wpa.c revision 092955c7394ee96d6c8c9724ff46a3c038b36143
1/* 2 * WPA Supplicant - WPA state machine and EAPOL-Key processing 3 * Copyright (c) 2003-2015, Jouni Malinen <j@w1.fi> 4 * Copyright(c) 2015 Intel Deutschland GmbH 5 * 6 * This software may be distributed under the terms of the BSD license. 7 * See README for more details. 8 */ 9 10#include "includes.h" 11 12#include "common.h" 13#include "crypto/aes.h" 14#include "crypto/aes_wrap.h" 15#include "crypto/crypto.h" 16#include "crypto/random.h" 17#include "crypto/aes_siv.h" 18#include "common/ieee802_11_defs.h" 19#include "common/ieee802_11_common.h" 20#include "eap_common/eap_defs.h" 21#include "eapol_supp/eapol_supp_sm.h" 22#include "wpa.h" 23#include "eloop.h" 24#include "preauth.h" 25#include "pmksa_cache.h" 26#include "wpa_i.h" 27#include "wpa_ie.h" 28#include "peerkey.h" 29 30 31static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; 32 33 34/** 35 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message 36 * @sm: Pointer to WPA state machine data from wpa_sm_init() 37 * @ptk: PTK for Key Confirmation/Encryption Key 38 * @ver: Version field from Key Info 39 * @dest: Destination address for the frame 40 * @proto: Ethertype (usually ETH_P_EAPOL) 41 * @msg: EAPOL-Key message 42 * @msg_len: Length of message 43 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written 44 * Returns: >= 0 on success, < 0 on failure 45 */ 46int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk, 47 int ver, const u8 *dest, u16 proto, 48 u8 *msg, size_t msg_len, u8 *key_mic) 49{ 50 int ret = -1; 51 size_t mic_len = wpa_mic_len(sm->key_mgmt); 52 53 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) { 54 /* 55 * Association event was not yet received; try to fetch 56 * BSSID from the driver. 57 */ 58 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) { 59 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 60 "WPA: Failed to read BSSID for " 61 "EAPOL-Key destination address"); 62 } else { 63 dest = sm->bssid; 64 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 65 "WPA: Use BSSID (" MACSTR 66 ") as the destination for EAPOL-Key", 67 MAC2STR(dest)); 68 } 69 } 70 71 if (mic_len) { 72 if (key_mic && (!ptk || !ptk->kck_len)) 73 goto out; 74 75 if (key_mic && 76 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver, 77 msg, msg_len, key_mic)) { 78 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 79 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC", 80 ver, sm->key_mgmt); 81 goto out; 82 } 83 if (ptk) 84 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", 85 ptk->kck, ptk->kck_len); 86 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC", 87 key_mic, mic_len); 88 } else { 89#ifdef CONFIG_FILS 90 /* AEAD cipher - Key MIC field not used */ 91 struct ieee802_1x_hdr *s_hdr, *hdr; 92 struct wpa_eapol_key *s_key, *key; 93 u8 *buf, *s_key_data, *key_data; 94 size_t buf_len = msg_len + AES_BLOCK_SIZE; 95 size_t key_data_len; 96 u16 eapol_len; 97 const u8 *aad[1]; 98 size_t aad_len[1]; 99 100 if (!ptk || !ptk->kek_len) 101 goto out; 102 103 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) - 104 sizeof(struct wpa_eapol_key) - 2; 105 106 buf = os_malloc(buf_len); 107 if (!buf) 108 goto out; 109 110 os_memcpy(buf, msg, msg_len); 111 hdr = (struct ieee802_1x_hdr *) buf; 112 key = (struct wpa_eapol_key *) (hdr + 1); 113 key_data = ((u8 *) (key + 1)) + 2; 114 115 /* Update EAPOL header to include AES-SIV overhead */ 116 eapol_len = be_to_host16(hdr->length); 117 eapol_len += AES_BLOCK_SIZE; 118 hdr->length = host_to_be16(eapol_len); 119 120 /* Update Key Data Length field to include AES-SIV overhead */ 121 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len); 122 123 s_hdr = (struct ieee802_1x_hdr *) msg; 124 s_key = (struct wpa_eapol_key *) (s_hdr + 1); 125 s_key_data = ((u8 *) (s_key + 1)) + 2; 126 127 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data", 128 s_key_data, key_data_len); 129 130 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len); 131 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 132 * to Key Data (exclusive). */ 133 aad[0] = buf; 134 aad_len[0] = key_data - buf; 135 if (aes_siv_encrypt(ptk->kek, ptk->kek_len, 136 s_key_data, key_data_len, 137 1, aad, aad_len, key_data) < 0) { 138 os_free(buf); 139 goto out; 140 } 141 142 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV", 143 key_data, AES_BLOCK_SIZE + key_data_len); 144 145 os_free(msg); 146 msg = buf; 147 msg_len = buf_len; 148#else /* CONFIG_FILS */ 149 goto out; 150#endif /* CONFIG_FILS */ 151 } 152 153 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len); 154 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len); 155 eapol_sm_notify_tx_eapol_key(sm->eapol); 156out: 157 os_free(msg); 158 return ret; 159} 160 161 162/** 163 * wpa_sm_key_request - Send EAPOL-Key Request 164 * @sm: Pointer to WPA state machine data from wpa_sm_init() 165 * @error: Indicate whether this is an Michael MIC error report 166 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet 167 * 168 * Send an EAPOL-Key Request to the current authenticator. This function is 169 * used to request rekeying and it is usually called when a local Michael MIC 170 * failure is detected. 171 */ 172void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise) 173{ 174 size_t mic_len, hdrlen, rlen; 175 struct wpa_eapol_key *reply; 176 int key_info, ver; 177 u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic; 178 179 if (sm->key_mgmt == WPA_KEY_MGMT_OSEN || 180 wpa_key_mgmt_suite_b(sm->key_mgmt)) 181 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED; 182 else if (wpa_key_mgmt_ft(sm->key_mgmt) || 183 wpa_key_mgmt_sha256(sm->key_mgmt)) 184 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC; 185 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP) 186 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 187 else 188 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 189 190 if (wpa_sm_get_bssid(sm, bssid) < 0) { 191 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 192 "Failed to read BSSID for EAPOL-Key request"); 193 return; 194 } 195 196 mic_len = wpa_mic_len(sm->key_mgmt); 197 hdrlen = sizeof(*reply) + mic_len + 2; 198 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 199 hdrlen, &rlen, (void *) &reply); 200 if (rbuf == NULL) 201 return; 202 203 reply->type = (sm->proto == WPA_PROTO_RSN || 204 sm->proto == WPA_PROTO_OSEN) ? 205 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 206 key_info = WPA_KEY_INFO_REQUEST | ver; 207 if (sm->ptk_set) 208 key_info |= WPA_KEY_INFO_SECURE; 209 if (sm->ptk_set && mic_len) 210 key_info |= WPA_KEY_INFO_MIC; 211 if (error) 212 key_info |= WPA_KEY_INFO_ERROR; 213 if (pairwise) 214 key_info |= WPA_KEY_INFO_KEY_TYPE; 215 WPA_PUT_BE16(reply->key_info, key_info); 216 WPA_PUT_BE16(reply->key_length, 0); 217 os_memcpy(reply->replay_counter, sm->request_counter, 218 WPA_REPLAY_COUNTER_LEN); 219 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN); 220 221 mic = (u8 *) (reply + 1); 222 WPA_PUT_BE16(mic + mic_len, 0); 223 if (!(key_info & WPA_KEY_INFO_MIC)) 224 key_mic = NULL; 225 else 226 key_mic = mic; 227 228 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 229 "WPA: Sending EAPOL-Key Request (error=%d " 230 "pairwise=%d ptk_set=%d len=%lu)", 231 error, pairwise, sm->ptk_set, (unsigned long) rlen); 232 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen, 233 key_mic); 234} 235 236 237static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm) 238{ 239#ifdef CONFIG_IEEE80211R 240 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) { 241 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len)) 242 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 243 "RSN: Cannot set low order 256 bits of MSK for key management offload"); 244 } else { 245#endif /* CONFIG_IEEE80211R */ 246 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len)) 247 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 248 "RSN: Cannot set PMK for key management offload"); 249#ifdef CONFIG_IEEE80211R 250 } 251#endif /* CONFIG_IEEE80211R */ 252} 253 254 255static int wpa_supplicant_get_pmk(struct wpa_sm *sm, 256 const unsigned char *src_addr, 257 const u8 *pmkid) 258{ 259 int abort_cached = 0; 260 261 if (pmkid && !sm->cur_pmksa) { 262 /* When using drivers that generate RSN IE, wpa_supplicant may 263 * not have enough time to get the association information 264 * event before receiving this 1/4 message, so try to find a 265 * matching PMKSA cache entry here. */ 266 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid, 267 NULL); 268 if (sm->cur_pmksa) { 269 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 270 "RSN: found matching PMKID from PMKSA cache"); 271 } else { 272 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 273 "RSN: no matching PMKID found"); 274 abort_cached = 1; 275 } 276 } 277 278 if (pmkid && sm->cur_pmksa && 279 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) { 280 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN); 281 wpa_sm_set_pmk_from_pmksa(sm); 282 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache", 283 sm->pmk, sm->pmk_len); 284 eapol_sm_notify_cached(sm->eapol); 285#ifdef CONFIG_IEEE80211R 286 sm->xxkey_len = 0; 287#endif /* CONFIG_IEEE80211R */ 288 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) { 289 int res, pmk_len; 290 291 if (sm->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 292 pmk_len = PMK_LEN_SUITE_B_192; 293 else 294 pmk_len = PMK_LEN; 295 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len); 296 if (res) { 297 if (pmk_len == PMK_LEN) { 298 /* 299 * EAP-LEAP is an exception from other EAP 300 * methods: it uses only 16-byte PMK. 301 */ 302 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16); 303 pmk_len = 16; 304 } 305 } else { 306#ifdef CONFIG_IEEE80211R 307 u8 buf[2 * PMK_LEN]; 308 if (eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) 309 { 310 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN); 311 sm->xxkey_len = PMK_LEN; 312 os_memset(buf, 0, sizeof(buf)); 313 } 314#endif /* CONFIG_IEEE80211R */ 315 } 316 if (res == 0) { 317 struct rsn_pmksa_cache_entry *sa = NULL; 318 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state " 319 "machines", sm->pmk, pmk_len); 320 sm->pmk_len = pmk_len; 321 wpa_supplicant_key_mgmt_set_pmk(sm); 322 if (sm->proto == WPA_PROTO_RSN && 323 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 324 !wpa_key_mgmt_ft(sm->key_mgmt)) { 325 sa = pmksa_cache_add(sm->pmksa, 326 sm->pmk, pmk_len, NULL, 327 NULL, 0, 328 src_addr, sm->own_addr, 329 sm->network_ctx, 330 sm->key_mgmt); 331 } 332 if (!sm->cur_pmksa && pmkid && 333 pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL)) 334 { 335 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 336 "RSN: the new PMK matches with the " 337 "PMKID"); 338 abort_cached = 0; 339 } else if (sa && !sm->cur_pmksa && pmkid) { 340 /* 341 * It looks like the authentication server 342 * derived mismatching MSK. This should not 343 * really happen, but bugs happen.. There is not 344 * much we can do here without knowing what 345 * exactly caused the server to misbehave. 346 */ 347 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 348 "RSN: PMKID mismatch - authentication server may have derived different MSK?!"); 349 return -1; 350 } 351 352 if (!sm->cur_pmksa) 353 sm->cur_pmksa = sa; 354 } else { 355 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 356 "WPA: Failed to get master session key from " 357 "EAPOL state machines - key handshake " 358 "aborted"); 359 if (sm->cur_pmksa) { 360 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 361 "RSN: Cancelled PMKSA caching " 362 "attempt"); 363 sm->cur_pmksa = NULL; 364 abort_cached = 1; 365 } else if (!abort_cached) { 366 return -1; 367 } 368 } 369 } 370 371 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && 372 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 373 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN) 374 { 375 /* Send EAPOL-Start to trigger full EAP authentication. */ 376 u8 *buf; 377 size_t buflen; 378 379 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 380 "RSN: no PMKSA entry found - trigger " 381 "full EAP authentication"); 382 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START, 383 NULL, 0, &buflen, NULL); 384 if (buf) { 385 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL, 386 buf, buflen); 387 os_free(buf); 388 return -2; 389 } 390 391 return -1; 392 } 393 394 return 0; 395} 396 397 398/** 399 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake 400 * @sm: Pointer to WPA state machine data from wpa_sm_init() 401 * @dst: Destination address for the frame 402 * @key: Pointer to the EAPOL-Key frame header 403 * @ver: Version bits from EAPOL-Key Key Info 404 * @nonce: Nonce value for the EAPOL-Key frame 405 * @wpa_ie: WPA/RSN IE 406 * @wpa_ie_len: Length of the WPA/RSN IE 407 * @ptk: PTK to use for keyed hash and encryption 408 * Returns: >= 0 on success, < 0 on failure 409 */ 410int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst, 411 const struct wpa_eapol_key *key, 412 int ver, const u8 *nonce, 413 const u8 *wpa_ie, size_t wpa_ie_len, 414 struct wpa_ptk *ptk) 415{ 416 size_t mic_len, hdrlen, rlen; 417 struct wpa_eapol_key *reply; 418 u8 *rbuf, *key_mic; 419 u8 *rsn_ie_buf = NULL; 420 u16 key_info; 421 422 if (wpa_ie == NULL) { 423 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - " 424 "cannot generate msg 2/4"); 425 return -1; 426 } 427 428#ifdef CONFIG_IEEE80211R 429 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 430 int res; 431 432 /* 433 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and 434 * FTIE from (Re)Association Response. 435 */ 436 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN + 437 sm->assoc_resp_ies_len); 438 if (rsn_ie_buf == NULL) 439 return -1; 440 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len); 441 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len, 442 sm->pmk_r1_name); 443 if (res < 0) { 444 os_free(rsn_ie_buf); 445 return -1; 446 } 447 448 if (sm->assoc_resp_ies) { 449 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies, 450 sm->assoc_resp_ies_len); 451 wpa_ie_len += sm->assoc_resp_ies_len; 452 } 453 454 wpa_ie = rsn_ie_buf; 455 } 456#endif /* CONFIG_IEEE80211R */ 457 458 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len); 459 460 mic_len = wpa_mic_len(sm->key_mgmt); 461 hdrlen = sizeof(*reply) + mic_len + 2; 462 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, 463 NULL, hdrlen + wpa_ie_len, 464 &rlen, (void *) &reply); 465 if (rbuf == NULL) { 466 os_free(rsn_ie_buf); 467 return -1; 468 } 469 470 reply->type = (sm->proto == WPA_PROTO_RSN || 471 sm->proto == WPA_PROTO_OSEN) ? 472 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 473 key_info = ver | WPA_KEY_INFO_KEY_TYPE; 474 if (mic_len) 475 key_info |= WPA_KEY_INFO_MIC; 476 else 477 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 478 WPA_PUT_BE16(reply->key_info, key_info); 479 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 480 WPA_PUT_BE16(reply->key_length, 0); 481 else 482 os_memcpy(reply->key_length, key->key_length, 2); 483 os_memcpy(reply->replay_counter, key->replay_counter, 484 WPA_REPLAY_COUNTER_LEN); 485 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter, 486 WPA_REPLAY_COUNTER_LEN); 487 488 key_mic = (u8 *) (reply + 1); 489 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */ 490 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */ 491 os_free(rsn_ie_buf); 492 493 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN); 494 495 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4"); 496 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen, 497 key_mic); 498} 499 500 501static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr, 502 const struct wpa_eapol_key *key, struct wpa_ptk *ptk) 503{ 504#ifdef CONFIG_IEEE80211R 505 if (wpa_key_mgmt_ft(sm->key_mgmt)) 506 return wpa_derive_ptk_ft(sm, src_addr, key, ptk); 507#endif /* CONFIG_IEEE80211R */ 508 509 return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion", 510 sm->own_addr, sm->bssid, sm->snonce, 511 key->key_nonce, ptk, sm->key_mgmt, 512 sm->pairwise_cipher); 513} 514 515 516static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, 517 const unsigned char *src_addr, 518 const struct wpa_eapol_key *key, 519 u16 ver, const u8 *key_data, 520 size_t key_data_len) 521{ 522 struct wpa_eapol_ie_parse ie; 523 struct wpa_ptk *ptk; 524 int res; 525 u8 *kde, *kde_buf = NULL; 526 size_t kde_len; 527 528 if (wpa_sm_get_network_ctx(sm) == NULL) { 529 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info " 530 "found (msg 1 of 4)"); 531 return; 532 } 533 534 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE); 535 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way " 536 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 537 538 os_memset(&ie, 0, sizeof(ie)); 539 540 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) { 541 /* RSN: msg 1/4 should contain PMKID for the selected PMK */ 542 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", 543 key_data, key_data_len); 544 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) 545 goto failed; 546 if (ie.pmkid) { 547 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from " 548 "Authenticator", ie.pmkid, PMKID_LEN); 549 } 550 } 551 552 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid); 553 if (res == -2) { 554 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to " 555 "msg 1/4 - requesting full EAP authentication"); 556 return; 557 } 558 if (res) 559 goto failed; 560 561 if (sm->renew_snonce) { 562 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) { 563 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 564 "WPA: Failed to get random data for SNonce"); 565 goto failed; 566 } 567 sm->renew_snonce = 0; 568 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce", 569 sm->snonce, WPA_NONCE_LEN); 570 } 571 572 /* Calculate PTK which will be stored as a temporary PTK until it has 573 * been verified when processing message 3/4. */ 574 ptk = &sm->tptk; 575 wpa_derive_ptk(sm, src_addr, key, ptk); 576 if (sm->pairwise_cipher == WPA_CIPHER_TKIP) { 577 u8 buf[8]; 578 /* Supplicant: swap tx/rx Mic keys */ 579 os_memcpy(buf, &ptk->tk[16], 8); 580 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8); 581 os_memcpy(&ptk->tk[24], buf, 8); 582 os_memset(buf, 0, sizeof(buf)); 583 } 584 sm->tptk_set = 1; 585 sm->tk_to_set = 1; 586 587 kde = sm->assoc_wpa_ie; 588 kde_len = sm->assoc_wpa_ie_len; 589 590#ifdef CONFIG_P2P 591 if (sm->p2p) { 592 kde_buf = os_malloc(kde_len + 2 + RSN_SELECTOR_LEN + 1); 593 if (kde_buf) { 594 u8 *pos; 595 wpa_printf(MSG_DEBUG, "P2P: Add IP Address Request KDE " 596 "into EAPOL-Key 2/4"); 597 os_memcpy(kde_buf, kde, kde_len); 598 kde = kde_buf; 599 pos = kde + kde_len; 600 *pos++ = WLAN_EID_VENDOR_SPECIFIC; 601 *pos++ = RSN_SELECTOR_LEN + 1; 602 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ); 603 pos += RSN_SELECTOR_LEN; 604 *pos++ = 0x01; 605 kde_len = pos - kde; 606 } 607 } 608#endif /* CONFIG_P2P */ 609 610 if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce, 611 kde, kde_len, ptk) < 0) 612 goto failed; 613 614 os_free(kde_buf); 615 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN); 616 return; 617 618failed: 619 os_free(kde_buf); 620 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 621} 622 623 624static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx) 625{ 626 struct wpa_sm *sm = eloop_ctx; 627 rsn_preauth_candidate_process(sm); 628} 629 630 631static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm, 632 const u8 *addr, int secure) 633{ 634 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 635 "WPA: Key negotiation completed with " 636 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr), 637 wpa_cipher_txt(sm->pairwise_cipher), 638 wpa_cipher_txt(sm->group_cipher)); 639 wpa_sm_cancel_auth_timeout(sm); 640 wpa_sm_set_state(sm, WPA_COMPLETED); 641 642 if (secure) { 643 wpa_sm_mlme_setprotection( 644 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX, 645 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE); 646 eapol_sm_notify_portValid(sm->eapol, TRUE); 647 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt)) 648 eapol_sm_notify_eap_success(sm->eapol, TRUE); 649 /* 650 * Start preauthentication after a short wait to avoid a 651 * possible race condition between the data receive and key 652 * configuration after the 4-Way Handshake. This increases the 653 * likelihood of the first preauth EAPOL-Start frame getting to 654 * the target AP. 655 */ 656 eloop_register_timeout(1, 0, wpa_sm_start_preauth, sm, NULL); 657 } 658 659 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) { 660 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 661 "RSN: Authenticator accepted " 662 "opportunistic PMKSA entry - marking it valid"); 663 sm->cur_pmksa->opportunistic = 0; 664 } 665 666#ifdef CONFIG_IEEE80211R 667 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 668 /* Prepare for the next transition */ 669 wpa_ft_prepare_auth_request(sm, NULL); 670 } 671#endif /* CONFIG_IEEE80211R */ 672} 673 674 675static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 676{ 677 struct wpa_sm *sm = eloop_ctx; 678 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying"); 679 wpa_sm_key_request(sm, 0, 1); 680} 681 682 683static int wpa_supplicant_install_ptk(struct wpa_sm *sm, 684 const struct wpa_eapol_key *key) 685{ 686 int keylen, rsclen; 687 enum wpa_alg alg; 688 const u8 *key_rsc; 689 690 if (!sm->tk_to_set) { 691 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 692 "WPA: Do not re-install same PTK to the driver"); 693 return 0; 694 } 695 696 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 697 "WPA: Installing PTK to the driver"); 698 699 if (sm->pairwise_cipher == WPA_CIPHER_NONE) { 700 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher " 701 "Suite: NONE - do not use pairwise keys"); 702 return 0; 703 } 704 705 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) { 706 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 707 "WPA: Unsupported pairwise cipher %d", 708 sm->pairwise_cipher); 709 return -1; 710 } 711 712 alg = wpa_cipher_to_alg(sm->pairwise_cipher); 713 keylen = wpa_cipher_key_len(sm->pairwise_cipher); 714 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher); 715 716 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) { 717 key_rsc = null_rsc; 718 } else { 719 key_rsc = key->key_rsc; 720 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); 721 } 722 723 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, key_rsc, rsclen, 724 sm->ptk.tk, keylen) < 0) { 725 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 726 "WPA: Failed to set PTK to the " 727 "driver (alg=%d keylen=%d bssid=" MACSTR ")", 728 alg, keylen, MAC2STR(sm->bssid)); 729 return -1; 730 } 731 732 /* TK is not needed anymore in supplicant */ 733 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); 734 sm->tk_to_set = 0; 735 736 if (sm->wpa_ptk_rekey) { 737 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 738 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk, 739 sm, NULL); 740 } 741 742 return 0; 743} 744 745 746static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm, 747 int group_cipher, 748 int keylen, int maxkeylen, 749 int *key_rsc_len, 750 enum wpa_alg *alg) 751{ 752 int klen; 753 754 *alg = wpa_cipher_to_alg(group_cipher); 755 if (*alg == WPA_ALG_NONE) { 756 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 757 "WPA: Unsupported Group Cipher %d", 758 group_cipher); 759 return -1; 760 } 761 *key_rsc_len = wpa_cipher_rsc_len(group_cipher); 762 763 klen = wpa_cipher_key_len(group_cipher); 764 if (keylen != klen || maxkeylen < klen) { 765 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 766 "WPA: Unsupported %s Group Cipher key length %d (%d)", 767 wpa_cipher_txt(group_cipher), keylen, maxkeylen); 768 return -1; 769 } 770 return 0; 771} 772 773 774struct wpa_gtk_data { 775 enum wpa_alg alg; 776 int tx, key_rsc_len, keyidx; 777 u8 gtk[32]; 778 int gtk_len; 779}; 780 781 782static int wpa_supplicant_install_gtk(struct wpa_sm *sm, 783 const struct wpa_gtk_data *gd, 784 const u8 *key_rsc) 785{ 786 const u8 *_gtk = gd->gtk; 787 u8 gtk_buf[32]; 788 789 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len); 790 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 791 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", 792 gd->keyidx, gd->tx, gd->gtk_len); 793 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len); 794 if (sm->group_cipher == WPA_CIPHER_TKIP) { 795 /* Swap Tx/Rx keys for Michael MIC */ 796 os_memcpy(gtk_buf, gd->gtk, 16); 797 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8); 798 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8); 799 _gtk = gtk_buf; 800 } 801 if (sm->pairwise_cipher == WPA_CIPHER_NONE) { 802 if (wpa_sm_set_key(sm, gd->alg, NULL, 803 gd->keyidx, 1, key_rsc, gd->key_rsc_len, 804 _gtk, gd->gtk_len) < 0) { 805 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 806 "WPA: Failed to set GTK to the driver " 807 "(Group only)"); 808 os_memset(gtk_buf, 0, sizeof(gtk_buf)); 809 return -1; 810 } 811 } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr, 812 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, 813 _gtk, gd->gtk_len) < 0) { 814 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 815 "WPA: Failed to set GTK to " 816 "the driver (alg=%d keylen=%d keyidx=%d)", 817 gd->alg, gd->gtk_len, gd->keyidx); 818 os_memset(gtk_buf, 0, sizeof(gtk_buf)); 819 return -1; 820 } 821 os_memset(gtk_buf, 0, sizeof(gtk_buf)); 822 823 return 0; 824} 825 826 827static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm, 828 int tx) 829{ 830 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) { 831 /* Ignore Tx bit for GTK if a pairwise key is used. One AP 832 * seemed to set this bit (incorrectly, since Tx is only when 833 * doing Group Key only APs) and without this workaround, the 834 * data connection does not work because wpa_supplicant 835 * configured non-zero keyidx to be used for unicast. */ 836 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 837 "WPA: Tx bit set for GTK, but pairwise " 838 "keys are used - ignore Tx bit"); 839 return 0; 840 } 841 return tx; 842} 843 844 845static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm, 846 const u8 *rsc) 847{ 848 int rsclen; 849 850 if (!sm->wpa_rsc_relaxation) 851 return 0; 852 853 rsclen = wpa_cipher_rsc_len(sm->group_cipher); 854 855 /* 856 * Try to detect RSC (endian) corruption issue where the AP sends 857 * the RSC bytes in EAPOL-Key message in the wrong order, both if 858 * it's actually a 6-byte field (as it should be) and if it treats 859 * it as an 8-byte field. 860 * An AP model known to have this bug is the Sapido RB-1632. 861 */ 862 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) { 863 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 864 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0", 865 rsc[0], rsc[1], rsc[2], rsc[3], 866 rsc[4], rsc[5], rsc[6], rsc[7]); 867 868 return 1; 869 } 870 871 return 0; 872} 873 874 875static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, 876 const struct wpa_eapol_key *key, 877 const u8 *gtk, size_t gtk_len, 878 int key_info) 879{ 880 struct wpa_gtk_data gd; 881 const u8 *key_rsc; 882 883 /* 884 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x 885 * GTK KDE format: 886 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7] 887 * Reserved [bits 0-7] 888 * GTK 889 */ 890 891 os_memset(&gd, 0, sizeof(gd)); 892 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake", 893 gtk, gtk_len); 894 895 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk)) 896 return -1; 897 898 gd.keyidx = gtk[0] & 0x3; 899 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 900 !!(gtk[0] & BIT(2))); 901 gtk += 2; 902 gtk_len -= 2; 903 904 os_memcpy(gd.gtk, gtk, gtk_len); 905 gd.gtk_len = gtk_len; 906 907 key_rsc = key->key_rsc; 908 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) 909 key_rsc = null_rsc; 910 911 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED && 912 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 913 gtk_len, gtk_len, 914 &gd.key_rsc_len, &gd.alg) || 915 wpa_supplicant_install_gtk(sm, &gd, key_rsc))) { 916 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 917 "RSN: Failed to install GTK"); 918 os_memset(&gd, 0, sizeof(gd)); 919 return -1; 920 } 921 os_memset(&gd, 0, sizeof(gd)); 922 923 wpa_supplicant_key_neg_complete(sm, sm->bssid, 924 key_info & WPA_KEY_INFO_SECURE); 925 return 0; 926} 927 928 929static int ieee80211w_set_keys(struct wpa_sm *sm, 930 struct wpa_eapol_ie_parse *ie) 931{ 932#ifdef CONFIG_IEEE80211W 933 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher)) 934 return 0; 935 936 if (ie->igtk) { 937 size_t len; 938 const struct wpa_igtk_kde *igtk; 939 u16 keyidx; 940 len = wpa_cipher_key_len(sm->mgmt_group_cipher); 941 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) 942 return -1; 943 igtk = (const struct wpa_igtk_kde *) ie->igtk; 944 keyidx = WPA_GET_LE16(igtk->keyid); 945 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d " 946 "pn %02x%02x%02x%02x%02x%02x", 947 keyidx, MAC2STR(igtk->pn)); 948 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", 949 igtk->igtk, len); 950 if (keyidx > 4095) { 951 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 952 "WPA: Invalid IGTK KeyID %d", keyidx); 953 return -1; 954 } 955 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), 956 broadcast_ether_addr, 957 keyidx, 0, igtk->pn, sizeof(igtk->pn), 958 igtk->igtk, len) < 0) { 959 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 960 "WPA: Failed to configure IGTK to the driver"); 961 return -1; 962 } 963 } 964 965 return 0; 966#else /* CONFIG_IEEE80211W */ 967 return 0; 968#endif /* CONFIG_IEEE80211W */ 969} 970 971 972static void wpa_report_ie_mismatch(struct wpa_sm *sm, 973 const char *reason, const u8 *src_addr, 974 const u8 *wpa_ie, size_t wpa_ie_len, 975 const u8 *rsn_ie, size_t rsn_ie_len) 976{ 977 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")", 978 reason, MAC2STR(src_addr)); 979 980 if (sm->ap_wpa_ie) { 981 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp", 982 sm->ap_wpa_ie, sm->ap_wpa_ie_len); 983 } 984 if (wpa_ie) { 985 if (!sm->ap_wpa_ie) { 986 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 987 "WPA: No WPA IE in Beacon/ProbeResp"); 988 } 989 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg", 990 wpa_ie, wpa_ie_len); 991 } 992 993 if (sm->ap_rsn_ie) { 994 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp", 995 sm->ap_rsn_ie, sm->ap_rsn_ie_len); 996 } 997 if (rsn_ie) { 998 if (!sm->ap_rsn_ie) { 999 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1000 "WPA: No RSN IE in Beacon/ProbeResp"); 1001 } 1002 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg", 1003 rsn_ie, rsn_ie_len); 1004 } 1005 1006 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS); 1007} 1008 1009 1010#ifdef CONFIG_IEEE80211R 1011 1012static int ft_validate_mdie(struct wpa_sm *sm, 1013 const unsigned char *src_addr, 1014 struct wpa_eapol_ie_parse *ie, 1015 const u8 *assoc_resp_mdie) 1016{ 1017 struct rsn_mdie *mdie; 1018 1019 mdie = (struct rsn_mdie *) (ie->mdie + 2); 1020 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) || 1021 os_memcmp(mdie->mobility_domain, sm->mobility_domain, 1022 MOBILITY_DOMAIN_ID_LEN) != 0) { 1023 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did " 1024 "not match with the current mobility domain"); 1025 return -1; 1026 } 1027 1028 if (assoc_resp_mdie && 1029 (assoc_resp_mdie[1] != ie->mdie[1] || 1030 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) { 1031 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch"); 1032 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4", 1033 ie->mdie, 2 + ie->mdie[1]); 1034 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response", 1035 assoc_resp_mdie, 2 + assoc_resp_mdie[1]); 1036 return -1; 1037 } 1038 1039 return 0; 1040} 1041 1042 1043static int ft_validate_ftie(struct wpa_sm *sm, 1044 const unsigned char *src_addr, 1045 struct wpa_eapol_ie_parse *ie, 1046 const u8 *assoc_resp_ftie) 1047{ 1048 if (ie->ftie == NULL) { 1049 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1050 "FT: No FTIE in EAPOL-Key msg 3/4"); 1051 return -1; 1052 } 1053 1054 if (assoc_resp_ftie == NULL) 1055 return 0; 1056 1057 if (assoc_resp_ftie[1] != ie->ftie[1] || 1058 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) { 1059 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch"); 1060 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4", 1061 ie->ftie, 2 + ie->ftie[1]); 1062 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response", 1063 assoc_resp_ftie, 2 + assoc_resp_ftie[1]); 1064 return -1; 1065 } 1066 1067 return 0; 1068} 1069 1070 1071static int ft_validate_rsnie(struct wpa_sm *sm, 1072 const unsigned char *src_addr, 1073 struct wpa_eapol_ie_parse *ie) 1074{ 1075 struct wpa_ie_data rsn; 1076 1077 if (!ie->rsn_ie) 1078 return 0; 1079 1080 /* 1081 * Verify that PMKR1Name from EAPOL-Key message 3/4 1082 * matches with the value we derived. 1083 */ 1084 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 || 1085 rsn.num_pmkid != 1 || rsn.pmkid == NULL) { 1086 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in " 1087 "FT 4-way handshake message 3/4"); 1088 return -1; 1089 } 1090 1091 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0) 1092 { 1093 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1094 "FT: PMKR1Name mismatch in " 1095 "FT 4-way handshake message 3/4"); 1096 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator", 1097 rsn.pmkid, WPA_PMK_NAME_LEN); 1098 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 1099 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 1100 return -1; 1101 } 1102 1103 return 0; 1104} 1105 1106 1107static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm, 1108 const unsigned char *src_addr, 1109 struct wpa_eapol_ie_parse *ie) 1110{ 1111 const u8 *pos, *end, *mdie = NULL, *ftie = NULL; 1112 1113 if (sm->assoc_resp_ies) { 1114 pos = sm->assoc_resp_ies; 1115 end = pos + sm->assoc_resp_ies_len; 1116 while (end - pos > 2) { 1117 if (2 + pos[1] > end - pos) 1118 break; 1119 switch (*pos) { 1120 case WLAN_EID_MOBILITY_DOMAIN: 1121 mdie = pos; 1122 break; 1123 case WLAN_EID_FAST_BSS_TRANSITION: 1124 ftie = pos; 1125 break; 1126 } 1127 pos += 2 + pos[1]; 1128 } 1129 } 1130 1131 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 || 1132 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 || 1133 ft_validate_rsnie(sm, src_addr, ie) < 0) 1134 return -1; 1135 1136 return 0; 1137} 1138 1139#endif /* CONFIG_IEEE80211R */ 1140 1141 1142static int wpa_supplicant_validate_ie(struct wpa_sm *sm, 1143 const unsigned char *src_addr, 1144 struct wpa_eapol_ie_parse *ie) 1145{ 1146 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) { 1147 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1148 "WPA: No WPA/RSN IE for this AP known. " 1149 "Trying to get from scan results"); 1150 if (wpa_sm_get_beacon_ie(sm) < 0) { 1151 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1152 "WPA: Could not find AP from " 1153 "the scan results"); 1154 } else { 1155 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG, 1156 "WPA: Found the current AP from " 1157 "updated scan results"); 1158 } 1159 } 1160 1161 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL && 1162 (sm->ap_wpa_ie || sm->ap_rsn_ie)) { 1163 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match " 1164 "with IE in Beacon/ProbeResp (no IE?)", 1165 src_addr, ie->wpa_ie, ie->wpa_ie_len, 1166 ie->rsn_ie, ie->rsn_ie_len); 1167 return -1; 1168 } 1169 1170 if ((ie->wpa_ie && sm->ap_wpa_ie && 1171 (ie->wpa_ie_len != sm->ap_wpa_ie_len || 1172 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) || 1173 (ie->rsn_ie && sm->ap_rsn_ie && 1174 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt), 1175 sm->ap_rsn_ie, sm->ap_rsn_ie_len, 1176 ie->rsn_ie, ie->rsn_ie_len))) { 1177 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match " 1178 "with IE in Beacon/ProbeResp", 1179 src_addr, ie->wpa_ie, ie->wpa_ie_len, 1180 ie->rsn_ie, ie->rsn_ie_len); 1181 return -1; 1182 } 1183 1184 if (sm->proto == WPA_PROTO_WPA && 1185 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) { 1186 wpa_report_ie_mismatch(sm, "Possible downgrade attack " 1187 "detected - RSN was enabled and RSN IE " 1188 "was in msg 3/4, but not in " 1189 "Beacon/ProbeResp", 1190 src_addr, ie->wpa_ie, ie->wpa_ie_len, 1191 ie->rsn_ie, ie->rsn_ie_len); 1192 return -1; 1193 } 1194 1195#ifdef CONFIG_IEEE80211R 1196 if (wpa_key_mgmt_ft(sm->key_mgmt) && 1197 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0) 1198 return -1; 1199#endif /* CONFIG_IEEE80211R */ 1200 1201 return 0; 1202} 1203 1204 1205/** 1206 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake 1207 * @sm: Pointer to WPA state machine data from wpa_sm_init() 1208 * @dst: Destination address for the frame 1209 * @key: Pointer to the EAPOL-Key frame header 1210 * @ver: Version bits from EAPOL-Key Key Info 1211 * @key_info: Key Info 1212 * @ptk: PTK to use for keyed hash and encryption 1213 * Returns: >= 0 on success, < 0 on failure 1214 */ 1215int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst, 1216 const struct wpa_eapol_key *key, 1217 u16 ver, u16 key_info, 1218 struct wpa_ptk *ptk) 1219{ 1220 size_t mic_len, hdrlen, rlen; 1221 struct wpa_eapol_key *reply; 1222 u8 *rbuf, *key_mic; 1223 1224 mic_len = wpa_mic_len(sm->key_mgmt); 1225 hdrlen = sizeof(*reply) + mic_len + 2; 1226 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 1227 hdrlen, &rlen, (void *) &reply); 1228 if (rbuf == NULL) 1229 return -1; 1230 1231 reply->type = (sm->proto == WPA_PROTO_RSN || 1232 sm->proto == WPA_PROTO_OSEN) ? 1233 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1234 key_info &= WPA_KEY_INFO_SECURE; 1235 key_info |= ver | WPA_KEY_INFO_KEY_TYPE; 1236 if (mic_len) 1237 key_info |= WPA_KEY_INFO_MIC; 1238 else 1239 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1240 WPA_PUT_BE16(reply->key_info, key_info); 1241 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 1242 WPA_PUT_BE16(reply->key_length, 0); 1243 else 1244 os_memcpy(reply->key_length, key->key_length, 2); 1245 os_memcpy(reply->replay_counter, key->replay_counter, 1246 WPA_REPLAY_COUNTER_LEN); 1247 1248 key_mic = (u8 *) (reply + 1); 1249 WPA_PUT_BE16(key_mic + mic_len, 0); 1250 1251 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4"); 1252 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen, 1253 key_mic); 1254} 1255 1256 1257static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, 1258 const struct wpa_eapol_key *key, 1259 u16 ver, const u8 *key_data, 1260 size_t key_data_len) 1261{ 1262 u16 key_info, keylen; 1263 struct wpa_eapol_ie_parse ie; 1264 1265 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE); 1266 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 3 of 4-Way " 1267 "Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver); 1268 1269 key_info = WPA_GET_BE16(key->key_info); 1270 1271 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len); 1272 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) 1273 goto failed; 1274 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1275 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1276 "WPA: GTK IE in unencrypted key data"); 1277 goto failed; 1278 } 1279#ifdef CONFIG_IEEE80211W 1280 if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1281 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1282 "WPA: IGTK KDE in unencrypted key data"); 1283 goto failed; 1284 } 1285 1286 if (ie.igtk && 1287 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) && 1288 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN + 1289 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) { 1290 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1291 "WPA: Invalid IGTK KDE length %lu", 1292 (unsigned long) ie.igtk_len); 1293 goto failed; 1294 } 1295#endif /* CONFIG_IEEE80211W */ 1296 1297 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0) 1298 goto failed; 1299 1300 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) { 1301 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1302 "WPA: ANonce from message 1 of 4-Way Handshake " 1303 "differs from 3 of 4-Way Handshake - drop packet (src=" 1304 MACSTR ")", MAC2STR(sm->bssid)); 1305 goto failed; 1306 } 1307 1308 keylen = WPA_GET_BE16(key->key_length); 1309 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) { 1310 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1311 "WPA: Invalid %s key length %d (src=" MACSTR 1312 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen, 1313 MAC2STR(sm->bssid)); 1314 goto failed; 1315 } 1316 1317#ifdef CONFIG_P2P 1318 if (ie.ip_addr_alloc) { 1319 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4); 1320 wpa_hexdump(MSG_DEBUG, "P2P: IP address info", 1321 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr)); 1322 } 1323#endif /* CONFIG_P2P */ 1324 1325 if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info, 1326 &sm->ptk) < 0) { 1327 goto failed; 1328 } 1329 1330 /* SNonce was successfully used in msg 3/4, so mark it to be renewed 1331 * for the next 4-Way Handshake. If msg 3 is received again, the old 1332 * SNonce will still be used to avoid changing PTK. */ 1333 sm->renew_snonce = 1; 1334 1335 if (key_info & WPA_KEY_INFO_INSTALL) { 1336 if (wpa_supplicant_install_ptk(sm, key)) 1337 goto failed; 1338 } 1339 1340 if (key_info & WPA_KEY_INFO_SECURE) { 1341 wpa_sm_mlme_setprotection( 1342 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX, 1343 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE); 1344 eapol_sm_notify_portValid(sm->eapol, TRUE); 1345 } 1346 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE); 1347 1348 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) { 1349 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1350 key_info & WPA_KEY_INFO_SECURE); 1351 } else if (ie.gtk && 1352 wpa_supplicant_pairwise_gtk(sm, key, 1353 ie.gtk, ie.gtk_len, key_info) < 0) { 1354 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1355 "RSN: Failed to configure GTK"); 1356 goto failed; 1357 } 1358 1359 if (ieee80211w_set_keys(sm, &ie) < 0) { 1360 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1361 "RSN: Failed to configure IGTK"); 1362 goto failed; 1363 } 1364 1365 if (ie.gtk) 1366 wpa_sm_set_rekey_offload(sm); 1367 1368 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt)) { 1369 struct rsn_pmksa_cache_entry *sa; 1370 1371 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL, 1372 sm->ptk.kck, sm->ptk.kck_len, 1373 sm->bssid, sm->own_addr, 1374 sm->network_ctx, sm->key_mgmt); 1375 if (!sm->cur_pmksa) 1376 sm->cur_pmksa = sa; 1377 } 1378 1379 sm->msg_3_of_4_ok = 1; 1380 return; 1381 1382failed: 1383 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 1384} 1385 1386 1387static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm, 1388 const u8 *keydata, 1389 size_t keydatalen, 1390 u16 key_info, 1391 struct wpa_gtk_data *gd) 1392{ 1393 int maxkeylen; 1394 struct wpa_eapol_ie_parse ie; 1395 1396 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/2 key data", keydata, keydatalen); 1397 if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0) 1398 return -1; 1399 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1400 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1401 "WPA: GTK IE in unencrypted key data"); 1402 return -1; 1403 } 1404 if (ie.gtk == NULL) { 1405 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1406 "WPA: No GTK IE in Group Key msg 1/2"); 1407 return -1; 1408 } 1409 maxkeylen = gd->gtk_len = ie.gtk_len - 2; 1410 1411 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 1412 gd->gtk_len, maxkeylen, 1413 &gd->key_rsc_len, &gd->alg)) 1414 return -1; 1415 1416 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake", 1417 ie.gtk, ie.gtk_len); 1418 gd->keyidx = ie.gtk[0] & 0x3; 1419 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 1420 !!(ie.gtk[0] & BIT(2))); 1421 if (ie.gtk_len - 2 > sizeof(gd->gtk)) { 1422 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1423 "RSN: Too long GTK in GTK IE (len=%lu)", 1424 (unsigned long) ie.gtk_len - 2); 1425 return -1; 1426 } 1427 os_memcpy(gd->gtk, ie.gtk + 2, ie.gtk_len - 2); 1428 1429 if (ieee80211w_set_keys(sm, &ie) < 0) 1430 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1431 "RSN: Failed to configure IGTK"); 1432 1433 return 0; 1434} 1435 1436 1437static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm, 1438 const struct wpa_eapol_key *key, 1439 const u8 *key_data, 1440 size_t key_data_len, u16 key_info, 1441 u16 ver, struct wpa_gtk_data *gd) 1442{ 1443 size_t maxkeylen; 1444 u16 gtk_len; 1445 1446 gtk_len = WPA_GET_BE16(key->key_length); 1447 maxkeylen = key_data_len; 1448 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1449 if (maxkeylen < 8) { 1450 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1451 "WPA: Too short maxkeylen (%lu)", 1452 (unsigned long) maxkeylen); 1453 return -1; 1454 } 1455 maxkeylen -= 8; 1456 } 1457 1458 if (gtk_len > maxkeylen || 1459 wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 1460 gtk_len, maxkeylen, 1461 &gd->key_rsc_len, &gd->alg)) 1462 return -1; 1463 1464 gd->gtk_len = gtk_len; 1465 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 1466 WPA_KEY_INFO_KEY_INDEX_SHIFT; 1467 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) { 1468#ifdef CONFIG_NO_RC4 1469 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1470 "WPA: RC4 not supported in the build"); 1471 return -1; 1472#else /* CONFIG_NO_RC4 */ 1473 u8 ek[32]; 1474 if (key_data_len > sizeof(gd->gtk)) { 1475 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1476 "WPA: RC4 key data too long (%lu)", 1477 (unsigned long) key_data_len); 1478 return -1; 1479 } 1480 os_memcpy(ek, key->key_iv, 16); 1481 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len); 1482 os_memcpy(gd->gtk, key_data, key_data_len); 1483 if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) { 1484 os_memset(ek, 0, sizeof(ek)); 1485 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 1486 "WPA: RC4 failed"); 1487 return -1; 1488 } 1489 os_memset(ek, 0, sizeof(ek)); 1490#endif /* CONFIG_NO_RC4 */ 1491 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1492 if (maxkeylen % 8) { 1493 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1494 "WPA: Unsupported AES-WRAP len %lu", 1495 (unsigned long) maxkeylen); 1496 return -1; 1497 } 1498 if (maxkeylen > sizeof(gd->gtk)) { 1499 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1500 "WPA: AES-WRAP key data " 1501 "too long (keydatalen=%lu maxkeylen=%lu)", 1502 (unsigned long) key_data_len, 1503 (unsigned long) maxkeylen); 1504 return -1; 1505 } 1506 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8, 1507 key_data, gd->gtk)) { 1508 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1509 "WPA: AES unwrap failed - could not decrypt " 1510 "GTK"); 1511 return -1; 1512 } 1513 } else { 1514 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1515 "WPA: Unsupported key_info type %d", ver); 1516 return -1; 1517 } 1518 gd->tx = wpa_supplicant_gtk_tx_bit_workaround( 1519 sm, !!(key_info & WPA_KEY_INFO_TXRX)); 1520 return 0; 1521} 1522 1523 1524static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm, 1525 const struct wpa_eapol_key *key, 1526 int ver, u16 key_info) 1527{ 1528 size_t mic_len, hdrlen, rlen; 1529 struct wpa_eapol_key *reply; 1530 u8 *rbuf, *key_mic; 1531 1532 mic_len = wpa_mic_len(sm->key_mgmt); 1533 hdrlen = sizeof(*reply) + mic_len + 2; 1534 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 1535 hdrlen, &rlen, (void *) &reply); 1536 if (rbuf == NULL) 1537 return -1; 1538 1539 reply->type = (sm->proto == WPA_PROTO_RSN || 1540 sm->proto == WPA_PROTO_OSEN) ? 1541 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1542 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK; 1543 key_info |= ver | WPA_KEY_INFO_SECURE; 1544 if (mic_len) 1545 key_info |= WPA_KEY_INFO_MIC; 1546 WPA_PUT_BE16(reply->key_info, key_info); 1547 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 1548 WPA_PUT_BE16(reply->key_length, 0); 1549 else 1550 os_memcpy(reply->key_length, key->key_length, 2); 1551 os_memcpy(reply->replay_counter, key->replay_counter, 1552 WPA_REPLAY_COUNTER_LEN); 1553 1554 key_mic = (u8 *) (reply + 1); 1555 WPA_PUT_BE16(key_mic + mic_len, 0); 1556 1557 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2"); 1558 return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL, 1559 rbuf, rlen, key_mic); 1560} 1561 1562 1563static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, 1564 const unsigned char *src_addr, 1565 const struct wpa_eapol_key *key, 1566 const u8 *key_data, 1567 size_t key_data_len, u16 ver) 1568{ 1569 u16 key_info; 1570 int rekey, ret; 1571 struct wpa_gtk_data gd; 1572 const u8 *key_rsc; 1573 1574 if (!sm->msg_3_of_4_ok) { 1575 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1576 "WPA: Group Key Handshake started prior to completion of 4-way handshake"); 1577 goto failed; 1578 } 1579 1580 os_memset(&gd, 0, sizeof(gd)); 1581 1582 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED; 1583 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key " 1584 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 1585 1586 key_info = WPA_GET_BE16(key->key_info); 1587 1588 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) { 1589 ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data, 1590 key_data_len, key_info, 1591 &gd); 1592 } else { 1593 ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data, 1594 key_data_len, 1595 key_info, ver, &gd); 1596 } 1597 1598 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE); 1599 1600 if (ret) 1601 goto failed; 1602 1603 key_rsc = key->key_rsc; 1604 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) 1605 key_rsc = null_rsc; 1606 1607 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) || 1608 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) 1609 goto failed; 1610 os_memset(&gd, 0, sizeof(gd)); 1611 1612 if (rekey) { 1613 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying " 1614 "completed with " MACSTR " [GTK=%s]", 1615 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher)); 1616 wpa_sm_cancel_auth_timeout(sm); 1617 wpa_sm_set_state(sm, WPA_COMPLETED); 1618 } else { 1619 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1620 key_info & 1621 WPA_KEY_INFO_SECURE); 1622 } 1623 1624 wpa_sm_set_rekey_offload(sm); 1625 1626 return; 1627 1628failed: 1629 os_memset(&gd, 0, sizeof(gd)); 1630 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 1631} 1632 1633 1634static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm, 1635 struct wpa_eapol_key *key, 1636 u16 ver, 1637 const u8 *buf, size_t len) 1638{ 1639 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN]; 1640 int ok = 0; 1641 size_t mic_len = wpa_mic_len(sm->key_mgmt); 1642 1643 os_memcpy(mic, key + 1, mic_len); 1644 if (sm->tptk_set) { 1645 os_memset(key + 1, 0, mic_len); 1646 wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len, sm->key_mgmt, 1647 ver, buf, len, (u8 *) (key + 1)); 1648 if (os_memcmp_const(mic, key + 1, mic_len) != 0) { 1649 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1650 "WPA: Invalid EAPOL-Key MIC " 1651 "when using TPTK - ignoring TPTK"); 1652 } else { 1653 ok = 1; 1654 sm->tptk_set = 0; 1655 sm->ptk_set = 1; 1656 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk)); 1657 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 1658 } 1659 } 1660 1661 if (!ok && sm->ptk_set) { 1662 os_memset(key + 1, 0, mic_len); 1663 wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len, sm->key_mgmt, 1664 ver, buf, len, (u8 *) (key + 1)); 1665 if (os_memcmp_const(mic, key + 1, mic_len) != 0) { 1666 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1667 "WPA: Invalid EAPOL-Key MIC - " 1668 "dropping packet"); 1669 return -1; 1670 } 1671 ok = 1; 1672 } 1673 1674 if (!ok) { 1675 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1676 "WPA: Could not verify EAPOL-Key MIC - " 1677 "dropping packet"); 1678 return -1; 1679 } 1680 1681 os_memcpy(sm->rx_replay_counter, key->replay_counter, 1682 WPA_REPLAY_COUNTER_LEN); 1683 sm->rx_replay_counter_set = 1; 1684 return 0; 1685} 1686 1687 1688/* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */ 1689static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm, 1690 struct wpa_eapol_key *key, 1691 size_t mic_len, u16 ver, 1692 u8 *key_data, size_t *key_data_len) 1693{ 1694 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data", 1695 key_data, *key_data_len); 1696 if (!sm->ptk_set) { 1697 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1698 "WPA: PTK not available, cannot decrypt EAPOL-Key Key " 1699 "Data"); 1700 return -1; 1701 } 1702 1703 /* Decrypt key data here so that this operation does not need 1704 * to be implemented separately for each message type. */ 1705 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) { 1706#ifdef CONFIG_NO_RC4 1707 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1708 "WPA: RC4 not supported in the build"); 1709 return -1; 1710#else /* CONFIG_NO_RC4 */ 1711 u8 ek[32]; 1712 os_memcpy(ek, key->key_iv, 16); 1713 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len); 1714 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) { 1715 os_memset(ek, 0, sizeof(ek)); 1716 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 1717 "WPA: RC4 failed"); 1718 return -1; 1719 } 1720 os_memset(ek, 0, sizeof(ek)); 1721#endif /* CONFIG_NO_RC4 */ 1722 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1723 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC || 1724 sm->key_mgmt == WPA_KEY_MGMT_OSEN || 1725 wpa_key_mgmt_suite_b(sm->key_mgmt)) { 1726 u8 *buf; 1727 if (*key_data_len < 8 || *key_data_len % 8) { 1728 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1729 "WPA: Unsupported AES-WRAP len %u", 1730 (unsigned int) *key_data_len); 1731 return -1; 1732 } 1733 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */ 1734 buf = os_malloc(*key_data_len); 1735 if (buf == NULL) { 1736 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1737 "WPA: No memory for AES-UNWRAP buffer"); 1738 return -1; 1739 } 1740 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8, 1741 key_data, buf)) { 1742 bin_clear_free(buf, *key_data_len); 1743 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1744 "WPA: AES unwrap failed - " 1745 "could not decrypt EAPOL-Key key data"); 1746 return -1; 1747 } 1748 os_memcpy(key_data, buf, *key_data_len); 1749 bin_clear_free(buf, *key_data_len); 1750 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len); 1751 } else { 1752 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1753 "WPA: Unsupported key_info type %d", ver); 1754 return -1; 1755 } 1756 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data", 1757 key_data, *key_data_len); 1758 return 0; 1759} 1760 1761 1762/** 1763 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted 1764 * @sm: Pointer to WPA state machine data from wpa_sm_init() 1765 */ 1766void wpa_sm_aborted_cached(struct wpa_sm *sm) 1767{ 1768 if (sm && sm->cur_pmksa) { 1769 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1770 "RSN: Cancelling PMKSA caching attempt"); 1771 sm->cur_pmksa = NULL; 1772 } 1773} 1774 1775 1776static void wpa_eapol_key_dump(struct wpa_sm *sm, 1777 const struct wpa_eapol_key *key, 1778 unsigned int key_data_len, 1779 const u8 *mic, unsigned int mic_len) 1780{ 1781#ifndef CONFIG_NO_STDOUT_DEBUG 1782 u16 key_info = WPA_GET_BE16(key->key_info); 1783 1784 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type); 1785 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1786 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)", 1787 key_info, key_info & WPA_KEY_INFO_TYPE_MASK, 1788 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 1789 WPA_KEY_INFO_KEY_INDEX_SHIFT, 1790 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13, 1791 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group", 1792 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "", 1793 key_info & WPA_KEY_INFO_ACK ? " Ack" : "", 1794 key_info & WPA_KEY_INFO_MIC ? " MIC" : "", 1795 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "", 1796 key_info & WPA_KEY_INFO_ERROR ? " Error" : "", 1797 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "", 1798 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : ""); 1799 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1800 " key_length=%u key_data_length=%u", 1801 WPA_GET_BE16(key->key_length), key_data_len); 1802 wpa_hexdump(MSG_DEBUG, " replay_counter", 1803 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1804 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN); 1805 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16); 1806 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8); 1807 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8); 1808 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len); 1809#endif /* CONFIG_NO_STDOUT_DEBUG */ 1810} 1811 1812 1813#ifdef CONFIG_FILS 1814static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len, 1815 size_t *key_data_len) 1816{ 1817 struct wpa_ptk *ptk; 1818 struct ieee802_1x_hdr *hdr; 1819 struct wpa_eapol_key *key; 1820 u8 *pos, *tmp; 1821 const u8 *aad[1]; 1822 size_t aad_len[1]; 1823 1824 if (*key_data_len < AES_BLOCK_SIZE) { 1825 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame"); 1826 return -1; 1827 } 1828 1829 if (sm->tptk_set) 1830 ptk = &sm->tptk; 1831 else if (sm->ptk_set) 1832 ptk = &sm->ptk; 1833 else 1834 return -1; 1835 1836 hdr = (struct ieee802_1x_hdr *) buf; 1837 key = (struct wpa_eapol_key *) (hdr + 1); 1838 pos = (u8 *) (key + 1); 1839 pos += 2; /* Pointing at the Encrypted Key Data field */ 1840 1841 tmp = os_malloc(*key_data_len); 1842 if (!tmp) 1843 return -1; 1844 1845 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 1846 * to Key Data (exclusive). */ 1847 aad[0] = buf; 1848 aad_len[0] = pos - buf; 1849 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len, 1850 1, aad, aad_len, tmp) < 0) { 1851 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame"); 1852 bin_clear_free(tmp, *key_data_len); 1853 return -1; 1854 } 1855 1856 /* AEAD decryption and validation completed successfully */ 1857 (*key_data_len) -= AES_BLOCK_SIZE; 1858 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data", 1859 tmp, *key_data_len); 1860 1861 /* Replace Key Data field with the decrypted version */ 1862 os_memcpy(pos, tmp, *key_data_len); 1863 pos -= 2; /* Key Data Length field */ 1864 WPA_PUT_BE16(pos, *key_data_len); 1865 bin_clear_free(tmp, *key_data_len); 1866 1867 if (sm->tptk_set) { 1868 sm->tptk_set = 0; 1869 sm->ptk_set = 1; 1870 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk)); 1871 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 1872 } 1873 1874 os_memcpy(sm->rx_replay_counter, key->replay_counter, 1875 WPA_REPLAY_COUNTER_LEN); 1876 sm->rx_replay_counter_set = 1; 1877 1878 return 0; 1879} 1880#endif /* CONFIG_FILS */ 1881 1882 1883/** 1884 * wpa_sm_rx_eapol - Process received WPA EAPOL frames 1885 * @sm: Pointer to WPA state machine data from wpa_sm_init() 1886 * @src_addr: Source MAC address of the EAPOL packet 1887 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header) 1888 * @len: Length of the EAPOL frame 1889 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure 1890 * 1891 * This function is called for each received EAPOL frame. Other than EAPOL-Key 1892 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is 1893 * only processing WPA and WPA2 EAPOL-Key frames. 1894 * 1895 * The received EAPOL-Key packets are validated and valid packets are replied 1896 * to. In addition, key material (PTK, GTK) is configured at the end of a 1897 * successful key handshake. 1898 */ 1899int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr, 1900 const u8 *buf, size_t len) 1901{ 1902 size_t plen, data_len, key_data_len; 1903 const struct ieee802_1x_hdr *hdr; 1904 struct wpa_eapol_key *key; 1905 u16 key_info, ver; 1906 u8 *tmp = NULL; 1907 int ret = -1; 1908 struct wpa_peerkey *peerkey = NULL; 1909 u8 *mic, *key_data; 1910 size_t mic_len, keyhdrlen; 1911 1912#ifdef CONFIG_IEEE80211R 1913 sm->ft_completed = 0; 1914#endif /* CONFIG_IEEE80211R */ 1915 1916 mic_len = wpa_mic_len(sm->key_mgmt); 1917 keyhdrlen = sizeof(*key) + mic_len + 2; 1918 1919 if (len < sizeof(*hdr) + keyhdrlen) { 1920 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1921 "WPA: EAPOL frame too short to be a WPA " 1922 "EAPOL-Key (len %lu, expecting at least %lu)", 1923 (unsigned long) len, 1924 (unsigned long) sizeof(*hdr) + keyhdrlen); 1925 return 0; 1926 } 1927 1928 hdr = (const struct ieee802_1x_hdr *) buf; 1929 plen = be_to_host16(hdr->length); 1930 data_len = plen + sizeof(*hdr); 1931 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1932 "IEEE 802.1X RX: version=%d type=%d length=%lu", 1933 hdr->version, hdr->type, (unsigned long) plen); 1934 1935 if (hdr->version < EAPOL_VERSION) { 1936 /* TODO: backwards compatibility */ 1937 } 1938 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) { 1939 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1940 "WPA: EAPOL frame (type %u) discarded, " 1941 "not a Key frame", hdr->type); 1942 ret = 0; 1943 goto out; 1944 } 1945 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len); 1946 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) { 1947 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1948 "WPA: EAPOL frame payload size %lu " 1949 "invalid (frame size %lu)", 1950 (unsigned long) plen, (unsigned long) len); 1951 ret = 0; 1952 goto out; 1953 } 1954 if (data_len < len) { 1955 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1956 "WPA: ignoring %lu bytes after the IEEE 802.1X data", 1957 (unsigned long) len - data_len); 1958 } 1959 1960 /* 1961 * Make a copy of the frame since we need to modify the buffer during 1962 * MAC validation and Key Data decryption. 1963 */ 1964 tmp = os_malloc(data_len); 1965 if (tmp == NULL) 1966 goto out; 1967 os_memcpy(tmp, buf, data_len); 1968 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr)); 1969 mic = (u8 *) (key + 1); 1970 key_data = mic + mic_len + 2; 1971 1972 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN) 1973 { 1974 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1975 "WPA: EAPOL-Key type (%d) unknown, discarded", 1976 key->type); 1977 ret = 0; 1978 goto out; 1979 } 1980 1981 key_data_len = WPA_GET_BE16(mic + mic_len); 1982 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len); 1983 1984 if (key_data_len > plen - keyhdrlen) { 1985 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key " 1986 "frame - key_data overflow (%u > %u)", 1987 (unsigned int) key_data_len, 1988 (unsigned int) (plen - keyhdrlen)); 1989 goto out; 1990 } 1991 1992 eapol_sm_notify_lower_layer_success(sm->eapol, 0); 1993 key_info = WPA_GET_BE16(key->key_info); 1994 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 1995 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && 1996#if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W) 1997 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC && 1998#endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */ 1999 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES && 2000 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 2001 !wpa_key_mgmt_fils(sm->key_mgmt) && 2002 sm->key_mgmt != WPA_KEY_MGMT_OSEN) { 2003 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2004 "WPA: Unsupported EAPOL-Key descriptor version %d", 2005 ver); 2006 goto out; 2007 } 2008 2009 if (sm->key_mgmt == WPA_KEY_MGMT_OSEN && 2010 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 2011 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2012 "OSEN: Unsupported EAPOL-Key descriptor version %d", 2013 ver); 2014 goto out; 2015 } 2016 2017 if ((wpa_key_mgmt_suite_b(sm->key_mgmt) || 2018 wpa_key_mgmt_fils(sm->key_mgmt)) && 2019 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 2020 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2021 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)", 2022 ver); 2023 goto out; 2024 } 2025 2026#ifdef CONFIG_IEEE80211R 2027 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 2028 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */ 2029 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 2030 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2031 "FT: AP did not use AES-128-CMAC"); 2032 goto out; 2033 } 2034 } else 2035#endif /* CONFIG_IEEE80211R */ 2036#ifdef CONFIG_IEEE80211W 2037 if (wpa_key_mgmt_sha256(sm->key_mgmt)) { 2038 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC && 2039 sm->key_mgmt != WPA_KEY_MGMT_OSEN && 2040 !wpa_key_mgmt_fils(sm->key_mgmt) && 2041 !wpa_key_mgmt_suite_b(sm->key_mgmt)) { 2042 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2043 "WPA: AP did not use the " 2044 "negotiated AES-128-CMAC"); 2045 goto out; 2046 } 2047 } else 2048#endif /* CONFIG_IEEE80211W */ 2049 if (sm->pairwise_cipher == WPA_CIPHER_CCMP && 2050 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 2051 !wpa_key_mgmt_fils(sm->key_mgmt) && 2052 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 2053 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2054 "WPA: CCMP is used, but EAPOL-Key " 2055 "descriptor version (%d) is not 2", ver); 2056 if (sm->group_cipher != WPA_CIPHER_CCMP && 2057 !(key_info & WPA_KEY_INFO_KEY_TYPE)) { 2058 /* Earlier versions of IEEE 802.11i did not explicitly 2059 * require version 2 descriptor for all EAPOL-Key 2060 * packets, so allow group keys to use version 1 if 2061 * CCMP is not used for them. */ 2062 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2063 "WPA: Backwards compatibility: allow invalid " 2064 "version for non-CCMP group keys"); 2065 } else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 2066 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2067 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used"); 2068 } else 2069 goto out; 2070 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP && 2071 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 2072 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 2073 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2074 "WPA: GCMP is used, but EAPOL-Key " 2075 "descriptor version (%d) is not 2", ver); 2076 goto out; 2077 } 2078 2079#ifdef CONFIG_PEERKEY 2080 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) { 2081 if (os_memcmp(peerkey->addr, src_addr, ETH_ALEN) == 0) 2082 break; 2083 } 2084 2085 if (!(key_info & WPA_KEY_INFO_SMK_MESSAGE) && peerkey) { 2086 if (!peerkey->initiator && peerkey->replay_counter_set && 2087 os_memcmp(key->replay_counter, peerkey->replay_counter, 2088 WPA_REPLAY_COUNTER_LEN) <= 0) { 2089 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2090 "RSN: EAPOL-Key Replay Counter did not " 2091 "increase (STK) - dropping packet"); 2092 goto out; 2093 } else if (peerkey->initiator) { 2094 u8 _tmp[WPA_REPLAY_COUNTER_LEN]; 2095 os_memcpy(_tmp, key->replay_counter, 2096 WPA_REPLAY_COUNTER_LEN); 2097 inc_byte_array(_tmp, WPA_REPLAY_COUNTER_LEN); 2098 if (os_memcmp(_tmp, peerkey->replay_counter, 2099 WPA_REPLAY_COUNTER_LEN) != 0) { 2100 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2101 "RSN: EAPOL-Key Replay " 2102 "Counter did not match (STK) - " 2103 "dropping packet"); 2104 goto out; 2105 } 2106 } 2107 } 2108 2109 if (peerkey && peerkey->initiator && (key_info & WPA_KEY_INFO_ACK)) { 2110 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2111 "RSN: Ack bit in key_info from STK peer"); 2112 goto out; 2113 } 2114#endif /* CONFIG_PEERKEY */ 2115 2116 if (!peerkey && sm->rx_replay_counter_set && 2117 os_memcmp(key->replay_counter, sm->rx_replay_counter, 2118 WPA_REPLAY_COUNTER_LEN) <= 0) { 2119 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2120 "WPA: EAPOL-Key Replay Counter did not increase - " 2121 "dropping packet"); 2122 goto out; 2123 } 2124 2125 if (!(key_info & (WPA_KEY_INFO_ACK | WPA_KEY_INFO_SMK_MESSAGE)) 2126#ifdef CONFIG_PEERKEY 2127 && (peerkey == NULL || !peerkey->initiator) 2128#endif /* CONFIG_PEERKEY */ 2129 ) { 2130 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2131 "WPA: No Ack bit in key_info"); 2132 goto out; 2133 } 2134 2135 if (key_info & WPA_KEY_INFO_REQUEST) { 2136 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2137 "WPA: EAPOL-Key with Request bit - dropped"); 2138 goto out; 2139 } 2140 2141 if ((key_info & WPA_KEY_INFO_MIC) && !peerkey && 2142 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len)) 2143 goto out; 2144 2145#ifdef CONFIG_PEERKEY 2146 if ((key_info & WPA_KEY_INFO_MIC) && peerkey && 2147 peerkey_verify_eapol_key_mic(sm, peerkey, key, ver, tmp, 2148 data_len)) 2149 goto out; 2150#endif /* CONFIG_PEERKEY */ 2151 2152#ifdef CONFIG_FILS 2153 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 2154 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len)) 2155 goto out; 2156 } 2157#endif /* CONFIG_FILS */ 2158 2159 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) && 2160 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) { 2161 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len, 2162 ver, key_data, 2163 &key_data_len)) 2164 goto out; 2165 } 2166 2167 if (key_info & WPA_KEY_INFO_KEY_TYPE) { 2168 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) { 2169 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2170 "WPA: Ignored EAPOL-Key (Pairwise) with " 2171 "non-zero key index"); 2172 goto out; 2173 } 2174 if (peerkey) { 2175 /* PeerKey 4-Way Handshake */ 2176 peerkey_rx_eapol_4way(sm, peerkey, key, key_info, ver, 2177 key_data, key_data_len); 2178 } else if (key_info & (WPA_KEY_INFO_MIC | 2179 WPA_KEY_INFO_ENCR_KEY_DATA)) { 2180 /* 3/4 4-Way Handshake */ 2181 wpa_supplicant_process_3_of_4(sm, key, ver, key_data, 2182 key_data_len); 2183 } else { 2184 /* 1/4 4-Way Handshake */ 2185 wpa_supplicant_process_1_of_4(sm, src_addr, key, 2186 ver, key_data, 2187 key_data_len); 2188 } 2189 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 2190 /* PeerKey SMK Handshake */ 2191 peerkey_rx_eapol_smk(sm, src_addr, key, key_data, key_data_len, 2192 key_info, ver); 2193 } else { 2194 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) || 2195 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) { 2196 /* 1/2 Group Key Handshake */ 2197 wpa_supplicant_process_1_of_2(sm, src_addr, key, 2198 key_data, key_data_len, 2199 ver); 2200 } else { 2201 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2202 "WPA: EAPOL-Key (Group) without Mic/Encr bit - " 2203 "dropped"); 2204 } 2205 } 2206 2207 ret = 1; 2208 2209out: 2210 bin_clear_free(tmp, data_len); 2211 return ret; 2212} 2213 2214 2215#ifdef CONFIG_CTRL_IFACE 2216static u32 wpa_key_mgmt_suite(struct wpa_sm *sm) 2217{ 2218 switch (sm->key_mgmt) { 2219 case WPA_KEY_MGMT_IEEE8021X: 2220 return ((sm->proto == WPA_PROTO_RSN || 2221 sm->proto == WPA_PROTO_OSEN) ? 2222 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X : 2223 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X); 2224 case WPA_KEY_MGMT_PSK: 2225 return (sm->proto == WPA_PROTO_RSN ? 2226 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X : 2227 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X); 2228#ifdef CONFIG_IEEE80211R 2229 case WPA_KEY_MGMT_FT_IEEE8021X: 2230 return RSN_AUTH_KEY_MGMT_FT_802_1X; 2231 case WPA_KEY_MGMT_FT_PSK: 2232 return RSN_AUTH_KEY_MGMT_FT_PSK; 2233#endif /* CONFIG_IEEE80211R */ 2234#ifdef CONFIG_IEEE80211W 2235 case WPA_KEY_MGMT_IEEE8021X_SHA256: 2236 return RSN_AUTH_KEY_MGMT_802_1X_SHA256; 2237 case WPA_KEY_MGMT_PSK_SHA256: 2238 return RSN_AUTH_KEY_MGMT_PSK_SHA256; 2239#endif /* CONFIG_IEEE80211W */ 2240 case WPA_KEY_MGMT_CCKM: 2241 return (sm->proto == WPA_PROTO_RSN ? 2242 RSN_AUTH_KEY_MGMT_CCKM: 2243 WPA_AUTH_KEY_MGMT_CCKM); 2244 case WPA_KEY_MGMT_WPA_NONE: 2245 return WPA_AUTH_KEY_MGMT_NONE; 2246 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 2247 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B; 2248 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 2249 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192; 2250 default: 2251 return 0; 2252 } 2253} 2254 2255 2256#define RSN_SUITE "%02x-%02x-%02x-%d" 2257#define RSN_SUITE_ARG(s) \ 2258((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 2259 2260/** 2261 * wpa_sm_get_mib - Dump text list of MIB entries 2262 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2263 * @buf: Buffer for the list 2264 * @buflen: Length of the buffer 2265 * Returns: Number of bytes written to buffer 2266 * 2267 * This function is used fetch dot11 MIB variables. 2268 */ 2269int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen) 2270{ 2271 char pmkid_txt[PMKID_LEN * 2 + 1]; 2272 int rsna, ret; 2273 size_t len; 2274 2275 if (sm->cur_pmksa) { 2276 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 2277 sm->cur_pmksa->pmkid, PMKID_LEN); 2278 } else 2279 pmkid_txt[0] = '\0'; 2280 2281 if ((wpa_key_mgmt_wpa_psk(sm->key_mgmt) || 2282 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) && 2283 sm->proto == WPA_PROTO_RSN) 2284 rsna = 1; 2285 else 2286 rsna = 0; 2287 2288 ret = os_snprintf(buf, buflen, 2289 "dot11RSNAOptionImplemented=TRUE\n" 2290 "dot11RSNAPreauthenticationImplemented=TRUE\n" 2291 "dot11RSNAEnabled=%s\n" 2292 "dot11RSNAPreauthenticationEnabled=%s\n" 2293 "dot11RSNAConfigVersion=%d\n" 2294 "dot11RSNAConfigPairwiseKeysSupported=5\n" 2295 "dot11RSNAConfigGroupCipherSize=%d\n" 2296 "dot11RSNAConfigPMKLifetime=%d\n" 2297 "dot11RSNAConfigPMKReauthThreshold=%d\n" 2298 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n" 2299 "dot11RSNAConfigSATimeout=%d\n", 2300 rsna ? "TRUE" : "FALSE", 2301 rsna ? "TRUE" : "FALSE", 2302 RSN_VERSION, 2303 wpa_cipher_key_len(sm->group_cipher) * 8, 2304 sm->dot11RSNAConfigPMKLifetime, 2305 sm->dot11RSNAConfigPMKReauthThreshold, 2306 sm->dot11RSNAConfigSATimeout); 2307 if (os_snprintf_error(buflen, ret)) 2308 return 0; 2309 len = ret; 2310 2311 ret = os_snprintf( 2312 buf + len, buflen - len, 2313 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 2314 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 2315 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 2316 "dot11RSNAPMKIDUsed=%s\n" 2317 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 2318 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 2319 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 2320 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n" 2321 "dot11RSNA4WayHandshakeFailures=%u\n", 2322 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)), 2323 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2324 sm->pairwise_cipher)), 2325 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2326 sm->group_cipher)), 2327 pmkid_txt, 2328 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)), 2329 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2330 sm->pairwise_cipher)), 2331 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2332 sm->group_cipher)), 2333 sm->dot11RSNA4WayHandshakeFailures); 2334 if (!os_snprintf_error(buflen - len, ret)) 2335 len += ret; 2336 2337 return (int) len; 2338} 2339#endif /* CONFIG_CTRL_IFACE */ 2340 2341 2342static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 2343 void *ctx, enum pmksa_free_reason reason) 2344{ 2345 struct wpa_sm *sm = ctx; 2346 int deauth = 0; 2347 2348 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: " 2349 MACSTR " reason=%d", MAC2STR(entry->aa), reason); 2350 2351 if (sm->cur_pmksa == entry) { 2352 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2353 "RSN: %s current PMKSA entry", 2354 reason == PMKSA_REPLACE ? "replaced" : "removed"); 2355 pmksa_cache_clear_current(sm); 2356 2357 /* 2358 * If an entry is simply being replaced, there's no need to 2359 * deauthenticate because it will be immediately re-added. 2360 * This happens when EAP authentication is completed again 2361 * (reauth or failed PMKSA caching attempt). 2362 */ 2363 if (reason != PMKSA_REPLACE) 2364 deauth = 1; 2365 } 2366 2367 if (reason == PMKSA_EXPIRE && 2368 (sm->pmk_len == entry->pmk_len && 2369 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) { 2370 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2371 "RSN: deauthenticating due to expired PMK"); 2372 pmksa_cache_clear_current(sm); 2373 deauth = 1; 2374 } 2375 2376 if (deauth) { 2377 os_memset(sm->pmk, 0, sizeof(sm->pmk)); 2378 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 2379 } 2380} 2381 2382 2383/** 2384 * wpa_sm_init - Initialize WPA state machine 2385 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer 2386 * Returns: Pointer to the allocated WPA state machine data 2387 * 2388 * This function is used to allocate a new WPA state machine and the returned 2389 * value is passed to all WPA state machine calls. 2390 */ 2391struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx) 2392{ 2393 struct wpa_sm *sm; 2394 2395 sm = os_zalloc(sizeof(*sm)); 2396 if (sm == NULL) 2397 return NULL; 2398 dl_list_init(&sm->pmksa_candidates); 2399 sm->renew_snonce = 1; 2400 sm->ctx = ctx; 2401 2402 sm->dot11RSNAConfigPMKLifetime = 43200; 2403 sm->dot11RSNAConfigPMKReauthThreshold = 70; 2404 sm->dot11RSNAConfigSATimeout = 60; 2405 2406 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, sm, sm); 2407 if (sm->pmksa == NULL) { 2408 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 2409 "RSN: PMKSA cache initialization failed"); 2410 os_free(sm); 2411 return NULL; 2412 } 2413 2414 return sm; 2415} 2416 2417 2418/** 2419 * wpa_sm_deinit - Deinitialize WPA state machine 2420 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2421 */ 2422void wpa_sm_deinit(struct wpa_sm *sm) 2423{ 2424 if (sm == NULL) 2425 return; 2426 pmksa_cache_deinit(sm->pmksa); 2427 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL); 2428 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 2429 os_free(sm->assoc_wpa_ie); 2430 os_free(sm->ap_wpa_ie); 2431 os_free(sm->ap_rsn_ie); 2432 wpa_sm_drop_sa(sm); 2433 os_free(sm->ctx); 2434 peerkey_deinit(sm); 2435#ifdef CONFIG_IEEE80211R 2436 os_free(sm->assoc_resp_ies); 2437#endif /* CONFIG_IEEE80211R */ 2438#ifdef CONFIG_TESTING_OPTIONS 2439 wpabuf_free(sm->test_assoc_ie); 2440#endif /* CONFIG_TESTING_OPTIONS */ 2441 os_free(sm); 2442} 2443 2444 2445/** 2446 * wpa_sm_notify_assoc - Notify WPA state machine about association 2447 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2448 * @bssid: The BSSID of the new association 2449 * 2450 * This function is called to let WPA state machine know that the connection 2451 * was established. 2452 */ 2453void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) 2454{ 2455 int clear_ptk = 1; 2456 2457 if (sm == NULL) 2458 return; 2459 2460 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2461 "WPA: Association event - clear replay counter"); 2462 os_memcpy(sm->bssid, bssid, ETH_ALEN); 2463 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN); 2464 sm->rx_replay_counter_set = 0; 2465 sm->renew_snonce = 1; 2466 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0) 2467 rsn_preauth_deinit(sm); 2468 2469#ifdef CONFIG_IEEE80211R 2470 if (wpa_ft_is_completed(sm)) { 2471 /* 2472 * Clear portValid to kick EAPOL state machine to re-enter 2473 * AUTHENTICATED state to get the EAPOL port Authorized. 2474 */ 2475 eapol_sm_notify_portValid(sm->eapol, FALSE); 2476 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1); 2477 2478 /* Prepare for the next transition */ 2479 wpa_ft_prepare_auth_request(sm, NULL); 2480 2481 clear_ptk = 0; 2482 } 2483#endif /* CONFIG_IEEE80211R */ 2484#ifdef CONFIG_FILS 2485 if (sm->fils_completed) { 2486 /* 2487 * Clear portValid to kick EAPOL state machine to re-enter 2488 * AUTHENTICATED state to get the EAPOL port Authorized. 2489 */ 2490 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1); 2491 clear_ptk = 0; 2492 } 2493#endif /* CONFIG_FILS */ 2494 2495 if (clear_ptk) { 2496 /* 2497 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if 2498 * this is not part of a Fast BSS Transition. 2499 */ 2500 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK"); 2501 sm->ptk_set = 0; 2502 os_memset(&sm->ptk, 0, sizeof(sm->ptk)); 2503 sm->tptk_set = 0; 2504 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 2505 } 2506 2507#ifdef CONFIG_TDLS 2508 wpa_tdls_assoc(sm); 2509#endif /* CONFIG_TDLS */ 2510 2511#ifdef CONFIG_P2P 2512 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr)); 2513#endif /* CONFIG_P2P */ 2514} 2515 2516 2517/** 2518 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation 2519 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2520 * 2521 * This function is called to let WPA state machine know that the connection 2522 * was lost. This will abort any existing pre-authentication session. 2523 */ 2524void wpa_sm_notify_disassoc(struct wpa_sm *sm) 2525{ 2526 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL); 2527 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 2528 peerkey_deinit(sm); 2529 rsn_preauth_deinit(sm); 2530 pmksa_cache_clear_current(sm); 2531 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE) 2532 sm->dot11RSNA4WayHandshakeFailures++; 2533#ifdef CONFIG_TDLS 2534 wpa_tdls_disassoc(sm); 2535#endif /* CONFIG_TDLS */ 2536#ifdef CONFIG_FILS 2537 sm->fils_completed = 0; 2538#endif /* CONFIG_FILS */ 2539 2540 /* Keys are not needed in the WPA state machine anymore */ 2541 wpa_sm_drop_sa(sm); 2542 2543 sm->msg_3_of_4_ok = 0; 2544} 2545 2546 2547/** 2548 * wpa_sm_set_pmk - Set PMK 2549 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2550 * @pmk: The new PMK 2551 * @pmk_len: The length of the new PMK in bytes 2552 * @pmkid: Calculated PMKID 2553 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK 2554 * 2555 * Configure the PMK for WPA state machine. 2556 */ 2557void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, 2558 const u8 *pmkid, const u8 *bssid) 2559{ 2560 if (sm == NULL) 2561 return; 2562 2563 sm->pmk_len = pmk_len; 2564 os_memcpy(sm->pmk, pmk, pmk_len); 2565 2566#ifdef CONFIG_IEEE80211R 2567 /* Set XXKey to be PSK for FT key derivation */ 2568 sm->xxkey_len = pmk_len; 2569 os_memcpy(sm->xxkey, pmk, pmk_len); 2570#endif /* CONFIG_IEEE80211R */ 2571 2572 if (bssid) { 2573 pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0, 2574 bssid, sm->own_addr, 2575 sm->network_ctx, sm->key_mgmt); 2576 } 2577} 2578 2579 2580/** 2581 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA 2582 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2583 * 2584 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK 2585 * will be cleared. 2586 */ 2587void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm) 2588{ 2589 if (sm == NULL) 2590 return; 2591 2592 if (sm->cur_pmksa) { 2593 sm->pmk_len = sm->cur_pmksa->pmk_len; 2594 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len); 2595 } else { 2596 sm->pmk_len = PMK_LEN; 2597 os_memset(sm->pmk, 0, PMK_LEN); 2598 } 2599} 2600 2601 2602/** 2603 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled 2604 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2605 * @fast_reauth: Whether fast reauthentication (EAP) is allowed 2606 */ 2607void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth) 2608{ 2609 if (sm) 2610 sm->fast_reauth = fast_reauth; 2611} 2612 2613 2614/** 2615 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks 2616 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2617 * @scard_ctx: Context pointer for smartcard related callback functions 2618 */ 2619void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx) 2620{ 2621 if (sm == NULL) 2622 return; 2623 sm->scard_ctx = scard_ctx; 2624 if (sm->preauth_eapol) 2625 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx); 2626} 2627 2628 2629/** 2630 * wpa_sm_set_config - Notification of current configration change 2631 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2632 * @config: Pointer to current network configuration 2633 * 2634 * Notify WPA state machine that configuration has changed. config will be 2635 * stored as a backpointer to network configuration. This can be %NULL to clear 2636 * the stored pointed. 2637 */ 2638void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config) 2639{ 2640 if (!sm) 2641 return; 2642 2643 if (config) { 2644 sm->network_ctx = config->network_ctx; 2645 sm->peerkey_enabled = config->peerkey_enabled; 2646 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher; 2647 sm->proactive_key_caching = config->proactive_key_caching; 2648 sm->eap_workaround = config->eap_workaround; 2649 sm->eap_conf_ctx = config->eap_conf_ctx; 2650 if (config->ssid) { 2651 os_memcpy(sm->ssid, config->ssid, config->ssid_len); 2652 sm->ssid_len = config->ssid_len; 2653 } else 2654 sm->ssid_len = 0; 2655 sm->wpa_ptk_rekey = config->wpa_ptk_rekey; 2656 sm->p2p = config->p2p; 2657 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation; 2658 } else { 2659 sm->network_ctx = NULL; 2660 sm->peerkey_enabled = 0; 2661 sm->allowed_pairwise_cipher = 0; 2662 sm->proactive_key_caching = 0; 2663 sm->eap_workaround = 0; 2664 sm->eap_conf_ctx = NULL; 2665 sm->ssid_len = 0; 2666 sm->wpa_ptk_rekey = 0; 2667 sm->p2p = 0; 2668 sm->wpa_rsc_relaxation = 0; 2669 } 2670} 2671 2672 2673/** 2674 * wpa_sm_set_own_addr - Set own MAC address 2675 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2676 * @addr: Own MAC address 2677 */ 2678void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr) 2679{ 2680 if (sm) 2681 os_memcpy(sm->own_addr, addr, ETH_ALEN); 2682} 2683 2684 2685/** 2686 * wpa_sm_set_ifname - Set network interface name 2687 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2688 * @ifname: Interface name 2689 * @bridge_ifname: Optional bridge interface name (for pre-auth) 2690 */ 2691void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname, 2692 const char *bridge_ifname) 2693{ 2694 if (sm) { 2695 sm->ifname = ifname; 2696 sm->bridge_ifname = bridge_ifname; 2697 } 2698} 2699 2700 2701/** 2702 * wpa_sm_set_eapol - Set EAPOL state machine pointer 2703 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2704 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init() 2705 */ 2706void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol) 2707{ 2708 if (sm) 2709 sm->eapol = eapol; 2710} 2711 2712 2713/** 2714 * wpa_sm_set_param - Set WPA state machine parameters 2715 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2716 * @param: Parameter field 2717 * @value: Parameter value 2718 * Returns: 0 on success, -1 on failure 2719 */ 2720int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param, 2721 unsigned int value) 2722{ 2723 int ret = 0; 2724 2725 if (sm == NULL) 2726 return -1; 2727 2728 switch (param) { 2729 case RSNA_PMK_LIFETIME: 2730 if (value > 0) 2731 sm->dot11RSNAConfigPMKLifetime = value; 2732 else 2733 ret = -1; 2734 break; 2735 case RSNA_PMK_REAUTH_THRESHOLD: 2736 if (value > 0 && value <= 100) 2737 sm->dot11RSNAConfigPMKReauthThreshold = value; 2738 else 2739 ret = -1; 2740 break; 2741 case RSNA_SA_TIMEOUT: 2742 if (value > 0) 2743 sm->dot11RSNAConfigSATimeout = value; 2744 else 2745 ret = -1; 2746 break; 2747 case WPA_PARAM_PROTO: 2748 sm->proto = value; 2749 break; 2750 case WPA_PARAM_PAIRWISE: 2751 sm->pairwise_cipher = value; 2752 break; 2753 case WPA_PARAM_GROUP: 2754 sm->group_cipher = value; 2755 break; 2756 case WPA_PARAM_KEY_MGMT: 2757 sm->key_mgmt = value; 2758 break; 2759#ifdef CONFIG_IEEE80211W 2760 case WPA_PARAM_MGMT_GROUP: 2761 sm->mgmt_group_cipher = value; 2762 break; 2763#endif /* CONFIG_IEEE80211W */ 2764 case WPA_PARAM_RSN_ENABLED: 2765 sm->rsn_enabled = value; 2766 break; 2767 case WPA_PARAM_MFP: 2768 sm->mfp = value; 2769 break; 2770 default: 2771 break; 2772 } 2773 2774 return ret; 2775} 2776 2777 2778/** 2779 * wpa_sm_get_status - Get WPA state machine 2780 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2781 * @buf: Buffer for status information 2782 * @buflen: Maximum buffer length 2783 * @verbose: Whether to include verbose status information 2784 * Returns: Number of bytes written to buf. 2785 * 2786 * Query WPA state machine for status information. This function fills in 2787 * a text area with current status information. If the buffer (buf) is not 2788 * large enough, status information will be truncated to fit the buffer. 2789 */ 2790int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen, 2791 int verbose) 2792{ 2793 char *pos = buf, *end = buf + buflen; 2794 int ret; 2795 2796 ret = os_snprintf(pos, end - pos, 2797 "pairwise_cipher=%s\n" 2798 "group_cipher=%s\n" 2799 "key_mgmt=%s\n", 2800 wpa_cipher_txt(sm->pairwise_cipher), 2801 wpa_cipher_txt(sm->group_cipher), 2802 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto)); 2803 if (os_snprintf_error(end - pos, ret)) 2804 return pos - buf; 2805 pos += ret; 2806 2807 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) { 2808 struct wpa_ie_data rsn; 2809 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) 2810 >= 0 && 2811 rsn.capabilities & (WPA_CAPABILITY_MFPR | 2812 WPA_CAPABILITY_MFPC)) { 2813 ret = os_snprintf(pos, end - pos, "pmf=%d\n", 2814 (rsn.capabilities & 2815 WPA_CAPABILITY_MFPR) ? 2 : 1); 2816 if (os_snprintf_error(end - pos, ret)) 2817 return pos - buf; 2818 pos += ret; 2819 } 2820 } 2821 2822 return pos - buf; 2823} 2824 2825 2826int wpa_sm_pmf_enabled(struct wpa_sm *sm) 2827{ 2828 struct wpa_ie_data rsn; 2829 2830 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie) 2831 return 0; 2832 2833 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 && 2834 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC)) 2835 return 1; 2836 2837 return 0; 2838} 2839 2840 2841/** 2842 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration 2843 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2844 * @wpa_ie: Pointer to buffer for WPA/RSN IE 2845 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer 2846 * Returns: 0 on success, -1 on failure 2847 */ 2848int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie, 2849 size_t *wpa_ie_len) 2850{ 2851 int res; 2852 2853 if (sm == NULL) 2854 return -1; 2855 2856#ifdef CONFIG_TESTING_OPTIONS 2857 if (sm->test_assoc_ie) { 2858 wpa_printf(MSG_DEBUG, 2859 "TESTING: Replace association WPA/RSN IE"); 2860 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie)) 2861 return -1; 2862 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie), 2863 wpabuf_len(sm->test_assoc_ie)); 2864 res = wpabuf_len(sm->test_assoc_ie); 2865 } else 2866#endif /* CONFIG_TESTING_OPTIONS */ 2867 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len); 2868 if (res < 0) 2869 return -1; 2870 *wpa_ie_len = res; 2871 2872 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default", 2873 wpa_ie, *wpa_ie_len); 2874 2875 if (sm->assoc_wpa_ie == NULL) { 2876 /* 2877 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets 2878 * the correct version of the IE even if PMKSA caching is 2879 * aborted (which would remove PMKID from IE generation). 2880 */ 2881 sm->assoc_wpa_ie = os_malloc(*wpa_ie_len); 2882 if (sm->assoc_wpa_ie == NULL) 2883 return -1; 2884 2885 os_memcpy(sm->assoc_wpa_ie, wpa_ie, *wpa_ie_len); 2886 sm->assoc_wpa_ie_len = *wpa_ie_len; 2887 } else { 2888 wpa_hexdump(MSG_DEBUG, 2889 "WPA: Leave previously set WPA IE default", 2890 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 2891 } 2892 2893 return 0; 2894} 2895 2896 2897/** 2898 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq 2899 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2900 * @ie: Pointer to IE data (starting from id) 2901 * @len: IE length 2902 * Returns: 0 on success, -1 on failure 2903 * 2904 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association 2905 * Request frame. The IE will be used to override the default value generated 2906 * with wpa_sm_set_assoc_wpa_ie_default(). 2907 */ 2908int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 2909{ 2910 if (sm == NULL) 2911 return -1; 2912 2913 os_free(sm->assoc_wpa_ie); 2914 if (ie == NULL || len == 0) { 2915 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2916 "WPA: clearing own WPA/RSN IE"); 2917 sm->assoc_wpa_ie = NULL; 2918 sm->assoc_wpa_ie_len = 0; 2919 } else { 2920 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len); 2921 sm->assoc_wpa_ie = os_malloc(len); 2922 if (sm->assoc_wpa_ie == NULL) 2923 return -1; 2924 2925 os_memcpy(sm->assoc_wpa_ie, ie, len); 2926 sm->assoc_wpa_ie_len = len; 2927 } 2928 2929 return 0; 2930} 2931 2932 2933/** 2934 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp 2935 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2936 * @ie: Pointer to IE data (starting from id) 2937 * @len: IE length 2938 * Returns: 0 on success, -1 on failure 2939 * 2940 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response 2941 * frame. 2942 */ 2943int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 2944{ 2945 if (sm == NULL) 2946 return -1; 2947 2948 os_free(sm->ap_wpa_ie); 2949 if (ie == NULL || len == 0) { 2950 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2951 "WPA: clearing AP WPA IE"); 2952 sm->ap_wpa_ie = NULL; 2953 sm->ap_wpa_ie_len = 0; 2954 } else { 2955 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len); 2956 sm->ap_wpa_ie = os_malloc(len); 2957 if (sm->ap_wpa_ie == NULL) 2958 return -1; 2959 2960 os_memcpy(sm->ap_wpa_ie, ie, len); 2961 sm->ap_wpa_ie_len = len; 2962 } 2963 2964 return 0; 2965} 2966 2967 2968/** 2969 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp 2970 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2971 * @ie: Pointer to IE data (starting from id) 2972 * @len: IE length 2973 * Returns: 0 on success, -1 on failure 2974 * 2975 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response 2976 * frame. 2977 */ 2978int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 2979{ 2980 if (sm == NULL) 2981 return -1; 2982 2983 os_free(sm->ap_rsn_ie); 2984 if (ie == NULL || len == 0) { 2985 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2986 "WPA: clearing AP RSN IE"); 2987 sm->ap_rsn_ie = NULL; 2988 sm->ap_rsn_ie_len = 0; 2989 } else { 2990 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len); 2991 sm->ap_rsn_ie = os_malloc(len); 2992 if (sm->ap_rsn_ie == NULL) 2993 return -1; 2994 2995 os_memcpy(sm->ap_rsn_ie, ie, len); 2996 sm->ap_rsn_ie_len = len; 2997 } 2998 2999 return 0; 3000} 3001 3002 3003/** 3004 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE 3005 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3006 * @data: Pointer to data area for parsing results 3007 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure 3008 * 3009 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the 3010 * parsed data into data. 3011 */ 3012int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data) 3013{ 3014 if (sm == NULL) 3015 return -1; 3016 3017 if (sm->assoc_wpa_ie == NULL) { 3018 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3019 "WPA: No WPA/RSN IE available from association info"); 3020 return -1; 3021 } 3022 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data)) 3023 return -2; 3024 return 0; 3025} 3026 3027 3028int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len) 3029{ 3030 return pmksa_cache_list(sm->pmksa, buf, len); 3031} 3032 3033 3034struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm) 3035{ 3036 return pmksa_cache_head(sm->pmksa); 3037} 3038 3039 3040struct rsn_pmksa_cache_entry * 3041wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm, 3042 struct rsn_pmksa_cache_entry * entry) 3043{ 3044 return pmksa_cache_add_entry(sm->pmksa, entry); 3045} 3046 3047 3048void wpa_sm_drop_sa(struct wpa_sm *sm) 3049{ 3050 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK"); 3051 sm->ptk_set = 0; 3052 sm->tptk_set = 0; 3053 os_memset(sm->pmk, 0, sizeof(sm->pmk)); 3054 os_memset(&sm->ptk, 0, sizeof(sm->ptk)); 3055 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 3056#ifdef CONFIG_IEEE80211R 3057 os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); 3058 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); 3059 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1)); 3060#endif /* CONFIG_IEEE80211R */ 3061} 3062 3063 3064int wpa_sm_has_ptk(struct wpa_sm *sm) 3065{ 3066 if (sm == NULL) 3067 return 0; 3068 return sm->ptk_set; 3069} 3070 3071 3072void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr) 3073{ 3074 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN); 3075} 3076 3077 3078void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx) 3079{ 3080 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0); 3081} 3082 3083 3084#ifdef CONFIG_WNM 3085int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) 3086{ 3087 u16 keyinfo; 3088 u8 keylen; /* plaintext key len */ 3089 u8 *key_rsc; 3090 3091 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) { 3092 struct wpa_gtk_data gd; 3093 3094 os_memset(&gd, 0, sizeof(gd)); 3095 keylen = wpa_cipher_key_len(sm->group_cipher); 3096 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher); 3097 gd.alg = wpa_cipher_to_alg(sm->group_cipher); 3098 if (gd.alg == WPA_ALG_NONE) { 3099 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite"); 3100 return -1; 3101 } 3102 3103 key_rsc = buf + 5; 3104 keyinfo = WPA_GET_LE16(buf + 2); 3105 gd.gtk_len = keylen; 3106 if (gd.gtk_len != buf[4]) { 3107 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d", 3108 gd.gtk_len, buf[4]); 3109 return -1; 3110 } 3111 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */ 3112 gd.tx = wpa_supplicant_gtk_tx_bit_workaround( 3113 sm, !!(keyinfo & WPA_KEY_INFO_TXRX)); 3114 3115 os_memcpy(gd.gtk, buf + 13, gd.gtk_len); 3116 3117 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", 3118 gd.gtk, gd.gtk_len); 3119 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) { 3120 os_memset(&gd, 0, sizeof(gd)); 3121 wpa_printf(MSG_DEBUG, "Failed to install the GTK in " 3122 "WNM mode"); 3123 return -1; 3124 } 3125 os_memset(&gd, 0, sizeof(gd)); 3126#ifdef CONFIG_IEEE80211W 3127 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { 3128 struct wpa_igtk_kde igd; 3129 u16 keyidx; 3130 3131 os_memset(&igd, 0, sizeof(igd)); 3132 keylen = wpa_cipher_key_len(sm->mgmt_group_cipher); 3133 os_memcpy(igd.keyid, buf + 2, 2); 3134 os_memcpy(igd.pn, buf + 4, 6); 3135 3136 keyidx = WPA_GET_LE16(igd.keyid); 3137 os_memcpy(igd.igtk, buf + 10, keylen); 3138 3139 wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)", 3140 igd.igtk, keylen); 3141 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), 3142 broadcast_ether_addr, 3143 keyidx, 0, igd.pn, sizeof(igd.pn), 3144 igd.igtk, keylen) < 0) { 3145 wpa_printf(MSG_DEBUG, "Failed to install the IGTK in " 3146 "WNM mode"); 3147 os_memset(&igd, 0, sizeof(igd)); 3148 return -1; 3149 } 3150 os_memset(&igd, 0, sizeof(igd)); 3151#endif /* CONFIG_IEEE80211W */ 3152 } else { 3153 wpa_printf(MSG_DEBUG, "Unknown element id"); 3154 return -1; 3155 } 3156 3157 return 0; 3158} 3159#endif /* CONFIG_WNM */ 3160 3161 3162#ifdef CONFIG_PEERKEY 3163int wpa_sm_rx_eapol_peerkey(struct wpa_sm *sm, const u8 *src_addr, 3164 const u8 *buf, size_t len) 3165{ 3166 struct wpa_peerkey *peerkey; 3167 3168 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) { 3169 if (os_memcmp(peerkey->addr, src_addr, ETH_ALEN) == 0) 3170 break; 3171 } 3172 3173 if (!peerkey) 3174 return 0; 3175 3176 wpa_sm_rx_eapol(sm, src_addr, buf, len); 3177 3178 return 1; 3179} 3180#endif /* CONFIG_PEERKEY */ 3181 3182 3183#ifdef CONFIG_P2P 3184 3185int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf) 3186{ 3187 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0) 3188 return -1; 3189 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4); 3190 return 0; 3191} 3192 3193#endif /* CONFIG_P2P */ 3194 3195 3196void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter) 3197{ 3198 if (rx_replay_counter == NULL) 3199 return; 3200 3201 os_memcpy(sm->rx_replay_counter, rx_replay_counter, 3202 WPA_REPLAY_COUNTER_LEN); 3203 sm->rx_replay_counter_set = 1; 3204 wpa_printf(MSG_DEBUG, "Updated key replay counter"); 3205} 3206 3207 3208void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm, 3209 const u8 *ptk_kck, size_t ptk_kck_len, 3210 const u8 *ptk_kek, size_t ptk_kek_len) 3211{ 3212 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) { 3213 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len); 3214 sm->ptk.kck_len = ptk_kck_len; 3215 wpa_printf(MSG_DEBUG, "Updated PTK KCK"); 3216 } 3217 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) { 3218 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len); 3219 sm->ptk.kek_len = ptk_kek_len; 3220 wpa_printf(MSG_DEBUG, "Updated PTK KEK"); 3221 } 3222 sm->ptk_set = 1; 3223} 3224 3225 3226#ifdef CONFIG_TESTING_OPTIONS 3227void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf) 3228{ 3229 wpabuf_free(sm->test_assoc_ie); 3230 sm->test_assoc_ie = buf; 3231} 3232#endif /* CONFIG_TESTING_OPTIONS */ 3233 3234 3235#ifdef CONFIG_FILS 3236 3237struct wpabuf * fils_build_auth(struct wpa_sm *sm) 3238{ 3239 struct wpabuf *buf = NULL; 3240 struct wpabuf *erp_msg; 3241 3242 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol); 3243 if (!erp_msg && !sm->cur_pmksa) { 3244 wpa_printf(MSG_DEBUG, 3245 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS"); 3246 goto fail; 3247 } 3248 3249 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)", 3250 erp_msg != NULL, sm->cur_pmksa != NULL); 3251 3252 sm->fils_completed = 0; 3253 3254 if (!sm->assoc_wpa_ie) { 3255 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS"); 3256 goto fail; 3257 } 3258 3259 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 || 3260 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0) 3261 goto fail; 3262 3263 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce", 3264 sm->fils_nonce, FILS_NONCE_LEN); 3265 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session", 3266 sm->fils_session, FILS_SESSION_LEN); 3267 3268 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len); 3269 if (!buf) 3270 goto fail; 3271 3272 /* Fields following the Authentication algorithm number field */ 3273 3274 /* Authentication Transaction seq# */ 3275 wpabuf_put_le16(buf, 1); 3276 3277 /* Status Code */ 3278 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 3279 3280 /* TODO: Finite Cyclic Group when using PK or PFS */ 3281 /* TODO: Element when using PK or PFS */ 3282 3283 /* RSNE */ 3284 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame", 3285 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 3286 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 3287 3288 /* TODO: MDE when using FILS for FT initial association */ 3289 /* TODO: FTE when using FILS for FT initial association */ 3290 3291 /* FILS Nonce */ 3292 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 3293 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */ 3294 /* Element ID Extension */ 3295 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE); 3296 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN); 3297 3298 /* FILS Session */ 3299 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 3300 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */ 3301 /* Element ID Extension */ 3302 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION); 3303 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN); 3304 3305 /* FILS Wrapped Data */ 3306 sm->fils_erp_pmkid_set = 0; 3307 if (erp_msg) { 3308 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 3309 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */ 3310 /* Element ID Extension */ 3311 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_WRAPPED_DATA); 3312 wpabuf_put_buf(buf, erp_msg); 3313 /* Calculate pending PMKID here so that we do not need to 3314 * maintain a copy of the EAP-Initiate/Reauth message. */ 3315 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg), 3316 wpabuf_len(erp_msg), 3317 sm->fils_erp_pmkid) == 0) 3318 sm->fils_erp_pmkid_set = 1; 3319 } 3320 3321 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame", 3322 buf); 3323 3324fail: 3325 wpabuf_free(erp_msg); 3326 return buf; 3327} 3328 3329 3330int fils_process_auth(struct wpa_sm *sm, const u8 *data, size_t len) 3331{ 3332 const u8 *pos, *end; 3333 struct ieee802_11_elems elems; 3334 struct wpa_ie_data rsn; 3335 int pmkid_match = 0; 3336 u8 ick[FILS_ICK_MAX_LEN]; 3337 size_t ick_len; 3338 int res; 3339 3340 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields", 3341 data, len); 3342 pos = data; 3343 end = data + len; 3344 3345 /* TODO: Finite Cyclic Group when using PK or PFS */ 3346 /* TODO: Element when using PK or PFS */ 3347 3348 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos); 3349 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) { 3350 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements"); 3351 return -1; 3352 } 3353 3354 /* RSNE */ 3355 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie, 3356 elems.rsn_ie_len); 3357 if (!elems.rsn_ie || 3358 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 3359 &rsn) < 0) { 3360 wpa_printf(MSG_DEBUG, "FILS: No RSN element"); 3361 return -1; 3362 } 3363 3364 if (!elems.fils_nonce) { 3365 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field"); 3366 return -1; 3367 } 3368 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN); 3369 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN); 3370 3371 /* TODO: MDE when using FILS+FT */ 3372 /* TODO: FTE when using FILS+FT */ 3373 3374 /* PMKID List */ 3375 if (rsn.pmkid && rsn.num_pmkid > 0) { 3376 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List", 3377 rsn.pmkid, rsn.num_pmkid * PMKID_LEN); 3378 3379 if (rsn.num_pmkid != 1) { 3380 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection"); 3381 return -1; 3382 } 3383 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN); 3384 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0) 3385 { 3386 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch"); 3387 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID", 3388 sm->cur_pmksa->pmkid, PMKID_LEN); 3389 return -1; 3390 } 3391 wpa_printf(MSG_DEBUG, 3392 "FILS: Matching PMKID - continue using PMKSA caching"); 3393 pmkid_match = 1; 3394 } 3395 if (!pmkid_match && sm->cur_pmksa) { 3396 wpa_printf(MSG_DEBUG, 3397 "FILS: No PMKID match - cannot use cached PMKSA entry"); 3398 sm->cur_pmksa = NULL; 3399 } 3400 3401 /* FILS Session */ 3402 if (!elems.fils_session) { 3403 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 3404 return -1; 3405 } 3406 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session, 3407 FILS_SESSION_LEN); 3408 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN) 3409 != 0) { 3410 wpa_printf(MSG_DEBUG, "FILS: Session mismatch"); 3411 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 3412 sm->fils_session, FILS_SESSION_LEN); 3413 return -1; 3414 } 3415 3416 /* FILS Wrapped Data */ 3417 if (!sm->cur_pmksa && elems.fils_wrapped_data) { 3418 u8 rmsk[ERP_MAX_KEY_LEN]; 3419 size_t rmsk_len; 3420 3421 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data", 3422 elems.fils_wrapped_data, 3423 elems.fils_wrapped_data_len); 3424 eapol_sm_process_erp_finish(sm->eapol, elems.fils_wrapped_data, 3425 elems.fils_wrapped_data_len); 3426 if (eapol_sm_failed(sm->eapol)) 3427 return -1; 3428 3429 rmsk_len = ERP_MAX_KEY_LEN; 3430 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len); 3431 if (res == PMK_LEN) { 3432 rmsk_len = PMK_LEN; 3433 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len); 3434 } 3435 if (res) 3436 return -1; 3437 3438 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len, 3439 sm->fils_nonce, sm->fils_anonce, NULL, 0, 3440 sm->pmk, &sm->pmk_len); 3441 os_memset(rmsk, 0, sizeof(rmsk)); 3442 3443 if (!sm->fils_erp_pmkid_set) { 3444 wpa_printf(MSG_DEBUG, "FILS: PMKID not available"); 3445 return -1; 3446 } 3447 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid, 3448 PMKID_LEN); 3449 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result"); 3450 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, 3451 sm->fils_erp_pmkid, NULL, 0, 3452 sm->bssid, sm->own_addr, 3453 sm->network_ctx, sm->key_mgmt); 3454 } 3455 3456 if (!sm->cur_pmksa) { 3457 wpa_printf(MSG_DEBUG, 3458 "FILS: No remaining options to continue FILS authentication"); 3459 return -1; 3460 } 3461 3462 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid, 3463 sm->fils_nonce, sm->fils_anonce, &sm->ptk, 3464 ick, &ick_len, sm->key_mgmt, sm->pairwise_cipher) < 3465 0) { 3466 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK"); 3467 return -1; 3468 } 3469 sm->ptk_set = 1; 3470 sm->tptk_set = 0; 3471 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 3472 3473 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce, 3474 sm->fils_anonce, sm->own_addr, sm->bssid, 3475 NULL, 0, NULL, 0, /* TODO: SK+PFS */ 3476 sm->key_mgmt, sm->fils_key_auth_sta, 3477 sm->fils_key_auth_ap, 3478 &sm->fils_key_auth_len); 3479 os_memset(ick, 0, sizeof(ick)); 3480 return res; 3481} 3482 3483 3484struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek, 3485 size_t *kek_len, const u8 **snonce, 3486 const u8 **anonce, 3487 const struct wpabuf **hlp, 3488 unsigned int num_hlp) 3489{ 3490 struct wpabuf *buf; 3491 size_t len; 3492 unsigned int i; 3493 3494 len = 1000; 3495 for (i = 0; hlp && i < num_hlp; i++) 3496 len += 10 + wpabuf_len(hlp[i]); 3497 buf = wpabuf_alloc(len); 3498 if (!buf) 3499 return NULL; 3500 3501 /* FILS Session */ 3502 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 3503 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */ 3504 /* Element ID Extension */ 3505 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION); 3506 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN); 3507 3508 /* Everything after FILS Session element gets encrypted in the driver 3509 * with KEK. The buffer returned from here is the plaintext version. */ 3510 3511 /* TODO: FILS Public Key */ 3512 3513 /* FILS Key Confirm */ 3514 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 3515 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */ 3516 /* Element ID Extension */ 3517 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM); 3518 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len); 3519 3520 /* FILS HLP Container */ 3521 for (i = 0; hlp && i < num_hlp; i++) { 3522 const u8 *pos = wpabuf_head(hlp[i]); 3523 size_t left = wpabuf_len(hlp[i]); 3524 3525 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 3526 if (left <= 254) 3527 len = 1 + left; 3528 else 3529 len = 255; 3530 wpabuf_put_u8(buf, len); /* Length */ 3531 /* Element ID Extension */ 3532 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER); 3533 /* Destination MAC Address, Source MAC Address, HLP Packet. 3534 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP 3535 * header when LPD is used). */ 3536 wpabuf_put_data(buf, pos, len - 1); 3537 pos += len - 1; 3538 left -= len - 1; 3539 while (left) { 3540 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT); 3541 len = left > 255 ? 255 : left; 3542 wpabuf_put_u8(buf, len); 3543 wpabuf_put_data(buf, pos, len); 3544 pos += len; 3545 left -= len; 3546 } 3547 } 3548 3549 /* TODO: FILS IP Address Assignment */ 3550 3551 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf); 3552 3553 *kek = sm->ptk.kek; 3554 *kek_len = sm->ptk.kek_len; 3555 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len); 3556 *snonce = sm->fils_nonce; 3557 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD", 3558 *snonce, FILS_NONCE_LEN); 3559 *anonce = sm->fils_anonce; 3560 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD", 3561 *anonce, FILS_NONCE_LEN); 3562 3563 return buf; 3564} 3565 3566 3567int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) 3568{ 3569 const struct ieee80211_mgmt *mgmt; 3570 const u8 *end, *ie_start; 3571 struct ieee802_11_elems elems; 3572 int keylen, rsclen; 3573 enum wpa_alg alg; 3574 struct wpa_gtk_data gd; 3575 int maxkeylen; 3576 struct wpa_eapol_ie_parse kde; 3577 3578 if (!sm || !sm->ptk_set) { 3579 wpa_printf(MSG_DEBUG, "FILS: No KEK available"); 3580 return -1; 3581 } 3582 3583 if (!wpa_key_mgmt_fils(sm->key_mgmt)) { 3584 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM"); 3585 return -1; 3586 } 3587 3588 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame", 3589 resp, len); 3590 3591 mgmt = (const struct ieee80211_mgmt *) resp; 3592 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp)) 3593 return -1; 3594 3595 end = resp + len; 3596 /* Same offset for Association Response and Reassociation Response */ 3597 ie_start = mgmt->u.assoc_resp.variable; 3598 3599 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) == 3600 ParseFailed) { 3601 wpa_printf(MSG_DEBUG, 3602 "FILS: Failed to parse decrypted elements"); 3603 goto fail; 3604 } 3605 3606 if (!elems.fils_session) { 3607 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 3608 return -1; 3609 } 3610 if (os_memcmp(elems.fils_session, sm->fils_session, 3611 FILS_SESSION_LEN) != 0) { 3612 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch"); 3613 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session", 3614 elems.fils_session, FILS_SESSION_LEN); 3615 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 3616 sm->fils_session, FILS_SESSION_LEN); 3617 } 3618 3619 /* TODO: FILS Public Key */ 3620 3621 if (!elems.fils_key_confirm) { 3622 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element"); 3623 goto fail; 3624 } 3625 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) { 3626 wpa_printf(MSG_DEBUG, 3627 "FILS: Unexpected Key-Auth length %d (expected %d)", 3628 elems.fils_key_confirm_len, 3629 (int) sm->fils_key_auth_len); 3630 goto fail; 3631 } 3632 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap, 3633 sm->fils_key_auth_len) != 0) { 3634 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch"); 3635 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth", 3636 elems.fils_key_confirm, 3637 elems.fils_key_confirm_len); 3638 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth", 3639 sm->fils_key_auth_ap, sm->fils_key_auth_len); 3640 goto fail; 3641 } 3642 3643 /* Key Delivery */ 3644 if (!elems.key_delivery) { 3645 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element"); 3646 goto fail; 3647 } 3648 3649 /* Parse GTK and set the key to the driver */ 3650 os_memset(&gd, 0, sizeof(gd)); 3651 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN, 3652 elems.key_delivery_len - WPA_KEY_RSC_LEN, 3653 &kde) < 0) { 3654 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs"); 3655 goto fail; 3656 } 3657 if (!kde.gtk) { 3658 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE"); 3659 goto fail; 3660 } 3661 maxkeylen = gd.gtk_len = kde.gtk_len - 2; 3662 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 3663 gd.gtk_len, maxkeylen, 3664 &gd.key_rsc_len, &gd.alg)) 3665 goto fail; 3666 3667 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len); 3668 gd.keyidx = kde.gtk[0] & 0x3; 3669 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 3670 !!(kde.gtk[0] & BIT(2))); 3671 if (kde.gtk_len - 2 > sizeof(gd.gtk)) { 3672 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)", 3673 (unsigned long) kde.gtk_len - 2); 3674 goto fail; 3675 } 3676 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2); 3677 3678 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver"); 3679 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery) < 0) { 3680 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK"); 3681 goto fail; 3682 } 3683 3684 if (ieee80211w_set_keys(sm, &kde) < 0) { 3685 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK"); 3686 goto fail; 3687 } 3688 3689 alg = wpa_cipher_to_alg(sm->pairwise_cipher); 3690 keylen = wpa_cipher_key_len(sm->pairwise_cipher); 3691 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher); 3692 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver", 3693 sm->ptk.tk, keylen); 3694 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen, 3695 sm->ptk.tk, keylen) < 0) { 3696 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3697 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid=" 3698 MACSTR ")", 3699 alg, keylen, MAC2STR(sm->bssid)); 3700 goto fail; 3701 } 3702 3703 /* TODO: TK could be cleared after auth frame exchange now that driver 3704 * takes care of association frame encryption/decryption. */ 3705 /* TK is not needed anymore in supplicant */ 3706 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); 3707 3708 /* TODO: FILS HLP Container */ 3709 3710 /* TODO: FILS IP Address Assignment */ 3711 3712 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully"); 3713 sm->fils_completed = 1; 3714 3715 return 0; 3716fail: 3717 return -1; 3718} 3719 3720#endif /* CONFIG_FILS */ 3721 3722 3723int wpa_fils_is_completed(struct wpa_sm *sm) 3724{ 3725#ifdef CONFIG_FILS 3726 return sm && sm->fils_completed; 3727#else /* CONFIG_FILS */ 3728 return 0; 3729#endif /* CONFIG_FILS */ 3730} 3731