 * to missing keys.
1242 *
1243 * Normally, this error behavior would result in us
1244 * disconnecting, but there are number of deployed APs
1245 * with this broken behavior, so as an interoperability
1246 * workaround, allow the connection to proceed. */
1247 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1248 "WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order");
1249 } else {
1250 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1251 "WPA: Failed to configure IGTK to the driver");
1252 return -1;
1253 }
1254 }
1255
1256 if (wnm_sleep) {
1257 sm->igtk_wnm_sleep.igtk_len = len;
1258 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1259 sm->igtk_wnm_sleep.igtk_len);
1260 } else {
1261 sm->igtk.igtk_len = len;
1262 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
1263 }
1264
1265 return 0;
1266 }
1267
1268
wpa_supplicant_install_bigtk(struct wpa_sm * sm,const struct wpa_bigtk_kde * bigtk,int wnm_sleep)1269 static int wpa_supplicant_install_bigtk(struct wpa_sm *sm,
1270 const struct wpa_bigtk_kde *bigtk,
1271 int wnm_sleep)
1272 {
1273 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1274 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1275
1276 /* Detect possible key reinstallation */
1277 if ((sm->bigtk.bigtk_len == len &&
1278 os_memcmp(sm->bigtk.bigtk, bigtk->bigtk,
1279 sm->bigtk.bigtk_len) == 0) ||
1280 (sm->bigtk_wnm_sleep.bigtk_len == len &&
1281 os_memcmp(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1282 sm->bigtk_wnm_sleep.bigtk_len) == 0)) {
1283 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1284 "WPA: Not reinstalling already in-use BIGTK to the driver (keyidx=%d)",
1285 keyidx);
1286 return 0;
1287 }
1288
1289 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1290 "WPA: BIGTK keyid %d pn " COMPACT_MACSTR,
1291 keyidx, MAC2STR(bigtk->pn));
1292 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK", bigtk->bigtk, len);
1293 if (keyidx < 6 || keyidx > 7) {
1294 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1295 "WPA: Invalid BIGTK KeyID %d", keyidx);
1296 return -1;
1297 }
1298 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1299 broadcast_ether_addr,
1300 keyidx, 0, bigtk->pn, sizeof(bigtk->pn),
1301 bigtk->bigtk, len, KEY_FLAG_GROUP_RX) < 0) {
1302 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1303 "WPA: Failed to configure BIGTK to the driver");
1304 return -1;
1305 }
1306
1307 if (wnm_sleep) {
1308 sm->bigtk_wnm_sleep.bigtk_len = len;
1309 os_memcpy(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1310 sm->bigtk_wnm_sleep.bigtk_len);
1311 } else {
1312 sm->bigtk.bigtk_len = len;
1313 os_memcpy(sm->bigtk.bigtk, bigtk->bigtk, sm->bigtk.bigtk_len);
1314 }
1315
1316 return 0;
1317 }
1318
1319
ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1320 static int ieee80211w_set_keys(struct wpa_sm *sm,
1321 struct wpa_eapol_ie_parse *ie)
1322 {
1323 size_t len;
1324
1325 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1326 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1327 return 0;
1328
1329 if (ie->igtk) {
1330 const struct wpa_igtk_kde *igtk;
1331
1332 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1333 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
1334 return -1;
1335
1336 igtk = (const struct wpa_igtk_kde *) ie->igtk;
1337 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
1338 return -1;
1339 }
1340
1341 if (ie->bigtk && sm->beacon_prot) {
1342 const struct wpa_bigtk_kde *bigtk;
1343
1344 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1345 if (ie->bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + len)
1346 return -1;
1347
1348 bigtk = (const struct wpa_bigtk_kde *) ie->bigtk;
1349 if (wpa_supplicant_install_bigtk(sm, bigtk, 0) < 0)
1350 return -1;
1351 }
1352
1353 return 0;
1354 }
1355
1356
wpa_report_ie_mismatch(struct wpa_sm * sm,const char * reason,const u8 * src_addr,const u8 * wpa_ie,size_t wpa_ie_len,const u8 * rsn_ie,size_t rsn_ie_len)1357 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
1358 const char *reason, const u8 *src_addr,
1359 const u8 *wpa_ie, size_t wpa_ie_len,
1360 const u8 *rsn_ie, size_t rsn_ie_len)
1361 {
1362 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
1363 reason, MAC2STR(src_addr));
1364
1365 if (sm->ap_wpa_ie) {
1366 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
1367 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
1368 }
1369 if (wpa_ie) {
1370 if (!sm->ap_wpa_ie) {
1371 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1372 "WPA: No WPA IE in Beacon/ProbeResp");
1373 }
1374 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
1375 wpa_ie, wpa_ie_len);
1376 }
1377
1378 if (sm->ap_rsn_ie) {
1379 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1380 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1381 }
1382 if (rsn_ie) {
1383 if (!sm->ap_rsn_ie) {
1384 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1385 "WPA: No RSN IE in Beacon/ProbeResp");
1386 }
1387 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1388 rsn_ie, rsn_ie_len);
1389 }
1390
1391 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
1392 }
1393
1394
1395 #ifdef CONFIG_IEEE80211R
1396
ft_validate_mdie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_mdie)1397 static int ft_validate_mdie(struct wpa_sm *sm,
1398 const unsigned char *src_addr,
1399 struct wpa_eapol_ie_parse *ie,
1400 const u8 *assoc_resp_mdie)
1401 {
1402 struct rsn_mdie *mdie;
1403
1404 mdie = (struct rsn_mdie *) (ie->mdie + 2);
1405 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
1406 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
1407 MOBILITY_DOMAIN_ID_LEN) != 0) {
1408 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
1409 "not match with the current mobility domain");
1410 return -1;
1411 }
1412
1413 if (assoc_resp_mdie &&
1414 (assoc_resp_mdie[1] != ie->mdie[1] ||
1415 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
1416 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
1417 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
1418 ie->mdie, 2 + ie->mdie[1]);
1419 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
1420 assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
1421 return -1;
1422 }
1423
1424 return 0;
1425 }
1426
1427
ft_validate_ftie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_ftie)1428 static int ft_validate_ftie(struct wpa_sm *sm,
1429 const unsigned char *src_addr,
1430 struct wpa_eapol_ie_parse *ie,
1431 const u8 *assoc_resp_ftie)
1432 {
1433 if (ie->ftie == NULL) {
1434 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1435 "FT: No FTIE in EAPOL-Key msg 3/4");
1436 return -1;
1437 }
1438
1439 if (assoc_resp_ftie == NULL)
1440 return 0;
1441
1442 if (assoc_resp_ftie[1] != ie->ftie[1] ||
1443 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
1444 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
1445 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
1446 ie->ftie, 2 + ie->ftie[1]);
1447 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
1448 assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
1449 return -1;
1450 }
1451
1452 return 0;
1453 }
1454
1455
ft_validate_rsnie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1456 static int ft_validate_rsnie(struct wpa_sm *sm,
1457 const unsigned char *src_addr,
1458 struct wpa_eapol_ie_parse *ie)
1459 {
1460 struct wpa_ie_data rsn;
1461
1462 if (!ie->rsn_ie)
1463 return 0;
1464
1465 /*
1466 * Verify that PMKR1Name from EAPOL-Key message 3/4
1467 * matches with the value we derived.
1468 */
1469 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
1470 rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
1471 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
1472 "FT 4-way handshake message 3/4");
1473 return -1;
1474 }
1475
1476 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
1477 {
1478 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1479 "FT: PMKR1Name mismatch in "
1480 "FT 4-way handshake message 3/4");
1481 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
1482 rsn.pmkid, WPA_PMK_NAME_LEN);
1483 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1484 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1485 return -1;
1486 }
1487
1488 return 0;
1489 }
1490
1491
wpa_supplicant_validate_ie_ft(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1492 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
1493 const unsigned char *src_addr,
1494 struct wpa_eapol_ie_parse *ie)
1495 {
1496 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
1497
1498 if (sm->assoc_resp_ies) {
1499 pos = sm->assoc_resp_ies;
1500 end = pos + sm->assoc_resp_ies_len;
1501 while (end - pos > 2) {
1502 if (2 + pos[1] > end - pos)
1503 break;
1504 switch (*pos) {
1505 case WLAN_EID_MOBILITY_DOMAIN:
1506 mdie = pos;
1507 break;
1508 case WLAN_EID_FAST_BSS_TRANSITION:
1509 ftie = pos;
1510 break;
1511 }
1512 pos += 2 + pos[1];
1513 }
1514 }
1515
1516 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
1517 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
1518 ft_validate_rsnie(sm, src_addr, ie) < 0)
1519 return -1;
1520
1521 return 0;
1522 }
1523
1524 #endif /* CONFIG_IEEE80211R */
1525
1526
wpa_supplicant_validate_ie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)1527 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
1528 const unsigned char *src_addr,
1529 struct wpa_eapol_ie_parse *ie)
1530 {
1531 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
1532 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1533 "WPA: No WPA/RSN IE for this AP known. "
1534 "Trying to get from scan results");
1535 if (wpa_sm_get_beacon_ie(sm) < 0) {
1536 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1537 "WPA: Could not find AP from "
1538 "the scan results");
1539 return -1;
1540 }
1541 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
1542 "WPA: Found the current AP from updated scan results");
1543 }
1544
1545 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
1546 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
1547 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1548 "with IE in Beacon/ProbeResp (no IE?)",
1549 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1550 ie->rsn_ie, ie->rsn_ie_len);
1551 return -1;
1552 }
1553
1554 if ((ie->wpa_ie && sm->ap_wpa_ie &&
1555 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
1556 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
1557 (ie->rsn_ie && sm->ap_rsn_ie &&
1558 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
1559 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
1560 ie->rsn_ie, ie->rsn_ie_len))) {
1561 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1562 "with IE in Beacon/ProbeResp",
1563 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1564 ie->rsn_ie, ie->rsn_ie_len);
1565 return -1;
1566 }
1567
1568 if (sm->proto == WPA_PROTO_WPA &&
1569 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
1570 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
1571 "detected - RSN was enabled and RSN IE "
1572 "was in msg 3/4, but not in "
1573 "Beacon/ProbeResp",
1574 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1575 ie->rsn_ie, ie->rsn_ie_len);
1576 return -1;
1577 }
1578
1579 if (sm->proto == WPA_PROTO_RSN &&
1580 ((sm->ap_rsnxe && !ie->rsnxe) ||
1581 (!sm->ap_rsnxe && ie->rsnxe) ||
1582 (sm->ap_rsnxe && ie->rsnxe &&
1583 (sm->ap_rsnxe_len != ie->rsnxe_len ||
1584 os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) {
1585 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1586 "WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
1587 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
1588 sm->ap_rsnxe, sm->ap_rsnxe_len);
1589 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
1590 ie->rsnxe, ie->rsnxe_len);
1591 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
1592 return -1;
1593 }
1594
1595 #ifdef CONFIG_IEEE80211R
1596 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
1597 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
1598 return -1;
1599 #endif /* CONFIG_IEEE80211R */
1600
1601 return 0;
1602 }
1603
1604
1605 /**
1606 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
1607 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1608 * @dst: Destination address for the frame
1609 * @key: Pointer to the EAPOL-Key frame header
1610 * @ver: Version bits from EAPOL-Key Key Info
1611 * @key_info: Key Info
1612 * @ptk: PTK to use for keyed hash and encryption
1613 * Returns: >= 0 on success, < 0 on failure
1614 */
wpa_supplicant_send_4_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,u16 ver,u16 key_info,struct wpa_ptk * ptk)1615 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
1616 const struct wpa_eapol_key *key,
1617 u16 ver, u16 key_info,
1618 struct wpa_ptk *ptk)
1619 {
1620 size_t mic_len, hdrlen, rlen;
1621 struct wpa_eapol_key *reply;
1622 u8 *rbuf, *key_mic;
1623
1624 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1625 hdrlen = sizeof(*reply) + mic_len + 2;
1626 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1627 hdrlen, &rlen, (void *) &reply);
1628 if (rbuf == NULL)
1629 return -1;
1630
1631 reply->type = (sm->proto == WPA_PROTO_RSN ||
1632 sm->proto == WPA_PROTO_OSEN) ?
1633 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1634 key_info &= WPA_KEY_INFO_SECURE;
1635 key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
1636 if (mic_len)
1637 key_info |= WPA_KEY_INFO_MIC;
1638 else
1639 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1640 WPA_PUT_BE16(reply->key_info, key_info);
1641 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
1642 WPA_PUT_BE16(reply->key_length, 0);
1643 else
1644 os_memcpy(reply->key_length, key->key_length, 2);
1645 os_memcpy(reply->replay_counter, key->replay_counter,
1646 WPA_REPLAY_COUNTER_LEN);
1647
1648 key_mic = (u8 *) (reply + 1);
1649 WPA_PUT_BE16(key_mic + mic_len, 0);
1650
1651 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
1652 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
1653 key_mic);
1654 }
1655
1656
wpa_supplicant_process_3_of_4(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)1657 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
1658 const struct wpa_eapol_key *key,
1659 u16 ver, const u8 *key_data,
1660 size_t key_data_len)
1661 {
1662 u16 key_info, keylen;
1663 struct wpa_eapol_ie_parse ie;
1664
1665 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
1666 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 3 of 4-Way "
1667 "Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver);
1668
1669 key_info = WPA_GET_BE16(key->key_info);
1670
1671 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
1672 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
1673 goto failed;
1674 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1675 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1676 "WPA: GTK IE in unencrypted key data");
1677 goto failed;
1678 }
1679 if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1680 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1681 "WPA: IGTK KDE in unencrypted key data");
1682 goto failed;
1683 }
1684
1685 if (ie.igtk &&
1686 sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1687 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
1688 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
1689 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
1690 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1691 "WPA: Invalid IGTK KDE length %lu",
1692 (unsigned long) ie.igtk_len);
1693 goto failed;
1694 }
1695
1696 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
1697 goto failed;
1698
1699 if (wpa_handle_ext_key_id(sm, &ie))
1700 goto failed;
1701
1702 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
1703 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1704 "WPA: ANonce from message 1 of 4-Way Handshake "
1705 "differs from 3 of 4-Way Handshake - drop packet (src="
1706 MACSTR ")", MAC2STR(sm->bssid));
1707 goto failed;
1708 }
1709
1710 keylen = WPA_GET_BE16(key->key_length);
1711 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
1712 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1713 "WPA: Invalid %s key length %d (src=" MACSTR
1714 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
1715 MAC2STR(sm->bssid));
1716 goto failed;
1717 }
1718
1719 #ifdef CONFIG_P2P
1720 if (ie.ip_addr_alloc) {
1721 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
1722 wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
1723 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
1724 }
1725 #endif /* CONFIG_P2P */
1726
1727 #ifdef CONFIG_OCV
1728 if (wpa_sm_ocv_enabled(sm)) {
1729 struct wpa_channel_info ci;
1730
1731 if (wpa_sm_channel_info(sm, &ci) != 0) {
1732 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1733 "Failed to get channel info to validate received OCI in EAPOL-Key 3/4");
1734 return;
1735 }
1736
1737 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
1738 channel_width_to_int(ci.chanwidth),
1739 ci.seg1_idx) != OCI_SUCCESS) {
1740 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
1741 "addr=" MACSTR " frame=eapol-key-m3 error=%s",
1742 MAC2STR(sm->bssid), ocv_errorstr);
1743 return;
1744 }
1745 }
1746 #endif /* CONFIG_OCV */
1747
1748 #ifdef CONFIG_DPP2
1749 if (DPP_VERSION > 1 && ie.dpp_kde) {
1750 wpa_printf(MSG_DEBUG,
1751 "DPP: peer Protocol Version %u Flags 0x%x",
1752 ie.dpp_kde[0], ie.dpp_kde[1]);
1753 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_pfs != 2 &&
1754 (ie.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && !sm->dpp_z) {
1755 wpa_printf(MSG_INFO,
1756 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
1757 goto failed;
1758 }
1759 }
1760 #endif /* CONFIG_DPP2 */
1761
1762 if (sm->use_ext_key_id &&
1763 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX))
1764 goto failed;
1765
1766 if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info,
1767 &sm->ptk) < 0) {
1768 goto failed;
1769 }
1770
1771 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
1772 * for the next 4-Way Handshake. If msg 3 is received again, the old
1773 * SNonce will still be used to avoid changing PTK. */
1774 sm->renew_snonce = 1;
1775
1776 if (key_info & WPA_KEY_INFO_INSTALL) {
1777 int res;
1778
1779 if (sm->use_ext_key_id)
1780 res = wpa_supplicant_activate_ptk(sm);
1781 else
1782 res = wpa_supplicant_install_ptk(sm, key,
1783 KEY_FLAG_RX_TX);
1784 if (res)
1785 goto failed;
1786 }
1787
1788 if (key_info & WPA_KEY_INFO_SECURE) {
1789 wpa_sm_mlme_setprotection(
1790 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
1791 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1792 eapol_sm_notify_portValid(sm->eapol, true);
1793 }
1794 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1795
1796 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
1797 /* No GTK to be set to the driver */
1798 } else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) {
1799 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1800 "RSN: No GTK KDE included in EAPOL-Key msg 3/4");
1801 goto failed;
1802 } else if (ie.gtk &&
1803 wpa_supplicant_pairwise_gtk(sm, key,
1804 ie.gtk, ie.gtk_len, key_info) < 0) {
1805 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1806 "RSN: Failed to configure GTK");
1807 goto failed;
1808 }
1809
1810 if (ieee80211w_set_keys(sm, &ie) < 0) {
1811 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1812 "RSN: Failed to configure IGTK");
1813 goto failed;
1814 }
1815
1816 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk)
1817 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1818 key_info & WPA_KEY_INFO_SECURE);
1819
1820 if (ie.gtk)
1821 wpa_sm_set_rekey_offload(sm);
1822
1823 /* Add PMKSA cache entry for Suite B AKMs here since PMKID can be
1824 * calculated only after KCK has been derived. Though, do not replace an
1825 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
1826 * to avoid unnecessary changes of PMKID while continuing to use the
1827 * same PMK. */
1828 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
1829 !sm->cur_pmksa) {
1830 struct rsn_pmksa_cache_entry *sa;
1831
1832 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
1833 sm->ptk.kck, sm->ptk.kck_len,
1834 sm->bssid, sm->own_addr,
1835 sm->network_ctx, sm->key_mgmt, NULL);
1836 if (!sm->cur_pmksa)
1837 sm->cur_pmksa = sa;
1838 }
1839
1840 if (ie.transition_disable)
1841 wpa_sm_transition_disable(sm, ie.transition_disable[0]);
1842 sm->msg_3_of_4_ok = 1;
1843 return;
1844
1845 failed:
1846 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1847 }
1848
1849
wpa_supplicant_process_1_of_2_rsn(struct wpa_sm * sm,const u8 * keydata,size_t keydatalen,u16 key_info,struct wpa_gtk_data * gd)1850 static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm,
1851 const u8 *keydata,
1852 size_t keydatalen,
1853 u16 key_info,
1854 struct wpa_gtk_data *gd)
1855 {
1856 int maxkeylen;
1857 struct wpa_eapol_ie_parse ie;
1858 u16 gtk_len;
1859
1860 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
1861 keydata, keydatalen);
1862 if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0)
1863 return -1;
1864 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1865 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1866 "WPA: GTK IE in unencrypted key data");
1867 return -1;
1868 }
1869 if (ie.gtk == NULL) {
1870 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1871 "WPA: No GTK IE in Group Key msg 1/2");
1872 return -1;
1873 }
1874 gtk_len = ie.gtk_len;
1875 if (gtk_len < 2) {
1876 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1877 "RSN: Invalid GTK KDE length (%u) in Group Key msg 1/2",
1878 gtk_len);
1879 return -1;
1880 }
1881 gtk_len -= 2;
1882 if (gtk_len > sizeof(gd->gtk)) {
1883 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1884 "RSN: Too long GTK in GTK KDE (len=%u)", gtk_len);
1885 return -1;
1886 }
1887 maxkeylen = gd->gtk_len = gtk_len;
1888
1889 #ifdef CONFIG_OCV
1890 if (wpa_sm_ocv_enabled(sm)) {
1891 struct wpa_channel_info ci;
1892
1893 if (wpa_sm_channel_info(sm, &ci) != 0) {
1894 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1895 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
1896 return -1;
1897 }
1898
1899 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
1900 channel_width_to_int(ci.chanwidth),
1901 ci.seg1_idx) != OCI_SUCCESS) {
1902 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
1903 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
1904 MAC2STR(sm->bssid), ocv_errorstr);
1905 return -1;
1906 }
1907 }
1908 #endif /* CONFIG_OCV */
1909
1910 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1911 gtk_len, maxkeylen,
1912 &gd->key_rsc_len, &gd->alg))
1913 return -1;
1914
1915 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
1916 ie.gtk, 2 + gtk_len);
1917 gd->keyidx = ie.gtk[0] & 0x3;
1918 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1919 !!(ie.gtk[0] & BIT(2)));
1920 os_memcpy(gd->gtk, ie.gtk + 2, gtk_len);
1921
1922 if (ieee80211w_set_keys(sm, &ie) < 0)
1923 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1924 "RSN: Failed to configure IGTK");
1925
1926 return 0;
1927 }
1928
1929
wpa_supplicant_process_1_of_2_wpa(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 key_info,u16 ver,struct wpa_gtk_data * gd)1930 static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
1931 const struct wpa_eapol_key *key,
1932 const u8 *key_data,
1933 size_t key_data_len, u16 key_info,
1934 u16 ver, struct wpa_gtk_data *gd)
1935 {
1936 size_t maxkeylen;
1937 u16 gtk_len;
1938
1939 gtk_len = WPA_GET_BE16(key->key_length);
1940 maxkeylen = key_data_len;
1941 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1942 if (maxkeylen < 8) {
1943 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1944 "WPA: Too short maxkeylen (%lu)",
1945 (unsigned long) maxkeylen);
1946 return -1;
1947 }
1948 maxkeylen -= 8;
1949 }
1950
1951 if (gtk_len > maxkeylen ||
1952 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1953 gtk_len, maxkeylen,
1954 &gd->key_rsc_len, &gd->alg))
1955 return -1;
1956
1957 gd->gtk_len = gtk_len;
1958 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1959 WPA_KEY_INFO_KEY_INDEX_SHIFT;
1960 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
1961 #ifdef CONFIG_NO_RC4
1962 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1963 "WPA: RC4 not supported in the build");
1964 return -1;
1965 #else /* CONFIG_NO_RC4 */
1966 u8 ek[32];
1967 if (key_data_len > sizeof(gd->gtk)) {
1968 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1969 "WPA: RC4 key data too long (%lu)",
1970 (unsigned long) key_data_len);
1971 return -1;
1972 }
1973 os_memcpy(ek, key->key_iv, 16);
1974 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
1975 os_memcpy(gd->gtk, key_data, key_data_len);
1976 if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) {
1977 forced_memzero(ek, sizeof(ek));
1978 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1979 "WPA: RC4 failed");
1980 return -1;
1981 }
1982 forced_memzero(ek, sizeof(ek));
1983 #endif /* CONFIG_NO_RC4 */
1984 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1985 if (maxkeylen % 8) {
1986 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1987 "WPA: Unsupported AES-WRAP len %lu",
1988 (unsigned long) maxkeylen);
1989 return -1;
1990 }
1991 if (maxkeylen > sizeof(gd->gtk)) {
1992 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1993 "WPA: AES-WRAP key data "
1994 "too long (keydatalen=%lu maxkeylen=%lu)",
1995 (unsigned long) key_data_len,
1996 (unsigned long) maxkeylen);
1997 return -1;
1998 }
1999 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
2000 key_data, gd->gtk)) {
2001 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2002 "WPA: AES unwrap failed - could not decrypt "
2003 "GTK");
2004 return -1;
2005 }
2006 } else {
2007 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2008 "WPA: Unsupported key_info type %d", ver);
2009 return -1;
2010 }
2011 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(
2012 sm, !!(key_info & WPA_KEY_INFO_TXRX));
2013 return 0;
2014 }
2015
2016
wpa_supplicant_send_2_of_2(struct wpa_sm * sm,const struct wpa_eapol_key * key,int ver,u16 key_info)2017 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
2018 const struct wpa_eapol_key *key,
2019 int ver, u16 key_info)
2020 {
2021 size_t mic_len, hdrlen, rlen;
2022 struct wpa_eapol_key *reply;
2023 u8 *rbuf, *key_mic;
2024 size_t kde_len = 0;
2025
2026 #ifdef CONFIG_OCV
2027 if (wpa_sm_ocv_enabled(sm))
2028 kde_len = OCV_OCI_KDE_LEN;
2029 #endif /* CONFIG_OCV */
2030
2031 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2032 hdrlen = sizeof(*reply) + mic_len + 2;
2033 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
2034 hdrlen + kde_len, &rlen, (void *) &reply);
2035 if (rbuf == NULL)
2036 return -1;
2037
2038 reply->type = (sm->proto == WPA_PROTO_RSN ||
2039 sm->proto == WPA_PROTO_OSEN) ?
2040 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2041 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
2042 key_info |= ver | WPA_KEY_INFO_SECURE;
2043 if (mic_len)
2044 key_info |= WPA_KEY_INFO_MIC;
2045 else
2046 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2047 WPA_PUT_BE16(reply->key_info, key_info);
2048 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
2049 WPA_PUT_BE16(reply->key_length, 0);
2050 else
2051 os_memcpy(reply->key_length, key->key_length, 2);
2052 os_memcpy(reply->replay_counter, key->replay_counter,
2053 WPA_REPLAY_COUNTER_LEN);
2054
2055 key_mic = (u8 *) (reply + 1);
2056 WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */
2057
2058 #ifdef CONFIG_OCV
2059 if (wpa_sm_ocv_enabled(sm)) {
2060 struct wpa_channel_info ci;
2061 u8 *pos;
2062
2063 if (wpa_sm_channel_info(sm, &ci) != 0) {
2064 wpa_printf(MSG_WARNING,
2065 "Failed to get channel info for OCI element in EAPOL-Key 2/2");
2066 os_free(rbuf);
2067 return -1;
2068 }
2069 #ifdef CONFIG_TESTING_OPTIONS
2070 if (sm->oci_freq_override_eapol_g2) {
2071 wpa_printf(MSG_INFO,
2072 "TEST: Override OCI KDE frequency %d -> %d MHz",
2073 ci.frequency,
2074 sm->oci_freq_override_eapol_g2);
2075 ci.frequency = sm->oci_freq_override_eapol_g2;
2076 }
2077 #endif /* CONFIG_TESTING_OPTIONS */
2078
2079 pos = key_mic + mic_len + 2; /* Key Data */
2080 if (ocv_insert_oci_kde(&ci, &pos) < 0) {
2081 os_free(rbuf);
2082 return -1;
2083 }
2084 }
2085 #endif /* CONFIG_OCV */
2086
2087 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
2088 return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL,
2089 rbuf, rlen, key_mic);
2090 }
2091
2092
wpa_supplicant_process_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)2093 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
2094 const unsigned char *src_addr,
2095 const struct wpa_eapol_key *key,
2096 const u8 *key_data,
2097 size_t key_data_len, u16 ver)
2098 {
2099 u16 key_info;
2100 int rekey, ret;
2101 struct wpa_gtk_data gd;
2102 const u8 *key_rsc;
2103
2104 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
2105 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2106 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
2107 goto failed;
2108 }
2109
2110 os_memset(&gd, 0, sizeof(gd));
2111
2112 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
2113 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key "
2114 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
2115
2116 key_info = WPA_GET_BE16(key->key_info);
2117
2118 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
2119 ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data,
2120 key_data_len, key_info,
2121 &gd);
2122 } else {
2123 ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data,
2124 key_data_len,
2125 key_info, ver, &gd);
2126 }
2127
2128 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2129
2130 if (ret)
2131 goto failed;
2132
2133 key_rsc = key->key_rsc;
2134 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
2135 key_rsc = null_rsc;
2136
2137 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
2138 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
2139 goto failed;
2140 forced_memzero(&gd, sizeof(gd));
2141
2142 if (rekey) {
2143 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying "
2144 "completed with " MACSTR " [GTK=%s]",
2145 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
2146 wpa_sm_cancel_auth_timeout(sm);
2147 wpa_sm_set_state(sm, WPA_COMPLETED);
2148 } else {
2149 wpa_supplicant_key_neg_complete(sm, sm->bssid,
2150 key_info &
2151 WPA_KEY_INFO_SECURE);
2152 }
2153
2154 wpa_sm_set_rekey_offload(sm);
2155
2156 return;
2157
2158 failed:
2159 forced_memzero(&gd, sizeof(gd));
2160 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2161 }
2162
2163
wpa_supplicant_verify_eapol_key_mic(struct wpa_sm * sm,struct wpa_eapol_key * key,u16 ver,const u8 * buf,size_t len)2164 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
2165 struct wpa_eapol_key *key,
2166 u16 ver,
2167 const u8 *buf, size_t len)
2168 {
2169 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
2170 int ok = 0;
2171 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2172
2173 os_memcpy(mic, key + 1, mic_len);
2174 if (sm->tptk_set) {
2175 os_memset(key + 1, 0, mic_len);
2176 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
2177 sm->key_mgmt,
2178 ver, buf, len, (u8 *) (key + 1)) < 0 ||
2179 os_memcmp_const(mic, key + 1, mic_len) != 0) {
2180 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2181 "WPA: Invalid EAPOL-Key MIC "
2182 "when using TPTK - ignoring TPTK");
2183 #ifdef TEST_FUZZ
2184 wpa_printf(MSG_INFO,
2185 "TEST: Ignore Key MIC failure for fuzz testing");
2186 goto continue_fuzz;
2187 #endif /* TEST_FUZZ */
2188 } else {
2189 #ifdef TEST_FUZZ
2190 continue_fuzz:
2191 #endif /* TEST_FUZZ */
2192 ok = 1;
2193 sm->tptk_set = 0;
2194 sm->ptk_set = 1;
2195 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
2196 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
2197 /*
2198 * This assures the same TPTK in sm->tptk can never be
2199 * copied twice to sm->ptk as the new PTK. In
2200 * combination with the installed flag in the wpa_ptk
2201 * struct, this assures the same PTK is only installed
2202 * once.
2203 */
2204 sm->renew_snonce = 1;
2205 }
2206 }
2207
2208 if (!ok && sm->ptk_set) {
2209 os_memset(key + 1, 0, mic_len);
2210 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
2211 sm->key_mgmt,
2212 ver, buf, len, (u8 *) (key + 1)) < 0 ||
2213 os_memcmp_const(mic, key + 1, mic_len) != 0) {
2214 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2215 "WPA: Invalid EAPOL-Key MIC - "
2216 "dropping packet");
2217 #ifdef TEST_FUZZ
2218 wpa_printf(MSG_INFO,
2219 "TEST: Ignore Key MIC failure for fuzz testing");
2220 goto continue_fuzz2;
2221 #endif /* TEST_FUZZ */
2222 return -1;
2223 }
2224 #ifdef TEST_FUZZ
2225 continue_fuzz2:
2226 #endif /* TEST_FUZZ */
2227 ok = 1;
2228 }
2229
2230 if (!ok) {
2231 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2232 "WPA: Could not verify EAPOL-Key MIC - "
2233 "dropping packet");
2234 return -1;
2235 }
2236
2237 os_memcpy(sm->rx_replay_counter, key->replay_counter,
2238 WPA_REPLAY_COUNTER_LEN);
2239 sm->rx_replay_counter_set = 1;
2240 return 0;
2241 }
2242
2243
2244 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
wpa_supplicant_decrypt_key_data(struct wpa_sm * sm,struct wpa_eapol_key * key,size_t mic_len,u16 ver,u8 * key_data,size_t * key_data_len)2245 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
2246 struct wpa_eapol_key *key,
2247 size_t mic_len, u16 ver,
2248 u8 *key_data, size_t *key_data_len)
2249 {
2250 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
2251 key_data, *key_data_len);
2252 if (!sm->ptk_set) {
2253 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2254 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
2255 "Data");
2256 return -1;
2257 }
2258
2259 /* Decrypt key data here so that this operation does not need
2260 * to be implemented separately for each message type. */
2261 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
2262 #ifdef CONFIG_NO_RC4
2263 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2264 "WPA: RC4 not supported in the build");
2265 return -1;
2266 #else /* CONFIG_NO_RC4 */
2267 u8 ek[32];
2268
2269 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
2270 os_memcpy(ek, key->key_iv, 16);
2271 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
2272 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
2273 forced_memzero(ek, sizeof(ek));
2274 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2275 "WPA: RC4 failed");
2276 return -1;
2277 }
2278 forced_memzero(ek, sizeof(ek));
2279 #endif /* CONFIG_NO_RC4 */
2280 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
2281 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
2282 wpa_use_aes_key_wrap(sm->key_mgmt)) {
2283 u8 *buf;
2284
2285 wpa_printf(MSG_DEBUG,
2286 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
2287 (unsigned int) sm->ptk.kek_len);
2288 if (*key_data_len < 8 || *key_data_len % 8) {
2289 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2290 "WPA: Unsupported AES-WRAP len %u",
2291 (unsigned int) *key_data_len);
2292 return -1;
2293 }
2294 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
2295 buf = os_malloc(*key_data_len);
2296 if (buf == NULL) {
2297 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2298 "WPA: No memory for AES-UNWRAP buffer");
2299 return -1;
2300 }
2301 #ifdef TEST_FUZZ
2302 os_memset(buf, 0x11, *key_data_len);
2303 #endif /* TEST_FUZZ */
2304 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
2305 key_data, buf)) {
2306 #ifdef TEST_FUZZ
2307 wpa_printf(MSG_INFO,
2308 "TEST: Ignore AES unwrap failure for fuzz testing");
2309 goto continue_fuzz;
2310 #endif /* TEST_FUZZ */
2311 bin_clear_free(buf, *key_data_len);
2312 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2313 "WPA: AES unwrap failed - "
2314 "could not decrypt EAPOL-Key key data");
2315 return -1;
2316 }
2317 #ifdef TEST_FUZZ
2318 continue_fuzz:
2319 #endif /* TEST_FUZZ */
2320 os_memcpy(key_data, buf, *key_data_len);
2321 bin_clear_free(buf, *key_data_len);
2322 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
2323 } else {
2324 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2325 "WPA: Unsupported key_info type %d", ver);
2326 return -1;
2327 }
2328 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
2329 key_data, *key_data_len);
2330 return 0;
2331 }
2332
2333
2334 /**
2335 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
2336 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2337 */
wpa_sm_aborted_cached(struct wpa_sm * sm)2338 void wpa_sm_aborted_cached(struct wpa_sm *sm)
2339 {
2340 if (sm && sm->cur_pmksa) {
2341 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2342 "RSN: Cancelling PMKSA caching attempt");
2343 sm->cur_pmksa = NULL;
2344 }
2345 }
2346
2347
wpa_sm_aborted_external_cached(struct wpa_sm * sm)2348 void wpa_sm_aborted_external_cached(struct wpa_sm *sm)
2349 {
2350 if (sm && sm->cur_pmksa && sm->cur_pmksa->external) {
2351 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2352 "RSN: Cancelling external PMKSA caching attempt");
2353 sm->cur_pmksa = NULL;
2354 }
2355 }
2356
2357
wpa_eapol_key_dump(struct wpa_sm * sm,const struct wpa_eapol_key * key,unsigned int key_data_len,const u8 * mic,unsigned int mic_len)2358 static void wpa_eapol_key_dump(struct wpa_sm *sm,
2359 const struct wpa_eapol_key *key,
2360 unsigned int key_data_len,
2361 const u8 *mic, unsigned int mic_len)
2362 {
2363 #ifndef CONFIG_NO_STDOUT_DEBUG
2364 u16 key_info = WPA_GET_BE16(key->key_info);
2365
2366 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
2367 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2368 " key_info 0x%x (ver=%d keyidx=%ld rsvd=%ld %s%s%s%s%s%s%s%s)",
2369 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
2370 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
2371 WPA_KEY_INFO_KEY_INDEX_SHIFT,
2372 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
2373 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
2374 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
2375 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
2376 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
2377 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
2378 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
2379 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
2380 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
2381 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2382 " key_length=%u key_data_length=%u",
2383 WPA_GET_BE16(key->key_length), key_data_len);
2384 wpa_hexdump(MSG_DEBUG, " replay_counter",
2385 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
2386 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
2387 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
2388 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
2389 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
2390 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
2391 #endif /* CONFIG_NO_STDOUT_DEBUG */
2392 }
2393
2394
2395 #ifdef CONFIG_FILS
wpa_supp_aead_decrypt(struct wpa_sm * sm,u8 * buf,size_t buf_len,size_t * key_data_len)2396 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
2397 size_t *key_data_len)
2398 {
2399 struct wpa_ptk *ptk;
2400 struct ieee802_1x_hdr *hdr;
2401 struct wpa_eapol_key *key;
2402 u8 *pos, *tmp;
2403 const u8 *aad[1];
2404 size_t aad_len[1];
2405
2406 if (*key_data_len < AES_BLOCK_SIZE) {
2407 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
2408 return -1;
2409 }
2410
2411 if (sm->tptk_set)
2412 ptk = &sm->tptk;
2413 else if (sm->ptk_set)
2414 ptk = &sm->ptk;
2415 else
2416 return -1;
2417
2418 hdr = (struct ieee802_1x_hdr *) buf;
2419 key = (struct wpa_eapol_key *) (hdr + 1);
2420 pos = (u8 *) (key + 1);
2421 pos += 2; /* Pointing at the Encrypted Key Data field */
2422
2423 tmp = os_malloc(*key_data_len);
2424 if (!tmp)
2425 return -1;
2426
2427 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2428 * to Key Data (exclusive). */
2429 aad[0] = buf;
2430 aad_len[0] = pos - buf;
2431 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
2432 1, aad, aad_len, tmp) < 0) {
2433 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
2434 bin_clear_free(tmp, *key_data_len);
2435 return -1;
2436 }
2437
2438 /* AEAD decryption and validation completed successfully */
2439 (*key_data_len) -= AES_BLOCK_SIZE;
2440 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2441 tmp, *key_data_len);
2442
2443 /* Replace Key Data field with the decrypted version */
2444 os_memcpy(pos, tmp, *key_data_len);
2445 pos -= 2; /* Key Data Length field */
2446 WPA_PUT_BE16(pos, *key_data_len);
2447 bin_clear_free(tmp, *key_data_len);
2448
2449 if (sm->tptk_set) {
2450 sm->tptk_set = 0;
2451 sm->ptk_set = 1;
2452 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
2453 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
2454 }
2455
2456 os_memcpy(sm->rx_replay_counter, key->replay_counter,
2457 WPA_REPLAY_COUNTER_LEN);
2458 sm->rx_replay_counter_set = 1;
2459
2460 return 0;
2461 }
2462 #endif /* CONFIG_FILS */
2463
2464
2465 /**
2466 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
2467 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2468 * @src_addr: Source MAC address of the EAPOL packet
2469 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
2470 * @len: Length of the EAPOL frame
2471 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
2472 *
2473 * This function is called for each received EAPOL frame. Other than EAPOL-Key
2474 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
2475 * only processing WPA and WPA2 EAPOL-Key frames.
2476 *
2477 * The received EAPOL-Key packets are validated and valid packets are replied
2478 * to. In addition, key material (PTK, GTK) is configured at the end of a
2479 * successful key handshake.
2480 */
wpa_sm_rx_eapol(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len)2481 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
2482 const u8 *buf, size_t len)
2483 {
2484 size_t plen, data_len, key_data_len;
2485 const struct ieee802_1x_hdr *hdr;
2486 struct wpa_eapol_key *key;
2487 u16 key_info, ver;
2488 u8 *tmp = NULL;
2489 int ret = -1;
2490 u8 *mic, *key_data;
2491 size_t mic_len, keyhdrlen, pmk_len;
2492
2493 #ifdef CONFIG_IEEE80211R
2494 sm->ft_completed = 0;
2495 #endif /* CONFIG_IEEE80211R */
2496
2497 pmk_len = sm->pmk_len;
2498 if (!pmk_len && sm->cur_pmksa)
2499 pmk_len = sm->cur_pmksa->pmk_len;
2500 mic_len = wpa_mic_len(sm->key_mgmt, pmk_len);
2501 keyhdrlen = sizeof(*key) + mic_len + 2;
2502
2503 if (len < sizeof(*hdr) + keyhdrlen) {
2504 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2505 "WPA: EAPOL frame too short to be a WPA "
2506 "EAPOL-Key (len %lu, expecting at least %lu)",
2507 (unsigned long) len,
2508 (unsigned long) sizeof(*hdr) + keyhdrlen);
2509 return 0;
2510 }
2511
2512 hdr = (const struct ieee802_1x_hdr *) buf;
2513 plen = be_to_host16(hdr->length);
2514 data_len = plen + sizeof(*hdr);
2515 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2516 "IEEE 802.1X RX: version=%d type=%d length=%lu",
2517 hdr->version, hdr->type, (unsigned long) plen);
2518
2519 if (hdr->version < EAPOL_VERSION) {
2520 /* TODO: backwards compatibility */
2521 }
2522 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
2523 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2524 "WPA: EAPOL frame (type %u) discarded, "
2525 "not a Key frame", hdr->type);
2526 ret = 0;
2527 goto out;
2528 }
2529 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
2530 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
2531 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2532 "WPA: EAPOL frame payload size %lu "
2533 "invalid (frame size %lu)",
2534 (unsigned long) plen, (unsigned long) len);
2535 ret = 0;
2536 goto out;
2537 }
2538 if (data_len < len) {
2539 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2540 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
2541 (unsigned long) len - data_len);
2542 }
2543
2544 /*
2545 * Make a copy of the frame since we need to modify the buffer during
2546 * MAC validation and Key Data decryption.
2547 */
2548 tmp = os_memdup(buf, data_len);
2549 if (tmp == NULL)
2550 goto out;
2551 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
2552 mic = (u8 *) (key + 1);
2553 key_data = mic + mic_len + 2;
2554
2555 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
2556 {
2557 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2558 "WPA: EAPOL-Key type (%d) unknown, discarded",
2559 key->type);
2560 ret = 0;
2561 goto out;
2562 }
2563
2564 key_data_len = WPA_GET_BE16(mic + mic_len);
2565 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
2566
2567 if (key_data_len > plen - keyhdrlen) {
2568 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
2569 "frame - key_data overflow (%u > %u)",
2570 (unsigned int) key_data_len,
2571 (unsigned int) (plen - keyhdrlen));
2572 goto out;
2573 }
2574
2575 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
2576 key_info = WPA_GET_BE16(key->key_info);
2577 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
2578 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
2579 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2580 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
2581 !wpa_use_akm_defined(sm->key_mgmt)) {
2582 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2583 "WPA: Unsupported EAPOL-Key descriptor version %d",
2584 ver);
2585 goto out;
2586 }
2587
2588 if (wpa_use_akm_defined(sm->key_mgmt) &&
2589 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
2590 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2591 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
2592 ver);
2593 goto out;
2594 }
2595
2596 #ifdef CONFIG_IEEE80211R
2597 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
2598 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
2599 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2600 !wpa_use_akm_defined(sm->key_mgmt)) {
2601 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2602 "FT: AP did not use AES-128-CMAC");
2603 goto out;
2604 }
2605 } else
2606 #endif /* CONFIG_IEEE80211R */
2607 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
2608 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2609 !wpa_use_akm_defined(sm->key_mgmt)) {
2610 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2611 "WPA: AP did not use the "
2612 "negotiated AES-128-CMAC");
2613 goto out;
2614 }
2615 } else if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
2616 !wpa_use_akm_defined(sm->key_mgmt) &&
2617 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2618 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2619 "WPA: CCMP is used, but EAPOL-Key "
2620 "descriptor version (%d) is not 2", ver);
2621 if (sm->group_cipher != WPA_CIPHER_CCMP &&
2622 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
2623 /* Earlier versions of IEEE 802.11i did not explicitly
2624 * require version 2 descriptor for all EAPOL-Key
2625 * packets, so allow group keys to use version 1 if
2626 * CCMP is not used for them. */
2627 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2628 "WPA: Backwards compatibility: allow invalid "
2629 "version for non-CCMP group keys");
2630 } else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
2631 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2632 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
2633 } else
2634 goto out;
2635 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
2636 !wpa_use_akm_defined(sm->key_mgmt) &&
2637 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2638 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2639 "WPA: GCMP is used, but EAPOL-Key "
2640 "descriptor version (%d) is not 2", ver);
2641 goto out;
2642 }
2643
2644 if (sm->rx_replay_counter_set &&
2645 os_memcmp(key->replay_counter, sm->rx_replay_counter,
2646 WPA_REPLAY_COUNTER_LEN) <= 0) {
2647 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2648 "WPA: EAPOL-Key Replay Counter did not increase - "
2649 "dropping packet");
2650 goto out;
2651 }
2652
2653 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
2654 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2655 "WPA: Unsupported SMK bit in key_info");
2656 goto out;
2657 }
2658
2659 if (!(key_info & WPA_KEY_INFO_ACK)) {
2660 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2661 "WPA: No Ack bit in key_info");
2662 goto out;
2663 }
2664
2665 if (key_info & WPA_KEY_INFO_REQUEST) {
2666 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2667 "WPA: EAPOL-Key with Request bit - dropped");
2668 goto out;
2669 }
2670
2671 if ((key_info & WPA_KEY_INFO_MIC) &&
2672 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
2673 goto out;
2674
2675 #ifdef CONFIG_FILS
2676 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2677 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
2678 goto out;
2679 }
2680 #endif /* CONFIG_FILS */
2681
2682 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
2683 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
2684 /*
2685 * Only decrypt the Key Data field if the frame's authenticity
2686 * was verified. When using AES-SIV (FILS), the MIC flag is not
2687 * set, so this check should only be performed if mic_len != 0
2688 * which is the case in this code branch.
2689 */
2690 if (!(key_info & WPA_KEY_INFO_MIC)) {
2691 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2692 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
2693 goto out;
2694 }
2695 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
2696 ver, key_data,
2697 &key_data_len))
2698 goto out;
2699 }
2700
2701 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
2702 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
2703 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2704 "WPA: Ignored EAPOL-Key (Pairwise) with "
2705 "non-zero key index");
2706 goto out;
2707 }
2708 if (key_info & (WPA_KEY_INFO_MIC |
2709 WPA_KEY_INFO_ENCR_KEY_DATA)) {
2710 /* 3/4 4-Way Handshake */
2711 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
2712 key_data_len);
2713 } else {
2714 /* 1/4 4-Way Handshake */
2715 wpa_supplicant_process_1_of_4(sm, src_addr, key,
2716 ver, key_data,
2717 key_data_len);
2718 }
2719 } else {
2720 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
2721 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
2722 /* 1/2 Group Key Handshake */
2723 wpa_supplicant_process_1_of_2(sm, src_addr, key,
2724 key_data, key_data_len,
2725 ver);
2726 } else {
2727 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2728 "WPA: EAPOL-Key (Group) without Mic/Encr bit - "
2729 "dropped");
2730 }
2731 }
2732
2733 ret = 1;
2734
2735 out:
2736 bin_clear_free(tmp, data_len);
2737 return ret;
2738 }
2739
2740
2741 #ifdef CONFIG_CTRL_IFACE
wpa_key_mgmt_suite(struct wpa_sm * sm)2742 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
2743 {
2744 switch (sm->key_mgmt) {
2745 case WPA_KEY_MGMT_IEEE8021X:
2746 return ((sm->proto == WPA_PROTO_RSN ||
2747 sm->proto == WPA_PROTO_OSEN) ?
2748 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
2749 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
2750 case WPA_KEY_MGMT_PSK:
2751 return (sm->proto == WPA_PROTO_RSN ?
2752 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
2753 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
2754 #ifdef CONFIG_IEEE80211R
2755 case WPA_KEY_MGMT_FT_IEEE8021X:
2756 return RSN_AUTH_KEY_MGMT_FT_802_1X;
2757 case WPA_KEY_MGMT_FT_PSK:
2758 return RSN_AUTH_KEY_MGMT_FT_PSK;
2759 #endif /* CONFIG_IEEE80211R */
2760 case WPA_KEY_MGMT_IEEE8021X_SHA256:
2761 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2762 case WPA_KEY_MGMT_PSK_SHA256:
2763 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2764 case WPA_KEY_MGMT_CCKM:
2765 return (sm->proto == WPA_PROTO_RSN ?
2766 RSN_AUTH_KEY_MGMT_CCKM:
2767 WPA_AUTH_KEY_MGMT_CCKM);
2768 case WPA_KEY_MGMT_WPA_NONE:
2769 return WPA_AUTH_KEY_MGMT_NONE;
2770 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2771 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
2772 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2773 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
2774 default:
2775 return 0;
2776 }
2777 }
2778
2779
2780 #define RSN_SUITE "%02x-%02x-%02x-%d"
2781 #define RSN_SUITE_ARG(s) \
2782 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2783
2784 /**
2785 * wpa_sm_get_mib - Dump text list of MIB entries
2786 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2787 * @buf: Buffer for the list
2788 * @buflen: Length of the buffer
2789 * Returns: Number of bytes written to buffer
2790 *
2791 * This function is used fetch dot11 MIB variables.
2792 */
wpa_sm_get_mib(struct wpa_sm * sm,char * buf,size_t buflen)2793 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
2794 {
2795 char pmkid_txt[PMKID_LEN * 2 + 1];
2796 bool rsna;
2797 int ret;
2798 size_t len;
2799
2800 if (sm->cur_pmksa) {
2801 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2802 sm->cur_pmksa->pmkid, PMKID_LEN);
2803 } else
2804 pmkid_txt[0] = '\0';
2805
2806 rsna = (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
2807 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
2808 sm->proto == WPA_PROTO_RSN;
2809
2810 ret = os_snprintf(buf, buflen,
2811 "dot11RSNAOptionImplemented=TRUE\n"
2812 "dot11RSNAPreauthenticationImplemented=TRUE\n"
2813 "dot11RSNAEnabled=%s\n"
2814 "dot11RSNAPreauthenticationEnabled=%s\n"
2815 "dot11RSNAConfigVersion=%d\n"
2816 "dot11RSNAConfigPairwiseKeysSupported=5\n"
2817 "dot11RSNAConfigGroupCipherSize=%d\n"
2818 "dot11RSNAConfigPMKLifetime=%d\n"
2819 "dot11RSNAConfigPMKReauthThreshold=%d\n"
2820 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
2821 "dot11RSNAConfigSATimeout=%d\n",
2822 rsna ? "TRUE" : "FALSE",
2823 rsna ? "TRUE" : "FALSE",
2824 RSN_VERSION,
2825 wpa_cipher_key_len(sm->group_cipher) * 8,
2826 sm->dot11RSNAConfigPMKLifetime,
2827 sm->dot11RSNAConfigPMKReauthThreshold,
2828 sm->dot11RSNAConfigSATimeout);
2829 if (os_snprintf_error(buflen, ret))
2830 return 0;
2831 len = ret;
2832
2833 ret = os_snprintf(
2834 buf + len, buflen - len,
2835 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2836 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2837 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2838 "dot11RSNAPMKIDUsed=%s\n"
2839 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2840 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2841 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2842 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
2843 "dot11RSNA4WayHandshakeFailures=%u\n",
2844 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
2845 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2846 sm->pairwise_cipher)),
2847 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2848 sm->group_cipher)),
2849 pmkid_txt,
2850 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
2851 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2852 sm->pairwise_cipher)),
2853 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2854 sm->group_cipher)),
2855 sm->dot11RSNA4WayHandshakeFailures);
2856 if (!os_snprintf_error(buflen - len, ret))
2857 len += ret;
2858
2859 return (int) len;
2860 }
2861 #endif /* CONFIG_CTRL_IFACE */
2862
2863
wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx,enum pmksa_free_reason reason)2864 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
2865 void *ctx, enum pmksa_free_reason reason)
2866 {
2867 struct wpa_sm *sm = ctx;
2868 int deauth = 0;
2869
2870 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
2871 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
2872
2873 if (sm->cur_pmksa == entry) {
2874 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2875 "RSN: %s current PMKSA entry",
2876 reason == PMKSA_REPLACE ? "replaced" : "removed");
2877 pmksa_cache_clear_current(sm);
2878
2879 /*
2880 * If an entry is simply being replaced, there's no need to
2881 * deauthenticate because it will be immediately re-added.
2882 * This happens when EAP authentication is completed again
2883 * (reauth or failed PMKSA caching attempt).
2884 */
2885 if (reason != PMKSA_REPLACE)
2886 deauth = 1;
2887 }
2888
2889 if (reason == PMKSA_EXPIRE &&
2890 (sm->pmk_len == entry->pmk_len &&
2891 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
2892 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2893 "RSN: deauthenticating due to expired PMK");
2894 pmksa_cache_clear_current(sm);
2895 deauth = 1;
2896 }
2897
2898 if (deauth) {
2899 sm->pmk_len = 0;
2900 os_memset(sm->pmk, 0, sizeof(sm->pmk));
2901 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2902 }
2903 }
2904
2905
wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)2906 static bool wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry *entry,
2907 void *ctx)
2908 {
2909 struct wpa_sm *sm = ctx;
2910
2911 return sm->cur_pmksa == entry;
2912 }
2913
2914
2915 /**
2916 * wpa_sm_init - Initialize WPA state machine
2917 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
2918 * Returns: Pointer to the allocated WPA state machine data
2919 *
2920 * This function is used to allocate a new WPA state machine and the returned
2921 * value is passed to all WPA state machine calls.
2922 */
wpa_sm_init(struct wpa_sm_ctx * ctx)2923 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
2924 {
2925 struct wpa_sm *sm;
2926
2927 sm = os_zalloc(sizeof(*sm));
2928 if (sm == NULL)
2929 return NULL;
2930 dl_list_init(&sm->pmksa_candidates);
2931 sm->renew_snonce = 1;
2932 sm->ctx = ctx;
2933
2934 sm->dot11RSNAConfigPMKLifetime = 43200;
2935 sm->dot11RSNAConfigPMKReauthThreshold = 70;
2936 sm->dot11RSNAConfigSATimeout = 60;
2937
2938 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb,
2939 wpa_sm_pmksa_is_current_cb, sm, sm);
2940 if (sm->pmksa == NULL) {
2941 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2942 "RSN: PMKSA cache initialization failed");
2943 os_free(sm);
2944 return NULL;
2945 }
2946
2947 return sm;
2948 }
2949
2950
2951 /**
2952 * wpa_sm_deinit - Deinitialize WPA state machine
2953 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2954 */
wpa_sm_deinit(struct wpa_sm * sm)2955 void wpa_sm_deinit(struct wpa_sm *sm)
2956 {
2957 if (sm == NULL)
2958 return;
2959 pmksa_cache_deinit(sm->pmksa);
2960 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
2961 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
2962 os_free(sm->assoc_wpa_ie);
2963 os_free(sm->assoc_rsnxe);
2964 os_free(sm->ap_wpa_ie);
2965 os_free(sm->ap_rsn_ie);
2966 os_free(sm->ap_rsnxe);
2967 wpa_sm_drop_sa(sm);
2968 os_free(sm->ctx);
2969 #ifdef CONFIG_IEEE80211R
2970 os_free(sm->assoc_resp_ies);
2971 #endif /* CONFIG_IEEE80211R */
2972 #ifdef CONFIG_TESTING_OPTIONS
2973 wpabuf_free(sm->test_assoc_ie);
2974 #endif /* CONFIG_TESTING_OPTIONS */
2975 #ifdef CONFIG_FILS_SK_PFS
2976 crypto_ecdh_deinit(sm->fils_ecdh);
2977 #endif /* CONFIG_FILS_SK_PFS */
2978 #ifdef CONFIG_FILS
2979 wpabuf_free(sm->fils_ft_ies);
2980 #endif /* CONFIG_FILS */
2981 #ifdef CONFIG_OWE
2982 crypto_ecdh_deinit(sm->owe_ecdh);
2983 #endif /* CONFIG_OWE */
2984 #ifdef CONFIG_DPP2
2985 wpabuf_clear_free(sm->dpp_z);
2986 #endif /* CONFIG_DPP2 */
2987 os_free(sm);
2988 }
2989
2990
2991 /**
2992 * wpa_sm_notify_assoc - Notify WPA state machine about association
2993 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2994 * @bssid: The BSSID of the new association
2995 *
2996 * This function is called to let WPA state machine know that the connection
2997 * was established.
2998 */
wpa_sm_notify_assoc(struct wpa_sm * sm,const u8 * bssid)2999 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
3000 {
3001 int clear_keys = 1;
3002
3003 if (sm == NULL)
3004 return;
3005
3006 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3007 "WPA: Association event - clear replay counter");
3008 os_memcpy(sm->bssid, bssid, ETH_ALEN);
3009 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
3010 sm->rx_replay_counter_set = 0;
3011 sm->renew_snonce = 1;
3012 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
3013 rsn_preauth_deinit(sm);
3014
3015 #ifdef CONFIG_IEEE80211R
3016 if (wpa_ft_is_completed(sm)) {
3017 /*
3018 * Clear portValid to kick EAPOL state machine to re-enter
3019 * AUTHENTICATED state to get the EAPOL port Authorized.
3020 */
3021 eapol_sm_notify_portValid(sm->eapol, false);
3022 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
3023
3024 /* Prepare for the next transition */
3025 wpa_ft_prepare_auth_request(sm, NULL);
3026
3027 clear_keys = 0;
3028 sm->ft_protocol = 1;
3029 } else {
3030 sm->ft_protocol = 0;
3031 }
3032 #endif /* CONFIG_IEEE80211R */
3033 #ifdef CONFIG_FILS
3034 if (sm->fils_completed) {
3035 /*
3036 * Clear portValid to kick EAPOL state machine to re-enter
3037 * AUTHENTICATED state to get the EAPOL port Authorized.
3038 */
3039 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
3040 clear_keys = 0;
3041 }
3042 #endif /* CONFIG_FILS */
3043
3044 if (clear_keys) {
3045 /*
3046 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
3047 * this is not part of a Fast BSS Transition.
3048 */
3049 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
3050 sm->ptk_set = 0;
3051 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
3052 sm->tptk_set = 0;
3053 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3054 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
3055 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
3056 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
3057 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
3058 }
3059
3060 #ifdef CONFIG_TDLS
3061 wpa_tdls_assoc(sm);
3062 #endif /* CONFIG_TDLS */
3063
3064 #ifdef CONFIG_P2P
3065 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
3066 #endif /* CONFIG_P2P */
3067
3068 sm->keyidx_active = 0;
3069 }
3070
3071
3072 /**
3073 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
3074 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3075 *
3076 * This function is called to let WPA state machine know that the connection
3077 * was lost. This will abort any existing pre-authentication session.
3078 */
wpa_sm_notify_disassoc(struct wpa_sm * sm)3079 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
3080 {
3081 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
3082 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
3083 rsn_preauth_deinit(sm);
3084 pmksa_cache_clear_current(sm);
3085 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
3086 sm->dot11RSNA4WayHandshakeFailures++;
3087 #ifdef CONFIG_TDLS
3088 wpa_tdls_disassoc(sm);
3089 #endif /* CONFIG_TDLS */
3090 #ifdef CONFIG_FILS
3091 sm->fils_completed = 0;
3092 #endif /* CONFIG_FILS */
3093 #ifdef CONFIG_IEEE80211R
3094 sm->ft_reassoc_completed = 0;
3095 sm->ft_protocol = 0;
3096 #endif /* CONFIG_IEEE80211R */
3097
3098 /* Keys are not needed in the WPA state machine anymore */
3099 wpa_sm_drop_sa(sm);
3100 sm->keyidx_active = 0;
3101
3102 sm->msg_3_of_4_ok = 0;
3103 os_memset(sm->bssid, 0, ETH_ALEN);
3104 }
3105
3106
3107 /**
3108 * wpa_sm_set_pmk - Set PMK
3109 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3110 * @pmk: The new PMK
3111 * @pmk_len: The length of the new PMK in bytes
3112 * @pmkid: Calculated PMKID
3113 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
3114 *
3115 * Configure the PMK for WPA state machine.
3116 */
wpa_sm_set_pmk(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid)3117 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
3118 const u8 *pmkid, const u8 *bssid)
3119 {
3120 if (sm == NULL)
3121 return;
3122
3123 wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data",
3124 pmk, pmk_len);
3125 sm->pmk_len = pmk_len;
3126 os_memcpy(sm->pmk, pmk, pmk_len);
3127
3128 #ifdef CONFIG_IEEE80211R
3129 /* Set XXKey to be PSK for FT key derivation */
3130 sm->xxkey_len = pmk_len;
3131 os_memcpy(sm->xxkey, pmk, pmk_len);
3132 #endif /* CONFIG_IEEE80211R */
3133
3134 if (bssid) {
3135 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len,
3136 pmkid, NULL, 0, bssid,
3137 sm->own_addr,
3138 sm->network_ctx, sm->key_mgmt,
3139 NULL);
3140 }
3141 }
3142
3143
3144 /**
3145 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
3146 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3147 *
3148 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
3149 * will be cleared.
3150 */
wpa_sm_set_pmk_from_pmksa(struct wpa_sm * sm)3151 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
3152 {
3153 if (sm == NULL)
3154 return;
3155
3156 if (sm->cur_pmksa) {
3157 wpa_hexdump_key(MSG_DEBUG,
3158 "WPA: Set PMK based on current PMKSA",
3159 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len);
3160 sm->pmk_len = sm->cur_pmksa->pmk_len;
3161 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
3162 } else {
3163 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK");
3164 sm->pmk_len = 0;
3165 os_memset(sm->pmk, 0, PMK_LEN_MAX);
3166 }
3167 }
3168
3169
3170 /**
3171 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
3172 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3173 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
3174 */
wpa_sm_set_fast_reauth(struct wpa_sm * sm,int fast_reauth)3175 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
3176 {
3177 if (sm)
3178 sm->fast_reauth = fast_reauth;
3179 }
3180
3181
3182 /**
3183 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
3184 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3185 * @scard_ctx: Context pointer for smartcard related callback functions
3186 */
wpa_sm_set_scard_ctx(struct wpa_sm * sm,void * scard_ctx)3187 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
3188 {
3189 if (sm == NULL)
3190 return;
3191 sm->scard_ctx = scard_ctx;
3192 if (sm->preauth_eapol)
3193 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
3194 }
3195
3196
3197 /**
3198 * wpa_sm_set_config - Notification of current configuration change
3199 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3200 * @config: Pointer to current network configuration
3201 *
3202 * Notify WPA state machine that configuration has changed. config will be
3203 * stored as a backpointer to network configuration. This can be %NULL to clear
3204 * the stored pointed.
3205 */
wpa_sm_set_config(struct wpa_sm * sm,struct rsn_supp_config * config)3206 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
3207 {
3208 if (!sm)
3209 return;
3210
3211 if (config) {
3212 sm->network_ctx = config->network_ctx;
3213 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
3214 sm->proactive_key_caching = config->proactive_key_caching;
3215 sm->eap_workaround = config->eap_workaround;
3216 sm->eap_conf_ctx = config->eap_conf_ctx;
3217 if (config->ssid) {
3218 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
3219 sm->ssid_len = config->ssid_len;
3220 } else
3221 sm->ssid_len = 0;
3222 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
3223 sm->p2p = config->p2p;
3224 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
3225 sm->owe_ptk_workaround = config->owe_ptk_workaround;
3226 sm->force_kdk_derivation = config->force_kdk_derivation;
3227 #ifdef CONFIG_FILS
3228 if (config->fils_cache_id) {
3229 sm->fils_cache_id_set = 1;
3230 os_memcpy(sm->fils_cache_id, config->fils_cache_id,
3231 FILS_CACHE_ID_LEN);
3232 } else {
3233 sm->fils_cache_id_set = 0;
3234 }
3235 #endif /* CONFIG_FILS */
3236 sm->beacon_prot = config->beacon_prot;
3237 } else {
3238 sm->network_ctx = NULL;
3239 sm->allowed_pairwise_cipher = 0;
3240 sm->proactive_key_caching = 0;
3241 sm->eap_workaround = 0;
3242 sm->eap_conf_ctx = NULL;
3243 sm->ssid_len = 0;
3244 sm->wpa_ptk_rekey = 0;
3245 sm->p2p = 0;
3246 sm->wpa_rsc_relaxation = 0;
3247 sm->owe_ptk_workaround = 0;
3248 sm->beacon_prot = 0;
3249 sm->force_kdk_derivation = false;
3250 }
3251 }
3252
3253
3254 /**
3255 * wpa_sm_set_own_addr - Set own MAC address
3256 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3257 * @addr: Own MAC address
3258 */
wpa_sm_set_own_addr(struct wpa_sm * sm,const u8 * addr)3259 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
3260 {
3261 if (sm)
3262 os_memcpy(sm->own_addr, addr, ETH_ALEN);
3263 }
3264
3265
3266 /**
3267 * wpa_sm_set_ifname - Set network interface name
3268 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3269 * @ifname: Interface name
3270 * @bridge_ifname: Optional bridge interface name (for pre-auth)
3271 */
wpa_sm_set_ifname(struct wpa_sm * sm,const char * ifname,const char * bridge_ifname)3272 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
3273 const char *bridge_ifname)
3274 {
3275 if (sm) {
3276 sm->ifname = ifname;
3277 sm->bridge_ifname = bridge_ifname;
3278 }
3279 }
3280
3281
3282 /**
3283 * wpa_sm_set_eapol - Set EAPOL state machine pointer
3284 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3285 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
3286 */
wpa_sm_set_eapol(struct wpa_sm * sm,struct eapol_sm * eapol)3287 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
3288 {
3289 if (sm)
3290 sm->eapol = eapol;
3291 }
3292
3293
3294 /**
3295 * wpa_sm_set_param - Set WPA state machine parameters
3296 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3297 * @param: Parameter field
3298 * @value: Parameter value
3299 * Returns: 0 on success, -1 on failure
3300 */
wpa_sm_set_param(struct wpa_sm * sm,enum wpa_sm_conf_params param,unsigned int value)3301 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
3302 unsigned int value)
3303 {
3304 int ret = 0;
3305
3306 if (sm == NULL)
3307 return -1;
3308
3309 switch (param) {
3310 case RSNA_PMK_LIFETIME:
3311 if (value > 0)
3312 sm->dot11RSNAConfigPMKLifetime = value;
3313 else
3314 ret = -1;
3315 break;
3316 case RSNA_PMK_REAUTH_THRESHOLD:
3317 if (value > 0 && value <= 100)
3318 sm->dot11RSNAConfigPMKReauthThreshold = value;
3319 else
3320 ret = -1;
3321 break;
3322 case RSNA_SA_TIMEOUT:
3323 if (value > 0)
3324 sm->dot11RSNAConfigSATimeout = value;
3325 else
3326 ret = -1;
3327 break;
3328 case WPA_PARAM_PROTO:
3329 sm->proto = value;
3330 break;
3331 case WPA_PARAM_PAIRWISE:
3332 sm->pairwise_cipher = value;
3333 break;
3334 case WPA_PARAM_GROUP:
3335 sm->group_cipher = value;
3336 break;
3337 case WPA_PARAM_KEY_MGMT:
3338 sm->key_mgmt = value;
3339 break;
3340 case WPA_PARAM_MGMT_GROUP:
3341 sm->mgmt_group_cipher = value;
3342 break;
3343 case WPA_PARAM_RSN_ENABLED:
3344 sm->rsn_enabled = value;
3345 break;
3346 case WPA_PARAM_MFP:
3347 sm->mfp = value;
3348 break;
3349 case WPA_PARAM_OCV:
3350 sm->ocv = value;
3351 break;
3352 case WPA_PARAM_SAE_PWE:
3353 sm->sae_pwe = value;
3354 break;
3355 case WPA_PARAM_SAE_PK:
3356 sm->sae_pk = value;
3357 break;
3358 case WPA_PARAM_DENY_PTK0_REKEY:
3359 sm->wpa_deny_ptk0_rekey = value;
3360 break;
3361 case WPA_PARAM_EXT_KEY_ID:
3362 sm->ext_key_id = value;
3363 break;
3364 case WPA_PARAM_USE_EXT_KEY_ID:
3365 sm->use_ext_key_id = value;
3366 break;
3367 #ifdef CONFIG_TESTING_OPTIONS
3368 case WPA_PARAM_FT_RSNXE_USED:
3369 sm->ft_rsnxe_used = value;
3370 break;
3371 case WPA_PARAM_OCI_FREQ_EAPOL:
3372 sm->oci_freq_override_eapol = value;
3373 break;
3374 case WPA_PARAM_OCI_FREQ_EAPOL_G2:
3375 sm->oci_freq_override_eapol_g2 = value;
3376 break;
3377 case WPA_PARAM_OCI_FREQ_FT_ASSOC:
3378 sm->oci_freq_override_ft_assoc = value;
3379 break;
3380 case WPA_PARAM_OCI_FREQ_FILS_ASSOC:
3381 sm->oci_freq_override_fils_assoc = value;
3382 break;
3383 #endif /* CONFIG_TESTING_OPTIONS */
3384 #ifdef CONFIG_DPP2
3385 case WPA_PARAM_DPP_PFS:
3386 sm->dpp_pfs = value;
3387 break;
3388 #endif /* CONFIG_DPP2 */
3389 default:
3390 break;
3391 }
3392
3393 return ret;
3394 }
3395
3396
3397 /**
3398 * wpa_sm_get_status - Get WPA state machine
3399 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3400 * @buf: Buffer for status information
3401 * @buflen: Maximum buffer length
3402 * @verbose: Whether to include verbose status information
3403 * Returns: Number of bytes written to buf.
3404 *
3405 * Query WPA state machine for status information. This function fills in
3406 * a text area with current status information. If the buffer (buf) is not
3407 * large enough, status information will be truncated to fit the buffer.
3408 */
wpa_sm_get_status(struct wpa_sm * sm,char * buf,size_t buflen,int verbose)3409 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
3410 int verbose)
3411 {
3412 char *pos = buf, *end = buf + buflen;
3413 int ret;
3414
3415 ret = os_snprintf(pos, end - pos,
3416 "pairwise_cipher=%s\n"
3417 "group_cipher=%s\n"
3418 "key_mgmt=%s\n",
3419 wpa_cipher_txt(sm->pairwise_cipher),
3420 wpa_cipher_txt(sm->group_cipher),
3421 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
3422 if (os_snprintf_error(end - pos, ret))
3423 return pos - buf;
3424 pos += ret;
3425
3426 #ifdef CONFIG_DPP2
3427 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
3428 ret = os_snprintf(pos, end - pos, "dpp_pfs=1\n");
3429 if (os_snprintf_error(end - pos, ret))
3430 return pos - buf;
3431 pos += ret;
3432 }
3433 #endif /* CONFIG_DPP2 */
3434
3435 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
3436 struct wpa_ie_data rsn;
3437 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
3438 >= 0 &&
3439 rsn.capabilities & (WPA_CAPABILITY_MFPR |
3440 WPA_CAPABILITY_MFPC)) {
3441 ret = os_snprintf(pos, end - pos, "pmf=%d\n"
3442 "mgmt_group_cipher=%s\n",
3443 (rsn.capabilities &
3444 WPA_CAPABILITY_MFPR) ? 2 : 1,
3445 wpa_cipher_txt(
3446 sm->mgmt_group_cipher));
3447 if (os_snprintf_error(end - pos, ret))
3448 return pos - buf;
3449 pos += ret;
3450 }
3451 }
3452
3453 return pos - buf;
3454 }
3455
3456
wpa_sm_pmf_enabled(struct wpa_sm * sm)3457 int wpa_sm_pmf_enabled(struct wpa_sm *sm)
3458 {
3459 struct wpa_ie_data rsn;
3460
3461 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
3462 return 0;
3463
3464 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
3465 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
3466 return 1;
3467
3468 return 0;
3469 }
3470
3471
wpa_sm_ext_key_id(struct wpa_sm * sm)3472 int wpa_sm_ext_key_id(struct wpa_sm *sm)
3473 {
3474 return sm ? sm->ext_key_id : 0;
3475 }
3476
3477
wpa_sm_ext_key_id_active(struct wpa_sm * sm)3478 int wpa_sm_ext_key_id_active(struct wpa_sm *sm)
3479 {
3480 return sm ? sm->use_ext_key_id : 0;
3481 }
3482
3483
wpa_sm_ocv_enabled(struct wpa_sm * sm)3484 int wpa_sm_ocv_enabled(struct wpa_sm *sm)
3485 {
3486 struct wpa_ie_data rsn;
3487
3488 if (!sm->ocv || !sm->ap_rsn_ie)
3489 return 0;
3490
3491 return wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len,
3492 &rsn) >= 0 &&
3493 (rsn.capabilities & WPA_CAPABILITY_OCVC);
3494 }
3495
3496
3497 /**
3498 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
3499 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3500 * @wpa_ie: Pointer to buffer for WPA/RSN IE
3501 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
3502 * Returns: 0 on success, -1 on failure
3503 */
wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm * sm,u8 * wpa_ie,size_t * wpa_ie_len)3504 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
3505 size_t *wpa_ie_len)
3506 {
3507 int res;
3508
3509 if (sm == NULL)
3510 return -1;
3511
3512 #ifdef CONFIG_TESTING_OPTIONS
3513 if (sm->test_assoc_ie) {
3514 wpa_printf(MSG_DEBUG,
3515 "TESTING: Replace association WPA/RSN IE");
3516 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
3517 return -1;
3518 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
3519 wpabuf_len(sm->test_assoc_ie));
3520 res = wpabuf_len(sm->test_assoc_ie);
3521 } else
3522 #endif /* CONFIG_TESTING_OPTIONS */
3523 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
3524 if (res < 0)
3525 return -1;
3526 *wpa_ie_len = res;
3527
3528 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
3529 wpa_ie, *wpa_ie_len);
3530
3531 if (sm->assoc_wpa_ie == NULL) {
3532 /*
3533 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
3534 * the correct version of the IE even if PMKSA caching is
3535 * aborted (which would remove PMKID from IE generation).
3536 */
3537 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
3538 if (sm->assoc_wpa_ie == NULL)
3539 return -1;
3540
3541 sm->assoc_wpa_ie_len = *wpa_ie_len;
3542 } else {
3543 wpa_hexdump(MSG_DEBUG,
3544 "WPA: Leave previously set WPA IE default",
3545 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3546 }
3547
3548 return 0;
3549 }
3550
3551
3552 /**
3553 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
3554 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3555 * @ie: Pointer to IE data (starting from id)
3556 * @len: IE length
3557 * Returns: 0 on success, -1 on failure
3558 *
3559 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
3560 * Request frame. The IE will be used to override the default value generated
3561 * with wpa_sm_set_assoc_wpa_ie_default().
3562 */
wpa_sm_set_assoc_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)3563 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3564 {
3565 if (sm == NULL)
3566 return -1;
3567
3568 os_free(sm->assoc_wpa_ie);
3569 if (ie == NULL || len == 0) {
3570 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3571 "WPA: clearing own WPA/RSN IE");
3572 sm->assoc_wpa_ie = NULL;
3573 sm->assoc_wpa_ie_len = 0;
3574 } else {
3575 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
3576 sm->assoc_wpa_ie = os_memdup(ie, len);
3577 if (sm->assoc_wpa_ie == NULL)
3578 return -1;
3579
3580 sm->assoc_wpa_ie_len = len;
3581 }
3582
3583 return 0;
3584 }
3585
3586
3587 /**
3588 * wpa_sm_set_assoc_rsnxe_default - Generate own RSNXE from configuration
3589 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3590 * @rsnxe: Pointer to buffer for RSNXE
3591 * @rsnxe_len: Pointer to the length of the rsne buffer
3592 * Returns: 0 on success, -1 on failure
3593 */
wpa_sm_set_assoc_rsnxe_default(struct wpa_sm * sm,u8 * rsnxe,size_t * rsnxe_len)3594 int wpa_sm_set_assoc_rsnxe_default(struct wpa_sm *sm, u8 *rsnxe,
3595 size_t *rsnxe_len)
3596 {
3597 int res;
3598
3599 if (!sm)
3600 return -1;
3601
3602 res = wpa_gen_rsnxe(sm, rsnxe, *rsnxe_len);
3603 if (res < 0)
3604 return -1;
3605 *rsnxe_len = res;
3606
3607 wpa_hexdump(MSG_DEBUG, "RSN: Set own RSNXE default", rsnxe, *rsnxe_len);
3608
3609 if (sm->assoc_rsnxe) {
3610 wpa_hexdump(MSG_DEBUG,
3611 "RSN: Leave previously set RSNXE default",
3612 sm->assoc_rsnxe, sm->assoc_rsnxe_len);
3613 } else if (*rsnxe_len > 0) {
3614 /*
3615 * Make a copy of the RSNXE so that 4-Way Handshake gets the
3616 * correct version of the IE even if it gets changed.
3617 */
3618 sm->assoc_rsnxe = os_memdup(rsnxe, *rsnxe_len);
3619 if (!sm->assoc_rsnxe)
3620 return -1;
3621
3622 sm->assoc_rsnxe_len = *rsnxe_len;
3623 }
3624
3625 return 0;
3626 }
3627
3628
3629 /**
3630 * wpa_sm_set_assoc_rsnxe - Set own RSNXE from (Re)AssocReq
3631 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3632 * @ie: Pointer to IE data (starting from id)
3633 * @len: IE length
3634 * Returns: 0 on success, -1 on failure
3635 *
3636 * Inform WPA state machine about the RSNXE used in (Re)Association Request
3637 * frame. The IE will be used to override the default value generated
3638 * with wpa_sm_set_assoc_rsnxe_default().
3639 */
wpa_sm_set_assoc_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)3640 int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
3641 {
3642 if (!sm)
3643 return -1;
3644
3645 os_free(sm->assoc_rsnxe);
3646 if (!ie || len == 0) {
3647 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3648 "RSN: clearing own RSNXE");
3649 sm->assoc_rsnxe = NULL;
3650 sm->assoc_rsnxe_len = 0;
3651 } else {
3652 wpa_hexdump(MSG_DEBUG, "RSN: set own RSNXE", ie, len);
3653 sm->assoc_rsnxe = os_memdup(ie, len);
3654 if (!sm->assoc_rsnxe)
3655 return -1;
3656
3657 sm->assoc_rsnxe_len = len;
3658 }
3659
3660 return 0;
3661 }
3662
3663
3664 /**
3665 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
3666 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3667 * @ie: Pointer to IE data (starting from id)
3668 * @len: IE length
3669 * Returns: 0 on success, -1 on failure
3670 *
3671 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
3672 * frame.
3673 */
wpa_sm_set_ap_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)3674 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3675 {
3676 if (sm == NULL)
3677 return -1;
3678
3679 os_free(sm->ap_wpa_ie);
3680 if (ie == NULL || len == 0) {
3681 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3682 "WPA: clearing AP WPA IE");
3683 sm->ap_wpa_ie = NULL;
3684 sm->ap_wpa_ie_len = 0;
3685 } else {
3686 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
3687 sm->ap_wpa_ie = os_memdup(ie, len);
3688 if (sm->ap_wpa_ie == NULL)
3689 return -1;
3690
3691 sm->ap_wpa_ie_len = len;
3692 }
3693
3694 return 0;
3695 }
3696
3697
3698 /**
3699 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
3700 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3701 * @ie: Pointer to IE data (starting from id)
3702 * @len: IE length
3703 * Returns: 0 on success, -1 on failure
3704 *
3705 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
3706 * frame.
3707 */
wpa_sm_set_ap_rsn_ie(struct wpa_sm * sm,const u8 * ie,size_t len)3708 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3709 {
3710 if (sm == NULL)
3711 return -1;
3712
3713 os_free(sm->ap_rsn_ie);
3714 if (ie == NULL || len == 0) {
3715 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3716 "WPA: clearing AP RSN IE");
3717 sm->ap_rsn_ie = NULL;
3718 sm->ap_rsn_ie_len = 0;
3719 } else {
3720 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
3721 sm->ap_rsn_ie = os_memdup(ie, len);
3722 if (sm->ap_rsn_ie == NULL)
3723 return -1;
3724
3725 sm->ap_rsn_ie_len = len;
3726 }
3727
3728 return 0;
3729 }
3730
3731
3732 /**
3733 * wpa_sm_set_ap_rsnxe - Set AP RSNXE from Beacon/ProbeResp
3734 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3735 * @ie: Pointer to IE data (starting from id)
3736 * @len: IE length
3737 * Returns: 0 on success, -1 on failure
3738 *
3739 * Inform WPA state machine about the RSNXE used in Beacon / Probe Response
3740 * frame.
3741 */
wpa_sm_set_ap_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)3742 int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
3743 {
3744 if (!sm)
3745 return -1;
3746
3747 os_free(sm->ap_rsnxe);
3748 if (!ie || len == 0) {
3749 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE");
3750 sm->ap_rsnxe = NULL;
3751 sm->ap_rsnxe_len = 0;
3752 } else {
3753 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len);
3754 sm->ap_rsnxe = os_memdup(ie, len);
3755 if (!sm->ap_rsnxe)
3756 return -1;
3757
3758 sm->ap_rsnxe_len = len;
3759 }
3760
3761 return 0;
3762 }
3763
3764
3765 /**
3766 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
3767 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3768 * @data: Pointer to data area for parsing results
3769 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
3770 *
3771 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
3772 * parsed data into data.
3773 */
wpa_sm_parse_own_wpa_ie(struct wpa_sm * sm,struct wpa_ie_data * data)3774 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
3775 {
3776 if (sm == NULL)
3777 return -1;
3778
3779 if (sm->assoc_wpa_ie == NULL) {
3780 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3781 "WPA: No WPA/RSN IE available from association info");
3782 return -1;
3783 }
3784 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
3785 return -2;
3786 return 0;
3787 }
3788
3789
wpa_sm_pmksa_cache_list(struct wpa_sm * sm,char * buf,size_t len)3790 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
3791 {
3792 return pmksa_cache_list(sm->pmksa, buf, len);
3793 }
3794
3795
wpa_sm_pmksa_cache_head(struct wpa_sm * sm)3796 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
3797 {
3798 return pmksa_cache_head(sm->pmksa);
3799 }
3800
3801
3802 struct rsn_pmksa_cache_entry *
wpa_sm_pmksa_cache_add_entry(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)3803 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
3804 struct rsn_pmksa_cache_entry * entry)
3805 {
3806 return pmksa_cache_add_entry(sm->pmksa, entry);
3807 }
3808
3809
wpa_sm_pmksa_cache_add(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid,const u8 * fils_cache_id)3810 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
3811 const u8 *pmkid, const u8 *bssid,
3812 const u8 *fils_cache_id)
3813 {
3814 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
3815 bssid, sm->own_addr, sm->network_ctx,
3816 sm->key_mgmt, fils_cache_id);
3817 }
3818
3819
wpa_sm_pmksa_exists(struct wpa_sm * sm,const u8 * bssid,const void * network_ctx)3820 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid,
3821 const void *network_ctx)
3822 {
3823 return pmksa_cache_get(sm->pmksa, bssid, NULL, network_ctx, 0) != NULL;
3824 }
3825
3826
wpa_sm_pmksa_cache_get(struct wpa_sm * sm,const u8 * aa,const u8 * pmkid,const void * network_ctx,int akmp)3827 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_get(struct wpa_sm *sm,
3828 const u8 *aa,
3829 const u8 *pmkid,
3830 const void *network_ctx,
3831 int akmp)
3832 {
3833 return pmksa_cache_get(sm->pmksa, aa, pmkid, network_ctx, akmp);
3834 }
3835
3836
wpa_sm_drop_sa(struct wpa_sm * sm)3837 void wpa_sm_drop_sa(struct wpa_sm *sm)
3838 {
3839 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
3840 sm->ptk_set = 0;
3841 sm->tptk_set = 0;
3842 sm->pmk_len = 0;
3843 os_memset(sm->pmk, 0, sizeof(sm->pmk));
3844 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
3845 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3846 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
3847 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
3848 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
3849 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
3850 #ifdef CONFIG_IEEE80211R
3851 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
3852 sm->xxkey_len = 0;
3853 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
3854 sm->pmk_r0_len = 0;
3855 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
3856 sm->pmk_r1_len = 0;
3857 #ifdef CONFIG_PASN
3858 os_free(sm->pasn_r1kh);
3859 sm->pasn_r1kh = NULL;
3860 sm->n_pasn_r1kh = 0;
3861 #endif /* CONFIG_PASN */
3862 #endif /* CONFIG_IEEE80211R */
3863 }
3864
3865
wpa_sm_has_ptk(struct wpa_sm * sm)3866 int wpa_sm_has_ptk(struct wpa_sm *sm)
3867 {
3868 if (sm == NULL)
3869 return 0;
3870 return sm->ptk_set;
3871 }
3872
3873
wpa_sm_has_ptk_installed(struct wpa_sm * sm)3874 int wpa_sm_has_ptk_installed(struct wpa_sm *sm)
3875 {
3876 if (!sm)
3877 return 0;
3878 return sm->ptk.installed;
3879 }
3880
3881
wpa_sm_update_replay_ctr(struct wpa_sm * sm,const u8 * replay_ctr)3882 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
3883 {
3884 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
3885 }
3886
3887
wpa_sm_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)3888 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
3889 {
3890 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, false);
3891 }
3892
3893
wpa_sm_external_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)3894 void wpa_sm_external_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
3895 {
3896 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, true);
3897 }
3898
3899
3900 #ifdef CONFIG_WNM
wpa_wnmsleep_install_key(struct wpa_sm * sm,u8 subelem_id,u8 * buf)3901 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
3902 {
3903 u16 keyinfo;
3904 u8 keylen; /* plaintext key len */
3905 u8 *key_rsc;
3906
3907 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
3908 struct wpa_gtk_data gd;
3909
3910 os_memset(&gd, 0, sizeof(gd));
3911 keylen = wpa_cipher_key_len(sm->group_cipher);
3912 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
3913 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
3914 if (gd.alg == WPA_ALG_NONE) {
3915 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
3916 return -1;
3917 }
3918
3919 key_rsc = buf + 5;
3920 keyinfo = WPA_GET_LE16(buf + 2);
3921 gd.gtk_len = keylen;
3922 if (gd.gtk_len != buf[4]) {
3923 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
3924 gd.gtk_len, buf[4]);
3925 return -1;
3926 }
3927 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
3928 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
3929 sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
3930
3931 os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
3932
3933 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
3934 gd.gtk, gd.gtk_len);
3935 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
3936 forced_memzero(&gd, sizeof(gd));
3937 wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
3938 "WNM mode");
3939 return -1;
3940 }
3941 forced_memzero(&gd, sizeof(gd));
3942 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
3943 const struct wpa_igtk_kde *igtk;
3944
3945 igtk = (const struct wpa_igtk_kde *) (buf + 2);
3946 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
3947 return -1;
3948 } else if (subelem_id == WNM_SLEEP_SUBELEM_BIGTK) {
3949 const struct wpa_bigtk_kde *bigtk;
3950
3951 bigtk = (const struct wpa_bigtk_kde *) (buf + 2);
3952 if (sm->beacon_prot &&
3953 wpa_supplicant_install_bigtk(sm, bigtk, 1) < 0)
3954 return -1;
3955 } else {
3956 wpa_printf(MSG_DEBUG, "Unknown element id");
3957 return -1;
3958 }
3959
3960 return 0;
3961 }
3962 #endif /* CONFIG_WNM */
3963
3964
3965 #ifdef CONFIG_P2P
3966
wpa_sm_get_p2p_ip_addr(struct wpa_sm * sm,u8 * buf)3967 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
3968 {
3969 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
3970 return -1;
3971 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
3972 return 0;
3973 }
3974
3975 #endif /* CONFIG_P2P */
3976
3977
wpa_sm_set_rx_replay_ctr(struct wpa_sm * sm,const u8 * rx_replay_counter)3978 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
3979 {
3980 if (rx_replay_counter == NULL)
3981 return;
3982
3983 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
3984 WPA_REPLAY_COUNTER_LEN);
3985 sm->rx_replay_counter_set = 1;
3986 wpa_printf(MSG_DEBUG, "Updated key replay counter");
3987 }
3988
3989
wpa_sm_set_ptk_kck_kek(struct wpa_sm * sm,const u8 * ptk_kck,size_t ptk_kck_len,const u8 * ptk_kek,size_t ptk_kek_len)3990 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
3991 const u8 *ptk_kck, size_t ptk_kck_len,
3992 const u8 *ptk_kek, size_t ptk_kek_len)
3993 {
3994 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
3995 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
3996 sm->ptk.kck_len = ptk_kck_len;
3997 wpa_printf(MSG_DEBUG, "Updated PTK KCK");
3998 }
3999 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
4000 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
4001 sm->ptk.kek_len = ptk_kek_len;
4002 wpa_printf(MSG_DEBUG, "Updated PTK KEK");
4003 }
4004 sm->ptk_set = 1;
4005 }
4006
4007
4008 #ifdef CONFIG_TESTING_OPTIONS
4009
wpa_sm_set_test_assoc_ie(struct wpa_sm * sm,struct wpabuf * buf)4010 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
4011 {
4012 wpabuf_free(sm->test_assoc_ie);
4013 sm->test_assoc_ie = buf;
4014 }
4015
4016
wpa_sm_get_anonce(struct wpa_sm * sm)4017 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm)
4018 {
4019 return sm->anonce;
4020 }
4021
4022 #endif /* CONFIG_TESTING_OPTIONS */
4023
4024
wpa_sm_get_key_mgmt(struct wpa_sm * sm)4025 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm)
4026 {
4027 return sm->key_mgmt;
4028 }
4029
4030
4031 #ifdef CONFIG_FILS
4032
fils_build_auth(struct wpa_sm * sm,int dh_group,const u8 * md)4033 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md)
4034 {
4035 struct wpabuf *buf = NULL;
4036 struct wpabuf *erp_msg;
4037 struct wpabuf *pub = NULL;
4038
4039 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
4040 if (!erp_msg && !sm->cur_pmksa) {
4041 wpa_printf(MSG_DEBUG,
4042 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
4043 goto fail;
4044 }
4045
4046 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
4047 erp_msg != NULL, sm->cur_pmksa != NULL);
4048
4049 sm->fils_completed = 0;
4050
4051 if (!sm->assoc_wpa_ie) {
4052 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
4053 goto fail;
4054 }
4055
4056 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
4057 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
4058 goto fail;
4059
4060 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
4061 sm->fils_nonce, FILS_NONCE_LEN);
4062 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
4063 sm->fils_session, FILS_SESSION_LEN);
4064
4065 #ifdef CONFIG_FILS_SK_PFS
4066 sm->fils_dh_group = dh_group;
4067 if (dh_group) {
4068 crypto_ecdh_deinit(sm->fils_ecdh);
4069 sm->fils_ecdh = crypto_ecdh_init(dh_group);
4070 if (!sm->fils_ecdh) {
4071 wpa_printf(MSG_INFO,
4072 "FILS: Could not initialize ECDH with group %d",
4073 dh_group);
4074 goto fail;
4075 }
4076 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
4077 if (!pub)
4078 goto fail;
4079 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)",
4080 pub);
4081 sm->fils_dh_elem_len = wpabuf_len(pub);
4082 }
4083 #endif /* CONFIG_FILS_SK_PFS */
4084
4085 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
4086 (pub ? wpabuf_len(pub) : 0));
4087 if (!buf)
4088 goto fail;
4089
4090 /* Fields following the Authentication algorithm number field */
4091
4092 /* Authentication Transaction seq# */
4093 wpabuf_put_le16(buf, 1);
4094
4095 /* Status Code */
4096 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
4097
4098 /* TODO: FILS PK */
4099 #ifdef CONFIG_FILS_SK_PFS
4100 if (dh_group) {
4101 /* Finite Cyclic Group */
4102 wpabuf_put_le16(buf, dh_group);
4103 /* Element */
4104 wpabuf_put_buf(buf, pub);
4105 }
4106 #endif /* CONFIG_FILS_SK_PFS */
4107
4108 /* RSNE */
4109 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
4110 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
4111 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
4112
4113 if (md) {
4114 /* MDE when using FILS for FT initial association */
4115 struct rsn_mdie *mdie;
4116
4117 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN);
4118 wpabuf_put_u8(buf, sizeof(*mdie));
4119 mdie = wpabuf_put(buf, sizeof(*mdie));
4120 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
4121 mdie->ft_capab = 0;
4122 }
4123
4124 /* FILS Nonce */
4125 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4126 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
4127 /* Element ID Extension */
4128 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
4129 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
4130
4131 /* FILS Session */
4132 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4133 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
4134 /* Element ID Extension */
4135 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
4136 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
4137
4138 /* Wrapped Data */
4139 sm->fils_erp_pmkid_set = 0;
4140 if (erp_msg) {
4141 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4142 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
4143 /* Element ID Extension */
4144 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
4145 wpabuf_put_buf(buf, erp_msg);
4146 /* Calculate pending PMKID here so that we do not need to
4147 * maintain a copy of the EAP-Initiate/Reauth message. */
4148 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
4149 wpabuf_len(erp_msg),
4150 sm->fils_erp_pmkid) == 0)
4151 sm->fils_erp_pmkid_set = 1;
4152 }
4153
4154 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
4155 buf);
4156
4157 fail:
4158 wpabuf_free(erp_msg);
4159 wpabuf_free(pub);
4160 return buf;
4161 }
4162
4163
fils_process_auth(struct wpa_sm * sm,const u8 * bssid,const u8 * data,size_t len)4164 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
4165 size_t len)
4166 {
4167 const u8 *pos, *end;
4168 struct ieee802_11_elems elems;
4169 struct wpa_ie_data rsn;
4170 int pmkid_match = 0;
4171 u8 ick[FILS_ICK_MAX_LEN];
4172 size_t ick_len;
4173 int res;
4174 struct wpabuf *dh_ss = NULL;
4175 const u8 *g_sta = NULL;
4176 size_t g_sta_len = 0;
4177 const u8 *g_ap = NULL;
4178 size_t g_ap_len = 0, kdk_len;
4179 struct wpabuf *pub = NULL;
4180
4181 os_memcpy(sm->bssid, bssid, ETH_ALEN);
4182
4183 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
4184 data, len);
4185 pos = data;
4186 end = data + len;
4187
4188 /* TODO: FILS PK */
4189 #ifdef CONFIG_FILS_SK_PFS
4190 if (sm->fils_dh_group) {
4191 u16 group;
4192
4193 /* Using FILS PFS */
4194
4195 /* Finite Cyclic Group */
4196 if (end - pos < 2) {
4197 wpa_printf(MSG_DEBUG,
4198 "FILS: No room for Finite Cyclic Group");
4199 goto fail;
4200 }
4201 group = WPA_GET_LE16(pos);
4202 pos += 2;
4203 if (group != sm->fils_dh_group) {
4204 wpa_printf(MSG_DEBUG,
4205 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
4206 group, sm->fils_dh_group);
4207 goto fail;
4208 }
4209
4210 /* Element */
4211 if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
4212 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
4213 goto fail;
4214 }
4215
4216 if (!sm->fils_ecdh) {
4217 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available");
4218 goto fail;
4219 }
4220 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
4221 sm->fils_dh_elem_len);
4222 if (!dh_ss) {
4223 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
4224 goto fail;
4225 }
4226 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss);
4227 g_ap = pos;
4228 g_ap_len = sm->fils_dh_elem_len;
4229 pos += sm->fils_dh_elem_len;
4230 }
4231 #endif /* CONFIG_FILS_SK_PFS */
4232
4233 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
4234 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
4235 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
4236 goto fail;
4237 }
4238
4239 /* RSNE */
4240 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
4241 elems.rsn_ie_len);
4242 if (!elems.rsn_ie ||
4243 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
4244 &rsn) < 0) {
4245 wpa_printf(MSG_DEBUG, "FILS: No RSN element");
4246 goto fail;
4247 }
4248
4249 if (!elems.fils_nonce) {
4250 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
4251 goto fail;
4252 }
4253 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
4254 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
4255
4256 #ifdef CONFIG_IEEE80211R
4257 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
4258 struct wpa_ft_ies parse;
4259
4260 if (!elems.mdie || !elems.ftie) {
4261 wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE");
4262 goto fail;
4263 }
4264
4265 if (wpa_ft_parse_ies(pos, end - pos, &parse,
4266 wpa_key_mgmt_sha384(sm->key_mgmt)) < 0) {
4267 wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs");
4268 goto fail;
4269 }
4270
4271 if (!parse.r0kh_id) {
4272 wpa_printf(MSG_DEBUG,
4273 "FILS+FT: No R0KH-ID subelem in FTE");
4274 goto fail;
4275 }
4276 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
4277 sm->r0kh_id_len = parse.r0kh_id_len;
4278 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
4279 sm->r0kh_id, sm->r0kh_id_len);
4280
4281 if (!parse.r1kh_id) {
4282 wpa_printf(MSG_DEBUG,
4283 "FILS+FT: No R1KH-ID subelem in FTE");
4284 goto fail;
4285 }
4286 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
4287 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID",
4288 sm->r1kh_id, FT_R1KH_ID_LEN);
4289
4290 /* TODO: Check MDE and FTE payload */
4291
4292 wpabuf_free(sm->fils_ft_ies);
4293 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len +
4294 2 + elems.ftie_len);
4295 if (!sm->fils_ft_ies)
4296 goto fail;
4297 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2,
4298 2 + elems.mdie_len);
4299 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2,
4300 2 + elems.ftie_len);
4301 } else {
4302 wpabuf_free(sm->fils_ft_ies);
4303 sm->fils_ft_ies = NULL;
4304 }
4305 #endif /* CONFIG_IEEE80211R */
4306
4307 /* PMKID List */
4308 if (rsn.pmkid && rsn.num_pmkid > 0) {
4309 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
4310 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
4311
4312 if (rsn.num_pmkid != 1) {
4313 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
4314 goto fail;
4315 }
4316 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
4317 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
4318 {
4319 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
4320 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
4321 sm->cur_pmksa->pmkid, PMKID_LEN);
4322 goto fail;
4323 }
4324 wpa_printf(MSG_DEBUG,
4325 "FILS: Matching PMKID - continue using PMKSA caching");
4326 pmkid_match = 1;
4327 }
4328 if (!pmkid_match && sm->cur_pmksa) {
4329 wpa_printf(MSG_DEBUG,
4330 "FILS: No PMKID match - cannot use cached PMKSA entry");
4331 sm->cur_pmksa = NULL;
4332 }
4333
4334 /* FILS Session */
4335 if (!elems.fils_session) {
4336 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
4337 goto fail;
4338 }
4339 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
4340 FILS_SESSION_LEN);
4341 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
4342 != 0) {
4343 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
4344 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
4345 sm->fils_session, FILS_SESSION_LEN);
4346 goto fail;
4347 }
4348
4349 /* Wrapped Data */
4350 if (!sm->cur_pmksa && elems.wrapped_data) {
4351 u8 rmsk[ERP_MAX_KEY_LEN];
4352 size_t rmsk_len;
4353
4354 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
4355 elems.wrapped_data,
4356 elems.wrapped_data_len);
4357 eapol_sm_process_erp_finish(sm->eapol, elems.wrapped_data,
4358 elems.wrapped_data_len);
4359 if (eapol_sm_failed(sm->eapol))
4360 goto fail;
4361
4362 rmsk_len = ERP_MAX_KEY_LEN;
4363 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
4364 if (res == PMK_LEN) {
4365 rmsk_len = PMK_LEN;
4366 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
4367 }
4368 if (res)
4369 goto fail;
4370
4371 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
4372 sm->fils_nonce, sm->fils_anonce,
4373 dh_ss ? wpabuf_head(dh_ss) : NULL,
4374 dh_ss ? wpabuf_len(dh_ss) : 0,
4375 sm->pmk, &sm->pmk_len);
4376 forced_memzero(rmsk, sizeof(rmsk));
4377
4378 /* Don't use DHss in PTK derivation if PMKSA caching is not
4379 * used. */
4380 wpabuf_clear_free(dh_ss);
4381 dh_ss = NULL;
4382
4383 if (res)
4384 goto fail;
4385
4386 if (!sm->fils_erp_pmkid_set) {
4387 wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
4388 goto fail;
4389 }
4390 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
4391 PMKID_LEN);
4392 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
4393 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
4394 sm->fils_erp_pmkid, NULL, 0,
4395 sm->bssid, sm->own_addr,
4396 sm->network_ctx, sm->key_mgmt,
4397 NULL);
4398 }
4399
4400 if (!sm->cur_pmksa) {
4401 wpa_printf(MSG_DEBUG,
4402 "FILS: No remaining options to continue FILS authentication");
4403 goto fail;
4404 }
4405
4406 if (sm->force_kdk_derivation ||
4407 (sm->secure_ltf &&
4408 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
4409 kdk_len = WPA_KDK_MAX_LEN;
4410 else
4411 kdk_len = 0;
4412
4413 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid,
4414 sm->fils_nonce, sm->fils_anonce,
4415 dh_ss ? wpabuf_head(dh_ss) : NULL,
4416 dh_ss ? wpabuf_len(dh_ss) : 0,
4417 &sm->ptk, ick, &ick_len,
4418 sm->key_mgmt, sm->pairwise_cipher,
4419 sm->fils_ft, &sm->fils_ft_len,
4420 kdk_len) < 0) {
4421 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
4422 goto fail;
4423 }
4424
4425 wpabuf_clear_free(dh_ss);
4426 dh_ss = NULL;
4427
4428 sm->ptk_set = 1;
4429 sm->tptk_set = 0;
4430 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
4431
4432 #ifdef CONFIG_FILS_SK_PFS
4433 if (sm->fils_dh_group) {
4434 if (!sm->fils_ecdh) {
4435 wpa_printf(MSG_INFO, "FILS: ECDH not initialized");
4436 goto fail;
4437 }
4438 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
4439 if (!pub)
4440 goto fail;
4441 wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub);
4442 g_sta = wpabuf_head(pub);
4443 g_sta_len = wpabuf_len(pub);
4444 if (!g_ap) {
4445 wpa_printf(MSG_INFO, "FILS: gAP not available");
4446 goto fail;
4447 }
4448 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
4449 }
4450 #endif /* CONFIG_FILS_SK_PFS */
4451
4452 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
4453 sm->fils_anonce, sm->own_addr, sm->bssid,
4454 g_sta, g_sta_len, g_ap, g_ap_len,
4455 sm->key_mgmt, sm->fils_key_auth_sta,
4456 sm->fils_key_auth_ap,
4457 &sm->fils_key_auth_len);
4458 wpabuf_free(pub);
4459 forced_memzero(ick, sizeof(ick));
4460 return res;
4461 fail:
4462 wpabuf_free(pub);
4463 wpabuf_clear_free(dh_ss);
4464 return -1;
4465 }
4466
4467
4468 #ifdef CONFIG_IEEE80211R
fils_ft_build_assoc_req_rsne(struct wpa_sm * sm,struct wpabuf * buf)4469 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf)
4470 {
4471 struct rsn_ie_hdr *rsnie;
4472 u16 capab;
4473 u8 *pos;
4474 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
4475
4476 /* RSNIE[PMKR0Name/PMKR1Name] */
4477 rsnie = wpabuf_put(buf, sizeof(*rsnie));
4478 rsnie->elem_id = WLAN_EID_RSN;
4479 WPA_PUT_LE16(rsnie->version, RSN_VERSION);
4480
4481 /* Group Suite Selector */
4482 if (!wpa_cipher_valid_group(sm->group_cipher)) {
4483 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
4484 sm->group_cipher);
4485 return -1;
4486 }
4487 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4488 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
4489 sm->group_cipher));
4490
4491 /* Pairwise Suite Count */
4492 wpabuf_put_le16(buf, 1);
4493
4494 /* Pairwise Suite List */
4495 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
4496 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
4497 sm->pairwise_cipher);
4498 return -1;
4499 }
4500 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4501 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
4502 sm->pairwise_cipher));
4503
4504 /* Authenticated Key Management Suite Count */
4505 wpabuf_put_le16(buf, 1);
4506
4507 /* Authenticated Key Management Suite List */
4508 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4509 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
4510 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
4511 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384)
4512 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
4513 else {
4514 wpa_printf(MSG_WARNING,
4515 "FILS+FT: Invalid key management type (%d)",
4516 sm->key_mgmt);
4517 return -1;
4518 }
4519
4520 /* RSN Capabilities */
4521 capab = 0;
4522 if (sm->mfp)
4523 capab |= WPA_CAPABILITY_MFPC;
4524 if (sm->mfp == 2)
4525 capab |= WPA_CAPABILITY_MFPR;
4526 if (sm->ocv)
4527 capab |= WPA_CAPABILITY_OCVC;
4528 if (sm->ext_key_id)
4529 capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST;
4530 wpabuf_put_le16(buf, capab);
4531
4532 /* PMKID Count */
4533 wpabuf_put_le16(buf, 1);
4534
4535 /* PMKID List [PMKR1Name] */
4536 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)",
4537 sm->fils_ft, sm->fils_ft_len);
4538 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len);
4539 wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID",
4540 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
4541 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
4542 sm->r0kh_id, sm->r0kh_id_len);
4543 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid,
4544 sm->ssid_len, sm->mobility_domain,
4545 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
4546 sm->pmk_r0, sm->pmk_r0_name, use_sha384) < 0) {
4547 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0");
4548 return -1;
4549 }
4550 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
4551 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR,
4552 MAC2STR(sm->r1kh_id));
4553 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
4554 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
4555 sm->pmk_r1_name, use_sha384) < 0) {
4556 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
4557 return -1;
4558 }
4559 os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN);
4560
4561 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
4562 /* Management Group Cipher Suite */
4563 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
4564 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
4565 }
4566
4567 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2;
4568 return 0;
4569 }
4570 #endif /* CONFIG_IEEE80211R */
4571
4572
fils_build_assoc_req(struct wpa_sm * sm,const u8 ** kek,size_t * kek_len,const u8 ** snonce,const u8 ** anonce,const struct wpabuf ** hlp,unsigned int num_hlp)4573 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
4574 size_t *kek_len, const u8 **snonce,
4575 const u8 **anonce,
4576 const struct wpabuf **hlp,
4577 unsigned int num_hlp)
4578 {
4579 struct wpabuf *buf;
4580 size_t len;
4581 unsigned int i;
4582
4583 len = 1000;
4584 #ifdef CONFIG_IEEE80211R
4585 if (sm->fils_ft_ies)
4586 len += wpabuf_len(sm->fils_ft_ies);
4587 if (wpa_key_mgmt_ft(sm->key_mgmt))
4588 len += 256;
4589 #endif /* CONFIG_IEEE80211R */
4590 for (i = 0; hlp && i < num_hlp; i++)
4591 len += 10 + wpabuf_len(hlp[i]);
4592 buf = wpabuf_alloc(len);
4593 if (!buf)
4594 return NULL;
4595
4596 #ifdef CONFIG_IEEE80211R
4597 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
4598 /* MDE and FTE when using FILS+FT */
4599 wpabuf_put_buf(buf, sm->fils_ft_ies);
4600 /* RSNE with PMKR1Name in PMKID field */
4601 if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) {
4602 wpabuf_free(buf);
4603 return NULL;
4604 }
4605 }
4606 #endif /* CONFIG_IEEE80211R */
4607
4608 /* FILS Session */
4609 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4610 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
4611 /* Element ID Extension */
4612 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
4613 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
4614
4615 /* Everything after FILS Session element gets encrypted in the driver
4616 * with KEK. The buffer returned from here is the plaintext version. */
4617
4618 /* TODO: FILS Public Key */
4619
4620 /* FILS Key Confirm */
4621 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4622 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
4623 /* Element ID Extension */
4624 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
4625 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
4626
4627 /* FILS HLP Container */
4628 for (i = 0; hlp && i < num_hlp; i++) {
4629 const u8 *pos = wpabuf_head(hlp[i]);
4630 size_t left = wpabuf_len(hlp[i]);
4631
4632 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
4633 if (left <= 254)
4634 len = 1 + left;
4635 else
4636 len = 255;
4637 wpabuf_put_u8(buf, len); /* Length */
4638 /* Element ID Extension */
4639 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
4640 /* Destination MAC Address, Source MAC Address, HLP Packet.
4641 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
4642 * header when LPD is used). */
4643 wpabuf_put_data(buf, pos, len - 1);
4644 pos += len - 1;
4645 left -= len - 1;
4646 while (left) {
4647 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
4648 len = left > 255 ? 255 : left;
4649 wpabuf_put_u8(buf, len);
4650 wpabuf_put_data(buf, pos, len);
4651 pos += len;
4652 left -= len;
4653 }
4654 }
4655
4656 /* TODO: FILS IP Address Assignment */
4657
4658 #ifdef CONFIG_OCV
4659 if (wpa_sm_ocv_enabled(sm)) {
4660 struct wpa_channel_info ci;
4661 u8 *pos;
4662
4663 if (wpa_sm_channel_info(sm, &ci) != 0) {
4664 wpa_printf(MSG_WARNING,
4665 "FILS: Failed to get channel info for OCI element");
4666 wpabuf_free(buf);
4667 return NULL;
4668 }
4669 #ifdef CONFIG_TESTING_OPTIONS
4670 if (sm->oci_freq_override_fils_assoc) {
4671 wpa_printf(MSG_INFO,
4672 "TEST: Override OCI KDE frequency %d -> %d MHz",
4673 ci.frequency,
4674 sm->oci_freq_override_fils_assoc);
4675 ci.frequency = sm->oci_freq_override_fils_assoc;
4676 }
4677 #endif /* CONFIG_TESTING_OPTIONS */
4678
4679 pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN);
4680 if (ocv_insert_extended_oci(&ci, pos) < 0) {
4681 wpabuf_free(buf);
4682 return NULL;
4683 }
4684 }
4685 #endif /* CONFIG_OCV */
4686
4687 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
4688
4689 *kek = sm->ptk.kek;
4690 *kek_len = sm->ptk.kek_len;
4691 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
4692 *snonce = sm->fils_nonce;
4693 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
4694 *snonce, FILS_NONCE_LEN);
4695 *anonce = sm->fils_anonce;
4696 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
4697 *anonce, FILS_NONCE_LEN);
4698
4699 return buf;
4700 }
4701
4702
fils_process_hlp_resp(struct wpa_sm * sm,const u8 * resp,size_t len)4703 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
4704 {
4705 const u8 *pos, *end;
4706
4707 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
4708 if (len < 2 * ETH_ALEN)
4709 return;
4710 pos = resp + 2 * ETH_ALEN;
4711 end = resp + len;
4712 if (end - pos >= 6 &&
4713 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
4714 pos += 6; /* Remove SNAP/LLC header */
4715 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
4716 }
4717
4718
fils_process_hlp_container(struct wpa_sm * sm,const u8 * pos,size_t len)4719 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
4720 size_t len)
4721 {
4722 const u8 *end = pos + len;
4723 u8 *tmp, *tmp_pos;
4724
4725 /* Check if there are any FILS HLP Container elements */
4726 while (end - pos >= 2) {
4727 if (2 + pos[1] > end - pos)
4728 return;
4729 if (pos[0] == WLAN_EID_EXTENSION &&
4730 pos[1] >= 1 + 2 * ETH_ALEN &&
4731 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
4732 break;
4733 pos += 2 + pos[1];
4734 }
4735 if (end - pos < 2)
4736 return; /* No FILS HLP Container elements */
4737
4738 tmp = os_malloc(end - pos);
4739 if (!tmp)
4740 return;
4741
4742 while (end - pos >= 2) {
4743 if (2 + pos[1] > end - pos ||
4744 pos[0] != WLAN_EID_EXTENSION ||
4745 pos[1] < 1 + 2 * ETH_ALEN ||
4746 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
4747 break;
4748 tmp_pos = tmp;
4749 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
4750 tmp_pos += pos[1] - 1;
4751 pos += 2 + pos[1];
4752
4753 /* Add possible fragments */
4754 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
4755 2 + pos[1] <= end - pos) {
4756 os_memcpy(tmp_pos, pos + 2, pos[1]);
4757 tmp_pos += pos[1];
4758 pos += 2 + pos[1];
4759 }
4760
4761 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
4762 }
4763
4764 os_free(tmp);
4765 }
4766
4767
fils_process_assoc_resp(struct wpa_sm * sm,const u8 * resp,size_t len)4768 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
4769 {
4770 const struct ieee80211_mgmt *mgmt;
4771 const u8 *end, *ie_start;
4772 struct ieee802_11_elems elems;
4773 int keylen, rsclen;
4774 enum wpa_alg alg;
4775 struct wpa_gtk_data gd;
4776 int maxkeylen;
4777 struct wpa_eapol_ie_parse kde;
4778
4779 if (!sm || !sm->ptk_set) {
4780 wpa_printf(MSG_DEBUG, "FILS: No KEK available");
4781 return -1;
4782 }
4783
4784 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
4785 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
4786 return -1;
4787 }
4788
4789 if (sm->fils_completed) {
4790 wpa_printf(MSG_DEBUG,
4791 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
4792 return -1;
4793 }
4794
4795 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
4796 resp, len);
4797
4798 mgmt = (const struct ieee80211_mgmt *) resp;
4799 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
4800 return -1;
4801
4802 end = resp + len;
4803 /* Same offset for Association Response and Reassociation Response */
4804 ie_start = mgmt->u.assoc_resp.variable;
4805
4806 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
4807 ParseFailed) {
4808 wpa_printf(MSG_DEBUG,
4809 "FILS: Failed to parse decrypted elements");
4810 goto fail;
4811 }
4812
4813 if (!elems.fils_session) {
4814 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
4815 return -1;
4816 }
4817 if (os_memcmp(elems.fils_session, sm->fils_session,
4818 FILS_SESSION_LEN) != 0) {
4819 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
4820 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
4821 elems.fils_session, FILS_SESSION_LEN);
4822 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
4823 sm->fils_session, FILS_SESSION_LEN);
4824 }
4825
4826 if (!elems.rsn_ie) {
4827 wpa_printf(MSG_DEBUG,
4828 "FILS: No RSNE in (Re)Association Response");
4829 /* As an interop workaround, allow this for now since IEEE Std
4830 * 802.11ai-2016 did not include all the needed changes to make
4831 * a FILS AP include RSNE in the frame. This workaround might
4832 * eventually be removed and replaced with rejection (goto fail)
4833 * to follow a strict interpretation of the standard. */
4834 } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
4835 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
4836 elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
4837 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4838 "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
4839 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
4840 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
4841 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
4842 elems.rsn_ie, elems.rsn_ie_len);
4843 goto fail;
4844 }
4845
4846 /* TODO: FILS Public Key */
4847
4848 if (!elems.fils_key_confirm) {
4849 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
4850 goto fail;
4851 }
4852 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
4853 wpa_printf(MSG_DEBUG,
4854 "FILS: Unexpected Key-Auth length %d (expected %d)",
4855 elems.fils_key_confirm_len,
4856 (int) sm->fils_key_auth_len);
4857 goto fail;
4858 }
4859 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
4860 sm->fils_key_auth_len) != 0) {
4861 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
4862 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
4863 elems.fils_key_confirm,
4864 elems.fils_key_confirm_len);
4865 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
4866 sm->fils_key_auth_ap, sm->fils_key_auth_len);
4867 goto fail;
4868 }
4869
4870 #ifdef CONFIG_OCV
4871 if (wpa_sm_ocv_enabled(sm)) {
4872 struct wpa_channel_info ci;
4873
4874 if (wpa_sm_channel_info(sm, &ci) != 0) {
4875 wpa_printf(MSG_WARNING,
4876 "Failed to get channel info to validate received OCI in FILS (Re)Association Response frame");
4877 goto fail;
4878 }
4879
4880 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
4881 channel_width_to_int(ci.chanwidth),
4882 ci.seg1_idx) != OCI_SUCCESS) {
4883 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
4884 "addr=" MACSTR " frame=fils-assoc error=%s",
4885 MAC2STR(sm->bssid), ocv_errorstr);
4886 goto fail;
4887 }
4888 }
4889 #endif /* CONFIG_OCV */
4890
4891 #ifdef CONFIG_IEEE80211R
4892 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
4893 struct wpa_ie_data rsn;
4894
4895 /* Check that PMKR1Name derived by the AP matches */
4896 if (!elems.rsn_ie ||
4897 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
4898 &rsn) < 0 ||
4899 !rsn.pmkid || rsn.num_pmkid != 1 ||
4900 os_memcmp(rsn.pmkid, sm->pmk_r1_name,
4901 WPA_PMK_NAME_LEN) != 0) {
4902 wpa_printf(MSG_DEBUG,
4903 "FILS+FT: No RSNE[PMKR1Name] match in AssocResp");
4904 goto fail;
4905 }
4906 }
4907 #endif /* CONFIG_IEEE80211R */
4908
4909 /* Key Delivery */
4910 if (!elems.key_delivery) {
4911 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
4912 goto fail;
4913 }
4914
4915 /* Parse GTK and set the key to the driver */
4916 os_memset(&gd, 0, sizeof(gd));
4917 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
4918 elems.key_delivery_len - WPA_KEY_RSC_LEN,
4919 &kde) < 0) {
4920 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
4921 goto fail;
4922 }
4923 if (!kde.gtk) {
4924 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
4925 goto fail;
4926 }
4927 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
4928 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
4929 gd.gtk_len, maxkeylen,
4930 &gd.key_rsc_len, &gd.alg))
4931 goto fail;
4932
4933 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
4934 gd.keyidx = kde.gtk[0] & 0x3;
4935 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
4936 !!(kde.gtk[0] & BIT(2)));
4937 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
4938 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
4939 (unsigned long) kde.gtk_len - 2);
4940 goto fail;
4941 }
4942 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
4943
4944 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
4945 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
4946 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
4947 goto fail;
4948 }
4949
4950 if (ieee80211w_set_keys(sm, &kde) < 0) {
4951 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
4952 goto fail;
4953 }
4954
4955 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
4956 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
4957 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
4958 wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
4959 keylen, (long unsigned int) sm->ptk.tk_len);
4960 goto fail;
4961 }
4962
4963 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
4964 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
4965 sm->ptk.tk, keylen);
4966 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen,
4967 sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE_RX_TX) < 0) {
4968 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4969 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
4970 MACSTR ")",
4971 alg, keylen, MAC2STR(sm->bssid));
4972 goto fail;
4973 }
4974
4975 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
4976 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
4977
4978 /* TODO: TK could be cleared after auth frame exchange now that driver
4979 * takes care of association frame encryption/decryption. */
4980 /* TK is not needed anymore in supplicant */
4981 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
4982 sm->ptk.tk_len = 0;
4983 sm->ptk.installed = 1;
4984
4985 /* FILS HLP Container */
4986 fils_process_hlp_container(sm, ie_start, end - ie_start);
4987
4988 /* TODO: FILS IP Address Assignment */
4989
4990 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
4991 sm->fils_completed = 1;
4992 forced_memzero(&gd, sizeof(gd));
4993
4994 if (kde.transition_disable)
4995 wpa_sm_transition_disable(sm, kde.transition_disable[0]);
4996
4997 return 0;
4998 fail:
4999 forced_memzero(&gd, sizeof(gd));
5000 return -1;
5001 }
5002
5003
wpa_sm_set_reset_fils_completed(struct wpa_sm * sm,int set)5004 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set)
5005 {
5006 if (sm)
5007 sm->fils_completed = !!set;
5008 }
5009
5010 #endif /* CONFIG_FILS */
5011
5012
wpa_fils_is_completed(struct wpa_sm * sm)5013 int wpa_fils_is_completed(struct wpa_sm *sm)
5014 {
5015 #ifdef CONFIG_FILS
5016 return sm && sm->fils_completed;
5017 #else /* CONFIG_FILS */
5018 return 0;
5019 #endif /* CONFIG_FILS */
5020 }
5021
5022
5023 #ifdef CONFIG_OWE
5024
owe_build_assoc_req(struct wpa_sm * sm,u16 group)5025 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group)
5026 {
5027 struct wpabuf *ie = NULL, *pub = NULL;
5028 size_t prime_len;
5029
5030 if (group == 19)
5031 prime_len = 32;
5032 else if (group == 20)
5033 prime_len = 48;
5034 else if (group == 21)
5035 prime_len = 66;
5036 else
5037 return NULL;
5038
5039 crypto_ecdh_deinit(sm->owe_ecdh);
5040 sm->owe_ecdh = crypto_ecdh_init(group);
5041 if (!sm->owe_ecdh)
5042 goto fail;
5043 sm->owe_group = group;
5044 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
5045 pub = wpabuf_zeropad(pub, prime_len);
5046 if (!pub)
5047 goto fail;
5048
5049 ie = wpabuf_alloc(5 + wpabuf_len(pub));
5050 if (!ie)
5051 goto fail;
5052 wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
5053 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
5054 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
5055 wpabuf_put_le16(ie, group);
5056 wpabuf_put_buf(ie, pub);
5057 wpabuf_free(pub);
5058 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
5059 ie);
5060
5061 return ie;
5062 fail:
5063 wpabuf_free(pub);
5064 crypto_ecdh_deinit(sm->owe_ecdh);
5065 sm->owe_ecdh = NULL;
5066 return NULL;
5067 }
5068
5069
owe_process_assoc_resp(struct wpa_sm * sm,const u8 * bssid,const u8 * resp_ies,size_t resp_ies_len)5070 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
5071 const u8 *resp_ies, size_t resp_ies_len)
5072 {
5073 struct ieee802_11_elems elems;
5074 u16 group;
5075 struct wpabuf *secret, *pub, *hkey;
5076 int res;
5077 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
5078 const char *info = "OWE Key Generation";
5079 const u8 *addr[2];
5080 size_t len[2];
5081 size_t hash_len, prime_len;
5082 struct wpa_ie_data data;
5083
5084 if (!resp_ies ||
5085 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
5086 ParseFailed) {
5087 wpa_printf(MSG_INFO,
5088 "OWE: Could not parse Association Response frame elements");
5089 return -1;
5090 }
5091
5092 if (sm->cur_pmksa && elems.rsn_ie &&
5093 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len,
5094 &data) == 0 &&
5095 data.num_pmkid == 1 && data.pmkid &&
5096 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) {
5097 wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching");
5098 wpa_sm_set_pmk_from_pmksa(sm);
5099 return 0;
5100 }
5101
5102 if (!elems.owe_dh) {
5103 wpa_printf(MSG_INFO,
5104 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
5105 return -1;
5106 }
5107
5108 group = WPA_GET_LE16(elems.owe_dh);
5109 if (group != sm->owe_group) {
5110 wpa_printf(MSG_INFO,
5111 "OWE: Unexpected Diffie-Hellman group in response: %u",
5112 group);
5113 return -1;
5114 }
5115
5116 if (!sm->owe_ecdh) {
5117 wpa_printf(MSG_INFO, "OWE: No ECDH state available");
5118 return -1;
5119 }
5120
5121 if (group == 19)
5122 prime_len = 32;
5123 else if (group == 20)
5124 prime_len = 48;
5125 else if (group == 21)
5126 prime_len = 66;
5127 else
5128 return -1;
5129
5130 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
5131 elems.owe_dh + 2,
5132 elems.owe_dh_len - 2);
5133 secret = wpabuf_zeropad(secret, prime_len);
5134 if (!secret) {
5135 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
5136 return -1;
5137 }
5138 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
5139
5140 /* prk = HKDF-extract(C | A | group, z) */
5141
5142 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
5143 if (!pub) {
5144 wpabuf_clear_free(secret);
5145 return -1;
5146 }
5147
5148 /* PMKID = Truncate-128(Hash(C | A)) */
5149 addr[0] = wpabuf_head(pub);
5150 len[0] = wpabuf_len(pub);
5151 addr[1] = elems.owe_dh + 2;
5152 len[1] = elems.owe_dh_len - 2;
5153 if (group == 19) {
5154 res = sha256_vector(2, addr, len, pmkid);
5155 hash_len = SHA256_MAC_LEN;
5156 } else if (group == 20) {
5157 res = sha384_vector(2, addr, len, pmkid);
5158 hash_len = SHA384_MAC_LEN;
5159 } else if (group == 21) {
5160 res = sha512_vector(2, addr, len, pmkid);
5161 hash_len = SHA512_MAC_LEN;
5162 } else {
5163 res = -1;
5164 hash_len = 0;
5165 }
5166 pub = wpabuf_zeropad(pub, prime_len);
5167 if (res < 0 || !pub) {
5168 wpabuf_free(pub);
5169 wpabuf_clear_free(secret);
5170 return -1;
5171 }
5172
5173 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
5174 if (!hkey) {
5175 wpabuf_free(pub);
5176 wpabuf_clear_free(secret);
5177 return -1;
5178 }
5179
5180 wpabuf_put_buf(hkey, pub); /* C */
5181 wpabuf_free(pub);
5182 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
5183 wpabuf_put_le16(hkey, sm->owe_group); /* group */
5184 if (group == 19)
5185 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
5186 wpabuf_head(secret), wpabuf_len(secret), prk);
5187 else if (group == 20)
5188 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
5189 wpabuf_head(secret), wpabuf_len(secret), prk);
5190 else if (group == 21)
5191 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
5192 wpabuf_head(secret), wpabuf_len(secret), prk);
5193 wpabuf_clear_free(hkey);
5194 wpabuf_clear_free(secret);
5195 if (res < 0)
5196 return -1;
5197
5198 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
5199
5200 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
5201
5202 if (group == 19)
5203 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
5204 os_strlen(info), sm->pmk, hash_len);
5205 else if (group == 20)
5206 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
5207 os_strlen(info), sm->pmk, hash_len);
5208 else if (group == 21)
5209 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
5210 os_strlen(info), sm->pmk, hash_len);
5211 forced_memzero(prk, SHA512_MAC_LEN);
5212 if (res < 0) {
5213 sm->pmk_len = 0;
5214 return -1;
5215 }
5216 sm->pmk_len = hash_len;
5217
5218 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
5219 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
5220 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
5221 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
5222 NULL);
5223
5224 return 0;
5225 }
5226
5227 #endif /* CONFIG_OWE */
5228
5229
wpa_sm_set_fils_cache_id(struct wpa_sm * sm,const u8 * fils_cache_id)5230 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id)
5231 {
5232 #ifdef CONFIG_FILS
5233 if (sm && fils_cache_id) {
5234 sm->fils_cache_id_set = 1;
5235 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN);
5236 }
5237 #endif /* CONFIG_FILS */
5238 }
5239
5240
5241 #ifdef CONFIG_DPP2
wpa_sm_set_dpp_z(struct wpa_sm * sm,const struct wpabuf * z)5242 void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z)
5243 {
5244 if (sm) {
5245 wpabuf_clear_free(sm->dpp_z);
5246 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
5247 }
5248 }
5249 #endif /* CONFIG_DPP2 */
5250
5251
5252 #ifdef CONFIG_PASN
wpa_pasn_pmksa_cache_add(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid,int key_mgmt)5253 void wpa_pasn_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
5254 const u8 *pmkid, const u8 *bssid, int key_mgmt)
5255 {
5256 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
5257 bssid, sm->own_addr, NULL,
5258 key_mgmt, 0);
5259 }
5260 #endif /* CONFIG_PASN */
5261
5262
wpa_sm_pmksa_cache_reconfig(struct wpa_sm * sm)5263 void wpa_sm_pmksa_cache_reconfig(struct wpa_sm *sm)
5264 {
5265 if (sm)
5266 pmksa_cache_reconfig(sm->pmksa);
5267 }
5268
